Secret Approval Request: check if user is a reviewer to trigger hasSecretReadValueOrDescribePermission

2026-01-10 07:58:15 -05:00 · 2025-09-24 18:17:58 -03:00
parent f5d7ba2922
commit aedf6c0065
1 changed files with 9 additions and 39 deletions
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -285,13 +285,10 @@ export const secretApprovalRequestServiceFactory = ({
    ) {
      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
-    const getHasSecretReadAccess = (
-      shouldCheckSecretPermission: boolean | null | undefined,
-      environment: string,
-      tags: { slug: string }[],
-      secretPath?: string
-    ) => {
-      if (shouldCheckSecretPermission) {
+    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
+      const isReviewer = policy.approvers.some(({ userId }) => userId === actorId);
+
+      if (!isReviewer) {
        const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
          environment,
          secretPath: secretPath || "/",
@@ -322,18 +319,8 @@ export const secretApprovalRequestServiceFactory = ({
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        ),
-        secretValue: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        )
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
          ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
          : el.secret && el.secret.isRotatedSecret
            ? undefined
@@ -354,17 +341,11 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secret.id,
              version: el.secret.version,
              secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              )
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secret.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -380,17 +361,11 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secretVersion.id,
              version: el.secretVersion.version,
              secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              )
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secretVersion.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -409,12 +384,7 @@ export const secretApprovalRequestServiceFactory = ({
      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encryptedSecrets.map((el) => ({
        ...el,
-        secretValueHidden: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        ),
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
        ...decryptSecretWithBot(el, botKey),
        secret: el.secret
          ? {