address bugbot comments

This commit is contained in:
Vikhyath Mondreti
2026-02-14 12:27:03 -08:00
parent cd1ccf1f1f
commit 41cdca20d6
2 changed files with 18 additions and 11 deletions


@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('CredentialMembersAPI')
@@ -37,7 +38,7 @@ export async function GET(_request: NextRequest, context: RouteContext) {
const { id: credentialId } = await context.params
const [cred] = await db
.select({ id: credential.id })
.select({ id: credential.id, workspaceId: credential.workspaceId })
.from(credential)
.where(eq(credential.id, credentialId))
.limit(1)
@@ -46,6 +47,15 @@ export async function GET(_request: NextRequest, context: RouteContext) {
return NextResponse.json({ members: [] }, { status: 200 })
}
const callerPerm = await getUserEntityPermissions(
session.user.id,
'workspace',
cred.workspaceId
)
if (callerPerm === null) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
const members = await db
.select({
id: credentialMember.id,
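Review bot: The new workspace guard compares `callerPerm === null`, so the check only fails closed if getUserEntityPermissions returns exactly `null` for a non-member; its signature is not visible in this hunk, and if it can yield `undefined` the 403 is skipped and the member list is returned. A nullish comparison, `if (callerPerm == null) {`, covers both without changing the intended behaviour, and a one-line comment above the call, `// any workspace permission level is enough to list credential members`, would record that read-level access is deliberately sufficient here. Ordering the guard after the not-found branch at the top of the hunk also means a caller with no workspace access gets 200 with an empty list for an unknown id and 403 for a known one, which distinguishes existing credential ids; returning the same response in both cases removes that signal if it matters. The rest of GET's body continues outside the hunk.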


@@ -39,6 +39,8 @@ export async function authorizeCredentialUse(
return { ok: false, error: auth.error || 'Authentication required' }
}
const actingUserId = auth.authType === 'internal_jwt' ? callerUserId : auth.userId
const [workflowContext] = workflowId
? await db
.select({ workspaceId: workflowTable.workspaceId })
@@ -81,12 +83,9 @@ export async function authorizeCredentialUse(
return { ok: false, error: 'Credential account not found' }
}
const effectiveCallerId =
callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
if (effectiveCallerId) {
if (actingUserId) {
const requesterPerm = await getUserEntityPermissions(
effectiveCallerId,
actingUserId,
'workspace',
platformCredential.workspaceId
)
@@ -97,7 +96,7 @@ export async function authorizeCredentialUse(
.where(
and(
eq(credentialMember.credentialId, platformCredential.id),
eq(credentialMember.userId, effectiveCallerId),
eq(credentialMember.userId, actingUserId),
eq(credentialMember.status, 'active')
)
)
@@ -167,16 +166,14 @@ export async function authorizeCredentialUse(
return { ok: false, error: 'Credential account not found' }
}
const legacyCallerId = callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
if (legacyCallerId) {
if (actingUserId) {
const [membership] = await db
.select({ id: credentialMember.id })
.from(credentialMember)
.where(
and(
eq(credentialMember.credentialId, workspaceCredential.id),
eq(credentialMember.userId, legacyCallerId),
eq(credentialMember.userId, actingUserId),
eq(credentialMember.status, 'active')
)
)