fix: rbac: update of a step state is reserved to template owners only (…

…#307) Previously, edition of the step state was allowed to resolvers. But resolvers are regular users, that have the right to resolve the task, they are not aware of the behaviour of the template. This power should be reserved to template owners, who wrote the template, and know how the steps state can be changed. Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com>
ovh · Dec 29, 2021 · ad68312 · ad68312
1 parent 21bd1dc
commit ad68312
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/api/handler/resolution.go b/api/handler/resolution.go
@@ -807,7 +807,7 @@ type updateResolutionStepStateIn struct {
 }
 
 // UpdateResolutionStepState allows the edition of a step state.
-// Can only be called when the resolution is in state PAUSED, and by a resolution manager.
+// Can only be called when the resolution is in state PAUSED, and by the template owners.
 func UpdateResolutionStepState(c *gin.Context, in *updateResolutionStepStateIn) error {
 	metadata.AddActionMetadata(c, metadata.ResolutionID, in.PublicID)
 	metadata.AddActionMetadata(c, metadata.StepName, in.StepName)
@@ -854,7 +854,7 @@ func UpdateResolutionStepState(c *gin.Context, in *updateResolutionStepStateIn)
 	metadata.AddActionMetadata(c, metadata.TemplateName, tt.Name)
 
 	admin := auth.IsAdmin(c) == nil
-	resolutionManager := auth.IsResolutionManager(c, tt, t, r) == nil
+	resolutionManager := auth.IsTemplateOwner(c, tt) == nil
 
 	if !admin && !resolutionManager {
 		dbp.Rollback()