fix: permission checks for updating or viewing projects in orgs

uselagoon · Jul 22, 2024 · de8dbfd · de8dbfd
1 parent 9d821a6
commit de8dbfd
Showing 1 changed file with 21 additions and 15 deletions.
diff --git a/services/api/src/resources/project/helpers.ts b/services/api/src/resources/project/helpers.ts
@@ -14,38 +14,44 @@ export const Helpers = (sqlClientPool: Pool) => {
       // then falling through to the default project view for general users
       const rows = await query(sqlClientPool, Sql.selectProject(pid));
       const project = rows[0];
-      if (project.organization != null) {
-        try {
+      try {
+        // finally check the user view:project permission
+        await hasPermission('project', 'view', {
+          project: project.id
+        });
+        return
+      } catch (err) {
+        if (project.organization != null) {
           await hasPermission('organization', 'viewProject', {
             organization: project.organization
           });
           // if the organization owner has permission to view project, return
           return
-        } catch (err) {
-          // otherwise fall through to project view permission check
         }
+        throw err
       }
-      // finally check the user view:project permission
-      await hasPermission('project', 'view', {
-        project: project.id
-      });
     }
   }
   const checkOrgProjectUpdatePermission = async (hasPermission, pid) => {
     // helper checks the permission to updateProject:organization
     // or the update:project permission
     const rows = await query(sqlClientPool, Sql.selectProject(pid));
     const project = rows[0];
-    if (project.organization != null) {
-      // if the project is in an organization, only the organization owner should be able to do this
-      await hasPermission('organization', 'updateProject', {
-        organization: project.organization
-      });
-    } else {
-      // if not in a project, follow the standard rbac
+    try {
+      // finally check the user update:project permission
       await hasPermission('project', 'update', {
         project: project.id
       });
+      return
+    } catch (err) {
+      if (project.organization != null) {
+        await hasPermission('organization', 'updateProject', {
+          organization: project.organization
+        });
+        // if the organization owner has permission to update project, return
+        return
+      }
+      throw err
     }
   }