huanld/speckle-server
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(policies): allow god mode admins to create dashboards (#5612)

Browse Source
This commit is contained in:
Gergő Jedlicska
2025-10-01 13:55:34 +02:00
committed by GitHub
parent 47cb1a83a2
commit 0ab254efb4
4 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/shared/src/authz/policies/dashboard/canDelete.ts
+8
View File
@@ -18,9 +18,12 @@ import { hasMinimumWorkspaceRole } from '../../checks/workspaceRole.js'
import { Roles } from '../../../core/constants.js'
import { hasEditorSeat } from '../../checks/workspaceSeat.js'
import { isDashboardOwner } from '../../checks/dashboards.js'
import { checkIfAdminOverrideEnabledFragment } from '../../fragments/server.js'
type PolicyLoaderKeys =
| typeof AuthCheckContextLoaderKeys.getEnv
| typeof AuthCheckContextLoaderKeys.getServerRole
| typeof AuthCheckContextLoaderKeys.getAdminOverrideEnabled
| typeof AuthCheckContextLoaderKeys.getDashboard
| typeof AuthCheckContextLoaderKeys.getWorkspacePlan
| typeof AuthCheckContextLoaderKeys.getWorkspaceRole
@@ -57,6 +60,11 @@ export const canDeleteDashboardPolicy: AuthPolicy<
)({ workspaceId })
if (ensuredFeatureAccess.isErr) return err(ensuredFeatureAccess.error)
const hasAdminAccess = await checkIfAdminOverrideEnabledFragment(loaders)({
userId
})
if (hasAdminAccess.isOk && hasAdminAccess.value) return ok()
const isWorkspaceEditorSeat = await hasEditorSeat(loaders)({
userId: userId!,
workspaceId
packages/shared/src/authz/policies/dashboard/canEdit.ts
+8
View File
@@ -16,9 +16,12 @@ import {
import { hasMinimumWorkspaceRole } from '../../checks/workspaceRole.js'
import { Roles } from '../../../core/constants.js'
import { hasEditorSeat } from '../../checks/workspaceSeat.js'
import { checkIfAdminOverrideEnabledFragment } from '../../fragments/server.js'
type PolicyLoaderKeys =
| typeof AuthCheckContextLoaderKeys.getEnv
| typeof AuthCheckContextLoaderKeys.getServerRole
| typeof AuthCheckContextLoaderKeys.getAdminOverrideEnabled
| typeof AuthCheckContextLoaderKeys.getDashboard
| typeof AuthCheckContextLoaderKeys.getWorkspacePlan
| typeof AuthCheckContextLoaderKeys.getWorkspaceRole
@@ -54,6 +57,11 @@ export const canEditDashboardPolicy: AuthPolicy<
)({ workspaceId })
if (ensuredFeatureAccess.isErr) return err(ensuredFeatureAccess.error)
const hasAdminAccess = await checkIfAdminOverrideEnabledFragment(loaders)({
userId
})
if (hasAdminAccess.isOk && hasAdminAccess.value) return ok()
const isWorkspaceMember = await hasMinimumWorkspaceRole(loaders)({
userId: userId!,
workspaceId,
packages/shared/src/authz/policies/dashboard/canRead.ts
+10 -1
View File
@@ -17,11 +17,15 @@ import {
} from '../../fragments/dashboards.js'
import { hasMinimumWorkspaceRole } from '../../checks/workspaceRole.js'
import { Roles } from '../../../core/constants.js'
import { ensureMinimumServerRoleFragment } from '../../fragments/server.js'
import {
checkIfAdminOverrideEnabledFragment,
ensureMinimumServerRoleFragment
} from '../../fragments/server.js'
type PolicyLoaderKeys =
| typeof AuthCheckContextLoaderKeys.getEnv
| typeof AuthCheckContextLoaderKeys.getServerRole
| typeof AuthCheckContextLoaderKeys.getAdminOverrideEnabled
| typeof AuthCheckContextLoaderKeys.getDashboard
| typeof AuthCheckContextLoaderKeys.getWorkspaceRole
| typeof AuthCheckContextLoaderKeys.getWorkspacePlan
@@ -63,6 +67,11 @@ export const canReadDashboardPolicy: AuthPolicy<
)({ workspaceId })
if (ensuredFeatureAccess.isErr) return err(ensuredFeatureAccess.error)
const hasAdminAccess = await checkIfAdminOverrideEnabledFragment(loaders)({
userId
})
if (hasAdminAccess.isOk && hasAdminAccess.value) return ok()
const isWorkspaceMember = await hasMinimumWorkspaceRole(loaders)({
userId: userId!,
workspaceId,
packages/shared/src/authz/policies/workspace/canCreateDashboards.ts
+8
View File
@@ -15,9 +15,12 @@ import {
import { hasMinimumWorkspaceRole } from '../../checks/workspaceRole.js'
import { Roles } from '../../../core/constants.js'
import { hasEditorSeat } from '../../checks/workspaceSeat.js'
import { checkIfAdminOverrideEnabledFragment } from '../../fragments/server.js'
type PolicyLoaderKeys =
| typeof AuthCheckContextLoaderKeys.getEnv
| typeof AuthCheckContextLoaderKeys.getServerRole
| typeof AuthCheckContextLoaderKeys.getAdminOverrideEnabled
| typeof AuthCheckContextLoaderKeys.getWorkspacePlan
| typeof AuthCheckContextLoaderKeys.getWorkspaceRole
| typeof AuthCheckContextLoaderKeys.getWorkspaceSeat
@@ -46,6 +49,11 @@ export const canCreateDashboardsPolicy: AuthPolicy<
)({ workspaceId })
if (ensuredFeatureAccess.isErr) return err(ensuredFeatureAccess.error)
const hasAdminAccess = await checkIfAdminOverrideEnabledFragment(loaders)({
userId
})
if (hasAdminAccess.isOk && hasAdminAccess.value) return ok()
const isWorkspaceMember = await hasMinimumWorkspaceRole(loaders)({
userId: userId!,
workspaceId,