Add missing access control check (#12213)

Release Notes: - N/A
2025-01-09 02:44:49 +00:00 · 2024-05-23 16:59:04 -06:00 · 2024-05-23 16:59:04 -06:00 · ec4703a8d5
commit ec4703a8d5
parent 3b14115c2f
1 changed files with 10 additions and 1 deletions
--- a/crates/collab/src/db/queries/projects.rs
+++ b/crates/collab/src/db/queries/projects.rs
@ -66,6 +66,16 @@ impl Database {
                    .await?
                    .ok_or_else(|| anyhow!("no remote project"))?;

+                let (_, dev_server) = dev_server_project::Entity::find_by_id(dev_server_project_id)
+                    .find_also_related(dev_server::Entity)
+                    .one(&*tx)
+                    .await?
+                    .ok_or_else(|| anyhow!("no dev_server_project"))?;
+
+                if !dev_server.is_some_and(|dev_server| dev_server.user_id == participant.user_id) {
+                    return Err(anyhow!("not your dev server"))?;
+                }
+
                if project.room_id.is_some() {
                    return Err(anyhow!("project already shared"))?;
                };
@ -77,7 +87,6 @@ impl Database {
                .exec(&*tx)
                .await?;

-                // todo! check user is a project-collaborator
                let room = self.get_room(room_id, &tx).await?;
                return Ok((project.id, room));
            }