Commit e02eb9a3 authored by Sacha Brants's avatar Sacha Brants

Merge branch 'slb/dm3/fix-auth-close' into 'master'

fix: added missing auth check on close operation

See merge request !128
parents a0286e2f 4185af3a
Pipeline #49202 failed with stages
in 12 minutes and 3 seconds
......@@ -410,6 +410,19 @@ export class DatasetHandler {
// return immediately if it is a simple close with empty body (no patch to apply)
if (Object.keys(req.body).length === 0 && req.body.constructor === Object && wid) {
// Check authorizations
if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
if(wid.startsWith('W')) {
await Auth.isWriteAuthorized(req.headers.authorization,
subproject.acls.admins,
datasetIN.tenant, subproject.name, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
} else {
await Auth.isReadAuthorized(req.headers.authorization,
subproject.acls.viewers.concat(subproject.acls.admins),
datasetIN.tenant, datasetIN.subproject, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
// Retrieve the dataset metadata
const dataset = subproject.enforce_key ?
await DatasetDAO.getByKey(journalClient, datasetIN) :
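Review bot: The choice between the admin-only write check and the viewer-level read check at `if(wid.startsWith('W'))` depends only on the prefix of `wid`, whose origin is outside this hunk; if it comes from the request, the request itself selects which tier is enforced, so the tier should be derived from the lock actually recorded for the dataset, or a comment should state where a mismatching `wid` is rejected. Both awaited calls discard their result, so the block enforces something only if `Auth.isWriteAuthorized` and `Auth.isReadAuthorized` throw on denial, which is not visible here; a comment such as `// throws if the caller is not authorized` would make that contract explicit. The write branch passes `subproject.name` while the read branch passes `datasetIN.subproject`, and using the same expression in both calls would keep the two checks from diverging. The enclosing method starts and ends outside the hunk.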
......