Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: Change permission check to be based on workflow settings #5390

Merged
merged 1 commit into from
Feb 7, 2023
Merged

refactor: Change permission check to be based on workflow settings #5390

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 18 additions & 35 deletions packages/cli/src/WorkflowHelpers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,9 @@ import { WorkflowRunner } from '@/WorkflowRunner';
import config from '@/config';
import type { WorkflowEntity } from '@db/entities/WorkflowEntity';
import type { User } from '@db/entities/User';
import { getWorkflowOwner, whereClause } from '@/UserManagement/UserManagementHelper';
import { whereClause } from '@/UserManagement/UserManagementHelper';
import omit from 'lodash.omit';
import { PermissionChecker } from './UserManagement/PermissionChecker';

const ERROR_TRIGGER_TYPE = config.getEnv('nodes.errorTriggerType');

Expand Down Expand Up @@ -94,30 +95,7 @@ export async function executeErrorWorkflow(
): Promise<void> {
// Wrap everything in try/catch to make sure that no errors bubble up and all get caught here
try {
let workflowData: WorkflowEntity | null = null;
if (workflowId !== workflowErrorData.workflow.id) {
// To make this code easier to understand, we split it in 2 parts:
// 1) Fetch the owner of the errored workflows and then
// 2) if now instance owner, then check if the user has access to the
// triggered workflow.

// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
const user = await getWorkflowOwner(workflowErrorData.workflow.id!);

if (user.globalRole.name === 'owner') {
workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });
} else {
const sharedWorkflowData = await Db.collections.SharedWorkflow.findOne({
where: { workflowId, userId: user.id },
relations: ['workflow'],
});
if (sharedWorkflowData) {
workflowData = sharedWorkflowData.workflow;
}
}
} else {
workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });
}
const workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });

if (workflowData === null) {
// The error workflow could not be found
Expand All @@ -129,15 +107,6 @@ export async function executeErrorWorkflow(
return;
}

const user = await getWorkflowOwner(workflowId);
if (user.id !== runningUser.id) {
// The error workflow could not be found
Logger.warn(
`An attempt to execute workflow ID ${workflowId} as error workflow was blocked due to wrong permission`,
);
return;
}

const executionMode = 'error';
const nodeTypes = NodeTypes();

Expand All @@ -152,6 +121,20 @@ export async function executeErrorWorkflow(
settings: workflowData.settings,
});

try {
await PermissionChecker.checkSubworkflowExecutePolicy(
workflowInstance,
runningUser.id,
workflowErrorData.workflow.id,
);
} catch (error) {
Logger.info('Error workflow execution blocked due to subworkflow settings', {
erroredWorkflowId: workflowErrorData.workflow.id,
errorWorkflowId: workflowId,
});
return;
}

let node: INode;
let workflowStartNode: INode | undefined;
for (const nodeName of Object.keys(workflowInstance.nodes)) {
Expand Down Expand Up @@ -204,7 +187,7 @@ export async function executeErrorWorkflow(
executionMode,
executionData: runExecutionData,
workflowData,
userId: user.id,
userId: runningUser.id,
};

const workflowRunner = new WorkflowRunner();
Expand Down