From 5a8a48f9bf8d0acf746465a9cabca8afd9724000 Mon Sep 17 00:00:00 2001 From: Owen Date: Fri, 12 Jun 2026 14:22:17 -0700 Subject: [PATCH] Enforce the action inside of the function --- server/private/routers/external.ts | 2 +- server/private/routers/ssh/signSshKey.ts | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts index 881ba2277..3cecd2ebb 100644 --- a/server/private/routers/external.ts +++ b/server/private/routers/external.ts @@ -612,7 +612,7 @@ authenticated.post( verifyValidSubscription(tierMatrix.advancedPrivateResources), verifyOrgAccess, verifyLimits, - verifyUserHasAction(ActionsEnum.signSshKey), + // verifyUserHasAction(ActionsEnum.signSshKey), // this check happens inside of the function now // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata ssh.signSshKey ); diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts index fc2319d53..99fedc944 100644 --- a/server/private/routers/ssh/signSshKey.ts +++ b/server/private/routers/ssh/signSshKey.ts @@ -20,6 +20,7 @@ import { logsDb, newts, roles, + roleActions, rolePolicies, roleResources, roleSiteResources, @@ -141,6 +142,27 @@ export async function signSshKey( ); } + const roleActionPermission = await db + .select({ roleId: roleActions.roleId }) + .from(roleActions) + .where( + and( + eq(roleActions.actionId, ActionsEnum.signSshKey), + inArray(roleActions.roleId, roleIds), + eq(roleActions.orgId, orgId) + ) + ) + .limit(1); + + if (roleActionPermission.length === 0) { + return next( + createHttpError( + HttpCode.FORBIDDEN, + "User does not have permission perform this action" + ) + ); + } + const isLicensed = await isLicensedOrSubscribed( orgId, tierMatrix.advancedPrivateResources