fix(api-file-manager): security check on settings (#4626)

Author: brunozoric

apps/core/dynamoToElastic/src/index.ts

@@ -1,14 +1,12 @@
 import { createHandler } from "@webiny/handler-aws/raw";
 import elasticsearchClientContextPlugin from "@webiny/api-elasticsearch";
-import elasticsearchDataGzipCompression from "@webiny/api-elasticsearch/plugins/GzipCompression";
 import { createEventHandler as createDynamoDBEventHandler } from "@webiny/api-dynamodb-to-elasticsearch";
 
 export const handler = createHandler({
     plugins: [
         elasticsearchClientContextPlugin({
             endpoint: `https://${process.env.ELASTIC_SEARCH_ENDPOINT}`
         }),
-        elasticsearchDataGzipCompression(),
         createDynamoDBEventHandler()
     ]
 });

packages/api-file-manager/src/FileManagerContextSetup.ts

@@ -1,5 +1,11 @@
-import { FileManagerAliasesStorageOperations, FileManagerContext } from "~/types";
-import { createFileManager, FileManagerConfig } from "~/createFileManager";
+import {
+    FileManagerAliasesStorageOperations,
+    type FileManagerContext,
+    FilePermission,
+    type SettingsPermission
+} from "~/types";
+import type { FileManagerConfig } from "~/createFileManager/types";
+import { createFileManager } from "~/createFileManager";
 import { FileStorage } from "~/storage/FileStorage";
 import WebinyError from "@webiny/error";
 import { SecurityPermission } from "@webiny/api-security/types";
@@ -8,6 +14,7 @@ import { CmsFilesStorage } from "~/cmsFileStorage/CmsFilesStorage";
 import { CmsModelModifierPlugin } from "~/modelModifier/CmsModelModifier";
 import { CmsModelPlugin, isHeadlessCmsReady } from "@webiny/api-headless-cms";
 import { FilesPermissions } from "~/createFileManager/permissions/FilesPermissions";
+import { SettingsPermissions } from "~/createFileManager/permissions/SettingsPermissions";
 
 export class FileManagerContextSetup {
     private readonly context: FileManagerContext;
@@ -31,13 +38,21 @@ export class FileManagerContextSetup {
 
         const filesPermissions = new FilesPermissions({
             getIdentity: this.context.security.getIdentity,
-            getPermissions: () => this.context.security.getPermissions("fm.file"),
+            getPermissions: () => this.context.security.getPermissions<FilePermission>("fm.file"),
+            fullAccessPermissionName: "fm.*"
+        });
+
+        const settingsPermissions = new SettingsPermissions({
+            getIdentity: this.context.security.getIdentity,
+            getPermissions: () =>
+                this.context.security.getPermissions<SettingsPermission>("fm.settings"),
             fullAccessPermissionName: "fm.*"
         });
 
         return createFileManager({
             storageOperations,
             filesPermissions,
+            settingsPermissions,
             getTenantId: this.getTenantId.bind(this),
             getLocaleCode: this.getLocaleCode.bind(this),
             getIdentity: this.getIdentity.bind(this),

packages/api-file-manager/src/createFileManager/files.crud.ts

@@ -1,21 +1,31 @@
 import { NotFoundError } from "@webiny/handler-graphql";
 import { createTopic } from "@webiny/pubsub";
 import WebinyError from "@webiny/error";
-import {
+import type {
     File,
     FileManagerFilesStorageOperationsListParamsWhere,
     FileManagerFilesStorageOperationsTagsParamsWhere,
     FilesCRUD,
     FilesListOpts
 } from "~/types";
-import { FileManagerConfig } from "~/createFileManager/index";
+import { FileManagerConfig } from "~/createFileManager/types";
 import { ROOT_FOLDER } from "~/contants";
 import { NotAuthorizedError } from "@webiny/api-security";
 import { getDate } from "@webiny/api-headless-cms/utils/date";
 import { getIdentity as utilsGetIdentity } from "@webiny/api-headless-cms/utils/identity";
 import { CmsEntryListSort } from "@webiny/api-headless-cms/types";
 
-export const createFilesCrud = (config: FileManagerConfig): FilesCRUD => {
+export const createFilesCrud = (
+    config: Pick<
+        FileManagerConfig,
+        | "storageOperations"
+        | "filesPermissions"
+        | "getLocaleCode"
+        | "getTenantId"
+        | "getIdentity"
+        | "WEBINY_VERSION"
+    >
+): FilesCRUD => {
     const {
         storageOperations,
         filesPermissions,

packages/api-file-manager/src/createFileManager/index.ts

@@ -1,21 +1,8 @@
-import { FileManagerContextObject, FileManagerStorageOperations } from "~/types";
-import { GetPermissions, SecurityIdentity } from "@webiny/api-security/types";
+import type { FileManagerContextObject } from "~/types";
 import { createFilesCrud } from "~/createFileManager/files.crud";
-import { FileStorage } from "~/storage/FileStorage";
 import { createSettingsCrud } from "~/createFileManager/settings.crud";
 import { createSystemCrud } from "~/createFileManager/system.crud";
-import { FilesPermissions } from "~/createFileManager/permissions/FilesPermissions";
-
-export interface FileManagerConfig {
-    storageOperations: FileManagerStorageOperations;
-    filesPermissions: FilesPermissions;
-    getTenantId: () => string;
-    getLocaleCode: () => string;
-    getIdentity: () => SecurityIdentity;
-    getPermissions: GetPermissions;
-    storage: FileStorage;
-    WEBINY_VERSION: string;
-}
+import type { FileManagerConfig } from "~/createFileManager/types";
 
 export const createFileManager = (config: FileManagerConfig): FileManagerContextObject => {
     const filesCrud = createFilesCrud(config);

packages/api-file-manager/src/createFileManager/permissions/SettingsPermissions.ts

@@ -0,0 +1,4 @@
+import { AppPermissions } from "@webiny/api-security/utils/AppPermissions";
+import type { SettingsPermission } from "~/types";
+
+export class SettingsPermissions extends AppPermissions<SettingsPermission> {}

packages/api-file-manager/src/createFileManager/settings.crud.ts

@@ -1,6 +1,6 @@
 import { createTopic } from "@webiny/pubsub";
-import { FileManagerSettings, SettingsCRUD } from "~/types";
-import { FileManagerConfig } from "~/createFileManager/index";
+import type { FileManagerSettings, SettingsCRUD } from "~/types";
+import type { FileManagerConfig } from "./types";
 import zod from "zod";
 import { createZodError } from "@webiny/utils";
 
@@ -51,15 +51,21 @@ const updateDataModelValidation = zod.object({
 
 export const createSettingsCrud = ({
     storageOperations,
-    getTenantId
-}: FileManagerConfig): SettingsCRUD => {
+    getTenantId,
+    settingsPermissions
+}: Pick<
+    FileManagerConfig,
+    "storageOperations" | "getTenantId" | "settingsPermissions"
+>): SettingsCRUD => {
     return {
         onSettingsBeforeUpdate: createTopic("fileManager.onSettingsBeforeUpdate"),
         onSettingsAfterUpdate: createTopic("fileManager.onSettingsAfterUpdate"),
         async getSettings() {
             return storageOperations.settings.get({ tenant: getTenantId() });
         },
         async createSettings(data) {
+            await settingsPermissions.ensure();
+
             const results = createDataModelValidation.safeParse(data);
             if (!results.success) {
                 throw createZodError(results.error);
@@ -73,6 +79,7 @@ export const createSettingsCrud = ({
             });
         },
         async updateSettings(data) {
+            await settingsPermissions.ensure();
             const results = updateDataModelValidation.safeParse(data);
             if (!results.success) {
                 throw createZodError(results.error);
@@ -118,6 +125,7 @@ export const createSettingsCrud = ({
             return result;
         },
         async deleteSettings() {
+            await settingsPermissions.ensure();
             await storageOperations.settings.delete({ tenant: getTenantId() });
 
             return true;

packages/api-file-manager/src/createFileManager/system.crud.ts

@@ -1,20 +1,23 @@
 import { createTopic } from "@webiny/pubsub";
 import { NotAuthorizedError } from "@webiny/api-security";
-import {
+import type {
     FileManagerContextObject,
     FileManagerSettings,
     FileManagerSystem,
     SystemCRUD
 } from "~/types";
 import WebinyError from "@webiny/error";
-import { FileManagerConfig } from "~/createFileManager/index";
+import type { FileManagerConfig } from "~/createFileManager/types";
 
 export const createSystemCrud = ({
     storageOperations,
     getTenantId,
     getIdentity,
     WEBINY_VERSION
-}: FileManagerConfig): SystemCRUD => {
+}: Pick<
+    FileManagerConfig,
+    "storageOperations" | "getTenantId" | "getIdentity" | "WEBINY_VERSION"
+>): SystemCRUD => {
     return {
         onSystemBeforeInstall: createTopic("fileManager.onSystemBeforeInstall"),
         onSystemAfterInstall: createTopic("fileManager.onSystemAfterInstall"),

packages/api-file-manager/src/createFileManager/types.ts

@@ -0,0 +1,17 @@
+import type { FileManagerStorageOperations } from "~/types";
+import type { FilesPermissions } from "./permissions/FilesPermissions";
+import type { GetPermissions, SecurityIdentity } from "@webiny/api-security/types";
+import type { FileStorage } from "~/storage/FileStorage";
+import type { SettingsPermissions } from "./permissions/SettingsPermissions";
+
+export interface FileManagerConfig {
+    storageOperations: FileManagerStorageOperations;
+    filesPermissions: FilesPermissions;
+    settingsPermissions: SettingsPermissions;
+    getTenantId: () => string;
+    getLocaleCode: () => string;
+    getIdentity: () => SecurityIdentity;
+    getPermissions: GetPermissions;
+    storage: FileStorage;
+    WEBINY_VERSION: string;
+}

packages/api-file-manager/src/index.ts

@@ -1,10 +1,10 @@
 import { ContextPlugin } from "@webiny/api";
-import { FileManagerConfig } from "~/createFileManager";
-import { FileManagerContext } from "~/types";
+import type { FileManagerContext } from "~/types";
 import { FileManagerContextSetup } from "./FileManagerContextSetup";
-import { setupAssetDelivery, AssetDeliveryParams } from "./delivery/setupAssetDelivery";
+import { AssetDeliveryParams, setupAssetDelivery } from "./delivery/setupAssetDelivery";
 import { createGraphQLSchemaPlugin } from "./graphql";
 import { applyThreatScanning } from "./enterprise/applyThreatScanning";
+import type { FileManagerConfig } from "./createFileManager/types";
 
 export * from "./modelModifier/CmsModelModifier";
 export * from "./plugins";

packages/api-file-manager/src/types.ts

@@ -33,6 +33,10 @@ export interface FilePermission extends SecurityPermission {
     own?: boolean;
 }
 
+export interface SettingsPermission extends SecurityPermission {
+    name: "fm.setting";
+}
+
 export interface FileInput {
     id: string;
 

packages/api-page-builder/src/graphql/crud.ts

@@ -9,7 +9,7 @@ import { createPageElementsCrud } from "./crud/pageElements.crud";
 import { createSettingsCrud } from "./crud/settings.crud";
 import { createSystemCrud } from "./crud/system.crud";
 import { ContextPlugin } from "@webiny/api";
-import { PbContext, PrerenderingHandlers } from "~/graphql/types";
+import { PbContext, PrerenderingHandlers, type SettingsSecurityPermission } from "~/graphql/types";
 import { createTopic } from "@webiny/pubsub";
 import { PageBuilderStorageOperations } from "~/types";
 import WebinyError from "@webiny/error";
@@ -21,6 +21,7 @@ import { PageTemplatesPermissions } from "~/graphql/crud/permissions/PageTemplat
 import { PageBlocksPermissions } from "~/graphql/crud/permissions/PageBlocksPermissions";
 import { GzipContentCompressionPlugin, JsonpackContentCompressionPlugin } from "~/plugins";
 import { createDataSourcesContext } from "~/dataSources/context/createDataSourcesContext";
+import { SettingsPermissions } from "~/graphql/crud/permissions/SettingsPermissions";
 
 export interface CreateCrudParams {
     storageOperations: PageBuilderStorageOperations;
@@ -121,6 +122,13 @@ const setup = (params: CreateCrudParams) => {
             fullAccessPermissionName: "pb.*"
         });
 
+        const settingsPermissions = new SettingsPermissions({
+            getIdentity: () => context.security.getIdentity(),
+            getPermissions: () =>
+                context.security.getPermissions<SettingsSecurityPermission>("pb.settings"),
+            fullAccessPermissionName: "pb.*"
+        });
+
         const system = await createSystemCrud({
             context,
             storageOperations,
@@ -131,7 +139,8 @@ const setup = (params: CreateCrudParams) => {
             context,
             storageOperations,
             getTenantId,
-            getLocaleCode
+            getLocaleCode,
+            settingsPermissions
         });
 
         const menus = createMenuCrud({

packages/api-page-builder/src/graphql/crud/permissions/SettingsPermissions.ts

@@ -0,0 +1,4 @@
+import { AppPermissions } from "@webiny/api-security/utils/AppPermissions";
+import type { SettingsSecurityPermission } from "~/types";
+
+export class SettingsPermissions extends AppPermissions<SettingsSecurityPermission> {}

packages/api-page-builder/src/graphql/crud/settings.crud.ts

@@ -18,6 +18,7 @@ import DataLoader from "dataloader";
 import { createTopic } from "@webiny/pubsub";
 import { createSettingsCreateValidation } from "~/graphql/crud/settings/validation";
 import { createZodError, removeUndefinedValues } from "@webiny/utils";
+import type { SettingsPermissions } from "./permissions/SettingsPermissions";
 
 interface SettingsParams {
     tenant: string;
@@ -37,10 +38,11 @@ export interface CreateSettingsCrudParams {
     storageOperations: PageBuilderStorageOperations;
     getTenantId: () => string;
     getLocaleCode: () => string;
+    settingsPermissions: SettingsPermissions;
 }
 
 export const createSettingsCrud = (params: CreateSettingsCrudParams): SettingsCrud => {
-    const { storageOperations, getLocaleCode, getTenantId } = params;
+    const { storageOperations, getLocaleCode, getTenantId, settingsPermissions } = params;
 
     const settingsDataLoader = new DataLoader<SettingsParams, Settings | null, string>(
         async keys => {
@@ -109,6 +111,8 @@ export const createSettingsCrud = (params: CreateSettingsCrudParams): SettingsCr
         },
 
         async updateSettings(this: PageBuilderContextObject, input) {
+            await settingsPermissions.ensure();
+
             const params = {
                 tenant: getTenantId(),
                 locale: getLocaleCode(),

packages/api-page-builder/src/graphql/types.ts

@@ -922,6 +922,10 @@ export interface PageSecurityPermission extends PbSecurityPermission {
     pw: string;
 }
 
+export interface SettingsSecurityPermission extends PbSecurityPermission {
+    name: "pb.settings";
+}
+
 // Page Builder lifecycle events.
 export interface PageBeforeRenderEvent extends Pick<RenderParams, "paths" | "tags"> {
     args: {