Dokploy/dokploy
1
0
Fork 0
mirror of https://github.com/Dokploy/dokploy.git synced 2026-06-15 20:25:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: add cross-org ownership checks to cluster, deployment, backup, and WebSocket endpoints

Browse Source 
Prevents owner/admin users of one organization from accessing servers,
destinations, and Docker Swarm join tokens belonging to other organizations
by validating organizationId on all endpoints that accept serverId or
destinationId as direct input.

- cluster: validate serverId org on getNodes, addWorker, addManager, removeWorker
- deployment: validate serverId org on allByServer
- backup: validate destinationId + serverId org on listBackupFiles
- volume-backups: validate destinationId + serverId org on restoreVolumeBackupWithLogs
- wss: validate server org on docker-container-logs, docker-container-terminal,
  listen-deployment, and terminal WebSocket handlers
- auth: fix TypeScript type for API key metadata parsing
This commit is contained in:
Mauricio Siu
2026-04-24 12:44:42 -06:00
parent d7af82731c
commit 018e2b153e
9 changed files with 104 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
packages/server/src/lib/auth.ts
View File

@@ -481,8 +481,10 @@ export const validateRequest = async (request: IncomingMessage) => {
};
}
const organizationId = JSON.parse(
apiKeyRecord.metadata || "{}",
const organizationId = (
JSON.parse(apiKeyRecord.metadata || "{}") as {
organizationId?: string;
}
).organizationId;
if (!organizationId) {