fix: correct permission checks for compose loadServices and env editing

- Change compose.loadServices permission from service:create to service:read
  since loading services from a compose file is a read-only operation
- Add saveEnvironment endpoint to compose router with envVars:write permission
- Update show-environment.tsx to use saveEnvironment mutations instead of
  generic update mutations for all service types (compose, databases)

Closes #4052

apps/dokploy/components/dashboard/application/environment/show-environment.tsx

@@ -56,17 +56,17 @@ export const ShowEnvironment = ({ id, type }: Props) => {
 	const [isEnvVisible, setIsEnvVisible] = useState(true);
 
 	const mutationMap = {
-		compose: () => api.compose.update.useMutation(),
+		compose: () => api.compose.saveEnvironment.useMutation(),
-		libsql: () => api.libsql.update.useMutation(),
+		libsql: () => api.libsql.saveEnvironment.useMutation(),
-		mariadb: () => api.mariadb.update.useMutation(),
+		mariadb: () => api.mariadb.saveEnvironment.useMutation(),
-		mongo: () => api.mongo.update.useMutation(),
+		mongo: () => api.mongo.saveEnvironment.useMutation(),
-		mysql: () => api.mysql.update.useMutation(),
+		mysql: () => api.mysql.saveEnvironment.useMutation(),
-		postgres: () => api.postgres.update.useMutation(),
+		postgres: () => api.postgres.saveEnvironment.useMutation(),
-		redis: () => api.redis.update.useMutation(),
+		redis: () => api.redis.saveEnvironment.useMutation(),
 	};
 	const { mutateAsync, isPending } = mutationMap[type]
 		? mutationMap[type]()
-		: api.mongo.update.useMutation();
+		: api.mongo.saveEnvironment.useMutation();
 
 	const form = useForm<EnvironmentSchema>({
 		defaultValues: {

apps/dokploy/server/api/routers/compose.ts

@@ -61,6 +61,7 @@ import {
 	apiFindCompose,
 	apiRandomizeCompose,
 	apiRedeployCompose,
+	apiSaveEnvironmentVariablesCompose,
 	apiUpdateCompose,
 	compose as composeTable,
 	environments,
@@ -201,6 +202,31 @@ export const composeRouter = createTRPCRouter({
 			});
 			return updated;
 		}),
+	saveEnvironment: protectedProcedure
+		.input(apiSaveEnvironmentVariablesCompose)
+		.mutation(async ({ input, ctx }) => {
+			await checkServicePermissionAndAccess(ctx, input.composeId, {
+				envVars: ["write"],
+			});
+			const updated = await updateCompose(input.composeId, {
+				env: input.env,
+			});
+
+			if (!updated) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message: "Error adding environment variables",
+				});
+			}
+
+			await audit(ctx, {
+				action: "update",
+				resourceType: "compose",
+				resourceId: input.composeId,
+				resourceName: updated?.name,
+			});
+			return true;
+		}),
 	delete: protectedProcedure
 		.input(apiDeleteCompose)
 		.mutation(async ({ input, ctx }) => {
@@ -290,7 +316,7 @@ export const composeRouter = createTRPCRouter({
 		.input(apiFetchServices)
 		.query(async ({ input, ctx }) => {
 			await checkServicePermissionAndAccess(ctx, input.composeId, {
-				service: ["create"],
+				service: ["read"],
 			});
 			return await loadServices(input.composeId, input.type);
 		}),

packages/server/src/db/schema/compose.ts

@@ -225,6 +225,13 @@ export const apiUpdateCompose = createSchema
 	})
 	.omit({ serverId: true });
 
+export const apiSaveEnvironmentVariablesCompose = createSchema
+	.pick({
+		composeId: true,
+		env: true,
+	})
+	.required();
+
 export const apiRandomizeCompose = createSchema
 	.pick({
 		composeId: true,