mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-08 23:45:22 +02:00
refactor(cloud): add validation to prevent access to resources from another admin
This commit is contained in:
@@ -35,7 +35,6 @@ export const serverRouter = createTRPCRouter({
|
||||
const project = await createServer(input, ctx.user.adminId);
|
||||
return project;
|
||||
} catch (error) {
|
||||
console.log(error);
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to create the server",
|
||||
@@ -47,7 +46,15 @@ export const serverRouter = createTRPCRouter({
|
||||
one: protectedProcedure
|
||||
.input(apiFindOneServer)
|
||||
.query(async ({ input, ctx }) => {
|
||||
return await findServerById(input.serverId);
|
||||
const server = await findServerById(input.serverId);
|
||||
if (server.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to access this server",
|
||||
});
|
||||
}
|
||||
|
||||
return server;
|
||||
}),
|
||||
all: protectedProcedure.query(async ({ ctx }) => {
|
||||
const result = await db
|
||||
@@ -69,7 +76,7 @@ export const serverRouter = createTRPCRouter({
|
||||
|
||||
return result;
|
||||
}),
|
||||
withSSHKey: protectedProcedure.query(async ({ input, ctx }) => {
|
||||
withSSHKey: protectedProcedure.query(async ({ ctx }) => {
|
||||
return await db.query.server.findMany({
|
||||
orderBy: desc(server.createdAt),
|
||||
where: and(
|
||||
@@ -82,20 +89,30 @@ export const serverRouter = createTRPCRouter({
|
||||
.input(apiFindOneServer)
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
try {
|
||||
const server = await findServerById(input.serverId);
|
||||
if (server.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to setup this server",
|
||||
});
|
||||
}
|
||||
const currentServer = await serverSetup(input.serverId);
|
||||
return currentServer;
|
||||
} catch (error) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to setup this server",
|
||||
cause: error,
|
||||
});
|
||||
throw error;
|
||||
}
|
||||
}),
|
||||
remove: protectedProcedure
|
||||
.input(apiRemoveServer)
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
try {
|
||||
const server = await findServerById(input.serverId);
|
||||
if (server.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to delete this server",
|
||||
});
|
||||
}
|
||||
const activeServers = await haveActiveServices(input.serverId);
|
||||
|
||||
if (activeServers) {
|
||||
@@ -110,28 +127,27 @@ export const serverRouter = createTRPCRouter({
|
||||
|
||||
return currentServer;
|
||||
} catch (error) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to delete this server",
|
||||
cause: error,
|
||||
});
|
||||
throw error;
|
||||
}
|
||||
}),
|
||||
update: protectedProcedure
|
||||
.input(apiUpdateServer)
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
try {
|
||||
const server = await findServerById(input.serverId);
|
||||
if (server.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to update this server",
|
||||
});
|
||||
}
|
||||
const currentServer = await updateServerById(input.serverId, {
|
||||
...input,
|
||||
});
|
||||
|
||||
return currentServer;
|
||||
} catch (error) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to update this server",
|
||||
cause: error,
|
||||
});
|
||||
throw error;
|
||||
}
|
||||
}),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user