fix: address code review issues in GitLab preview deployments

edouard-mangel · claude · edouard-mangel · commit 1c4d6a536c36 · 2026-03-29T10:05:19.000+02:00
- checkGitlabMemberPermissions: guard against userId=undefined when GitLab
  username lookup returns no results (prevents malformed API URL)
- gitlab.one tRPC endpoint: add ownership check (organizationId + userId)
  so webhookSecret cannot be read by other authenticated users
- Push Hook: extract added/modified/removed files from commits and pass
  to shouldDeploy so watchPaths filtering works correctly
- Push Hook: add shouldDeploy filtering to compose apps loop (was missing)
- Add tests: userId=undefined guard, watchPaths filtering on push

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/dokploy/__test__/deploy/gitlab.test.ts b/apps/dokploy/__test__/deploy/gitlab.test.ts
@@ -416,6 +416,30 @@ describe("GitLab webhook handler — Push Hook", () => {
 		expect(res.status).toHaveBeenCalledWith(200);
 	});
 
+	it("skips app when watchPaths is set and none of the modified files match", async () => {
+		const appWithWatchPaths = {
+			...FAKE_APP,
+			watchPaths: ["src/**"],
+		};
+		// First call (applications) returns app with watchPaths; second (compose) returns []
+		vi.mocked(db.query.applications.findMany).mockResolvedValueOnce([
+			appWithWatchPaths as any,
+		]);
+		vi.mocked(db.query.applications.findMany).mockResolvedValueOnce([] as any);
+
+		// Push only touches docs/ — does not match src/**
+		const pushPayload = {
+			...makePushPayload(),
+			commits: [{ added: ["docs/readme.md"], modified: [], removed: [] }],
+		};
+		const req = makeReq("Push Hook", pushPayload);
+		const res = makeRes();
+
+		await handler(req, res);
+
+		expect(myQueue.add).not.toHaveBeenCalled();
+	});
+
 	it("returns 200 with no-ops message when no apps match the push", async () => {
 		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
 		vi.mocked(db.query.compose.findMany).mockResolvedValue([]);
diff --git a/apps/dokploy/__test__/utils/gitlab-preview-utils.test.ts b/apps/dokploy/__test__/utils/gitlab-preview-utils.test.ts
@@ -140,6 +140,25 @@ describe("checkGitlabMemberPermissions", () => {
 		expect(result).toEqual({ hasWriteAccess: false, accessLevel: null });
 	});
 
+	it("returns hasWriteAccess=false when the username lookup returns no users", async () => {
+		// GitLab /users?username=ghost returns [] when user does not exist
+		vi.stubGlobal(
+			"fetch",
+			vi.fn().mockResolvedValueOnce({
+				ok: true,
+				json: async () => [], // no matching user
+			}),
+		);
+
+		const result = await checkGitlabMemberPermissions(
+			FAKE_GITLAB_ID,
+			123,
+			"ghost-user",
+		);
+
+		expect(result).toEqual({ hasWriteAccess: false, accessLevel: null });
+	});
+
 	it("throws when the members API returns a server error (500)", async () => {
 		vi.stubGlobal(
 			"fetch",
diff --git a/apps/dokploy/pages/api/deploy/gitlab.ts b/apps/dokploy/pages/api/deploy/gitlab.ts
@@ -43,6 +43,13 @@ export default async function handler(
 			const branchName = body?.ref?.replace("refs/heads/", "");
 			const deploymentHash = body?.checkout_sha;
 			const pathNamespace = body?.project?.path_with_namespace;
+			const modifiedFiles: string[] = (body?.commits ?? []).flatMap(
+				(commit: any) => [
+					...(commit.added ?? []),
+					...(commit.modified ?? []),
+					...(commit.removed ?? []),
+				],
+			);
 
 			const apps = await db.query.applications.findMany({
 				where: and(
@@ -64,9 +71,7 @@ export default async function handler(
 					server: !!app.serverId,
 				};
 
-				const shouldDeployPaths = shouldDeploy(app.watchPaths, []);
-
-				if (!shouldDeployPaths) {
+				if (!shouldDeploy(app.watchPaths, modifiedFiles)) {
 					continue;
 				}
 
@@ -103,6 +108,10 @@ export default async function handler(
 					server: !!composeApp.serverId,
 				};
 
+				if (!shouldDeploy(composeApp.watchPaths, modifiedFiles)) {
+					continue;
+				}
+
 				if (IS_CLOUD && composeApp.serverId) {
 					jobData.serverId = composeApp.serverId;
 					deploy(jobData).catch((error) => {
diff --git a/apps/dokploy/server/api/routers/gitlab.ts b/apps/dokploy/server/api/routers/gitlab.ts
@@ -50,9 +50,19 @@ export const gitlabRouter = createTRPCRouter({
 				});
 			}
 		}),
-	one: protectedProcedure.input(apiFindOneGitlab).query(async ({ input }) => {
-		return await findGitlabById(input.gitlabId);
-	}),
+	one: protectedProcedure
+		.input(apiFindOneGitlab)
+		.query(async ({ input, ctx }) => {
+			const result = await findGitlabById(input.gitlabId);
+			if (
+				result.gitProvider.organizationId !==
+					ctx.session.activeOrganizationId ||
+				result.gitProvider.userId !== ctx.session.userId
+			) {
+				throw new TRPCError({ code: "FORBIDDEN", message: "Access denied" });
+			}
+			return result;
+		}),
 	gitlabProviders: protectedProcedure.query(async ({ ctx }) => {
 		let result = await db.query.gitlab.findMany({
 			with: {
diff --git a/packages/server/src/utils/providers/gitlab.ts b/packages/server/src/utils/providers/gitlab.ts
@@ -278,6 +278,10 @@ export const checkGitlabMemberPermissions = async (
 	const users = await userResponse.json();
 	const userId = users[0]?.id;
 
+	if (!userId) {
+		return { hasWriteAccess: false, accessLevel: null };
+	}
+
 	// Check project membership
 	const memberResponse = await fetch(
 		`${baseUrl}/api/v4/projects/${projectId}/members/all/${userId}`,
