Merge pull request #1712 from rocket-admin/backend_dashboards_permissions

Implement dashboard permissions validation and add end-to-end tests for dashboard access

Author: Artuomka

backend/src/entities/visualizations/dashboard/use-cases/find-all-dashboards.use.case.ts

@@ -2,6 +2,8 @@ import { Inject, Injectable, NotFoundException, Scope } from '@nestjs/common';
 import AbstractUseCase from '../../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../../common/data-injection.tokens.js';
+import { CedarAction } from '../../../cedar-authorization/cedar-action-map.js';
+import { CedarAuthorizationService } from '../../../cedar-authorization/cedar-authorization.service.js';
 import { Messages } from '../../../../exceptions/text/messages.js';
 import { FindAllDashboardsDs } from '../data-structures/find-all-dashboards.ds.js';
 import { FoundDashboardDto } from '../dto/found-dashboard.dto.js';
@@ -16,12 +18,13 @@ export class FindAllDashboardsUseCase
 	constructor(
 		@Inject(BaseType.GLOBAL_DB_CONTEXT)
 		protected _dbContext: IGlobalDatabaseContext,
+		private readonly cedarAuthService: CedarAuthorizationService,
 	) {
 		super();
 	}
 
 	public async implementation(inputData: FindAllDashboardsDs): Promise<FoundDashboardDto[]> {
-		const { connectionId, masterPassword } = inputData;
+		const { connectionId, masterPassword, userId } = inputData;
 
 		const foundConnection = await this._dbContext.connectionRepository.findAndDecryptConnection(
 			connectionId,
@@ -35,6 +38,17 @@ export class FindAllDashboardsUseCase
 		const dashboards =
 			await this._dbContext.dashboardRepository.findAllDashboardsWithWidgetsByConnectionId(connectionId);
 
-		return dashboards.map(buildFoundDashboardDto);
+		const accessChecks = await Promise.all(
+			dashboards.map((dashboard) =>
+				this.cedarAuthService.validate({
+					userId,
+					action: CedarAction.DashboardRead,
+					connectionId,
+					dashboardId: dashboard.id,
+				}),
+			),
+		);
+
+		return dashboards.filter((_, index) => accessChecks[index]).map(buildFoundDashboardDto);
 	}
 }

backend/src/guards/dashboard-read.guard.ts

@@ -3,10 +3,13 @@ import {
 	CanActivate,
 	ExecutionContext,
 	ForbiddenException,
+	Inject,
 	Injectable,
 } from '@nestjs/common';
 import { Observable } from 'rxjs';
 import { IRequestWithCognitoInfo } from '../authorization/index.js';
+import { IGlobalDatabaseContext } from '../common/application/global-database-context.interface.js';
+import { BaseType } from '../common/data-injection.tokens.js';
 import { CedarAction } from '../entities/cedar-authorization/cedar-action-map.js';
 import { CedarAuthorizationService } from '../entities/cedar-authorization/cedar-authorization.service.js';
 import { Messages } from '../exceptions/text/messages.js';
@@ -17,6 +20,8 @@ import { validateUuidByRegex } from './utils/validate-uuid-by-regex.js';
 export class DashboardReadGuard implements CanActivate {
 	constructor(
 		private readonly cedarAuthService: CedarAuthorizationService,
+		@Inject(BaseType.GLOBAL_DB_CONTEXT)
+		private readonly _dbContext: IGlobalDatabaseContext,
 	) {}
 
 	canActivate(context: ExecutionContext): boolean | Promise<boolean> | Observable<boolean> {
@@ -35,6 +40,19 @@ export class DashboardReadGuard implements CanActivate {
 			const dashboardId: string = request.params?.dashboardId;
 
 			try {
+				if (!dashboardId) {
+					const isUserInConnection = await this._dbContext.connectionRepository.isUserFromConnection(
+						cognitoUserName,
+						connectionId,
+					);
+					if (isUserInConnection) {
+						resolve(true);
+						return;
+					}
+					reject(new ForbiddenException(Messages.DONT_HAVE_PERMISSIONS));
+					return;
+				}
+
 				const allowed = await this.cedarAuthService.validate({
 					userId: cognitoUserName,
 					action: CedarAction.DashboardRead,