Prevent modifying app permissions via the collection endpoint (#25684)

5d3f8279 · metamben · GitHub · e5c19bfe · 5d3f8279 · 5d3f8279
Unverified Commit 5d3f8279 authored 2 years ago by metamben Committed by GitHub 2 years ago
--- a/src/metabase/models/collection/graph.clj
+++ b/src/metabase/models/collection/graph.clj
@@ -9,6 +9,7 @@
            [metabase.models.permissions-group :refer [PermissionsGroup]]
            [metabase.util :as u]
            [metabase.util.honeysql-extensions :as hx]
+            [metabase.util.i18n :as i18n :refer [tru]]
            [metabase.util.schema :as su]
            [schema.core :as s]
            [toucan.db :as db]))
@@ -93,6 +94,18 @@

 ;;; -------------------------------------------------- Update Graph --------------------------------------------------

+(defn- check-no-app-collections [changes]
+  (let [coll-ids (into #{}
+                       (comp (mapcat second)
+                             (map first)
+                             (filter int?))
+                       changes)]
+    (when-let [app-ids (and (seq coll-ids)
+                            (db/select-ids 'App :collection_id [:in coll-ids]))]
+      (throw (ex-info (tru "Cannot set app permissions using this endpoint")
+                      {:status-code 400
+                       :app-ids app-ids})))))
+
 (s/defn ^:private update-collection-permissions!
  [collection-namespace :- (s/maybe su/KeywordOrString)
   group-id             :- su/IntGreaterThanZero
@@ -134,6 +147,7 @@
         [diff-old changes] (data/diff old-perms new-perms)]
     (perms/log-permissions-changes diff-old changes)
     (perms/check-revision-numbers old-graph new-graph)
+     (check-no-app-collections changes)
     (when (seq changes)
       (db/transaction
         (doseq [[group-id changes] changes]

--- a/test/metabase/models/collection/graph_test.clj
+++ b/test/metabase/models/collection/graph_test.clj
@@ -3,7 +3,7 @@
            [clojure.test :refer :all]
            [medley.core :as m]
            [metabase.api.common :refer [*current-user-id*]]
-            [metabase.models :refer [User]]
+            [metabase.models :refer [App User]]
            [metabase.models.collection :as collection :refer [Collection]]
            [metabase.models.collection-permission-graph-revision :as c-perm-revision
             :refer [CollectionPermissionGraphRevision]]
@@ -434,3 +434,12 @@
    (with-n-temp-users-with-personal-collections 2000
      (is (>= (db/count Collection :personal_owner_id [:not= nil]) 2000))
      (is (map? (graph/graph))))))
+
+(deftest modify-perms-for-app-collections-test
+  (testing "that we cannot modify perms for app collections"
+    (mt/with-temp* [Collection [{coll-id :id}]
+                    App [_app {:collection_id coll-id}]]
+      (is (thrown-with-msg? clojure.lang.ExceptionInfo #"Cannot set app permissions using this endpoint"
+                            (graph/update-graph! (assoc-in (graph/graph)
+                                                           [:groups (u/the-id (perms-group/all-users)) coll-id]
+                                                           :read)))))))