fix: security patch (#651)

lunary-ai · Nov 12, 2024 · ded72a9 · ded72a9
1 parent 265388e
commit ded72a9
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/packages/backend/src/api/v1/runs/index.ts b/packages/backend/src/api/v1/runs/index.ts
@@ -2,7 +2,7 @@ import sql from "@/src/utils/db";
 import { Context } from "koa";
 import Router from "koa-router";
 
-import { checkAccess } from "@/src/utils/authorization";
+import { checkAccess, checkProjectAccess } from "@/src/utils/authorization";
 import { convertChecksToSQL } from "@/src/utils/checks";
 import { jsonrepair } from "jsonrepair";
 import { Feedback, Score, deserializeLogic } from "shared";
@@ -1016,8 +1016,14 @@ runs.patch(
   checkAccess("logs", "update"),
   async (ctx: Context) => {
     const { id: runId } = ctx.params;
+    const { projectId, userId } = ctx.state;
     const { label, value, comment } = Score.parse(ctx.request.body);
 
+    const hasProjectAccess = await checkProjectAccess(projectId, userId);
+    if (!hasProjectAccess) {
+      ctx.throw(401, "Unauthorized");
+    }
+
     let [existingScore] =
       await sql`select * from run_score where run_id = ${runId} and label = ${label}`;