From 7a76db2bc403b3f832d4fc3e6618279a8b950730 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Thu, 13 Oct 2022 11:06:42 +0000 Subject: [PATCH] Expose team membership secret to api/console user --- app/controllers/api/teams.php | 35 ++++++++++++++++++- .../Utopia/Response/Model/Membership.php | 6 ++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php index a42b9d317e..ac31cfd34b 100644 --- a/app/controllers/api/teams.php +++ b/app/controllers/api/teams.php @@ -449,8 +449,19 @@ App::post('/v1/teams/:teamId/memberships') $events ->setParam('teamId', $team->getId()) ->setParam('membershipId', $membership->getId()) + ->setPayload($response->output( + $membership + ->setAttribute('teamName', $team->getAttribute('name')) + ->setAttribute('userName', $invitee->getAttribute('name')) + ->setAttribute('userEmail', $invitee->getAttribute('email')) + ->setAttribute('secret', $secret), + Response::MODEL_MEMBERSHIP + )) ; + // Hide secret for clients + $membership->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : ''); + $response ->setStatusCode(Response::STATUS_CODE_CREATED) ->dynamic( @@ -486,6 +497,9 @@ App::get('/v1/teams/:teamId/memberships') throw new Exception(Exception::TEAM_NOT_FOUND); } + $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles()); + $isAppUser = Auth::isAppUser(Authorization::getRoles()); + $queries = Query::parseQueries($queries); if (!empty($search)) { @@ -525,7 +539,11 @@ App::get('/v1/teams/:teamId/memberships') $memberships = array_filter($memberships, fn(Document $membership) => !empty($membership->getAttribute('userId'))); - $memberships = array_map(function ($membership) use ($dbForProject, $team) { + $memberships = array_map(function ($membership) use ($dbForProject, $team, $isPrivilegedUser, $isAppUser) { + + // Hide secret for clients + $membership->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $membership->getAttribute('secret') : ''); + $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); $membership @@ -572,8 +590,14 @@ App::get('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::MEMBERSHIP_NOT_FOUND); } + $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles()); + $isAppUser = Auth::isAppUser(Authorization::getRoles()); + $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); + // Hide secret for clients + $membership->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $membership->getAttribute('secret') : ''); + $membership ->setAttribute('teamName', $team->getAttribute('name')) ->setAttribute('userName', $user->getAttribute('name')) @@ -645,6 +669,9 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId') ->setParam('teamId', $team->getId()) ->setParam('membershipId', $membership->getId()); + // Hide secret for clients + $membership->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $membership->getAttribute('secret') : ''); + $response->dynamic( $membership ->setAttribute('teamName', $team->getAttribute('name')) @@ -718,6 +745,9 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status') throw new Exception(Exception::MEMBERSHIP_ALREADY_CONFIRMED); } + $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles()); + $isAppUser = Auth::isAppUser(Authorization::getRoles()); + $membership // Attach user to team ->setAttribute('joined', DateTime::now()) ->setAttribute('confirm', true) @@ -779,6 +809,9 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status') ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getId(), $secret), (new \DateTime($expire))->getTimestamp(), '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite')) ; + // Hide secret for clients + $membership->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $membership->getAttribute('secret') : ''); + $response->dynamic( $membership ->setAttribute('teamName', $team->getAttribute('name')) diff --git a/src/Appwrite/Utopia/Response/Model/Membership.php b/src/Appwrite/Utopia/Response/Model/Membership.php index 118864e804..a6734c6a4a 100644 --- a/src/Appwrite/Utopia/Response/Model/Membership.php +++ b/src/Appwrite/Utopia/Response/Model/Membership.php @@ -83,6 +83,12 @@ class Membership extends Model 'example' => 'admin', 'array' => true, ]) + ->addRule('secret', [ + 'type' => self::TYPE_STRING, + 'description' => 'Token secret key. This will return an empty string unless the response is returned using an API key or as part of a webhook payload.', + 'default' => '', + 'example' => '', + ]) ; }