diff --git a/src/lib/middleware/rbac-middleware.test.ts b/src/lib/middleware/rbac-middleware.test.ts
index b07b9ef229..10794d2993 100644
--- a/src/lib/middleware/rbac-middleware.test.ts
+++ b/src/lib/middleware/rbac-middleware.test.ts
@@ -332,3 +332,36 @@ test('DELETE_TAG_TYPE does not need projectId', async () => {
 undefined,
 );
 });
+
+test('should not expect featureName for UPDATE_FEATURE when projectId specified', async () => {
+ const projectId = 'some-project-33';
+
+ const accessService = {
+ hasPermission: jest.fn(),
+ };
+
+ const func = rbacMiddleware(config, { featureToggleStore }, accessService);
+
+ const cb = jest.fn();
+ const req: any = {
+ user: new User({
+ username: 'user',
+ id: 1,
+ }),
+ params: {},
+ body: {
+ project: projectId,
+ },
+ };
+
+ func(req, undefined, cb);
+
+ await req.checkRbac(perms.UPDATE_FEATURE);
+
+ expect(accessService.hasPermission).toHaveBeenCalledWith(
+ req.user,
+ perms.UPDATE_FEATURE,
+ projectId,
+ undefined,
+ );
+});
diff --git a/src/lib/middleware/rbac-middleware.ts b/src/lib/middleware/rbac-middleware.ts
index 4c20d8240c..af26f21875 100644
--- a/src/lib/middleware/rbac-middleware.ts
+++ b/src/lib/middleware/rbac-middleware.ts
@@ -63,7 +63,10 @@ const rbacMiddleware = (
 
 // Temporary workaround to figure out projectId for feature toggle updates.
 // will be removed in Unleash v5.0
- if ([DELETE_FEATURE, UPDATE_FEATURE].includes(permission)) {
+ if (
+ !projectId &&
+ [DELETE_FEATURE, UPDATE_FEATURE].includes(permission)
+ ) {
 const { featureName } = params;
 projectId = await featureToggleStore.getProjectId(featureName);
 } else if (
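Review bot: The added test covers only `perms.UPDATE_FEATURE` with an empty `params`, but the condition it exercises also applies to DELETE_FEATURE and matters most when a feature name and a project are both present in the request. A second case with a feature name in `params` and a `project` in `body` would pin which project reaches `hasPermission` on that path, which is the authorization-relevant one. The title says featureName is not expected, yet nothing asserts that the store lookup is skipped; if `featureToggleStore` can be spied on in this file, an `expect(...).not.toHaveBeenCalled()` on `getProjectId` would make that explicit.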
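Review bot: With the added `!projectId &&` guard, a project id taken from the request short-circuits the `featureToggleStore.getProjectId(featureName)` lookup, so for UPDATE_FEATURE and DELETE_FEATURE the permission is evaluated against the project the caller names rather than the project that owns the feature. Where `projectId` is read is outside this hunk, but the new test shows `body.project` reaching `hasPermission`. That suggests a user holding the permission in one project could get a change to a feature in another project authorised, unless every handler separately verifies that the feature belongs to the named project. I would keep the lookup whenever a feature name is present, `if (params.featureName && [DELETE_FEATURE, UPDATE_FEATURE].includes(permission)) {`, and deny the check when the supplied project differs from the stored one. The enclosing function starts and ends outside the hunk.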