feat: Prevent editing of built in roles

2025-02-19 00:15:43 +01:00 · 2022-01-13 10:23:12 +02:00 · 2022-01-13 10:23:12 +02:00 · bdf0d386d5
commit bdf0d386d5
parent a85ca86761
2 changed files with 33 additions and 1 deletions
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@ -26,6 +26,7 @@ import RoleInUseError from '../error/role-in-use-error';
 import { roleSchema } from '../schema/role-schema';
 import { CUSTOM_ROLE_TYPE } from '../util/constants';
 import { DEFAULT_PROJECT } from '../types/project';
+import InvalidOperationError from '../error/invalid-operation-error';

 export const ALL_PROJECTS = '*';
 export const ALL_ENVS = '*';
@ -411,7 +412,7 @@ export class AccessService {
            id: role.id,
            name: role.name,
            description: role.description,
-            roleType: 'custom',
+            roleType: CUSTOM_ROLE_TYPE,
        };
        const rolePermissions = role.permissions;
        const newRole = await this.roleStore.update(baseRole);
@ -450,11 +451,23 @@ export class AccessService {
        return Promise.resolve();
    }

+    async validateRoleIsNotBuiltIn(roleId: number): Promise<void> {
+        const role = await this.store.get(roleId);
+        if (role.type !== CUSTOM_ROLE_TYPE) {
+            throw new InvalidOperationError(
+                'You can not change built in roles.',
+            );
+        }
+    }
+
    async validateRole(
        role: IRoleCreation,
        existingId?: number,
    ): Promise<IRoleCreation> {
        const cleanedRole = await roleSchema.validateAsync(role);
+        if (existingId) {
+            await this.validateRoleIsNotBuiltIn(existingId);
+        }
        await this.validateRoleIsUnique(role.name, existingId);
        return cleanedRole;
    }
--- a/src/test/e2e/services/access-service.e2e.test.ts
+++ b/src/test/e2e/services/access-service.e2e.test.ts
@ -756,3 +756,22 @@ test('Should be allowed move feature toggle to project when the user has access'
        projectOrigin.id,
    );
 });
+
+test('Should not be allowed to edit a built in role', async () => {
+    expect.assertions(1);
+
+    const editRole = await accessService.getRoleByName(RoleName.EDITOR);
+    const roleUpdate = {
+        id: editRole.id,
+        name: 'NoLongerTheEditor',
+        description: 'Ha!',
+    };
+
+    try {
+        await accessService.updateRole(roleUpdate);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You can not change built in roles.',
+        );
+    }
+});