fix: unauthorized disable feature (#5982)

## About the changes This was spotted while testing automated actions. Steps to reproduce: 1. Add an editor user 2. Get a PAT for the editor user 3. As Admin create a feature in a project where the editor user is not a member and enable the feature 4. Try using the editor's PAT to modify the feature 5. As the editor create a project (you'd be made owner) and try the same request but just change the project name for the new project just created (don't change anything else) **Expected behavior**: you can't disable the feature **Actual behavior**: the feature is disabled This does not happen when trying to turn on a flag because during the turn-on process we do validate if the feature belongs to project when we call updateStrategy: c18a7c0dc2/src/lib/features/feature-toggle/feature-toggle-service.ts (L1751-L1764)
2025-10-27 11:02:16 +01:00 · 2024-01-22 12:50:14 +01:00 · 2024-01-22 12:50:14 +01:00 · c5afa8ff11
commit c5afa8ff11
parent 055bab8e7c
2 changed files with 9 additions and 2 deletions
--- a/src/lib/features/feature-toggle/feature-toggle-service.ts
+++ b/src/lib/features/feature-toggle/feature-toggle-service.ts
@ -1732,6 +1732,10 @@ class FeatureToggleService {
        user?: IUser,
        shouldActivateDisabledStrategies = false,
    ): Promise<FeatureToggle> {
+        await this.validateFeatureBelongsToProject({
+            featureName,
+            projectId: project,
+        });
        const hasEnvironment =
            await this.featureEnvironmentStore.featureHasEnvironment(
                environment,
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@ -65,6 +65,9 @@ export type IdPermissionRef = Pick<IPermission, 'id' | 'environment'>;
 export type NamePermissionRef = Pick<IPermission, 'name' | 'environment'>;
 export type PermissionRef = IdPermissionRef | NamePermissionRef;

+type APIUser = Pick<IUser, 'id' | 'permissions'> & { isAPI: true };
+type NonAPIUser = Pick<IUser, 'id'> & { isAPI?: false };
+
 export interface IRoleCreation {
    name: string;
    description: string;
@ -150,7 +153,7 @@ export class AccessService {
     * @param projectId
     */
    async hasPermission(
-        user: Pick<IUser, 'id' | 'permissions' | 'isAPI'>,
+        user: APIUser | NonAPIUser,
        permission: string | string[],
        projectId?: string,
        environment?: string,
@ -198,7 +201,7 @@ export class AccessService {
    }

    async getPermissionsForUser(
-        user: Pick<IUser, 'id' | 'isAPI' | 'permissions'>,
+        user: APIUser | NonAPIUser,
    ): Promise<IUserPermission[]> {
        if (user.isAPI) {
            return user.permissions?.map((p) => ({