From dc33f3a7fcda54489386e75bf80e6107f07764af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nuno=20G=C3=B3is?= Date: Tue, 18 Jun 2024 10:16:26 +0100 Subject: [PATCH] fix: backend check on the service layer --- src/lib/features/project/project-service.ts | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/lib/features/project/project-service.ts b/src/lib/features/project/project-service.ts index 0a9ce5721b..cca524d571 100644 --- a/src/lib/features/project/project-service.ts +++ b/src/lib/features/project/project-service.ts @@ -52,6 +52,7 @@ import { SYSTEM_USER_ID, type ProjectCreated, type IProjectOwnersReadModel, + ADMIN, } from '../../types'; import type { IProjectAccessModel, @@ -838,16 +839,21 @@ export default class ProjectService { } private async isAllowedToAddAccess( - userAddingAccess: number, + userAddingAccess: IAuditUser, projectId: string, rolesBeingAdded: number[], ): Promise { + const userPermissions = + await this.accessService.getPermissionsForUser(userAddingAccess); + if (userPermissions.some(({ permission }) => permission === ADMIN)) { + return true; + } const userRoles = await this.accessService.getAllProjectRolesForUser( - userAddingAccess, + userAddingAccess.id, projectId, ); if ( - this.isAdmin(userAddingAccess, userRoles) || + this.isAdmin(userAddingAccess.id, userRoles) || this.isProjectOwner(userRoles, projectId) ) { return true; @@ -864,7 +870,7 @@ export default class ProjectService { users: number[], auditUser: IAuditUser, ): Promise { - if (await this.isAllowedToAddAccess(auditUser.id, projectId, roles)) { + if (await this.isAllowedToAddAccess(auditUser, projectId, roles)) { await this.accessService.addAccessToProject( roles, groups, @@ -915,7 +921,7 @@ export default class ProjectService { await this.validateAtLeastOneOwner(projectId, ownerRole); } const isAllowedToAssignRoles = await this.isAllowedToAddAccess( - auditUser.id, + auditUser, projectId, newRoles, ); 
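Review bot: The new root-admin short-circuit in isAllowedToAddAccess accepts any entry whose `permission` is `ADMIN` without looking at the entry's scope; if `getPermissionsForUser` also returns project- or environment-scoped entries (the `({ permission })` destructuring suggests each entry carries more fields), the test should also require the entry to be root-scoped, e.g. `permission === ADMIN && !project` — confirm against the read model's return shape before relying on it. The branch deserves a comment making the bypass explicit, e.g. `// Root admins may grant any role; skip the project-scoped owner/role checks below.` Note that the new lookup runs before the project-role query, so every non-admin caller now pays for two reads, and if `this.isAdmin(userAddingAccess.id, userRoles)` already covered root admins then one of the two checks is redundant — worth verifying which one is authoritative. The return type prints here as `Promise {`, presumably `Promise<boolean>` lost to extraction, and the body of isAllowedToAddAccess continues past the end of the hunk.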
@@ -966,7 +972,7 @@ export default class ProjectService { await this.validateAtLeastOneOwner(projectId, ownerRole); } const isAllowedToAssignRoles = await this.isAllowedToAddAccess( - auditUser.id, + auditUser, projectId, newRoles, );