diff --git a/integration-tests/tests/api/oidc-integrations/crud.spec.ts b/integration-tests/tests/api/oidc-integrations/crud.spec.ts
index e14ec85c1e..72937e69ee 100644
--- a/integration-tests/tests/api/oidc-integrations/crud.spec.ts
+++ b/integration-tests/tests/api/oidc-integrations/crud.spec.ts
@@ -150,7 +150,7 @@ describe('create', () => {
 expect(errors).toEqual(
 expect.arrayContaining([
 expect.objectContaining({
- message: `No access (reason: "Missing organization:integrations permission")`,
+ message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
 }),
 ]),
 );
@@ -545,7 +545,7 @@ describe('delete', () => {
 expect(errors).toEqual(
 expect.arrayContaining([
 expect.objectContaining({
- message: `No access (reason: "Missing organization:integrations permission")`,
+ message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
 }),
 ]),
 );
@@ -742,7 +742,7 @@ describe('update', () => {
 expect(errors).toEqual(
 expect.arrayContaining([
 expect.objectContaining({
- message: `No access (reason: "Missing organization:integrations permission")`,
+ message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
 }),
 ]),
 );
diff --git a/packages/services/api/src/modules/auth/lib/authz.ts b/packages/services/api/src/modules/auth/lib/authz.ts
index ebdc0159b8..6422791472 100644
--- a/packages/services/api/src/modules/auth/lib/authz.ts
+++ b/packages/services/api/src/modules/auth/lib/authz.ts
@@ -103,7 +103,7 @@ export abstract class Session {
 for (const action of actions) {
 if (isActionMatch(action, args.action)) {
 if (permission.effect === 'deny') {
- throw new AccessError(`Missing permissions '${args.action}' on resource.`);
+ throw new AccessError(`Missing permission for performing '${args.action}' on resource`);
 } else {
 isAllowed = true;
 }
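Review bot: The expected denial message is written out as a full literal in the `create` assertion (@@ -150) and again in the `delete` (@@ -545) and `update` (@@ -742) hunks of crud.spec.ts, so every wording change in the authorization layer has to be repeated three times, as this commit shows. A single shared constant near the top of the spec holding the message, referenced as `message: MISSING_OIDC_MODIFY` (name constructed here) inside each `expect.objectContaining`, would keep the three tests in step. The enclosing test bodies start and end outside these hunks.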
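Review bot: The explicit-deny branch in the @@ -103 hunk of authz.ts and the default-deny `if (!isAllowed)` branch in the @@ -112 hunk throw the same message, and nothing in the code says whether that is deliberate. If it is, so that a caller cannot tell a matching deny policy from a missing allow, a comment on the deny branch would keep a later edit from making them diverge, for example `// Same text as the default-deny path: do not reveal whether an explicit deny policy matched.` Because the template literal is now duplicated, a small private helper that builds the `AccessError` from `args.action` would keep both sites identical. The enclosing method starts before this hunk and ends in the next one.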
@@ -112,7 +112,7 @@ export abstract class Session {
 }
 if (!isAllowed) {
- throw new AccessError(`Missing permissions '${args.action}' on resource.`);
+ throw new AccessError(`Missing permission for performing '${args.action}' on resource`);
 }
 }
 }
@@ -235,7 +235,8 @@ const actionDefinitions = {
 'project:delete': defaultProjectIdentity,
 'alert:modify': defaultProjectIdentity,
 'project:updateSlug': defaultProjectIdentity,
- 'schemaLinting:manage': defaultProjectIdentity,
+ 'schemaLinting:manageOrganization': defaultProjectIdentity,
+ 'schemaLinting:manageProject': defaultProjectIdentity,
 'target:create': defaultProjectIdentity,
 'target:delete': defaultTargetIdentity,
 'schemaCheck:create': schemaCheckOrPublishIdentity,
diff --git a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
index 73837d3cf5..3af211e876 100644
--- a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
+++ b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
@@ -21,6 +21,7 @@ export function transformLegacyPolicies(
 action: ['support:manageTickets'],
 resource: [`hrn:${organizationId}:*`],
 });
+ break;
 }
 case OrganizationAccessScope.SETTINGS: {
 policies.push({
diff --git a/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts b/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts
index 8c37403772..305d29846f 100644
--- a/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts
+++ b/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts
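Review bot: In the @@ -235 hunk, `'schemaLinting:manageOrganization'` is mapped to `defaultProjectIdentity`, the same resolver as `'schemaLinting:manageProject'`, although its name marks it as an organization-level action. If that resolver derives a project-scoped resource, a check for the organization action would need a project id and would be matched against project resources instead of the organization; an organization-scoped identity resolver looks like the intended value, if this file defines one. The old key `'schemaLinting:manage'` is removed outright, so any stored policy or legacy-scope translation that still names it will stop matching and fail closed; it is worth confirming that `transformLegacyPolicies` and persisted roles were migrated in the same change. The `actionDefinitions` object continues outside the hunk.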
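Review bot: No test or compiler setting guards against the fallthrough that the added `break;` closes in `transformLegacyPolicies`, and the other `case` blocks of the switch are outside this hunk and may have the same gap. Without the `break;`, the case that pushes `support:manageTickets` would presumably also have pushed the `OrganizationAccessScope.SETTINGS` policies, which makes this a permission-widening bug worth pinning with a unit test that asserts the exact policy list produced for that scope. Enabling `noFallthroughCasesInSwitch` in the tsconfig, or the ESLint `no-fallthrough` rule, would reject the same mistake anywhere else in the switch at build time.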
@@ -1,8 +1,8 @@
 import SessionNode from 'supertokens-node/recipe/session/index.js';
 import * as zod from 'zod';
-import { User } from '@hive/api';
 import type { FastifyReply, FastifyRequest, ServiceLogger } from '@hive/service-common';
 import { captureException } from '@sentry/node';
+import type { User } from '../../../shared/entities';
 import { AccessError, HiveError } from '../../../shared/errors';
 import { isUUID } from '../../../shared/is-uuid';
 import type { Storage } from '../../shared/providers/storage';