Merge pull request #1816 from akto-api-security/feature/test_role_del…

…etion_admin_check feat: now users can only delete their own test roles unless it's admin
akto-api-security · Dec 12, 2024 · 8d848c1 · 8d848c1
2 parents 959dbca + 66e4576
commit 8d848c1
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/apps/dashboard/src/main/java/com/akto/action/testing/TestRolesAction.java b/apps/dashboard/src/main/java/com/akto/action/testing/TestRolesAction.java
@@ -1,10 +1,13 @@
 package com.akto.action.testing;
 
 import com.akto.action.UserAction;
+import com.akto.dao.RBACDao;
 import com.akto.dao.context.Context;
 import com.akto.dao.testing.EndpointLogicalGroupDao;
 import com.akto.dao.testing.TestRolesDao;
 import com.akto.dao.testing.config.TestCollectionPropertiesDao;
+import com.akto.dto.RBAC;
+import com.akto.dto.User;
 import com.akto.dto.testing.config.TestCollectionProperty;
 import com.akto.dto.RecordedLoginFlowInput;
 import com.akto.dto.data_types.Conditions;
@@ -136,6 +139,22 @@ public String deleteTestRole() {
             return ERROR.toUpperCase();
         }
 
+        User user = getSUser();
+        if(user == null) {
+            addActionError("User not found.");
+            return ERROR.toUpperCase();
+        }
+
+        boolean noAccess = !user.getLogin().equals(role.getCreatedBy());
+
+        if(noAccess) {
+            RBAC.Role currentRoleForUser = RBACDao.getCurrentRoleForUser(user.getId(), Context.accountId.get());
+            if (!currentRoleForUser.equals(RBAC.Role.ADMIN)) {
+                addActionError("You do not have permission to delete this role.");
+                return ERROR.toUpperCase();
+            }
+        }
+
         Bson roleFilterQ = Filters.eq(TestRoles.NAME, roleName);
         DeleteResult delete = TestRolesDao.instance.deleteAll(roleFilterQ);
         loggerMaker.infoAndAddToDb("Deleted role: " + roleName + " : " + delete, LoggerMaker.LogDb.DASHBOARD);