don't pass group ID to get repositories call

mindersec · Sep 25, 2023 · a5a5476 · a5a5476
1 parent 43ced75
commit a5a5476
Show file tree

Hide file tree

Showing 6 changed files with 1,602 additions and 1,650 deletions.
diff --git a/docs/docs/protodocs/proto.md b/docs/docs/protodocs/proto.md
diff --git a/internal/controlplane/handlers_repositories.go b/internal/controlplane/handlers_repositories.go
@@ -258,20 +258,6 @@ func (s *Server) GetRepositoryById(ctx context.Context,
 		return nil, status.Errorf(codes.InvalidArgument, "repository id not specified")
 	}
 
-	// if we do not have a group, check if we can infer it
-	if in.GroupId == 0 {
-		group, err := auth.GetDefaultGroup(ctx)
-		if err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "cannot infer group id")
-		}
-		in.GroupId = group
-	}
-
-	// check if user is authorized
-	if !IsRequestAuthorized(ctx, in.GroupId) {
-		return nil, status.Errorf(codes.PermissionDenied, "user is not authorized to access this resource")
-	}
-
 	// read the repository
 	repo, err := s.store.GetRepositoryByID(ctx, in.RepositoryId)
 	if errors.Is(err, sql.ErrNoRows) {
@@ -280,7 +266,10 @@ func (s *Server) GetRepositoryById(ctx context.Context,
 		return nil, status.Errorf(codes.Internal, "cannot read repository: %v", err)
 	}
 
-	if repo.GroupID != in.GroupId {
+	groupID := repo.GroupID
+
+	// check if user is authorized
+	if !IsRequestAuthorized(ctx, groupID) {
 		return nil, status.Errorf(codes.PermissionDenied, "user is not authorized to access this resource")
 	}
 

diff --git a/pkg/generated/openapi/mediator/v1/mediator.swagger.json b/pkg/generated/openapi/mediator/v1/mediator.swagger.json