letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
83239104e0139b5ecf3606e44e540857ee9d1ac6
pn-new-crm/src/lib/db/migrations/0041_role_permissions_edit_keys.sql

59 lines
1.9 KiB
MySQL
Raw Normal View History

fix(security): tier-0 audit blockers (next CVE, role gate, perm traps, key validation, rate limits) Closes the five highest-risk findings from docs/audit-comprehensive-2026-05-05.md so the platform is not exposed while the rest of the audit backlog (1 CRIT + 18 HIGH + 32 MED + 23 LOW) is worked through: * CVE-2025-29927 — bump next 15.1.0 → 15.2.9; nginx strips X-Middleware-Subrequest at the edge as defense-in-depth. * Cross-tenant role escalation — POST/PATCH/DELETE on /admin/roles now require super-admin (was: any holder of admin.manage_users). Adds shared `requireSuperAdmin(ctx)` helper. * Silent-403 traps — `documents.edit` and `files.edit` keys added to RolePermissions; seeded role values updated; migration 0041 backfills the new keys on every existing roles+port_role_overrides JSONB. File routes remap the dead `create` action to `upload` / `manage_folders`. * Berth-PDF / brochure register endpoints — reject body.storageKey unless it matches the namespace the matching presign endpoint issued (prevents repointing a tenant's PDF at foreign-port bytes). * Portal auth rate limits — sign-in 5/15min/(ip,email), forgot-password 3/hr/IP, activate/reset/set-password 10/hr/IP. Adds `enforcePublicRateLimit()` for non-`withAuth` routes. Test status unchanged: 1168/1168 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md (CRITICAL, HIGH §§1–4) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 18:33:13 +02:00
-- Backfill the new `documents.edit` and `files.edit` permission keys on
-- every existing row in `roles.permissions`. The schema (RolePermissions
-- in src/lib/db/schema/users.ts) added these keys to close the silent-403
-- traps on PATCH /api/v1/documents/[id], /cancel, /remind, /watchers, and
-- PATCH /api/v1/files/[id] — each used a permission key that did not exist
-- in the schema, so withPermission()'s `resourcePerms[action]` returned
-- undefined and 403'd every non-superadmin call.
--
-- Backfill rule:
-- documents.edit ← documents.create (anyone who can create can edit)
-- files.edit ← files.upload (same rationale)
--
-- jsonb_set with create_missing=true (the default) inserts the key only
-- when it's absent, so re-runs are idempotent and the migration is safe
-- against a partial run.
UPDATE roles
SET permissions = jsonb_set(
permissions,
'{documents,edit}',
COALESCE(permissions->'documents'->'create', 'false'::jsonb),
true
)
WHERE permissions->'documents' IS NOT NULL
AND NOT (permissions->'documents' ? 'edit');
UPDATE roles
SET permissions = jsonb_set(
permissions,
'{files,edit}',
COALESCE(permissions->'files'->'upload', 'false'::jsonb),
true
)
WHERE permissions->'files' IS NOT NULL
AND NOT (permissions->'files' ? 'edit');
-- Same backfill on per-port overrides (`port_role_overrides.permissions`)
-- so an override that flipped a sibling permission stays consistent.
UPDATE port_role_overrides
SET permissions = jsonb_set(
permissions,
'{documents,edit}',
COALESCE(permissions->'documents'->'create', 'false'::jsonb),
true
)
WHERE permissions->'documents' IS NOT NULL
AND NOT (permissions->'documents' ? 'edit');
UPDATE port_role_overrides
SET permissions = jsonb_set(
permissions,
'{files,edit}',
COALESCE(permissions->'files'->'upload', 'false'::jsonb),
true
)
WHERE permissions->'files' IS NOT NULL
AND NOT (permissions->'files' ? 'edit');
Reference in New Issue Copy Permalink