Merge pull request #170 from Dolu89/feature/fix-project-security

fix: add verification that current user is a member of the project
2026-01-24 08:44:28 +01:00 · 2022-09-25 18:18:13 +03:00
parent 38641be9ab 942bb8f114
commit 6fee8f2dfe
1 changed files with 6 additions and 1 deletions
--- a/api/functions/graphql/types/project.js
+++ b/api/functions/graphql/types/project.js
@@ -766,7 +766,12 @@ const updateProject = extendType({
                    },
                })

-                // Maker can't project info
+                // Verifying current user is a member
+                if (!project.members.some((m) => m.userId === user.id)) {
+                    throw new ApolloError("You don't have permission to update this project")
+                }
+
+                // Maker can't change project info
                if (project.members.find((m) => m.userId === user.id)?.role === ROLE_MAKER) {
                    throw new ApolloError("Makers can't change project info")
                }