diff --git a/src/dashboard/guards/dashboard-permission.guard.ts b/src/dashboard/guards/dashboard-permission.guard.ts
index f9159cf..b97cb1b 100644
--- a/src/dashboard/guards/dashboard-permission.guard.ts
+++ b/src/dashboard/guards/dashboard-permission.guard.ts
@@ -13,7 +13,10 @@ export const DashboardPermissionGuard = (type?: PermissionType) => {
 throw new UnauthorizedException();
 }

- const dashboardId = request.params.id ?? request.params.dashboardId;
+ const dashboardId = request.params.id ?? request.params.dashboardId ?? request.body?.dashboardId;
+ if (!dashboardId) {
+ return false;
+ }
 const permission = await this.repository.findOne({
 where: {
 userId: user.id,
diff --git a/src/pipeline/pipeline.controller.ts b/src/pipeline/pipeline.controller.ts
index e6baf65..1ef4213 100644
--- a/src/pipeline/pipeline.controller.ts
+++ b/src/pipeline/pipeline.controller.ts
@@ -30,19 +30,9 @@ export class PipelineController {
 @InjectRepository(Permission)
 private readonly permissionRepository: Repository,
 ) {}
+ @UseGuards(DashboardPermissionGuard(PermissionType.Admin))
 @Post('/create')
 async create(@Body() args: CreatePipelineDto) {
- const permission = await this.permissionRepository
- .createQueryBuilder('p')
- .innerJoin('p.dashboard', 'd', 'd.id = p.dashboard_id')
- .where('d.id =:id', { id: args.dashboardId })
- .andWhere('p.type =:type', { type: PermissionType.Admin })
- .getOne();
-
- if (!permission) {
- throw new ForbiddenException();
- }
-
 const pipelines = await this.repository.find({
 where: {
 dashboardId: args.dashboardId,
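Review bot: The guard now authorizes against the first id it finds (`request.params.id`, then `request.params.dashboardId`, then `request.body?.dashboardId`), so on a route that has an `:id` param and also carries a `dashboardId` in its body, the permission is checked for one id while the handler may act on the other; whether such a route exists is not visible here. The body value is also read before any validation pipe has run (Nest guards execute ahead of pipes), so it can be an object or array by the time it is presumably passed into the `findOne` where-clause. I would reject non-scalar values up front, `if (typeof dashboardId !== 'string' && typeof dashboardId !== 'number') return false;`, and add a comment above the lookup such as `// dashboardId source must match what the handler uses; body is unvalidated at guard time`. The guard's body starts and ends outside this hunk.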
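Review bot: With the inline check removed from `create`, the `permissionRepository` constructor injection kept as context at the top of this hunk (and a `ForbiddenException` import, if the file has one) looks unused unless other handlers outside the hunk still need it; dropping it avoids a controller holding a repository it no longer authorizes with. Authorization for this route now rests entirely on the guard resolving `request.body.dashboardId`, since no route param is visible on `/create`, so a short comment on the decorator would help the next reader: `// Guard checks Admin permission on body.dashboardId for the current user`. The class body starts and ends outside the hunk.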