fix #3414 - 404 on access to private models

quantified-uncertainty · Nov 8, 2024 · 5c1c949 · 5c1c949
1 parent 0a7d808
commit 5c1c949
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx b/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx
@@ -36,6 +36,7 @@ export const EditModelPage: FC<{
     `,
     query
   );
+
   const model = extractFromGraphqlErrorUnion(result, "Model");
   const typename = model.currentRevision.content.__typename;
 

diff --git a/packages/hub/src/app/not-found.tsx b/packages/hub/src/app/not-found.tsx
@@ -1,6 +1,4 @@
 export default function NotFound() {
-  // Note: Next.js (13.4.9) in dev mode doesn't reload this page correctly.
-  // Restart `next dev` process if you edit this component.
   return (
     <div className="grid flex-1 place-items-center">
       <div className="flex h-10 items-center gap-4">

diff --git a/packages/hub/src/graphql/queries/model.ts b/packages/hub/src/graphql/queries/model.ts
@@ -2,6 +2,7 @@ import { builder } from "@/graphql/builder";
 import { prisma } from "@/prisma";
 
 import { NotFoundError } from "../errors/NotFoundError";
+import { modelWhereHasAccess } from "../helpers/modelHelpers";
 
 builder.queryField("model", (t) =>
   t.prismaFieldWithInput({
@@ -13,13 +14,14 @@ builder.queryField("model", (t) =>
     errors: {
       types: [NotFoundError],
     },
-    async resolve(query, _, { input }) {
+    async resolve(query, _, { input }, { session }) {
       const model = await prisma.model.findFirst({
         ...query,
         where: {
           slug: input.slug,
           owner: { slug: input.owner },
-          // no need to check access - will be checked by Model authScopes
+          // intentionally checking access - see https://github.com/quantified-uncertainty/squiggle/issues/3414
+          ...modelWhereHasAccess(session),
         },
       });
       if (!model) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,6 +36,7 @@ export const EditModelPage: FC<{ @@
         `,
         query
       );
       const model = extractFromGraphqlErrorUnion(result, "Model");
       const typename = model.currentRevision.content.__typename;
@@ Expand Down @@