Merge pull request #9908 from Budibase/fix/invite-codes-leak

fix tenant filtering issue
2024-08-08 06:37:55 +12:00 · 2023-03-07 10:19:22 +00:00 · 2023-03-07 10:19:22 +00:00 · 779f765970
commit 779f765970
parent 82397dc516 63e7d9d97e
3 changed files with 11 additions and 15 deletions
--- a/packages/frontend-core/src/api/user.js
+++ b/packages/frontend-core/src/api/user.js
@ -194,8 +194,7 @@ export const buildUserEndpoints = API => ({
  },

  /**
-   * Retrieves the invitation associated with a provided code.
-   * @param code The unique code for the target invite
+   * Retrieves all user invitations for the current tenant.
   */
  getUserInvites: async () => {
    return await API.get({
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -341,7 +341,7 @@ export const getUserInvites = async (ctx: any) => {
  let invites
  try {
    // Restricted to the currently authenticated tenant
-    invites = await getInviteCodes([ctx.user.tenantId])
+    invites = await getInviteCodes()
  } catch (e) {
    ctx.throw(400, "There was a problem fetching invites")
  }
--- a/packages/worker/src/utilities/redis.ts
+++ b/packages/worker/src/utilities/redis.ts
@ -1,4 +1,5 @@
-import { redis, utils } from "@budibase/backend-core"
+import { redis, utils, tenancy } from "@budibase/backend-core"
+import env from "../environment"

 function getExpirySecondsForDB(db: string) {
  switch (db) {
@ -129,10 +130,9 @@ export async function checkInviteCode(
 }

 /** 
-  Get all currently available user invitations.
-  @return {Object[]} A list of all objects containing invite metadata
+  Get all currently available user invitations for the current tenant.
 **/
-export async function getInviteCodes(tenantIds?: string[]) {
+export async function getInviteCodes() {
  const client = await getClient(redis.utils.Databases.INVITATIONS)
  const invites: any[] = await client.scan()

@ -142,12 +142,9 @@ export async function getInviteCodes(tenantIds?: string[]) {
      code: invite.key,
    }
  })
-  return results.reduce((acc, invite) => {
-    if (tenantIds?.length && tenantIds.includes(invite.info.tenantId)) {
-      acc.push(invite)
-    } else {
-      acc.push(invite)
-    }
-    return acc
-  }, [])
+  if (!env.MULTI_TENANCY) {
+    return results
+  }
+  const tenantId = tenancy.getTenantId()
+  return results.filter(invite => tenantId === invite.info.tenantId)
 }