🐛 Fix authorization of API keys

staart · Jun 22, 2019 · 5edab54 · 5edab54
1 parent 20009b7
commit 5edab54
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "staart",
-  "version": "1.0.29",
+  "version": "1.0.30",
   "main": "index.js",
   "repository": "[email protected]:AnandChowdhary/staart.git",
   "author": "Anand Chowdhary <[email protected]>",

diff --git a/src/helpers/authorization.ts b/src/helpers/authorization.ts
@@ -84,7 +84,8 @@ const canUserOrganization = async (
     // An organization manager can do anything but delete
     if (
       membership.role == MembershipRole.MANAGER &&
-      action != Authorizations.DELETE
+      action != Authorizations.DELETE &&
+      action != Authorizations.DELETE_SECURE
     )
       allowed = true;
 

diff --git a/src/rest/organization.ts b/src/rest/organization.ts
@@ -497,7 +497,14 @@ export const createApiKeyForUser = async (
   access: ApiKeyAccess,
   locals: Locals
 ) => {
-  if (await can(userId, Authorizations.CREATE_SECURE, "user", organizationId)) {
+  if (
+    await can(
+      userId,
+      Authorizations.CREATE_SECURE,
+      "organization",
+      organizationId
+    )
+  ) {
     const apiKey = await createApiKey({ organizationId, access });
     await createEvent(
       {