Fix Security Bug: No permissions applied to version endpoints (#5008)

List,Delete, and Revert endpoints for editing endpoints by version were set to allow anonymous, meaning no authorisation policies were applied. I have changed these to apply permissions as per the rest of the API.
elsa-workflows · Feb 28, 2024 · 875afd4 · 875afd4
1 parent f695b36
commit 875afd4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/Delete.cs b/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/Delete.cs
@@ -1,4 +1,5 @@
-using Elsa.Workflows.Management.Contracts;
+using Elsa.Abstractions;
+using Elsa.Workflows.Management.Contracts;
 using FastEndpoints;
 using JetBrains.Annotations;
 
@@ -8,7 +9,7 @@ namespace Elsa.Workflows.Api.Endpoints.WorkflowDefinitions.Version;
 /// Deletes a specific version of a workflow definition.
 /// </summary>
 [PublicAPI]
-public class DeleteVersion : EndpointWithoutRequest
+public class DeleteVersion : ElsaEndpointWithoutRequest
 {
     private readonly IWorkflowDefinitionManager _workflowDefinitionManager;
 
@@ -22,7 +23,7 @@ public DeleteVersion(IWorkflowDefinitionManager workflowDefinitionManager)
     public override void Configure()
     {
         Delete("workflow-definitions/{definitionId}/version/{version}");
-        AllowAnonymous();
+        ConfigurePermissions("delete:workflow-definitions");
     }
 
     /// <inheritdoc />

diff --git a/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/List.cs b/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/List.cs
@@ -1,4 +1,5 @@
-using Elsa.Common.Entities;
+using Elsa.Abstractions;
+using Elsa.Common.Entities;
 using Elsa.Common.Models;
 using Elsa.Workflows.Management.Contracts;
 using Elsa.Workflows.Management.Filters;
@@ -9,7 +10,7 @@
 namespace Elsa.Workflows.Api.Endpoints.WorkflowDefinitions.Version;
 
 [PublicAPI]
-internal class ListVersions : EndpointWithoutRequest
+internal class ListVersions : ElsaEndpointWithoutRequest
 {
     private readonly IWorkflowDefinitionStore _store;
 
@@ -21,7 +22,7 @@ public ListVersions(IWorkflowDefinitionStore store)
     public override void Configure()
     {
         Get("workflow-definitions/{definitionId}/versions");
-        AllowAnonymous();
+        ConfigurePermissions("read:workflow-definitions");
     }
 
     public override async Task HandleAsync(CancellationToken cancellationToken)

diff --git a/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/Revert.cs b/src/modules/Elsa.Workflows.Api/Endpoints/WorkflowDefinitions/Version/Revert.cs
@@ -1,11 +1,12 @@
-using Elsa.Workflows.Management.Contracts;
+using Elsa.Abstractions;
+using Elsa.Workflows.Management.Contracts;
 using FastEndpoints;
 using JetBrains.Annotations;
 
 namespace Elsa.Workflows.Api.Endpoints.WorkflowDefinitions.Version;
 
 [PublicAPI]
-internal class RevertVersion : EndpointWithoutRequest
+internal class RevertVersion : ElsaEndpointWithoutRequest
 {
     private readonly IWorkflowDefinitionManager _workflowDefinitionManager;
 
@@ -17,7 +18,7 @@ public RevertVersion(IWorkflowDefinitionManager workflowDefinitionManager)
     public override void Configure()
     {
         Post("workflow-definitions/{definitionId}/revert/{version}");
-        AllowAnonymous();
+        ConfigurePermissions("publish:workflow-definitions");
     }
 
     public override async Task HandleAsync(CancellationToken ct)