From a299e3055628a8cda7650238471549dc94faf6a6 Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Wed, 29 Sep 2021 16:41:58 +0100
Subject: [PATCH 1/2] Respect tenant in url in UI app. Reject tenant and session mismatch

---
 .../builder/src/pages/builder/_layout.svelte | 21 +++++++++++++++++++
 packages/builder/src/stores/portal/auth.js | 1 +
 2 files changed, 22 insertions(+)

diff --git a/packages/builder/src/pages/builder/_layout.svelte b/packages/builder/src/pages/builder/_layout.svelte
index 4b296854b6..f4715b3017 100644
--- a/packages/builder/src/pages/builder/_layout.svelte
+++ b/packages/builder/src/pages/builder/_layout.svelte
@@ -9,10 +9,31 @@
   $: hasAdminUser = $admin?.checklist?.adminUser?.checked
   $: tenantSet = $auth.tenantSet
   $: cloud = $admin.cloud
+  $: user = $auth.user
+
+  const validateTenantId = async () => {
+    // set the tenant from the url in the cloud
+    const tenantId = window.location.host.split(".")[0]
+
+    if (!tenantId.includes("localhost:")) {
+      // user doesn't have permission to access this tenant - kick them out
+      if (user && user.tenantId && user.tenantId !== tenantId) {
+        await auth.logout()
+        await auth.setOrganisation(null)
+      } else {
+        await auth.setOrganisation(tenantId)
+      }
+    }
+  }
 
   onMount(async () => {
     await auth.checkAuth()
     await admin.init()
+
+    if (cloud && multiTenancyEnabled) {
+      await validateTenantId()
+    }
+
     loaded = true
   })
 
diff --git a/packages/builder/src/stores/portal/auth.js b/packages/builder/src/stores/portal/auth.js
index 95157e3f93..f522095473 100644
--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
@@ -80,6 +80,7 @@ export function createAuthStore() {
   return {
     subscribe: store.subscribe,
+    setOrganisation: setOrganisation,
     checkQueryString: async () => {
       const urlParams = new URLSearchParams(window.location.search)
       if (urlParams.has("tenantId")) {

From 2ceca6b4fbf4f7fe8160cd695291b9028d7481ad Mon Sep 17 00:00:00 2001
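Review bot: The `localhost:` guard in `validateTenantId` only recognises a local host that carries a port: for a bare `localhost` or an IP such as `127.0.0.1`, `window.location.host.split(".")[0]` yields `localhost` or `127`, the substring test fails, and the function goes on to call `auth.setOrganisation("localhost")` / `auth.setOrganisation("127")`; the same happens in the cloud for an apex or `www` host whose first label is not a tenant. Checking the hostname rather than a substring is more robust, e.g. `const { hostname } = window.location` followed by `if (hostname !== "localhost" && hostname !== "127.0.0.1")`, and ideally the first label should only be treated as a tenant when the host has more labels than the base domain. The mismatch branch (`user.tenantId !== tenantId` → logout) is a client-side guard only; the API must still reject requests whose session tenant differs from the requested tenant, and a comment such as `// UX guard only - the API enforces the session/tenant match server-side` would make that expectation explicit for the next reader. `multiTenancyEnabled`, used in the new `onMount` branch, is not declared in this hunk and presumably comes from earlier in the script block.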
From: Rory Powell
Date: Wed, 29 Sep 2021 17:13:29 +0100
Subject: [PATCH 2/2] Review feedback - shortcut user?.tenantId !== tenantId

---
 packages/builder/src/pages/builder/_layout.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/builder/src/pages/builder/_layout.svelte b/packages/builder/src/pages/builder/_layout.svelte
index f4715b3017..5a8e5e2fc9 100644
--- a/packages/builder/src/pages/builder/_layout.svelte
+++ b/packages/builder/src/pages/builder/_layout.svelte
@@ -17,7 +17,7 @@
 
     if (!tenantId.includes("localhost:")) {
       // user doesn't have permission to access this tenant - kick them out
-      if (user && user.tenantId && user.tenantId !== tenantId) {
+      if (user?.tenantId !== tenantId) {
         await auth.logout()
         await auth.setOrganisation(null)
       } else {
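Review bot: The shortcut `user?.tenantId !== tenantId` is not equivalent to the condition it replaces: with no signed-in user, `user?.tenantId` is `undefined`, the comparison is true, and an anonymous visitor is pushed through `auth.logout()` and `auth.setOrganisation(null)` instead of reaching the `else` branch that previously applied the URL tenant via `auth.setOrganisation(tenantId)`. A user record without a `tenantId` is affected the same way, which the old `user.tenantId &&` guard deliberately excluded. To keep the original semantics while still shortening the expression, use `if (user?.tenantId && user.tenantId !== tenantId) {`. `validateTenantId` starts and ends outside this hunk.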