fix(custom-blocks): dedupe redundant workspace lookup in POST admin check #5429
…heck hasWorkspaceAdminAccess + a separate getWorkspaceWithOwner call each independently re-fetched the workspace row for the same (userId, workspaceId) pair. Consolidated into a single checkWorkspaceAccess call, matching the pattern the GET handler in this same file already uses. access.canAdmin is logically identical to hasWorkspaceAdminAccess's result (admin is the top PERMISSION_RANK, nothing else satisfies it) — no behavior change, one fewer DB round-trip per publish request.
PR Summary (Cursor Bugbot): Low Risk. Overview: Authorization still gates on admin ( Reviewed by Cursor Bugbot for commit 8a3e4ea.
Summary
- The `POST /api/custom-blocks` handler called `hasWorkspaceAdminAccess(userId, workspaceId)` and then separately called `getWorkspaceWithOwner(workspaceId)` again just to read `organizationId` — two independent DB fetches of the same workspace row for the same request.
- Consolidated into a single `checkWorkspaceAccess` call, matching the exact pattern the `GET` handler in this same file already uses a few lines above.
- `access.canAdmin` is logically identical to `hasWorkspaceAdminAccess()`'s result — verified against `PERMISSION_RANK`/`permissionSatisfies` in `@sim/platform-authz/workspace`: `admin` is the top rank (3), so `permissionSatisfies(p, 'admin')` can only be true when `p === 'admin'`, same as the old check.

Type of Change
Testing
- `bunx tsc --noEmit` clean
- `bunx biome check` clean
- `bun run check:react-query` passes

Checklist
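The two claims in the description (one fewer workspace fetch per publish request, and `access.canAdmin` agreeing with the old admin check for every permission level) as an added example in TypeScript. This is not code from the sim repository or from this PR: the three-level `PERMISSION_RANK` table, the in-memory workspace and membership store, and the bodies of `permissionSatisfies`, `getWorkspaceWithOwner`, `hasWorkspaceAdminAccess` and `checkWorkspaceAccess` are assumptions that reuse the PR's identifiers only so the before/after paths read like the description; the sample rows are constructed.

```typescript
// Added example for this PR's reasoning; not code from the sim repository.
// The rank table, the store and every function body below are assumptions
// that mirror the PR description, not the real @sim/platform-authz exports.

type Permission = 'read' | 'write' | 'admin';

// Assumed ranks; the description only states that admin is the top rank (3).
const PERMISSION_RANK: Record<Permission, number> = { read: 1, write: 2, admin: 3 };

function permissionSatisfies(have: Permission, required: Permission): boolean {
  return PERMISSION_RANK[have] >= PERMISSION_RANK[required];
}

// Every permission that satisfies 'admin'; with admin at the top rank this
// can only be ['admin'], which is why canAdmin equals the old admin check.
function permissionsSatisfyingAdmin(): Permission[] {
  return (Object.keys(PERMISSION_RANK) as Permission[]).filter((p) => permissionSatisfies(p, 'admin'));
}

interface WorkspaceRow { id: string; ownerId: string; organizationId: string | null }

// Constructed in-memory "database" with a fetch counter so the saved
// round-trip is observable.
const workspaces: Record<string, WorkspaceRow | undefined> = {
  'ws-1': { id: 'ws-1', ownerId: 'u-owner', organizationId: 'org-1' },
};
const memberships: Record<string, Permission | undefined> = {
  'u-owner:ws-1': 'admin',
  'u-editor:ws-1': 'write',
  'u-viewer:ws-1': 'read',
};
let workspaceFetches = 0;

function getWorkspaceWithOwner(workspaceId: string): WorkspaceRow | null {
  workspaceFetches++; // one DB round-trip
  return workspaces[workspaceId] ?? null;
}

// Old POST path: the admin check fetches the row, then the handler fetches
// the same row again just to read organizationId.
function hasWorkspaceAdminAccess(userId: string, workspaceId: string): boolean {
  if (getWorkspaceWithOwner(workspaceId) === null) return false;
  const p = memberships[`${userId}:${workspaceId}`];
  return p !== undefined && permissionSatisfies(p, 'admin');
}

interface PostDecision { allowed: boolean; organizationId: string | null }

function oldPostCheck(userId: string, workspaceId: string): PostDecision {
  if (!hasWorkspaceAdminAccess(userId, workspaceId)) return { allowed: false, organizationId: null };
  const ws = getWorkspaceWithOwner(workspaceId); // second fetch of the same row
  return { allowed: true, organizationId: ws?.organizationId ?? null };
}

// New POST path: one fetch yields both the access decision and the row.
interface WorkspaceAccess { canAdmin: boolean; workspace: WorkspaceRow | null }

function checkWorkspaceAccess(userId: string, workspaceId: string): WorkspaceAccess {
  const workspace = getWorkspaceWithOwner(workspaceId);
  const p = workspace ? memberships[`${userId}:${workspaceId}`] : undefined;
  return { canAdmin: p !== undefined && permissionSatisfies(p, 'admin'), workspace };
}

function newPostCheck(userId: string, workspaceId: string): PostDecision {
  const access = checkWorkspaceAccess(userId, workspaceId);
  if (!access.canAdmin || access.workspace === null) return { allowed: false, organizationId: null };
  return { allowed: true, organizationId: access.workspace.organizationId };
}

// Number of workspace fetches one call of `fn` performs.
function fetchesFor(fn: () => unknown): number {
  const before = workspaceFetches;
  fn();
  return workspaceFetches - before;
}

// The equivalence the PR relies on, checked for every membership level, for
// a user with no membership and for a missing workspace.
function checksAgree(): boolean {
  const cases: Array<[string, string]> = [
    ['u-owner', 'ws-1'], ['u-editor', 'ws-1'], ['u-viewer', 'ws-1'],
    ['u-stranger', 'ws-1'], ['u-owner', 'ws-missing'],
  ];
  return cases.every(([u, w]) => hasWorkspaceAdminAccess(u, w) === checkWorkspaceAccess(u, w).canAdmin);
}
```

The old path already short-circuits after one fetch when the caller is not an admin, so the saving is exactly one round-trip per authorized publish request. The check worth keeping when reviewing a consolidation like this is `checksAgree`: it deliberately includes the no-membership and missing-workspace cases, since those are where merging an authorization lookup with a data lookup could silently loosen the gate.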