From d47af749a6dbf8ba970c3044a8a2fb2b39f2515a Mon Sep 17 00:00:00 2001
From: Julian Waller
Date: Tue, 10 Dec 2024 15:42:58 +0000
Subject: [PATCH] chore: fix missed security check
---
 meteor/server/api/userActions.ts | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/meteor/server/api/userActions.ts b/meteor/server/api/userActions.ts
index 0816952ca13..43dc0a46c66 100644
--- a/meteor/server/api/userActions.ts
+++ b/meteor/server/api/userActions.ts
@@ -45,10 +45,10 @@ import { NrcsIngestCacheType } from '@sofie-automation/corelib/dist/dataModel/Nr
 import { verifyHashedToken } from './singleUseTokens'
 import { QuickLoopMarker } from '@sofie-automation/corelib/dist/dataModel/RundownPlaylist'
 import { runIngestOperation } from './ingest/lib'
-import { RundownPlaylistContentWriteAccess } from '../security/rundownPlaylist'
 import { IngestJobs } from '@sofie-automation/corelib/dist/worker/ingest'
 import { UserPermissions } from '@sofie-automation/meteor-lib/dist/userPermissions'
 import { assertConnectionHasOneOfPermissions } from '../security/auth'
+import { checkAccessToRundown } from '../security/check'
 const PERMISSIONS_FOR_PLAYOUT_USERACTION: Array = ['studio']
 const PERMISSIONS_FOR_BUCKET_MODIFICATION: Array = ['studio']
@@ -1315,11 +1315,10 @@ class ServerUserActionAPI
 'executeUserChangeOperation',
 { operationTarget, operation },
 async () => {
- const access = await RundownPlaylistContentWriteAccess.rundown(this, rundownId)
- if (!access.rundown) throw new Error(`Rundown "${rundownId}" not found`)
+ const rundown = await checkAccessToRundown(this.connection, rundownId)
- await runIngestOperation(access.rundown.studioId, IngestJobs.UserExecuteChangeOperation, {
- rundownExternalId: access.rundown.externalId,
+ await runIngestOperation(rundown.studioId, IngestJobs.UserExecuteChangeOperation, {
+ rundownExternalId: rundown.externalId,
 operationTarget,
 operation,
 })
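Review bot: Authorization for this write path now rests entirely on `checkAccessToRundown(this.connection, rundownId)` inside the `async () => {` callback, and nothing in the hunk shows what that helper enforces. The removed code had an explicit `if (!access.rundown) throw ...` guard; if the helper can ever return without a rundown, `rundown.studioId` would fail with a TypeError rather than a clear not-found or forbidden error, so it is worth confirming that it throws in both cases. Because this callback queues `IngestJobs.UserExecuteChangeOperation`, also confirm the helper requires a modify-level permission rather than read access; the file already declares `PERMISSIONS_FOR_PLAYOUT_USERACTION` for its other user actions. Once confirmed, I would add a comment above the call such as `// Throws if the rundown does not exist or this connection may not modify it`, and a test asserting that an unauthorised connection is rejected before `runIngestOperation` is reached. The enclosing method starts outside the hunk, so any earlier argument validation of `operationTarget` and `operation` is not visible here.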