From ded72a95c220904a151d27daf3c67e8644e386c6 Mon Sep 17 00:00:00 2001
From: Hugues Chocart
Date: Tue, 12 Nov 2024 20:31:55 +0800
Subject: [PATCH] fix: security patch (#651)

---
 packages/backend/src/api/v1/runs/index.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/api/v1/runs/index.ts b/packages/backend/src/api/v1/runs/index.ts
index 3aa99e16..2190b382 100644
--- a/packages/backend/src/api/v1/runs/index.ts
+++ b/packages/backend/src/api/v1/runs/index.ts
@@ -2,7 +2,7 @@ import sql from "@/src/utils/db";
 import { Context } from "koa";
 import Router from "koa-router";
-import { checkAccess } from "@/src/utils/authorization";
+import { checkAccess, checkProjectAccess } from "@/src/utils/authorization";
 import { convertChecksToSQL } from "@/src/utils/checks";
 import { jsonrepair } from "jsonrepair";
 import { Feedback, Score, deserializeLogic } from "shared";
@@ -1016,8 +1016,14 @@ runs.patch(
 checkAccess("logs", "update"),
 async (ctx: Context) => {
 const { id: runId } = ctx.params;
+ const { projectId, userId } = ctx.state;
 const { label, value, comment } = Score.parse(ctx.request.body);
+ const hasProjectAccess = await checkProjectAccess(projectId, userId);
+ if (!hasProjectAccess) {
+ ctx.throw(401, "Unauthorized");
+ }
+
 let [existingScore] = await sql`select * from run_score where run_id = ${runId} and label = ${label}`;
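Review bot: The new guard only confirms that `userId` belongs to the `projectId` carried in `ctx.state`; nothing in the hunk ties `runId` (taken from the URL) to that project, and the following `run_score` lookup filters on `run_id` and `label` alone, so a member of one project could still update scores on a run that belongs to a different project unless a later check outside this hunk binds the run to `projectId`. Before reading or writing `run_score`, verify that the run identified by `runId` belongs to `projectId` (a lookup keyed on both the run id and its project, using the schema's actual table and column names) and reject a mismatch with 404 so that run ids of other projects are not confirmed to the caller. Separately, `ctx.throw(401, "Unauthorized")` reports an authentication failure, but the request already carries an authenticated `userId`, so a failed project check is an authorization failure and should be `ctx.throw(403, "Forbidden");`. The enclosing `runs.patch(` handler begins before this hunk and continues after it.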