From 29851491f6d8b7a198b27f3a58a303ddaa3b2e9c Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Tue, 2 Jun 2026 02:04:36 -0600
Subject: [PATCH] chore: update version to v0.29.7 in package.json and enhance permission tests

Bumped the version of dokploy to v0.29.7. Updated test descriptions for clarity, specifically renaming the test suite to reflect the roles of "owner" and "admin." Added new tests to ensure that members are denied access to various org-level enterprise resources, improving coverage and validation of permission checks.
---
 .../permissions/check-permission.test.ts | 64 ++++++++++++++++---
 apps/dokploy/package.json | 2 +-
 2 files changed, 55 insertions(+), 11 deletions(-)

diff --git a/apps/dokploy/__test__/permissions/check-permission.test.ts b/apps/dokploy/__test__/permissions/check-permission.test.ts
index 7f14e2d0e..b471ccda0 100644
--- a/apps/dokploy/__test__/permissions/check-permission.test.ts
+++ b/apps/dokploy/__test__/permissions/check-permission.test.ts
@@ -58,7 +58,7 @@ beforeEach(() => {
 vi.clearAllMocks();
 });
 
-describe("static roles bypass enterprise resources", () => {
+describe("owner and admin bypass enterprise resources", () => {
 it("owner bypasses deployment.read", async () => {
 memberToReturn = mockMemberData("owner");
 await expect(
@@ -73,15 +73,8 @@ describe("static roles bypass enterprise resources", () => {
 ).resolves.toBeUndefined();
 });
 
- it("member bypasses schedule.delete", async () => {
- memberToReturn = mockMemberData("member");
- await expect(
- checkPermission(ctx, { schedule: ["delete"] }),
- ).resolves.toBeUndefined();
- });
-
- it("member bypasses multiple enterprise permissions at once", async () => {
- memberToReturn = mockMemberData("member");
+ it("owner bypasses multiple enterprise permissions at once", async () => {
+ memberToReturn = mockMemberData("owner");
 await expect(
 checkPermission(ctx, {
 deployment: ["read"],
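Review bot: Dropping `it("member bypasses schedule.delete", ...)` leaves member access to `schedule.delete` unasserted in either direction, because the denial suite added in the @@ -92 hunk covers registry, certificate, destination, notification, auditLog and server but not schedule. Add `it("member is denied schedule.delete", ...)` beside the new cases, or keep a positive test if members are still meant to have it, so a later change to the static-role shortcut cannot flip this permission unnoticed. The diffstat shows only this test file and package.json changing, so the `checkPermission` behaviour these tests now expect presumably landed in a separate commit; the message could name it. The enclosing describe block starts and ends outside this hunk.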
@@ -92,6 +85,57 @@ describe("static roles bypass enterprise resources", () => {
 });
 });
 
+describe("member is denied org-level enterprise resources (CVE: bypass via staticRoles)", () => {
+ it("member is denied registry.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { registry: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied certificate.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { certificate: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied destination.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { destination: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied notification.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { notification: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied auditLog.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { auditLog: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied server.read", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { server: ["read"] }),
+ ).rejects.toThrow();
+ });
+
+ it("member is denied registry.create", async () => {
+ memberToReturn = mockMemberData("member");
+ await expect(
+ checkPermission(ctx, { registry: ["create"] }),
+ ).rejects.toThrow();
+ });
+});
+
 describe("static roles validate free-tier resources", () => {
 it("owner passes project.create", async () => {
 memberToReturn = mockMemberData("owner");
diff --git a/apps/dokploy/package.json b/apps/dokploy/package.json
index 5ff0ccbe2..c271f32bd 100644
--- a/apps/dokploy/package.json
+++ b/apps/dokploy/package.json
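Review bot: Every new case ends in a bare `.rejects.toThrow()`, which any rejection satisfies, so these tests would still pass if `checkPermission` failed for an unrelated reason (a mocked lookup returning nothing, a type error in the mock setup) rather than because the member lacks the permission; narrow each one to `.rejects.toThrow(ExpectedError)`, where `ExpectedError` stands for whatever class or message the check raises on a forbidden action, so the assertion pins the authorization failure itself. The suite title's "(CVE: bypass via staticRoles)" carries no advisory identifier and reads as a placeholder; cite the assigned id, or reword it to `describe("member is denied org-level enterprise resources (regression: static-role bypass)", () => {`. Nothing in this suite asserts that a member is still allowed any resource, so whether denial stems from the role check or from a broken fixture rests entirely on the owner cases in the suite above; one positive member case (a free-tier resource the member should keep) would make the negative cases meaningful.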
@@ -1,6 +1,6 @@
 {
 "name": "dokploy",
- "version": "v0.29.6",
+ "version": "v0.29.7",
 "private": true,
 "license": "Apache-2.0",
 "type": "module",