Enforce PermissionSysconsoleWriteBilling in self serve workspace deletion (#23691)

2025-02-25 18:55:24 -06:00 · 2023-06-12 10:33:11 -04:00 · 2023-06-12 10:33:11 -04:00 · 37196a6a26
commit 37196a6a26
parent 59d5df6bce
1 changed files with 5 additions and 0 deletions
--- a/server/channels/api4/cloud.go
+++ b/server/channels/api4/cloud.go
@ -875,6 +875,11 @@ func selfServeDeleteWorkspace(c *Context, w http.ResponseWriter, r *http.Request
 	}
 	defer r.Body.Close()

+	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionSysconsoleWriteBilling) {
+		c.SetPermissionError(model.PermissionSysconsoleWriteBilling)
+		return
+	}
+
 	var deleteRequest *model.WorkspaceDeletionRequest
 	if err = json.Unmarshal(bodyBytes, &deleteRequest); err != nil {
 		c.Err = model.NewAppError("Api4.selfServeDeleteWorkspace", "api.cloud.app_error", nil, err.Error(), http.StatusInternalServerError)