Make GetWorkspaceSetting return non-sensitive values to low-privileged users

2025-10-29 23:23:29 +01:00 · 2025-10-29 23:23:29 +01:00 · 2ed02b2340
parent aae0e56c60
commit 2ed02b2340
1 changed files with 29 additions and 10 deletions
--- a/server/router/api/v1/workspace_service.go
+++ b/server/router/api/v1/workspace_service.go
@ -64,15 +64,34 @@ func (s *APIV1Service) GetWorkspaceSetting(ctx context.Context, request *v1pb.Ge
 		return nil, status.Errorf(codes.NotFound, "workspace setting not found")
 	}

-	// For storage setting, only host can get it.
+	// For storage setting, filter based on user role.
 	if workspaceSetting.Key == storepb.WorkspaceSettingKey_STORAGE {
 		user, err := s.GetCurrentUser(ctx)
 		if err != nil {
 			return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 		}
-		if user == nil || user.Role != store.RoleHost {
+		if user == nil {
 			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 		}
+
+		// Host can see everything, regular users only see enable_s3_image_thumbnails.
+		if user.Role != store.RoleHost {
+			// Convert and filter for non-host users.
+			convertedSetting := convertWorkspaceStorageSettingFromStore(workspaceSetting.GetStorageSetting())
+			// Clear sensitive fields.
+			convertedSetting.StorageType = v1pb.WorkspaceSetting_StorageSetting_STORAGE_TYPE_UNSPECIFIED
+			convertedSetting.FilepathTemplate = ""
+			convertedSetting.UploadSizeLimitMb = 0
+			convertedSetting.S3Config = nil
+			// Keep only EnableS3ImageThumbnails.
+
+			return &v1pb.WorkspaceSetting{
+				Name: fmt.Sprintf("workspace/settings/%s", workspaceSetting.Key.String()),
+				Value: &v1pb.WorkspaceSetting_StorageSetting_{
+					StorageSetting: convertedSetting,
+				},
+			}, nil
+		}
 	}

 	return convertWorkspaceSettingFromStore(workspaceSetting), nil
@ -211,10 +230,10 @@ func convertWorkspaceStorageSettingFromStore(settingpb *storepb.WorkspaceStorage
 		return nil
 	}
 	setting := &v1pb.WorkspaceSetting_StorageSetting{
-		StorageType:              v1pb.WorkspaceSetting_StorageSetting_StorageType(settingpb.StorageType),
-		FilepathTemplate:         settingpb.FilepathTemplate,
-		UploadSizeLimitMb:        settingpb.UploadSizeLimitMb,
-		EnableS3ImageThumbnails:  settingpb.EnableS3ImageThumbnails,
+		StorageType:             v1pb.WorkspaceSetting_StorageSetting_StorageType(settingpb.StorageType),
+		FilepathTemplate:        settingpb.FilepathTemplate,
+		UploadSizeLimitMb:       settingpb.UploadSizeLimitMb,
+		EnableS3ImageThumbnails: settingpb.EnableS3ImageThumbnails,
 	}
 	if settingpb.S3Config != nil {
 		setting.S3Config = &v1pb.WorkspaceSetting_StorageSetting_S3Config{
@ -234,10 +253,10 @@ func convertWorkspaceStorageSettingToStore(setting *v1pb.WorkspaceSetting_Storag
 		return nil
 	}
 	settingpb := &storepb.WorkspaceStorageSetting{
-		StorageType:              storepb.WorkspaceStorageSetting_StorageType(setting.StorageType),
-		FilepathTemplate:         setting.FilepathTemplate,
-		UploadSizeLimitMb:        setting.UploadSizeLimitMb,
-		EnableS3ImageThumbnails:  setting.EnableS3ImageThumbnails,
+		StorageType:             storepb.WorkspaceStorageSetting_StorageType(setting.StorageType),
+		FilepathTemplate:        setting.FilepathTemplate,
+		UploadSizeLimitMb:       setting.UploadSizeLimitMb,
+		EnableS3ImageThumbnails: setting.EnableS3ImageThumbnails,
 	}
 	if setting.S3Config != nil {
 		settingpb.S3Config = &storepb.StorageS3Config{