From 29fb64a2be1f49b806ed9073bd0ccb8e331b5022 Mon Sep 17 00:00:00 2001
From: tygao
Date: Fri, 18 Aug 2023 18:30:20 +0800
Subject: [PATCH] chore: pass right access

Signed-off-by: tygao
---
 .../workspace_saved_objects_client_wrapper.ts | 32 ++++++++++++-------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
index e5cfb73e7ec2..b10dc6ac6f00 100644
--- a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
+++ b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
@@ -96,8 +96,6 @@ export class WorkspaceSavedObjectsClientWrapper {
 ) {
 // PermissionMode here is an array which is merged by workspace type required permission and other saved object required permission.
 // So we only need to do one permission check no matter its type.
- let permitted = true;
-
 for (const { id, type } of objects) {
 const validateResult = await this.permissionControl.validate(
 request,
@@ -108,10 +106,9 @@ export class WorkspaceSavedObjectsClientWrapper {
 this.formatWorkspacePermissionModeToStringArray(permissionMode)
 );
 if (!validateResult?.result) {
- permitted = false;
- break;
+ return false;
 }
- return permitted;
+ return true;
 }
 }
 
@@ -152,7 +149,6 @@ export class WorkspaceSavedObjectsClientWrapper {
 if (!workspaces || workspaces.length === 0) {
 return false;
 }
- let permitted = false;
 for (const workspaceId of workspaces) {
 const validateResult = await this.permissionControl.validate(
 request,
@@ -163,11 +159,10 @@ export class WorkspaceSavedObjectsClientWrapper {
 this.formatWorkspacePermissionModeToStringArray(permissionMode)
 );
 if (validateResult?.result) {
- permitted = true;
- break;
+ return true;
 }
 }
- return permitted;
+ return false;
 }
 
 /**
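Review bot: In the hunk at -108 the new `return true;` appears to sit inside the `for (const { id, type } of objects)` loop, since only the `if` block's closing brace precedes it and two closing braces follow, so the method returns after validating the first object and the remaining entries of a multi-object request are never checked. The removed `return permitted;` was at the same position, so the commit carries the behaviour over rather than introducing it, but this refactor is the natural place to fix it by moving the statement below the loop's closing brace: `} return true;` after the `for`, not before its `}`. Indentation is lost in this view and the method (presumably validateMultiObjectsPermissions) starts outside the hunk, so please confirm against the file. With the return moved, an empty `objects` array would yield `true` instead of the current `undefined`; decide explicitly which is intended, and add a test with a permitted first object followed by a denied one.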
@@ -197,7 +192,11 @@ export class WorkspaceSavedObjectsClientWrapper {
 const objectsPermitted = await this.validateMultiObjectsPermissions(
 [{ type, id }],
 wrapperOptions.request,
- [WorkspacePermissionMode.Management, WorkspacePermissionMode.Write]
+ [
+ WorkspacePermissionMode.Management,
+ WorkspacePermissionMode.LibraryWrite,
+ WorkspacePermissionMode.Write,
+ ]
 );
 if (!objectsPermitted) {
 throw generateSavedObjectsPermissionError();
@@ -221,6 +220,7 @@ export class WorkspaceSavedObjectsClientWrapper {
 if (!workspacePermitted) {
 await this.validateSingleObjectPermissions(id, type, wrapperOptions.request, [
 WorkspacePermissionMode.Management,
+ WorkspacePermissionMode.LibraryWrite,
 WorkspacePermissionMode.Write,
 ]);
 }
@@ -243,7 +243,11 @@ export class WorkspaceSavedObjectsClientWrapper {
 object.id,
 object.type,
 wrapperOptions.request,
- [WorkspacePermissionMode.Management, WorkspacePermissionMode.Write]
+ [
+ WorkspacePermissionMode.Management,
+ WorkspacePermissionMode.LibraryWrite,
+ WorkspacePermissionMode.Write,
+ ]
 );
 }
 }
@@ -294,7 +298,11 @@ export class WorkspaceSavedObjectsClientWrapper {
 const workspacePermitted = await this.validateAtLeastOnePermittedWorkspaces(
 objectToGet.workspaces,
 wrapperOptions.request,
- [WorkspacePermissionMode.Read]
+ [
+ WorkspacePermissionMode.LibraryRead,
+ WorkspacePermissionMode.LibraryWrite,
+ WorkspacePermissionMode.Management,
+ ]
 );
 if (!workspacePermitted) {
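Review bot: The set of modes that grant write access, `[Management, LibraryWrite, Write]`, is now spelled out literally at three call sites (the hunks at -197, -221 and -243), so a later change to the authorization policy has to be repeated in each place and a missed one leaves the checks disagreeing. A single module-level constant (name constructed here), e.g. `const WRITE_ACCESS_MODES = [WorkspacePermissionMode.Management, WorkspacePermissionMode.LibraryWrite, WorkspacePermissionMode.Write];`, passed to all three calls would keep them in step. A one-line comment on that constant saying why `LibraryWrite` is sufficient for object writes would also help the next reviewer. The enclosing methods start and end outside these hunks.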