Apply workspace permission check when saving object (#59)

* feat: Apply workspace permission check when saving object

Signed-off-by: tygao <tygao@amazon.com>

* feat: add bulk update p ermission check

Signed-off-by: tygao <tygao@amazon.com>

---------

Signed-off-by: tygao <tygao@amazon.com>

src/core/server/workspaces/saved_objects/workspace_saved_objects_client_wrapper.ts

@@ -17,6 +17,9 @@ import {
   SavedObjectsCreateOptions,
   SavedObjectsDeleteOptions,
   SavedObjectsFindOptions,
+  SavedObjectsUpdateOptions,
+  SavedObjectsBulkUpdateOptions,
+  SavedObjectsBulkUpdateObject,
 } from 'opensearch-dashboards/server';
 import {
   WorkspacePermissionControl,
@@ -167,6 +170,39 @@ export class WorkspaceSavedObjectsClientWrapper {
       return await wrapperOptions.client.find<T>(options);
     };
 
+    const updateWithWorkspacePermissionControl = async <T = unknown>(
+      type: string,
+      id: string,
+      attributes: T,
+      options?: SavedObjectsUpdateOptions
+    ) => {
+      if (isWorkspacesLikeAttributes(attributes)) {
+        await this.validateMultiWorkspacesPermissions(
+          attributes.workspaces,
+          wrapperOptions.request,
+          WorkspacePermissionMode.Admin
+        );
+      }
+      return await wrapperOptions.client.update<T>(type, id, attributes, options);
+    };
+
+    const bulkUpdateWithWorkspacePermissionControl = async <T = unknown>(
+      objects: Array<SavedObjectsBulkUpdateObject<T>>,
+      options: SavedObjectsBulkUpdateOptions = {}
+    ) => {
+      const objectToBulkUpdate = await wrapperOptions.client.bulkGet<T>(objects, options);
+      for (const object of objectToBulkUpdate.saved_objects) {
+        if (isWorkspacesLikeAttributes(object.attributes)) {
+          await this.validateMultiWorkspacesPermissions(
+            object.attributes.workspaces,
+            wrapperOptions.request,
+            WorkspacePermissionMode.Admin
+          );
+        }
+      }
+      return await wrapperOptions.client.bulkUpdate(objects, options);
+    };
+
     return {
       ...wrapperOptions.client,
       get: getWithWorkspacePermissionControl,
@@ -179,8 +215,8 @@ export class WorkspaceSavedObjectsClientWrapper {
       create: createWithWorkspacePermissionControl,
       bulkCreate: bulkCreateWithWorkspacePermissionControl,
       delete: deleteWithWorkspacePermissionControl,
-      update: wrapperOptions.client.update,
-      bulkUpdate: wrapperOptions.client.bulkUpdate,
+      update: updateWithWorkspacePermissionControl,
+      bulkUpdate: bulkUpdateWithWorkspacePermissionControl,
     };
   };