
Commit bcf7331

fix(contracts): allow org tokens to create contracts (#2748)
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
1 parent 60bc31b commit bcf7331

1 file changed

Lines changed: 13 additions & 2 deletions


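--- a/app/controlplane/internal/service/workflowcontract.go
+++ b/app/controlplane/internal/service/workflowcontract.go
@@ -121,8 +121,8 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
 
 	// If setting is enabled, only org admins can create contracts (org-level or project-level)
 	if org.RestrictContractCreationToOrgAdmins {
-		if !isUserOrgAdmin(ctx) {
-			return nil, errors.Forbidden("forbidden", "contract creation is restricted to organization administrators. Please contact your administrator")
+		if !canCreateContractsInRestrictedMode(ctx) {
+			return nil, errors.Forbidden("forbidden", "contract creation is restricted to organization administrators and service accounts. Please contact your administrator")
 		}
 	}
 
@@ -170,6 +170,17 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
 	return &pb.WorkflowContractServiceCreateResponse{Result: bizWorkFlowContractToPb(schema)}, nil
 }
 
+func canCreateContractsInRestrictedMode(ctx context.Context) bool {
+	// it's an org-scoped API token
+	token := entities.CurrentAPIToken(ctx)
+	if token != nil {
+		return token.ProjectID == nil
+	}
+
+	// or it's an admin user
+	return isUserOrgAdmin(ctx)
+}
+
 func (s *WorkflowContractService) Update(ctx context.Context, req *pb.WorkflowContractServiceUpdateRequest) (*pb.WorkflowContractServiceUpdateResponse, error) {
 	currentOrg, err := requireCurrentOrg(ctx)
 	if err != nil {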
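Review bot: `canCreateContractsInRestrictedMode` grants the bypass on token scope alone — any org-scoped API token (`token.ProjectID == nil`) passes the restricted-mode check with no role requirement, while a human caller must still be an org admin; that asymmetry is what the commit title asks for, but nothing in the code records it as the intended policy. The comment `// it's an org-scoped API token` is also slightly off, since that branch handles every API token and deliberately denies project-scoped ones rather than falling through to the admin check. Suggest a doc comment on the helper: `// canCreateContractsInRestrictedMode reports whether the caller may create contracts while RestrictContractCreationToOrgAdmins is set: org-scoped API tokens (no ProjectID) are allowed regardless of role, project-scoped tokens are denied, and users must be org admins.` Whether `entities.CurrentAPIToken` returns nil for a user session (so that the `isUserOrgAdmin` path is actually reached) is not visible in this hunk and is worth confirming.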
