fix(webapp): enforce write:runs on single-run cancel and replay actions

Wrap the dashboard cancel and replay resource-route actions in
dashboardAction with an authorization block (write:runs), resolving the
run's organization for the auth scope from Postgres with a mollifier
buffer fallback. The existing org-membership queries are retained as the
tenancy boundary; the RBAC check layers on top and only enforces under the
enterprise plugin.

Author: matt-aitken

apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts

@@ -1,10 +1,10 @@
 import { parse } from "@conform-to/zod";
-import { type ActionFunction, json } from "@remix-run/node";
+import { json } from "@remix-run/node";
 import { z } from "zod";
-import { prisma } from "~/db.server";
+import { $replica, prisma } from "~/db.server";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
 import { logger } from "~/services/logger.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction } from "~/services/routeBuilders/dashboardBuilder";
 import { CancelTaskRunService } from "~/v3/services/cancelTaskRun.server";
 import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
 
@@ -16,104 +16,130 @@ const ParamSchema = z.object({
   runParam: z.string(),
 });
 
-export const action: ActionFunction = async ({ request, params }) => {
-  const userId = await requireUserId(request);
-  const { runParam } = ParamSchema.parse(params);
+// Resolve the run's organization so the RBAC auth scope can resolve the
+// user's role in it. The run may not be in Postgres yet (buffered during a
+// burst), so fall back to the buffer entry's org.
+async function resolveRunOrganizationId(runParam: string): Promise<string | null> {
+  const run = await $replica.taskRun.findFirst({
+    where: { friendlyId: runParam },
+    select: { project: { select: { organizationId: true } } },
+  });
+  if (run) {
+    return run.project.organizationId;
+  }
 
-  const formData = await request.formData();
-  const submission = parse(formData, { schema: cancelSchema });
+  const buffer = getMollifierBuffer();
+  const entry = buffer ? await buffer.getEntry(runParam) : null;
+  return entry?.orgId ?? null;
+}
 
-  if (!submission.value) {
-    return json(submission);
-  }
+export const action = dashboardAction(
+  {
+    params: ParamSchema,
+    context: async (params) => {
+      const organizationId = await resolveRunOrganizationId(params.runParam);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: { action: "write", resource: { type: "runs" } },
+  },
+  async ({ request, params, user }) => {
+    const { runParam } = params;
+
+    const formData = await request.formData();
+    const submission = parse(formData, { schema: cancelSchema });
+
+    if (!submission.value) {
+      return json(submission);
+    }
 
-  try {
-    const taskRun = await prisma.taskRun.findFirst({
-      where: {
-        friendlyId: runParam,
-        project: {
-          organization: {
-            members: {
-              some: {
-                userId,
+    try {
+      const taskRun = await prisma.taskRun.findFirst({
+        where: {
+          friendlyId: runParam,
+          project: {
+            organization: {
+              members: {
+                some: {
+                  userId: user.id,
+                },
               },
             },
           },
         },
-      },
-    });
+      });
 
-    if (taskRun) {
-      const cancelRunService = new CancelTaskRunService();
-      await cancelRunService.call(taskRun);
-      return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
-    }
+      if (taskRun) {
+        const cancelRunService = new CancelTaskRunService();
+        await cancelRunService.call(taskRun);
+        return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
+      }
 
-    // PG miss — try the mollifier buffer. The customer can hit cancel
-    // on a buffered run from the dashboard during the burst window.
-    // Snapshot a `mark_cancelled` patch; the drainer's
-    // bifurcation routes the run to `engine.createCancelledRun` on
-    // next pop.
-    const buffer = getMollifierBuffer();
-    const entry = buffer ? await buffer.getEntry(runParam) : null;
-    if (!entry) {
-      submission.error = { runParam: ["Run not found"] };
-      return json(submission);
-    }
+      // PG miss — try the mollifier buffer. The customer can hit cancel
+      // on a buffered run from the dashboard during the burst window.
+      // Snapshot a `mark_cancelled` patch; the drainer's
+      // bifurcation routes the run to `engine.createCancelledRun` on
+      // next pop.
+      const buffer = getMollifierBuffer();
+      const entry = buffer ? await buffer.getEntry(runParam) : null;
+      if (!entry) {
+        submission.error = { runParam: ["Run not found"] };
+        return json(submission);
+      }
 
-    // Dashboard auth: verify the requesting user is a member of the
-    // buffered run's org. The API path scopes by env id from the
-    // authenticated request; the dashboard route uses org-membership
-    // because the URL doesn't carry an envId.
-    const member = await prisma.orgMember.findFirst({
-      where: { userId, organizationId: entry.orgId },
-      select: { id: true },
-    });
-    if (!member) {
-      submission.error = { runParam: ["Run not found"] };
-      return json(submission);
-    }
+      // Tenancy: verify the requesting user is a member of the buffered
+      // run's org. The API path scopes by env id from the authenticated
+      // request; the dashboard route uses org-membership because the URL
+      // doesn't carry an envId.
+      const member = await prisma.orgMember.findFirst({
+        where: { userId: user.id, organizationId: entry.orgId },
+        select: { id: true },
+      });
+      if (!member) {
+        submission.error = { runParam: ["Run not found"] };
+        return json(submission);
+      }
 
-    const result = await buffer!.mutateSnapshot(runParam, {
-      type: "mark_cancelled",
-      cancelledAt: new Date().toISOString(),
-      cancelReason: "Canceled by user",
-    });
-    if (result === "applied_to_snapshot") {
-      return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
-    }
-    // "not_found" or "busy" — both indicate the drainer raced us between
-    // the getEntry check above and mutateSnapshot. On "not_found" the
-    // entry was just popped and the PG row is in flight; on "busy" the
-    // drainer is mid-materialisation. Either way the customer should
-    // retry — by then the PG row exists and the regular cancel path at
-    // the top of this action takes over.
-    return redirectWithErrorMessage(
-      submission.value.redirectUrl,
-      request,
-      "Run is materialising — retry in a moment"
-    );
-  } catch (error) {
-    if (error instanceof Error) {
-      logger.error("Failed to cancel run", {
-        error: {
-          name: error.name,
-          message: error.message,
-          stack: error.stack,
-        },
+      const result = await buffer!.mutateSnapshot(runParam, {
+        type: "mark_cancelled",
+        cancelledAt: new Date().toISOString(),
+        cancelReason: "Canceled by user",
       });
+      if (result === "applied_to_snapshot") {
+        return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
+      }
+      // "not_found" or "busy" — both indicate the drainer raced us between
+      // the getEntry check above and mutateSnapshot. On "not_found" the
+      // entry was just popped and the PG row is in flight; on "busy" the
+      // drainer is mid-materialisation. Either way the customer should
+      // retry — by then the PG row exists and the regular cancel path at
+      // the top of this action takes over.
       return redirectWithErrorMessage(
         submission.value.redirectUrl,
         request,
-        `Failed to cancel run, ${error.message}`
-      );
-    } else {
-      logger.error("Failed to cancel run", { error });
-      return redirectWithErrorMessage(
-        submission.value.redirectUrl,
-        request,
-        `Failed to cancel run, ${JSON.stringify(error)}`
+        "Run is materialising — retry in a moment"
       );
+    } catch (error) {
+      if (error instanceof Error) {
+        logger.error("Failed to cancel run", {
+          error: {
+            name: error.name,
+            message: error.message,
+            stack: error.stack,
+          },
+        });
+        return redirectWithErrorMessage(
+          submission.value.redirectUrl,
+          request,
+          `Failed to cancel run, ${error.message}`
+        );
+      } else {
+        logger.error("Failed to cancel run", { error });
+        return redirectWithErrorMessage(
+          submission.value.redirectUrl,
+          request,
+          `Failed to cancel run, ${JSON.stringify(error)}`
+        );
+      }
     }
   }
-};
+);