From 87dac54f1e2b6099224d0b843428654c5961d59b Mon Sep 17 00:00:00 2001
From: Finley Ge <32237950+FinleyGe@users.noreply.github.com>
Date: Thu, 25 Jul 2024 13:52:16 +0800
Subject: [PATCH] fix: outlink manage can delete/update others (#2158)
* fix: outlink manage be able to delete/update others
* fix: remove enum validation for teamMemberSchema. because the old data has the role property, which may cause unknown bug
* perf: change findAndRemove to deleteOne
---
 .../support/permission/auth/openapi.ts | 2 +-
 .../support/permission/publish/authLink.ts | 8 ++--
 .../support/user/team/teamMemberSchema.ts | 4 +-
 .../src/pages/api/support/openapi/delete.ts | 39 +++++++++----------
 4 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/packages/service/support/permission/auth/openapi.ts b/packages/service/support/permission/auth/openapi.ts
index 2908c2eb4..c24d2e964 100644
--- a/packages/service/support/permission/auth/openapi.ts
+++ b/packages/service/support/permission/auth/openapi.ts
@@ -25,7 +25,7 @@ export async function authOpenApiKeyCrud({
 const { openapi, permission } = await (async () => {
 const openapi = await MongoOpenApi.findOne({ _id: id, teamId });
 if (!openapi) {
- throw new Error(OpenApiErrEnum.unExist);
+ return Promise.reject(OpenApiErrEnum.unExist);
 }
 if (!!openapi.appId) {
diff --git a/packages/service/support/permission/publish/authLink.ts b/packages/service/support/permission/publish/authLink.ts
index 58b7236e3..eb1938a4b 100644
--- a/packages/service/support/permission/publish/authLink.ts
+++ b/packages/service/support/permission/publish/authLink.ts
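Review bot: In `authOpenApiKeyCrud` (permission/auth/openapi.ts) the missing-key branch now rejects with the bare `OpenApiErrEnum.unExist` value instead of an `Error`, so the rejection carries no stack trace and any caller that tests `err instanceof Error` or reads `err.message` will see something different; the second hunk of publish/authLink.ts makes the same change for `OutLinkErrEnum.unExist`. This matches the `return Promise.reject(CommonErrEnum.missingParams)` style used in openapi/delete.ts, presumably so a shared error handler can map the code to a response, but that handler is not visible in this patch. I would record the convention at the branch with a comment such as `// reject with the error code (not an Error) so the API error handler can map it`. The enclosing function starts and ends outside the hunk.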
@@ -3,14 +3,14 @@ import { OutLinkSchema } from '@fastgpt/global/support/outLink/type';
 import { parseHeaderCert } from '../controller';
 import { MongoOutLink } from '../../outLink/schema';
 import { OutLinkErrEnum } from '@fastgpt/global/common/error/code/outLink';
-import { ManagePermissionVal } from '@fastgpt/global/support/permission/constant';
+import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
 import { authAppByTmbId } from '../app/auth';
 import { AuthModeType, AuthResponseType } from '../type';
 /* crud outlink permission */
 export async function authOutLinkCrud({
 outLinkId,
- per,
+ per = OwnerPermissionVal,
 ...props
 }: AuthModeType & {
 outLinkId: string;
@@ -26,13 +26,13 @@ export async function authOutLinkCrud({
 const { app, outLink } = await (async () => {
 const outLink = await MongoOutLink.findOne({ _id: outLinkId, teamId });
 if (!outLink) {
- throw new Error(OutLinkErrEnum.unExist);
+ return Promise.reject(OutLinkErrEnum.unExist);
 }
 const { app } = await authAppByTmbId({
 tmbId,
 appId: outLink.appId,
- per: ManagePermissionVal
+ per: per
 });
 return {
diff --git a/packages/service/support/user/team/teamMemberSchema.ts b/packages/service/support/user/team/teamMemberSchema.ts
index 95df79e48..d14fb1b5b 100644
--- a/packages/service/support/user/team/teamMemberSchema.ts
+++ b/packages/service/support/user/team/teamMemberSchema.ts
@@ -25,8 +25,8 @@ const TeamMemberSchema = new Schema({
 default: 'Member'
 },
 role: {
- type: String,
- enum: Object.keys(TeamMemberRoleMap)
+ type: String
+ // enum: Object.keys(TeamMemberRoleMap) // disable enum validation for old data
 },
 status: {
 type: String,
diff --git a/projects/app/src/pages/api/support/openapi/delete.ts b/projects/app/src/pages/api/support/openapi/delete.ts
index 9ea1ce039..2ad4ba34a 100644
--- a/projects/app/src/pages/api/support/openapi/delete.ts
+++ b/projects/app/src/pages/api/support/openapi/delete.ts
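Review bot: The new default `per = OwnerPermissionVal` in `authOutLinkCrud` (publish/authLink.ts, first hunk) only takes effect when a caller omits `per`, and the second hunk now forwards the caller's value to `authAppByTmbId` where the app check used to be pinned at `ManagePermissionVal`. A call site that passes a weaker value explicitly would therefore get a weaker app check than before this commit; the outlink update and delete routes are not part of this diff, so each caller of this helper should be checked for what it passes. The header comment could state the contract, e.g. `/* Outlink CRUD auth: the link is looked up within teamId and the caller needs 'per' (default: owner) on the link's app */`, assuming `teamId` is resolved from the caller's credentials outside the hunk. `per: per` can also be written as the shorthand `per`.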
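Review bot: With `enum` commented out in user/team/teamMemberSchema.ts, `role` accepts any string on every write, not only on the legacy documents the commit message is concerned about. If any code still reads `role` for an access decision (not visible in this hunk), that value is no longer validated at the schema layer. Consider either migrating the old documents and keeping the enum, or marking the field as legacy and making sure no write path sets it from request data; a comment such as `// legacy field: kept so old documents load, not validated, do not use for authorization` states the intent better than a commented-out line. The `TeamMemberRoleMap` import may now be unused, which cannot be confirmed from the hunk.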
@@ -1,29 +1,28 @@
-import type { NextApiRequest, NextApiResponse } from 'next';
-import { jsonRes } from '@fastgpt/service/common/response';
-import { connectToDatabase } from '@/service/mongo';
 import { MongoOpenApi } from '@fastgpt/service/support/openapi/schema';
 import { authOpenApiKeyCrud } from '@fastgpt/service/support/permission/auth/openapi';
 import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
 import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
+import type { ApiRequestProps, ApiResponseType } from '@fastgpt/service/type/next';
+import { NextAPI } from '@/service/middleware/entry';
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
- try {
- await connectToDatabase();
- const { id } = req.query as { id: string };
+export type OpenAPIDeleteQuery = { id: string };
+export type OpenAPIDeleteBody = {};
+export type OpenAPIDeleteResponse = {};
- if (!id) {
- return Promise.reject(CommonErrEnum.missingParams);
- }
+async function handler(
+ req: ApiRequestProps,
+ _res: ApiResponseType
+): Promise {
+ const { id } = req.query as { id: string };
- await authOpenApiKeyCrud({ req, authToken: true, id, per: OwnerPermissionVal });
-
- await MongoOpenApi.findOneAndRemove({ _id: id });
-
- jsonRes(res);
- } catch (err) {
- jsonRes(res, {
- code: 500,
- error: err
- });
+ if (!id) {
+ return Promise.reject(CommonErrEnum.missingParams);
 }
+
+ await authOpenApiKeyCrud({ req, authToken: true, id, per: OwnerPermissionVal });
+
+ await MongoOpenApi.deleteOne({ _id: id });
+ return {};
 }
+
+export default NextAPI(handler);
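Review bot: `MongoOpenApi.deleteOne({ _id: id })` in openapi/delete.ts filters on `_id` alone, so tenant isolation rests entirely on the preceding `authOpenApiKeyCrud` call. If that helper returns the caller's `teamId` (its return value is not visible here), carrying it into the filter, as in `await MongoOpenApi.deleteOne({ _id: id, teamId });`, keeps the delete scoped even if the auth call is later moved or changed. Separately, `req.query as { id: string }` is only a compile-time cast and `!id` lets a repeated `id` parameter, which arrives as an array, through to the auth helper; `if (typeof id !== 'string' || !id)` would reject it up front.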