fix: outlink manage can delete/update others (#2158)

* fix: outlink manage be able to delete/update others

* fix: remove enum validation for teamMemberSchema.
because the old data has the role property, which may cause unknown bug

* perf: change findAndRemove to deleteOne

packages/service/support/permission/auth/openapi.ts

@@ -25,7 +25,7 @@ export async function authOpenApiKeyCrud({
   const { openapi, permission } = await (async () => {
     const openapi = await MongoOpenApi.findOne({ _id: id, teamId });
     if (!openapi) {
-      throw new Error(OpenApiErrEnum.unExist);
+      return Promise.reject(OpenApiErrEnum.unExist);
     }
 
     if (!!openapi.appId) {

packages/service/support/permission/publish/authLink.ts

@@ -3,14 +3,14 @@ import { OutLinkSchema } from '@fastgpt/global/support/outLink/type';
 import { parseHeaderCert } from '../controller';
 import { MongoOutLink } from '../../outLink/schema';
 import { OutLinkErrEnum } from '@fastgpt/global/common/error/code/outLink';
-import { ManagePermissionVal } from '@fastgpt/global/support/permission/constant';
+import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
 import { authAppByTmbId } from '../app/auth';
 import { AuthModeType, AuthResponseType } from '../type';
 
 /* crud outlink permission */
 export async function authOutLinkCrud({
   outLinkId,
-  per,
+  per = OwnerPermissionVal,
   ...props
 }: AuthModeType & {
   outLinkId: string;
@@ -26,13 +26,13 @@ export async function authOutLinkCrud({
   const { app, outLink } = await (async () => {
     const outLink = await MongoOutLink.findOne({ _id: outLinkId, teamId });
     if (!outLink) {
-      throw new Error(OutLinkErrEnum.unExist);
+      return Promise.reject(OutLinkErrEnum.unExist);
     }
 
     const { app } = await authAppByTmbId({
       tmbId,
       appId: outLink.appId,
-      per: ManagePermissionVal
+      per: per
     });
 
     return {

packages/service/support/user/team/teamMemberSchema.ts

@@ -25,8 +25,8 @@ const TeamMemberSchema = new Schema({
     default: 'Member'
   },
   role: {
-    type: String,
+    type: String
-    enum: Object.keys(TeamMemberRoleMap)
+    // enum: Object.keys(TeamMemberRoleMap) // disable enum validation for old data
   },
   status: {
     type: String,

projects/app/src/pages/api/support/openapi/delete.ts

@@ -1,29 +1,28 @@
-import type { NextApiRequest, NextApiResponse } from 'next';
-import { jsonRes } from '@fastgpt/service/common/response';
-import { connectToDatabase } from '@/service/mongo';
 import { MongoOpenApi } from '@fastgpt/service/support/openapi/schema';
 import { authOpenApiKeyCrud } from '@fastgpt/service/support/permission/auth/openapi';
 import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
 import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
+import type { ApiRequestProps, ApiResponseType } from '@fastgpt/service/type/next';
+import { NextAPI } from '@/service/middleware/entry';
 
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+export type OpenAPIDeleteQuery = { id: string };
-  try {
+export type OpenAPIDeleteBody = {};
-    await connectToDatabase();
+export type OpenAPIDeleteResponse = {};
-    const { id } = req.query as { id: string };
 
-    if (!id) {
+async function handler(
-      return Promise.reject(CommonErrEnum.missingParams);
+  req: ApiRequestProps<OpenAPIDeleteBody, OpenAPIDeleteQuery>,
-    }
+  _res: ApiResponseType<any>
+): Promise<OpenAPIDeleteResponse> {
+  const { id } = req.query as { id: string };
 
-    await authOpenApiKeyCrud({ req, authToken: true, id, per: OwnerPermissionVal });
+  if (!id) {
-
+    return Promise.reject(CommonErrEnum.missingParams);
-    await MongoOpenApi.findOneAndRemove({ _id: id });
-
-    jsonRes(res);
-  } catch (err) {
-    jsonRes(res, {
-      code: 500,
-      error: err
-    });
   }
+
+  await authOpenApiKeyCrud({ req, authToken: true, id, per: OwnerPermissionVal });
+
+  await MongoOpenApi.deleteOne({ _id: id });
+  return {};
 }
+
+export default NextAPI(handler);