Check if user has access to deploy

2025-09-04 12:04:20 +08:00 · 2025-08-05 18:31:42 -03:00 · 2025-08-05 18:31:42 -03:00 · 17f4ecefa1
commit 17f4ecefa1
parent 1d15d03e2b
3 changed files with 44 additions and 7 deletions
--- a/lib/livebook/hubs/team_client.ex
+++ b/lib/livebook/hubs/team_client.ex
@ -164,6 +164,17 @@ defmodule Livebook.Hubs.TeamClient do
    GenServer.call(registry_name(id), {:check_app_access, groups, slug})
  end

+  @doc """
+  Returns if the given user has access to deploy apps to Teams.
+  """
+  @spec authorized_user_to_deploy?(String.t(), pos_integer() | nil, String.t()) :: boolean()
+  def authorized_user_to_deploy?(id, user_id, deployment_group_id) do
+    GenServer.call(
+      registry_name(id),
+      {:check_deployment_authorization, user_id, deployment_group_id}
+    )
+  end
+
  @doc """
  Returns if the Team client is connected.
  """
@ -338,6 +349,30 @@ defmodule Livebook.Hubs.TeamClient do
    end
  end

+  def handle_call({:check_deployment_authorization, user_id, id}, _caller, state) do
+    # App servers/Offline instances should not be able to deploy apps
+    if state.deployment_group_id || user_id == nil do
+      {:reply, false, state}
+    else
+      case fetch_deployment_group(id, state) do
+        {:ok, deployment_group} ->
+          deployment_user = %Teams.DeploymentUser{
+            user_id: to_string(user_id),
+            deployment_group_id: id
+          }
+
+          authorized? =
+            not deployment_group.deploy_auth or
+              deployment_user in deployment_group.deployment_users
+
+          {:reply, authorized?, state}
+
+        _ ->
+          {:reply, false, state}
+      end
+    end
+  end
+
  @impl true
  def handle_info(:connected, state) do
    Hubs.Broadcasts.hub_connected(state.hub.id)
--- a/lib/livebook/teams.ex
+++ b/lib/livebook/teams.ex
@ -294,4 +294,12 @@ defmodule Livebook.Teams do
  defp add_external_errors(struct, errors_map) do
    struct |> Ecto.Changeset.change() |> add_external_errors(errors_map)
  end
+
+  @doc """
+  Deploys the given app deployment to given deployment group using a deploy key.
+  """
+  @spec authorized_user_to_deploy?(Team.t(), Teams.DeploymentGroup.t()) :: boolean()
+  def authorized_user_to_deploy?(%Team{} = team, %Teams.DeploymentGroup{} = deployment_group) do
+    TeamClient.authorized_user_to_deploy?(team.id, team.user_id, deployment_group.id)
+  end
 end
--- a/lib/livebook_web/live/session_live/app_teams_live.ex
+++ b/lib/livebook_web/live/session_live/app_teams_live.ex
@ -250,7 +250,7 @@ defmodule LivebookWeb.SessionLive.AppTeamsLive do
              deployment_group={deployment_group}
              num_agents={@num_agents}
              num_app_deployments={@num_app_deployments}
-              authorized={authorized_for_deployment_group?(deployment_group)}
+              authorized={Teams.authorized_user_to_deploy?(@hub, deployment_group)}
              selectable
            />
          </div>
@ -573,10 +573,4 @@ defmodule LivebookWeb.SessionLive.AppTeamsLive do
      String.replace(acc, "%{#{key}}", to_string(value))
    end)
  end
-
-  # TODO: Replace with actual authorization logic from Livebook Teams
-  # For now, simulate that "production" and "staging" deployment groups require authorization
-  defp authorized_for_deployment_group?(deployment_group) do
-    deployment_group.name not in ["production", "staging"]
-  end
 end