From ec4703a8d5c3d497fbae8b80e5bd38b24083d79b Mon Sep 17 00:00:00 2001
From: Conrad Irwin
Date: Thu, 23 May 2024 16:59:04 -0600
Subject: [PATCH] Add missing access control check (#12213)
Release Notes:
- N/A
---
 crates/collab/src/db/queries/projects.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/crates/collab/src/db/queries/projects.rs b/crates/collab/src/db/queries/projects.rs
index 2a7c3e1f8c..5a68f632f9 100644
--- a/crates/collab/src/db/queries/projects.rs
+++ b/crates/collab/src/db/queries/projects.rs
@@ -66,6 +66,16 @@ impl Database {
 .await?
 .ok_or_else(|| anyhow!("no remote project"))?;
+ let (_, dev_server) = dev_server_project::Entity::find_by_id(dev_server_project_id)
+ .find_also_related(dev_server::Entity)
+ .one(&*tx)
+ .await?
+ .ok_or_else(|| anyhow!("no dev_server_project"))?;
+ if !dev_server.is_some_and(|dev_server| dev_server.user_id == participant.user_id) {
+ return Err(anyhow!("not your dev server"))?;
+ }
+
 if project.room_id.is_some() {
 return Err(anyhow!("project already shared"))?;
 };
@@ -77,7 +87,6 @@ impl Database {
 .exec(&*tx)
 .await?;
- // todo! check user is a project-collaborator
 let room = self.get_room(room_id, &tx).await?;
 return Ok((project.id, room));
 }
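Review bot: The ownership check added in the first hunk appears to be the only authorization gate on this share path, yet nothing records that intent or that a missing `dev_server` relation is deliberately denied rather than tolerated; a comment above the `if` such as `// Authorization: only the dev server's owner may share its projects into a room; a missing dev_server row is denied, not ignored.` would keep a later refactor from relaxing it to `map_or(true, ..)`. The `is_some_and` closure shadows the outer `dev_server` binding, which reads poorly; `|server| server.user_id == participant.user_id` avoids that. As written, a dev_server_project whose related dev_server row is absent reports "not your dev server", conflating a data-integrity problem with an authorization failure; if that distinction matters for operators, split it with `let Some(dev_server) = dev_server else { return Err(anyhow!("no dev server"))?; };` before the ownership test. The enclosing function begins before the hunk, so `participant` and `dev_server_project_id` are assumed to be the current room participant and the project's dev server id. A regression test exercising a non-owner on this path would pin the fix, since the commit adds none.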