Add security policy to template endpoints (#2095)

MarceloRGonc · web-flow · commit 5a18b8476763 · 2026-03-10T15:36:56.000Z
Fixes OPS-3881.
diff --git a/packages/server/api/src/app/flow-template/flow-template.controller.ts b/packages/server/api/src/app/flow-template/flow-template.controller.ts
@@ -2,9 +2,10 @@ import {
   FastifyPluginAsyncTypebox,
   Type,
 } from '@fastify/type-provider-typebox';
-import { OpenOpsId, PrincipalType } from '@openops/shared';
+import { OpenOpsId, Permission, PrincipalType } from '@openops/shared';
 import { FastifyRequest } from 'fastify';
 import { entitiesMustBeOwnedByCurrentProject } from '../authentication/authorization';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { flowTemplateService } from './flow-template.service';
 
 export const flowTemplateController: FastifyPluginAsyncTypebox = async (
@@ -17,6 +18,10 @@ export const flowTemplateController: FastifyPluginAsyncTypebox = async (
     {
       config: {
         allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+          permission: Permission.READ_TEMPLATE,
+        }),
       },
       schema: {
         tags: ['flow-templates'],
@@ -53,6 +58,10 @@ export const flowTemplateController: FastifyPluginAsyncTypebox = async (
     {
       config: {
         allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+          permission: Permission.READ_TEMPLATE,
+        }),
       },
       schema: {
         tags: ['flow-templates'],
@@ -73,6 +82,10 @@ export const flowTemplateController: FastifyPluginAsyncTypebox = async (
     {
       config: {
         allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+          permission: Permission.WRITE_TEMPLATE,
+        }),
       },
       schema: {
         body: {
diff --git a/packages/shared/src/lib/common/security/permission.ts b/packages/shared/src/lib/common/security/permission.ts
@@ -22,6 +22,10 @@ export enum Permission {
   WRITE_FOLDER = 'folder:write',
   DELETE_FOLDER = 'folder:delete',
 
+  // Templates
+  READ_TEMPLATE = 'template:read',
+  WRITE_TEMPLATE = 'template:write',
+
   // Users
   WRITE_USER = 'user:write',
 
