Add security policy to block endpoints (#2087)

Fixes OPS-3879.

Author: MarceloRGonc

packages/server/api/src/app/block-variable/block-variable-module.ts

@@ -5,10 +5,12 @@ import {
 import {
   flowHelper,
   groupStepOutputsById,
+  Permission,
   PrincipalType,
 } from '@openops/shared';
 import { engineRunner } from 'server-worker';
 import { accessTokenManager } from '../authentication/context/access-token-manager';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { flowService } from '../flows/flow/flow.service';
 import { flowStepTestOutputService } from '../flows/step-test-output/flow-step-test-output.service';
 
@@ -58,6 +60,10 @@ const blockVariableController: FastifyPluginAsyncTypebox = async (app) => {
 const ExecuteVariableRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_FLOW,
+    }),
   },
   schema: {
     description:

packages/server/api/src/app/blocks/base-block-module.ts

@@ -20,11 +20,13 @@ import {
   ListVersionRequestQuery,
   ListVersionsResponse,
   OpsEdition,
+  Permission,
   PrincipalType,
   PUBLIC_ROUTE_POLICY,
 } from '@openops/shared';
 import { engineRunner } from 'server-worker';
 import { accessTokenManager } from '../authentication/context/access-token-manager';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { flagService } from '../flags/flag.service';
 import { flowService } from '../flows/flow/flow.service';
 import { flowStepTestOutputService } from '../flows/step-test-output/flow-step-test-output.service';
@@ -241,6 +243,10 @@ const ListCategoriesRequest = {
 const OptionsBlockRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.READ_FLOW,
+    }),
   },
   schema: {
     operationId: 'Execute Block Properties',
@@ -251,6 +257,11 @@ const OptionsBlockRequest = {
 };
 
 const DeleteBlockRequest = {
+  config: {
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
+  },
   schema: {
     description:
       'Delete a custom block from the system. This endpoint permanently removes a block and its associated metadata. This operation cannot be undone and will affect any flows using this block. Use with caution as it may impact existing flows.',

packages/server/api/src/app/blocks/community-block-module.ts

@@ -2,6 +2,7 @@ import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
 import { BlockMetadataModel } from '@openops/blocks-framework';
 import { AddBlockRequestBody, PrincipalType } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { blockService } from './block-service';
 
 export const communityBlocksModule: FastifyPluginAsyncTypebox = async (app) => {
@@ -14,6 +15,9 @@ const communityBlocksController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.USER],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+        }),
       },
       schema: {
         body: AddBlockRequestBody,