Merge pull request #819 from sparrowapp-dev/revert-804-SPRW-1952-vulnerability-user-team-enumeration-via-chained-idor

Astitva877 · web-flow · commit 1b68885cc8b0 · 2025-09-23T17:14:28.000+05:30
Revert "fix:  SPRW-1951 &amp; 1952 [Vulnerability] Sensitive Information Disclosure via Public Workspace API"
diff --git a/src/modules/identity/services/team.service.ts b/src/modules/identity/services/team.service.ts
@@ -430,11 +430,6 @@ export class TeamService {
     userId: string,
     currentUser: DecodedUserObject,
   ): Promise<WithId<Team>[]> {
-    if (currentUser?._id.toString() !== userId.toString()) {
-      throw new BadRequestException(
-        "You are not authorised to fetch the team details of this particular user",
-      );
-    }
     const user = await this.userRepository.getUserById(userId, currentUser);
     if (!user) {
       throw new BadRequestException(
diff --git a/src/modules/workspace/services/workspace.service.ts b/src/modules/workspace/services/workspace.service.ts
@@ -94,11 +94,6 @@ export class WorkspaceService {
     userId: string,
     currentUser: DecodedUserObject,
   ): Promise<Workspace[]> {
-    if (currentUser?._id.toString() !== userId.toString()) {
-      throw new BadRequestException(
-        "You are not authorised to fetch the workspace details of this particular user",
-      );
-    }
     const user = await this.userRepository.getUserById(userId, currentUser);
     if (!user) {
       throw new BadRequestException(
@@ -262,7 +257,7 @@ export class WorkspaceService {
     }
     throw new BadRequestException("You don't have access of this Workspace");
   }
-
+  
   /**
    * Creates a new workspace in the database
    * @param {CreateOrUpdateWorkspaceDto} workspaceData
@@ -286,16 +281,12 @@ export class WorkspaceService {
     }
     const planData = teamData?.plan;
     const uuid = new ObjectId();
-    const ws = {
+    const  ws = {
       id: uuid,
       name: workspaceData.name,
     };
-    const res = await this.teamRepository.updateTeamWorkspaceCountById(
-      teamId,
-      planData,
-      ws,
-    );
-    if (!res) {
+    const res = await this.teamRepository.updateTeamWorkspaceCountById(teamId, planData, ws);
+    if(!res){
       throw new ForbiddenException("Plan limit reached");
     }
     const createEnvironmentDto: CreateEnvironmentDto = {
