From f9752256887fa50bb81fd57794cac1365810ec5a Mon Sep 17 00:00:00 2001 From: James Willis Date: Fri, 22 May 2026 13:29:13 +0100 Subject: [PATCH 1/2] feat(ep): restrict resource-creation endpoints to admin emails only POST /api/v1/projects, /workspaces, /teams, and clone routes now require the requesting user to be in ADMIN_EMAILS, using the existing adminOnly middleware. --- platform/wab/src/wab/server/AppServer.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/platform/wab/src/wab/server/AppServer.ts b/platform/wab/src/wab/server/AppServer.ts index 9eb7d59bc..ba0125184 100644 --- a/platform/wab/src/wab/server/AppServer.ts +++ b/platform/wab/src/wab/server/AppServer.ts @@ -1566,16 +1566,18 @@ export function addMainAppServerRoutes( safeCast(authRoutes.teamApiUserAuth), withNext(listProjects) ); - app.post("/api/v1/projects", cmCors, withNext(createProject)); + app.post("/api/v1/projects", cmCors, adminOnly, withNext(createProject)); app.post( "/api/v1/projects/create-project-with-hostless-packages", + adminOnly, withNext(createProjectWithHostlessPackages) ); - app.post("/api/v1/projects/:projectId/clone", cmCors, createWriteRateLimiter(), withNext(cloneProject)); + app.post("/api/v1/projects/:projectId/clone", cmCors, adminOnly, createWriteRateLimiter(), withNext(cloneProject)); app.post( "/api/v1/templates/:projectId/clone", cmCors, safeCast(authRoutes.teamApiUserAuth), + adminOnly, withNext(clonePublishedTemplate) ); // Import includes capabilities to keep the project id, allow data source op issuing, @@ -1691,6 +1693,7 @@ export function addMainAppServerRoutes( app.post( "/api/v1/teams", safeCast(authRoutes.teamApiUserAuth), + adminOnly, withNext(teamRoutes.createTeam) ); app.get( @@ -1744,6 +1747,7 @@ export function addMainAppServerRoutes( "/api/v1/workspaces", cmCors, safeCast(authRoutes.teamApiUserAuth), + adminOnly, createWorkspace ); app.get("/api/v1/workspaces/:workspaceId", cmCors, getWorkspace); From c8cb4e0a348571a70e977a59252423c55dc2f336 Mon Sep 17 00:00:00 2001 From: James Willis Date: Fri, 22 May 2026 13:38:07 +0100 Subject: [PATCH 2/2] feat(ep): restrict only workspace and team creation to admin emails Project endpoints remain open for EP provisioned users who need to create and manage projects themselves. --- platform/wab/src/wab/server/AppServer.ts | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/platform/wab/src/wab/server/AppServer.ts b/platform/wab/src/wab/server/AppServer.ts index ba0125184..2b7442b89 100644 --- a/platform/wab/src/wab/server/AppServer.ts +++ b/platform/wab/src/wab/server/AppServer.ts @@ -1566,18 +1566,16 @@ export function addMainAppServerRoutes( safeCast(authRoutes.teamApiUserAuth), withNext(listProjects) ); - app.post("/api/v1/projects", cmCors, adminOnly, withNext(createProject)); + app.post("/api/v1/projects", cmCors, withNext(createProject)); app.post( "/api/v1/projects/create-project-with-hostless-packages", - adminOnly, withNext(createProjectWithHostlessPackages) ); - app.post("/api/v1/projects/:projectId/clone", cmCors, adminOnly, createWriteRateLimiter(), withNext(cloneProject)); + app.post("/api/v1/projects/:projectId/clone", cmCors, createWriteRateLimiter(), withNext(cloneProject)); app.post( "/api/v1/templates/:projectId/clone", cmCors, safeCast(authRoutes.teamApiUserAuth), - adminOnly, withNext(clonePublishedTemplate) ); // Import includes capabilities to keep the project id, allow data source op issuing,