fix: download audit log certificate (#1268)

Previously, it wasn't possible to download an audit log of a document uploaded by another user because the function used the ID of the user making the request to retrieve the document. However, the document uploaded by another user has that user's ID, not the ID of the user making the request.
2025-11-10 04:22:32 +10:00 · 2024-08-09 04:19:48 +02:00
parent e5f73452b3
commit 0244f021ab
4 changed files with 23 additions and 5 deletions
--- a/apps/web/src/app/(dashboard)/documents/[id]/logs/document-logs-page-view.tsx
+++ b/apps/web/src/app/(dashboard)/documents/[id]/logs/document-logs-page-view.tsx
@ -139,7 +139,7 @@ export const DocumentLogsPageView = async ({ params, team }: DocumentLogsPageVie
            documentStatus={document.status}
          />

-          <DownloadAuditLogButton documentId={document.id} />
+          <DownloadAuditLogButton teamId={team?.id} documentId={document.id} />
        </div>
      </div>

--- a/apps/web/src/app/(dashboard)/documents/[id]/logs/download-audit-log-button.tsx
+++ b/apps/web/src/app/(dashboard)/documents/[id]/logs/download-audit-log-button.tsx
@ -9,10 +9,15 @@ import { useToast } from '@documenso/ui/primitives/use-toast';

 export type DownloadAuditLogButtonProps = {
  className?: string;
+  teamId?: number;
  documentId: number;
 };

-export const DownloadAuditLogButton = ({ className, documentId }: DownloadAuditLogButtonProps) => {
+export const DownloadAuditLogButton = ({
+  className,
+  teamId,
+  documentId,
+}: DownloadAuditLogButtonProps) => {
  const { toast } = useToast();

  const { mutateAsync: downloadAuditLogs, isLoading } =
@ -20,7 +25,7 @@ export const DownloadAuditLogButton = ({ className, documentId }: DownloadAuditL

  const onDownloadAuditLogsClick = async () => {
    try {
-      const { url } = await downloadAuditLogs({ documentId });
+      const { url } = await downloadAuditLogs({ teamId, documentId });

      const iframe = Object.assign(document.createElement('iframe'), {
        src: url,
--- a/packages/trpc/server/document-router/router.ts
+++ b/packages/trpc/server/document-router/router.ts
@ -29,6 +29,7 @@ import {
  ZCreateDocumentMutationSchema,
  ZDeleteDraftDocumentMutationSchema as ZDeleteDocumentMutationSchema,
  ZDownloadAuditLogsMutationSchema,
+  ZDownloadCertificateMutationSchema,
  ZFindDocumentAuditLogsQuerySchema,
  ZGetDocumentByIdQuerySchema,
  ZGetDocumentByTokenQuerySchema,
@ -411,7 +412,14 @@ export const documentRouter = router({
          id: documentId,
          userId: ctx.user.id,
          teamId,
+        }).catch(() => null);
+
+        if (!document || document.teamId !== teamId) {
+          throw new TRPCError({
+            code: 'FORBIDDEN',
+            message: 'You do not have access to this document.',
          });
+        }

        const encrypted = encryptSecondaryData({
          data: document.id.toString(),
@ -433,7 +441,7 @@ export const documentRouter = router({
    }),

  downloadCertificate: authenticatedProcedure
-    .input(ZDownloadAuditLogsMutationSchema)
+    .input(ZDownloadCertificateMutationSchema)
    .mutation(async ({ input, ctx }) => {
      try {
        const { documentId, teamId } = input;
--- a/packages/trpc/server/document-router/schema.ts
+++ b/packages/trpc/server/document-router/schema.ts
@ -172,6 +172,11 @@ export const ZDownloadAuditLogsMutationSchema = z.object({
  teamId: z.number().optional(),
 });

+export const ZDownloadCertificateMutationSchema = z.object({
+  documentId: z.number(),
+  teamId: z.number().optional(),
+});
+
 export const ZMoveDocumentsToTeamSchema = z.object({
  documentId: z.number(),
  teamId: z.number(),