Fix(auth): Forbid index creation on alternates routes

Forbid index creation on alternates routes when the action `index.create` is not given fix #2024
2025-07-03 11:57:07 +02:00 · 2021-12-15 14:52:33 +01:00 · 2021-12-15 14:52:33 +01:00 · a845cd8880
commit a845cd8880
parent 845d3114ea
11 changed files with 213 additions and 23 deletions
--- a/meilisearch-lib/src/index_controller/dump_actor/compat/v3.rs
+++ b/meilisearch-lib/src/index_controller/dump_actor/compat/v3.rs
@ -74,11 +74,13 @@ impl From<Update> for TaskContent {
                primary_key,
                // document count is unknown for legacy updates
                documents_count: 0,
+                allow_index_creation: true,
            },
            Update::Settings(settings) => TaskContent::SettingsUpdate {
                settings,
                // There is no way to know now, so we assume it isn't
                is_deletion: false,
+                allow_index_creation: true,
            },
            Update::ClearDocuments => TaskContent::DocumentDeletion(DocumentDeletion::Clear),
        }
--- a/meilisearch-lib/src/index_controller/mod.rs
+++ b/meilisearch-lib/src/index_controller/mod.rs
@ -119,6 +119,7 @@ pub enum Update {
        settings: Settings<Unchecked>,
        /// Indicates whether the update was a deletion
        is_deletion: bool,
+        allow_index_creation: bool,
    },
    DocumentAddition {
        #[derivative(Debug = "ignore")]
@ -126,6 +127,7 @@ pub enum Update {
        primary_key: Option<String>,
        method: IndexDocumentsMethod,
        format: DocumentAdditionFormat,
+        allow_index_creation: bool,
    },
    DeleteIndex,
    CreateIndex {
@ -340,15 +342,18 @@ where
            Update::Settings {
                settings,
                is_deletion,
+                allow_index_creation,
            } => TaskContent::SettingsUpdate {
                settings,
                is_deletion,
+                allow_index_creation,
            },
            Update::DocumentAddition {
                mut payload,
                primary_key,
                format,
                method,
+                allow_index_creation,
            } => {
                let mut buffer = Vec::new();
                while let Some(bytes) = payload.next().await {
@ -380,6 +385,7 @@ where
                    merge_strategy: method,
                    primary_key,
                    documents_count,
+                    allow_index_creation,
                }
            }
            Update::DeleteIndex => TaskContent::IndexDeletion,
--- a/meilisearch-lib/src/index_resolver/mod.rs
+++ b/meilisearch-lib/src/index_resolver/mod.rs
@ -188,13 +188,18 @@ where
                content_uuid,
                merge_strategy,
                primary_key,
+                allow_index_creation,
                ..
            } => {
                let primary_key = primary_key.clone();
                let content_uuid = *content_uuid;
                let method = *merge_strategy;

-                let index = self.get_or_create_index(index_uid, task.id).await?;
+                let index = if *allow_index_creation {
+                    self.get_or_create_index(index_uid, task.id).await?
+                } else {
+                    self.get_index(index_uid.into_inner()).await?
+                };
                let file_store = self.file_store.clone();
                let result = spawn_blocking(move || {
                    index.update_documents(method, content_uuid, primary_key, file_store)
@ -227,8 +232,9 @@ where
            TaskContent::SettingsUpdate {
                settings,
                is_deletion,
+                allow_index_creation,
            } => {
-                let index = if *is_deletion {
+                let index = if *is_deletion || !*allow_index_creation {
                    self.get_index(index_uid.into_inner()).await?
                } else {
                    self.get_or_create_index(index_uid, task.id).await?
@ -503,8 +509,8 @@ mod test {

                match &task.content {
                    // an unexisting index should trigger an index creation in the folllowing cases:
-                    TaskContent::DocumentAddition { .. }
-                    | TaskContent::SettingsUpdate { is_deletion: false, .. }
+                    TaskContent::DocumentAddition { allow_index_creation: true, .. }
+                    | TaskContent::SettingsUpdate { allow_index_creation: true, is_deletion: false, .. }
                    | TaskContent::IndexCreation { .. } if !index_exists => {
                        index_store
                            .expect_create()
@ -566,6 +572,8 @@ mod test {
                    || (!index_exists && matches!(task.content, TaskContent::IndexDeletion
                                                                | TaskContent::DocumentDeletion(_)
                                                                | TaskContent::SettingsUpdate { is_deletion: true, ..}
+                                                                | TaskContent::SettingsUpdate { allow_index_creation: false, ..}
+                                                                | TaskContent::DocumentAddition { allow_index_creation: false, ..}
                                                                | TaskContent::IndexUpdate { .. } ))
                {
                    assert!(result.is_err(), "{:?}", result);
--- a/meilisearch-lib/src/tasks/task.rs
+++ b/meilisearch-lib/src/tasks/task.rs
@ -134,12 +134,14 @@ pub enum TaskContent {
        merge_strategy: IndexDocumentsMethod,
        primary_key: Option<String>,
        documents_count: usize,
+        allow_index_creation: bool,
    },
    DocumentDeletion(DocumentDeletion),
    SettingsUpdate {
        settings: Settings<Unchecked>,
        /// Indicates whether the task was a deletion
        is_deletion: bool,
+        allow_index_creation: bool,
    },
    IndexDeletion,
    IndexCreation {