fix: assert perms for catalog routes

maxakuru · maxakuru · commit e0ab216e6b3e · 2025-02-20T16:27:08.000-08:00
diff --git a/src/routes/catalog/remove.js b/src/routes/catalog/remove.js
@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 
+import { assertAuthorization } from '../../utils/auth.js';
 import { errorResponse, errorWithResponse } from '../../utils/http.js';
 import StorageClient from './StorageClient.js';
 
@@ -30,6 +31,8 @@ export default async function remove(ctx) {
     throw errorWithResponse(400, 'Helix API key is required to delete or unpublish products.');
   }
 
+  await assertAuthorization(ctx);
+
   const storage = StorageClient.fromContext(ctx);
   const deleteResults = await storage.deleteProducts([sku]);
 
diff --git a/src/routes/catalog/update.js b/src/routes/catalog/update.js
@@ -13,6 +13,7 @@
 import { assertValidProduct, hasUppercase } from '../../utils/product.js';
 import { errorResponse } from '../../utils/http.js';
 import StorageClient from './StorageClient.js';
+import { assertAuthorization } from '../../utils/auth.js';
 
 /**
  * Handles a PUT request to update a product.
@@ -40,6 +41,8 @@ export default async function update(ctx) {
 
   assertValidProduct(product);
 
+  await assertAuthorization(ctx);
+
   const storage = StorageClient.fromContext(ctx);
   const saveResults = await storage.saveProducts([product]);
 
