feat: add permission check when updating workspace

Signed-off-by: tygao <tygao@amazon.com>

src/core/server/workspaces/saved_objects/workspace_saved_objects_client_wrapper.ts

@@ -19,6 +19,11 @@ import {
   SavedObjectsDeleteOptions,
   SavedObjectsFindOptions,
   SavedObjectsShareObjects,
+  SavedObjectsUpdateOptions,
+  SavedObjectsUpdateResponse,
+  SavedObjectsBulkUpdateObject,
+  SavedObjectsBulkUpdateResponse,
+  SavedObjectsBulkUpdateOptions,
 } from 'opensearch-dashboards/server';
 import { SavedObjectsPermissionControlContract } from '../../saved_objects/permission_control/client';
 import { WORKSPACE_TYPE } from '../constants';
@@ -60,6 +65,28 @@ export class WorkspaceSavedObjectsClientWrapper {
 
     return [permission];
   }
+  private async validateSingleWorkspacePermissions(
+    workspaceId: string | undefined,
+    request: OpenSearchDashboardsRequest,
+    permissionMode: PermissionMode | PermissionMode[]
+  ) {
+    if (!workspaceId) {
+      return;
+    }
+    if (
+      !(await this.permissionControl.validate(
+        request,
+        {
+          type: WORKSPACE_TYPE,
+          id: workspaceId,
+        },
+        this.formatPermissionModeToStringArray(permissionMode)
+      ))
+    ) {
+      throw generateWorkspacePermissionError();
+    }
+  }
+
   private async validateMultiWorkspacesPermissions(
     workspaces: string[] | undefined,
     request: OpenSearchDashboardsRequest,
@@ -129,6 +156,13 @@ export class WorkspaceSavedObjectsClientWrapper {
       id: string,
       options: SavedObjectsDeleteOptions = {}
     ) => {
+      if (this.isRelatedToWorkspace(type)) {
+        await this.validateSingleWorkspacePermissions(id, wrapperOptions.request, [
+          PermissionMode.LibraryWrite,
+          PermissionMode.Management,
+        ]);
+      }
+
       const objectToDeleted = await wrapperOptions.client.get(type, id, options);
       await this.validateMultiWorkspacesPermissions(
         objectToDeleted.workspaces,
@@ -138,6 +172,37 @@ export class WorkspaceSavedObjectsClientWrapper {
       return await wrapperOptions.client.delete(type, id, options);
     };
 
+    const updateWithWorkspacePermissionControl = async <T = unknown>(
+      type: string,
+      id: string,
+      attributes: Partial<T>,
+      options: SavedObjectsUpdateOptions = {}
+    ): Promise<SavedObjectsUpdateResponse<T>> => {
+      if (this.isRelatedToWorkspace(type)) {
+        await this.validateSingleWorkspacePermissions(id, wrapperOptions.request, [
+          PermissionMode.LibraryWrite,
+          PermissionMode.Management,
+        ]);
+      }
+      return await wrapperOptions.client.update(type, id, attributes, options);
+    };
+
+    const bulkUpdateWithWorkspacePermissionControl = async <T = unknown>(
+      objects: Array<SavedObjectsBulkUpdateObject<T>>,
+      options?: SavedObjectsBulkUpdateOptions
+    ): Promise<SavedObjectsBulkUpdateResponse<T>> => {
+      for (const object of objects) {
+        if (this.isRelatedToWorkspace(object.type)) {
+          await this.validateSingleWorkspacePermissions(object.id, wrapperOptions.request, [
+            PermissionMode.LibraryWrite,
+            PermissionMode.Management,
+          ]);
+        }
+      }
+
+      return await wrapperOptions.client.bulkUpdate(objects, options);
+    };
+
     const bulkCreateWithWorkspacePermissionControl = async <T = unknown>(
       objects: Array<SavedObjectsBulkCreateObject<T>>,
       options: SavedObjectsCreateOptions = {}
@@ -279,8 +344,8 @@ export class WorkspaceSavedObjectsClientWrapper {
       create: createWithWorkspacePermissionControl,
       bulkCreate: bulkCreateWithWorkspacePermissionControl,
       delete: deleteWithWorkspacePermissionControl,
-      update: wrapperOptions.client.update,
-      bulkUpdate: wrapperOptions.client.bulkUpdate,
+      update: updateWithWorkspacePermissionControl,
+      bulkUpdate: bulkUpdateWithWorkspacePermissionControl,
       addToWorkspaces: addToWorkspacesWithPermissionControl,
     };
   };