A bunch of server actions atm are not secured at all. While easy to forget, these things are basically API endpoints, and atm for a lot of actions just about anyone can access them.
Requirements
Add authentication checks to all server actions
Move exports of non-client called functions out of files with "use server"
Add authorization checks to relevant server actions
Sends authorization error with generic "You are not authorized to perform this action." message
Motivation
A bunch of server actions atm are not secured at all. While easy to forget, these things are basically API endpoints, and atm for a lot of actions just about anyone can access them.
Requirements
"use server"Acceptance Criteria
Missing authentication & Authorization checks
[ ] All the actions for the formbuilder: https://github.com/pubpub/platform/blob/605cb02e1bb2cdb12ce13fbd6991797dd8e9c78e/core/app/components/FormBuilder/actions.ts#L15-L16
[ ] All
fieldsserver actions https://github.com/pubpub/platform/blob/bd08a370f26b47b434ac5cc3fe7adb815b9d68e0/core/app/c/%5BcommunitySlug%5D/fields/actions.ts#L1-L73[ ] The
moveandassignactions https://github.com/pubpub/platform/blob/e8baa1b18ce0777f3831e5659297701c91f67ab5/core/app/c/%5BcommunitySlug%5D/stages/components/lib/actions.ts#L1-L50[ ] All the
stages/manageactions https://github.com/pubpub/platform/blob/e8baa1b18ce0777f3831e5659297701c91f67ab5/core/app/c/%5BcommunitySlug%5D/stages/manage/actions.ts#L1-L296[ ] All the
typesactions https://github.com/pubpub/platform/blob/180712d166b9dd231fe6ef5958fd30701690dfa7/core/app/c/%5BcommunitySlug%5D/types/actions.ts#L1-L78[ ] The
_updatePubfunction should be moved tolib/server/pub.ts. Currently it's exported and therefore a server action https://github.com/pubpub/platform/blob/b9914b22cc7eeb55f9986cafaf6bf9f42789b4ac/core/app/components/pubs/PubEditor/actions.ts#L46-L56Missing authorization checks (in addition to the above)
(can't find that very quickly, should probably be rethought anyway once we have our new permissions model in place)