From 976e058328eb4599ded3d1a40afa873680e7f520 Mon Sep 17 00:00:00 2001
From: Andrey Kud <a-kud@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:24:16 -0500
Subject: [PATCH] fix: avoid create custom entities with the same name (#2791)

* fix: avoid create custom entities with the same name

* fix: use exact spelling

* fix: validate input as is
---
 .../hooks/before-create-one-object.hook.ts       | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/server/src/metadata/object-metadata/hooks/before-create-one-object.hook.ts b/server/src/metadata/object-metadata/hooks/before-create-one-object.hook.ts
index bd51df233..b8ce7b638 100644
--- a/server/src/metadata/object-metadata/hooks/before-create-one-object.hook.ts
+++ b/server/src/metadata/object-metadata/hooks/before-create-one-object.hook.ts
@@ -1,4 +1,8 @@
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import {
+  ForbiddenException,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
 
 import {
   BeforeCreateOneHook,
@@ -7,6 +11,8 @@ import {
 
 import { CreateObjectInput } from 'src/metadata/object-metadata/dtos/create-object.input';
 
+const coreObjectNames = ['featureFlag', 'refreshToken', 'workspace', 'user'];
+
 @Injectable()
 export class BeforeCreateOneObject<T extends CreateObjectInput>
   implements BeforeCreateOneHook<T, any>
@@ -21,6 +27,14 @@ export class BeforeCreateOneObject<T extends CreateObjectInput>
       throw new UnauthorizedException();
     }
 
+    if (
+      coreObjectNames.includes(instance.input.nameSingular) ||
+      coreObjectNames.includes(instance.input.namePlural)
+    ) {
+      throw new ForbiddenException(
+        'You cannot create an object with this name.',
+      );
+    }
     instance.input.workspaceId = workspaceId;
     return instance;
   }