From 2e0ea5692533fbef449d26292596276544d97fbd Mon Sep 17 00:00:00 2001
From: Sam Machin
Date: Thu, 28 Aug 2025 13:46:42 +0100
Subject: [PATCH] Fix API for Carriers & SIP Gateways (#492)
* allow account api keys to get/post sip gateways
* require sp sid when creating carriers
* allow account level api keys to query carriers
* lookup and set the service_provider_sid on account create carrier
---
 lib/routes/api/accounts.js | 3 +++
 lib/routes/api/service-providers.js | 8 +++++++-
 lib/routes/api/sip-gateways.js | 3 +--
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/routes/api/accounts.js b/lib/routes/api/accounts.js
index c3863f1..4b90588 100644
--- a/lib/routes/api/accounts.js
+++ b/lib/routes/api/accounts.js
@@ -161,6 +161,9 @@ router.post('/:sid/VoipCarriers', async(req, res) => {
 try {
 const account_sid = parseAccountSid(req);
 await validateRequest(req, account_sid);
+ // Set the service_provder_sid to the relevent value for the account
+ const account = await Account.retrieve(req.user.account_sid);
+ payload.service_provider_sid = account[0].service_provider_sid;
 logger.debug({payload}, 'POST /:sid/VoipCarriers');
 const uuid = await VoipCarrier.make({
diff --git a/lib/routes/api/service-providers.js b/lib/routes/api/service-providers.js
index 1e1c295..3b90766 100644
--- a/lib/routes/api/service-providers.js
+++ b/lib/routes/api/service-providers.js
@@ -46,10 +46,16 @@ async function validateRetrieve(req) {
 return;
 }
- if (req.user.hasScope('service_provider') || req.user.hasScope('account')) {
+ if (req.user.hasScope('service_provider')) {
 if (service_provider_sid === req.user.service_provider_sid) return;
 }
+ if (req.user.hasScope('account')) {
+ const results = await Account.retrieve(req.user.account_sid);
+ if (service_provider_sid === results[0].service_provider_sid) return;
+ }
+
+
 throw new DbErrorForbidden('insufficient permissions');
 } catch (error) {
 throw error;
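Review bot: In the accounts.js hunk, `Account.retrieve(req.user.account_sid)` keys on the caller's token rather than the `account_sid` already parsed from the path and passed to `validateRequest`, and `account[0]` is dereferenced without checking that a row came back. If `validateRequest` (defined outside this hunk) also admits admin or service-provider callers, `req.user.account_sid` is presumably unset for them and the handler would throw a TypeError before reaching `VoipCarrier.make`. Consider `const [account] = await Account.retrieve(account_sid);` followed by `if (!account) throw new DbErrorBadRequest('invalid account_sid');`, assuming that error class is imported in this file, which the hunk does not show. The same unguarded `results[0]` appears in the service-providers.js hunk, where `if (results.length && service_provider_sid === results[0].service_provider_sid) return;` would keep a missing account on the existing DbErrorForbidden path. The route handler's body starts and continues outside the hunk.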
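Review bot: The new `hasScope('account')` branch in validateRetrieve (service-providers.js hunk) lets an account-level key pass on every route that uses this guard, while the commit message only names carrier queries; the callers are outside this hunk. The check proves only that the account belongs to the service provider, so each of those routes should still limit its result set to rows the account may see, and that is worth stating at the branch, e.g. `// account keys pass for their parent SP only; callers must still filter results by account_sid`. The two blank lines added before the `throw` could be one. The function's opening and closing lines are outside the hunk.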
diff --git a/lib/routes/api/sip-gateways.js b/lib/routes/api/sip-gateways.js
index 6371342..1246270 100644
--- a/lib/routes/api/sip-gateways.js
+++ b/lib/routes/api/sip-gateways.js
@@ -18,8 +18,7 @@ const checkUserScope = async(req, voip_carrier_sid) => {
 const carrier = await lookupCarrierBySid(voip_carrier_sid);
 if (!carrier) throw new DbErrorBadRequest('invalid voip_carrier_sid');
- if ((!carrier.service_provider_sid || carrier.service_provider_sid === req.user.service_provider_sid) &&
- (!carrier.account_sid || carrier.account_sid === req.user.account_sid)) {
+ if (!carrier.account_sid || carrier.account_sid === req.user.account_sid) {
 if (req.method !== 'GET' && !carrier.account_sid) {
 throw new DbErrorForbidden('insufficient privileges');
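Review bot: With the `service_provider_sid` comparison removed, the outer condition in checkUserScope is satisfied by any carrier whose `account_sid` is empty, whichever service provider owns it; the inner check only rejects non-GET methods, so a GET appears to pass without confirming the carrier belongs to the caller's service provider. The old comparison presumably could not work for account keys, but the replacement should still tie the carrier to the caller's tenant, using the same lookup this commit adds in service-providers.js. That would be `const [acct] = await Account.retrieve(req.user.account_sid);` and then `if (!carrier.account_sid && carrier.service_provider_sid && carrier.service_provider_sid !== acct?.service_provider_sid) throw new DbErrorForbidden('insufficient privileges');`, placed before the existing `if`. Whether `Account` is imported in sip-gateways.js, and how admin and service-provider callers are handled, is not visible because checkUserScope starts and ends outside the hunk.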