fix: Restrict updating/deleting of shared but not owned credentials (#7950)

## Summary

Fix shared members being able to edit and delete credentials they don't
own

#### How to test the change:
1. ...


## Issues fixed
Include links to Github issue or Community forum post or **Linear
ticket**:
> Important in order to close automatically and provide context to
reviewers

...


## Review / Merge checklist
- [x] PR title and summary are descriptive. **Remember, the title
automatically goes into the changelog. Use `(no-changelog)` otherwise.**
([conventions](https://github.com/n8n-io/n8n/blob/master/.github/pull_request_title_conventions.md))
- [ ] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up
ticket created.
- [x] Tests included.
> A bug is not considered fixed, unless a test is added to prevent it
from happening again. A feature is not complete without tests.
  >
> *(internal)* You can use Slack commands to trigger [e2e
tests](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#a39f9e5ba64a48b58a71d81c837e8227)
or [deploy test
instance](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#f6a177d32bde4b57ae2da0b8e454bfce)
or [deploy early access version on
Cloud](https://www.notion.so/n8n/Cloudbot-3dbe779836004972b7057bc989526998?pvs=4#fef2d36ab02247e1a0f65a74f6fb534e).

packages/cli/src/credentials/credentials.controller.ts

@@ -15,6 +15,7 @@ import { InternalHooks } from '@/InternalHooks';
 import { listQueryMiddleware } from '@/middlewares';
 import { Logger } from '@/Logger';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
+import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
 
 export const credentialsController = express.Router();
 credentialsController.use('/', EECredentialsController);
@@ -142,10 +143,15 @@ credentialsController.patch(
 	ResponseHelper.send(async (req: CredentialRequest.Update): Promise<ICredentialsDb> => {
 		const { id: credentialId } = req.params;
 
-		const sharing = await CredentialsService.getSharing(req.user, credentialId, {
-			allowGlobalScope: true,
-			globalScope: 'credential:update',
-		});
+		const sharing = await CredentialsService.getSharing(
+			req.user,
+			credentialId,
+			{
+				allowGlobalScope: true,
+				globalScope: 'credential:update',
+			},
+			['credentials', 'role'],
+		);
 
 		if (!sharing) {
 			Container.get(Logger).info(
@@ -160,6 +166,17 @@ credentialsController.patch(
 			);
 		}
 
+		if (sharing.role.name !== 'owner' && !(await req.user.hasGlobalScope('credential:update'))) {
+			Container.get(Logger).info(
+				'Attempt to update credential blocked due to lack of permissions',
+				{
+					credentialId,
+					userId: req.user.id,
+				},
+			);
+			throw new UnauthorizedError('You can only update credentials owned by you');
+		}
+
 		const { credentials: credential } = sharing;
 
 		const decryptedData = CredentialsService.decrypt(credential);
@@ -195,10 +212,15 @@ credentialsController.delete(
 	ResponseHelper.send(async (req: CredentialRequest.Delete) => {
 		const { id: credentialId } = req.params;
 
-		const sharing = await CredentialsService.getSharing(req.user, credentialId, {
-			allowGlobalScope: true,
-			globalScope: 'credential:delete',
-		});
+		const sharing = await CredentialsService.getSharing(
+			req.user,
+			credentialId,
+			{
+				allowGlobalScope: true,
+				globalScope: 'credential:delete',
+			},
+			['credentials', 'role'],
+		);
 
 		if (!sharing) {
 			Container.get(Logger).info(
@@ -213,6 +235,17 @@ credentialsController.delete(
 			);
 		}
 
+		if (sharing.role.name !== 'owner' && !(await req.user.hasGlobalScope('credential:delete'))) {
+			Container.get(Logger).info(
+				'Attempt to delete credential blocked due to lack of permissions',
+				{
+					credentialId,
+					userId: req.user.id,
+				},
+			);
+			throw new UnauthorizedError('You can only remove credentials owned by you');
+		}
+
 		const { credentials: credential } = sharing;
 
 		await CredentialsService.delete(credential);