diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts index 25e3af9288..04e447e047 100644 --- a/server/middleware/src/spaceSecurity.ts +++ b/server/middleware/src/spaceSecurity.ts @@ -503,6 +503,14 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar const isSpace = this.context.hierarchy.isDerived(_class, core.class.Space) const field = this.getKey(domain) + if ( + ctx.contextData.admin === true && + this.context.hierarchy.isDerived(_class, core.class.Space) && + (newQuery as DocumentQuery).members !== undefined + ) { + delete (newQuery as any).members + } + let clientFilterSpaces: Set> | undefined if (!this.skipFindCheck && !isSystem(account) && account.role !== AccountRole.DocGuest && domain !== DOMAIN_MODEL) { @@ -558,6 +566,12 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar } } } + if (ctx.contextData.admin === true && this.context.hierarchy.isDerived(_class, core.class.Space)) { + // We need to add amin to all spaces. + for (const d of findResult) { + ;(d as unknown as Space).members = [...((d as unknown as Space).members ?? []), ctx.contextData.account._id] + } + } return findResult } diff --git a/server/middleware/src/utils.ts b/server/middleware/src/utils.ts index aa46cea6e0..95e188f5de 100644 --- a/server/middleware/src/utils.ts +++ b/server/middleware/src/utils.ts @@ -20,5 +20,5 @@ export function isOwner (account: Account, ctx: MeasureContext): bo } export function isSystem (account: Account): boolean { - return account._id === core.account.System + return account._id === core.account.System || account._id.startsWith('system:') } diff --git a/server/server/src/client.ts b/server/server/src/client.ts index 3c6de5cf21..ad02db2401 100644 --- a/server/server/src/client.ts +++ b/server/server/src/client.ts @@ -108,34 +108,37 @@ export class ClientSession implements Session { async getAccount (ctx: ClientSessionCtx): Promise { const account = this._pipeline.context.modelDb.getAccountByEmail(this.token.email) if (account === undefined && this.token.extra?.admin === 'true') { - const systemAccount = this._pipeline.context.modelDb.findObject(this.token.email as Ref) - if (systemAccount === undefined) { - // Generate account for admin user - const factory = new TxFactory(core.account.System) - const email = `system:${this.token.email}` - const createTx = factory.createTxCreateDoc( - core.class.Account, - core.space.Model, - { - role: AccountRole.Owner, - email - }, - this.token.email as Ref - ) - this.includeSessionContext(ctx.ctx) - await this._pipeline.tx(ctx.ctx, [createTx]) - const acc = TxProcessor.createDoc2Doc(createTx) - await ctx.sendResponse(acc) - return - } else { - await ctx.sendResponse(systemAccount) - return - } + await ctx.sendResponse(this.getSystemAccount()) + return } await ctx.sendResponse(account) } + private getSystemAccount (): Account { + // Generate account for admin user + const factory = new TxFactory(core.account.System) + const email = `system:${this.token.email}` + const createTx = factory.createTxCreateDoc( + core.class.Account, + core.space.Model, + { + role: AccountRole.Owner, + email + }, + email as Ref + ) + return TxProcessor.createDoc2Doc(createTx) + } + includeSessionContext (ctx: MeasureContext): void { + let account: Account | undefined + if (this.token.extra?.admin === 'true') { + account = this._pipeline.context.modelDb.getAccountByEmail(this.token.email) + if (account === undefined) { + account = this.getSystemAccount() + } + } + const contextData = new SessionDataImpl( this.token.email, this.sessionId, @@ -149,7 +152,8 @@ export class ClientSession implements Session { false, new Map(), new Map(), - this._pipeline.context.modelDb + this._pipeline.context.modelDb, + account ) ctx.contextData = contextData }