TSK-1144 Fix tx security (#2971)

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
2025-01-23 20:13:20 +00:00 · 2023-04-13 13:30:03 +06:00 · 2023-04-13 13:30:03 +06:00 · 2467b82d78
commit 2467b82d78
parent ec2e505e28
2 changed files with 38 additions and 9 deletions
--- a/server/middleware/src/private.ts
+++ b/server/middleware/src/private.ts
@ -16,6 +16,7 @@
 import core, {
  AttachedDoc,
  Class,
+  DOMAIN_TX,
  Doc,
  DocumentQuery,
  FindOptions,
@ -71,7 +72,8 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
    options?: FindOptions<T>
  ): Promise<FindResult<T>> {
    let newQuery = query
-    const domain = this.storage.hierarchy.getDomain(_class)
+    const hierarchy = this.storage.hierarchy
+    const domain = hierarchy.getDomain(_class)
    if (this.targetDomains.includes(domain)) {
      const account = await getUser(this.storage, ctx)
      if (account._id !== core.account.System) {
@ -82,6 +84,23 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
      }
    }
    const findResult = await this.provideFindAll(ctx, _class, newQuery, options)
+    if (domain === DOMAIN_TX) {
+      const account = await getUser(this.storage, ctx)
+      if (account._id !== core.account.System) {
+        const targetClasses = new Set(
+          hierarchy.getDescendants(core.class.Doc).filter((p) => {
+            const domain = hierarchy.findDomain(p)
+            return domain != null && this.targetDomains.includes(domain)
+          })
+        )
+        ;(findResult as FindResult<Doc> as FindResult<Tx>).filter(
+          (p) =>
+            !hierarchy.isDerived(p._class, core.class.TxCUD) ||
+            !targetClasses.has((p as TxCUD<Doc>).objectClass) ||
+            p.modifiedBy === account._id
+        )
+      }
+    }
    if (options?.lookup !== undefined) {
      for (const object of findResult) {
        if (object.$lookup !== undefined) {
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@ -238,16 +238,26 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
      if (isSpace) {
        await this.handleTx(ctx, cudTx as TxCUD<Space>)
      }
-      const space = this.privateSpaces[tx.objectSpace]
-      if (space !== undefined) {
-        const account = await getUser(this.storage, ctx)
-        if (!isOwner(account)) {
-          const allowed = this.allowedSpaces[account._id]
-          if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
-            throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+      const account = await getUser(this.storage, ctx)
+      if (tx.objectSpace === (account._id as string)) {
+        targets = [account.email]
+      } else {
+        const space = this.privateSpaces[tx.objectSpace]
+        if (space !== undefined) {
+          targets = await this.getTargets(space.members)
+          if (!isOwner(account)) {
+            const allowed = this.allowedSpaces[account._id]
+            if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
+              throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+            }
+          } else {
+            if (targets === undefined) {
+              targets = [account.email]
+            } else if (!targets.includes(account.email)) {
+              targets.push(account.email)
+            }
          }
        }
-        targets = await this.getTargets(this.privateSpaces[tx.objectSpace]?.members)
      }
    }