wieerwill/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2025-06-08 00:37:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

TSK-1144 Fix tx security (#2971)

Browse Source 
Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
This commit is contained in:
Denis Bykhov 2023-04-13 13:30:03 +06:00 committed by GitHub
parent ec2e505e28
commit 2467b82d78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
server/middleware/src/private.ts
View File

@ -16,6 +16,7 @@
import core, { import core, {
AttachedDoc, AttachedDoc,
Class, Class,
DOMAIN_TX,
Doc, Doc,
DocumentQuery, DocumentQuery,
FindOptions, FindOptions,
@ -71,7 +72,8 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
options?: FindOptions<T> options?: FindOptions<T>
): Promise<FindResult<T>> { ): Promise<FindResult<T>> {
let newQuery = query let newQuery = query
const domain = this.storage.hierarchy.getDomain(_class) const hierarchy = this.storage.hierarchy
const domain = hierarchy.getDomain(_class)
if (this.targetDomains.includes(domain)) { if (this.targetDomains.includes(domain)) {
const account = await getUser(this.storage, ctx) const account = await getUser(this.storage, ctx)
if (account._id !== core.account.System) { if (account._id !== core.account.System) {
@ -82,6 +84,23 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
} }
} }
const findResult = await this.provideFindAll(ctx, _class, newQuery, options) const findResult = await this.provideFindAll(ctx, _class, newQuery, options)
if (domain === DOMAIN_TX) {
const account = await getUser(this.storage, ctx)
if (account._id !== core.account.System) {
const targetClasses = new Set(
hierarchy.getDescendants(core.class.Doc).filter((p) => {
const domain = hierarchy.findDomain(p)
return domain != null && this.targetDomains.includes(domain)
})
)
;(findResult as FindResult<Doc> as FindResult<Tx>).filter(
(p) =>
!hierarchy.isDerived(p._class, core.class.TxCUD) ||
!targetClasses.has((p as TxCUD<Doc>).objectClass) ||
p.modifiedBy === account._id
)
}
}
if (options?.lookup !== undefined) { if (options?.lookup !== undefined) {
for (const object of findResult) { for (const object of findResult) {
if (object.$lookup !== undefined) { if (object.$lookup !== undefined) {

26
server/middleware/src/spaceSecurity.ts
View File

@ -238,16 +238,26 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
if (isSpace) { if (isSpace) {
await this.handleTx(ctx, cudTx as TxCUD<Space>) await this.handleTx(ctx, cudTx as TxCUD<Space>)
} }
const space = this.privateSpaces[tx.objectSpace] const account = await getUser(this.storage, ctx)
if (space !== undefined) { if (tx.objectSpace === (account._id as string)) {
const account = await getUser(this.storage, ctx) targets = [account.email]
if (!isOwner(account)) { } else {
const allowed = this.allowedSpaces[account._id] const space = this.privateSpaces[tx.objectSpace]
if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) { if (space !== undefined) {
throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {})) targets = await this.getTargets(space.members)
if (!isOwner(account)) {
const allowed = this.allowedSpaces[account._id]
if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
}
} else {
if (targets === undefined) {
targets = [account.email]
} else if (!targets.includes(account.email)) {
targets.push(account.email)
}
} }
} }
targets = await this.getTargets(this.privateSpaces[tx.objectSpace]?.members)
} }
} }