wieerwill/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2025-01-24 20:40:59 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Fix space security (#5557)

Browse Source 
Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
This commit is contained in:
Denis Bykhov 2024-05-09 13:02:04 +05:00 committed by GitHub
parent b4aceb7af3
commit 361f63c9dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/middleware/src/spaceSecurity.ts
View File

@ -331,7 +331,7 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
if (!isOwner(account, ctx)) {
const cudTx = tx as TxCUD<Doc>
const isSpace = h.isDerived(cudTx.objectClass, core.class.Space)
const allowed = this.allowedSpaces[account._id]
const allowed = this.getAllAllowedSpaces(account, !isSpace)
if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
}
@ -543,7 +543,7 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
async isUnavailable (ctx: SessionContext, space: Ref<Space>): Promise<boolean> {
const account = await getUser(this.storage, ctx)
if (isSystem(account)) return false
return !this.allowedSpaces[account._id]?.includes(space)
return !this.getAllAllowedSpaces(account, true).includes(space)
}
async filterLookup<T extends Doc>(ctx: SessionContext, lookup: LookupData<T>): Promise<void> {