From 361f63c9dd0ec2c4c95b5f1adc681383749358d4 Mon Sep 17 00:00:00 2001
From: Denis Bykhov <bykhov.denis@gmail.com>
Date: Thu, 9 May 2024 13:02:04 +0500
Subject: [PATCH] Fix space security (#5557)

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
---
 server/middleware/src/spaceSecurity.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index fb5d9c1a84..5d73b892dd 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -331,7 +331,7 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
           if (!isOwner(account, ctx)) {
             const cudTx = tx as TxCUD<Doc>
             const isSpace = h.isDerived(cudTx.objectClass, core.class.Space)
-            const allowed = this.allowedSpaces[account._id]
+            const allowed = this.getAllAllowedSpaces(account, !isSpace)
             if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
               throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
             }
@@ -543,7 +543,7 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
   async isUnavailable (ctx: SessionContext, space: Ref<Space>): Promise<boolean> {
     const account = await getUser(this.storage, ctx)
     if (isSystem(account)) return false
-    return !this.allowedSpaces[account._id]?.includes(space)
+    return !this.getAllAllowedSpaces(account, true).includes(space)
   }
 
   async filterLookup<T extends Doc>(ctx: SessionContext, lookup: LookupData<T>): Promise<void> {