From 3d7a02f316cbaff7c0caba0c35f45a7a51c9c44e Mon Sep 17 00:00:00 2001
From: Denis Bykhov <bykhov.denis@gmail.com>
Date: Wed, 5 Apr 2023 15:40:10 +0600
Subject: [PATCH] Space security respect tx (#2895)

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
---
 server/middleware/src/spaceSecurity.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index 6079e3e4db..5473bd025b 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -285,6 +285,10 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
     return query
   }
 
+  private getKey<T extends Doc>(_class: Ref<Class<T>>): string {
+    return this.storage.hierarchy.isDerived(_class, core.class.Tx) ? 'objectSpace' : 'space'
+  }
+
   override async findAll<T extends Doc>(
     ctx: SessionContext,
     _class: Ref<Class<T>>,
@@ -293,12 +297,13 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
   ): Promise<FindResult<T>> {
     const newQuery = query
     const account = await getUser(this.storage, ctx)
+    const field = this.getKey(_class)
     if (!isOwner(account)) {
-      if (query.space !== undefined) {
-        newQuery.space = await this.mergeQuery(account, query.space)
+      if (query[field] !== undefined) {
+        ;(newQuery as any)[field] = await this.mergeQuery(account, query[field])
       } else {
         const spaces = await this.getAllAllowedSpaces(account)
-        newQuery.space = { $in: spaces }
+        ;(newQuery as any)[field] = { $in: spaces }
       }
     }
     const findResult = await this.provideFindAll(ctx, _class, newQuery, options)