From 3d7a02f316cbaff7c0caba0c35f45a7a51c9c44e Mon Sep 17 00:00:00 2001 From: Denis Bykhov Date: Wed, 5 Apr 2023 15:40:10 +0600 Subject: [PATCH] Space security respect tx (#2895) Signed-off-by: Denis Bykhov --- server/middleware/src/spaceSecurity.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts index 6079e3e4db..5473bd025b 100644 --- a/server/middleware/src/spaceSecurity.ts +++ b/server/middleware/src/spaceSecurity.ts @@ -285,6 +285,10 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar return query } + private getKey(_class: Ref>): string { + return this.storage.hierarchy.isDerived(_class, core.class.Tx) ? 'objectSpace' : 'space' + } + override async findAll( ctx: SessionContext, _class: Ref>, @@ -293,12 +297,13 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar ): Promise> { const newQuery = query const account = await getUser(this.storage, ctx) + const field = this.getKey(_class) if (!isOwner(account)) { - if (query.space !== undefined) { - newQuery.space = await this.mergeQuery(account, query.space) + if (query[field] !== undefined) { + ;(newQuery as any)[field] = await this.mergeQuery(account, query[field]) } else { const spaces = await this.getAllAllowedSpaces(account) - newQuery.space = { $in: spaces } + ;(newQuery as any)[field] = { $in: spaces } } } const findResult = await this.provideFindAll(ctx, _class, newQuery, options)