wieerwill/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2025-06-07 00:09:34 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Space security respect tx (#2895)

Browse Source 
Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
This commit is contained in:
Denis Bykhov 2023-04-05 15:40:10 +06:00 committed by GitHub
parent a212a850ed
commit 3d7a02f316
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
server/middleware/src/spaceSecurity.ts
View File

@ -285,6 +285,10 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
return query return query
} }
private getKey<T extends Doc>(_class: Ref<Class<T>>): string {
return this.storage.hierarchy.isDerived(_class, core.class.Tx) ? 'objectSpace' : 'space'
}
override async findAll<T extends Doc>( override async findAll<T extends Doc>(
ctx: SessionContext, ctx: SessionContext,
_class: Ref<Class<T>>, _class: Ref<Class<T>>,
@ -293,12 +297,13 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
): Promise<FindResult<T>> { ): Promise<FindResult<T>> {
const newQuery = query const newQuery = query
const account = await getUser(this.storage, ctx) const account = await getUser(this.storage, ctx)
const field = this.getKey(_class)
if (!isOwner(account)) { if (!isOwner(account)) {
if (query.space !== undefined) { if (query[field] !== undefined) {
newQuery.space = await this.mergeQuery(account, query.space) ;(newQuery as any)[field] = await this.mergeQuery(account, query[field])
} else { } else {
const spaces = await this.getAllAllowedSpaces(account) const spaces = await this.getAllAllowedSpaces(account)
newQuery.space = { $in: spaces } ;(newQuery as any)[field] = { $in: spaces }
} }
} }
const findResult = await this.provideFindAll(ctx, _class, newQuery, options) const findResult = await this.provideFindAll(ctx, _class, newQuery, options)