hcengineering/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2025-01-03 17:05:16 +03:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

UBERF-7985: Fix private targets (#6439)

Browse Source 
Signed-off-by: Andrey Sobolev <haiodo@gmail.com>
This commit is contained in:
Andrey Sobolev 2024-08-29 16:47:29 +07:00 committed by GitHub
parent 63aa456011
commit 1667581b5f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
server/middleware/src/private.ts
View File

@ -49,20 +49,30 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
return new PrivateMiddleware(storage, next)
}
async tx (ctx: SessionContext, tx: Tx): Promise<TxMiddlewareResult> {
let target: string[] | undefined
isTargetDomain (tx: Tx): boolean {
if (TxProcessor.isExtendsCUD(tx._class)) {
const txCUD = tx as TxCUD<Doc>
const domain = this.storage.hierarchy.getDomain(txCUD.objectClass)
if (this.targetDomains.includes(domain)) {
const account = (await getUser(this.storage, ctx))._id
if (account !== tx.modifiedBy && account !== core.account.System) {
throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
}
const modifiedByAccount = await this.storage.modelDb.findAll(core.class.Account, { _id: tx.modifiedBy })
target = [ctx.userEmail, systemAccountEmail]
if (modifiedByAccount.length > 0 && !target.includes(modifiedByAccount[0].email)) {
target.push(modifiedByAccount[0].email)
return this.targetDomains.includes(domain)
}
return false
}
async tx (ctx: SessionContext, tx: Tx): Promise<TxMiddlewareResult> {
let target: string[] | undefined
if (this.isTargetDomain(tx)) {
const account = (await getUser(this.storage, ctx))._id
if (account !== tx.modifiedBy && account !== core.account.System) {
throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
}
const modifiedByAccount = await this.storage.modelDb.findAll(core.class.Account, { _id: tx.modifiedBy })
target = [ctx.userEmail, systemAccountEmail]
if (modifiedByAccount.length > 0 && !target.includes(modifiedByAccount[0].email)) {
target.push(modifiedByAccount[0].email)
}
ctx.derived.targets.checkDomain = (tx) => {
if (this.isTargetDomain(tx)) {
return target
}
}
}