From 22494252650a05e3ec07ae4444c0fb7138a86322 Mon Sep 17 00:00:00 2001
From: Denis Bykhov
Date: Wed, 15 May 2024 20:40:20 +0500
Subject: [PATCH] Fix spotlight security leak (#5601)

Signed-off-by: Denis Bykhov
---
 server/middleware/src/spaceSecurity.ts | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index b7df818244..2ebefed226 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -545,7 +545,25 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
 const newQuery = { ...query }
 const account = await getUser(this.storage, ctx)
 if (!isSystem(account)) {
- newQuery.spaces = this.getAllAllowedSpaces(account, true)
+ const allSpaces = this.getAllAllowedSpaces(account, true)
+ if (query.classes !== undefined) {
+ const res = new Set>()
+ const passedDomains = new Set()
+ for (const _class of query.classes) {
+ const domain = this.storage.hierarchy.getDomain(_class)
+ if (passedDomains.has(domain)) {
+ continue
+ }
+ passedDomains.add(domain)
+ const spaces = await this.filterByDomain(domain, allSpaces)
+ for (const space of spaces) {
+ res.add(space)
+ }
+ }
+ newQuery.spaces = [...res]
+ } else {
+ newQuery.spaces = allSpaces
+ }
 }
 const result = await this.provideSearchFulltext(ctx, newQuery, options)
 return result
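Review bot: `newQuery.spaces = [...res]` can end up as an empty array (an empty `query.classes`, or `filterByDomain` returning nothing for every domain), and nothing visible in this hunk shows whether `provideSearchFulltext` reads `spaces: []` as "no access" or as "no space filter"; in a fix for a leak that case should fail closed and be pinned by a regression test, which this commit (one file changed) does not add. The `else` branch also keeps the unfiltered `allSpaces` for queries without `classes`, so whatever `filterByDomain` strips is still searchable on that path; if that is intended, say so with a comment such as `// no classes given: domain filtering not applicable, fall back to all allowed spaces`. Because the per-domain results are merged into one set and applied to the whole query, a space kept for one class's domain is also searched for the other classes, which may be coarser than intended. The enclosing method starts and ends outside the hunk.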