mirror of
https://github.com/hcengineering/platform.git
synced 2024-12-27 21:43:20 +03:00
Space security respect tx (#2895)
Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
This commit is contained in:
parent
a212a850ed
commit
3d7a02f316
@ -285,6 +285,10 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
|
||||
return query
|
||||
}
|
||||
|
||||
private getKey<T extends Doc>(_class: Ref<Class<T>>): string {
|
||||
return this.storage.hierarchy.isDerived(_class, core.class.Tx) ? 'objectSpace' : 'space'
|
||||
}
|
||||
|
||||
override async findAll<T extends Doc>(
|
||||
ctx: SessionContext,
|
||||
_class: Ref<Class<T>>,
|
||||
@ -293,12 +297,13 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
|
||||
): Promise<FindResult<T>> {
|
||||
const newQuery = query
|
||||
const account = await getUser(this.storage, ctx)
|
||||
const field = this.getKey(_class)
|
||||
if (!isOwner(account)) {
|
||||
if (query.space !== undefined) {
|
||||
newQuery.space = await this.mergeQuery(account, query.space)
|
||||
if (query[field] !== undefined) {
|
||||
;(newQuery as any)[field] = await this.mergeQuery(account, query[field])
|
||||
} else {
|
||||
const spaces = await this.getAllAllowedSpaces(account)
|
||||
newQuery.space = { $in: spaces }
|
||||
;(newQuery as any)[field] = { $in: spaces }
|
||||
}
|
||||
}
|
||||
const findResult = await this.provideFindAll(ctx, _class, newQuery, options)
|
||||
|
Loading…
Reference in New Issue
Block a user