hcengineering/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2024-11-26 13:47:26 +03:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Space security respect tx (#2895)

Browse Source 
Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
This commit is contained in:
Denis Bykhov 2023-04-05 15:40:10 +06:00 committed by GitHub
parent a212a850ed
commit 3d7a02f316
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
server/middleware/src/spaceSecurity.ts
View File

@ -285,6 +285,10 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
return query
}
private getKey<T extends Doc>(_class: Ref<Class<T>>): string {
return this.storage.hierarchy.isDerived(_class, core.class.Tx) ? 'objectSpace' : 'space'
}
override async findAll<T extends Doc>(
ctx: SessionContext,
_class: Ref<Class<T>>,
@ -293,12 +297,13 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
): Promise<FindResult<T>> {
const newQuery = query
const account = await getUser(this.storage, ctx)
const field = this.getKey(_class)
if (!isOwner(account)) {
if (query.space !== undefined) {
newQuery.space = await this.mergeQuery(account, query.space)
if (query[field] !== undefined) {
;(newQuery as any)[field] = await this.mergeQuery(account, query[field])
} else {
const spaces = await this.getAllAllowedSpaces(account)
newQuery.space = { $in: spaces }
;(newQuery as any)[field] = { $in: spaces }
}
}
const findResult = await this.provideFindAll(ctx, _class, newQuery, options)