Change access control logic for document in Postgres adapter (#7186)

2024-12-22 11:01:54 +03:00 · 2024-11-19 09:11:12 +05:00 · 2024-11-19 09:11:12 +05:00 · 46e0f217bf
commit 46e0f217bf
parent 5e10da812d
3 changed files with 11 additions and 3 deletions
--- a/models/notification/src/migration.ts
+++ b/models/notification/src/migration.ts
@ -429,6 +429,12 @@ export const notificationOperation: MigrateOperation = {
            objectClass: notification.class.BrowserNotification
          })
        }
+      },
+      {
+        state: 'migrate-dnc-space',
+        func: async (client) => {
+          await client.update(DOMAIN_DOC_NOTIFY, { space: core.space.Space }, { space: core.space.Workspace })
+        }
      }
    ])
  },
--- a/server/postgres/src/storage.ts
+++ b/server/postgres/src/storage.ts
@ -477,14 +477,15 @@ abstract class PostgresAdapterBase implements DbAdapter {
    if (sessionContext !== undefined && sessionContext.isTriggerCtx !== true) {
      if (sessionContext.admin !== true && sessionContext.account !== undefined) {
        const acc = sessionContext.account
-        if (isOwner(acc) || acc.role === AccountRole.DocGuest) {
+        if (acc.role === AccountRole.DocGuest || acc._id === core.account.System) {
          return
        }
        if (query.space === acc._id) return
+        if (domain === DOMAIN_SPACE && isOwner(acc)) return
        const key = domain === DOMAIN_SPACE ? '_id' : domain === DOMAIN_TX ? "data ->> 'objectSpace'" : 'space'
        const privateCheck = domain === DOMAIN_SPACE ? ' OR sec.private = false' : ''
        const q = `(sec.members @> '{"${acc._id}"}' OR sec."_class" = '${core.class.SystemSpace}'${privateCheck})`
-        return `INNER JOIN ${translateDomain(DOMAIN_SPACE)} AS sec ON sec._id = ${domain}.${escapeBackticks(key)} AND sec."workspaceId" = '${this.workspaceId.name}' AND ${q}`
+        return `INNER JOIN ${translateDomain(DOMAIN_SPACE)} AS sec ON sec._id = ${domain}.${key} AND sec."workspaceId" = '${this.workspaceId.name}' AND ${q}`
      }
    }
  }
@ -1034,7 +1035,7 @@ abstract class PostgresAdapterBase implements DbAdapter {
      return res.length === 0 ? undefined : res.join(' AND ')
    }
    return type === 'common'
-      ? `${tkey} = '${value}'`
+      ? `${tkey} = '${escapeBackticks(value)}'`
      : type === 'array'
        ? `${tkey} @> '${typeof value === 'string' ? '{"' + value + '"}' : value}'`
        : `${tkey} @> '${typeof value === 'string' ? '"' + value + '"' : value}'`
--- a/server/postgres/src/utils.ts
+++ b/server/postgres/src/utils.ts
@ -351,6 +351,7 @@ export function parseUpdate<T extends Doc> (
 }

 export function escapeBackticks (str: string): string {
+  if (typeof str !== 'string') return str
  return str.replaceAll("'", "''")
 }