hcengineering/platform
1
0
Fork 0
mirror of https://github.com/hcengineering/platform.git synced 2024-12-22 19:11:33 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Change access control logic for document in Postgres adapter (#7186)

Browse Source
This commit is contained in:
Denis Bykhov 2024-11-19 09:11:12 +05:00 committed by GitHub
parent 5e10da812d
commit 46e0f217bf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
models/notification/src/migration.ts
View File

@ -429,6 +429,12 @@ export const notificationOperation: MigrateOperation = {
objectClass: notification.class.BrowserNotification objectClass: notification.class.BrowserNotification
}) })
} }
},
{
state: 'migrate-dnc-space',
func: async (client) => {
await client.update(DOMAIN_DOC_NOTIFY, { space: core.space.Space }, { space: core.space.Workspace })
}
} }
]) ])
}, },

7
server/postgres/src/storage.ts
View File

@ -477,14 +477,15 @@ abstract class PostgresAdapterBase implements DbAdapter {
if (sessionContext !== undefined && sessionContext.isTriggerCtx !== true) { if (sessionContext !== undefined && sessionContext.isTriggerCtx !== true) {
if (sessionContext.admin !== true && sessionContext.account !== undefined) { if (sessionContext.admin !== true && sessionContext.account !== undefined) {
const acc = sessionContext.account const acc = sessionContext.account
if (isOwner(acc) || acc.role === AccountRole.DocGuest) { if (acc.role === AccountRole.DocGuest || acc._id === core.account.System) {
return return
} }
if (query.space === acc._id) return if (query.space === acc._id) return
if (domain === DOMAIN_SPACE && isOwner(acc)) return
const key = domain === DOMAIN_SPACE ? '_id' : domain === DOMAIN_TX ? "data ->> 'objectSpace'" : 'space' const key = domain === DOMAIN_SPACE ? '_id' : domain === DOMAIN_TX ? "data ->> 'objectSpace'" : 'space'
const privateCheck = domain === DOMAIN_SPACE ? ' OR sec.private = false' : '' const privateCheck = domain === DOMAIN_SPACE ? ' OR sec.private = false' : ''
const q = `(sec.members @> '{"${acc._id}"}' OR sec."_class" = '${core.class.SystemSpace}'${privateCheck})` const q = `(sec.members @> '{"${acc._id}"}' OR sec."_class" = '${core.class.SystemSpace}'${privateCheck})`
return `INNER JOIN ${translateDomain(DOMAIN_SPACE)} AS sec ON sec._id = ${domain}.${escapeBackticks(key)} AND sec."workspaceId" = '${this.workspaceId.name}' AND ${q}` return `INNER JOIN ${translateDomain(DOMAIN_SPACE)} AS sec ON sec._id = ${domain}.${key} AND sec."workspaceId" = '${this.workspaceId.name}' AND ${q}`
} }
} }
} }
@ -1034,7 +1035,7 @@ abstract class PostgresAdapterBase implements DbAdapter {
return res.length === 0 ? undefined : res.join(' AND ') return res.length === 0 ? undefined : res.join(' AND ')
} }
return type === 'common' return type === 'common'
? `${tkey} = '${value}'` ? `${tkey} = '${escapeBackticks(value)}'`
: type === 'array' : type === 'array'
? `${tkey} @> '${typeof value === 'string' ? '{"' + value + '"}' : value}'` ? `${tkey} @> '${typeof value === 'string' ? '{"' + value + '"}' : value}'`
: `${tkey} @> '${typeof value === 'string' ? '"' + value + '"' : value}'` : `${tkey} @> '${typeof value === 'string' ? '"' + value + '"' : value}'`

1
server/postgres/src/utils.ts
View File

@ -351,6 +351,7 @@ export function parseUpdate<T extends Doc> (
} }
export function escapeBackticks (str: string): string { export function escapeBackticks (str: string): string {
if (typeof str !== 'string') return str
return str.replaceAll("'", "''") return str.replaceAll("'", "''")
} }