Skipping checking permission of relations that are not being updated

2024-10-03 19:53:33 +13:00 · 2023-07-13 22:28:08 +05:30 · 2023-07-13 22:28:08 +05:30 · 0fc0255a38
commit 0fc0255a38
parent 3d62652e1e
1 changed files with 26 additions and 3 deletions
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@ -3293,8 +3293,9 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
        $data['$id'] = $document->getId();                      // Make sure user doesn't switch document unique ID
        $data['$permissions'] = $permissions;
        $newDocument = new Document($data);
+        $oldDocumentToBeUpdated = $document;

-        $checkPermissions = function (Document $collection, Document $document, Document $old, string $permission) use (&$checkPermissions, $dbForProject, $database) {
+        $checkPermissions = function (Document $collection, Document $document, Document $old, string $permission) use (&$checkPermissions, $dbForProject, $database, $newDocument, $oldDocumentToBeUpdated) {
            $documentSecurity = $collection->getAttribute('documentSecurity', false);
            $validator = new Authorization($permission);

@ -3310,9 +3311,31 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
                }
            }

-            $relationships = \array_filter(
+            $relationships = array_filter(
                $collection->getAttribute('attributes', []),
-                fn($attribute) => $attribute->getAttribute('type') === Database::VAR_RELATIONSHIP
+                function (Document $attribute) use ($oldDocumentToBeUpdated, $newDocument) {
+                    if ($attribute->getAttribute('type') === Database::VAR_RELATIONSHIP) {
+                        $relationKey = $attribute->getAttribute('key');
+
+                        $oldRelationDocument = $oldDocumentToBeUpdated[$relationKey] ?? [];
+                        $newRelationDocuemntFromRequestData = $newDocument[$relationKey] ?? [];
+
+                        if (count($oldRelationDocument) !== count($newRelationDocuemntFromRequestData)) {
+                                // Return true if a difference is found in the relationships
+                                return true;
+                        }
+
+                        foreach ($oldRelationDocument as $key => $obj1) {
+                            $obj2 = $newRelationDocuemntFromRequestData[$key] ?? null;
+                            if (($obj1 instanceof Document && $obj2 instanceof Document && $obj1->getArrayCopy() !== $obj2->getArrayCopy())  || !($obj2 instanceof Document)) {
+                                // Return true if a difference is found in the relationships
+                                return true;
+                            }
+                        }
+                    }
+
+                    return false;
+                }
            );

            foreach ($relationships as $relationship) {