From 1aa36b6b2c025eb72870983b510c9a18c3d77d61 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Tue, 16 Aug 2022 21:08:14 +1200
Subject: [PATCH] Simplify permission checks
---
app/controllers/api/databases.php | 19 ++++---------
app/controllers/api/storage.php | 46 +++++++++++--------------------
2 files changed, 21 insertions(+), 44 deletions(-)
diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index cd1a4b16f8..38856dcbcf 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -2188,11 +2188,8 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
throw new Exception(Exception::DOCUMENT_NOT_FOUND);
}
- if ($documentSecurity) {
- $valid |= $validator->isValid($document->getRead());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($documentSecurity && !$validator->isValid($document->getRead())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
/**
@@ -2362,10 +2359,7 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
throw new Exception(Exception::DOCUMENT_NOT_FOUND);
}
- if ($documentSecurity) {
- $valid |= $validator->isValid($document->getUpdate());
- }
- if (!$valid) {
+ if ($documentSecurity && !$validator->isValid($document->getUpdate())) {
throw new Exception(Exception::USER_UNAUTHORIZED);
}
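Review bot: The rewritten check in the GET document hunk (`@@ -2188`) no longer reads `$valid`, so with `$documentSecurity` off it can never throw, and the collection-level decision is enforced only if code above the hunk already rejects the request; that code is not visible here. With `$documentSecurity` on, the old `$valid |= …` let either a collection-level or a document-level grant pass, while the new condition requires the document-level grant, so this changes authorization semantics unless an earlier check settles the collection case first. The three visible hunks account for all 19 changed lines of databases.php in the diffstat, so whatever assigns `$valid` is untouched and is now either the enforcing check or dead code. If the old OR semantics are intended, keep the collection result in the condition, e.g. `if (!$valid && !($documentSecurity && $validator->isValid($document->getRead()))) {`, and cover the four collection/document grant combinations with tests. The same pattern recurs in the PATCH (`@@ -2362`) and DELETE (`@@ -2490`) document hunks and in every `$fileSecurity` hunk of storage.php.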
@@ -2490,11 +2484,8 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
throw new Exception(Exception::DOCUMENT_NOT_FOUND);
}
- if ($documentSecurity) {
- $valid |= $validator->isValid($document->getDelete());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($documentSecurity && !$validator->isValid($document->getDelete())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$dbForProject->deleteDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId);
diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index 121fa50359..120bd1947b 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -394,6 +394,8 @@ App::post('/v1/storage/buckets/:bucketId/files')
*/
$permissions = PermissionsProcessor::aggregate($permissions, 'file');
+ \var_dump($permissions);
+
/**
* Add permissions for current the user for any missing types
* from the allowed permissions for this resource type.
@@ -417,6 +419,8 @@ App::post('/v1/storage/buckets/:bucketId/files')
}
}
}
+
+ \var_dump($permissions);
// Users can only manage their own roles, API keys and Admin users can manage any
$roles = Authorization::getRoles();
@@ -790,11 +794,8 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($fileSecurity) {
- $valid |= $validator->isValid($file->getRead());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getRead())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$usage
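Review bot: The `\var_dump($permissions);` added after `PermissionsProcessor::aggregate(...)` in the file-create handler (`@@ -394`), and the second one added in the following hunk (`@@ -417`), look like leftover debug output. In a request handler this writes the file's permission strings to the process output, where they can end up in the response body or in server logs; how it surfaces depends on the runtime, which is not visible here. Drop both added `\var_dump` lines and the blank `+` line next to each before merging. If the values are needed for diagnosis, route them through the project's logger at debug level instead.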
@@ -874,11 +875,8 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($fileSecurity) {
- $valid |= $validator->isValid($file->getRead());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getRead())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$path = $file->getAttribute('path');
@@ -1029,11 +1027,8 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($bucket->getAttribute('fileSecurity', false)) {
- $valid |= $validator->isValid($file->getRead());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getRead())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$path = $file->getAttribute('path', '');
@@ -1167,11 +1162,8 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($fileSecurity) {
- $valid |= $validator->isValid($file->getRead());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getRead())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$mimes = Config::getParam('storage-mimes');
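Review bot: In the download hunk (`@@ -1029`) the condition switches from `$bucket->getAttribute('fileSecurity', false)` to `$fileSecurity`, but nothing in this commit assigns `$fileSecurity` in that handler: the eight visible storage.php hunks account for all 46 changed lines in the diffstat. The old code reading the bucket attribute directly suggests the variable may not have existed here. If it is undefined, PHP evaluates it as null with only a warning, the `&&` short-circuits, and the file-level read check is skipped without throwing. Confirm the assignment exists above the hunk, or keep the explicit read: `if ($bucket->getAttribute('fileSecurity', false) && !$validator->isValid($file->getRead())) {`. The handler body starts and ends outside the hunk.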
@@ -1319,11 +1311,8 @@ App::put('/v1/storage/buckets/:bucketId/files/:fileId')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($fileSecurity) {
- $valid |= $validator->isValid($file->getUpdate());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getUpdate())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
// Users can only manage their own roles, API keys and Admin users can manage any
@@ -1410,11 +1399,8 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
}
- if ($fileSecurity) {
- $valid |= $validator->isValid($file->getDelete());
- }
- if (!$valid) {
- throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+ if ($fileSecurity && !$validator->isValid($file->getDelete())) {
+ throw new Exception(Exception::USER_UNAUTHORIZED);
}
$deviceDeleted = false;