diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php index 5bc6bbc222..dd009864a7 100644 --- a/app/controllers/api/account.php +++ b/app/controllers/api/account.php @@ -163,6 +163,11 @@ App::post('/v1/account') $user = Authorization::skip(fn() => $dbForProject->createDocument('users', $user)); try { $target = Authorization::skip(fn() => $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => MESSAGE_TYPE_EMAIL, @@ -707,7 +712,7 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect') $userDoc = Authorization::skip(fn() => $dbForProject->createDocument('users', $user)); $dbForProject->createDocument('targets', new Document([ '$permissions' => [ - Permission::read(Role::any()), + Permission::read(Role::user($user->getId())), Permission::update(Role::user($user->getId())), Permission::delete(Role::user($user->getId())), ], @@ -1699,6 +1704,11 @@ App::post('/v1/account/tokens/phone') Authorization::skip(fn () => $dbForProject->createDocument('users', $user)); try { $target = Authorization::skip(fn() => $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => MESSAGE_TYPE_SMS, diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php index 942641a68a..9a9e37c32f 100644 --- a/app/controllers/api/users.php +++ b/app/controllers/api/users.php @@ -115,6 +115,11 @@ function createUser(string $hash, mixed $hashOptions, string $userId, ?string $e if ($email) { try { $target = $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => 'email', @@ -132,6 +137,11 @@ function createUser(string $hash, mixed $hashOptions, string $userId, ?string $e if ($phone) { try { $target = $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => 'sms', @@ -498,6 +508,11 @@ App::post('/v1/users/:userId/targets') try { $target = $dbForProject->createDocument('targets', new Document([ '$id' => $targetId, + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'providerId' => $providerId ?? null, 'providerInternalId' => $provider->getInternalId() ?? null, 'providerType' => $providerType, @@ -1227,6 +1242,11 @@ App::patch('/v1/users/:userId/email') } else { if (\strlen($email) !== 0) { $target = $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => 'email', @@ -1305,6 +1325,11 @@ App::patch('/v1/users/:userId/phone') } else { if (\strlen($number) !== 0) { $target = $dbForProject->createDocument('targets', new Document([ + '$permissions' => [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ], 'userId' => $user->getId(), 'userInternalId' => $user->getInternalId(), 'providerType' => 'sms',