From 4eb298e4e07333df0c0eee1c390e7c009b9c91cc Mon Sep 17 00:00:00 2001
From: Torsten Dittmann <torsten.dittmann@googlemail.com>
Date: Tue, 27 Apr 2021 09:12:59 +0200
Subject: [PATCH] fix: executions permission validation

---
 app/controllers/api/functions.php  | 4 ++--
 src/Appwrite/Database/Database.php | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/functions.php b/app/controllers/api/functions.php
index fb2446732..7596893af 100644
--- a/app/controllers/api/functions.php
+++ b/app/controllers/api/functions.php
@@ -802,7 +802,7 @@ App::get('/v1/functions/:functionId/executions')
         /** @var Appwrite\Utopia\Response $response */
         /** @var Appwrite\Database\Database $projectDB */
         
-        $function = $projectDB->getDocument($functionId);
+        $function = $projectDB->getDocument($functionId, true, true, 'execute');
 
         if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
             throw new Exception('Function not found', 404);
@@ -844,7 +844,7 @@ App::get('/v1/functions/:functionId/executions/:executionId')
         /** @var Appwrite\Utopia\Response $response */
         /** @var Appwrite\Database\Database $projectDB */
         
-        $function = $projectDB->getDocument($functionId);
+        $function = $projectDB->getDocument($functionId, true, true, 'execute');
 
         if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
             throw new Exception('Function not found', 404);
diff --git a/src/Appwrite/Database/Database.php b/src/Appwrite/Database/Database.php
index d0defdec0..4137c6ee2 100644
--- a/src/Appwrite/Database/Database.php
+++ b/src/Appwrite/Database/Database.php
@@ -196,17 +196,18 @@ class Database
      * @param string $id
      * @param bool $mock is mocked data allowed?
      * @param bool $decode enable decoding?
+     * @param string $permission permissions to read
      *
      * @return Document
      */
-    public function getDocument($id, bool $mock = true, bool $decode = true)
+    public function getDocument($id, bool $mock = true, bool $decode = true, string $permission = 'read')
     {
         if (\is_null($id)) {
             return new Document();
         }
 
         $document = new Document((isset($this->mocks[$id]) && $mock) ? $this->mocks[$id] : $this->adapter->getDocument($id));
-        $validator = new Authorization($document, 'read');
+        $validator = new Authorization($document, $permission);
 
         if (!$validator->isValid($document->getPermissions())) { // Check if user has read access to this document
             return new Document();