
Return 404 if a user doesn't have access to a collection

It is better to return 404 so that an end user can't tell whether the
collection actually exists but they don't have access, or whether it
really doesn't exist.
This commit is contained in:
Steven Nguyen 2023-04-18 17:34:39 -07:00
parent 50bb69290f
commit 611dd9b86c
No known key found for this signature in database
3 changed files with 12 additions and 7 deletions


@ -2886,12 +2886,19 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) {
if (!$collection->getAttribute('documentSecurity', false)) {
$validator = new Authorization(Database::PERMISSION_READ);
if (!$validator->isValid($collection->getRead())) {
$collection = new Document();
}
}
}
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
// Validate queries
$queriesValidator = new Documents($collection->getAttribute('attributes'), $collection->getAttribute('indexes'));
$validQueries = $queriesValidator->isValid($queries);
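Review bot: The line `$collection = new Document();` inside the permission check is what folds "exists but not readable" into the COLLECTION_NOT_FOUND thrown a few lines later, but nothing in the hunk says so, and a later reader could "simplify" it into a direct forbidden-style throw and reintroduce the existence leak. Suggest a comment on that line: `// Deliberately treat an unreadable collection as missing so the 404 below does not reveal whether it exists`. The check is also skipped when `documentSecurity` is true, so for such collections a caller with no collection-level read permission still learns the collection exists via the normal response; if that is intended, it is worth stating in the same comment. If other document routes in this file keep the old behaviour for unreadable collections, the difference between them would still disclose existence, so they presumably need the same treatment. The route closure starts and ends outside the hunk.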


@ -2853,9 +2853,7 @@ trait DatabasesBase
]);
// Current user has no collection permissions and document permissions are disabled
$this->assertEquals(200, $documentsUser2['headers']['status-code']);
$this->assertEquals(0, $documentsUser2['body']['total']);
$this->assertEquals(true, empty($documentsUser2['body']['documents']));
$this->assertEquals(404, $documentsUser2['headers']['status-code']);
// Enable document permissions
$collection = $this->client->call(CLient::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $collectionId, [
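Review bot: The replacement assertion only pins the status code, so any 404 (for example from a mistyped path) would satisfy it; asserting the error body as well, e.g. its error type field if the response carries one, would tie the test to the not-found response the commit intends. The preceding comment "Current user has no collection permissions and document permissions are disabled" still matches the scenario and can stay. Unrelated nit on the context line below: `CLient::METHOD_PUT` works only because class names are case-insensitive and should read `Client::METHOD_PUT`. The test method continues outside the hunk.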


@ -176,7 +176,7 @@ class DatabasesPermissionsTeamTest extends Scope
if ($success) {
$this->assertCount(1, $documents['body']['documents']);
} else {
$this->assertCount(0, $documents['body']['documents']);
$this->assertEquals(404, $documents['headers']['status-code']);
}
}
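Review bot: The `else` branch now asserts the 404 status, but the `if ($success)` branch still checks only the document count and never the status code, so the two outcomes are pinned asymmetrically; adding `$this->assertEquals(200, $documents['headers']['status-code']);` before the `assertCount(1, ...)` keeps the success path as explicit as the failure path. The enclosing test method starts outside the hunk.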