Return 404 if a user doesn't have access to a collection
It is better to return 404 so that an end user cannot tell whether the collection exists but they lack access to it, or whether it does not exist at all.
This commit is contained in:
parent
50bb69290f
commit
611dd9b86c
3 changed files with 12 additions and 7 deletions
|
@ -2886,12 +2886,19 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
|
|||
|
||||
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
|
||||
|
||||
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
|
||||
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) {
|
||||
throw new Exception(Exception::COLLECTION_NOT_FOUND);
|
||||
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) {
|
||||
if (!$collection->getAttribute('documentSecurity', false)) {
|
||||
$validator = new Authorization(Database::PERMISSION_READ);
|
||||
if (!$validator->isValid($collection->getRead())) {
|
||||
$collection = new Document();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
|
||||
throw new Exception(Exception::COLLECTION_NOT_FOUND);
|
||||
}
|
||||
|
||||
// Validate queries
|
||||
$queriesValidator = new Documents($collection->getAttribute('attributes'), $collection->getAttribute('indexes'));
|
||||
$validQueries = $queriesValidator->isValid($queries);
|
||||
|
|
|
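Review bot: The existence-hiding the description promises holds only when document security is off — the guard `if (!$collection->getAttribute('documentSecurity', false))` skips the collection-level read check entirely, so a caller with no read permission on a collection that has document security enabled still passes this block and presumably receives a 200 with a filtered list, which lets that collection be told apart from a non-existent one. If that is intended, state it at the guard, e.g. `// documentSecurity: per-document permissions may grant access, so the collection's existence is not hidden here`. The three-level nesting could also collapse into a single guard: `$isPrivileged = $mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles());` / `$canReadCollection = $collection->getAttribute('documentSecurity', false) || (new Authorization(Database::PERMISSION_READ))->isValid($collection->getRead());` / `if (!$isPrivileged && !$canReadCollection) { $collection = new Document(); }`. For the 404 to actually hide existence it must be applied the same way on the sibling document routes of this collection (get/create/update/delete), which are not part of this diff — I cannot verify that from here. The enclosing route action starts before the hunk.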
@ -2853,9 +2853,7 @@ trait DatabasesBase
|
|||
]);
|
||||
|
||||
// Current user has no collection permissions and document permissions are disabled
|
||||
$this->assertEquals(200, $documentsUser2['headers']['status-code']);
|
||||
$this->assertEquals(0, $documentsUser2['body']['total']);
|
||||
$this->assertEquals(true, empty($documentsUser2['body']['documents']));
|
||||
$this->assertEquals(404, $documentsUser2['headers']['status-code']);
|
||||
|
||||
// Enable document permissions
|
||||
$collection = $this->client->call(CLient::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $collectionId, [
|
||||
|
|
|
@ -176,7 +176,7 @@ class DatabasesPermissionsTeamTest extends Scope
|
|||
if ($success) {
|
||||
$this->assertCount(1, $documents['body']['documents']);
|
||||
} else {
|
||||
$this->assertCount(0, $documents['body']['documents']);
|
||||
$this->assertEquals(404, $documents['headers']['status-code']);
|
||||
}
|
||||
}
|
||||
|
||||
|
|