diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index 66ac7ccf60..6e4273362c 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -3197,13 +3197,13 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
 }
 $data = \array_merge($document->getArrayCopy(), $data); // Merge existing data with new data
+ $data['$collection'] = $collection->getId(); // Make sure user doesn't switch collectionID
 $data['$createdAt'] = $document->getCreatedAt(); // Make sure user doesn't switch createdAt
 $data['$id'] = $document->getId(); // Make sure user doesn't switch document unique ID
 $data['$permissions'] = $permissions;
- $data['$collection'] = $document->getAttribute('$collection'); // Attribute $collection is required for Utopia. Copying it from old version of document
 $newDocument = new Document($data);
- $setCollection = (function (Document $collection, Document $document) use (&$setCollection, $dbForProject, $database) {
+ $setCollection = function (Document $collection, Document $document) use (&$setCollection, $dbForProject, $database) {
 $relationships = \array_filter(
 $collection->getAttribute('attributes', []),
 fn($attribute) => $attribute->getAttribute('type') === Database::VAR_RELATIONSHIP
@@ -3267,9 +3267,10 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
 $document->setAttribute($relationship->getAttribute('key'), \reset($relations));
 }
 }
- });
+ };
 $setCollection($collection, $newDocument);
+
 try {
 $document = $dbForProject->withRequestTimestamp(
 $requestTimestamp,
diff --git a/docker-compose.yml b/docker-compose.yml
index 25781932f1..7b37f9fed7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,7 +84,7 @@ services:
 - ./docs:/usr/src/code/docs
 - ./public:/usr/src/code/public
 - ./src:/usr/src/code/src
- - ./dev:/usr/local/dev
+ - ./dev:/usr/src/code/dev
 depends_on:
 - mariadb
 - redis
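Review bot: The `\array_merge($document->getArrayCopy(), $data)` just above the added line copies every key of the request body over the stored document, and the hunk then pins back only `$collection`, `$createdAt`, `$id` and `$permissions`, so any other `$`-prefixed key a client sends (for example `$updatedAt` or `$internalId`) still reaches `new Document($data)` unless a validator outside this hunk already rejects it. A deny-by-exception list like this must be extended every time the document model gains an internal attribute; stripping reserved keys once before the merge is sturdier, e.g. `$data = \array_filter($data, fn ($key) => !\str_starts_with($key, '$'), ARRAY_FILTER_USE_KEY);` placed immediately before the `\array_merge` line. That filter only inspects top-level keys, so the four pinned assignments and the nested relationship payloads (which carry their own `$id`, as the new test shows) are unaffected. Separately, the added line writes the URL collection's public ID where the removed line copied the document's own `$collection` attribute; if the storage layer keeps the internal table name in that attribute rather than the public ID, the two values differ, which is worth confirming against the `updateDocument` call further down. The `App::patch` handler starts and ends outside this hunk.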
diff --git a/tests/e2e/Services/Databases/DatabasesCustomClientTest.php b/tests/e2e/Services/Databases/DatabasesCustomClientTest.php
index a1af48a0ea..046312fec2 100644
--- a/tests/e2e/Services/Databases/DatabasesCustomClientTest.php
+++ b/tests/e2e/Services/Databases/DatabasesCustomClientTest.php
@@ -548,6 +548,7 @@ class DatabasesCustomClientTest extends Scope
 ]
 ]
 ]);
+ $this->assertEquals(201, $parentDocument['headers']['status-code']);
 // This is the point of this test. We should be allowed to do this action, and it should not fail on permission check
@@ -578,7 +579,24 @@ class DatabasesCustomClientTest extends Scope
 $this->assertEquals(200, $response['headers']['status-code']);
 $this->assertEquals(11, $response['body'][$collection2['body']['$id']]['collection3']['Rating']);
- // Update collection 2 document
+
+ // We should not be allowed to update the document as we do not have permission for collection 2.
+ $response = $this->client->call(Client::METHOD_PATCH, '/databases/' . $databaseId . '/collections/' . $collection1['body']['$id'] . '/documents/' . $collection1['body']['$id'], array_merge([
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ], $this->getHeaders()), [
+ 'data' => [
+ 'Title' => 'Captain America',
+ $collection2['body']['$id'] => [
+ '$id' => ID::custom($collection2['body']['$id']),
+ 'Rating' => '11',
+ $collection3['body']['$id'] => null,
+ ]
+ ]
+ ]);
+
+ $this->assertEquals(401, $response['headers']['status-code']);
+
 // We should not be allowed to update the document as we do not have permission for collection 2.
 $response = $this->client->call(Client::METHOD_PATCH, '/databases/' . $databaseId . '/collections/' . $collection2['body']['$id'] . '/documents/' . $collection2['body']['$id'], array_merge([
 'content-type' => 'application/json',
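Review bot: The new negative case only asserts the 401 on the PATCH against collection 1's document; it never checks that the rejected request left the parent document untouched, so a partial write (the top-level `Title` persisted before the nested collection-2 permission check fails) would still pass this test. Reading the document back with the same headers and asserting `Title` does not hold the rejected value closes that gap; the read is presumably permitted, since the assertions just above already consume a 200 response with this document's nested data under these headers, but confirm that against the setup earlier in the method. The previous title is set outside this hunk, so the check below uses `assertNotEquals` against `'Captain America'` rather than the exact old string. Also, the fixture sends `'Rating' => '11'` as a string while the assertion two lines above the change expects integer `11`; using the same type in both keeps a coercion bug from being masked.

```php
$this->assertEquals(401, $response['headers']['status-code']);

// The rejected update must not have been applied in part.
$response = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $collection1['body']['$id'] . '/documents/' . $collection1['body']['$id'], array_merge([
    'content-type' => 'application/json',
    'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));

$this->assertEquals(200, $response['headers']['status-code']);
$this->assertNotEquals('Captain America', $response['body']['Title']);
// … unchanged: second negative PATCH against collection 2 …
```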