Don't add create permission to documents/files if missing
This commit is contained in:
parent
c66a1991d8
commit
737ebe408c
3 changed files with 26 additions and 11 deletions
|
@ -1872,7 +1872,14 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
|
|||
throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
$permissions = PermissionsProcessor::addDefaultsIfNeeded($permissions, $user->getId());
|
||||
$permissions = PermissionsProcessor::addDefaultsIfNeeded(
|
||||
$permissions,
|
||||
$user->getId(),
|
||||
allowedPermissions: \array_filter(
|
||||
Database::PERMISSIONS,
|
||||
fn ($permission) => $permission !== Database::PERMISSION_CREATE
|
||||
),
|
||||
);
|
||||
$permissions = PermissionsProcessor::handleAggregates($permissions);
|
||||
|
||||
if ($documentSecurity) {
|
||||
|
|
|
@ -357,7 +357,14 @@ App::post('/v1/storage/buckets/:bucketId/files')
|
|||
throw new Exception('Bucket not found', 404, Exception::STORAGE_BUCKET_NOT_FOUND);
|
||||
}
|
||||
|
||||
$permissions = PermissionsProcessor::addDefaultsIfNeeded($permissions, $user->getId());
|
||||
$permissions = PermissionsProcessor::addDefaultsIfNeeded(
|
||||
$permissions,
|
||||
$user->getId(),
|
||||
allowedPermissions: \array_filter(
|
||||
Database::PERMISSIONS,
|
||||
fn ($permission) => $permission !== Database::PERMISSION_CREATE
|
||||
),
|
||||
);
|
||||
$permissions = PermissionsProcessor::handleAggregates($permissions);
|
||||
|
||||
$validator = new Authorization('create');
|
||||
|
|
|
@ -32,22 +32,23 @@ class PermissionsProcessor
|
|||
return $permissions;
|
||||
}
|
||||
|
||||
public static function addDefaultsIfNeeded(?array $permissions, string $userId): array
|
||||
public static function addDefaultsIfNeeded(
|
||||
?array $permissions,
|
||||
string $userId,
|
||||
array $allowedPermissions = Database::PERMISSIONS
|
||||
): array
|
||||
{
|
||||
if (\is_null($permissions)) {
|
||||
$permissions = [];
|
||||
if (!empty($userId)) {
|
||||
$permissions = [
|
||||
'read(user:' . $userId . ')',
|
||||
'create(user:' . $userId . ')',
|
||||
'update(user:' . $userId . ')',
|
||||
'delete(user:' . $userId . ')',
|
||||
];
|
||||
foreach ($allowedPermissions as $permission) {
|
||||
$permissions[] = $permission . '(' . $userId . ')';
|
||||
}
|
||||
}
|
||||
return $permissions;
|
||||
}
|
||||
foreach (Database::PERMISSIONS as $permission) {
|
||||
// Default any missing permissions to the current user
|
||||
foreach ($allowedPermissions as $permission) {
|
||||
// Default any missing allowed permissions to the current user
|
||||
if (empty(\preg_grep("#^{$permission}\(.+\)$#", $permissions)) && !empty($userId)) {
|
||||
$permissions[] = $permission . '(user:' . $userId . ')';
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue