Don't add create permission to documents/files if missing

2024-09-28 23:41:23 +12:00 · 2022-08-13 18:34:04 +12:00 · 2022-08-13 18:34:04 +12:00 · 737ebe408c
commit 737ebe408c
parent c66a1991d8
3 changed files with 26 additions and 11 deletions
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@ -1872,7 +1872,14 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
            throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
        }

-        $permissions = PermissionsProcessor::addDefaultsIfNeeded($permissions, $user->getId());
+        $permissions = PermissionsProcessor::addDefaultsIfNeeded(
+            $permissions,
+            $user->getId(),
+            allowedPermissions: \array_filter(
+                Database::PERMISSIONS,
+                fn ($permission) => $permission !== Database::PERMISSION_CREATE
+            ),
+        );
        $permissions = PermissionsProcessor::handleAggregates($permissions);

        if ($documentSecurity) {
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@ -357,7 +357,14 @@ App::post('/v1/storage/buckets/:bucketId/files')
            throw new Exception('Bucket not found', 404, Exception::STORAGE_BUCKET_NOT_FOUND);
        }

-        $permissions = PermissionsProcessor::addDefaultsIfNeeded($permissions, $user->getId());
+        $permissions = PermissionsProcessor::addDefaultsIfNeeded(
+            $permissions,
+            $user->getId(),
+            allowedPermissions: \array_filter(
+                Database::PERMISSIONS,
+                fn ($permission) => $permission !== Database::PERMISSION_CREATE
+            ),
+        );
        $permissions = PermissionsProcessor::handleAggregates($permissions);

        $validator = new Authorization('create');
--- a/src/Appwrite/Permissions/PermissionsProcessor.php
+++ b/src/Appwrite/Permissions/PermissionsProcessor.php
@ -32,22 +32,23 @@ class PermissionsProcessor
        return $permissions;
    }

-    public static function addDefaultsIfNeeded(?array $permissions, string $userId): array
+    public static function addDefaultsIfNeeded(
+        ?array $permissions, 
+        string $userId, 
+        array $allowedPermissions = Database::PERMISSIONS
+    ): array
    {
        if (\is_null($permissions)) {
            $permissions = [];
            if (!empty($userId)) {
-                $permissions = [
-                    'read(user:' . $userId . ')',
-                    'create(user:' . $userId . ')',
-                    'update(user:' . $userId . ')',
-                    'delete(user:' . $userId . ')',
-                ];
+                foreach ($allowedPermissions as $permission) {
+                    $permissions[] = $permission . '(' . $userId . ')';
+                }
            }
            return $permissions;
        }
-        foreach (Database::PERMISSIONS as $permission) {
-            // Default any missing permissions to the current user
+        foreach ($allowedPermissions as $permission) {
+            // Default any missing allowed permissions to the current user
            if (empty(\preg_grep("#^{$permission}\(.+\)$#", $permissions)) && !empty($userId)) {
                $permissions[] = $permission . '(user:' . $userId . ')';
            }