
Fix console/API key checks

This commit is contained in:
Jake Barnby 2023-08-08 15:46:01 -04:00
parent ff83751450
commit b196914638
No known key found for this signature in database
GPG key ID: C437A8CC85B96E9C
4 changed files with 77 additions and 57 deletions


@ -2664,12 +2664,13 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if ($database->isEmpty() || !$database->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::DATABASE_NOT_FOUND);
}
}
@ -2677,7 +2678,7 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
@ -2889,19 +2890,20 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if ($database->isEmpty() || !$database->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::DATABASE_NOT_FOUND);
}
}
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!($isAdminMode && ($isAPIKey || $isPrivilegedUser))) {
if (!$collection->getAttribute('documentSecurity', false)) {
$validator = new Authorization(Database::PERMISSION_READ);
if (!$validator->isValid($collection->getRead())) {
@ -2911,7 +2913,7 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
}
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
@ -3031,12 +3033,14 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if ($database->isEmpty() || !$database->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::DATABASE_NOT_FOUND);
}
}
@ -3044,7 +3048,7 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
@ -3249,12 +3253,14 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if ($database->isEmpty() || !$database->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::DATABASE_NOT_FOUND);
}
}
@ -3262,7 +3268,7 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
@ -3493,12 +3499,14 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if ($database->isEmpty() || !$database->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::DATABASE_NOT_FOUND);
}
}
@ -3506,7 +3514,7 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
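Review bot: The list-documents route still gates its collection permission check on `$isAdminMode && ($isAPIKey || $isPrivilegedUser)` (the renamed line directly after the `$collection` lookup), while the database-enabled check a few lines above and the collection-enabled check below it now use `!$isConsole && !$isAPIKey`; so an API-key request outside admin mode now gets past the disabled-database gate but is still pushed through the collection read-permission validator. If the commit's intent is that API keys are exempt regardless of `$mode`, that line should become `if (!$isConsole && !$isAPIKey) {` as well; if the permission check is deliberately stricter than the enabled check, a one-line comment on it (`// Only console-in-admin-mode or API key may skip collection-level read permissions`) would stop the next reader from "fixing" the asymmetry. Every document-route closure in these hunks begins and ends outside the visible lines.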


@ -1038,11 +1038,12 @@ App::post('/v1/functions/:functionId/executions')
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
}
}
@ -1237,11 +1238,12 @@ App::get('/v1/functions/:functionId/executions')
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
}
}
@ -1313,11 +1315,12 @@ App::get('/v1/functions/:functionId/executions/:executionId')
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
}
}
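Review bot: `$isAPIKey` is assigned from `Auth::isAppUser(Authorization::getRoles())` in all three execution routes, so the variable name claims a narrower identity than the helper's own name advertises; if app-user roles are only ever granted to API-key requests in this code base, say so where the value is computed (`// the app-user role is only ever held by API-key requests`), otherwise a dedicated `Auth::isAPIKey()` helper is the honest fix. The rewritten gate `if (!$isConsole && !$isAPIKey)` also drops the `APP_MODE_ADMIN` requirement that the old condition imposed on app-user callers, so an API key now reaches a disabled or unknown function in any mode; that looks like the commit's purpose, but it is a widening of who can see disabled resources and deserves a sentence in the description or a comment above the check. Each function-route closure starts and ends outside its hunk.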


@ -365,11 +365,12 @@ App::post('/v1/storage/buckets/:bucketId/files')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -699,11 +700,12 @@ App::get('/v1/storage/buckets/:bucketId/files')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -781,11 +783,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -856,11 +859,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -1008,11 +1012,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -1154,11 +1159,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -1319,11 +1325,12 @@ App::put('/v1/storage/buckets/:bucketId/files/:fileId')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
@ -1430,11 +1437,12 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}
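Review bot: The same preamble (`$isAPIKey`, `$isPrivilegedUser`, `$isAdminMode`, `$isConsole`, then the `!$isConsole && !$isAPIKey` throw) is now pasted into seven bucket routes in this file alone, and again into the database and function routes elsewhere in this commit; an authorization predicate copied this widely is the kind of code that drifts, as the renamed-but-logically-unchanged condition in the list-documents route already shows. A single helper, e.g. `Auth::canAccessDisabledResource(array $roles, string $mode): bool` returning `($mode === APP_MODE_ADMIN && self::isPrivilegedUser($roles)) || self::isAppUser($roles)`, called from every site, would make the rule reviewable in one place and give it a docblock stating that it deliberately lets API keys bypass the enabled flag. Each bucket-route closure begins and ends outside its hunk.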


@ -232,11 +232,12 @@ App::init()
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || !$bucket->getAttribute('enabled')) {
$isAdminMode = $mode === APP_MODE_ADMIN;
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAdminMode = $mode === APP_MODE_ADMIN;
$isConsole = $isAdminMode && $isPrivilegedUser;
if (!($isAdminMode && ($isAppUser || $isPrivilegedUser))) {
if (!$isConsole && !$isAPIKey) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
}
}