Bad request for create permission on document/file
This commit is contained in:
parent
68cc919aaa
commit
bdc8202422
5 changed files with 31 additions and 8 deletions
|
@ -88,6 +88,11 @@ return [
|
|||
'description' => 'The request cannot be fulfilled with the current protocol. Please check the value of the _APP_OPTIONS_FORCE_HTTPS environment variable.',
|
||||
'code' => 500,
|
||||
],
|
||||
Exception::GENERAL_PERMISSION_INVALID => [
|
||||
'name' => Exception::GENERAL_PERMISSION_INVALID,
|
||||
'description' => 'The provided permissions are invalid for this resource type. Documents and files cannot contain a create permission.',
|
||||
'code' => 400,
|
||||
],
|
||||
|
||||
/** User Errors */
|
||||
Exception::USER_COUNT_EXCEEDED => [
|
||||
|
|
|
@ -1878,8 +1878,12 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
|
|||
fn ($permission) => $permission !== Database::PERMISSION_CREATE
|
||||
),
|
||||
);
|
||||
|
||||
$permissions = PermissionsProcessor::handleAggregates($permissions);
|
||||
|
||||
if (!PermissionsProcessor::allowedForResourceType('document', $permissions)) {
|
||||
throw new Exception('Invalid permission', 400, Exception::GENERAL_PERMISSION_INVALID);
|
||||
}
|
||||
if (!PermissionsProcessor::allowedForUserType($permissions)) {
|
||||
throw new Exception('Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')', 400, Exception::USER_UNAUTHORIZED);
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@ use Appwrite\ClamAV\Network;
|
|||
use Appwrite\Event\Audit;
|
||||
use Appwrite\Event\Delete;
|
||||
use Appwrite\Event\Event;
|
||||
use Appwrite\Permissions\Permissions;
|
||||
use Appwrite\Permissions\PermissionsProcessor;
|
||||
use Appwrite\Utopia\Database\Validator\CustomId;
|
||||
use Appwrite\OpenSSL\OpenSSL;
|
||||
|
@ -357,6 +358,11 @@ App::post('/v1/storage/buckets/:bucketId/files')
|
|||
throw new Exception('Bucket not found', 404, Exception::STORAGE_BUCKET_NOT_FOUND);
|
||||
}
|
||||
|
||||
$validator = new Authorization('create');
|
||||
if (!$validator->isValid($bucket->getCreate())) {
|
||||
throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
$permissions = PermissionsProcessor::addDefaultsIfNeeded(
|
||||
$permissions,
|
||||
$user->getId(),
|
||||
|
@ -365,13 +371,12 @@ App::post('/v1/storage/buckets/:bucketId/files')
|
|||
fn ($permission) => $permission !== Database::PERMISSION_CREATE
|
||||
),
|
||||
);
|
||||
|
||||
$permissions = PermissionsProcessor::handleAggregates($permissions);
|
||||
|
||||
$validator = new Authorization('create');
|
||||
if (!$validator->isValid($bucket->getCreate())) {
|
||||
throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
|
||||
if (!PermissionsProcessor::allowedForResourceType('file', $permissions)) {
|
||||
throw new Exception('Invalid permission', 400, Exception::GENERAL_PERMISSION_INVALID);
|
||||
}
|
||||
|
||||
if (!PermissionsProcessor::allowedForUserType($permissions)) {
|
||||
throw new Exception('Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')', 400, Exception::USER_UNAUTHORIZED);
|
||||
}
|
||||
|
|
|
@ -47,7 +47,8 @@ class Exception extends \Exception
|
|||
public const GENERAL_ROUTE_NOT_FOUND = 'general_route_not_found';
|
||||
public const GENERAL_CURSOR_NOT_FOUND = 'general_cursor_not_found';
|
||||
public const GENERAL_SERVER_ERROR = 'general_server_error';
|
||||
public const GENERAL_PROTOCOL_UNSUPPORTED = 'general_protocol_unsupported';
|
||||
public const GENERAL_PROTOCOL_UNSUPPORTED = 'general_protocol_unsupported';
|
||||
public const GENERAL_PERMISSION_INVALID = 'general_permission_invalid';
|
||||
|
||||
/** Users */
|
||||
public const USER_COUNT_EXCEEDED = 'user_count_exceeded';
|
||||
|
|
|
@ -4,7 +4,6 @@ namespace Appwrite\Permissions;
|
|||
|
||||
use Appwrite\Auth\Auth;
|
||||
use Utopia\Database\Database;
|
||||
use Utopia\Database\Document;
|
||||
use Utopia\Database\Validator\Authorization;
|
||||
|
||||
class PermissionsProcessor
|
||||
|
@ -33,8 +32,8 @@ class PermissionsProcessor
|
|||
}
|
||||
|
||||
public static function addDefaultsIfNeeded(
|
||||
?array $permissions,
|
||||
string $userId,
|
||||
?array $permissions,
|
||||
string $userId,
|
||||
array $allowedPermissions = Database::PERMISSIONS
|
||||
): array
|
||||
{
|
||||
|
@ -76,4 +75,13 @@ class PermissionsProcessor
|
|||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
public static function allowedForResourceType(string $resourceType, array $permissions): bool
|
||||
{
|
||||
return match ($resourceType) {
|
||||
'document',
|
||||
'file' => empty(\preg_grep("#^create\(.+\)$#", $permissions)),
|
||||
default => true
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue