Bad request for create permission on document/file

2024-09-28 23:41:23 +12:00 · 2022-08-14 02:24:28 +12:00 · 2022-08-14 02:24:28 +12:00 · bdc8202422
commit bdc8202422
parent 68cc919aaa
5 changed files with 31 additions and 8 deletions
--- a/app/config/errors.php
+++ b/app/config/errors.php
@ -88,6 +88,11 @@ return [
        'description' => 'The request cannot be fulfilled with the current protocol. Please check the value of the _APP_OPTIONS_FORCE_HTTPS environment variable.',
        'code' => 500,
    ],
+    Exception::GENERAL_PERMISSION_INVALID => [
+        'name' => Exception::GENERAL_PERMISSION_INVALID,
+        'description' => 'The provided permissions are invalid for this resource type. Documents and files cannot contain a create permission.',
+        'code' => 400,
+    ],

    /** User Errors */
    Exception::USER_COUNT_EXCEEDED => [
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@ -1878,8 +1878,12 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
                fn ($permission) => $permission !== Database::PERMISSION_CREATE
            ),
        );
+        
        $permissions = PermissionsProcessor::handleAggregates($permissions);

+        if (!PermissionsProcessor::allowedForResourceType('document', $permissions)) {
+            throw new Exception('Invalid permission', 400, Exception::GENERAL_PERMISSION_INVALID);
+        }
        if (!PermissionsProcessor::allowedForUserType($permissions)) {
            throw new Exception('Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')', 400, Exception::USER_UNAUTHORIZED);
        }
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@ -5,6 +5,7 @@ use Appwrite\ClamAV\Network;
 use Appwrite\Event\Audit;
 use Appwrite\Event\Delete;
 use Appwrite\Event\Event;
+use Appwrite\Permissions\Permissions;
 use Appwrite\Permissions\PermissionsProcessor;
 use Appwrite\Utopia\Database\Validator\CustomId;
 use Appwrite\OpenSSL\OpenSSL;
@ -357,6 +358,11 @@ App::post('/v1/storage/buckets/:bucketId/files')
            throw new Exception('Bucket not found', 404, Exception::STORAGE_BUCKET_NOT_FOUND);
        }

+        $validator = new Authorization('create');
+        if (!$validator->isValid($bucket->getCreate())) {
+            throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+        }
+
        $permissions = PermissionsProcessor::addDefaultsIfNeeded(
            $permissions,
            $user->getId(),
@ -365,13 +371,12 @@ App::post('/v1/storage/buckets/:bucketId/files')
                fn ($permission) => $permission !== Database::PERMISSION_CREATE
            ),
        );
+
        $permissions = PermissionsProcessor::handleAggregates($permissions);

-        $validator = new Authorization('create');
-        if (!$validator->isValid($bucket->getCreate())) {
-            throw new Exception('Unauthorized permissions', 401, Exception::USER_UNAUTHORIZED);
+        if (!PermissionsProcessor::allowedForResourceType('file', $permissions)) {
+            throw new Exception('Invalid permission', 400, Exception::GENERAL_PERMISSION_INVALID);
        }
-
        if (!PermissionsProcessor::allowedForUserType($permissions)) {
            throw new Exception('Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')', 400, Exception::USER_UNAUTHORIZED);
        }
--- a/src/Appwrite/Extend/Exception.php
+++ b/src/Appwrite/Extend/Exception.php
@ -47,7 +47,8 @@ class Exception extends \Exception
    public const GENERAL_ROUTE_NOT_FOUND           = 'general_route_not_found';
    public const GENERAL_CURSOR_NOT_FOUND          = 'general_cursor_not_found';
    public const GENERAL_SERVER_ERROR              = 'general_server_error';
-    public const GENERAL_PROTOCOL_UNSUPPORTED       = 'general_protocol_unsupported';
+    public const GENERAL_PROTOCOL_UNSUPPORTED      = 'general_protocol_unsupported';
+    public const GENERAL_PERMISSION_INVALID        = 'general_permission_invalid';

    /** Users */
    public const USER_COUNT_EXCEEDED               = 'user_count_exceeded';
--- a/src/Appwrite/Permissions/PermissionsProcessor.php
+++ b/src/Appwrite/Permissions/PermissionsProcessor.php
@ -4,7 +4,6 @@ namespace Appwrite\Permissions;

 use Appwrite\Auth\Auth;
 use Utopia\Database\Database;
-use Utopia\Database\Document;
 use Utopia\Database\Validator\Authorization;

 class PermissionsProcessor
@ -33,8 +32,8 @@ class PermissionsProcessor
    }

    public static function addDefaultsIfNeeded(
-        ?array $permissions, 
-        string $userId, 
+        ?array $permissions,
+        string $userId,
        array $allowedPermissions = Database::PERMISSIONS
    ): array
    {
@ -76,4 +75,13 @@ class PermissionsProcessor
        }
        return true;
    }
+
+    public static function allowedForResourceType(string $resourceType, array $permissions): bool
+    {
+        return match ($resourceType) {
+            'document',
+            'file' => empty(\preg_grep("#^create\(.+\)$#", $permissions)),
+            default => true
+        };
+    }
 }