Merge branch 'main' into feat-zoho-oauth

2024-07-02 05:00:33 +12:00 · 2024-01-02 13:17:25 +05:30 · 2024-01-02 13:17:25 +05:30 · c2a76cd560
parent c4ab4ca16a 3236e9eabe
commit c2a76cd560
2 changed files with 23 additions and 8 deletions
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@ -628,7 +628,17 @@ App::post('/v1/storage/buckets/:bucketId/files')
                        ->setAttribute('metadata', $metadata)
                        ->setAttribute('chunksUploaded', $chunksUploaded);

-                    $file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
+                    /**
+                     * Validate create permission and skip authorization in updateDocument
+                     * Without this, the file creation will fail when user doesn't have update permission
+                     * However as with chunk upload even if we are updating, we are essentially creating a file
+                     * adding it's new chunk so we validate create permission instead of update
+                     */
+                    $validator = new Authorization(Database::PERMISSION_CREATE);
+                    if (!$validator->isValid($bucket->getCreate())) {
+                        throw new Exception(Exception::USER_UNAUTHORIZED);
+                    }
+                    $file = Authorization::skip(fn() => $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file));
                }
            } catch (AuthorizationException) {
                throw new Exception(Exception::USER_UNAUTHORIZED);
@ -665,7 +675,17 @@ App::post('/v1/storage/buckets/:bucketId/files')
                        ->setAttribute('chunksUploaded', $chunksUploaded)
                        ->setAttribute('metadata', $metadata);

-                    $file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
+                    /**
+                     * Validate create permission and skip authorization in updateDocument
+                     * Without this, the file creation will fail when user doesn't have update permission
+                     * However as with chunk upload even if we are updating, we are essentially creating a file
+                     * adding it's new chunk so we validate create permission instead of update
+                     */
+                    $validator = new Authorization(Database::PERMISSION_CREATE);
+                    if (!$validator->isValid($bucket->getCreate())) {
+                        throw new Exception(Exception::USER_UNAUTHORIZED);
+                    }
+                    $file = Authorization::skip(fn() => $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file));
                }
            } catch (AuthorizationException) {
                throw new Exception(Exception::USER_UNAUTHORIZED);
--- a/tests/e2e/Services/Storage/StorageBase.php
+++ b/tests/e2e/Services/Storage/StorageBase.php
@ -74,10 +74,7 @@ trait StorageBase
            'name' => 'Test Bucket 2',
            'fileSecurity' => true,
            'permissions' => [
-                Permission::read(Role::any()),
                Permission::create(Role::any()),
-                Permission::update(Role::any()),
-                Permission::delete(Role::any()),
            ],
        ]);
        $this->assertEquals(201, $bucket2['headers']['status-code']);
@ -110,9 +107,7 @@ trait StorageBase
                'fileId' => $fileId,
                'file' => $curlFile,
                'permissions' => [
-                    Permission::read(Role::any()),
-                    Permission::update(Role::any()),
-                    Permission::delete(Role::any()),
+                    Permission::read(Role::any())
                ],
            ]);
            $counter++;