From d23a2e20402b1a2933cc92a1634f359b7cfbc6c9 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Wed, 29 Mar 2023 16:05:53 +1300
Subject: [PATCH] Database side permission check for list document count
---
 app/controllers/api/databases.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index 883847c830..a49db96799 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -2808,9 +2808,19 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 unset($filterQueries[$key]);
 }
 }
- $documents = Authorization::skip(fn () => $dbForProject->find('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $queries));
- $total = Authorization::skip(fn () => $dbForProject->count('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $filterQueries, APP_LIMIT_COUNT));
+
+ $documentSecurity = $collection->getAttribute('documentSecurity', false);
+ $validator = new Authorization(Database::PERMISSION_READ);
+ $valid = $validator->isValid($collection->getRead());
+
+ if (!$valid) {
+ $total = $documentSecurity ? $dbForProject->count('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $filterQueries, APP_LIMIT_COUNT) : 0;
+ } else {
+ $total = Authorization::skip(fn() => $dbForProject->count('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $filterQueries, APP_LIMIT_COUNT));
+ }
 // Add $collectionId and $databaseId for all documents
 $processDocument = function (Document $collection, Document $document) use (&$processDocument, $dbForProject, $database): bool {
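Review bot: The removed `$documents = Authorization::skip(fn () => $dbForProject->find(...))` line has no replacement in this hunk, yet `$documents` is still iterated by the `foreach` in the second hunk; unless the route already assigns `$documents` from a permission-aware `find` above this hunk (outside the visible lines), the listing now trips on an undefined variable, so that assumption is worth confirming against the full route. The count now follows the same permission model as the document fetch, which is what makes dropping `$total--` in the second hunk consistent: when collection-level read fails and `documentSecurity` is on, `count()` runs under the caller's roles so the database filters per document, and when it is off the caller gets 0 rather than a leaked total. The table name `'database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId()` is now built three times; hoisting it once, `$collectionTable = 'database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId();`, keeps the branches visibly identical and harder to drift apart. The new `fn() =>` also drops the space the removed lines used (`fn () =>`). The enclosing route closure starts and ends outside the hunk.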
@@ -2871,7 +2881,6 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 foreach ($documents as $index => $document) {
 if (!$processDocument($collection, $document)) {
 unset($documents[$index]);
- $total--;
 }
 }