Catch AuthorzationExceptions from database to throw 401 instead of 500
parent
a373297a6b
commit
e6e126dff4
2 changed files with 58 additions and 10 deletions
|
@ -2067,7 +2067,11 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($documentSecurity && !$valid) {
|
if ($documentSecurity && !$valid) {
|
||||||
$document = $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId);
|
try {
|
||||||
|
$document = $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$document = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
|
$document = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
|
||||||
}
|
}
|
||||||
|
@ -2081,7 +2085,6 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
|
||||||
*/
|
*/
|
||||||
$document->setAttribute('$collection', $collectionId);
|
$document->setAttribute('$collection', $collectionId);
|
||||||
|
|
||||||
|
|
||||||
$response->dynamic($document, Response::MODEL_DOCUMENT);
|
$response->dynamic($document, Response::MODEL_DOCUMENT);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -2292,6 +2295,8 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
|
||||||
* Reset $collection attribute to remove prefix.
|
* Reset $collection attribute to remove prefix.
|
||||||
*/
|
*/
|
||||||
$document->setAttribute('$collection', $collectionId);
|
$document->setAttribute('$collection', $collectionId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
} catch (DuplicateException) {
|
} catch (DuplicateException) {
|
||||||
throw new Exception(Exception::DOCUMENT_ALREADY_EXISTS);
|
throw new Exception(Exception::DOCUMENT_ALREADY_EXISTS);
|
||||||
} catch (StructureException $exception) {
|
} catch (StructureException $exception) {
|
||||||
|
@ -2363,7 +2368,11 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($documentSecurity && !$valid) {
|
if ($documentSecurity && !$valid) {
|
||||||
$dbForProject->deleteDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId);
|
try {
|
||||||
|
$dbForProject->deleteDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
Authorization::skip(fn() => $dbForProject->deleteDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
|
Authorization::skip(fn() => $dbForProject->deleteDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
|
||||||
}
|
}
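Review bot: The new `catch (AuthorizationException)` around `getDocument()` in the first hunk makes the GET route answer 401 for a document the caller may not read, which differs from the response for a document that does not exist, assuming the not-found check that follows (outside the hunk) still returns a 404. That difference lets a client without read access tell which document IDs exist in a collection; if that is not intended, return the same not-found error from this catch, otherwise record the decision with a comment such as `// 401 is deliberate: document existence is not treated as secret here`. The same applies to the `deleteDocument()` catch in the DELETE hunk. In all three hunks the caught exception is dropped without being logged, so denied attempts leave no audit trail unless the outer error handler records them.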
|
||||||
|
|
|
@ -14,6 +14,7 @@ use Utopia\Database\Database;
|
||||||
use Utopia\Database\Document;
|
use Utopia\Database\Document;
|
||||||
use Utopia\Database\DateTime;
|
use Utopia\Database\DateTime;
|
||||||
use Utopia\Database\Exception\Duplicate;
|
use Utopia\Database\Exception\Duplicate;
|
||||||
|
use Utopia\Database\Exception\Authorization as AuthorizationException;
|
||||||
use Utopia\Database\Exception\Duplicate as DuplicateException;
|
use Utopia\Database\Exception\Duplicate as DuplicateException;
|
||||||
use Utopia\Database\Exception\Structure as StructureException;
|
use Utopia\Database\Exception\Structure as StructureException;
|
||||||
use Utopia\Database\ID;
|
use Utopia\Database\ID;
|
||||||
|
@ -571,6 +572,8 @@ App::post('/v1/storage/buckets/:bucketId/files')
|
||||||
|
|
||||||
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
||||||
}
|
}
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
} catch (StructureException $exception) {
|
} catch (StructureException $exception) {
|
||||||
throw new Exception(Exception::DOCUMENT_INVALID_STRUCTURE, $exception->getMessage());
|
throw new Exception(Exception::DOCUMENT_INVALID_STRUCTURE, $exception->getMessage());
|
||||||
} catch (DuplicateException) {
|
} catch (DuplicateException) {
|
||||||
|
@ -605,6 +608,8 @@ App::post('/v1/storage/buckets/:bucketId/files')
|
||||||
|
|
||||||
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
||||||
}
|
}
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
} catch (StructureException $exception) {
|
} catch (StructureException $exception) {
|
||||||
throw new Exception(Exception::DOCUMENT_INVALID_STRUCTURE, $exception->getMessage());
|
throw new Exception(Exception::DOCUMENT_INVALID_STRUCTURE, $exception->getMessage());
|
||||||
} catch (DuplicateException) {
|
} catch (DuplicateException) {
|
||||||
|
@ -741,7 +746,11 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId')
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($fileSecurity && !$valid) {
|
if ($fileSecurity && !$valid) {
|
||||||
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
try {
|
||||||
|
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
||||||
}
|
}
|
||||||
|
@ -820,7 +829,11 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
|
||||||
$key = \md5($fileId . $width . $height . $gravity . $quality . $borderWidth . $borderColor . $borderRadius . $opacity . $rotation . $background . $output);
|
$key = \md5($fileId . $width . $height . $gravity . $quality . $borderWidth . $borderColor . $borderRadius . $opacity . $rotation . $background . $output);
|
||||||
|
|
||||||
if ($fileSecurity && !$valid) {
|
if ($fileSecurity && !$valid) {
|
||||||
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
try {
|
||||||
|
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
||||||
}
|
}
|
||||||
|
@ -954,7 +967,11 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($fileSecurity && !$valid) {
|
if ($fileSecurity && !$valid) {
|
||||||
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
try {
|
||||||
|
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
||||||
}
|
}
|
||||||
|
@ -1085,7 +1102,11 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($fileSecurity && !$valid) {
|
if ($fileSecurity && !$valid) {
|
||||||
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
try {
|
||||||
|
$file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
$file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
||||||
}
|
}
|
||||||
|
@ -1270,7 +1291,15 @@ App::put('/v1/storage/buckets/:bucketId/files/:fileId')
|
||||||
|
|
||||||
$file->setAttribute('$permissions', $permissions);
|
$file->setAttribute('$permissions', $permissions);
|
||||||
|
|
||||||
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
if ($fileSecurity && !$valid) {
|
||||||
|
try {
|
||||||
|
$file = $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$file = Authorization::skip(fn() => $dbForProject->updateDocument('bucket_' . $bucket->getInternalId(), $fileId, $file));
|
||||||
|
}
|
||||||
|
|
||||||
$events
|
$events
|
||||||
->setParam('bucketId', $bucket->getId())
|
->setParam('bucketId', $bucket->getId())
|
||||||
|
@ -1325,6 +1354,11 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
|
||||||
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
|
throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Make sure we don't delete the file before the document permission check occurs
|
||||||
|
if ($fileSecurity && !$valid && !$validator->isValid($file->getDelete())) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
|
|
||||||
$deviceDeleted = false;
|
$deviceDeleted = false;
|
||||||
if ($file->getAttribute('chunksTotal') !== $file->getAttribute('chunksUploaded')) {
|
if ($file->getAttribute('chunksTotal') !== $file->getAttribute('chunksUploaded')) {
|
||||||
$deviceDeleted = $deviceFiles->abort(
|
$deviceDeleted = $deviceFiles->abort(
|
||||||
|
@ -1341,8 +1375,13 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
|
||||||
->setResource('file/' . $fileId)
|
->setResource('file/' . $fileId)
|
||||||
;
|
;
|
||||||
|
|
||||||
if ($fileSecurity && !$valid) {
|
// Don't need to check valid here because we already ensured validity
|
||||||
$deleted = $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
if ($fileSecurity) {
|
||||||
|
try {
|
||||||
|
$deleted = $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId);
|
||||||
|
} catch (AuthorizationException) {
|
||||||
|
throw new Exception(Exception::USER_UNAUTHORIZED);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$deleted = Authorization::skip(fn() => $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
$deleted = Authorization::skip(fn() => $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId));
|
||||||
}
|
}
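Review bot: In the last hunk of the file DELETE route, widening the branch to `if ($fileSecurity)` sends callers who passed the bucket-level check (`$valid` true) through the authorization-enforced `deleteDocument()`, while the pre-check added in the previous hunk only validates file-level delete permission when `!$valid`. If such a caller lacks delete permission on the file itself, the device deletion that sits between the two hunks has presumably already run by the time `AuthorizationException` is caught, leaving a document whose stored file is gone and a 401 response. Keeping the original condition, `if ($fileSecurity && !$valid) {`, would route the bucket-authorized case through `Authorization::skip` as the other file routes in this commit do; alternatively the pre-check should cover every path that later enforces authorization. The handler body and the definition of `$validator` are outside the hunks, so confirm this against the full route.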
|
||||||
|
|