CodeMirror/budibase
1
0
Fork 0
mirror of synced 2024-06-16 01:14:48 +12:00
Code Issues Projects Releases Wiki Activity

Fix loophole where any user could load all screen and layout definitions via app package call

Browse source
This commit is contained in:
Andrew Kingston 2021-06-30 21:54:48 +01:00
parent a36ddac591
commit 632fb636f2
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
packages/server/src/api/controllers/application.js
View file

@ -164,7 +164,15 @@ exports.fetchAppDefinition = async function (ctx) {
exports.fetchAppPackage = async function (ctx) {
const db = new CouchDB(ctx.params.appId)
const application = await db.get(DocumentTypes.APP_METADATA)
const [layouts, screens] = await Promise.all([getLayouts(db), getScreens(db)])
const layouts = await getLayouts(db)
let screens = await getScreens(db)
// Only filter screens if the user is not a builder
if (!ctx.user.builder?.global) {
const userRoleId = getUserRoleId(ctx)
const accessController = new AccessController(ctx.params.appId)
screens = await accessController.checkScreensAccess(screens, userRoleId)
}
ctx.body = {
application,