From a508a27475f771890c3f6ec1191f7af989f48d88 Mon Sep 17 00:00:00 2001
From: Regev Brody
Date: Sun, 7 Jun 2020 23:58:12 +0300
Subject: [PATCH] fix: validate permissions when listing assets (#1928)
* fix: assets permission issues #1926
---
 server/graph/resolvers/asset.js | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/server/graph/resolvers/asset.js b/server/graph/resolvers/asset.js
index 1e8e6e23..05b3d921 100644
--- a/server/graph/resolvers/asset.js
+++ b/server/graph/resolvers/asset.js
@@ -20,18 +20,27 @@ module.exports = {
 if (args.kind !== 'ALL') {
 cond.kind = args.kind.toLowerCase()
 }
- const result = await WIKI.models.assets.query().where(cond)
- return result.map(a => ({
+ const folderHierarchy = await WIKI.models.assetFolders.getHierarchy(args.folderId)
+ const folderPath = folderHierarchy.map(h => h.slug).join('/')
+ const results = await WIKI.models.assets.query().where(cond)
+ return _.filter(results, r => {
+ const path = folderPath ? `${folderPath}/${r.filename}` : r.filename
+ return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path })
+ }).map(a => ({
 ...a,
 kind: a.kind.toUpperCase()
 }))
 },
 async folders(obj, args, context) {
- const result = await WIKI.models.assetFolders.query().where({
+ const results = await WIKI.models.assetFolders.query().where({
 parentId: args.parentFolderId === 0 ? null : args.parentFolderId
 })
- // TODO: Filter by page rules
- return result
+ const parentHierarchy = await WIKI.models.assetFolders.getHierarchy(args.parentFolderId)
+ const parentPath = parentHierarchy.map(h => h.slug).join('/')
+ return _.filter(results, r => {
+ const path = parentPath ? `${parentPath}/${r.slug}` : r.slug
+ return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path });
+ })
 }
 },
 AssetMutation: {
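Review bot: The new `checkAccess` call in `folders` ends with a semicolon while the matching call in `assets` and every other line of the hunk omit them; drop it so the two resolvers read the same, `return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path })`. The path-building expression `const path = folderPath ? `${folderPath}/${r.filename}` : r.filename` is duplicated in `folders` with `parentPath`/`r.slug`; a single helper such as `const joinPath = (base, name) => base ? `${base}/${name}` : name` would keep the two access checks from drifting apart, since the rule path they compute is now what decides what a user sees. Each filter deserves a short comment, e.g. `// Drop entries the caller has no read:assets rule for; the rule path is the folder slug hierarchy plus the entry name`, because the removed TODO was the only hint that listing is rule-filtered. Whether `getHierarchy` yields an empty array for the root folder id, so that the bare-filename fallback is the intended root path, is not visible in the hunk and should be confirmed.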