From a508a27475f771890c3f6ec1191f7af989f48d88 Mon Sep 17 00:00:00 2001
From: Regev Brody <regevbr@gmail.com>
Date: Sun, 7 Jun 2020 23:58:12 +0300
Subject: [PATCH] fix: validate permissions when listing assets (#1928)

* fix: assets permission issues #1926
---
 server/graph/resolvers/asset.js | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/graph/resolvers/asset.js b/server/graph/resolvers/asset.js
index 1e8e6e23..05b3d921 100644
--- a/server/graph/resolvers/asset.js
+++ b/server/graph/resolvers/asset.js
@@ -20,18 +20,27 @@ module.exports = {
       if (args.kind !== 'ALL') {
         cond.kind = args.kind.toLowerCase()
       }
-      const result = await WIKI.models.assets.query().where(cond)
-      return result.map(a => ({
+      const folderHierarchy = await WIKI.models.assetFolders.getHierarchy(args.folderId)
+      const folderPath = folderHierarchy.map(h => h.slug).join('/')
+      const results = await WIKI.models.assets.query().where(cond)
+      return _.filter(results, r => {
+        const path = folderPath ? `${folderPath}/${r.filename}` : r.filename
+        return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path })
+      }).map(a => ({
         ...a,
         kind: a.kind.toUpperCase()
       }))
     },
     async folders(obj, args, context) {
-      const result = await WIKI.models.assetFolders.query().where({
+      const results = await WIKI.models.assetFolders.query().where({
         parentId: args.parentFolderId === 0 ? null : args.parentFolderId
       })
-      // TODO: Filter by page rules
-      return result
+      const parentHierarchy = await WIKI.models.assetFolders.getHierarchy(args.parentFolderId)
+      const parentPath = parentHierarchy.map(h => h.slug).join('/')
+      return _.filter(results, r => {
+        const path = parentPath ? `${parentPath}/${r.slug}` : r.slug
+        return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path });
+      })
     }
   },
   AssetMutation: {