fix: validate permissions when listing assets (#1928)

* fix: assets permission issues #1926
pull/2012/head
Regev Brody 5 years ago committed by GitHub
parent b2fe025785
commit a508a27475
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -20,18 +20,27 @@ module.exports = {
if (args.kind !== 'ALL') { if (args.kind !== 'ALL') {
cond.kind = args.kind.toLowerCase() cond.kind = args.kind.toLowerCase()
} }
const result = await WIKI.models.assets.query().where(cond) const folderHierarchy = await WIKI.models.assetFolders.getHierarchy(args.folderId)
return result.map(a => ({ const folderPath = folderHierarchy.map(h => h.slug).join('/')
const results = await WIKI.models.assets.query().where(cond)
return _.filter(results, r => {
const path = folderPath ? `${folderPath}/${r.filename}` : r.filename
return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path })
}).map(a => ({
...a, ...a,
kind: a.kind.toUpperCase() kind: a.kind.toUpperCase()
})) }))
}, },
async folders(obj, args, context) { async folders(obj, args, context) {
const result = await WIKI.models.assetFolders.query().where({ const results = await WIKI.models.assetFolders.query().where({
parentId: args.parentFolderId === 0 ? null : args.parentFolderId parentId: args.parentFolderId === 0 ? null : args.parentFolderId
}) })
// TODO: Filter by page rules const parentHierarchy = await WIKI.models.assetFolders.getHierarchy(args.parentFolderId)
return result const parentPath = parentHierarchy.map(h => h.slug).join('/')
return _.filter(results, r => {
const path = parentPath ? `${parentPath}/${r.slug}` : r.slug
return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path });
})
} }
}, },
AssetMutation: { AssetMutation: {

Loading…
Cancel
Save