From c2722c2626624a8376cda614a1c5cc768843c30b Mon Sep 17 00:00:00 2001
From: Lucas Aymon <32235434+lucas-it@users.noreply.github.com>
Date: Mon, 25 Apr 2022 20:13:16 +0200
Subject: [PATCH 1/2] feat: check create folder permissions

---
 server/graph/resolvers/asset.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server/graph/resolvers/asset.js b/server/graph/resolvers/asset.js
index 91efbdda..c289fa3b 100644
--- a/server/graph/resolvers/asset.js
+++ b/server/graph/resolvers/asset.js
@@ -55,6 +55,15 @@ module.exports = {
 parentId: parentFolderId,
 slug: folderSlug
 }).first()
+
+ const hierarchy = parentFolderId ? await WIKI.models.assetFolders.getHierarchy(parentFolderId) : []
+
+ // Check target folder permissions
+ const folderTargetPath = parentFolderId ? hierarchy.map(h => h.slug).join('/') + `/${folderSlug}` : folderSlug
+ if (!WIKI.auth.checkAccess(context.req.user, ['write:assets'], { path: folderTargetPath })) {
+ throw new WIKI.Error.AssetCreateFolderForbidden()
+ }
+
 if (!result) {
 await WIKI.models.assetFolders.query().insert({
 slug: folderSlug,

From 1eeac84189339d21d663a26e3c0c64ce8d74d708 Mon Sep 17 00:00:00 2001
From: Lucas Aymon <32235434+lucas-it@users.noreply.github.com>
Date: Mon, 25 Apr 2022 20:13:57 +0200
Subject: [PATCH 2/2] feat: add error

---
 server/helpers/error.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/helpers/error.js b/server/helpers/error.js
index f9a81779..be2353ab 100644
--- a/server/helpers/error.js
+++ b/server/helpers/error.js
@@ -1,6 +1,10 @@
 const CustomError = require('custom-error-instance')
 
 module.exports = {
+ AssetCreateFolderForbidden: CustomError('AssetCreateFolderForbidden', {
+ message: 'You are not authorized to create this folder.',
+ code: 2010
+ }),
 AssetDeleteForbidden: CustomError('AssetDeleteForbidden', {
 message: 'You are not authorized to delete this asset.',
 code: 2003
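Review bot: The two branches of the ternary on the `folderTargetPath` line can produce differently shaped paths for the same authorization decision: if `getHierarchy` can return an empty array for a `parentFolderId` it does not know (not visible here), the parent branch yields `/${folderSlug}` with a leading slash, a form the no-parent branch never emits, so the rule `checkAccess` matches against would differ between the two cases. Building the path from the array handles both cases uniformly and drops the `+`-concatenated template literal: `const folderTargetPath = [...hierarchy.map(h => h.slug), folderSlug].join('/')`. It is also worth confirming that this slash-joined slug path is the same form the other `checkAccess` calls in this resolver pass as `path`, since the rule matcher compares against it. Note that the `result` existence lookup above the hunk runs before the permission check; moving the check ahead of the query would avoid doing database work for a caller that is then refused. The enclosing resolver begins and ends outside the hunk.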
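Review bot: The new `code: 2010` needs to be checked for uniqueness against the rest of this map, which runs past the hunk; only `2003` is visible here, and a duplicated numeric code would make any client-side matching on `code` ambiguous. The entry is placed alphabetically before `AssetDeleteForbidden`, which keeps the existing ordering of the map.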