From 749171cff3894191514f067b215050a2e515d9ae Mon Sep 17 00:00:00 2001
From: Tom Winter
Date: Wed, 4 Sep 2024 10:41:10 +0200
Subject: [PATCH] fix: correct permission check on attachment uploads
---
 .../document/document.controller.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/restricted-endpoints/document/document.controller.ts b/src/restricted-endpoints/document/document.controller.ts
index 9a2b944..5d5ec86 100644
--- a/src/restricted-endpoints/document/document.controller.ts
+++ b/src/restricted-endpoints/document/document.controller.ts
@@ -102,11 +102,21 @@ export class DocumentController {
 @Query() queryParams?: any,
 ): Promise {
 const userAbility = this.permissionService.getAbilityFor(user);
- const document = await firstValueFrom(
+
+ let documentToReturn: DatabaseDocument = await firstValueFrom(
 this.couchdbService.get(db, docId, queryParams),
 );
- if (userAbility.can('read', document)) {
- return document;
+
+ let documentForPermissionCheck: DatabaseDocument = documentToReturn;
+
+ if (db === 'app-attachments') {
+ documentForPermissionCheck = await firstValueFrom(
+ this.couchdbService.get('app', docId, queryParams),
+ );
+ }
+
+ if (userAbility.can('read', documentForPermissionCheck)) {
+ return documentToReturn;
 } else {
 throw new UnauthorizedException('unauthorized', 'User is not permitted');
 }
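Review bot: The lookup added for `db === 'app-attachments'` forwards the caller's `queryParams` to `couchdbService.get('app', docId, queryParams)`, so request-controlled options (a CouchDB `rev`, for instance) influence which version of the parent document `userAbility.can('read', …)` is evaluated against. The authorization decision should rest on the current parent document only, so I would drop the third argument on that call: `this.couchdbService.get('app', docId),`. The service signature is not visible here, but the handler already passes an optional `queryParams`, so an omitted value looks acceptable. A short comment above the `if` explaining why the `app` document with the same id is the one being authorized would help the next reader. `documentToReturn` is never reassigned and can be `const`. The handler's decorators and the start of its signature lie above the hunk.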