feat: add segment query checking

ForestAdmin · Jun 16, 2021 · 0a72503 · 0a72503
1 parent fcb7c02
commit 0a72503
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/src/services/permissions-checker.js b/src/services/permissions-checker.js
@@ -40,7 +40,20 @@ class PermissionsChecker {
     });
   }
 
-  static async _isCollectionBrowseAllowed(collectionPermissions, permissionInfos) {
+  static async _isCollectionBrowseAllowed(permissions, permissionInfos) {
+    const { collection: collectionPermissions, segments } = permissions;
+
+    // NOTICE: Security - Segment Query check additional permission
+    if (permissionInfos.segmentQuery) {
+      // NOTICE: The segmentQuery should be in the segments
+      if (!segments) {
+        return false;
+      }
+      if (!segments.includes(permissionInfos.segmentQuery)) {
+        return false;
+      }
+    }
+
     return collectionPermissions
       && permissionInfos
       && PermissionsChecker
@@ -52,9 +65,8 @@ class PermissionsChecker {
       case 'actions':
         return PermissionsChecker._isSmartActionAllowed(permissions.actions, permissionInfos);
       case 'browseEnabled':
-        console.log('browseEnabled CHECKING', JSON.stringify(permissions));
         return PermissionsChecker
-          ._isCollectionBrowseAllowed(permissions.collection, permissionInfos);
+          ._isCollectionBrowseAllowed(permissions, permissionInfos);
       case 'liveQueries':
         return PermissionsChecker._isLiveQueryAllowed(permissions.stats.queries, permissionInfos);
       case 'statWithParameters':