Fix issue with permissions to allow a PB creator to view his own non-…

…public record
cubing · Dec 28, 2021 · b18a981 · b18a981
1 parent b27c776
commit b18a981
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/backend/functions/schema.ts b/backend/functions/schema.ts
@@ -1,8 +1,18 @@
 // Query builder (Typescript version >= 4.1.3 required)
-/* const queryResult = executeGiraffeql({
+const queryResult = executeGiraffeql({
   // Start typing here to get hints
-  
-}); */
+  getUser: {
+    id: true,
+    name: true,
+    createdBy: {
+      id: true,
+      name: true,
+    },
+    __args: {
+      id: 9,
+    },
+  },
+});
 
 export function executeGiraffeql<Key extends keyof Root>(
   query: GetQuery<Key>

diff --git a/backend/functions/src/schema/models/personalBest/service.ts b/backend/functions/src/schema/models/personalBest/service.ts
@@ -46,14 +46,18 @@ export class PersonalBestService extends PaginatedService {
   groupByFieldsMap = {};
 
   accessControl: AccessControlMap = {
-    get: async ({ args, fieldPath }) => {
+    get: async ({ req, args, fieldPath }) => {
       // check the createdBy.isPublic to see if true
+      // OR if createdBy is current user
       const result = await this.lookupRecord(
-        ["createdBy.isPublic"],
+        ["createdBy.isPublic", "createdBy.id"],
         args,
         fieldPath
       );
-      return result["createdBy.isPublic"] === true;
+      return (
+        result["createdBy.isPublic"] === true ||
+        result["createdBy.id"] === req.user?.id
+      );
     },
 
     getMultiple: ({ req, args, query }) => {