fix: create permissions
7sete7 committed Apr 15, 2024
1 parent 5433b6a commit b8fe158
Showing 1 changed file with 34 additions and 34 deletions.
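--- a/src/imports/data/data.js
+++ b/src/imports/data/data.js
@@ -815,40 +815,6 @@ export async function create({ authTokenId, document, data, contextUser, upsert,
 return errorReturn(`[${document}] Data must have at least one field`);
 }
 
-tracingSpan?.addEvent('Calculating create permissions');
-const fieldPermissionResult = Object.keys(data).map(fieldName => {
-const accessField = getFieldPermissions(access, fieldName);
-if (accessField.isCreatable !== true) {
-return errorReturn(`[${document}] You don't have permission to create field ${fieldName}`);
-}
-
-const accessFieldConditions = getFieldConditions(access, fieldName);
-if (accessFieldConditions.CREATE != null) {
-const getConditionFilterResult = filterConditionToFn(accessFieldConditions.CREATE, metaObject, { user });
-
-if (getConditionFilterResult.success === false) {
-return getConditionFilterResult;
-}
-
-const isAllowToCreateField = getConditionFilterResult.data(data);
-
-if (isAllowToCreateField === false) {
-return errorReturn(`[${document}] You don't have permission to create field ${fieldName}`);
-}
-}
-
-return successReturn();
-});
-
-if (fieldPermissionResult.some(result => result.success === false)) {
-return errorReturn(
-fieldPermissionResult
-.filter(result => result.success === false)
-.map(result => result.errors)
-.flat(),
-);
-}
-
 if (data._user != null) {
 if (isArray(data._user) === false) {
 return errorReturn(`[${document}] _user must be array`);
@@ -908,6 +874,40 @@ export async function create({ authTokenId, document, data, contextUser, upsert,
 cleanedData._user = validateUserResult.data;
 }
 
+tracingSpan?.addEvent('Calculating create permissions');
+const fieldPermissionResult = Object.keys(cleanedData).map(fieldName => {
+const accessField = getFieldPermissions(access, fieldName);
+if (accessField.isCreatable !== true) {
+return errorReturn(`[${document}] You don't have permission to create field ${fieldName}`);
+}
+
+const accessFieldConditions = getFieldConditions(access, fieldName);
+if (accessFieldConditions.CREATE != null) {
+const getConditionFilterResult = filterConditionToFn(accessFieldConditions.CREATE, metaObject, { user });
+
+if (getConditionFilterResult.success === false) {
+return getConditionFilterResult;
+}
+
+const isAllowToCreateField = getConditionFilterResult.data(cleanedData);
+
+if (isAllowToCreateField === false) {
+return errorReturn(`[${document}] You don't have permission to create field ${fieldName}`);
+}
+}
+
+return successReturn();
+});
+
+if (fieldPermissionResult.some(result => result.success === false)) {
+return errorReturn(
+fieldPermissionResult
+.filter(result => result.success === false)
+.map(result => result.errors)
+.flat(),
+);
+}
+
 const emailsToSend = [];
 
 tracingSpan.addEvent('Validate&ProcessValueFor lookups');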
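Review bot: The relocated permission check in the second hunk iterates `Object.keys(cleanedData)`, so it authorizes only the fields already in `cleanedData` at that point, and the one write to it visible here is `cleanedData._user = validateUserResult.data;`. The 'Validate&ProcessValueFor lookups' step starts right after the check; if that step is what copies the remaining caller-supplied fields from `data` into `cleanedData`, those fields would no longer go through the `isCreatable` and `CREATE`-condition tests before being stored. The body of `create` continues outside the hunk, so this needs confirming against the full function; if it holds, run the check after the last write to `cleanedData`, or keep `isCreatable` enforced over the request keys with `Object.keys({ ...data, ...cleanedData })`. Either way a comment such as `// Must run after cleanedData holds every field that will be persisted` would record the ordering invariant.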
