
fix: validate permissions when listing assets (#1928)

* fix: assets permission issues #1926
Regev Brody 5 年之前
父節點
當前提交
a508a27475
共有 1 個文件被更改,包括 14 次插入5 次删除
  1. 14 5
      server/graph/resolvers/asset.js

+ 14 - 5
server/graph/resolvers/asset.js

@@ -20,18 +20,27 @@ module.exports = {
       if (args.kind !== 'ALL') {
         cond.kind = args.kind.toLowerCase()
       }
-      const result = await WIKI.models.assets.query().where(cond)
-      return result.map(a => ({
+      const folderHierarchy = await WIKI.models.assetFolders.getHierarchy(args.folderId)
+      const folderPath = folderHierarchy.map(h => h.slug).join('/')
+      const results = await WIKI.models.assets.query().where(cond)
+      return _.filter(results, r => {
+        const path = folderPath ? `${folderPath}/${r.filename}` : r.filename
+        return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path })
+      }).map(a => ({
         ...a,
         kind: a.kind.toUpperCase()
       }))
     },
     async folders(obj, args, context) {
-      const result = await WIKI.models.assetFolders.query().where({
+      const results = await WIKI.models.assetFolders.query().where({
         parentId: args.parentFolderId === 0 ? null : args.parentFolderId
       })
-      // TODO: Filter by page rules
-      return result
+      const parentHierarchy = await WIKI.models.assetFolders.getHierarchy(args.parentFolderId)
+      const parentPath = parentHierarchy.map(h => h.slug).join('/')
+      return _.filter(results, r => {
+        const path = parentPath ? `${parentPath}/${r.slug}` : r.slug
+        return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path });
+      })
     }
   },
   AssetMutation: {
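Review bot: The new per-row access checks in both resolvers carry no comment explaining why the path is rebuilt from the folder hierarchy, and the `folders` branch on the line `return WIKI.auth.checkAccess(context.req.user, ['read:assets'], { path });` ends with a semicolon while every other statement in the hunk (and the sibling `list` branch) omits it; drop the `;` for consistency. I would add above the `_.filter` in `list` a comment such as `// Authorize each asset against its full slug path (folder hierarchy + filename) so that path-based page rules apply to asset listings too` and a parallel one in `folders` for `parentPath/slug`. Note that the check is applied after the unrestricted `where(cond)` fetch, so the database query itself is not scoped by permission and every row pays a `checkAccess` call — acceptable for a listing, but worth stating. The `list` resolver's signature and the construction of `cond` lie outside this hunk, so whether `args.folderId` is validated before `getHierarchy` is called cannot be confirmed from here.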