Appwrite/appwrite
1
0
Fork 0
mirror of https://github.com/appwrite/appwrite.git synced 2026-05-26 13:51:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix permissions and accompanying tests

Browse Source
This commit is contained in:
Bradley Schofield
2024-12-03 16:40:03 +09:00
parent fbbf846eb9
commit e2ab6a05ab
2 changed files with 74 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/api/databases.php
+37 -29
View File
@@ -2919,38 +2919,46 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
Database::PERMISSION_DELETE,
];
// Map aggregate permissions to into the set of individual permissions they represent.
$permissions = Permission::aggregate($permissions, $allowedPermissions);
// Add permissions for current the user if none were provided.
if (\is_null($permissions)) {
$permissions = [];
if (!empty($user->getId())) {
foreach ($allowedPermissions as $permission) {
$permissions[] = (new Permission($permission, 'user', $user->getId()))->toString();
}
$setPermissions = function (Document $document, ?array $permissions) use ($user, $allowedPermissions, $isAPIKey, $isPrivilegedUser, $isBulk) {
// Map aggregate permissions to into the set of individual permissions they represent.
if ($isBulk) {
$permissions = $document['$permissions'] ?? null;
}
}
// Users can only manage their own roles, API keys and Admin users can manage any
if (!$isAPIKey && !$isPrivilegedUser) {
foreach (Database::PERMISSIONS as $type) {
foreach ($permissions as $permission) {
$permission = Permission::parse($permission);
if ($permission->getPermission() != $type) {
continue;
}
$role = (new Role(
$permission->getRole(),
$permission->getIdentifier(),
$permission->getDimension()
))->toString();
if (!Authorization::isRole($role)) {
throw new Exception(Exception::USER_UNAUTHORIZED, 'Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')');
$permissions = Permission::aggregate($permissions, $allowedPermissions);
// Add permissions for current the user if none were provided.
if (\is_null($permissions)) {
$permissions = [];
if (!empty($user->getId())) {
foreach ($allowedPermissions as $permission) {
$permissions[] = (new Permission($permission, 'user', $user->getId()))->toString();
}
}
}
}
// Users can only manage their own roles, API keys and Admin users can manage any
if (!$isAPIKey && !$isPrivilegedUser) {
foreach (Database::PERMISSIONS as $type) {
foreach ($permissions as $permission) {
$permission = Permission::parse($permission);
if ($permission->getPermission() != $type) {
continue;
}
$role = (new Role(
$permission->getRole(),
$permission->getIdentifier(),
$permission->getDimension()
))->toString();
if (!Authorization::isRole($role)) {
throw new Exception(Exception::USER_UNAUTHORIZED, 'Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')');
}
}
}
}
$document->setAttribute('$permissions', $permissions);
};
$checkPermissions = function (Document $collection, Document $document, string $permission) use (&$checkPermissions, $dbForProject, $database) {
$documentSecurity = $collection->getAttribute('documentSecurity', false);
@@ -3032,9 +3040,8 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
}
};
$documents = array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId) {
$documents = array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId, $setPermissions) {
$document['$collection'] = $collection->getId();
$document['$permissions'] = $permissions;
if (!$isBulk) {
$document['$id'] = $documentId == 'unique()' ? ID::unique() : $documentId;
@@ -3048,6 +3055,7 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
$document = new Document($document);
$setPermissions($document, $permissions);
$checkPermissions($collection, $document, Database::PERMISSION_CREATE);
return $document;
tests/e2e/Services/Databases/DatabasesCustomClientTest.php
+37 -13
View File
@@ -914,7 +914,7 @@ class DatabasesCustomClientTest extends Scope
]), [
'collectionId' => ID::unique(),
'name' => 'Bulk Create',
'documentSecurity' => true,
'documentSecurity' => false,
'permissions' => [
Permission::read(Role::any()),
Permission::delete(Role::any()),
@@ -1029,22 +1029,34 @@ class DatabasesCustomClientTest extends Scope
[
'$id' => ID::unique(),
'number' => 1,
'$permissions' => [
Permission::create(Role::user('aaaaaa')),
Permission::read(Role::user('aaaaaa')),
Permission::update(Role::user('aaaaaa')),
Permission::delete(Role::user('aaaaaa')),
]
],
[
'$id' => ID::unique(),
'number' => 2,
'$permissions' => [
Permission::create(Role::user('aaaaaa')),
Permission::read(Role::user('aaaaaa')),
Permission::update(Role::user('aaaaaa')),
Permission::delete(Role::user('aaaaaa')),
]
],
[
'$id' => ID::unique(),
'number' => 3,
'$permissions' => [
Permission::create(Role::user('aaaaaa')),
Permission::read(Role::user('aaaaaa')),
Permission::update(Role::user('aaaaaa')),
Permission::delete(Role::user('aaaaaa')),
]
],
],
'permissions' => [
Permission::write(Role::user('aaaaaa')),
Permission::read(Role::user('aaaaaa')),
Permission::update(Role::user('aaaaaa')),
Permission::delete(Role::user('aaaaaa')),
]
]);
$this->assertEquals(401, $response['headers']['status-code']);
@@ -1058,22 +1070,34 @@ class DatabasesCustomClientTest extends Scope
[
'$id' => ID::unique(),
'number' => 1,
'$permissions' => [
Permission::create(Role::user($this->getUser()['$id'])),
Permission::read(Role::user($this->getUser()['$id'])),
Permission::update(Role::user($this->getUser()['$id'])),
Permission::delete(Role::user($this->getUser()['$id'])),
]
],
[
'$id' => ID::unique(),
'number' => 2,
'$permissions' => [
Permission::create(Role::user($this->getUser()['$id'])),
Permission::read(Role::user($this->getUser()['$id'])),
Permission::update(Role::user($this->getUser()['$id'])),
Permission::delete(Role::user($this->getUser()['$id'])),
]
],
[
'$id' => ID::unique(),
'number' => 3,
'$permissions' => [
Permission::create(Role::user($this->getUser()['$id'])),
Permission::read(Role::user($this->getUser()['$id'])),
Permission::update(Role::user($this->getUser()['$id'])),
Permission::delete(Role::user($this->getUser()['$id'])),
]
],
],
'permissions' => [
Permission::write(Role::user($this->getUser()['$id'])),
Permission::read(Role::user($this->getUser()['$id'])),
Permission::update(Role::user($this->getUser()['$id'])),
Permission::delete(Role::user($this->getUser()['$id'])),
]
]);
$this->assertEquals(201, $response['headers']['status-code']);