diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php index fb55aca844..3378d011c9 100644 --- a/app/controllers/api/databases.php +++ b/app/controllers/api/databases.php @@ -4257,10 +4257,11 @@ App::put('/v1/databases/:databaseId/collections/:collectionId/documents/:documen ->param('permissions', null, new Permissions(APP_LIMIT_ARRAY_PARAMS_SIZE, [Database::PERMISSION_READ, Database::PERMISSION_UPDATE, Database::PERMISSION_DELETE, Database::PERMISSION_WRITE]), 'An array of permissions strings. By default, the current permissions are inherited. [Learn more about permissions](https://appwrite.io/docs/permissions).', true) ->inject('requestTimestamp') ->inject('response') + ->inject('user') ->inject('dbForProject') ->inject('queueForEvents') ->inject('queueForStatsUsage') - ->action(function (string $databaseId, string $collectionId, string $documentId, string|array $data, ?array $permissions, ?\DateTime $requestTimestamp, Response $response, Database $dbForProject, Event $queueForEvents, StatsUsage $queueForStatsUsage) { + ->action(function (string $databaseId, string $collectionId, string $documentId, string|array $data, ?array $permissions, ?\DateTime $requestTimestamp, Response $response, Document $user, Database $dbForProject, Event $queueForEvents, StatsUsage $queueForStatsUsage) { $data = (\is_string($data)) ? \json_decode($data, true) : $data; // Cast to JSON array if (empty($data) && \is_null($permissions)) { @@ -4280,12 +4281,28 @@ App::put('/v1/databases/:databaseId/collections/:collectionId/documents/:documen throw new Exception(Exception::COLLECTION_NOT_FOUND); } - // Map aggregate permissions into the multiple permissions they represent. - $permissions = Permission::aggregate($permissions, [ + $allowedPermissions = [ Database::PERMISSION_READ, Database::PERMISSION_UPDATE, Database::PERMISSION_DELETE, - ]); + ]; + + $permissions = Permission::aggregate($permissions, $allowedPermissions); + // if no permission, upsert permission from the old document if present (update scenario) else add default permission (create scenario) + if (\is_null($permissions)) { + $oldDocument = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getSequence() . '_collection_' . $collection->getSequence(), $documentId)); + if ($oldDocument->isEmpty()) { + if (!empty($user->getId())) { + $defaultPermissions = []; + foreach ($allowedPermissions as $permission) { + $defaultPermissions[] = (new Permission($permission, 'user', $user->getId()))->toString(); + } + $permissions = $defaultPermissions; + } + } else { + $permissions = $oldDocument->getPermissions(); + } + } // Users can only manage their own roles, API keys and Admin users can manage any $roles = Authorization::getRoles(); diff --git a/tests/e2e/Services/Databases/DatabasesBase.php b/tests/e2e/Services/Databases/DatabasesBase.php index 0b19a8966f..be982ac145 100644 --- a/tests/e2e/Services/Databases/DatabasesBase.php +++ b/tests/e2e/Services/Databases/DatabasesBase.php @@ -1997,35 +1997,159 @@ trait DatabasesBase ]); $this->assertEquals(2, $documents['body']['total']); - // test without passing permissions - $document = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], - ], $this->getHeaders()), [ - 'data' => [ - 'title' => 'Thor: Ragnarok', - 'releaseYear' => 2000 - ] - ]); + if ($this->getSide() === 'client') { + // Skipped on server side: Creating a document with no permissions results in an empty permissions array, whereas on client side it assigns permissions to the current user - $this->assertEquals(200, $document['headers']['status-code']); - $this->assertEquals('Thor: Ragnarok', $document['body']['title']); + // test without passing permissions + $document = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'data' => [ + 'title' => 'Thor: Ragnarok', + 'releaseYear' => 2000 + ] + ]); - $document = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], - 'x-appwrite-key' => $this->getProject()['apiKey'] - ])); + $this->assertEquals(200, $document['headers']['status-code']); + $this->assertEquals('Thor: Ragnarok', $document['body']['title']); + $this->assertCount(3, $document['body']['$permissions']); + $permissionsCreated = $document['body']['$permissions']; + // checking the default created permission + $defaultPermission = [ + Permission::read(Role::user($this->getUser()['$id'])), + Permission::update(Role::user($this->getUser()['$id'])), + Permission::delete(Role::user($this->getUser()['$id'])) + ]; + // ignoring the order of the permission and checking the permissions + $this->assertEqualsCanonicalizing($defaultPermission, $permissionsCreated); - $this->assertEquals(200, $document['headers']['status-code']); + $document = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'] + ], $this->getHeaders())); - $deleteResponse = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], - 'x-appwrite-key' => $this->getProject()['apiKey'] - ])); + $this->assertEquals(200, $document['headers']['status-code']); - $this->assertEquals(204, $deleteResponse['headers']['status-code']); + // updating the created doc + $document = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'data' => [ + 'title' => 'Thor: Ragnarok', + 'releaseYear' => 2002 + ] + ]); + $this->assertEquals(200, $document['headers']['status-code']); + $this->assertEquals('Thor: Ragnarok', $document['body']['title']); + $this->assertEquals(2002, $document['body']['releaseYear']); + $this->assertCount(3, $document['body']['$permissions']); + $this->assertEquals($permissionsCreated, $document['body']['$permissions']); + + // removing the delete permission + $document = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'data' => [ + 'title' => 'Thor: Ragnarok', + 'releaseYear' => 2002 + ], + 'permissions' => [ + Permission::update(Role::user($this->getUser()['$id'])) + ] + ]); + $this->assertEquals(200, $document['headers']['status-code']); + $this->assertEquals('Thor: Ragnarok', $document['body']['title']); + $this->assertEquals(2002, $document['body']['releaseYear']); + $this->assertCount(1, $document['body']['$permissions']); + + $deleteResponse = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'] + ], $this->getHeaders())); + + $this->assertEquals(401, $deleteResponse['headers']['status-code']); + + // giving the delete permission + $document = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'data' => [ + 'title' => 'Thor: Ragnarok', + 'releaseYear' => 2002 + ], + 'permissions' => [ + Permission::update(Role::user($this->getUser()['$id'])), + Permission::delete(Role::user($this->getUser()['$id'])) + ] + ]); + $this->assertEquals(200, $document['headers']['status-code']); + $this->assertEquals('Thor: Ragnarok', $document['body']['title']); + $this->assertEquals(2002, $document['body']['releaseYear']); + $this->assertCount(2, $document['body']['$permissions']); + + $deleteResponse = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents/' . $documentId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'] + ], $this->getHeaders())); + + $this->assertEquals(204, $deleteResponse['headers']['status-code']); + + // upsertion for the related document without passing permissions + // data should get added + $newPersonId = ID::unique(); + $personNoPerm = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $person['body']['$id'] . '/documents/' . $newPersonId, array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'data' => [ + 'library' => [ + '$id' => 'library3', + 'libraryName' => 'Library 3', + ], + ], + ]); + + $this->assertEquals('Library 3', $personNoPerm['body']['library']['libraryName']); + $this->assertCount(3, $personNoPerm['body']['library']['$permissions']); + $this->assertCount(3, $personNoPerm['body']['$permissions']); + $documents = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $person['body']['$id'] . '/documents', array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders()), [ + 'queries' => [ + Query::select(['fullName', 'library.*'])->toString() + ], + ]); + $this->assertGreaterThanOrEqual(1, $documents['body']['total']); + $documentsDetails = $documents['body']['documents']; + foreach ($documentsDetails as $doc) { + $this->assertCount(3, $doc['$permissions']); + } + $found = false; + foreach ($documents['body']['documents'] as $doc) { + if (isset($doc['library']['libraryName']) && $doc['library']['libraryName'] === 'Library 3') { + $found = true; + break; + } + } + $this->assertTrue($found, 'Library 3 should be present in the upserted documents.'); + + // Fetch the related library and assert on its permissions (should be default/inherited) + $library3 = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $library['body']['$id'] . '/documents/library3', array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders())); + + $this->assertEquals(200, $library3['headers']['status-code']); + $this->assertEquals('Library 3', $library3['body']['libraryName']); + $this->assertArrayHasKey('$permissions', $library3['body']); + $this->assertCount(3, $library3['body']['$permissions']); + $this->assertNotEmpty($library3['body']['$permissions']); + } } /**