Merge pull request #6329 from artoscinote/ma_SCI_9353

Fix checking asset blob permissions [SCI-9353]
2024-09-20 14:45:56 +08:00 · 2023-10-02 16:38:10 +02:00 · 2023-10-02 16:38:10 +02:00 · 2606e042ff
parent 20be895938 f620a99577
commit 2606e042ff
1 changed files with 2 additions and 2 deletions
--- a/app/controllers/concerns/active_storage/check_blob_permissions.rb
+++ b/app/controllers/concerns/active_storage/check_blob_permissions.rb
@ -17,6 +17,8 @@ module ActiveStorage
    end

    def check_attachment_read_permissions(attachment)
+      current_user.permission_team = attachment.record.team || current_team if attachment.record.respond_to?(:team)
+
      case attachment.record_type
      when 'Asset'
        check_asset_read_permissions(attachment.record)
@ -58,8 +60,6 @@ module ActiveStorage
    def check_tinymce_asset_read_permissions(asset)
      return render_403 unless asset

-      current_user.permission_team = asset.team || current_team
-
      return true if asset.object.nil? && can_read_team?(asset.team)

      case asset.object_type