Fix permission checks for nested storage locations [SCI-10865]

2024-11-15 05:34:53 +08:00 · 2024-09-24 12:32:34 +02:00 · 2024-09-24 12:32:34 +02:00 · 7ca35a9c33
commit 7ca35a9c33
parent a9287105e2
3 changed files with 18 additions and 11 deletions
--- a/app/controllers/storage_location_repository_rows_controller.rb
+++ b/app/controllers/storage_location_repository_rows_controller.rb
@ -102,10 +102,10 @@ class StorageLocationRepositoryRowsController < ApplicationController
  end

  def load_storage_location
-    @storage_location = StorageLocation.viewable_by_user(current_user).find(
+    @storage_location = StorageLocation.find(
      storage_location_repository_row_params[:storage_location_id]
    )
-    render_404 unless @storage_location
+    render_404 unless can_read_storage_location?(@storage_location)
  end

  def load_repository_row
--- a/app/controllers/storage_locations_controller.rb
+++ b/app/controllers/storage_locations_controller.rb
@ -9,13 +9,12 @@ class StorageLocationsController < ApplicationController
  before_action :set_breadcrumbs_items, only: %i(index show)

  def index
+    @parent_location = StorageLocation.find(storage_location_params[:parent_id]) if storage_location_params[:parent_id]
+
+    render_403 if @parent_location && !can_read_storage_location?(@parent_location)
+
    respond_to do |format|
-      format.html do
-        if storage_location_params[:parent_id]
-          @parent_location = StorageLocation.viewable_by_user(current_user)
-                                            .find_by(id: storage_location_params[:parent_id])
-        end
-      end
+      format.html
      format.json do
        storage_locations = Lists::StorageLocationsService.new(current_user, current_team, params).call
        render json: storage_locations, each_serializer: Lists::StorageLocationSerializer,
@ -183,8 +182,8 @@ class StorageLocationsController < ApplicationController
  end

  def load_storage_location
-    @storage_location = StorageLocation.viewable_by_user(current_user).find_by(id: storage_location_params[:id])
-    render_404 unless @storage_location
+    @storage_location = StorageLocation.find(storage_location_params[:id])
+    render_404 unless can_read_storage_location?(@storage_location)
  end

  def check_read_permissions
--- a/app/services/lists/storage_locations_service.rb
+++ b/app/services/lists/storage_locations_service.rb
@ -2,6 +2,8 @@

 module Lists
  class StorageLocationsService < BaseService
+    include Canaid::Helpers::PermissionsHelper
+
    def initialize(user, team, params)
      @user = user
      @team = team
@ -11,11 +13,15 @@ module Lists
    end

    def fetch_records
+      if @parent_id && !can_read_storage_location?(@user, StorageLocation.find(@parent_id))
+        @records = StorageLocation.none
+        return
+      end
+
      @records =
        StorageLocation.joins('LEFT JOIN storage_locations AS sub_locations ' \
                              'ON storage_locations.id = sub_locations.parent_id')
                       .left_joins(:team, :created_by)
-                       .viewable_by_user(@user, @team)
                       .select(shared_sql_select)
                       .select(
                         'storage_locations.*,
@ -24,6 +30,8 @@ module Lists
                        CASE WHEN storage_locations.container THEN -1 ELSE COUNT(sub_locations.id) END AS sub_location_count'
                       )
                       .group(:id)
+
+      @records = @records.viewable_by_user(@user, @team) unless @parent_id
    end

    def filter_records