Fix permission checks for nested storage locations [SCI-10865]

This commit is contained in:
Martin Artnik 2024-09-24 12:32:34 +02:00
parent a9287105e2
commit 7ca35a9c33
3 changed files with 18 additions and 11 deletions


@ -102,10 +102,10 @@ class StorageLocationRepositoryRowsController < ApplicationController
end end
def load_storage_location def load_storage_location
@storage_location = StorageLocation.viewable_by_user(current_user).find( @storage_location = StorageLocation.find(
storage_location_repository_row_params[:storage_location_id] storage_location_repository_row_params[:storage_location_id]
) )
render_404 unless @storage_location render_404 unless can_read_storage_location?(@storage_location)
end end
def load_repository_row def load_repository_row
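Review bot: The `viewable_by_user` scope is dropped from `load_storage_location`, so the whole authorization decision now rests on `can_read_storage_location?`, and nothing in the hunk says why the scope no longer suffices; a later reader may take the change for an accidental loosening. A one-line comment above the guard would prevent that, e.g. `# Not scoped by viewable_by_user on purpose: nested locations are authorized via can_read_storage_location?, which (presumably) resolves read access through the root location — see SCI-10865`, with the "presumably" dropped once the helper's behaviour is confirmed. Note that `StorageLocation.find` raises ActiveRecord::RecordNotFound for an unknown id while an unreadable id goes through `render_404`; both paths must end in a 404 for the existence of other teams' locations not to be observable, which holds only if RecordNotFound is mapped to 404 elsewhere.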


@ -9,13 +9,12 @@ class StorageLocationsController < ApplicationController
before_action :set_breadcrumbs_items, only: %i(index show) before_action :set_breadcrumbs_items, only: %i(index show)
def index def index
@parent_location = StorageLocation.find(storage_location_params[:parent_id]) if storage_location_params[:parent_id]
render_403 if @parent_location && !can_read_storage_location?(@parent_location)
respond_to do |format| respond_to do |format|
format.html do format.html
if storage_location_params[:parent_id]
@parent_location = StorageLocation.viewable_by_user(current_user)
.find_by(id: storage_location_params[:parent_id])
end
end
format.json do format.json do
storage_locations = Lists::StorageLocationsService.new(current_user, current_team, params).call storage_locations = Lists::StorageLocationsService.new(current_user, current_team, params).call
render json: storage_locations, each_serializer: Lists::StorageLocationSerializer, render json: storage_locations, each_serializer: Lists::StorageLocationSerializer,
@ -183,8 +182,8 @@ class StorageLocationsController < ApplicationController
end end
def load_storage_location def load_storage_location
@storage_location = StorageLocation.viewable_by_user(current_user).find_by(id: storage_location_params[:id]) @storage_location = StorageLocation.find(storage_location_params[:id])
render_404 unless @storage_location render_404 unless can_read_storage_location?(@storage_location)
end end
def check_read_permissions def check_read_permissions
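Review bot: In `index` the guard `render_403 if @parent_location && !can_read_storage_location?(@parent_location)` does not stop the action: execution continues into `respond_to`, and the JSON branch calls `render` again, which raises AbstractController::DoubleRenderError unless `render_403` itself raises or returns early (its definition is outside the hunk). The line should read `return render_403 if @parent_location && !can_read_storage_location?(@parent_location)`; and since `load_storage_location` in the second hunk answers the same failed check with `render_404`, using `return render_404 if ...` here keeps the two responses consistent and avoids confirming to a user from another team that the parent id exists (a 403 for an existing-but-hidden id versus a 404 for an unknown one). Note also that `StorageLocation.find` replaces the previous `find_by(id:)`, so an unknown `parent_id` now raises ActiveRecord::RecordNotFound instead of leaving `@parent_location` nil; that is fine only if RecordNotFound is rescued to a 404 elsewhere.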


@ -2,6 +2,8 @@
module Lists module Lists
class StorageLocationsService < BaseService class StorageLocationsService < BaseService
include Canaid::Helpers::PermissionsHelper
def initialize(user, team, params) def initialize(user, team, params)
@user = user @user = user
@team = team @team = team
@ -11,11 +13,15 @@ module Lists
end end
def fetch_records def fetch_records
if @parent_id && !can_read_storage_location?(@user, StorageLocation.find(@parent_id))
@records = StorageLocation.none
return
end
@records = @records =
StorageLocation.joins('LEFT JOIN storage_locations AS sub_locations ' \ StorageLocation.joins('LEFT JOIN storage_locations AS sub_locations ' \
'ON storage_locations.id = sub_locations.parent_id') 'ON storage_locations.id = sub_locations.parent_id')
.left_joins(:team, :created_by) .left_joins(:team, :created_by)
.viewable_by_user(@user, @team)
.select(shared_sql_select) .select(shared_sql_select)
.select( .select(
'storage_locations.*, 'storage_locations.*,
@ -24,6 +30,8 @@ module Lists
CASE WHEN storage_locations.container THEN -1 ELSE COUNT(sub_locations.id) END AS sub_location_count' CASE WHEN storage_locations.container THEN -1 ELSE COUNT(sub_locations.id) END AS sub_location_count'
) )
.group(:id) .group(:id)
@records = @records.viewable_by_user(@user, @team) unless @parent_id
end end
def filter_records def filter_records
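Review bot: In `fetch_records` (second hunk of this file) `StorageLocation.find(@parent_id)` raises ActiveRecord::RecordNotFound inside a list service when the parent id is unknown, while every other outcome of the guard is a value (`StorageLocation.none`); a missing parent should be handled like an unreadable one: `parent = StorageLocation.find_by(id: @parent_id) if @parent_id` / `if @parent_id && !(parent && can_read_storage_location?(@user, parent))`. The larger point is the authorization model this hunk and the third hunk (`viewable_by_user` applied only `unless @parent_id`) introduce: once the parent passes the check the relation is no longer scoped by `viewable_by_user` at all, so correctness depends on `filter_records` (outside the hunk) restricting the relation to that parent's children and on a child never being less visible than its parent. That invariant deserves a comment at the guard, e.g. `# Children are not re-scoped: read access is inherited from the parent, so checking @parent_id is sufficient — filter_records must restrict the relation to its children`, hedged if the model does not guarantee the inheritance. The parent is also re-fetched here although `index` already loaded it; passing it in would avoid the duplicate query, though the defence-in-depth check itself is worth keeping.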