fix(backend): Check for public set. Fixes #6538

2024-04-10 17:54:08 +02:00 · 2024-04-10 17:54:08 +02:00 · 3b78abf42f
commit 3b78abf42f
parent 9a1f1a92fc
1 changed files with 16 additions and 6 deletions
--- a/sites/backend/src/models/set.mjs
+++ b/sites/backend/src/models/set.mjs
@ -90,15 +90,25 @@ SetModel.prototype.guardedCreate = async function ({ body, user }) {
 */
 SetModel.prototype.guardedRead = async function ({ params, user }) {
  /*
-   * Enforce RBAC
-   */
-  if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
-
-  /*
-   * Attempt to read the record from the database
+   * If the set is public, we do not need to enforce RBAC
+   * So let's load it first
   */
  await this.read({ id: parseInt(params.id) })

+  /*
+   * If it's public, return early
+   */
+  if (this.record?.public)
+    return this.setResponse(200, false, {
+      result: 'success',
+      set: this.asSet(),
+    })
+
+  /*
+   * If it's not public, enforce RBAC
+   */
+  if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
+
  /*
   * If it does not exist, send a 404
   */