From 3b78abf42fedb0a08d13f8f3360de7df291eb06a Mon Sep 17 00:00:00 2001
From: Joost De Cock
Date: Wed, 10 Apr 2024 17:54:08 +0200
Subject: [PATCH] fix(backend): Check for public set. Fixes #6538
---
 sites/backend/src/models/set.mjs | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/sites/backend/src/models/set.mjs b/sites/backend/src/models/set.mjs
index 4a75662ed2d..923f377493f 100644
--- a/sites/backend/src/models/set.mjs
+++ b/sites/backend/src/models/set.mjs
@@ -90,15 +90,25 @@ SetModel.prototype.guardedCreate = async function ({ body, user }) {
 */
 SetModel.prototype.guardedRead = async function ({ params, user }) {
 /*
- * Enforce RBAC
- */
- if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
-
- /*
- * Attempt to read the record from the database
+ * If the set is public, we do not need to enforce RBAC
+ * So let's load it first
 */
 await this.read({ id: parseInt(params.id) })

+ /*
+ * If it's public, return early
+ */
+ if (this.record?.public)
+ return this.setResponse(200, false, {
+ result: 'success',
+ set: this.asSet(),
+ })
+
+ /*
+ * If it's not public, enforce RBAC
+ */
+ if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
+
 /*
 * If it does not exist, send a 404
 */
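Review bot: The early return on `this.record?.public` serves the full `this.asSet()` payload to callers that never passed `this.rbac.readSome(user)`, so it is worth confirming that `asSet()` (not visible in this hunk) exposes no owner-only fields before it is returned on this unguarded path. Because that truthiness test is now the entire access decision for public reads, a strict comparison is safer against a non-boolean value in the record: `if (this.record?.public === true)`. The database read also moved ahead of the RBAC check, so `parseInt(params.id)` now handles input from callers with no access level; `Number.parseInt(params.id, 10)` with a `Number.isInteger` guard before `this.read` would keep `NaN` out of the lookup. guardedRead's body continues past the end of the hunk, so any later checks there are presumably skipped for public sets and should be reviewed with that in mind.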