fix(backend): Check for public set. Fixes #6538
This commit is contained in:
Joost De Cock
parent
9a1f1a92fc
commit
3b78abf42f
1 changed files with 16 additions and 6 deletions
|
|
@ -90,15 +90,25 @@ SetModel.prototype.guardedCreate = async function ({ body, user }) {
|
||||||
*/
|
*/
|
||||||
SetModel.prototype.guardedRead = async function ({ params, user }) {
|
SetModel.prototype.guardedRead = async function ({ params, user }) {
|
||||||
/*
|
/*
|
||||||
* Enforce RBAC
|
* If the set is public, we do not need to enforce RBAC
|
||||||
*/
|
* So let's load it first
|
||||||
if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Attempt to read the record from the database
|
|
||||||
*/
|
*/
|
||||||
await this.read({ id: parseInt(params.id) })
|
await this.read({ id: parseInt(params.id) })
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If it's public, return early
|
||||||
|
*/
|
||||||
|
if (this.record?.public)
|
||||||
|
return this.setResponse(200, false, {
|
||||||
|
result: 'success',
|
||||||
|
set: this.asSet(),
|
||||||
|
})
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If it's not public, enforce RBAC
|
||||||
|
*/
|
||||||
|
if (!this.rbac.readSome(user)) return this.setResponse(403, 'insufficientAccessLevel')
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If it does not exist, send a 404
|
* If it does not exist, send a 404
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue