Check permissions before aggregating fields

This commit is contained in:
rijkvanzanten
2021-05-25 14:30:33 -04:00
parent ce9296162c
commit 51bc0a8c9f


@@ -98,6 +98,16 @@ export class AuthorizationService {
const allowedFields = permissions.fields || [];
if (ast.query.aggregate && allowedFields.includes('*') === false) {
for (const [_operation, aliasMap] of Object.entries(ast.query.aggregate)) {
if (!aliasMap) continue;
for (const [column, _alias] of Object.entries(aliasMap)) {
if (allowedFields.includes(column) === false) throw new ForbiddenException();
}
}
}
for (const childNode of ast.children) {
if (childNode.type !== 'field') {
validateFields(childNode);
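Review bot: The two new loops destructure pairs only to discard one half (`_operation`, `_alias`), which reads as if those values mattered; `for (const aliasMap of Object.values(ast.query.aggregate))` and `for (const column of Object.keys(aliasMap))` say the same thing without the throwaway bindings. Separately, the check treats every aliasMap key as a plain field name, so an aggregate whose key is `*` (a count-all, if the query layer produces one) is rejected for any role without wildcard field access — that may be the intended reading of `permissions.fields`, but it is worth a one-line comment stating so, since the branch otherwise looks like an accidental denial. The enclosing method (and the `validateFields` helper it calls) starts outside this hunk, so whether relational or dotted aggregate keys reach this loop cannot be confirmed from here.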