From 51bc0a8c9f8da76b757348f01e7014a3543f646c Mon Sep 17 00:00:00 2001
From: rijkvanzanten <rijkvanzanten@me.com>
Date: Tue, 25 May 2021 14:30:33 -0400
Subject: [PATCH] Check permissions before aggregating fields

---
 api/src/services/authorization.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/api/src/services/authorization.ts b/api/src/services/authorization.ts
index e1fb861d08..0bdd55960b 100644
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -98,6 +98,16 @@ export class AuthorizationService {
 
 				const allowedFields = permissions.fields || [];
 
+				if (ast.query.aggregate && allowedFields.includes('*') === false) {
+					for (const [_operation, aliasMap] of Object.entries(ast.query.aggregate)) {
+						if (!aliasMap) continue;
+
+						for (const [column, _alias] of Object.entries(aliasMap)) {
+							if (allowedFields.includes(column) === false) throw new ForbiddenException();
+						}
+					}
+				}
+
 				for (const childNode of ast.children) {
 					if (childNode.type !== 'field') {
 						validateFields(childNode);