Check original field name when aliased (#16234)

* Check original field name when aliased * Rename to aliasMap * Extract original field name * Refactor for legibility Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com> * Fix linting Co-authored-by: rijkvanzanten <rijkvanzanten@me.com>
2026-04-25 03:00:53 -04:00 · 2022-11-14 22:40:15 +08:00
parent 282d5ae54e
commit 6cf77668d1
1 changed files with 10 additions and 3 deletions
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -212,7 +212,7 @@ export class AuthorizationService {

 			if (ast.type === 'root') {
 				// Validate all required permissions once at the root level
-				checkFieldPermissions(ast.name, schema, action, requiredFieldPermissions);
+				checkFieldPermissions(ast.name, schema, action, requiredFieldPermissions, ast.query.alias);
 			}

 			return requiredFieldPermissions;
@@ -359,7 +359,8 @@ export class AuthorizationService {
 				rootCollection: string,
 				schema: SchemaOverview,
 				action: PermissionsAction,
-				requiredPermissions: Record<string, Set<string>>
+				requiredPermissions: Record<string, Set<string>>,
+				aliasMap?: Record<string, string> | null
 			) {
 				if (accountability?.admin === true) return;

@@ -396,7 +397,13 @@ export class AuthorizationService {
 					for (const field of requiredPermissions[collection]) {
 						if (field.startsWith('$FOLLOW')) continue;
 						const fieldName = stripFunction(field);
-						if (!allowedFields.includes(fieldName)) {
+						let originalFieldName = fieldName;
+
+						if (collection === rootCollection && aliasMap?.[fieldName]) {
+							originalFieldName = aliasMap[fieldName];
+						}
+
+						if (!allowedFields.includes(originalFieldName)) {
 							throw new ForbiddenException();
 						}
 					}