Throw forbidden error on /fields (#4366)

Fixes #4349
This commit is contained in:
Rijk van Zanten
2021-03-03 17:04:39 -05:00
committed by GitHub
parent a5cb9f6b6a
commit 7ab359eacf
2 changed files with 18 additions and 6 deletions


@@ -158,6 +158,7 @@ export class CollectionsService {
const collectionItemsService = new ItemsService('directus_collections', {
knex: this.knex,
schema: this.schema,
accountability: this.accountability,
});
let tablesInDatabase = await schemaInspector.tableInfo();
@@ -172,10 +173,6 @@ export class CollectionsService {
tablesInDatabase = tablesInDatabase.filter((table) => {
return collectionsYouHavePermissionToRead.includes(table.name);
});
if (tablesInDatabase.length === 0) {
throw new ForbiddenException();
}
}
const tablesToFetchInfoFor = tablesInDatabase.map((table) => table.name);
@@ -204,7 +201,7 @@ export class CollectionsService {
/**
* @NOTE
* We only suppport updating the content in directus_collections
* We only support updating the content in directus_collections
*/
update(data: Partial<Collection>, keys: string[]): Promise<string[]>;
update(data: Partial<Collection>, key: string): Promise<string>;
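Review bot: With the `tablesInDatabase.length === 0` check removed from the second hunk of this file, a non-admin role whose permissions match no table now gets an empty result from the collections read path instead of a ForbiddenException, and neither the commit description nor the surrounding code records that this is the intended contract; a one-line comment above the `filter` call, `// A role with no readable collections gets an empty list, not a 403 (the /fields endpoint handles its own forbidden case)`, would keep the next reader from re-adding the throw. The enclosing method starts before the hunk and continues after it, so whether an empty `tablesToFetchInfoFor` is handled downstream cannot be confirmed from here.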


@@ -1,7 +1,7 @@
import { ALIAS_TYPES } from '../constants';
import database, { schemaInspector } from '../database';
import { Field } from '../types/field';
import { Accountability, AbstractServiceOptions, FieldMeta, Relation, SchemaOverview } from '../types';
import { Accountability, AbstractServiceOptions, FieldMeta, SchemaOverview } from '../types';
import { ItemsService } from '../services/items';
import { ColumnBuilder } from 'knex';
import getLocalType from '../utils/get-local-type';
@@ -36,8 +36,19 @@ export class FieldsService {
this.schema = options.schema;
}
private get hasReadAccess() {
return !!this.schema.permissions.find((permission) => {
return permission.collection === 'directus_fields' && permission.action === 'read';
});
}
async readAll(collection?: string): Promise<Field[]> {
let fields: FieldMeta[];
if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
throw new ForbiddenException();
}
const nonAuthorizedItemsService = new ItemsService('directus_fields', {
knex: this.knex,
schema: this.schema,
@@ -147,6 +158,10 @@ export class FieldsService {
async readOne(collection: string, field: string) {
if (this.accountability && this.accountability.admin !== true) {
if (this.hasReadAccess === false) {
throw new ForbiddenException();
}
const permissions = this.schema.permissions.find((permission) => {
return permission.action === 'read' && permission.collection === collection;
});
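Review bot: The new `hasReadAccess` getter in the second hunk treats any row in `this.schema.permissions` with `collection === 'directus_fields'` and `action === 'read'` as a grant without comparing it against `this.accountability.role`, so the check is only sound if `schema.permissions` is already scoped to the requesting role; that assumption is not visible in this file and should be stated on the getter, e.g. `// Relies on this.schema.permissions being pre-filtered to the current accountability's role`. The `!!…find(...)` form reads more directly as `return this.schema.permissions.some((permission) => permission.collection === 'directus_fields' && permission.action === 'read');`. Note also that the guard added to `readAll` is skipped entirely when `this.accountability` is unset, which presumably serves internal callers and is worth a comment as well. The body of `readAll` continues past the hunk, so any per-collection filtering it applies afterwards cannot be seen here.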