github/directus
1
0
Fork 0
mirror of https://github.com/directus/directus.git synced 2026-01-28 07:48:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

Check if is UUID before check permissions (#10837)

Browse Source 
On checking permissions it reads the value from database, so we need to verify if is UUID before this process
This commit is contained in:
José Varela
2022-01-04 15:04:04 +00:00
committed by GitHub
parent 4c1ac51e8b
commit cc076494ff
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/src/services/assets.ts
View File

@@ -44,10 +44,6 @@ export class AssetsService {
const systemPublicKeys = Object.values(publicSettings || {});
if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
await this.authorizationService.checkAccess('read', 'directus_files', id);
}
/**
* This is a little annoying. Postgres will error out if you're trying to search in `where`
* with a wrong type. In case of directus_files where id is a uuid, we'll have to verify the
@@ -57,6 +53,10 @@ export class AssetsService {
if (isValidUUID === false) throw new ForbiddenException();
if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
await this.authorizationService.checkAccess('read', 'directus_files', id);
}
const file = (await this.knex.select('*').from('directus_files').where({ id }).first()) as File;
if (!file) throw new ForbiddenException();