From d8cf2bb234abdde2f0bb0063960cb7509cb9b653 Mon Sep 17 00:00:00 2001
From: ian
Date: Thu, 14 Apr 2022 02:37:17 +0800
Subject: [PATCH] Split filter key to get m2a nested collection name (#12739)

* Split filter key to get m2a nested collection name
* Add the collection field to the required permissions
* Adding required permissions to relational table
* Tidy up code
---
 api/src/services/authorization.ts | 55 +++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/api/src/services/authorization.ts b/api/src/services/authorization.ts
index 9c30f369b8..69ce31fbae 100644
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -228,6 +228,41 @@ export class AuthorizationService {
 }
 // Filter value is not a filter, so we should skip it
 return result;
+ }
+ // m2a filter in the form of `item:collection`
+ else if (filterKey.includes(':')) {
+ const [field, collectionScope] = filterKey.split(':');
+
+ if (collection) {
+ // Add the `item` field to the required permissions
+ (result[collection] || (result[collection] = new Set())).add(field);
+
+ // Add the `collection` field to the required permissions
+ result[collection].add('collection');
+ } else {
+ const relation = schema.relations.find((relation) => {
+ return (
+ (relation.collection === parentCollection && relation.field === parentField) ||
+ (relation.related_collection === parentCollection && relation.meta?.one_field === parentField)
+ );
+ });
+
+ // Filter key not found in parent collection
+ if (!relation) throw new ForbiddenException();
+
+ const relatedCollectionName =
+ relation.related_collection === parentCollection ? relation.collection : relation.related_collection!;
+
+ // Add the `item` field to the required permissions
+ (result[relatedCollectionName] || (result[relatedCollectionName] = new Set())).add(field);
+
+ // Add the `collection` field to the required permissions
+ result[relatedCollectionName].add('collection');
+ }
+
+ // Continue to parse the filter for nested `collection` afresh
+ const requiredPermissions = extractRequiredFieldPermissions(collectionScope, filterValue);
+ result = mergeRequiredFieldPermissions(result, requiredPermissions);
 } else {
 if (collection) {
 (result[collection] || (result[collection] = new Set())).add(filterKey);
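Review bot: `collectionScope`, taken straight from the user-supplied filter key at `const [field, collectionScope] = filterKey.split(':')`, is handed to `extractRequiredFieldPermissions` as a collection name with no check that it is a real collection or one the m2a field may point to; a key such as `item:` or `item:a:b` yields an empty or truncated scope and the extra segments are silently dropped. Reject malformed keys and unknown collections before the split result is used, e.g. `const parts = filterKey.split(':'); if (parts.length !== 2 || !parts[1] || !schema.collections[parts[1]]) throw new ForbiddenException();`, and where the relation is resolved ideally also compare the scope against the relation's allowed-collections metadata. The `schema.relations.find(...)` callback in the new else branch is a verbatim copy of the one in the plain-key branch of the next hunk; a small `findRelation(parentCollection, parentField)` helper would keep the two in step. If the `typeof filterValue === 'object'` block that follows this if/else chain recurses into filterValue unconditionally, the m2a branch walks the nested filter twice, the second time with the pre-m2a parentCollection — I cannot see that block's body, so this is worth confirming. The enclosing function starts and ends outside this hunk.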
@@ -239,20 +274,12 @@ export class AuthorizationService {
 );
 });
 
- if (relation) {
- if (relation.related_collection === parentCollection) {
- (result[relation.collection] || (result[relation.collection] = new Set())).add(filterKey);
- parentCollection = relation.collection;
- } else {
- (result[relation.related_collection!] || (result[relation.related_collection!] = new Set())).add(
- filterKey
- );
- parentCollection = relation.related_collection!;
- }
- } else {
- // Filter key not found in parent collection
- throw new ForbiddenException();
- }
+ // Filter key not found in parent collection
+ if (!relation) throw new ForbiddenException();
+
+ parentCollection =
+ relation.related_collection === parentCollection ? relation.collection : relation.related_collection!;
+ (result[parentCollection] || (result[parentCollection] = new Set())).add(filterKey);
 }
 
 if (typeof filterValue === 'object') {
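Review bot: The `relation.related_collection!` non-null assertion in `parentCollection = relation.related_collection === parentCollection ? relation.collection : relation.related_collection!;` is carried over from the removed code, and when the first `find` alternative matched (`relation.collection === parentCollection`) nothing guarantees `related_collection` is set; a null there becomes the string key `'null'` in `result` and a null `parentCollection` for the nested walk instead of a ForbiddenException. Since m2a relations are exactly what this commit adds handling for, and those look like they would not carry a single related collection, a bare `item` key on such a field would hit this path; guard it with `const next = relation.related_collection === parentCollection ? relation.collection : relation.related_collection; if (!next) throw new ForbiddenException(); parentCollection = next;`. The enclosing function starts and ends outside this hunk.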