Split filter key to get m2a nested collection name (#12739)

* Split filter key to get m2a nested collection name * Add the collection field to the required permissions * Adding required permissions to relational table * Tidy up code
2026-01-25 04:08:00 -05:00 · 2022-04-14 02:37:17 +08:00
parent 8f40973168
commit d8cf2bb234
1 changed files with 41 additions and 14 deletions
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -228,6 +228,41 @@ export class AuthorizationService {
 							}
 							// Filter value is not a filter, so we should skip it
 							return result;
+						}
+						// m2a filter in the form of `item:collection`
+						else if (filterKey.includes(':')) {
+							const [field, collectionScope] = filterKey.split(':');
+
+							if (collection) {
+								// Add the `item` field to the required permissions
+								(result[collection] || (result[collection] = new Set())).add(field);
+
+								// Add the `collection` field to the required permissions
+								result[collection].add('collection');
+							} else {
+								const relation = schema.relations.find((relation) => {
+									return (
+										(relation.collection === parentCollection && relation.field === parentField) ||
+										(relation.related_collection === parentCollection && relation.meta?.one_field === parentField)
+									);
+								});
+
+								// Filter key not found in parent collection
+								if (!relation) throw new ForbiddenException();
+
+								const relatedCollectionName =
+									relation.related_collection === parentCollection ? relation.collection : relation.related_collection!;
+
+								// Add the `item` field to the required permissions
+								(result[relatedCollectionName] || (result[relatedCollectionName] = new Set())).add(field);
+
+								// Add the `collection` field to the required permissions
+								result[relatedCollectionName].add('collection');
+							}
+
+							// Continue to parse the filter for nested `collection` afresh
+							const requiredPermissions = extractRequiredFieldPermissions(collectionScope, filterValue);
+							result = mergeRequiredFieldPermissions(result, requiredPermissions);
 						} else {
 							if (collection) {
 								(result[collection] || (result[collection] = new Set())).add(filterKey);
@@ -239,20 +274,12 @@ export class AuthorizationService {
 									);
 								});

-								if (relation) {
-									if (relation.related_collection === parentCollection) {
-										(result[relation.collection] || (result[relation.collection] = new Set())).add(filterKey);
-										parentCollection = relation.collection;
-									} else {
-										(result[relation.related_collection!] || (result[relation.related_collection!] = new Set())).add(
-											filterKey
-										);
-										parentCollection = relation.related_collection!;
-									}
-								} else {
-									// Filter key not found in parent collection
-									throw new ForbiddenException();
-								}
+								// Filter key not found in parent collection
+								if (!relation) throw new ForbiddenException();
+
+								parentCollection =
+									relation.related_collection === parentCollection ? relation.collection : relation.related_collection!;
+								(result[parentCollection] || (result[parentCollection] = new Set())).add(filterKey);
 							}

 							if (typeof filterValue === 'object') {