Fix archive button permissions check

Fixes #900
2026-01-23 04:58:00 -05:00 · 2020-11-06 14:57:44 -05:00
parent ee5211ce02
commit dd803a915b
4 changed files with 26 additions and 8 deletions
--- a/app/src/composables/use-permissions.ts
+++ b/app/src/composables/use-permissions.ts
@@ -26,9 +26,14 @@ export function usePermissions(collection: Ref<string>, item: Ref<any>, isNew: R
 	const archiveAllowed = computed(() => {
 		if (!collectionInfo.value?.meta?.archive_field) return false;

-		return isAllowed(collection.value, 'update', {
-			[collectionInfo.value.meta.archive_field]: collectionInfo.value.meta.archive_value,
-		});
+		return isAllowed(
+			collection.value,
+			'update',
+			{
+				[collectionInfo.value.meta.archive_field]: collectionInfo.value.meta.archive_value,
+			},
+			true
+		);
 	});

 	const fields = computed(() => {
--- a/app/src/modules/collections/routes/item.vue
+++ b/app/src/modules/collections/routes/item.vue
@@ -213,7 +213,6 @@ import useShortcut from '@/composables/use-shortcut';
 import { NavigationGuard } from 'vue-router';
 import { useUserStore, usePermissionsStore } from '@/stores';
 import generateJoi from '@/utils/generate-joi';
-import { isAllowed } from '@/utils/is-allowed';
 import { cloneDeep } from 'lodash';
 import { Field } from '@/types';
 import { usePermissions } from '@/composables/use-permissions';
@@ -223,7 +222,7 @@ type Values = {
 };

 export default defineComponent({
-	name: 'collections-detail',
+	name: 'collections-item',
 	components: {
 		CollectionsNavigation,
 		CollectionsNotFound,
--- a/app/src/modules/users/routes/item.vue
+++ b/app/src/modules/users/routes/item.vue
@@ -177,7 +177,6 @@ import { Field } from '@/types';
 import UserInfoSidebarDetail from '../components/user-info-sidebar-detail.vue';
 import { getRootPath } from '@/utils/get-root-path';
 import useShortcut from '@/composables/use-shortcut';
-import { isAllowed } from '@/utils/is-allowed';
 import useCollection from '@/composables/use-collection';
 import { userName } from '@/utils/user-name';
 import { usePermissions } from '@/composables/use-permissions';
--- a/app/src/utils/is-allowed.ts
+++ b/app/src/utils/is-allowed.ts
@@ -2,7 +2,12 @@ import { usePermissionsStore, useUserStore } from '@/stores';
 import { Permission } from '@/types';
 import generateJoi from '@/utils/generate-joi';

-export function isAllowed(collection: string, action: Permission['action'], value: Record<string, any> | null) {
+export function isAllowed(
+	collection: string,
+	action: Permission['action'],
+	value: Record<string, any> | null,
+	strict = false
+) {
 	const permissionsStore = usePermissionsStore();
 	const userStore = useUserStore();

@@ -15,8 +20,18 @@ export function isAllowed(collection: string, action: Permission['action'], valu
 	);

 	if (!permissionInfo) return false;
+	if (!permissionInfo.fields) return false;

-	const schema = generateJoi(permissionInfo.permissions, { allowUnknown: true });
+	if (strict && permissionInfo.fields.includes('*') === false && value) {
+		const allowedFields = permissionInfo.fields;
+		const attemptedFields = Object.keys(value);
+
+		if (attemptedFields.every((field) => allowedFields.includes(field)) === false) return false;
+	}
+
+	const schema = generateJoi(['create', 'update'] ? permissionInfo.validation : permissionInfo.permissions, {
+		allowUnknown: true,
+	});
 	const { error } = schema.validate(value);

 	if (!error) {