diff --git a/domain/category/store.go b/domain/category/store.go
index 7164b32c..a8d77998 100644
--- a/domain/category/store.go
+++ b/domain/category/store.go
@@ -262,8 +262,6 @@ func (s Store) GetSpaceCategorySummary(ctx domain.RequestContext, spaceID string
 // GetDocumentCategoryMembership returns all space categories associated with given document.
 func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, documentID string) (c []category.Category, err error) {
- c = []category.Category{}
-
 err = s.Runtime.Db.Select(&c, s.Bind(`
 SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_name AS name, c_created AS created, c_revised AS revised
 FROM dmz_category
@@ -272,6 +270,7 @@ func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, document
 if err == sql.ErrNoRows {
 err = nil
+ c = []category.Category{}
 }
 if err != nil {
 err = errors.Wrap(err, fmt.Sprintf("unable to execute select categories for document %s", documentID))
@@ -280,7 +279,8 @@ func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, document
 return
 }
-// GetSpaceCategoryMembership returns category/document associations within space.
+// GetSpaceCategoryMembership returns category/document associations within space,
+// for specified user.
 func (s Store) GetSpaceCategoryMembership(ctx domain.RequestContext, spaceID string) (c []category.Member, err error) {
 err = s.Runtime.Db.Select(&c, s.Bind(`
 SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_categoryid AS categoryid, c_docid AS documentid, c_created AS created, c_revised AS revised
diff --git a/domain/document/endpoint.go b/domain/document/endpoint.go
index 26de7ab7..a17cb993 100644
--- a/domain/document/endpoint.go
+++ b/domain/document/endpoint.go
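Review bot: Moving `c = []category.Category{}` out of the function prologue and into the `err == sql.ErrNoRows` branch (second hunk, `@@ -272`) changes what a document with no categories returns: if `Runtime.Db` is a sqlx handle, `Select` into a slice reports an empty result as a nil error with `c` left nil rather than as `sql.ErrNoRows`, so the relocated assignment never runs and `c` now serializes as `null` where the removed line guaranteed `[]`. The same pattern is added for `r` in `GetUserCategoryPermissions` in domain/permission/store.go. A guard placed after the query keeps the old contract whatever the driver does: `if c == nil { c = []category.Category{} }`, and the `ErrNoRows` branch can stay for a driver that does report it. The function body continues past the hunk.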
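Review bot: The new doc comment on `GetSpaceCategoryMembership` says the associations are returned "for specified user", but the signature in the same hunk takes only `spaceID` and the visible SELECT has no user column. If the WHERE clause past the hunk does filter on `ctx.UserID`, the comment should say so explicitly, e.g. `// GetSpaceCategoryMembership returns category/document associations within space, restricted to categories the calling user (ctx.UserID) may view.`; otherwise the clause should be dropped so readers do not assume a per-user authorization filter that the function does not apply. The query continues outside the hunk, so this cannot be settled from the diff alone.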
@@ -33,6 +33,7 @@ import (
 "github.com/documize/community/model/activity"
 "github.com/documize/community/model/attachment"
 "github.com/documize/community/model/audit"
+ "github.com/documize/community/model/category"
 "github.com/documize/community/model/doc"
 "github.com/documize/community/model/link"
 "github.com/documize/community/model/page"
@@ -556,7 +557,6 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
 return
 }
- // document
 document, err := h.Store.Document.Get(ctx, id)
 if err == sql.ErrNoRows {
 response.WriteNotFoundError(w, method, id)
@@ -573,7 +573,7 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
 return
 }
- // Don't serve archived document
+ // Don't serve archived document.
 if document.Lifecycle == workflow.LifecycleArchived {
 response.WriteForbiddenError(w)
 return
@@ -585,6 +585,37 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
 return
 }
+ // If document has been assigned one or more categories,
+ // we check to see if user can view this document.
+ cat, err := h.Store.Category.GetDocumentCategoryMembership(ctx, document.RefID)
+ if err != nil && err != sql.ErrNoRows {
+ response.WriteServerError(w, method, err)
+ h.Runtime.Log.Error(method, err)
+ return
+ }
+ perm, err := h.Store.Permission.GetUserCategoryPermissions(ctx, ctx.UserID)
+ if err != nil && err != sql.ErrNoRows {
+ response.WriteServerError(w, method, err)
+ h.Runtime.Log.Error(method, err)
+ return
+ }
+ see := []category.Category{}
+ for _, c := range cat {
+ for _, p := range perm {
+ if p.RefID == c.RefID {
+ see = append(see, c)
+ break
+ }
+ }
+ }
+
+ // User cannot view document if document has categories assigned
+ // but user cannot see any of them.
+ if len(cat) > 0 && len(see) == 0 {
+ response.WriteForbiddenError(w)
+ return
+ }
+
 // permissions
 perms, err := h.Store.Permission.GetUserSpacePermissions(ctx, document.SpaceID)
 if err != nil && err != sql.ErrNoRows {
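Review bot: In the `@@ -585` hunk the `see` slice is built only so that `len(see) == 0` can be tested, and the nested `for` over `cat` × `perm` re-scans `perm` for every category; a set of permitted category ids plus a boolean states the rule directly and makes the deny condition read exactly as the comment above it describes. The two `&& err != sql.ErrNoRows` clauses on the new store calls cannot be true given the store hunks in this same commit, which reset `ErrNoRows` to nil and wrap every other error; they mirror the existing `perms` check below, so keeping them is a consistency choice rather than a defect. The match is on `p.RefID == c.RefID` alone, so the gate relies on `GetUserCategoryPermissions` already restricting rows to view permissions on categories — worth confirming and recording in the comment above the loop, since a broader permission set would widen access here. `FetchDocumentData` starts and ends outside the hunk.
```go
	cat, err := h.Store.Category.GetDocumentCategoryMembership(ctx, document.RefID)
	// … unchanged: error handling, GetUserCategoryPermissions call and its error handling …

	// Category ids the user holds a permission on, keyed for a single lookup per category.
	visible := make(map[string]struct{}, len(perm))
	for _, p := range perm {
		visible[p.RefID] = struct{}{}
	}
	canSee := false
	for _, c := range cat {
		if _, ok := visible[c.RefID]; ok {
			canSee = true
			break
		}
	}

	// User cannot view document if document has categories assigned
	// but user cannot see any of them.
	if len(cat) > 0 && !canSee {
		response.WriteForbiddenError(w)
		return
	}
```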
diff --git a/domain/permission/store.go b/domain/permission/store.go
index e828ffad..eaa210f8 100644
--- a/domain/permission/store.go
+++ b/domain/permission/store.go
@@ -205,6 +205,7 @@ func (s Store) GetUserCategoryPermissions(ctx domain.RequestContext, userID stri
 if err == sql.ErrNoRows {
 err = nil
+ r = []permission.Permission{}
 }
 if err != nil {
 err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))