
Ensure doc protected from non-category viewers

Closes #310
This commit is contained in:
HarveyKandola 2019-08-27 15:24:59 +01:00
parent 29d7307537
commit 3b76e10ee0
3 changed files with 37 additions and 5 deletions


@ -33,6 +33,7 @@ import (
"github.com/documize/community/model/activity"
"github.com/documize/community/model/attachment"
"github.com/documize/community/model/audit"
"github.com/documize/community/model/category"
"github.com/documize/community/model/doc"
"github.com/documize/community/model/link"
"github.com/documize/community/model/page"
@ -556,7 +557,6 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return
}
// document
document, err := h.Store.Document.Get(ctx, id)
if err == sql.ErrNoRows {
response.WriteNotFoundError(w, method, id)
@ -573,7 +573,7 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return
}
// Don't serve archived document
// Don't serve archived document.
if document.Lifecycle == workflow.LifecycleArchived {
response.WriteForbiddenError(w)
return
@ -585,6 +585,37 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return
}
// If document has been assigned one or more categories,
// we check to see if user can view this document.
cat, err := h.Store.Category.GetDocumentCategoryMembership(ctx, document.RefID)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
perm, err := h.Store.Permission.GetUserCategoryPermissions(ctx, ctx.UserID)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
see := []category.Category{}
for _, c := range cat {
for _, p := range perm {
if p.RefID == c.RefID {
see = append(see, c)
break
}
}
}
// User cannot view document if document has categories assigned
// but user cannot see any of them.
if len(cat) > 0 && len(see) == 0 {
response.WriteForbiddenError(w)
return
}
// permissions
perms, err := h.Store.Permission.GetUserSpacePermissions(ctx, document.SpaceID)
if err != nil && err != sql.ErrNoRows {