secure category list when viewing document

2025-07-24 07:39:43 +02:00 · 2017-10-04 14:42:07 -04:00 · 2017-10-04 14:42:07 -04:00 · ab7a515b9d
commit ab7a515b9d
parent 1d2109aa44
3 changed files with 41 additions and 2 deletions
--- a/domain/category/endpoint.go
+++ b/domain/category/endpoint.go
@ -378,7 +378,7 @@ func (h *Handler) SetDocumentCategoryMembership(w http.ResponseWriter, r *http.R
 	response.WriteEmpty(w)
 }

-// GetDocumentCategoryMembership returns categories associated with given document.
+// GetDocumentCategoryMembership returns user viewable categories associated with a given document.
 func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.Request) {
 	method := "category.GetDocumentCategoryMembership"
 	ctx := domain.GetRequestContext(r)
@ -412,7 +412,24 @@ func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.R
 		cat = []category.Category{}
 	}

-	response.WriteJSON(w, cat)
+	perm, err := h.Store.Permission.GetUserCategoryPermissions(ctx, ctx.UserID)
+	if err != nil {
+		h.Runtime.Log.Error("get user category permissions", err)
+		response.WriteServerError(w, method, err)
+		return
+	}
+
+	see := []category.Category{}
+	for _, c := range cat {
+		for _, p := range perm {
+			if p.RefID == c.RefID {
+				see = append(see, c)
+				break
+			}
+		}
+	}
+
+	response.WriteJSON(w, see)
 }

 // GetSpaceCategoryMembers returns category/document associations within space.
--- a/domain/permission/mysql/store.go
+++ b/domain/permission/mysql/store.go
@ -191,3 +191,24 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us

 	return
 }
+
+// GetUserCategoryPermissions returns category permissions for given user.
+func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='category' AND who='user' AND (whoid=? OR whoid='0')
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='category'  AND p.who='role'`,
+		ctx.OrgID, userID, ctx.OrgID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))
+	}
+
+	return
+}
--- a/domain/storer.go
+++ b/domain/storer.go
@ -93,6 +93,7 @@ type PermissionStorer interface {
 	DeleteSpaceCategoryPermissions(ctx RequestContext, spaceID string) (rows int64, err error)
 	GetCategoryPermissions(ctx RequestContext, catID string) (r []permission.Permission, err error)
 	GetCategoryUsers(ctx RequestContext, catID string) (u []user.User, err error)
+	GetUserCategoryPermissions(ctx RequestContext, userID string) (r []permission.Permission, err error)
 }

 // UserStorer defines required methods for user management