secure category list when viewing document

2025-07-24 07:39:43 +02:00 · 2017-10-04 14:42:07 -04:00 · 2017-10-04 14:42:07 -04:00 · ab7a515b9d
commit ab7a515b9d
parent 1d2109aa44
3 changed files with 41 additions and 2 deletions
--- a/domain/permission/mysql/store.go
+++ b/domain/permission/mysql/store.go
@ -191,3 +191,24 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us

 	return
 }
+
+// GetUserCategoryPermissions returns category permissions for given user.
+func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='category' AND who='user' AND (whoid=? OR whoid='0')
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='category'  AND p.who='role'`,
+		ctx.OrgID, userID, ctx.OrgID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))
+	}
+
+	return
+}