From 0e8d9137edfdcffebf73f84672c1d58ccd3a10a5 Mon Sep 17 00:00:00 2001
From: jtubau <jtubau@verdnatura.es>
Date: Fri, 10 Jan 2025 13:48:03 +0100
Subject: [PATCH] feat: refs #8304 add privilege check for WorkerDms filter
 method

---
 modules/worker/back/methods/worker-dms/filter.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/worker/back/methods/worker-dms/filter.js b/modules/worker/back/methods/worker-dms/filter.js
index 240a905d2..a6e5d67e7 100644
--- a/modules/worker/back/methods/worker-dms/filter.js
+++ b/modules/worker/back/methods/worker-dms/filter.js
@@ -1,5 +1,6 @@
 const ParameterizedSQL = require('loopback-connector').ParameterizedSQL;
 const {mergeFilters, mergeWhere} = require('vn-loopback/util/filter');
+const UserError = require('vn-loopback/util/user-error');
 
 module.exports = Self => {
     Self.remoteMethodCtx('filter', {
@@ -33,7 +34,10 @@ module.exports = Self => {
         const conn = Self.dataSource.connector;
         const userId = ctx.req.accessToken.userId;
         const models = Self.app.models;
+        const hasPrivs = await models.ACL.checkAccessAcl(ctx, 'WorkerDms', 'hasHighPrivs', '*');
 
+        if (!hasPrivs && userId !== id)
+            throw new UserError('You don\'t have enough privileges');
         // Get ids alloweds
         const account = await models.VnUser.findById(userId);