feat: refs #8304 add privilege check for WorkerDms filter method

Jose Antonio Tubau 2025-01-10 13:48:03 +01:00
parent a167e7fada
commit 0e8d9137ed
1 changed files with 4 additions and 0 deletions


@ -1,5 +1,6 @@
const ParameterizedSQL = require('loopback-connector').ParameterizedSQL; const ParameterizedSQL = require('loopback-connector').ParameterizedSQL;
const {mergeFilters, mergeWhere} = require('vn-loopback/util/filter'); const {mergeFilters, mergeWhere} = require('vn-loopback/util/filter');
const UserError = require('vn-loopback/util/user-error');
module.exports = Self => { module.exports = Self => {
Self.remoteMethodCtx('filter', { Self.remoteMethodCtx('filter', {
@ -33,7 +34,10 @@ module.exports = Self => {
const conn = Self.dataSource.connector; const conn = Self.dataSource.connector;
const userId = ctx.req.accessToken.userId; const userId = ctx.req.accessToken.userId;
const models = Self.app.models; const models = Self.app.models;
const hasPrivs = await models.ACL.checkAccessAcl(ctx, 'WorkerDms', 'hasHighPrivs', '*');
if (!hasPrivs && userId !== id)
throw new UserError('You don\'t have enough privileges');
// Get ids alloweds // Get ids alloweds
const account = await models.VnUser.findById(userId); const account = await models.VnUser.findById(userId);
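Review bot: The new guard `if (!hasPrivs && userId !== id)` compares the token's `userId` with the `id` argument using strict inequality, and the declared type of `id` is outside this hunk; if `id` is not coerced to the same type as `accessToken.userId`, a user without `hasHighPrivs` would be refused their own documents. The check fails closed, so this is a correctness concern rather than an exposure, but it is worth confirming the remote-method argument type or normalising both sides, e.g. (assuming numeric ids) `if (!hasPrivs && Number(userId) !== Number(id))`. The commit touches one file only, so no spec appears to cover the three cases (own id, another id without the ACL, another id with the ACL); adding them would pin this authorization rule against regressions. A short comment above the check would also help, such as `// Only holders of hasHighPrivs may list another worker's DMS; everyone else is limited to their own id`. The body of the filter method starts and ends outside the hunk.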