feat: refs #8304 add privilege check for WorkerDms filter method

2025-01-10 13:48:03 +01:00 · 2025-01-10 13:48:03 +01:00 · 0e8d9137ed
parent a167e7fada
commit 0e8d9137ed
1 changed files with 4 additions and 0 deletions
--- a/modules/worker/back/methods/worker-dms/filter.js
+++ b/modules/worker/back/methods/worker-dms/filter.js
@ -1,5 +1,6 @@
 const ParameterizedSQL = require('loopback-connector').ParameterizedSQL;
 const {mergeFilters, mergeWhere} = require('vn-loopback/util/filter');
+const UserError = require('vn-loopback/util/user-error');

 module.exports = Self => {
    Self.remoteMethodCtx('filter', {
@ -33,7 +34,10 @@ module.exports = Self => {
        const conn = Self.dataSource.connector;
        const userId = ctx.req.accessToken.userId;
        const models = Self.app.models;
+        const hasPrivs = await models.ACL.checkAccessAcl(ctx, 'WorkerDms', 'hasHighPrivs', '*');

+        if (!hasPrivs && userId !== id)
+            throw new UserError('You don\'t have enough privileges');
        // Get ids alloweds
        const account = await models.VnUser.findById(userId);