
Commit 7853c93

committed
Enforce that users cannot add permission roles they do not have
1 parent 252720d commit 7853c93


1 file changed

+25
-0
lines changed


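--- a/app/controllers/api/database.php
+++ b/app/controllers/api/database.php
@@ -26,6 +26,7 @@
 use Utopia\Database\Exception\Duplicate as DuplicateException;
 use Utopia\Database\Exception\Limit as LimitException;
 use Utopia\Database\Exception\Structure as StructureException;
+use Appwrite\Auth\Auth;
 use Appwrite\Database\Validator\CustomId;
 use Appwrite\Network\Validator\Email;
 use Appwrite\Network\Validator\IP;
@@ -1575,6 +1576,18 @@ function createAttribute($collectionId, $attribute, $response, $dbForInternal, $
 $data['$read'] = (is_null($read) && !$user->isEmpty()) ? ['user:'.$user->getId()] : $read ?? []; // By default set read permissions for user
 $data['$write'] = (is_null($write) && !$user->isEmpty()) ? ['user:'.$user->getId()] : $write ?? []; // By default set write permissions for user
 
+// Users can only add their roles to documents, API keys can add any
+foreach ($data['$read'] as $read) {
+if (!Authorization::isRole('role:'.Auth::USER_ROLE_APP) && !Authorization::isRole($read)) {
+throw new Exception('Read permissions must be one of: ('.\implode(', ', Authorization::getRoles()).')', 400);
+}
+}
+foreach ($data['$write'] as $write) {
+if (!Authorization::isRole('role:'.Auth::USER_ROLE_APP) && !Authorization::isRole($write)) {
+throw new Exception('Write permissions must be one of: ('.\implode(', ', Authorization::getRoles()).')', 400);
+}
+}
+
 try {
 if ($collection->getAttribute('permission') === 'collection') {
 /** @var Document $document */
@@ -1813,6 +1826,18 @@ function createAttribute($collectionId, $attribute, $response, $dbForInternal, $
 $data['$read'] = (is_null($read)) ? ($document->getRead() ?? []) : $read; // By default inherit read permissions
 $data['$write'] = (is_null($write)) ? ($document->getWrite() ?? []) : $write; // By default inherit write permissions
 
+// Users can only add their roles to documents, API keys can add any
+foreach ($data['$read'] as $read) {
+if (!Authorization::isRole('role:'.Auth::USER_ROLE_APP) && !Authorization::isRole($read)) {
+throw new Exception('Read permissions must be one of: ('.\implode(', ', Authorization::getRoles()).')', 400);
+}
+}
+foreach ($data['$write'] as $write) {
+if (!Authorization::isRole('role:'.Auth::USER_ROLE_APP) && !Authorization::isRole($write)) {
+throw new Exception('Write permissions must be one of: ('.\implode(', ', Authorization::getRoles()).')', 400);
+}
+}
+
 try {
 if ($collection->getAttribute('permission') === 'collection') {
 /** @var Document $document */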
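Review bot: In the update hunk (old lines 1813-1818) the new role check runs over the inherited permissions too, so when `$read` is null and `$data['$read']` is filled from `$document->getRead()`, a user who holds any one of the document's existing roles but not all of them (say the document also lists a team or another user) will get the 400 even though they changed nothing about permissions; unless `Authorization::isRole` already accounts for that, the check should cover only roles the caller is introducing, e.g. `foreach (\array_diff($data['$read'], $document->getRead() ?? []) as $role) {` and the same with `getWrite()` for the write loop. The create hunk does not have this problem since its default is the caller's own `user:` role, but in both hunks the loops reuse `$read` and `$write` as loop variables and so overwrite the request parameters assigned just above; renaming them to `$role` avoids a stale-value surprise if the rest of the function (which continues outside the hunk) references them again. The two twelve-line blocks are identical and would be better as one small helper taking the permission list and a label, which also lets the `Authorization::isRole('role:'.Auth::USER_ROLE_APP)` API-key test be evaluated once instead of per element.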
