Fix RBAC upload permissions (#10484)

* Fix fetch of created_by.roles for the upload permission check

* Remove console.log

* Add default value for the set roles

* Fetch the author (user) instead of their roles only

* Only populate roles for the author
Jean-Sébastien Herbaux 2021-06-17 12:00:02 +02:00 committed by GitHub
parent d66a49f23c
commit c7c549aee6


@ -199,10 +199,11 @@ const findEntityAndCheckPermissions = async (ability, action, model, id) => {
const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
const roles = _.has(file, 'created_by.id')
? await strapi.query('role', 'admin').find({ 'users.id': file[CREATED_BY_ATTRIBUTE].id }, [])
: [];
const fileWithRoles = _.set(_.cloneDeep(file), 'created_by.roles', roles);
const author = await strapi.admin.services.user.findOne({ id: file[CREATED_BY_ATTRIBUTE] }, [
'roles',
]);
const fileWithRoles = _.set(_.cloneDeep(file), 'created_by', author);
if (pm.ability.cannot(pm.action, pm.toSubject(fileWithRoles))) {
throw strapi.errors.forbidden();