fix: sanitize recieved query

This commit is contained in:
Bassel Kanso 2024-01-17 16:21:14 +02:00
parent f07dc6fac4
commit efeb53f7ab


@ -126,27 +126,26 @@ export default {
fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE); fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE);
} }
const queryParams = {
sort: mainField,
...query,
fields: fieldsToSelect, // cannot select other fields as the user may not have the permissions
filters: {}, // cannot filter for RBAC reasons
};
const permissionChecker = getService('permission-checker').create({ const permissionChecker = getService('permission-checker').create({
userAbility, userAbility,
model: targetedModel.uid, model: targetedModel.uid,
}); });
const permissionQuery = await permissionChecker.sanitizedQuery.read(queryParams); const permissionQuery = await permissionChecker.sanitizedQuery.read(query);
const queryParams = {
sort: mainField,
fields: fieldsToSelect, // cannot select other fields as the user may not have the permissions
...permissionQuery,
};
if (!isEmpty(idsToOmit)) { if (!isEmpty(idsToOmit)) {
addFiltersClause(permissionQuery, { id: { $notIn: idsToOmit } }); addFiltersClause(queryParams, { id: { $notIn: idsToOmit } });
} }
// searching should be allowed only on mainField for permission reasons // searching should be allowed only on mainField for permission reasons
if (_q) { if (_q) {
const _filter = isOperatorOfType('where', query._filter) ? query._filter : '$containsi'; const _filter = isOperatorOfType('where', query._filter) ? query._filter : '$containsi';
addFiltersClause(permissionQuery, { [mainField]: { [_filter]: _q } }); addFiltersClause(queryParams, { [mainField]: { [_filter]: _q } });
} }
if (entityId) { if (entityId) {
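Review bot: In the new `queryParams` object the `...permissionQuery` spread comes after `sort: mainField` and `fields: fieldsToSelect`, so if `sanitizedQuery.read(query)` passes a request-supplied `sort` or `fields` through, it overrides the forced values, which contradicts the retained comment "cannot select other fields as the user may not have the permissions" (the old code spread `query` first and set `fields` last for that reason). Whether the sanitizer strips those keys is not visible in this hunk; spreading first keeps the intent either way: `const queryParams = { ...permissionQuery, sort: mainField, fields: fieldsToSelect };`. The removed `filters: {}` line carried the comment "cannot filter for RBAC reasons" and no replacement explains why sanitized request filters are now acceptable; a comment such as `// filters come from the request but are sanitized against the user's read permissions above` would document that decision. The enclosing handler starts before this hunk and the same rename continues in the second hunk.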
@ -169,10 +168,10 @@ export default {
.select(`${alias}.id`) .select(`${alias}.id`)
.getKnexQuery(); .getKnexQuery();
addFiltersClause(permissionQuery, { id: { $notIn: knexSubQuery } }); addFiltersClause(queryParams, { id: { $notIn: knexSubQuery } });
} }
ctx.body = await strapi.entityService.findPage(targetedModel.uid, permissionQuery); ctx.body = await strapi.entityService.findPage(targetedModel.uid, queryParams);
}, },
async findExisting(ctx: any) { async findExisting(ctx: any) {