fix permission

Philipinho
2026-01-12 15:57:51 +00:00
parent 4b65d4d81d
commit b65b53096a
+4 -14
@@ -2,7 +2,6 @@ import {
BadRequestException, BadRequestException,
Body, Body,
Controller, Controller,
ForbiddenException,
HttpCode, HttpCode,
HttpStatus, HttpStatus,
NotFoundException, NotFoundException,
@@ -11,12 +10,7 @@ import {
} from '@nestjs/common'; } from '@nestjs/common';
import { AuthUser } from '../../common/decorators/auth-user.decorator'; import { AuthUser } from '../../common/decorators/auth-user.decorator';
import { User, Workspace } from '@docmost/db/types/entity.types'; import { User, Workspace } from '@docmost/db/types/entity.types';
import {
SpaceCaslAction,
SpaceCaslSubject,
} from '../casl/interfaces/space-ability.type';
import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator'; import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
import { ShareService } from './share.service'; import { ShareService } from './share.service';
import { import {
CreateShareDto, CreateShareDto,
@@ -40,7 +34,6 @@ import { hasLicenseOrEE } from '../../common/helpers';
export class ShareController { export class ShareController {
constructor( constructor(
private readonly shareService: ShareService, private readonly shareService: ShareService,
private readonly spaceAbility: SpaceAbilityFactory,
private readonly shareRepo: ShareRepo, private readonly shareRepo: ShareRepo,
private readonly pageRepo: PageRepo, private readonly pageRepo: PageRepo,
private readonly pagePermissionRepo: PagePermissionRepo, private readonly pagePermissionRepo: PagePermissionRepo,
@@ -100,16 +93,12 @@ export class ShareController {
@AuthUser() user: User, @AuthUser() user: User,
@AuthWorkspace() workspace: Workspace, @AuthWorkspace() workspace: Workspace,
) { ) {
// TODO: look into permission
const page = await this.pageRepo.findById(dto.pageId); const page = await this.pageRepo.findById(dto.pageId);
if (!page) { if (!page) {
throw new NotFoundException('Shared page not found'); throw new NotFoundException('Shared page not found');
} }
const ability = await this.spaceAbility.createForUser(user, page.spaceId); await this.pageAccessService.validateCanView(page, user);
if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Share)) {
throw new ForbiddenException();
}
return this.shareService.getShareForPage(page.id, workspace.id); return this.shareService.getShareForPage(page.id, workspace.id);
} }
@@ -133,8 +122,9 @@ export class ShareController {
await this.pageAccessService.validateCanEdit(page, user); await this.pageAccessService.validateCanEdit(page, user);
// Prevent sharing restricted pages // Prevent sharing restricted pages
const isRestricted = const isRestricted = await this.pagePermissionRepo.hasRestrictedAncestor(
await this.pagePermissionRepo.hasRestrictedAncestor(page.id); page.id,
);
if (isRestricted) { if (isRestricted) {
throw new BadRequestException('Cannot share a restricted page'); throw new BadRequestException('Cannot share a restricted page');
} }
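Review bot: In the handler that returns `getShareForPage(page.id, workspace.id)`, the space-level check `ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Share)` is replaced by `validateCanView(page, user)`, and nothing in these lines shows that the new call still rejects a user who is not a member of the page's space. `pageRepo.findById(dto.pageId)` is not scoped by workspace here, so if `validateCanView` only evaluates page-level restrictions, tenant isolation would rest on the `workspace.id` argument to `getShareForPage` alone; this is worth confirming in `pageAccessService` and pinning with tests for a non-member and for a restricted page. The removed `// TODO: look into permission` should be replaced by a comment stating the rule now enforced, for example `// Share details are readable by any user who can view the page`. The `NotFoundException` is also thrown before the access check, so a caller without access can presumably tell existing page ids from missing ones by the status code. The handler's signature starts outside the hunk, so the route and DTO validation are not visible here.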