Bypass doc ownership check for admins (#444)
AmirAgassi authored Feb 6, 2025
2 parents 4d4ff87 + 735fbc0 commit bac6cce
Showing 1 changed file with 19 additions and 13 deletions.
32 changes: 19 additions & 13 deletions backend/internal/v1/v1_projects/documents.go
Expand Up @@ -2,6 +2,7 @@ package v1_projects

import (
"KonferCA/SPUR/db"
"KonferCA/SPUR/internal/permissions"
"KonferCA/SPUR/internal/v1/v1_common"
"fmt"
"io"
Expand Down Expand Up @@ -138,25 +139,30 @@ func (h *Handler) handleGetProjectDocuments(c echo.Context) error {
return v1_common.Fail(c, http.StatusUnauthorized, "Unauthorized", err)
}

// Get company owned by user
company, err := h.server.GetQueries().GetCompanyByUserID(c.Request().Context(), user.ID)
if err != nil {
return v1_common.Fail(c, 404, "Company not found", err)
}

// Get project ID from URL
projectID := c.Param("id")
if projectID == "" {
return v1_common.Fail(c, 400, "Project ID is required", nil)
}

// Verify project belongs to company
_, err = h.server.GetQueries().GetProjectByID(c.Request().Context(), db.GetProjectByIDParams{
ID: projectID,
CompanyID: company.ID,
})
if err != nil {
return v1_common.Fail(c, 404, "Project not found", err)
// Check if user is admin
isAdmin := permissions.HasAllPermissions(uint32(user.Permissions), permissions.PermViewAllProjects)

if !isAdmin {
// Get company owned by user
company, err := h.server.GetQueries().GetCompanyByUserID(c.Request().Context(), user.ID)
if err != nil {
return v1_common.Fail(c, 404, "Company not found", err)
}

// Verify project belongs to company
_, err = h.server.GetQueries().GetProjectByID(c.Request().Context(), db.GetProjectByIDParams{
ID: projectID,
CompanyID: company.ID,
})
if err != nil {
return v1_common.Fail(c, 404, "Project not found", err)
}
}

// Get documents for this project
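Review bot: The ownership bypass is keyed on a single permission, PermViewAllProjects, but the variable and comment call it "admin", which hides which grant actually unlocks every company's documents; an authorization decision should name the permission it relies on, e.g. `// Skip the company-ownership check for users who may view all projects` and `canViewAllProjects := permissions.HasAllPermissions(uint32(user.Permissions), permissions.PermViewAllProjects)` with `if !canViewAllProjects {`. In the bypass path the handler no longer confirms that the project exists before the document fetch that follows, so an unknown project ID presumably yields an empty result for a viewer with that permission and a 404 for everyone else — worth either adding an existence check or documenting the asymmetry. The new lines also repeat the bare `404` literals while the line above uses `http.StatusUnauthorized`; `http.StatusNotFound` would keep the status codes consistent. handleGetProjectDocuments starts and ends outside this hunk.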
