* Fixes an issue that would let the beforeDelete be called when user has no access to the object * Ensure we properly lock user - Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey - This ensures we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios * nits * Caps insufficient
@@ -869,7 +869,8 @@ class DatabaseController {
|
||||
op,
|
||||
distinct,
|
||||
pipeline,
|
||||
readPreference
|
||||
readPreference,
|
||||
isWrite,
|
||||
}: any = {}): Promise<any> {
|
||||
const isMaster = acl === undefined;
|
||||
const aclGroup = acl || [];
|
||||
@@ -930,7 +931,11 @@ class DatabaseController {
|
||||
}
|
||||
}
|
||||
if (!isMaster) {
|
||||
query = addReadACL(query, aclGroup);
|
||||
if (isWrite) {
|
||||
query = addWriteACL(query, aclGroup);
|
||||
} else {
|
||||
query = addReadACL(query, aclGroup);
|
||||
}
|
||||
}
|
||||
validateQuery(query);
|
||||
if (count) {
|
||||
|
||||
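Review bot: With `isWrite` set, the new `if (isWrite)` branch constrains the query with `addWriteACL` only, so the result can include objects the caller may write but not read; whatever consumes this result should treat it as an authorization probe for the trigger path and not hand the fetched fields back to the client unless read access is checked separately. The flag is also an untyped option (`}: any = {}`) that falls back to the read-ACL path when omitted, so a write-path caller that forgets it silently gets the pre-fix behaviour; a comment on the parameter such as `// isWrite: filter by write ACL (read-for-write before delete/update); results are NOT read-authorized` would make that contract visible. The hunks do not show whether the class-level permission check earlier in this method also switches to a write operation when `isWrite` is set, which is worth confirming and covering with a test for a user who has read but not write access. The method body starts and ends outside both hunks.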