fix: correct permission check on attachment uploads (#156)

fixes Aam-Digital/ndb-core#2558
Aam-Digital · Sep 4, 2024 · fe8d6a7 · fe8d6a7
1 parent 4d8619f
commit fe8d6a7
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/src/restricted-endpoints/document/document.controller.ts b/src/restricted-endpoints/document/document.controller.ts
@@ -102,11 +102,21 @@ export class DocumentController {
     @Query() queryParams?: any,
   ): Promise<DatabaseDocument> {
     const userAbility = this.permissionService.getAbilityFor(user);
-    const document = await firstValueFrom(
+
+    let documentToReturn: DatabaseDocument = await firstValueFrom(
       this.couchdbService.get(db, docId, queryParams),
     );
-    if (userAbility.can('read', document)) {
-      return document;
+
+    let documentForPermissionCheck: DatabaseDocument = documentToReturn;
+
+    if (db === 'app-attachments') {
+      documentForPermissionCheck = await firstValueFrom(
+        this.couchdbService.get('app', docId, queryParams),
+      );
+    }
+
+    if (userAbility.can('read', documentForPermissionCheck)) {
+      return documentToReturn;
     } else {
       throw new UnauthorizedException('unauthorized', 'User is not permitted');
     }