fix: correct permission check on attachment uploads (#156)

tomwwinter · web-flow · commit fe8d6a7f7b4d · 2024-09-04T10:54:45.000+02:00
fixes Aam-Digital/ndb-core#2558
diff --git a/src/restricted-endpoints/document/document.controller.ts b/src/restricted-endpoints/document/document.controller.ts
@@ -102,11 +102,21 @@ export class DocumentController {
     @Query() queryParams?: any,
   ): Promise<DatabaseDocument> {
     const userAbility = this.permissionService.getAbilityFor(user);
-    const document = await firstValueFrom(
+
+    let documentToReturn: DatabaseDocument = await firstValueFrom(
       this.couchdbService.get(db, docId, queryParams),
     );
-    if (userAbility.can('read', document)) {
-      return document;
+
+    let documentForPermissionCheck: DatabaseDocument = documentToReturn;
+
+    if (db === 'app-attachments') {
+      documentForPermissionCheck = await firstValueFrom(
+        this.couchdbService.get('app', docId, queryParams),
+      );
+    }
+
+    if (userAbility.can('read', documentForPermissionCheck)) {
+      return documentToReturn;
     } else {
       throw new UnauthorizedException('unauthorized', 'User is not permitted');
     }
