Fixed returning sensitive data in documents.info

Tom Moor
2018-05-24 22:15:36 -07:00
parent 2c719df32e
commit e2144051df
3 changed files with 30 additions and 6 deletions


@@ -10,7 +10,7 @@ import events from '../events';
import policy from '../policies';
const Op = Sequelize.Op;
const { authorize } = policy;
const { authorize, cannot } = policy;
const router = new Router();
router.post('documents.list', auth(), pagination(), async ctx => {
@@ -161,7 +161,7 @@ router.post('documents.info', auth({ required: false }), async ctx => {
const { id, shareId } = ctx.body;
ctx.assertPresent(id || shareId, 'id or shareId is required');
const isPublic = !!shareId;
const user = ctx.state.user;
let document;
if (shareId) {
@@ -177,9 +177,11 @@ router.post('documents.info', auth({ required: false }), async ctx => {
document = share.document;
} else {
document = await Document.findById(id);
authorize(ctx.state.user, 'read', document);
authorize(user, 'read', document);
}
const isPublic = cannot(user, 'read', document);
ctx.body = {
data: await presentDocument(ctx, document, { isPublic }),
};
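Review bot: In the last hunk, `const isPublic = cannot(user, 'read', document);` alone decides the `isPublic` option passed to `presentDocument`, and `user` can be undefined at that point because the route is registered with `auth({ required: false })`. How `cannot` treats a missing actor is not visible in this diff, so I would make the anonymous case explicit and fail closed: `const isPublic = !user || cannot(user, 'read', document);`. A short comment above it, such as `// Share links can be opened by anyone; only viewers who pass the read policy get the full document`, would record why the flag is derived from the policy rather than from `shareId`. The `documents.info` handler begins and ends outside the hunks shown.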