From f089dc4d7fed99090015f7bc2c1d49fc67bb145a Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Sun, 30 Dec 2018 23:03:38 +0100
Subject: [PATCH] Ensure document permissions are rechecked after updating

---
 db/check.go | 9 +++++++++
 db/relate.go | 8 +++++++-
 db/update.go | 12 +++++++++---
 db/upsert.go | 12 +++++++++---
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/db/check.go b/db/check.go
index ebd831b3..24c794fa 100644
--- a/db/check.go
+++ b/db/check.go
@@ -141,6 +141,15 @@ func (d *document) allow(ctx context.Context, met method) (ok bool, err error) {
 return true, nil
 }
 
+ // If this document is being created
+ // for the first time, then allow this
+ // check, and recheck after the fields
+ // have been merged into the document.
+
+ if met == _CREATE && !d.current.Exists("id") {
+ return true, nil
+ }
+
 // If we are authenticated using DB, NS,
 // or KV permissions level, then we can
 // ignore all permissions checks, but we
diff --git a/db/relate.go b/db/relate.go
index 95c15c18..97ee8cb4 100644
--- a/db/relate.go
+++ b/db/relate.go
@@ -118,10 +118,16 @@ func (d *document) runRelate(ctx context.Context, stm *sql.RelateStatement) (int
 return nil, err
 }
 
- if d.val.Exi() == false {
+ if d.val.Exi() == true {
 met = _UPDATE
 }
 
+ if ok, err = d.allow(ctx, met); err != nil {
+ return nil, err
+ } else if ok == false {
+ return nil, nil
+ }
+
 if err = d.merge(ctx, met, stm.Data); err != nil {
 return nil, err
 }
diff --git a/db/update.go b/db/update.go
index f99598e7..63e6ca63 100644
--- a/db/update.go
+++ b/db/update.go
@@ -111,7 +111,7 @@ func (d *document) runUpdate(ctx context.Context, stm *sql.UpdateStatement) (int
 var ok bool
 var err error
 
- var met = _UPDATE
+ var met = _CREATE
 
 if err = d.init(ctx); err != nil {
 return nil, err
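Review bot: In db/check.go, the new early return in `allow` (`met == _CREATE && !d.current.Exists("id")`) grants the request before any of the permission logic below it runs, so the pre-merge call fails open and enforcement for new documents rests entirely on a second `allow` call made after `merge`. This diff adds that second call only in `runUpdate` and `runUpsert`; any other caller that passes `_CREATE` (none are visible here) needs the same recheck, otherwise creates skip permission evaluation altogether. The guard also appears to assume that `merge` always populates `id` on `d.current`, which is worth confirming, since a document still lacking `id` would pass the recheck too. I would put the contract in the comment, e.g. `// Callers MUST call allow again after merge; this pre-merge check always passes for new documents.` The body of `allow` starts and ends outside the hunk.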
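Review bot: In db/relate.go, the `allow` call added to `runRelate` sits before `d.merge`, and the hunk shows no second call after the merge, unlike the rechecks this commit adds before `d.storeIndex` in db/update.go and db/upsert.go. Given the new early return in `allow` for `_CREATE` on a document without `id`, a pre-merge check alone would presumably pass for every new relation. If the rest of `runRelate`, which lies outside this hunk, does not already call `allow` after `d.merge`, the same `if ok, err = d.allow(ctx, met); err != nil { ... } else if ok == false { ... }` block should be repeated there. The declaration of `met` is also outside the hunk, and the flipped `d.val.Exi() == true` condition is only correct if `met` starts as `_CREATE`.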
@@ -125,8 +125,8 @@ func (d *document) runUpdate(ctx context.Context, stm *sql.UpdateStatement) (int
 return nil, err
 }
 
- if d.val.Exi() == false {
- met = _CREATE
+ if d.val.Exi() == true {
+ met = _UPDATE
 }
 
 if ok, err = d.allow(ctx, met); err != nil {
@@ -145,6 +145,12 @@ func (d *document) runUpdate(ctx context.Context, stm *sql.UpdateStatement) (int
 return nil, err
 }
 
+ if ok, err = d.allow(ctx, met); err != nil {
+ return nil, err
+ } else if ok == false {
+ return nil, nil
+ }
+
 if err = d.storeIndex(ctx); err != nil {
 return nil, err
 }
diff --git a/db/upsert.go b/db/upsert.go
index 88454448..adfe58d7 100644
--- a/db/upsert.go
+++ b/db/upsert.go
@@ -80,7 +80,7 @@ func (d *document) runUpsert(ctx context.Context, stm *sql.UpsertStatement) (int
 var ok bool
 var err error
 
- var met = _UPDATE
+ var met = _CREATE
 
 if err = d.init(ctx); err != nil {
 return nil, err
@@ -94,8 +94,8 @@ func (d *document) runUpsert(ctx context.Context, stm *sql.UpsertStatement) (int
 return nil, err
 }
 
- if d.val.Exi() == false {
- met = _CREATE
+ if d.val.Exi() == true {
+ met = _UPDATE
 }
 
 if ok, err = d.allow(ctx, met); err != nil {
@@ -108,6 +108,12 @@ func (d *document) runUpsert(ctx context.Context, stm *sql.UpsertStatement) (int
 return nil, err
 }
 
+ if ok, err = d.allow(ctx, met); err != nil {
+ return nil, err
+ } else if ok == false {
+ return nil, nil
+ }
+
 if err = d.storeIndex(ctx); err != nil {
 return nil, err
 }
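Review bot: The second `d.allow(ctx, met)` call added before `d.storeIndex` in `runUpdate` (third hunk of db/update.go, and the identical block in the third hunk of db/upsert.go) carries no comment, so it reads as an accidental duplicate of the check earlier in the function and could be removed in a later cleanup. Since the pre-merge call now always passes for new documents, this is the call that actually enforces create permissions, and I would add `// Recheck permissions now that the fields have been merged; the pre-merge check always passes for new documents.` above it in both files. As a style point, `ok == false` and `d.val.Exi() == true` could be written `!ok` and `d.val.Exi()`, though the surrounding code appears to use the explicit form. Both functions start and end outside the hunks.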