Merge pull request #2390 from appwrite/feat-db-refactor-restrict-assignable-permissions

feat(refactor-db): restrict assignable permissions

app/controllers/api/database.php

@@ -26,6 +26,7 @@ use Utopia\Database\Exception\Authorization as AuthorizationException;
 use Utopia\Database\Exception\Duplicate as DuplicateException;
 use Utopia\Database\Exception\Limit as LimitException;
 use Utopia\Database\Exception\Structure as StructureException;
+use Appwrite\Auth\Auth;
 use Appwrite\Database\Validator\CustomId;
 use Appwrite\Network\Validator\Email;
 use Appwrite\Network\Validator\IP;
@@ -1639,6 +1640,19 @@ App::post('/v1/database/collections/:collectionId/documents')
         $data['$read'] = (is_null($read) && !$user->isEmpty()) ? ['user:'.$user->getId()] : $read ?? []; //  By default set read permissions for user
         $data['$write'] = (is_null($write) && !$user->isEmpty()) ? ['user:'.$user->getId()] : $write ?? []; //  By default set write permissions for user
 
+        // Users can only add their roles to documents, API keys can add any
+        $roles = \array_fill_keys(Authorization::getRoles(), true); // Auth::isAppUser expects roles to be keys, not values of assoc array
+        foreach ($data['$read'] as $read) {
+            if (!Auth::isAppUser($roles) && !Authorization::isRole($read)) {
+                throw new Exception('Read permissions must be one of: ('.\implode(', ', $roles).')', 400);
+            }
+        }
+        foreach ($data['$write'] as $write) {
+            if (!Auth::isAppUser($roles) && !Authorization::isRole($write)) {
+                throw new Exception('Write permissions must be one of: ('.\implode(', ', $roles).')', 400);
+            }
+        }
+
         try {
             if ($collection->getAttribute('permission') === 'collection') {
                 /** @var Document $document */
@@ -1984,6 +1998,19 @@ App::patch('/v1/database/collections/:collectionId/documents/:documentId')
         $data['$read'] = (is_null($read)) ? ($document->getRead() ?? []) : $read; // By default inherit read permissions
         $data['$write'] = (is_null($write)) ? ($document->getWrite() ?? []) : $write; // By default inherit write permissions
 
+        // Users can only add their roles to documents, API keys can add any
+        $roles = \array_fill_keys(Authorization::getRoles(), true); // Auth::isAppUser expects roles to be keys, not values of assoc array
+        foreach ($data['$read'] as $read) {
+            if (!Auth::isAppUser($roles) && !Authorization::isRole($read)) {
+                throw new Exception('Read permissions must be one of: ('.\implode(', ', $roles).')', 400);
+            }
+        }
+        foreach ($data['$write'] as $write) {
+            if (!Auth::isAppUser($roles) && !Authorization::isRole($write)) {
+                throw new Exception('Write permissions must be one of: ('.\implode(', ', $roles).')', 400);
+            }
+        }
+
         try {
             if ($collection->getAttribute('permission') === 'collection') {
                 /** @var Document $document */

tests/e2e/Services/Database/DatabaseBase.php

@@ -1130,8 +1130,8 @@ trait DatabaseBase
                 'releaseYear' => 2017,
                 'actors' => [],
             ],
-            'read' => ['user:'.$this->getUser()['$id'], 'user:testx'],
-            'write' => ['user:'.$this->getUser()['$id'], 'user:testy'],
+            'read' => ['user:'.$this->getUser()['$id']],
+            'write' => ['user:'.$this->getUser()['$id']],
         ]);
 
         $id = $document['body']['$id'];
@@ -1139,8 +1139,8 @@ trait DatabaseBase
         $this->assertEquals($document['headers']['status-code'], 201);
         $this->assertEquals($document['body']['title'], 'Thor: Ragnaroc');
         $this->assertEquals($document['body']['releaseYear'], 2017);
-        $this->assertEquals($document['body']['$read'][1], 'user:testx');
-        $this->assertEquals($document['body']['$write'][1], 'user:testy');
+        $this->assertEquals('user:'.$this->getUser()['$id'], $document['body']['$read'][0]);
+        $this->assertEquals('user:'.$this->getUser()['$id'], $document['body']['$write'][0]);
 
         $document = $this->client->call(Client::METHOD_PATCH, '/database/collections/' . $data['moviesId'] . '/documents/' . $id, array_merge([
             'content-type' => 'application/json',
@@ -1149,11 +1149,15 @@ trait DatabaseBase
             'data' => [
                 'title' => 'Thor: Ragnarok',
             ],
+            'read' => ['role:member'],
+            'write' => ['role:member'],
         ]);
 
         $this->assertEquals($document['headers']['status-code'], 200);
         $this->assertEquals($document['body']['title'], 'Thor: Ragnarok');
         $this->assertEquals($document['body']['releaseYear'], 2017);
+        $this->assertEquals('role:member', $document['body']['$read'][0]);
+        $this->assertEquals('role:member', $document['body']['$write'][0]);
 
         $document = $this->client->call(Client::METHOD_GET, '/database/collections/' . $data['moviesId'] . '/documents/' . $id, array_merge([
             'content-type' => 'application/json',