From 6ed2000478300582f5c79b317e666005e059c1a0 Mon Sep 17 00:00:00 2001 From: shimon Date: Mon, 27 Oct 2025 12:09:23 +0200 Subject: [PATCH 1/2] Update composer.lock and refactor authorization handling in CLI and worker modules. Adjust Docker configuration to include database source path. Modify error handling in general controller and enhance permission setting in document creation. Fix privileged user role retrieval in function execution. Ensure consistent authorization usage across various resources. --- app/cli.php | 10 +++--- app/controllers/general.php | 2 +- app/init/resources.php | 4 ++- app/worker.php | 16 ++++----- composer.lock | 34 +++++++++---------- docker-compose.yml | 1 + .../Collections/Documents/Create.php | 2 +- .../Functions/Http/Executions/Create.php | 2 +- 8 files changed, 35 insertions(+), 36 deletions(-) diff --git a/app/cli.php b/app/cli.php index 08726c2d4d..d30e870c30 100644 --- a/app/cli.php +++ b/app/cli.php @@ -59,6 +59,7 @@ CLI::setResource('pools', function (Registry $register) { CLI::setResource('authorization', function () { $authorization = new Authorization(); + $authorization->disable(); return $authorization; }, []); @@ -133,13 +134,11 @@ CLI::setResource('getProjectDB', function (Group $pools, Database $dbForPlatform if (\in_array($dsn->getHost(), $sharedTables)) { $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setTenant((int)$project->getSequence()) ->setNamespace($dsn->getParam('namespace')); } else { $database - ->setAuthorization($authorization) ->setSharedTables(false) ->setTenant(null) ->setNamespace('_' . $project->getSequence()); 
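Review bot: `$authorization->disable();` in the `authorization` resource (app/cli.php hunk at -59,6) switches permission checks off for every `Database` that later receives this instance, and nothing at the call site says this is deliberate. The same line is added to the `authorization` resource in app/worker.php (hunk at -51,6), so all worker jobs share a disabled instance as well. If this is meant to express trusted, platform-level execution, state it with a comment such as `// CLI runs as trusted platform code: permission checks are off for every Database built from this resource`. Any task or job that acts on behalf of an end user would need its own enabled `Authorization` rather than this shared one; whether such a path exists cannot be seen from the hunk.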
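Review bot: In the cached-database branch of `getProjectDB` (app/cli.php hunk at -133,13) both `->setAuthorization($authorization)` calls are removed and nothing in the hunk replaces them, while the matching branch in app/worker.php (hunk at -130,18) gains `$database->setAuthorization($authorization);` before the shared-tables check. As written, a reused `$database` keeps whichever `Authorization` it was constructed with. The branch starts above the hunk, so the call may already exist there; if it does not, add `$database->setAuthorization($authorization);` right after the cached instance is fetched so both entry points behave the same.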
@@ -150,18 +149,17 @@ CLI::setResource('getProjectDB', function (Group $pools, Database $dbForPlatform $adapter = new DatabasePool($pools->get($dsn->getHost())); $database = new Database($adapter, $cache); + $database->setAuthorization($authorization); $databases[$dsn->getHost()] = $database; $sharedTables = \explode(',', System::getEnv('_APP_DATABASE_SHARED_TABLES', '')); if (\in_array($dsn->getHost(), $sharedTables)) { $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setTenant((int)$project->getSequence()) ->setNamespace($dsn->getParam('namespace')); } else { $database - ->setAuthorization($authorization) ->setSharedTables(false) ->setTenant(null) ->setNamespace('_' . $project->getSequence()); @@ -186,9 +184,9 @@ CLI::setResource('getLogsDB', function (Group $pools, Cache $cache, Authorizatio $adapter = new DatabasePool($pools->get('logs')); $database = new Database($adapter, $cache); - + $database->setAuthorization($authorization); + $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setNamespace('logsV1') ->setTimeout(APP_DATABASE_TIMEOUT_MILLISECONDS_TASK) diff --git a/app/controllers/general.php b/app/controllers/general.php index b6452abd7f..332f0c1d15 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -1175,7 +1175,7 @@ App::error() ->inject('queueForStatsUsage') ->inject('devKey') ->inject('authorization') - ->action(function (Throwable $error, App $utopia, Request $request, Response $response, Document $project, ?Logger $logger, Log $log, StatsUsage $queueForStatsUsage, Authorization $authorization) { + ->action(function (Throwable $error, App $utopia, Request $request, Response $response, Document $project, ?Logger $logger, Log $log, StatsUsage $queueForStatsUsage, Document $devKey, Authorization $authorization) { $version = System::getEnv('_APP_VERSION', 'UNKNOWN'); $route = $utopia->getRoute(); $class = \get_class($error); 
diff --git a/app/init/resources.php b/app/init/resources.php index 2d5d8059a6..e85b18d80a 100644 --- a/app/init/resources.php +++ b/app/init/resources.php @@ -424,9 +424,10 @@ App::setResource('dbForProject', function (Group $pools, Database $dbForPlatform }, ['pools', 'dbForPlatform', 'cache', 'project', 'authorization']); App::setResource('dbForPlatform', function (Group $pools, Cache $cache, Authorization $authorization) { + $adapter = new DatabasePool($pools->get('console')); $database = new Database($adapter, $cache); - + $database ->setAuthorization($authorization) ->setNamespace('_console') @@ -484,6 +485,7 @@ App::setResource('getProjectDB', function (Group $pools, Database $dbForPlatform $adapter = new DatabasePool($pools->get($dsn->getHost())); $database = new Database($adapter, $cache); + $database->setAuthorization($authorization); $databases[$dsn->getHost()] = $database; $configure($database); diff --git a/app/worker.php b/app/worker.php index c5dcb14a1e..211b4ebfa6 100644 --- a/app/worker.php +++ b/app/worker.php @@ -51,6 +51,7 @@ Server::setResource('register', fn () => $register); Server::setResource('authorization', function () { $authorization = new Authorization(); + $authorization->disable(); return $authorization; }, []); @@ -58,8 +59,9 @@ Server::setResource('dbForPlatform', function (Cache $cache, Registry $register, $pools = $register->get('pools'); $adapter = new DatabasePool($pools->get('console')); $dbForPlatform = new Database($adapter, $cache); - $dbForPlatform->setNamespace('_console'); $dbForPlatform->setAuthorization($authorization); + $dbForPlatform->setNamespace('_console'); + return $dbForPlatform; }, ['cache', 'register', 'authorization']); 
@@ -91,18 +93,16 @@ Server::setResource('dbForProject', function (Cache $cache, Registry $register, $adapter = new DatabasePool($pools->get($dsn->getHost())); $database = new Database($adapter, $cache); - + $database->setAuthorization($authorization); $sharedTables = \explode(',', System::getEnv('_APP_DATABASE_SHARED_TABLES', '')); if (\in_array($dsn->getHost(), $sharedTables)) { $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setTenant((int)$project->getSequence()) ->setNamespace($dsn->getParam('namespace')); } else { $database - ->setAuthorization($authorization) ->setSharedTables(false) ->setTenant(null) ->setNamespace('_' . $project->getSequence()); @@ -130,18 +130,16 @@ Server::setResource('getProjectDB', function (Group $pools, Database $dbForPlatf if (isset($databases[$dsn->getHost()])) { $database = $databases[$dsn->getHost()]; - + $database->setAuthorization($authorization); $sharedTables = \explode(',', System::getEnv('_APP_DATABASE_SHARED_TABLES', '')); if (\in_array($dsn->getHost(), $sharedTables)) { $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setTenant((int)$project->getSequence()) ->setNamespace($dsn->getParam('namespace')); } else { $database - ->setAuthorization($authorization) ->setSharedTables(false) ->setTenant(null) ->setNamespace('_' . $project->getSequence()); @@ -151,7 +149,9 @@ Server::setResource('getProjectDB', function (Group $pools, Database $dbForPlatf } $adapter = new DatabasePool($pools->get($dsn->getHost())); + $adapter->setAuthorization($authorization); $database = new Database($adapter, $cache); + $database->setAuthorization($authorization); $databases[$dsn->getHost()] = $database; 
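Review bot: `$adapter->setAuthorization($authorization);` in the uncached path of `getProjectDB` (app/worker.php hunk at -151,7) is the only place in this patch where the `DatabasePool` adapter is given the authorization object; every other resource in cli.php, resources.php and worker.php sets it on the `Database` only. Either the adapter needs it everywhere, in which case `dbForPlatform` and `dbForProject` are missing the call, or this line is a leftover and should be dropped. Whether `DatabasePool` exposes `setAuthorization()` is not visible here, so this path is worth exercising in a worker test before merge. The closure body continues outside the hunk.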
@@ -159,13 +159,11 @@ Server::setResource('getProjectDB', function (Group $pools, Database $dbForPlatf if (\in_array($dsn->getHost(), $sharedTables)) { $database - ->setAuthorization($authorization) ->setSharedTables(true) ->setTenant((int)$project->getSequence()) ->setNamespace($dsn->getParam('namespace')); } else { $database - ->setAuthorization($authorization) ->setSharedTables(false) ->setTenant(null) ->setNamespace('_' . $project->getSequence()); diff --git a/composer.lock b/composer.lock index 4a212ef6f7..1b06775fe8 100644 --- a/composer.lock +++ b/composer.lock @@ -3844,12 +3844,12 @@ "source": { "type": "git", "url": "https://github.com/utopia-php/database.git", - "reference": "4088c1002bbc837fd9299987cce5d460ded210d1" + "reference": "22123ad30782be131ecad4e9298b843d8daf387b" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/utopia-php/database/zipball/4088c1002bbc837fd9299987cce5d460ded210d1", - "reference": "4088c1002bbc837fd9299987cce5d460ded210d1", + "url": "https://api.github.com/repos/utopia-php/database/zipball/22123ad30782be131ecad4e9298b843d8daf387b", + "reference": "22123ad30782be131ecad4e9298b843d8daf387b", "shasum": "" }, "require": { @@ -3894,7 +3894,7 @@ "issues": "https://github.com/utopia-php/database/issues", "source": "https://github.com/utopia-php/database/tree/feat-authorization-instance" }, - "time": "2025-10-20T13:53:53+00:00" + "time": "2025-10-27T08:34:29+00:00" }, { "name": "utopia-php/detector", 
@@ -5318,16 +5318,16 @@ "packages-dev": [ { "name": "appwrite/sdk-generator", - "version": "1.4.7", + "version": "1.4.12", "source": { "type": "git", "url": "https://github.com/appwrite/sdk-generator.git", - "reference": "a61c8be551e10f4970bf46f75a54e4b0385c550d" + "reference": "efda55836d19b8d5f36ac0df33c83b48af0aa8fd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/appwrite/sdk-generator/zipball/a61c8be551e10f4970bf46f75a54e4b0385c550d", - "reference": "a61c8be551e10f4970bf46f75a54e4b0385c550d", + "url": "https://api.github.com/repos/appwrite/sdk-generator/zipball/efda55836d19b8d5f36ac0df33c83b48af0aa8fd", + "reference": "efda55836d19b8d5f36ac0df33c83b48af0aa8fd", "shasum": "" }, "require": { @@ -5363,9 +5363,9 @@ "description": "Appwrite PHP library for generating API SDKs for multiple programming languages and platforms", "support": { "issues": "https://github.com/appwrite/sdk-generator/issues", - "source": "https://github.com/appwrite/sdk-generator/tree/1.4.7" + "source": "https://github.com/appwrite/sdk-generator/tree/1.4.12" }, - "time": "2025-10-22T06:03:44+00:00" + "time": "2025-10-25T05:39:48+00:00" }, { "name": "doctrine/annotations", @@ -6069,16 +6069,16 @@ }, { "name": "phpbench/phpbench", - "version": "1.4.1", + "version": "1.4.2", "source": { "type": "git", "url": "https://github.com/phpbench/phpbench.git", - "reference": "78cd98a9aa34e0f8f80ca01972a8b88d2c30194b" + "reference": "bb61ae6c54b3d58642be154eb09f4e73c3511018" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpbench/phpbench/zipball/78cd98a9aa34e0f8f80ca01972a8b88d2c30194b", - "reference": "78cd98a9aa34e0f8f80ca01972a8b88d2c30194b", + "url": "https://api.github.com/repos/phpbench/phpbench/zipball/bb61ae6c54b3d58642be154eb09f4e73c3511018", + "reference": "bb61ae6c54b3d58642be154eb09f4e73c3511018", "shasum": "" }, "require": { 
@@ -6105,7 +6105,7 @@ "ergebnis/composer-normalize": "^2.39", "friendsofphp/php-cs-fixer": "^3.0", "jangregor/phpstan-prophecy": "^1.0", - "phpspec/prophecy": "dev-master", + "phpspec/prophecy": "^1.22", "phpstan/extension-installer": "^1.1", "phpstan/phpstan": "^1.0", "phpstan/phpstan-phpunit": "^1.0", @@ -6155,7 +6155,7 @@ ], "support": { "issues": "https://github.com/phpbench/phpbench/issues", - "source": "https://github.com/phpbench/phpbench/tree/1.4.1" + "source": "https://github.com/phpbench/phpbench/tree/1.4.2" }, "funding": [ { @@ -6163,7 +6163,7 @@ "type": "github" } ], - "time": "2025-03-12T08:01:40+00:00" + "time": "2025-10-26T14:21:59+00:00" }, { "name": "phpstan/phpstan", diff --git a/docker-compose.yml b/docker-compose.yml index b72f12a116..38685354c1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -89,6 +89,7 @@ services: - ./public:/usr/src/code/public - ./src:/usr/src/code/src - ./dev:/usr/src/code/dev + - ./vendor/utopia-php/database/src:/usr/src/code/vendor/utopia-php/database/src depends_on: - mariadb - redis diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php index 5a5e3f223b..bc23a0e130 100644 --- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php +++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php 
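Review bot: The added volume `./vendor/utopia-php/database/src:/usr/src/code/vendor/utopia-php/database/src` (docker-compose.yml hunk at -89,6) makes the container run whatever is in the host's vendor directory instead of the database library installed into the image from composer.lock. It reads like a local debugging mount for the branch under development; committed to the shared compose file, the code under test can differ silently from the locked reference, and a host without `vendor/` populated may mount an empty directory over the package. Consider keeping it in a local `docker-compose.override.yml`, or add a comment saying that it is temporary and which change removes it. The service this volume list belongs to starts above the hunk.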
@@ -203,7 +203,7 @@ class Create extends Action throw new Exception(Exception::GENERAL_BAD_REQUEST, 'Bulk create is not supported for ' . $this->getSDKNamespace() .' with relationship ' . $this->getStructureContext()); } - $setPermissions = function (Document $document, ?array $permissions) use ($user, $isAPIKey, $isPrivilegedUser, $isBulk) { + $setPermissions = function (Document $document, ?array $permissions) use ($user, $isAPIKey, $isPrivilegedUser, $isBulk, $dbForProject) { $allowedPermissions = [ Database::PERMISSION_READ, Database::PERMISSION_UPDATE, diff --git a/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php b/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php index a05dfbd2a4..572736f975 100644 --- a/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php +++ b/src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php @@ -155,7 +155,7 @@ class Create extends Base $function = $dbForProject->getAuthorization()->skip(fn () => $dbForProject->getDocument('functions', $functionId)); $isAPIKey = Auth::isAppUser($dbForProject->getAuthorization()->getRoles()); - $isPrivilegedUser = Auth::isPrivilegedUser($dbForProject->getAuthorization()->getRole); + $isPrivilegedUser = Auth::isPrivilegedUser($dbForProject->getAuthorization()->getRoles()); if ($function->isEmpty() || (!$function->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) { throw new Exception(Exception::FUNCTION_NOT_FOUND); From 30d58e6371dbf23a29d7a7cd62b739ab4cd4b72f Mon Sep 17 00:00:00 2001 
From: shimon Date: Mon, 27 Oct 2025 16:14:04 +0200 Subject: [PATCH 2/2] Update composer dependencies for utopia-php/audit and utopia-php/database, reflecting new versioning and aliases. Refactor document validation in Create operation to utilize the new authorization method for better security handling. --- composer.json | 2 +- composer.lock | 35 +++++++++++-------- .../Transactions/Operations/Create.php | 7 ++-- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/composer.json b/composer.json index f030d0aabf..5225e67d52 100644 --- a/composer.json +++ b/composer.json @@ -48,7 +48,7 @@ "appwrite/php-clamav": "2.0.*", "utopia-php/abuse": "1.*", "utopia-php/analytics": "0.10.*", - "utopia-php/audit": "1.*", + "utopia-php/audit": "dev-feat-auth-single-instance as 1.1.0", "utopia-php/cache": "0.13.*", "utopia-php/cli": "0.15.*", "utopia-php/config": "0.2.*", diff --git a/composer.lock b/composer.lock index 1b06775fe8..5785529265 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "a2f032a3d278c7f493ea4d87d6908258", + "content-hash": "d7f36b787ff2fe013d9b866c3823f6d4", "packages": [ { "name": "adhocore/jwt", 
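Review bot: `"utopia-php/audit": "dev-feat-auth-single-instance as 1.1.0"` (composer.json hunk at -48,7) replaces a tagged constraint with a feature branch aliased to a version number, so the alias satisfies other packages' constraints while the code is whatever the branch head holds at the next `composer update`. composer.lock pins the commit for installs from the lock, but the branch can be rebased or deleted, and the lock in this patch also adds a dev stability flag for the package. Before this reaches a release branch, switch back to a tagged constraint once the audit and database changes are published, and record that follow-up in the commit or PR description.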
@@ -3547,21 +3547,21 @@ }, { "name": "utopia-php/audit", - "version": "1.0.2", + "version": "dev-feat-auth-single-instance", "source": { "type": "git", "url": "https://github.com/utopia-php/audit.git", - "reference": "8c17065c2473d4ca799f65585ca74eb53e1be211" + "reference": "b74a6f8213b444e0af6ce0714ec85ea2859b3508" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/utopia-php/audit/zipball/8c17065c2473d4ca799f65585ca74eb53e1be211", - "reference": "8c17065c2473d4ca799f65585ca74eb53e1be211", + "url": "https://api.github.com/repos/utopia-php/audit/zipball/b74a6f8213b444e0af6ce0714ec85ea2859b3508", + "reference": "b74a6f8213b444e0af6ce0714ec85ea2859b3508", "shasum": "" }, "require": { "php": ">=8.0", - "utopia-php/database": "*" + "utopia-php/database": "dev-feat-authorization-instance as 3.0.2" }, "require-dev": { "laravel/pint": "1.*", @@ -3588,9 +3588,9 @@ ], "support": { "issues": "https://github.com/utopia-php/audit/issues", - "source": "https://github.com/utopia-php/audit/tree/1.0.2" + "source": "https://github.com/utopia-php/audit/tree/feat-auth-single-instance" }, - "time": "2025-10-20T07:14:26+00:00" + "time": "2025-10-27T13:39:14+00:00" }, { "name": "utopia-php/cache", @@ -5318,16 +5318,16 @@ "packages-dev": [ { "name": "appwrite/sdk-generator", - "version": "1.4.12", + "version": "1.4.14", "source": { "type": "git", "url": "https://github.com/appwrite/sdk-generator.git", - "reference": "efda55836d19b8d5f36ac0df33c83b48af0aa8fd" + "reference": "b9405ccaeac5619c76558a82b7bfeb440b665b9f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/appwrite/sdk-generator/zipball/efda55836d19b8d5f36ac0df33c83b48af0aa8fd", - "reference": "efda55836d19b8d5f36ac0df33c83b48af0aa8fd", + "url": "https://api.github.com/repos/appwrite/sdk-generator/zipball/b9405ccaeac5619c76558a82b7bfeb440b665b9f", + "reference": "b9405ccaeac5619c76558a82b7bfeb440b665b9f", "shasum": "" }, "require": { 
@@ -5363,9 +5363,9 @@ "description": "Appwrite PHP library for generating API SDKs for multiple programming languages and platforms", "support": { "issues": "https://github.com/appwrite/sdk-generator/issues", - "source": "https://github.com/appwrite/sdk-generator/tree/1.4.12" + "source": "https://github.com/appwrite/sdk-generator/tree/1.4.14" }, - "time": "2025-10-25T05:39:48+00:00" + "time": "2025-10-27T11:17:01+00:00" }, { "name": "doctrine/annotations", @@ -8831,6 +8831,12 @@ } ], "aliases": [ + { + "package": "utopia-php/audit", + "version": "dev-feat-auth-single-instance", + "alias": "1.1.0", + "alias_normalized": "1.1.0.0" + }, { "package": "utopia-php/database", "version": "dev-feat-authorization-instance", @@ -8840,6 +8846,7 @@ ], "minimum-stability": "stable", "stability-flags": { + "utopia-php/audit": 20, "utopia-php/database": 20 }, "prefer-stable": false, diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Transactions/Operations/Create.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Transactions/Operations/Create.php index aa3926817e..bea26a2983 100644 --- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Transactions/Operations/Create.php +++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Transactions/Operations/Create.php @@ -172,9 +172,12 @@ class Create extends Action $documentValid = false; if ($document !== null && !$document->isEmpty() && $documentSecurity) { if ($permissionType === Database::PERMISSION_UPDATE) { - $documentValid = $validator->isValid($document->getUpdate()); + $documentValid = $dbForProject->getAuthorization()->isValid( + new input(Database::PERMISSION_UPDATE, $document->getUpdate())); } elseif ($permissionType === Database::PERMISSION_DELETE) { - $documentValid = $validator->isValid($document->getDelete()); + $documentValid = $dbForProject->getAuthorization()->isValid( + new input(Database::PERMISSION_DELETE, $document->getDelete()) + ); } }
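Review bot: `new input(...)` in both branches (Transactions/Operations/Create.php hunk at -172,9) spells the class in lowercase; the import is outside the hunk, so this either leans on PHP's case-insensitive name resolution or fails to autoload at runtime, on the one path that decides whether an update or delete operation is permitted. Write it with the class's declared casing, presumably `new Input(Database::PERMISSION_UPDATE, $document->getUpdate())`, and format the first call like the second, with the closing parenthesis on its own line. If `$validator` is no longer used after this change it can be removed, but its other uses are not visible here. The enclosing method continues beyond the hunk.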