Elgato_dark/appwrite
1
0
Fork 0
mirror of https://github.com/appwrite/appwrite synced 2026-05-23 08:58:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge pull request #5900 from appwrite/fix-collection-disabled-mode-checks

Browse source 
Fix collection disabled mode checks
This commit is contained in:
Jake Barnby 2023-08-22 00:47:47 -04:00 committed by GitHub
commit bda3afdfdf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 299 additions and 213 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/api/account.php
View file

@ -900,7 +900,9 @@ App::get('/v1/account/identities')
$queries[] = Query::equal('userInternalId', [$user->getInternalId()]); $queries[] = Query::equal('userInternalId', [$user->getInternalId()]);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */

235
app/controllers/api/databases.php
View file

@ -26,6 +26,7 @@ use Utopia\Database\Exception\Duplicate as DuplicateException;
use Utopia\Database\Exception\Limit as LimitException; use Utopia\Database\Exception\Limit as LimitException;
use Utopia\Database\Exception\Restricted as RestrictedException; use Utopia\Database\Exception\Restricted as RestrictedException;
use Utopia\Database\Exception\Structure as StructureException; use Utopia\Database\Exception\Structure as StructureException;
use Utopia\Database\Exception\Query as QueryException;
use Utopia\Database\Helpers\ID; use Utopia\Database\Helpers\ID;
use Utopia\Database\Helpers\Permission; use Utopia\Database\Helpers\Permission;
use Utopia\Database\Helpers\Role; use Utopia\Database\Helpers\Role;
@ -356,7 +357,7 @@ function updateAttribute(
); );
} }
$dbForProject->updateDocument('attributes', $db->getInternalId() . '_' . $collection->getInternalId() . '_' . $key, $attribute); $attribute = $dbForProject->updateDocument('attributes', $db->getInternalId() . '_' . $collection->getInternalId() . '_' . $key, $attribute);
$dbForProject->deleteCachedDocument('database_' . $db->getInternalId(), $collection->getId()); $dbForProject->deleteCachedDocument('database_' . $db->getInternalId(), $collection->getId());
$events $events
@ -469,7 +470,9 @@ App::get('/v1/databases')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
$databaseId = $cursor->getValue(); $databaseId = $cursor->getValue();
@ -718,7 +721,7 @@ App::post('/v1/databases/:databaseId/collections')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { if ($database->isEmpty()) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
@ -779,7 +782,7 @@ App::get('/v1/databases/:databaseId/collections')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { if ($database->isEmpty()) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
@ -790,7 +793,9 @@ App::get('/v1/databases/:databaseId/collections')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -833,7 +838,7 @@ App::get('/v1/databases/:databaseId/collections/:collectionId')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { if ($database->isEmpty()) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
@ -969,7 +974,7 @@ App::put('/v1/databases/:databaseId/collections/:collectionId')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { if ($database->isEmpty()) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
@ -1033,7 +1038,7 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { if ($database->isEmpty()) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
@ -1645,11 +1650,18 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/attributes')
$queries = Query::parseQueries($queries); $queries = Query::parseQueries($queries);
\array_push($queries, Query::equal('collectionId', [$collectionId]), Query::equal('databaseId', [$databaseId])); \array_push(
$queries,
Query::equal('collectionId', [$collectionId]),
Query::equal('databaseId', [$databaseId])
);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
$cursor = reset($cursor); return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = \reset($cursor);
if ($cursor) { if ($cursor) {
$attributeId = $cursor->getValue(); $attributeId = $cursor->getValue();
@ -1659,17 +1671,22 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/attributes')
Query::equal('key', [$attributeId]), Query::equal('key', [$attributeId]),
Query::limit(1), Query::limit(1),
])); ]));
if (empty($cursorDocument) || $cursorDocument[0]->isEmpty()) { if (empty($cursorDocument) || $cursorDocument[0]->isEmpty()) {
throw new Exception(Exception::GENERAL_CURSOR_NOT_FOUND, "Attribute '{$attributeId}' for the 'cursor' value not found."); throw new Exception(Exception::GENERAL_CURSOR_NOT_FOUND, "Attribute '{$attributeId}' for the 'cursor' value not found.");
} }
$cursor->setValue($cursorDocument[0]); $cursor->setValue($cursorDocument[0]);
} }
$filterQueries = Query::groupByType($queries)['filters']; $filters = Query::groupByType($queries)['filters'];
$attributes = $dbForProject->find('attributes', $queries);
$total = $dbForProject->count('attributes', $filters, APP_LIMIT_COUNT);
$response->dynamic(new Document([ $response->dynamic(new Document([
'total' => $dbForProject->count('attributes', $filterQueries, APP_LIMIT_COUNT), 'attributes' => $attributes,
'attributes' => $dbForProject->find('attributes', $queries), 'total' => $total,
]), Response::MODEL_ATTRIBUTE_LIST); ]), Response::MODEL_ATTRIBUTE_LIST);
}); });
@ -2474,7 +2491,9 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/indexes')
\array_push($queries, Query::equal('collectionId', [$collectionId]), Query::equal('databaseId', [$databaseId])); \array_push($queries, Query::equal('collectionId', [$collectionId]), Query::equal('databaseId', [$databaseId]));
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
@ -2647,16 +2666,17 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($database->isEmpty() || (!$database->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId)); $collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) { if ($collection->isEmpty() || (!$collection->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { throw new Exception(Exception::COLLECTION_NOT_FOUND);
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
} }
$allowedPermissions = [ $allowedPermissions = [
@ -2679,8 +2699,7 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
} }
// Users can only manage their own roles, API keys and Admin users can manage any // Users can only manage their own roles, API keys and Admin users can manage any
$roles = Authorization::getRoles(); if (!$isAPIKey && !$isPrivilegedUser) {
if (!Auth::isAppUser($roles) && !Auth::isPrivilegedUser($roles)) {
foreach (Database::PERMISSIONS as $type) { foreach (Database::PERMISSIONS as $type) {
foreach ($permissions as $permission) { foreach ($permissions as $permission) {
$permission = Permission::parse($permission); $permission = Permission::parse($permission);
@ -2693,7 +2712,7 @@ App::post('/v1/databases/:databaseId/collections/:collectionId/documents')
$permission->getDimension() $permission->getDimension()
))->toString(); ))->toString();
if (!Authorization::isRole($role)) { if (!Authorization::isRole($role)) {
throw new Exception(Exception::USER_UNAUTHORIZED, 'Permissions must be one of: (' . \implode(', ', $roles) . ')'); throw new Exception(Exception::USER_UNAUTHORIZED, 'Permissions must be one of: (' . \implode(', ', Authorization::getRoles()) . ')');
} }
} }
} }
@ -2861,40 +2880,30 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $databaseId, string $collectionId, array $queries, Response $response, Database $dbForProject, string $mode) { ->action(function (string $databaseId, string $collectionId, array $queries, Response $response, Database $dbForProject, string $mode) {
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($database->isEmpty() || (!$database->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId)); $collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { if ($collection->isEmpty() || (!$collection->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
if (!$collection->getAttribute('documentSecurity', false)) {
$validator = new Authorization(Database::PERMISSION_READ);
if (!$validator->isValid($collection->getRead())) {
$collection = new Document();
}
}
}
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) {
throw new Exception(Exception::COLLECTION_NOT_FOUND); throw new Exception(Exception::COLLECTION_NOT_FOUND);
} }
// Validate queries
$queriesValidator = new Documents($collection->getAttribute('attributes'), $collection->getAttribute('indexes'));
$validQueries = $queriesValidator->isValid($queries);
if (!$validQueries) {
throw new Exception(Exception::GENERAL_ARGUMENT_INVALID, $queriesValidator->getDescription());
}
$queries = Query::parseQueries($queries); $queries = Query::parseQueries($queries);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
$cursor = reset($cursor); return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = \reset($cursor);
if ($cursor) { if ($cursor) {
$documentId = $cursor->getValue(); $documentId = $cursor->getValue();
@ -2907,13 +2916,19 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
$cursor->setValue($cursorDocument); $cursor->setValue($cursorDocument);
} }
$filterQueries = Query::groupByType($queries)['filters']; $filters = Query::groupByType($queries)['filters'];
$documents = $dbForProject->find('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $queries); try {
$total = $dbForProject->count('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $filterQueries, APP_LIMIT_COUNT); $documents = $dbForProject->find('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $queries);
$total = $dbForProject->count('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $filters, APP_LIMIT_COUNT);
} catch (AuthorizationException) {
throw new Exception(Exception::USER_UNAUTHORIZED);
} catch (QueryException $e) {
throw new Exception(Exception::GENERAL_ARGUMENT_INVALID, $e->getMessage());
}
// Add $collectionId and $databaseId for all documents // Add $collectionId and $databaseId for all documents
$processDocument = function (Document $collection, Document $document) use (&$processDocument, $dbForProject, $database): bool { $processDocument = (function (Document $collection, Document $document) use (&$processDocument, $dbForProject, $database): bool {
if ($document->isEmpty()) { if ($document->isEmpty()) {
return false; return false;
} }
@ -2958,12 +2973,11 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
} }
return true; return true;
}; });
// The linter is forcing this indentation foreach ($documents as $document) {
foreach ($documents as $document) { $processDocument($collection, $document);
$processDocument($collection, $document); }
}
$response->dynamic(new Document([ $response->dynamic(new Document([
'total' => $total, 'total' => $total,
@ -2993,31 +3007,30 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents/:documen
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $databaseId, string $collectionId, string $documentId, array $queries, Response $response, Database $dbForProject, string $mode) { ->action(function (string $databaseId, string $collectionId, string $documentId, array $queries, Response $response, Database $dbForProject, string $mode) {
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($database->isEmpty() || (!$database->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId)); $collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) { if ($collection->isEmpty() || (!$collection->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { throw new Exception(Exception::COLLECTION_NOT_FOUND);
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
}
// Validate queries
$queriesValidator = new DocumentQueriesValidator($collection->getAttribute('attributes'));
$validQueries = $queriesValidator->isValid($queries);
if (!$validQueries) {
throw new Exception(Exception::GENERAL_ARGUMENT_INVALID, $queriesValidator->getDescription());
} }
$queries = Query::parseQueries($queries); $queries = Query::parseQueries($queries);
$document = $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId, $queries); try {
$document = $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId, $queries);
} catch (AuthorizationException) {
throw new Exception(Exception::USER_UNAUTHORIZED);
} catch (QueryException $e) {
throw new Exception(Exception::GENERAL_ARGUMENT_INVALID, $e->getMessage());
}
if ($document->isEmpty()) { if ($document->isEmpty()) {
throw new Exception(Exception::DOCUMENT_NOT_FOUND); throw new Exception(Exception::DOCUMENT_NOT_FOUND);
@ -3204,16 +3217,17 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($database->isEmpty() || (!$database->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId)); $collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) { if ($collection->isEmpty() || (!$collection->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { throw new Exception(Exception::COLLECTION_NOT_FOUND);
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
} }
// Read permission should not be required for update // Read permission should not be required for update
@ -3233,7 +3247,7 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
// Users can only manage their own roles, API keys and Admin users can manage any // Users can only manage their own roles, API keys and Admin users can manage any
$roles = Authorization::getRoles(); $roles = Authorization::getRoles();
if (!Auth::isAppUser($roles) && !Auth::isPrivilegedUser($roles) && !\is_null($permissions)) { if (!$isAPIKey && !$isPrivilegedUser && !\is_null($permissions)) {
foreach (Database::PERMISSIONS as $type) { foreach (Database::PERMISSIONS as $type) {
foreach ($permissions as $permission) { foreach ($permissions as $permission) {
$permission = Permission::parse($permission); $permission = Permission::parse($permission);
@ -3256,10 +3270,7 @@ App::patch('/v1/databases/:databaseId/collections/:collectionId/documents/:docum
$permissions = $document->getPermissions() ?? []; $permissions = $document->getPermissions() ?? [];
} }
$data = \array_merge($document->getArrayCopy(), $data); // Merge existing data with new data $data['$id'] = $documentId;
$data['$collection'] = $document->getAttribute('$collection'); // Make sure user doesn't switch collectionID
$data['$createdAt'] = $document->getCreatedAt(); // Make sure user doesn't switch createdAt
$data['$id'] = $document->getId(); // Make sure user doesn't switch document unique ID
$data['$permissions'] = $permissions; $data['$permissions'] = $permissions;
$newDocument = new Document($data); $newDocument = new Document($data);
@ -3422,19 +3433,19 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
->inject('deletes') ->inject('deletes')
->inject('mode') ->inject('mode')
->action(function (string $databaseId, string $collectionId, string $documentId, ?\DateTime $requestTimestamp, Response $response, Database $dbForProject, Event $events, Delete $deletes, string $mode) { ->action(function (string $databaseId, string $collectionId, string $documentId, ?\DateTime $requestTimestamp, Response $response, Database $dbForProject, Event $events, Delete $deletes, string $mode) {
$database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId)); $database = Authorization::skip(fn() => $dbForProject->getDocument('databases', $databaseId));
if ($database->isEmpty() || (!$database->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($database->isEmpty() || (!$database->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::DATABASE_NOT_FOUND); throw new Exception(Exception::DATABASE_NOT_FOUND);
} }
$collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId)); $collection = Authorization::skip(fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId));
if ($collection->isEmpty() || !$collection->getAttribute('enabled')) { if ($collection->isEmpty() || (!$collection->getAttribute('enabled', false) && !$isAPIKey && !$isPrivilegedUser)) {
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { throw new Exception(Exception::COLLECTION_NOT_FOUND);
throw new Exception(Exception::COLLECTION_NOT_FOUND);
}
} }
// Read permission should not be required for delete // Read permission should not be required for delete
@ -3444,68 +3455,18 @@ App::delete('/v1/databases/:databaseId/collections/:collectionId/documents/:docu
throw new Exception(Exception::DOCUMENT_NOT_FOUND); throw new Exception(Exception::DOCUMENT_NOT_FOUND);
} }
$checkPermissions = function (Document $collection, Document $document) use (&$checkPermissions, $dbForProject, $database) { $dbForProject->withRequestTimestamp($requestTimestamp, function () use ($dbForProject, $database, $collection, $documentId) {
$documentSecurity = $collection->getAttribute('documentSecurity', false);
$validator = new Authorization(Database::PERMISSION_DELETE);
$valid = $validator->isValid($collection->getDelete());
if (!$documentSecurity && !$valid) {
throw new Exception(Exception::USER_UNAUTHORIZED);
}
$valid = $valid || $validator->isValid($document->getDelete());
if ($documentSecurity && !$valid) {
throw new Exception(Exception::USER_UNAUTHORIZED);
}
$relationships = \array_filter(
$collection->getAttribute('attributes', []),
fn($attribute) => $attribute->getAttribute('type') === Database::VAR_RELATIONSHIP
);
foreach ($relationships as $relationship) {
$related = $document->getAttribute($relationship->getAttribute('key'));
if (empty($related)) {
continue;
}
if (!\is_array($related)) {
$related = [$related];
}
$relatedCollectionId = $relationship->getAttribute('relatedCollection');
$relatedCollection = Authorization::skip(
fn() => $dbForProject->getDocument('database_' . $database->getInternalId(), $relatedCollectionId)
);
foreach ($related as $relation) {
if (
$relation instanceof Document
&& $relationship->getAttribute('onDelete') === Database::RELATION_MUTATE_CASCADE
) {
$checkPermissions($relatedCollection, $relation);
}
}
}
};
$checkPermissions($collection, $document);
Authorization::skip(fn() => $dbForProject->withRequestTimestamp($requestTimestamp, function () use ($dbForProject, $database, $collection, $documentId) {
try { try {
$dbForProject->deleteDocument( $dbForProject->deleteDocument(
'database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), 'database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(),
$documentId $documentId
); );
} catch (AuthorizationException) {
throw new Exception(Exception::USER_UNAUTHORIZED);
} catch (RestrictedException) { } catch (RestrictedException) {
throw new Exception(Exception::DOCUMENT_DELETE_RESTRICTED); throw new Exception(Exception::DOCUMENT_DELETE_RESTRICTED);
} }
})); });
$dbForProject->deleteCachedDocument(
'database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(),
$documentId
);
// Add $collectionId and $databaseId for all documents // Add $collectionId and $databaseId for all documents
$processDocument = function (Document $collection, Document $document) use (&$processDocument, $dbForProject, $database) { $processDocument = function (Document $collection, Document $document) use (&$processDocument, $dbForProject, $database) {

42
app/controllers/api/functions.php
View file

@ -138,7 +138,9 @@ App::get('/v1/functions')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -778,7 +780,9 @@ App::get('/v1/functions/:functionId/deployments')
$queries[] = Query::equal('resourceType', ['functions']); $queries[] = Query::equal('resourceType', ['functions']);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -998,13 +1002,13 @@ App::post('/v1/functions/:functionId/executions')
->inject('queueForFunctions') ->inject('queueForFunctions')
->inject('queueForUsage') ->inject('queueForUsage')
->action(function (string $functionId, string $data, bool $async, Response $response, Document $project, Database $dbForProject, Document $user, Event $events, string $mode, Func $queueForFunctions, Usage $queueForUsage) { ->action(function (string $functionId, string $data, bool $async, Response $response, Document $project, Database $dbForProject, Document $user, Event $events, string $mode, Func $queueForFunctions, Usage $queueForUsage) {
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId)); $function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} if ($function->isEmpty() || (!$function->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} }
$runtimes = Config::getParam('runtimes', []); $runtimes = Config::getParam('runtimes', []);
@ -1192,13 +1196,13 @@ App::get('/v1/functions/:functionId/executions')
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $functionId, array $queries, string $search, Response $response, Database $dbForProject, string $mode) { ->action(function (string $functionId, array $queries, string $search, Response $response, Database $dbForProject, string $mode) {
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId)); $function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} if ($function->isEmpty() || (!$function->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} }
$queries = Query::parseQueries($queries); $queries = Query::parseQueries($queries);
@ -1211,7 +1215,9 @@ App::get('/v1/functions/:functionId/executions')
$queries[] = Query::equal('functionId', [$function->getId()]); $queries[] = Query::equal('functionId', [$function->getId()]);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -1264,13 +1270,13 @@ App::get('/v1/functions/:functionId/executions/:executionId')
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $functionId, string $executionId, Response $response, Database $dbForProject, string $mode) { ->action(function (string $functionId, string $executionId, Response $response, Database $dbForProject, string $mode) {
$function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId)); $function = Authorization::skip(fn () => $dbForProject->getDocument('functions', $functionId));
if ($function->isEmpty() || !$function->getAttribute('enabled')) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
if (!($mode === APP_MODE_ADMIN && Auth::isPrivilegedUser(Authorization::getRoles()))) { $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} if ($function->isEmpty() || (!$function->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::FUNCTION_NOT_FOUND);
} }
$execution = $dbForProject->getDocument('executions', $executionId); $execution = $dbForProject->getDocument('executions', $executionId);

4
app/controllers/api/migrations.php
View file

@ -380,7 +380,9 @@ App::get('/v1/migrations')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */

4
app/controllers/api/projects.php
View file

@ -245,7 +245,9 @@ App::get('/v1/projects')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */

53
app/controllers/api/storage.php
View file

@ -166,7 +166,9 @@ App::get('/v1/storage/buckets')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -354,10 +356,12 @@ App::post('/v1/storage/buckets/:bucketId/files')
->inject('deviceFiles') ->inject('deviceFiles')
->inject('deviceLocal') ->inject('deviceLocal')
->action(function (string $bucketId, string $fileId, mixed $file, ?array $permissions, Request $request, Response $response, Database $dbForProject, Document $user, Event $events, string $mode, Device $deviceFiles, Device $deviceLocal) { ->action(function (string $bucketId, string $fileId, mixed $file, ?array $permissions, Request $request, Response $response, Database $dbForProject, Document $user, Event $events, string $mode, Device $deviceFiles, Device $deviceLocal) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -682,10 +686,12 @@ App::get('/v1/storage/buckets/:bucketId/files')
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $bucketId, array $queries, string $search, Response $response, Database $dbForProject, string $mode) { ->action(function (string $bucketId, array $queries, string $search, Response $response, Database $dbForProject, string $mode) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -703,7 +709,9 @@ App::get('/v1/storage/buckets/:bucketId/files')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -756,10 +764,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId')
->inject('dbForProject') ->inject('dbForProject')
->inject('mode') ->inject('mode')
->action(function (string $bucketId, string $fileId, Response $response, Database $dbForProject, string $mode) { ->action(function (string $bucketId, string $fileId, Response $response, Database $dbForProject, string $mode) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -826,7 +836,10 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -970,7 +983,10 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -1105,10 +1121,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
->inject('mode') ->inject('mode')
->inject('deviceFiles') ->inject('deviceFiles')
->action(function (string $bucketId, string $fileId, Response $response, Request $request, Database $dbForProject, string $mode, Device $deviceFiles) { ->action(function (string $bucketId, string $fileId, Response $response, Request $request, Database $dbForProject, string $mode, Device $deviceFiles) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -1262,10 +1280,12 @@ App::put('/v1/storage/buckets/:bucketId/files/:fileId')
->inject('mode') ->inject('mode')
->inject('events') ->inject('events')
->action(function (string $bucketId, string $fileId, ?string $name, ?array $permissions, Response $response, Database $dbForProject, Document $user, string $mode, Event $events) { ->action(function (string $bucketId, string $fileId, ?string $name, ?array $permissions, Response $response, Database $dbForProject, Document $user, string $mode, Event $events) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }
@ -1368,7 +1388,10 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
->action(function (string $bucketId, string $fileId, Response $response, Database $dbForProject, Event $events, string $mode, Device $deviceFiles, Delete $deletes) { ->action(function (string $bucketId, string $fileId, Response $response, Database $dbForProject, Event $events, string $mode, Device $deviceFiles, Delete $deletes) {
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }

8
app/controllers/api/teams.php
View file

@ -153,7 +153,9 @@ App::get('/v1/teams')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -649,7 +651,9 @@ App::get('/v1/teams/:teamId/memberships')
$queries[] = Query::equal('teamId', [$teamId]); $queries[] = Query::equal('teamId', [$teamId]);
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */

8
app/controllers/api/users.php
View file

@ -396,7 +396,9 @@ App::get('/v1/users')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */
@ -656,7 +658,9 @@ App::get('/v1/users/identities')
} }
// Get cursor document if there was a cursor query // Get cursor document if there was a cursor query
$cursor = Query::getByType($queries, [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]); $cursor = \array_filter($queries, function ($query) {
return \in_array($query->getMethod(), [Query::TYPE_CURSORAFTER, Query::TYPE_CURSORBEFORE]);
});
$cursor = reset($cursor); $cursor = reset($cursor);
if ($cursor) { if ($cursor) {
/** @var Query $cursor */ /** @var Query $cursor */

5
app/controllers/shared/api.php
View file

@ -282,7 +282,10 @@ App::init()
$bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { $isAPIKey = Auth::isAppUser(Authorization::getRoles());
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAPIKey && !$isPrivilegedUser)) {
throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
} }

4
app/init.php
View file

@ -286,7 +286,7 @@ Database::addFilter(
return $value; return $value;
}, },
function (mixed $value, Document $attribute) { function (mixed $value, Document $attribute) {
$formatOptions = json_decode($attribute->getAttribute('formatOptions', '[]'), true); $formatOptions = \json_decode($attribute->getAttribute('formatOptions', '[]'), true);
if (isset($formatOptions['elements'])) { if (isset($formatOptions['elements'])) {
$attribute->setAttribute('elements', $formatOptions['elements']); $attribute->setAttribute('elements', $formatOptions['elements']);
} }
@ -356,7 +356,7 @@ Database::addFilter(
->find('indexes', [ ->find('indexes', [
Query::equal('collectionInternalId', [$document->getInternalId()]), Query::equal('collectionInternalId', [$document->getInternalId()]),
Query::equal('databaseInternalId', [$document->getAttribute('databaseInternalId')]), Query::equal('databaseInternalId', [$document->getAttribute('databaseInternalId')]),
Query::limit(64), Query::limit($database->getLimitForIndexes()),
]); ]);
} }
); );

2
composer.json
View file

@ -50,7 +50,7 @@
"utopia-php/cli": "0.15.*", "utopia-php/cli": "0.15.*",
"utopia-php/config": "0.2.*", "utopia-php/config": "0.2.*",
"utopia-php/database": "0.42.*", "utopia-php/database": "0.42.*",
"utopia-php/domains": "1.1.*", "utopia-php/domains": "0.3.*",
"utopia-php/dsn": "0.1.*", "utopia-php/dsn": "0.1.*",
"utopia-php/framework": "0.28.*", "utopia-php/framework": "0.28.*",
"utopia-php/image": "0.5.*", "utopia-php/image": "0.5.*",

39
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "2098172fc4b71eb0d41dcdbfea2f5061", "content-hash": "3c637b7058e55050f09ff2af72c11fdb",
"packages": [ "packages": [
{ {
"name": "adhocore/jwt", "name": "adhocore/jwt",
@ -1557,19 +1557,20 @@
}, },
{ {
"name": "utopia-php/database", "name": "utopia-php/database",
"version": "0.42.1", "version": "0.42.3",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/utopia-php/database.git", "url": "https://github.com/utopia-php/database.git",
"reference": "9ff69a9b9eadc581771798833d423829c9d8cc90" "reference": "ab0e2f8ad46884f69b354cd8ee84a1a75fee26d1"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/utopia-php/database/zipball/9ff69a9b9eadc581771798833d423829c9d8cc90", "url": "https://api.github.com/repos/utopia-php/database/zipball/ab0e2f8ad46884f69b354cd8ee84a1a75fee26d1",
"reference": "9ff69a9b9eadc581771798833d423829c9d8cc90", "reference": "ab0e2f8ad46884f69b354cd8ee84a1a75fee26d1",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
"ext-mbstring": "*",
"ext-pdo": "*", "ext-pdo": "*",
"php": ">=8.0", "php": ">=8.0",
"utopia-php/cache": "0.8.*", "utopia-php/cache": "0.8.*",
@ -1607,29 +1608,31 @@
], ],
"support": { "support": {
"issues": "https://github.com/utopia-php/database/issues", "issues": "https://github.com/utopia-php/database/issues",
"source": "https://github.com/utopia-php/database/tree/0.42.1" "source": "https://github.com/utopia-php/database/tree/0.42.3"
}, },
"time": "2023-08-14T16:09:09+00:00" "time": "2023-08-22T02:15:28+00:00"
}, },
{ {
"name": "utopia-php/domains", "name": "utopia-php/domains",
"version": "v1.1.0", "version": "0.3.2",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/utopia-php/domains.git", "url": "https://github.com/utopia-php/domains.git",
"reference": "1665e1d9932afa3be63b5c1e0dcfe01fe77d8e73" "reference": "aaa8c9a96c69ccb397997b1f4f2299c66f77eefb"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/utopia-php/domains/zipball/1665e1d9932afa3be63b5c1e0dcfe01fe77d8e73", "url": "https://api.github.com/repos/utopia-php/domains/zipball/aaa8c9a96c69ccb397997b1f4f2299c66f77eefb",
"reference": "1665e1d9932afa3be63b5c1e0dcfe01fe77d8e73", "reference": "aaa8c9a96c69ccb397997b1f4f2299c66f77eefb",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
"php": ">=7.1" "php": ">=8.0",
"utopia-php/framework": "0.*.*"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^7.0" "laravel/pint": "1.2.*",
"phpunit/phpunit": "^9.3"
}, },
"type": "library", "type": "library",
"autoload": { "autoload": {
@ -1645,6 +1648,10 @@
{ {
"name": "Eldad Fux", "name": "Eldad Fux",
"email": "eldad@appwrite.io" "email": "eldad@appwrite.io"
},
{
"name": "Wess Cope",
"email": "wess@appwrite.io"
} }
], ],
"description": "Utopia Domains library is simple and lite library for parsing web domains. This library is aiming to be as simple and easy to learn and use.", "description": "Utopia Domains library is simple and lite library for parsing web domains. This library is aiming to be as simple and easy to learn and use.",
@ -1661,9 +1668,9 @@
], ],
"support": { "support": {
"issues": "https://github.com/utopia-php/domains/issues", "issues": "https://github.com/utopia-php/domains/issues",
"source": "https://github.com/utopia-php/domains/tree/master" "source": "https://github.com/utopia-php/domains/tree/0.3.2"
}, },
"time": "2020-02-23T07:40:02+00:00" "time": "2023-07-19T16:39:24+00:00"
}, },
{ {
"name": "utopia-php/dsn", "name": "utopia-php/dsn",
@ -5377,5 +5384,5 @@
"platform-overrides": { "platform-overrides": {
"php": "8.0" "php": "8.0"
}, },
"plugin-api-version": "2.2.0" "plugin-api-version": "2.3.0"
} }

71
tests/e2e/Services/Databases/DatabasesBase.php
View file

@ -344,6 +344,63 @@ trait DatabasesBase
$this->assertEquals(400, $response['headers']['status-code']); $this->assertEquals(400, $response['headers']['status-code']);
} }
public function testUpdateAttributeEnum(): void
{
$database = $this->client->call(Client::METHOD_POST, '/databases', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
'x-appwrite-key' => $this->getProject()['apiKey']
], [
'databaseId' => ID::unique(),
'name' => 'Test Database 2'
]);
$players = $this->client->call(Client::METHOD_POST, '/databases/' . $database['body']['$id'] . '/collections', array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
'x-appwrite-key' => $this->getProject()['apiKey']
]), [
'collectionId' => ID::unique(),
'name' => 'Players',
'documentSecurity' => true,
'permissions' => [
Permission::create(Role::user($this->getUser()['$id'])),
],
]);
// Create enum attribute
$attribute = $this->client->call(Client::METHOD_POST, '/databases/' . $database['body']['$id'] . '/collections/' . $players['body']['$id'] . '/attributes/enum', array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
'x-appwrite-key' => $this->getProject()['apiKey'],
]), [
'key' => 'position',
'elements' => ['goalkeeper', 'defender', 'midfielder', 'forward'],
'required' => true,
'array' => false,
]);
$this->assertEquals(202, $attribute['headers']['status-code']);
$this->assertEquals($attribute['body']['key'], 'position');
$this->assertEquals($attribute['body']['elements'], ['goalkeeper', 'defender', 'midfielder', 'forward']);
\sleep(2);
// Update enum attribute
$attribute = $this->client->call(Client::METHOD_PATCH, '/databases/' . $database['body']['$id'] . '/collections/' . $players['body']['$id'] . '/attributes/enum/' . $attribute['body']['key'], array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
'x-appwrite-key' => $this->getProject()['apiKey'],
]), [
'elements' => ['goalkeeper', 'defender', 'midfielder', 'forward', 'coach'],
'required' => true,
'default' => null
]);
$this->assertEquals(200, $attribute['headers']['status-code']);
$this->assertEquals($attribute['body']['elements'], ['goalkeeper', 'defender', 'midfielder', 'forward', 'coach']);
}
/** /**
* @depends testCreateAttributes * @depends testCreateAttributes
*/ */
@ -2862,8 +2919,6 @@ trait DatabasesBase
$collectionId = $collection['body']['$id']; $collectionId = $collection['body']['$id'];
sleep(2);
$attribute = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/attributes/string', array_merge([ $attribute = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/attributes/string', array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'], 'x-appwrite-project' => $this->getProject()['$id'],
@ -2877,8 +2932,7 @@ trait DatabasesBase
$this->assertEquals(202, $attribute['headers']['status-code'], 202); $this->assertEquals(202, $attribute['headers']['status-code'], 202);
$this->assertEquals('attribute', $attribute['body']['key']); $this->assertEquals('attribute', $attribute['body']['key']);
// wait for db to add attribute \sleep(2);
sleep(2);
$index = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/indexes', array_merge([ $index = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/indexes', array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
@ -2893,8 +2947,7 @@ trait DatabasesBase
$this->assertEquals(202, $index['headers']['status-code']); $this->assertEquals(202, $index['headers']['status-code']);
$this->assertEquals('key_attribute', $index['body']['key']); $this->assertEquals('key_attribute', $index['body']['key']);
// wait for db to add attribute \sleep(2);
sleep(2);
$document1 = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', array_merge([ $document1 = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
@ -2993,7 +3046,7 @@ trait DatabasesBase
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session2, 'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session2,
]); ]);
// Current user has no collection permissions and document permissions are disabled // other2 has no collection permissions and document permissions are disabled
$this->assertEquals(404, $document3GetWithDocumentRead['headers']['status-code']); $this->assertEquals(404, $document3GetWithDocumentRead['headers']['status-code']);
$documentsUser2 = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', [ $documentsUser2 = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', [
@ -3003,8 +3056,8 @@ trait DatabasesBase
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session2, 'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session2,
]); ]);
// Current user has no collection permissions and document permissions are disabled // other2 has no collection permissions and document permissions are disabled
$this->assertEquals(404, $documentsUser2['headers']['status-code']); $this->assertEquals(401, $documentsUser2['headers']['status-code']);
// Enable document permissions // Enable document permissions
$collection = $this->client->call(CLient::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $collectionId, [ $collection = $this->client->call(CLient::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $collectionId, [

31
tests/e2e/Services/Databases/DatabasesConsoleClientTest.php
View file

@ -29,6 +29,7 @@ class DatabasesConsoleClientTest extends Scope
$this->assertTrue($database['body']['enabled']); $this->assertTrue($database['body']['enabled']);
$databaseId = $database['body']['$id']; $databaseId = $database['body']['$id'];
/** /**
* Test for SUCCESS * Test for SUCCESS
*/ */
@ -51,7 +52,7 @@ class DatabasesConsoleClientTest extends Scope
$this->assertEquals($movies['body']['name'], 'Movies'); $this->assertEquals($movies['body']['name'], 'Movies');
/** /**
* Test When database is disabled but can still create collections * Test when database is disabled but can still create collections
*/ */
$database = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId, array_merge([ $database = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId, array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
@ -78,6 +79,17 @@ class DatabasesConsoleClientTest extends Scope
'documentSecurity' => true, 'documentSecurity' => true,
]); ]);
/**
* Test when collection is disabled but can still modify collections
*/
$database = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $movies['body']['$id'], array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()), [
'name' => 'Movies',
'enabled' => false,
]);
$this->assertEquals(201, $tvShows['headers']['status-code']); $this->assertEquals(201, $tvShows['headers']['status-code']);
$this->assertEquals($tvShows['body']['name'], 'TvShows'); $this->assertEquals($tvShows['body']['name'], 'TvShows');
@ -87,11 +99,12 @@ class DatabasesConsoleClientTest extends Scope
/** /**
* @depends testCreateCollection * @depends testCreateCollection
* @param array $data * @param array $data
* @throws \Exception
*/ */
public function testListCollection(array $data) public function testListCollection(array $data)
{ {
/** /**
* Test When database is disabled but can still call list collections * Test when database is disabled but can still call list collections
*/ */
$databaseId = $data['databaseId']; $databaseId = $data['databaseId'];
@ -108,6 +121,8 @@ class DatabasesConsoleClientTest extends Scope
/** /**
* @depends testCreateCollection * @depends testCreateCollection
* @param array $data * @param array $data
* @throws \Exception
* @throws \Exception
*/ */
public function testGetCollection(array $data) public function testGetCollection(array $data)
{ {
@ -115,7 +130,7 @@ class DatabasesConsoleClientTest extends Scope
$moviesCollectionId = $data['moviesId']; $moviesCollectionId = $data['moviesId'];
/** /**
* Test When database is disabled but can still call get collection * Test when database and collection are disabled but can still call get collection
*/ */
$collection = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $moviesCollectionId, array_merge([ $collection = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $moviesCollectionId, array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
@ -125,12 +140,14 @@ class DatabasesConsoleClientTest extends Scope
$this->assertEquals(200, $collection['headers']['status-code']); $this->assertEquals(200, $collection['headers']['status-code']);
$this->assertEquals('Movies', $collection['body']['name']); $this->assertEquals('Movies', $collection['body']['name']);
$this->assertEquals($moviesCollectionId, $collection['body']['$id']); $this->assertEquals($moviesCollectionId, $collection['body']['$id']);
$this->assertTrue($collection['body']['enabled']); $this->assertFalse($collection['body']['enabled']);
} }
/** /**
* @depends testCreateCollection * @depends testCreateCollection
* @param array $data * @param array $data
* @throws \Exception
* @throws \Exception
*/ */
public function testUpdateCollection(array $data) public function testUpdateCollection(array $data)
{ {
@ -138,7 +155,7 @@ class DatabasesConsoleClientTest extends Scope
$moviesCollectionId = $data['moviesId']; $moviesCollectionId = $data['moviesId'];
/** /**
* Test When database is disabled but can still call update collection * Test When database and collection are disabled but can still call update collection
*/ */
$collection = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $moviesCollectionId, array_merge([ $collection = $this->client->call(Client::METHOD_PUT, '/databases/' . $databaseId . '/collections/' . $moviesCollectionId, array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',
@ -157,6 +174,8 @@ class DatabasesConsoleClientTest extends Scope
/** /**
* @depends testCreateCollection * @depends testCreateCollection
* @param array $data * @param array $data
* @throws \Exception
* @throws \Exception
*/ */
public function testDeleteCollection(array $data) public function testDeleteCollection(array $data)
{ {
@ -164,7 +183,7 @@ class DatabasesConsoleClientTest extends Scope
$tvShowsId = $data['tvShowsId']; $tvShowsId = $data['tvShowsId'];
/** /**
* Test When database is disabled but can still call Delete collection * Test when database and collection are disabled but can still call delete collection
*/ */
$response = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $tvShowsId, array_merge([ $response = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $tvShowsId, array_merge([
'content-type' => 'application/json', 'content-type' => 'application/json',

2
tests/e2e/Services/Databases/DatabasesPermissionsTeamTest.php
View file

@ -176,7 +176,7 @@ class DatabasesPermissionsTeamTest extends Scope
if ($success) { if ($success) {
$this->assertCount(1, $documents['body']['documents']); $this->assertCount(1, $documents['body']['documents']);
} else { } else {
$this->assertEquals(404, $documents['headers']['status-code']); $this->assertEquals(401, $documents['headers']['status-code']);
} }
} }