From 4eb298e4e07333df0c0eee1c390e7c009b9c91cc Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Tue, 27 Apr 2021 09:12:59 +0200
Subject: [PATCH 1/2] fix: executions permission validation

---
 app/controllers/api/functions.php | 4 ++--
 src/Appwrite/Database/Database.php | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/functions.php b/app/controllers/api/functions.php
index fb24467324..7596893af5 100644
--- a/app/controllers/api/functions.php
+++ b/app/controllers/api/functions.php
@@ -802,7 +802,7 @@ App::get('/v1/functions/:functionId/executions')
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Database $projectDB */
 
- $function = $projectDB->getDocument($functionId);
+ $function = $projectDB->getDocument($functionId, true, true, 'execute');
 
 if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
 throw new Exception('Function not found', 404);
@@ -844,7 +844,7 @@ App::get('/v1/functions/:functionId/executions/:executionId')
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Database $projectDB */
 
- $function = $projectDB->getDocument($functionId);
+ $function = $projectDB->getDocument($functionId, true, true, 'execute');
 
 if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
 throw new Exception('Function not found', 404);
diff --git a/src/Appwrite/Database/Database.php b/src/Appwrite/Database/Database.php
index d0defdec03..4137c6ee20 100644
--- a/src/Appwrite/Database/Database.php
+++ b/src/Appwrite/Database/Database.php
@@ -196,17 +196,18 @@ class Database
 * @param string $id
 * @param bool $mock is mocked data allowed?
 * @param bool $decode enable decoding?
+ * @param string $permission permissions to read
 *
 * @return Document
 */
- public function getDocument($id, bool $mock = true, bool $decode = true)
+ public function getDocument($id, bool $mock = true, bool $decode = true, string $permission = 'read')
 {
 if (\is_null($id)) {
 return new Document();
 }
 
 $document = new Document((isset($this->mocks[$id]) && $mock) ? $this->mocks[$id] : $this->adapter->getDocument($id));
- $validator = new Authorization($document, 'read');
+ $validator = new Authorization($document, $permission);
 
 if (!$validator->isValid($document->getPermissions())) { // Check if user has read access to this document
 return new Document();
From f2426aa473f3fda6a0cf608b5d5cafd17ce47611 Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Tue, 27 Apr 2021 09:28:42 +0200
Subject: [PATCH 2/2] fix: use authorization control instead of arguments

---
 app/controllers/api/functions.php | 8 ++++++--
 src/Appwrite/Database/Database.php | 5 ++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/controllers/api/functions.php b/app/controllers/api/functions.php
index 7596893af5..2fa454c49e 100644
--- a/app/controllers/api/functions.php
+++ b/app/controllers/api/functions.php
@@ -802,7 +802,9 @@ App::get('/v1/functions/:functionId/executions')
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Database $projectDB */
 
- $function = $projectDB->getDocument($functionId, true, true, 'execute');
+ Authorization::disable();
+ $function = $projectDB->getDocument($functionId);
+ Authorization::reset();
 
 if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
 throw new Exception('Function not found', 404);
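Review bot: The `Authorization::disable()` / `Authorization::reset()` pair around `getDocument()` is not exception-safe: if the lookup throws, authorization stays disabled for the rest of the request, and `reset()` restores the default state rather than whatever state the caller was in, so the pair should be a try/finally (the `:executionId` hunk in this patch has the same shape). With authorization disabled, the function document is fetched with no permission check at all — patch 1 had scoped this to the `'execute'` permission — so whether a caller may see these executions now rests entirely on the execution documents' own permissions, which are checked outside this hunk and cannot be confirmed from it; that reliance deserves a comment such as `// Function permissions are deliberately bypassed here; the executions fetched below must still pass their own authorization check`. The enclosing action closure starts and ends outside the hunk.
```php
        /** @var Appwrite\Database\Database $projectDB */

        // Function permissions are deliberately bypassed here; the executions
        // fetched below must still pass their own authorization check.
        Authorization::disable();
        try {
            $function = $projectDB->getDocument($functionId);
        } finally {
            Authorization::reset();
        }
        // … unchanged: 404 check and execution listing …
```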
@@ -844,7 +846,9 @@ App::get('/v1/functions/:functionId/executions/:executionId')
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Database $projectDB */
 
- $function = $projectDB->getDocument($functionId, true, true, 'execute');
+ Authorization::disable();
+ $function = $projectDB->getDocument($functionId);
+ Authorization::reset();
 
 if (empty($function->getId()) || Database::SYSTEM_COLLECTION_FUNCTIONS != $function->getCollection()) {
 throw new Exception('Function not found', 404);
diff --git a/src/Appwrite/Database/Database.php b/src/Appwrite/Database/Database.php
index 4137c6ee20..d0defdec03 100644
--- a/src/Appwrite/Database/Database.php
+++ b/src/Appwrite/Database/Database.php
@@ -196,18 +196,17 @@ class Database
 * @param string $id
 * @param bool $mock is mocked data allowed?
 * @param bool $decode enable decoding?
- * @param string $permission permissions to read
 *
 * @return Document
 */
- public function getDocument($id, bool $mock = true, bool $decode = true, string $permission = 'read')
+ public function getDocument($id, bool $mock = true, bool $decode = true)
 {
 if (\is_null($id)) {
 return new Document();
 }
 
 $document = new Document((isset($this->mocks[$id]) && $mock) ? $this->mocks[$id] : $this->adapter->getDocument($id));
- $validator = new Authorization($document, $permission);
+ $validator = new Authorization($document, 'read');
 
 if (!$validator->isValid($document->getPermissions())) { // Check if user has read access to this document
 return new Document();