MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix loophole where any user could load all screen and layout definitions via app package call

This commit is contained in:
Andrew Kingston 2021-06-30 21:54:48 +01:00
parent ca032aa6fe
commit 54fe305031
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
packages/server/src/api/controllers/application.js
View File

@ -164,7 +164,15 @@ exports.fetchAppDefinition = async function (ctx) {
exports.fetchAppPackage = async function (ctx) { exports.fetchAppPackage = async function (ctx) {
const db = new CouchDB(ctx.params.appId) const db = new CouchDB(ctx.params.appId)
const application = await db.get(DocumentTypes.APP_METADATA) const application = await db.get(DocumentTypes.APP_METADATA)
const [layouts, screens] = await Promise.all([getLayouts(db), getScreens(db)]) const layouts = await getLayouts(db)
let screens = await getScreens(db)
// Only filter screens if the user is not a builder
if (!ctx.user.builder?.global) {
const userRoleId = getUserRoleId(ctx)
const accessController = new AccessController(ctx.params.appId)
screens = await accessController.checkScreensAccess(screens, userRoleId)
}
ctx.body = { ctx.body = {
application, application,