From 7d6d1fd15121e35c3be8a6a28c12ec080d5d9001 Mon Sep 17 00:00:00 2001 From: Khor Shu Heng <32997938+khorshuheng@users.noreply.github.com> Date: Thu, 17 Oct 2024 17:03:12 +0800 Subject: [PATCH] chore: add access control to appflowy web related endpoint (#896) --- src/api/workspace.rs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/api/workspace.rs b/src/api/workspace.rs index ae90718e9..5865cd668 100644 --- a/src/api/workspace.rs +++ b/src/api/workspace.rs @@ -880,6 +880,14 @@ async fn get_page_view_handler( .get_user_uid(&user_uuid) .await .map_err(AppResponseError::from)?; + let has_access = state + .workspace_access_control + .enforce_action(&uid, &workspace_uuid.to_string(), Action::Read) + .await?; + if !has_access { + return Err(AppError::NotEnoughPermissions.into()); + } + let page_collab = get_page_view_collab( &state.pg_pool, state.collab_access_control_storage.clone(), @@ -1457,6 +1465,13 @@ async fn get_workspace_folder_handler( let depth = query.depth.unwrap_or(1); let uid = state.user_cache.get_user_uid(&user_uuid).await?; let workspace_id = workspace_id.into_inner(); + let has_access = state + .workspace_access_control + .enforce_action(&uid, &workspace_id.to_string(), Action::Read) + .await?; + if !has_access { + return Err(AppError::NotEnoughPermissions.into()); + } let root_view_id = if let Some(root_view_id) = query.root_view_id.as_ref() { root_view_id.to_string() } else {