fix(server): blob controller permission (#6746)

2026-02-13 21:05:19 +00:00 · 2024-04-30 03:46:59 +00:00
parent 9b28e7313f
commit a14194c482
5 changed files with 295 additions and 9 deletions
--- a/packages/backend/server/src/core/workspaces/controller.ts
+++ b/packages/backend/server/src/core/workspaces/controller.ts
@@ -43,7 +43,13 @@ export class WorkspacesController {
  ) {
    // if workspace is public or have any public page, then allow to access
    // otherwise, check permission
-    if (!(await this.permission.tryCheckWorkspace(workspaceId, user?.id))) {
+    if (
+      !(await this.permission.isPublicAccessible(
+        workspaceId,
+        workspaceId,
+        user?.id
+      ))
+    ) {
      throw new ForbiddenException('Permission denied');
    }

@@ -81,7 +87,7 @@ export class WorkspacesController {
    const docId = new DocID(guid, ws);
    if (
      // if a user has the permission
-      !(await this.permission.isAccessible(
+      !(await this.permission.isPublicAccessible(
        docId.workspace,
        docId.guid,
        user?.id
--- a/packages/backend/server/src/core/workspaces/permission.ts
+++ b/packages/backend/server/src/core/workspaces/permission.ts
@@ -84,7 +84,11 @@ export class PermissionService {
  /**
   * check if a doc binary is accessible by a user
   */
-  async isAccessible(ws: string, id: string, user?: string): Promise<boolean> {
+  async isPublicAccessible(
+    ws: string,
+    id: string,
+    user?: string
+  ): Promise<boolean> {
    if (ws === id) {
      // if workspace is public or have any public page, then allow to access
      const [isPublicWorkspace, publicPages] = await Promise.all([