From b0726e9a137f78e61de43e46285983eb27123d6a Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 25 Nov 2021 09:26:25 -0800 Subject: [PATCH] Fixed server file permissions for device groups, #3294 --- meshuser.js | 27 ++++++++++++--------------- webserver.js | 16 +++++----------- 2 files changed, 17 insertions(+), 26 deletions(-) diff --git a/meshuser.js b/meshuser.js index af494cb9..4d722975 100644 --- a/meshuser.js +++ b/meshuser.js @@ -6799,22 +6799,19 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use try { files.filetree.f[user._id].f = readFilesRec(parent.path.join(parent.filespath, domainx + '/user-' + usersplit[2])); } catch (e) { } } - // Add files for each mesh // TODO: Get all meshes including groups!! - for (var i in user.links) { - if ((user.links[i].rights & 32) != 0) { // Check that we have file permissions - var mesh = parent.meshes[i]; - if (mesh) { - var meshsplit = mesh._id.split('/'); - files.filetree.f[mesh._id] = { t: 4, n: mesh.name, f: {} }; - files.filetree.f[mesh._id].maxbytes = parent.getQuota(mesh._id, domain); + // Add files for each mesh + const meshes = parent.GetAllMeshWithRights(user, MESHRIGHT_SERVERFILES); + for (var i in meshes) { + const mesh = meshes[i]; + var meshsplit = mesh._id.split('/'); + files.filetree.f[mesh._id] = { t: 4, n: mesh.name, f: {} }; + files.filetree.f[mesh._id].maxbytes = parent.getQuota(mesh._id, domain); - // Read all files recursively - try { - files.filetree.f[mesh._id].f = readFilesRec(parent.path.join(parent.filespath, domainx + '/mesh-' + meshsplit[2])); - } catch (e) { - files.filetree.f[mesh._id].f = {}; // Got an error, return empty folder. We will create the folder only when needed. - } - } + // Read all files recursively + try { + files.filetree.f[mesh._id].f = readFilesRec(parent.path.join(parent.filespath, domainx + '/mesh-' + meshsplit[2])); + } catch (e) { + files.filetree.f[mesh._id].f = {}; // Got an error, return empty folder. We will create the folder only when needed. } } diff --git a/webserver.js b/webserver.js index 26e49f25..b79c8b36 100644 --- a/webserver.js +++ b/webserver.js @@ -7050,20 +7050,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (i.startsWith('mesh/')) { // Grant access to a device group thru a direct link const m = obj.meshes[i]; - if ((m) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) { - if (r.indexOf(m) == -1) { r.push(m); } - } + if ((m) && (r.indexOf(m) == -1) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) { r.push(m); } } else if (i.startsWith('ugrp/')) { // Grant access to a device group thru a user group const g = obj.userGroups[i]; - if (g && (g.links != null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) { - for (var j in g.links) { - if (j.startsWith('mesh/')) { - const m = obj.meshes[j]; - if ((m) && (m.deleted == null)) { - if (r.indexOf(m) == -1) { r.push(m); } - } - } + for (var j in g.links) { + if (j.startsWith('mesh/') && ((rights == null) || ((g.links[j].rights != null) && (g.links[j].rights & rights) != 0))) { + const m = obj.meshes[j]; + if ((m) && (m.deleted == null) && (r.indexOf(m) == -1)) { r.push(m); } } } }