From 630ae7290a318f99e7838b344b0868f22419f40c Mon Sep 17 00:00:00 2001
From: joker-x
Date: Sat, 29 Aug 2020 23:50:38 +0200
Subject: [PATCH] Enforce manageTemplates global permission in templates model
---
 server/models/templates.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/models/templates.js b/server/models/templates.js
index b6c53174..363c8811 100644
--- a/server/models/templates.js
+++ b/server/models/templates.js
@@ -20,6 +20,7 @@ function hash(entity) {
 }
 async function getByIdTx(tx, context, id, withPermissions = true) {
+ shares.enforceGlobalPermission(context, 'manageTemplates');
 await shares.enforceEntityPermissionTx(tx, context, 'template', id, 'view');
 const entity = await tx('templates').where('id', id).first();
 entity.data = JSON.parse(entity.data);
@@ -38,6 +39,7 @@ async function getById(context, id, withPermissions = true) {
 }
 async function _listDTAjax(context, namespaceId, params) {
+ shares.enforceGlobalPermission(context, 'manageTemplates');
 return await dtHelpers.ajaxListWithPermissions(
 context,
 [{ entityTypeId: 'template', requiredOperations: ['view'] }],
@@ -70,6 +72,7 @@ async function _validateAndPreprocess(tx, entity) {
 }
 async function create(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageTemplates');
 return await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'namespace', entity.namespace, 'createTemplate');
@@ -114,6 +117,7 @@ async function create(context, entity) {
 }
 async function updateWithConsistencyCheck(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageTemplates');
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'template', entity.id, 'edit');
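Review bot: The unconditional `manageTemplates` check at the top of `getByIdTx` applies to every internal caller of this transaction-level helper, not only to the template management endpoints. Callers are not visible in this diff, but if another model loads a template through `getByIdTx` for a user who holds only a `view` share, that read would now be denied; `_listDTAjax` in the next hunk has the same effect on listings. If that is intended, state the two-layer rule above the function, e.g. `// Requires the global 'manageTemplates' permission in addition to the per-template 'view' share.`; if it is not, the gate may fit better in the exported wrappers than in the shared helper. The body of `getByIdTx` continues past the end of the hunk.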
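Review bot: `shares.enforceGlobalPermission(...)` is called without `await` in `create`, and in the same form in the other four hunks (`getByIdTx`, `_listDTAjax`, `updateWithConsistencyCheck`, `remove`), while the neighbouring `enforceEntityPermissionTx` calls are awaited. That only blocks the operation if the function is synchronous and throws on denial; its definition is outside this diff, so this is worth confirming, because a promise-returning implementation would let `knex.transaction` start before the rejection surfaces. Since the identical line is repeated five times, a single local wrapper such as `function enforceManageTemplates(context) { shares.enforceGlobalPermission(context, 'manageTemplates'); }` would keep the operation name in one place. The body of `create` continues outside the hunk.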
@@ -143,6 +147,7 @@ async function updateWithConsistencyCheck(context, entity) {
 }
 async function remove(context, id) {
+ shares.enforceGlobalPermission(context, 'manageTemplates');
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'template', id, 'delete');
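Review bot: `remove` now has two preconditions, the global `manageTemplates` permission and the per-template `delete` share, and neither is stated where a caller would read it. A comment above the function would record the contract, e.g. `// Deletes a template; requires global 'manageTemplates' and the 'delete' share on the template.` The diffstat lists only `server/models/templates.js`, so nothing in this commit exercises the denied path. A test using a context that holds the `delete` share but lacks `manageTemplates` would pin the new behaviour for the most destructive of the five operations. The body of `remove` continues outside the hunk.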