From 7aa7b1ac41c2b7c34773b1cd8e6f27eaaea475c4 Mon Sep 17 00:00:00 2001
From: joker-x
Date: Sat, 29 Aug 2020 23:46:04 +0200
Subject: [PATCH] Enforce manageLists global permission in lists model
---
 server/models/lists.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/server/models/lists.js b/server/models/lists.js
index ada16cf8..67ef8a71 100644
--- a/server/models/lists.js
+++ b/server/models/lists.js
@@ -27,6 +27,7 @@ function hash(entity) {
 async function _listDTAjax(context, namespaceId, params) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 const campaignEntityType = entitySettings.getEntityType('campaign');
 return await dtHelpers.ajaxListWithPermissions(
@@ -68,6 +69,7 @@ async function listByNamespaceDTAjax(context, namespaceId, params) {
 }
 async function listWithSegmentByCampaignDTAjax(context, campaignId, params) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 return await dtHelpers.ajaxListWithPermissions(
 context,
 [{ entityTypeId: 'list', requiredOperations: ['view'] }],
@@ -84,6 +86,7 @@ async function listWithSegmentByCampaignDTAjax(context, campaignId, params) {
 }
 async function getByIdTx(tx, context, id) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 await shares.enforceEntityPermissionTx(tx, context, 'list', id, 'view');
 const entity = await tx('lists').where('id', id).first();
 return entity;
@@ -97,6 +100,7 @@ async function getById(context, id) {
 }
 async function getByIdWithListFields(context, id) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 return await knex.transaction(async tx => {
 const entity = await getByIdTx(tx, context, id);
 entity.permissions = await shares.getPermissionsTx(tx, context, 'list', id);
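Review bot: The guard added at the top of `_listDTAjax` (and repeated in the eight later hunks), `shares.enforceGlobalPermission(context, 'manageLists');`, is called without `await`, while `shares.enforceEntityPermissionTx(...)` in the same file is awaited, so it only protects the query if the helper is synchronous and throws on denial. shares.js is not part of this patch, so that cannot be confirmed from here; were the helper async, the rejection would be dropped and `dtHelpers.ajaxListWithPermissions` would still run. A comment at the call, e.g. `// synchronous: throws on denial, nothing to await`, would record the assumption. A module-level constant for `'manageLists'` would also keep the nine string literals from drifting apart. The body of `_listDTAjax` continues outside the hunk.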
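Review bot: In `getByIdTx` the global check now sits in front of the per-entity `'view'` check on the next line, so a caller whose only grant is a share on that one list would presumably be refused before the share is consulted. Because this is a `Tx` helper that takes a caller-supplied transaction, it is likely reached from other models as well, and those callers inherit the new requirement; `getByCidTx` and `getByNamespaceIdTx` in later hunks change in the same way. If that is the intended policy, a comment above the call such as `// Global gate: a per-list share alone is no longer sufficient` would make it explicit. If it is not, the check belongs in the request-facing wrappers rather than in the shared helper.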
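Review bot: The check added to `getByIdWithListFields` duplicates the one this patch adds to `getByIdTx`, which this function calls as its first step inside the transaction. Keeping it does have one effect, the request is refused before `knex.transaction` is entered, but that intent is not stated anywhere. Either add `// fail before opening a transaction` next to the call or drop the line and rely on `getByIdTx`. The function body continues past the end of the hunk.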
@@ -106,6 +110,7 @@ async function getByIdWithListFields(context, id) {
 }
 async function getByCidTx(tx, context, cid) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 const entity = await tx('lists').where('cid', cid).first();
 if (!entity) {
 shares.throwPermissionDenied();
@@ -122,6 +127,7 @@ async function getByCid(context, cid) {
 }
 async function getByNamespaceIdTx(tx, context, namespaceId) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 // FIXME - this methods is rather suboptimal if there are many lists. It quite needs permission caching in shares.js
 const rows = await tx('lists').where('namespace', namespaceId);
@@ -153,6 +159,7 @@ async function _validateAndPreprocess(tx, entity) {
 }
 async function create(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 return await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'namespace', entity.namespace, 'createList');
@@ -248,6 +255,7 @@ async function create(context, entity) {
 }
 async function updateWithConsistencyCheck(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'list', entity.id, 'edit');
@@ -274,6 +282,7 @@ async function updateWithConsistencyCheck(context, entity) {
 }
 async function remove(context, id) {
+ shares.enforceGlobalPermission(context, 'manageLists');
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'list', id, 'delete');
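Review bot: `create` now depends on a `manageLists` global permission that nothing in this patch defines or tests: the diffstat lists only server/models/lists.js, so no role configuration and no test change ships with it. Unless the permission already exists in the deployed role definitions, this guard and the matching ones in `updateWithConsistencyCheck` and `remove` would presumably refuse users who do hold the `'createList'`, `'edit'` or `'delete'` entity permission checked on the following lines. The change should come with the role entry that grants `manageLists` and a test for a user who has the entity permission but not the global one. The body of `create` continues outside the hunk.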