From e0edcda3dd69aa06b7aaaab0cf4b5643bbfe5e44 Mon Sep 17 00:00:00 2001
From: joker-x
Date: Sat, 29 Aug 2020 23:30:57 +0200
Subject: [PATCH] Enforce manageReports global permission in reports model
---
 server/models/reports.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/models/reports.js b/server/models/reports.js
index 90983580..be16c99a 100644
--- a/server/models/reports.js
+++ b/server/models/reports.js
@@ -25,6 +25,7 @@ function hash(entity) {
 }
 async function getByIdWithTemplate(context, id, withPermissions = true) {
+ shares.enforceGlobalPermission(context, 'manageReports');
 return await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'report', id, 'view');
@@ -46,6 +47,7 @@ async function getByIdWithTemplate(context, id, withPermissions = true) {
 }
 async function listDTAjax(context, params) {
+ shares.enforceGlobalPermission(context, 'manageReports');
 return await dtHelpers.ajaxListWithPermissions(
 context,
 [
@@ -64,6 +66,7 @@ async function listDTAjax(context, params) {
 }
 async function create(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageReports');
 let id;
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'namespace', entity.namespace, 'createReport');
@@ -85,6 +88,7 @@ async function create(context, entity) {
 }
 async function updateWithConsistencyCheck(context, entity) {
+ shares.enforceGlobalPermission(context, 'manageReports');
 await knex.transaction(async tx => {
 await shares.enforceEntityPermissionTx(tx, context, 'report', entity.id, 'edit');
 await shares.enforceEntityPermissionTx(tx, context, 'reportTemplate', entity.report_template, 'execute');
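Review bot: The new `shares.enforceGlobalPermission(context, 'manageReports');` call in getByIdWithTemplate is not awaited, while the entity check two lines below it is, so the gate only blocks if the helper is synchronous and throws on denial. Its definition is outside this diff; if it returned a promise, a rejection would go unobserved and the function would carry on into the transaction. The same un-awaited call is added in listDTAjax, create, updateWithConsistencyCheck and removeTx. I would confirm the contract in `shares` and record it above the first call, `// enforceGlobalPermission is synchronous and throws on denial; keep it ahead of any DB access`. The function body continues outside the hunk.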
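Review bot: In listDTAjax the global check now throws before `dtHelpers.ajaxListWithPermissions` runs, so a user who holds per-report permissions but not the global `manageReports` permission gets an error from the listing rather than the (presumably permission-filtered) list. If that is the intended access model, a comment on the function would keep a read path gated by a manage-level permission from looking accidental, for example `// Listing requires the global 'manageReports' permission in addition to per-entity permissions.`. A test that calls listDTAjax with a context lacking the permission would pin the behaviour; none is part of this one-file commit. The call's argument list continues outside the hunk.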
@@ -120,6 +124,7 @@ async function updateWithConsistencyCheck(context, entity) {
 }
 async function removeTx(tx, context, id) {
+ shares.enforceGlobalPermission(context, 'manageReports');
 await shares.enforceEntityPermissionTx(tx, context, 'report', id, 'delete');
 const report = await tx('reports').where('id', id).first();
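Review bot: removeTx runs on a transaction supplied by its caller, and the new global check throws before the entity-level `delete` check and before `tx('reports')` is read, so it relies on every caller letting the exception propagate so that `tx` is rolled back. The callers are not in this diff, so that cannot be confirmed from here. A short doc comment would make the contract explicit: `// Requires global 'manageReports' and entity-level 'delete'; throws before touching any row, callers must not swallow the error.` The function body continues past the end of the hunk.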