Skip to content

Commit 27b4b41

Browse files
committed
fix: add missing checkAccess to the get_resource_foreign_data api
AdminForth/1731/security-audit
1 parent 6f96295 commit 27b4b41

1 file changed

Lines changed: 13 additions & 0 deletions

File tree

adminforth/modules/restApi.ts

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1823,6 +1823,19 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
18231823
if (rawFilterError) {
18241824
return rawFilterError;
18251825
}
1826+
const meta = { requestBody: body, pk: undefined };
1827+
const { allowedActions } = await interpretResource(
1828+
adminUser,
1829+
resource,
1830+
meta,
1831+
ActionCheckSource.ListRequest,
1832+
this.adminforth
1833+
);
1834+
const { allowed, error } = checkAccess(AllowedActionsEnum.list, allowedActions);
1835+
if (!allowed) {
1836+
return { error };
1837+
}
1838+
18261839

18271840
const targetResourceIds = columnConfig.foreignResource.resourceId ? [columnConfig.foreignResource.resourceId] : columnConfig.foreignResource.polymorphicResources.filter(pr => pr.resourceId !== null).map((pr) => pr.resourceId);
18281841
const targetResources = targetResourceIds.map((trId) => this.adminforth.config.resources.find((res) => res.resourceId == trId));

0 commit comments

Comments
 (0)