fix(server): check app auth by createdBy (#1453)

labring · Aug 11, 2023 · e2be923 · e2be923
1 parent 57800c4
commit e2be923
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/server/src/application/application.service.ts b/server/src/application/application.service.ts
@@ -137,8 +137,15 @@ export class ApplicationService {
       .collection<Application>('Application')
       .aggregate()
       .match({
-        phase: { $ne: ApplicationPhase.Deleted },
-        appid: { $in: doc.map((v) => v.appid) },
+        $and: [
+          {
+            $or: [
+              { appid: { $in: doc.map((v) => v.appid) } },
+              { createdBy: userid },
+            ],
+          },
+          { phase: { $ne: ApplicationPhase.Deleted } },
+        ],
       })
       .lookup({
         from: 'ApplicationBundle',

diff --git a/server/src/authentication/application.auth.guard.ts b/server/src/authentication/application.auth.guard.ts
@@ -31,7 +31,7 @@ export class ApplicationAuthGuard implements CanActivate {
     }
 
     const ok = await this.checkGroupAuth(appid, user, context)
-    if (!ok) {
+    if (!ok && !app.createdBy.equals(user._id)) {
       return false
     }