ENHANCEMENT Use batch permission checker for canView for files

Fixes silverstripe/silverstripe-graphql#117
silverstripe · Sep 7, 2017 · 74643a2 · 74643a2
1 parent 4679997
commit 74643a2
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/code/GraphQL/FolderTypeCreator.php b/code/GraphQL/FolderTypeCreator.php
@@ -122,9 +122,9 @@ public function getChildrenConnection()
     }
 
     /**
-     * @param $object
+     * @param Folder $object
      * @param array $args
-     * @param $context
+     * @param array $context
      * @param ResolveInfo $info
      * @param Connection $childrenConnection
      * @return mixed
@@ -148,6 +148,7 @@ public function resolveChildrenConnection(
             ));
         }
 
+        /** @var DataList $list */
         $list = Versioned::get_by_stage(File::class, 'Stage');
         $filterInputType = new FileFilterInputTypeCreator($this->manager);
 
@@ -167,20 +168,22 @@ public function resolveChildrenConnection(
             }
         });
 
+        // Filter by permission
+        $ids = $list->column('ID');
+        $permissionChecker = File::singleton()->getPermissionChecker();
+        $canViewIDs = array_keys(array_filter($permissionChecker->canViewMultiple(
+            $ids,
+            $context['currentUser']
+        )));
+        // Filter by visible IDs (or force empty set if none are visible)
+        $list = $list->filter('ID', $canViewIDs ?: 0);
+
         // Apply pagination
         $return = $childrenConnection->resolveList(
             $list,
             $args
         );
 
-        // Filter by permission. Converts from DataList to ArrayList
-        // TODO Add more records if records are filtered out here
-        /** @var Filterable $resolvedList */
-        $resolvedList = $return['edges'];
-        $return['edges'] = $resolvedList->filterByCallback(function (File $file) use ($context) {
-            return $file->canView($context['currentUser']);
-        });
-
         return $return;
     }