Make sure document permissions are not checked if not enabled

ajwad-shaikh · Aug 22, 2023 · 9edcf42 · 9edcf42
1 parent 3e04b0a
commit 9edcf42
Showing 1 changed file with 7 additions and 9 deletions.
diff --git a/src/Database/Database.php b/src/Database/Database.php
@@ -4062,8 +4062,13 @@ public function find(string $collection, array $queries = [], ?int $timeout = nu
  }
 
  $authorization = new Authorization(self::PERMISSION_READ);
+ $documentSecurity = $collection->getAttribute('documentSecurity', false);
  $skipAuth = $authorization->isValid($collection->getRead());
 
+ if (!$skipAuth && !$documentSecurity) {
+ throw new AuthorizationException($validator->getDescription());
+ }
+
  $relationships = \array_filter(
  $collection->getAttribute('attributes', []),
  fn (Document $attribute) => $attribute->getAttribute('type') === self::VAR_RELATIONSHIP
@@ -4092,7 +4097,6 @@ public function find(string $collection, array $queries = [], ?int $timeout = nu
 
  $selections = $this->validateSelections($collection, $selects);
  $nestedSelections = [];
- $nestedQueries = [];
 
  foreach ($queries as $index => &$query) {
  switch ($query->getMethod()) {
@@ -4129,14 +4133,14 @@ public function find(string $collection, array $queries = [], ?int $timeout = nu
  break;
  default:
  if (\str_contains($query->getAttribute(), '.')) {
- $nestedQueries[] = $query;
  unset($queries[$index]);
  }
  break;
  }
  }
 
  $queries = \array_values($queries);
+
  $getResults = fn () => $this->adapter->find(
  $collection->getId(),
  $queries,
@@ -4151,13 +4155,7 @@ public function find(string $collection, array $queries = [], ?int $timeout = nu
 
  $results = $skipAuth ? Authorization::skip($getResults) : $getResults();
 
- $attributes = $collection->getAttribute('attributes', []);
-
- $relationships = $this->resolveRelationships
- ? \array_filter($attributes, fn (Document $attribute) => $attribute->getAttribute('type') === self::VAR_RELATIONSHIP)
- : [];
-
- foreach ($results as $index => &$node) {
+ foreach ($results as &$node) {
  if ($this->resolveRelationships && (empty($selects) || !empty($nestedSelections))) {
  $node = $this->silent(fn () => $this->populateDocumentRelationships($collection, $node, $nestedSelections));
  }