Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix /reports/[id] to return the correct permission

This commit is contained in:
Wells Bunker 2025-09-16 16:05:09 -06:00
parent 5152635ef5
commit 866963bcb7
No known key found for this signature in database
GPG Key ID: DB16D6F2679B78FC
2 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
apps/server/src/api/v2/reports/[id]/GET.ts
View File

@ -1,4 +1,4 @@
import { hasAssetPermission } from '@buster/access-controls';
import { checkPermission } from '@buster/access-controls';
import { getReport, getReportMetadata } from '@buster/database';
import type { GetReportResponse } from '@buster/server-shared/reports';
import { Hono } from 'hono';
@ -23,7 +23,7 @@ export async function getReportHandler(
}
// Check access using existing asset permission system
const hasAccess = await hasAssetPermission({
const assetPermissionResult = await checkPermission({
userId: user.id,
assetId: reportId,
assetType: 'report_file',
@ -32,12 +32,16 @@ export async function getReportHandler(
workspaceSharing: reportData.workspaceSharing,
});
if (!hasAccess) {
if (!assetPermissionResult.hasAccess) {
throw new HTTPException(403, { message: 'You do not have access to this report' });
}
// If access is granted, get the full report data
const report = await getReport({ reportId, userId: user.id });
const report = await getReport({
reportId,
userId: user.id,
permissionRole: assetPermissionResult.effectiveRole,
});
const response: GetReportResponse = report;

6
packages/database/src/queries/reports/get-report.ts
View File

@ -2,6 +2,7 @@ import { and, eq, isNull } from 'drizzle-orm';
import { z } from 'zod';
import { db } from '../../connection';
import {
assetPermissionRoleEnum,
assetPermissions,
collections,
collectionsToAssets,
@ -14,6 +15,7 @@ import { getOrganizationMemberCount, getUserOrganizationId } from '../organizati
export const GetReportInputSchema = z.object({
reportId: z.string().uuid('Report ID must be a valid UUID'),
userId: z.string().uuid('User ID must be a valid UUID'),
permissionRole: z.enum(assetPermissionRoleEnum.enumValues).optional(),
});
type GetReportInput = z.infer<typeof GetReportInputSchema>;
@ -21,7 +23,7 @@ type GetReportInput = z.infer<typeof GetReportInputSchema>;
export async function getReport(input: GetReportInput) {
const validated = GetReportInputSchema.parse(input);
const { reportId, userId } = validated;
const { reportId, userId, permissionRole } = validated;
const userOrg = await getUserOrganizationId(userId);
@ -144,7 +146,7 @@ export async function getReport(input: GetReportInput) {
versions: versionHistoryArray,
collections: reportCollectionsResult,
individual_permissions: individualPermissionsResult,
permission: userPermission ?? 'can_view',
permission: permissionRole ? permissionRole : (userPermission ?? 'can_view'),
workspace_member_count: workspaceMemberCount,
};