fix /reports/[id] to return the correct permission

Wells Bunker 2025-09-16 16:05:09 -06:00
parent 5152635ef5
commit 866963bcb7
No known key found for this signature in database
GPG Key ID: DB16D6F2679B78FC
2 changed files with 12 additions and 6 deletions


@ -1,4 +1,4 @@
import { hasAssetPermission } from '@buster/access-controls'; import { checkPermission } from '@buster/access-controls';
import { getReport, getReportMetadata } from '@buster/database'; import { getReport, getReportMetadata } from '@buster/database';
import type { GetReportResponse } from '@buster/server-shared/reports'; import type { GetReportResponse } from '@buster/server-shared/reports';
import { Hono } from 'hono'; import { Hono } from 'hono';
@ -23,7 +23,7 @@ export async function getReportHandler(
} }
// Check access using existing asset permission system // Check access using existing asset permission system
const hasAccess = await hasAssetPermission({ const assetPermissionResult = await checkPermission({
userId: user.id, userId: user.id,
assetId: reportId, assetId: reportId,
assetType: 'report_file', assetType: 'report_file',
@ -32,12 +32,16 @@ export async function getReportHandler(
workspaceSharing: reportData.workspaceSharing, workspaceSharing: reportData.workspaceSharing,
}); });
if (!hasAccess) { if (!assetPermissionResult.hasAccess) {
throw new HTTPException(403, { message: 'You do not have access to this report' }); throw new HTTPException(403, { message: 'You do not have access to this report' });
} }
// If access is granted, get the full report data // If access is granted, get the full report data
const report = await getReport({ reportId, userId: user.id }); const report = await getReport({
reportId,
userId: user.id,
permissionRole: assetPermissionResult.effectiveRole,
});
const response: GetReportResponse = report; const response: GetReportResponse = report;
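Review bot: In the `getReport` call at the end of this section, `assetPermissionResult.effectiveRole` is forwarded without checking that it is set. `checkPermission` is not visible here, so if it can report `hasAccess` without an effective role (possibly when access comes from workspace sharing), `getReport` falls back to its own lookup and the returned permission may still be wrong. A comment above the call would make that dependency explicit, for example `// effectiveRole is resolved by checkPermission; when undefined, getReport falls back to the direct permission or 'can_view'`. getReportHandler starts and ends outside the visible hunks.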


@ -2,6 +2,7 @@ import { and, eq, isNull } from 'drizzle-orm';
import { z } from 'zod'; import { z } from 'zod';
import { db } from '../../connection'; import { db } from '../../connection';
import { import {
assetPermissionRoleEnum,
assetPermissions, assetPermissions,
collections, collections,
collectionsToAssets, collectionsToAssets,
@ -14,6 +15,7 @@ import { getOrganizationMemberCount, getUserOrganizationId } from '../organizati
export const GetReportInputSchema = z.object({ export const GetReportInputSchema = z.object({
reportId: z.string().uuid('Report ID must be a valid UUID'), reportId: z.string().uuid('Report ID must be a valid UUID'),
userId: z.string().uuid('User ID must be a valid UUID'), userId: z.string().uuid('User ID must be a valid UUID'),
permissionRole: z.enum(assetPermissionRoleEnum.enumValues).optional(),
}); });
type GetReportInput = z.infer<typeof GetReportInputSchema>; type GetReportInput = z.infer<typeof GetReportInputSchema>;
@ -21,7 +23,7 @@ type GetReportInput = z.infer<typeof GetReportInputSchema>;
export async function getReport(input: GetReportInput) { export async function getReport(input: GetReportInput) {
const validated = GetReportInputSchema.parse(input); const validated = GetReportInputSchema.parse(input);
const { reportId, userId } = validated; const { reportId, userId, permissionRole } = validated;
const userOrg = await getUserOrganizationId(userId); const userOrg = await getUserOrganizationId(userId);
@ -144,7 +146,7 @@ export async function getReport(input: GetReportInput) {
versions: versionHistoryArray, versions: versionHistoryArray,
collections: reportCollectionsResult, collections: reportCollectionsResult,
individual_permissions: individualPermissionsResult, individual_permissions: individualPermissionsResult,
permission: userPermission ?? 'can_view', permission: permissionRole ? permissionRole : (userPermission ?? 'can_view'),
workspace_member_count: workspaceMemberCount, workspace_member_count: workspaceMemberCount,
}; };
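Review bot: In the last hunk, `getReport` returns a caller-supplied `permissionRole` as the report's `permission` without deriving it itself, so the value is only as trustworthy as whoever calls it. The new schema field should carry a doc comment stating that contract, for example `/** Role already resolved by a server-side permission check; never populate from request data. */`. The ternary can also be written `permission: permissionRole ?? userPermission ?? 'can_view',`, which should behave the same as long as the enum has no empty-string value. The `'can_view'` default still applies when neither value is present, which is worth a comment if it is intended. The body of getReport runs outside the visible hunks.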