feat(reactions): add permission check when fetching all reactions

2024-03-11 22:38:38 +01:00 · 2024-03-11 22:38:38 +01:00 · 49b174e19f
parent 5c846ea990
commit 49b174e19f
1 changed files with 14 additions and 3 deletions
--- a/pkg/models/reaction.go
+++ b/pkg/models/reaction.go
@ -17,11 +17,13 @@
 package models

 import (
-	"code.vikunja.io/api/pkg/user"
-	"code.vikunja.io/web"
 	"time"
+
+	"code.vikunja.io/web"
 	"xorm.io/builder"
 	"xorm.io/xorm"
+
+	"code.vikunja.io/api/pkg/user"
 )

 type ReactionKind int
@ -74,7 +76,16 @@ type ReactionMap map[string][]*user.User
 // @Failure 403 {object} web.HTTPError "The user does not have access to the entity"
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /{kind}/{id}/reactions [get]
-func (r *Reaction) ReadAll(s *xorm.Session, _ web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+func (r *Reaction) ReadAll(s *xorm.Session, a web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+
+	can, _, err := r.CanRead(s, a)
+	if err != nil {
+		return nil, 0, 0, err
+	}
+	if !can {
+		return nil, 0, 0, ErrGenericForbidden{}
+	}
+
 	reactions := []*Reaction{}
 	err = s.Where("entity_id = ? AND entity_kind = ?", r.EntityID, r.EntityKind).Find(&reactions)
 	if err != nil {