feat(reactions): add permission check when fetching all reactions
parent
5c846ea990
commit
49b174e19f
|
@ -17,11 +17,13 @@
|
||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"code.vikunja.io/api/pkg/user"
|
|
||||||
"code.vikunja.io/web"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"code.vikunja.io/web"
|
||||||
"xorm.io/builder"
|
"xorm.io/builder"
|
||||||
"xorm.io/xorm"
|
"xorm.io/xorm"
|
||||||
|
|
||||||
|
"code.vikunja.io/api/pkg/user"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ReactionKind int
|
type ReactionKind int
|
||||||
|
@ -74,7 +76,16 @@ type ReactionMap map[string][]*user.User
|
||||||
// @Failure 403 {object} web.HTTPError "The user does not have access to the entity"
|
// @Failure 403 {object} web.HTTPError "The user does not have access to the entity"
|
||||||
// @Failure 500 {object} models.Message "Internal error"
|
// @Failure 500 {object} models.Message "Internal error"
|
||||||
// @Router /{kind}/{id}/reactions [get]
|
// @Router /{kind}/{id}/reactions [get]
|
||||||
func (r *Reaction) ReadAll(s *xorm.Session, _ web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
|
func (r *Reaction) ReadAll(s *xorm.Session, a web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
|
||||||
|
|
||||||
|
can, _, err := r.CanRead(s, a)
|
||||||
|
if err != nil {
|
||||||
|
return nil, 0, 0, err
|
||||||
|
}
|
||||||
|
if !can {
|
||||||
|
return nil, 0, 0, ErrGenericForbidden{}
|
||||||
|
}
|
||||||
|
|
||||||
reactions := []*Reaction{}
|
reactions := []*Reaction{}
|
||||||
err = s.Where("entity_id = ? AND entity_kind = ?", r.EntityID, r.EntityKind).Find(&reactions)
|
err = s.Where("entity_id = ? AND entity_kind = ?", r.EntityID, r.EntityKind).Find(&reactions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
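Review bot: The new `CanRead` guard at the top of `ReadAll` is the only thing between the caller and the `entity_id`/`entity_kind` query, yet the hunk neither documents it nor pins it with a test. I would put a comment above it, `// Check read access before querying: reactions must only be visible to users who can read the entity.`, and add a test asserting that a user without access to the entity gets `ErrGenericForbidden{}` back; no test change is visible on this page. The removed signature discarded the auth argument as `_ web.Auth`, so other `ReadAll` implementations that blank out the same parameter are worth checking for the same gap. The body of `ReadAll` continues past the end of the hunk, so how the result is built after the query cannot be reviewed from here.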