
Fixed rights check on lists and namespaces (#62)

konrad
2019-03-08 21:31:37 +00:00
committed by Gitea
parent 65f428fe78
commit eb4d38b5b8
14 changed files with 118 additions and 161 deletions


@ -32,26 +32,26 @@ import "code.vikunja.io/web"
// @Failure 403 {object} code.vikunja.io/web.HTTPError "No right to see the list."
// @Failure 500 {object} models.Message "Internal error"
// @Router /lists/{id}/users [get]
func (ul *ListUser) ReadAll(search string, a web.Auth, page int) (interface{}, error) {
func (lu *ListUser) ReadAll(search string, a web.Auth, page int) (interface{}, error) {
u, err := getUserWithError(a)
if err != nil {
return nil, err
}
// Check if the user has access to the list
l := &List{ID: ul.ListID}
l := &List{ID: lu.ListID}
if err := l.GetSimpleByID(); err != nil {
return nil, err
}
if !l.CanRead(u) {
return nil, ErrNeedToHaveListReadAccess{UserID: u.ID, ListID: ul.ListID}
return nil, ErrNeedToHaveListReadAccess{UserID: u.ID, ListID: lu.ListID}
}
// Get all users
all := []*UserWithRight{}
err = x.
Join("INNER", "users_list", "user_id = users.id").
Where("users_list.list_id = ?", ul.ListID).
Where("users_list.list_id = ?", lu.ListID).
Limit(getLimitFromPageIndex(page)).
Where("users.username LIKE ?", "%"+search+"%").
Find(&all)