3pp-mirror/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-05-20 14:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

🐛 Set proper permission check on retrieving team users.

Browse source
This commit is contained in:
Andrey Antukh 2021-01-19 12:53:31 +01:00 committed by Alonso Torres
parent 4fbd2e6caa
commit 15edabc977
2 changed files with 3 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
backend/src/app/rpc/queries/teams.clj
View file

@ -147,10 +147,10 @@
(with-open [conn (db/open pool)] (with-open [conn (db/open pool)]
(if team-id (if team-id
(do (do
(check-edition-permissions! conn profile-id team-id) (check-read-permissions! conn profile-id team-id)
(retrieve-users conn team-id)) (retrieve-users conn team-id))
(let [{team-id :id} (retrieve-team-for-file conn file-id)] (let [{team-id :id} (retrieve-team-for-file conn file-id)]
(check-edition-permissions! conn profile-id team-id) (check-read-permissions! conn profile-id team-id)
(retrieve-users conn team-id))))) (retrieve-users conn team-id)))))
;; This is a similar query to team members but can contain more data ;; This is a similar query to team members but can contain more data

3
frontend/src/app/main/ui.cljs
View file

@ -239,10 +239,9 @@
(defmethod ptk/handle-error :authorization (defmethod ptk/handle-error :authorization
[error] [error]
(st/emit! (rt/nav :login))
(ts/schedule (ts/schedule
(st/emitf (dm/show {:content "Not authorized to see this content." (st/emitf (dm/show {:content "Not authorized to see this content."
:timeout 3000 :timeout 2000
:type :error})))) :type :error}))))
(defmethod ptk/handle-error :assertion (defmethod ptk/handle-error :assertion