@@ -1758,8 +1758,10 @@ export class DatabaseConnection extends events.EventEmitter {
17581758 await this . connect ( span ) ;
17591759 const user : TokenUser = await Crypt . verityToken ( q . jwt ) ;
17601760 if ( user . dblocked && ! user . HasRoleName ( "admins" ) ) throw new Error ( "Access denied (db locked) could be due to hitting quota limit for " + user . username ) ;
1761- if ( ! DatabaseConnection . hasAuthorization ( user , ( q . item as Base ) , Rights . update ) ) {
1762- throw new Error ( "Access denied, no authorization to UpdateOne with current ACL" ) ;
1761+ if ( q . query === null || q . query === undefined ) {
1762+ if ( ! DatabaseConnection . hasAuthorization ( user , ( q . item as Base ) , Rights . update ) ) {
1763+ throw new Error ( "Access denied, no authorization to UpdateOne with current ACL" ) ;
1764+ }
17631765 }
17641766 if ( q . collectionname === "files" ) { q . collectionname = "fs.files" ; }
17651767
@@ -1883,9 +1885,12 @@ export class DatabaseConnection extends events.EventEmitter {
18831885 }
18841886 }
18851887 }
1886- if ( q . item . _acl === null || q . item . _acl === undefined ) {
1888+ if ( q . item . _acl === null || q . item . _acl === undefined || ! Array . isArray ( q . item . _acl ) ) {
18871889 q . item . _acl = original . _acl ;
18881890 q . item . _version = original . _version ;
1891+ if ( ! DatabaseConnection . hasAuthorization ( user , ( q . item as Base ) , Rights . update ) ) {
1892+ throw new Error ( "Access denied, no authorization to UpdateOne with current ACL" ) ;
1893+ }
18891894 }
18901895 q . item = this . ensureResource ( q . item , q . collectionname ) ;
18911896 if ( user . _id != WellknownIds . root && original . _type != q . item . _type && ! await this . CheckEntityRestriction ( user , q . collectionname , q . item , span ) ) {
@@ -1940,9 +1945,13 @@ export class DatabaseConnection extends events.EventEmitter {
19401945 }
19411946 }
19421947 }
1943- if ( ( q . item as any ) . metadata . _acl === null || ( q . item as any ) . metadata . _acl === undefined ) {
1948+ if ( ( q . item as any ) . metadata . _acl === null || ( q . item as any ) . metadata . _acl === undefined || ! Array . isArray ( ( q . item as any ) . metadata . _acl ) ) {
19441949 ( q . item as any ) . metadata . _acl = ( original as any ) . metadata . _acl ;
19451950 ( q . item as any ) . metadata . _version = ( original as any ) . metadata . _version ;
1951+ if ( ! DatabaseConnection . hasAuthorization ( user , ( q . item as any ) . metadata , Rights . update ) ) {
1952+ throw new Error ( "Access denied, no authorization to UpdateOne with current ACL" ) ;
1953+ }
1954+
19461955 }
19471956 ( q . item as any ) . metadata = this . ensureResource ( ( q . item as any ) . metadata , q . collectionname ) ;
19481957 DatabaseConnection . traversejsonencode ( q . item ) ;
@@ -3144,7 +3153,7 @@ export class DatabaseConnection extends events.EventEmitter {
31443153 return true ;
31453154 }
31463155
3147- if ( item . _acl != null && item . _acl != undefined ) {
3156+ if ( item . _acl != null && item . _acl != undefined && Array . isArray ( item . _acl ) ) {
31483157 if ( typeof item . _acl === 'string' || item . _acl instanceof String ) {
31493158 item . _acl = JSON . parse ( ( item . _acl as any ) ) ;
31503159 }
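Review bot: In the second hunk (lines 1888–1893 new side) the restored hasAuthorization check only runs inside the `_acl` missing/non-array branch, so for the query path introduced in the first hunk (where the up-front check at 1761 is now skipped) an item that arrives with its own well-formed `_acl` array reaches the update with no Rights.update check visible in these hunks; the third hunk's metadata branch has the same shape. Unless `original` is already fetched with ACL filtering elsewhere in UpdateOne (not visible here), the check should be hoisted out of the branch so it runs after `_acl` is normalized regardless of which `_acl` the client sent, e.g. `if (!DatabaseConnection.hasAuthorization(user, (q.item as Base), Rights.update)) { throw new Error("Access denied, no authorization to UpdateOne with current ACL"); }` placed right before `q.item = this.ensureResource(...)`. In the fourth hunk the added `Array.isArray(item._acl)` guard makes the following `typeof item._acl === 'string'` JSON.parse branch unreachable, so either the string case is dropped deliberately and that branch should go, or the guard belongs after the parse. The stray empty line added at 1954 in the third hunk should also be removed. The enclosing UpdateOne body and the function holding the fourth hunk both start and end outside these hunks.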