From 051b7d45befc331af3f73a669b2bb6467505902f Mon Sep 17 00:00:00 2001
From: Jarrod Flesch <jarrodmflesch@gmail.com>
Date: Wed, 24 Nov 2021 15:19:21 -0500
Subject: [PATCH] feat: applies upload access control to all auto-generated
 image sizes

---
 src/auth/getExecuteStaticAccess.ts | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/auth/getExecuteStaticAccess.ts b/src/auth/getExecuteStaticAccess.ts
index 8947c46ff0..3c9a01b7e6 100644
--- a/src/auth/getExecuteStaticAccess.ts
+++ b/src/auth/getExecuteStaticAccess.ts
@@ -1,4 +1,5 @@
 import { Response, NextFunction } from 'express';
+import { Where } from '../types';
 import executeAccess from './executeAccess';
 import { Forbidden } from '../errors';
 import { PayloadRequest } from '../express/types';
@@ -11,19 +12,33 @@ const getExecuteStaticAccess = ({ config, Model }) => async (req: PayloadRequest
       if (typeof accessResult === 'object') {
         const filename = decodeURI(req.path).replace(/^\/|\/$/g, '');
 
-        const queryToBuild = {
+        const queryToBuild: { where: Where } = {
           where: {
             and: [
               {
-                filename: {
-                  equals: filename,
-                },
+                or: [
+                  {
+                    filename: {
+                      equals: filename,
+                    },
+                  },
+                ],
               },
               accessResult,
             ],
           },
         };
 
+        if (config.upload.imageSizes) {
+          config.upload.imageSizes.forEach(({ name }) => {
+            queryToBuild.where.and[0].or.push({
+              [`sizes.${name}.filename`]: {
+                equals: filename,
+              },
+            });
+          });
+        }
+
         const query = await Model.buildQuery(queryToBuild, req.locale);
         const doc = await Model.findOne(query);