feat: applies upload access control to all auto-generated image sizes

2021-11-24 15:19:21 -05:00
parent da6e1df293
commit 051b7d45be
1 changed files with 19 additions and 4 deletions
--- a/src/auth/getExecuteStaticAccess.ts
+++ b/src/auth/getExecuteStaticAccess.ts
@@ -1,4 +1,5 @@
 import { Response, NextFunction } from 'express';
+import { Where } from '../types';
 import executeAccess from './executeAccess';
 import { Forbidden } from '../errors';
 import { PayloadRequest } from '../express/types';
@@ -11,19 +12,33 @@ const getExecuteStaticAccess = ({ config, Model }) => async (req: PayloadRequest
      if (typeof accessResult === 'object') {
        const filename = decodeURI(req.path).replace(/^\/|\/$/g, '');

-        const queryToBuild = {
+        const queryToBuild: { where: Where } = {
          where: {
            and: [
              {
-                filename: {
-                  equals: filename,
-                },
+                or: [
+                  {
+                    filename: {
+                      equals: filename,
+                    },
+                  },
+                ],
              },
              accessResult,
            ],
          },
        };

+        if (config.upload.imageSizes) {
+          config.upload.imageSizes.forEach(({ name }) => {
+            queryToBuild.where.and[0].or.push({
+              [`sizes.${name}.filename`]: {
+                equals: filename,
+              },
+            });
+          });
+        }
+
        const query = await Model.buildQuery(queryToBuild, req.locale);
        const doc = await Model.findOne(query);