From 457249c4e3cf2e34271f6047e639109f90b688a9 Mon Sep 17 00:00:00 2001
From: Markus Brueckner
Date: Mon, 17 Feb 2025 09:04:24 +0100
Subject: [PATCH] fix broken permissions check for shared surveys

Closes #20
---
 src/db/survey.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/db/survey.ts b/src/db/survey.ts
index 8ba36a4..5a1476c 100644
--- a/src/db/survey.ts
+++ b/src/db/survey.ts
@@ -170,7 +170,14 @@ export async function addSkill(surveyId: number, title: string, description: str
 /// Check whether a given user has at least the given access level to the given survey. This is based on a database query and doesn't need the survey object already to be loaded
 export async function hasAccess(surveyId: number, userId: number, accessLevel: AccessLevel): Promise {
- const result = await db.select().from(surveyPermissionsTable).where(and(eq(surveyPermissionsTable.surveyId, surveyId), eq(surveyPermissionsTable.user, userId), gte(surveyPermissionsTable.access, accessLevel)));
+ const result = await db.select().from(surveyPermissionsTable).where(
+ and(
+ eq(surveyPermissionsTable.surveyId, surveyId),
+ or(
+ eq(surveyPermissionsTable.user, userId),
+ isNull(surveyPermissionsTable.user)
+ ),
+ gte(surveyPermissionsTable.access, accessLevel)));
 return result.length > 0;
 }
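Review bot: The added `isNull(surveyPermissionsTable.user)` branch makes any permission row with a NULL user satisfy `hasAccess` for every `userId`, yet neither the code nor the `///` comment above the function says that NULL is the "shared with everyone" marker. The table definition is not visible in this hunk, so it is worth confirming that `user` can only be NULL for an intentional share; if it can become NULL another way (for example a foreign key that nulls the column when a user is deleted), that row would turn into a grant for all users at its stored access level. I would extend the doc comment with `/// A permission row whose user is NULL is a share with all users and matches any userId at that row's access level.` so the rule is explicit for anyone writing to this table. Since only existence is tested, the query could also end in `.limit(1)`.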