Merge pull request #1079 from frknbasaran/server-1561

ar2rsawseen · web-flow · commit f08f905ce979 · 2019-10-16T18:01:51.000+03:00
[server-1561] added user access control for collections from app_rest…
diff --git a/plugins/dbviewer/api/api.js b/plugins/dbviewer/api/api.js
@@ -250,13 +250,24 @@ var common = require('../../../api/utils/common.js'),
             var apps = [];
             if (params.qstring.app_id) {
                 //if app_id was provided, we need to check if user has access for this app_id
-                if (params.member.global_admin || (params.member.user_of && params.member.user_of.indexOf(params.qstring.app_id) !== -1)) {
+                // is user_of array contain current app_id?
+                var isUserOf = params.member.user_of && params.member.user_of.indexOf(params.qstring.app_id) !== -1;
+                var isRestricted = params.member.app_restrict && params.member.app_restrict[params.qstring.app_id] && params.member.app_restrict[params.qstring.app_id].indexOf("#/manage/db");
+                if (params.member.global_admin || isUserOf && !isRestricted) {
                     apps = [params.qstring.app_id];
                 }
             }
             else {
                 //use whatever user has permission for
                 apps = params.member.user_of || [];
+                // also check for app based restrictions
+                if (params.member.app_restrict) {
+                    for (var app_id in params.member.app_restrict) {
+                        if (params.member.app_restrict[app_id].indexOf("#/manage/db") !== -1 && apps.indexOf(app_id) !== -1) {
+                            apps.splice(apps.indexOf(app_id), 1);
+                        }
+                    }
+                }
             }
             var appList = [];
             if (collection.indexOf("events") === 0 || collection.indexOf("drill_events") === 0) {
diff --git a/plugins/dbviewer/frontend/public/javascripts/countly.views.js b/plugins/dbviewer/frontend/public/javascripts/countly.views.js
@@ -83,7 +83,9 @@ window.DBViewerView = countlyView.extend({
         $('#app-list').prepend('<div data-value="all" class="app-option item" data-localize=""><span class="app-title-in-dropdown">' + $.i18n.map["common.all"] + '</span></div>');
         // append list items
         for (var key in countlyGlobal.apps) {
-            $('#app-list').append('<div data-value="' + countlyGlobal.apps[key]._id + '" class="app-option item" data-localize=""><span class="app-title-in-dropdown">' + countlyGlobal.apps[key].name + '</span></div>');
+            if (!countlyGlobal.member.app_restrict || (countlyGlobal.member.app_restrict && !countlyGlobal.member.app_restrict[key])) {
+                $('#app-list').append('<div data-value="' + countlyGlobal.apps[key]._id + '" class="app-option item" data-localize=""><span class="app-title-in-dropdown">' + countlyGlobal.apps[key].name + '</span></div>');
+            }
         }
         // set height 
         if ($('#dbviewer').height() < (window.innerHeight - 150)) {
