[#6201] expanded the hidden fields check and allow targetting hidden fields in the List API rule

2025-11-24 07:04:51 +02:00 · 2024-12-29 17:31:58 +02:00
parent 2af9b554ad
commit a8952cfca2
6 changed files with 159 additions and 14 deletions
--- a/apis/record_crud.go
+++ b/apis/record_crud.go
@@ -59,23 +59,27 @@ func recordsList(e *core.RequestEvent) error {
 		return err
 	}

-	fieldsResolver := core.NewRecordFieldResolver(
-		e.App,
-		collection,
-		requestInfo,
-		// hidden fields are searchable only by superusers
-		requestInfo.HasSuperuserAuth(),
-	)
+	query := e.App.RecordQuery(collection)

-	searchProvider := search.NewProvider(fieldsResolver).
-		Query(e.App.RecordQuery(collection))
+	fieldsResolver := core.NewRecordFieldResolver(e.App, collection, requestInfo, true)

-	if !requestInfo.HasSuperuserAuth() && collection.ListRule != nil {
-		searchProvider.AddFilter(search.FilterData(*collection.ListRule))
+	if !requestInfo.HasSuperuserAuth() && collection.ListRule != nil && *collection.ListRule != "" {
+		expr, err := search.FilterData(*collection.ListRule).BuildExpr(fieldsResolver)
+		if err != nil {
+			return err
+		}
+		query.AndWhere(expr)
+
+		// will be applied by the search provider right before executing the query
+		// fieldsResolver.UpdateQuery(query)
 	}

-	records := []*core.Record{}
+	// hidden fields are searchable only by superusers
+	fieldsResolver.SetAllowHiddenFields(requestInfo.HasSuperuserAuth())

+	searchProvider := search.NewProvider(fieldsResolver).Query(query)
+
+	records := []*core.Record{}
 	result, err := searchProvider.ParseAndExec(e.Request.URL.Query().Encode(), &records)
 	if err != nil {
 		return firstApiError(err, e.BadRequestError("", err))
@@ -109,7 +113,7 @@ func recordsList(e *core.RequestEvent) error {
 			len(e.Records) == 0 &&
 			checkRateLimit(e.RequestEvent, "@pb_list_timing_check_"+collection.Id, listTimingRateLimitRule) != nil {
 			e.App.Logger().Debug("Randomized throttle because of too many failed searches", "collectionId", collection.Id)
-			randomizedThrottle(100)
+			randomizedThrottle(150)
 		}

 		return e.JSON(http.StatusOK, e.Result)
--- a/apis/record_crud_test.go
+++ b/apis/record_crud_test.go
@@ -259,6 +259,47 @@ func TestRecordCrudList(t *testing.T) {
 				"OnRecordEnrich":       4,
 			},
 		},
+		{
+			Name:   "authenticated regular record that matches the collection list rule with hidden field",
+			Method: http.MethodGet,
+			URL:    "/api/collections/demo3/records",
+			Headers: map[string]string{
+				// clients, test@example.com
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImdrMzkwcWVnczR5NDd3biIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoidjg1MXE0cjc5MHJoa25sIiwiZXhwIjoyNTI0NjA0NDYxLCJyZWZyZXNoYWJsZSI6dHJ1ZX0.0ONnm_BsvPRZyDNT31GN1CKUB6uQRxvVvQ-Wc9AZfG0",
+			},
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				col, err := app.FindCollectionByNameOrId("demo3")
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// mock hidden field
+				col.Fields.GetByName("title").SetHidden(true)
+
+				col.ListRule = types.Pointer("title ~ 'test'")
+
+				if err = app.Save(col); err != nil {
+					t.Fatal(err)
+				}
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"page":1`,
+				`"perPage":30`,
+				`"totalPages":1`,
+				`"totalItems":4`,
+				`"items":[{`,
+				`"id":"1tmknxy2868d869"`,
+				`"id":"lcl9d87w22ml6jy"`,
+				`"id":"7nwo8tuiatetxdm"`,
+				`"id":"mk5fmymtx4wsprk"`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                    0,
+				"OnRecordsListRequest": 1,
+				"OnRecordEnrich":       4,
+			},
+		},
 		{
 			Name:   "authenticated regular record filtering with a hidden field",
 			Method: http.MethodGet,