updated changelog formatting and temp moved the admin only rule checks to the record_helpers

2025-11-24 15:14:30 +02:00 · 2023-12-10 21:06:02 +02:00
parent 98c8c98603
commit b0f027d27a
5 changed files with 67 additions and 48 deletions
--- a/apis/record_crud.go
+++ b/apis/record_crud.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
-	"strings"

 	"github.com/labstack/echo/v5"
 	"github.com/pocketbase/dbx"
@@ -43,13 +42,13 @@ func (api *recordApi) list(c echo.Context) error {
 		return NewNotFoundError("", "Missing collection context.")
 	}

+	requestInfo := RequestInfo(c)
+
 	// forbid users and guests to query special filter/sort fields
-	if err := api.checkForForbiddenQueryFields(c); err != nil {
+	if err := checkForAdminOnlyRuleFields(requestInfo); err != nil {
 		return err
 	}

-	requestInfo := RequestInfo(c)
-
 	if requestInfo.Admin == nil && collection.ListRule == nil {
 		// only admins can access if the rule is nil
 		return NewForbiddenError("Only admins can perform this action.", nil)
@@ -409,21 +408,3 @@ func (api *recordApi) delete(c echo.Context) error {
 		})
 	})
 }
-
-func (api *recordApi) checkForForbiddenQueryFields(c echo.Context) error {
-	admin, _ := c.Get(ContextAdminKey).(*models.Admin)
-	if admin != nil {
-		return nil // admins are allowed to query everything
-	}
-
-	decodedQuery := c.QueryParam(search.FilterQueryParam) + c.QueryParam(search.SortQueryParam)
-	forbiddenFields := []string{"@collection.", "@request."}
-
-	for _, field := range forbiddenFields {
-		if strings.Contains(decodedQuery, field) {
-			return NewForbiddenError("Only admins can filter by @collection and @request query params", nil)
-		}
-	}
-
-	return nil
-}