// @ts-strict-ignore
import executeAccess from '../auth/executeAccess.js';
import { Forbidden } from '../errors/Forbidden.js';
/**
 * Gate a static-file read behind the collection's `read` access control.
 *
 * Flow, as visible in this function:
 *  1. Reject filenames containing the literal substrings `../` or `..\`.
 *  2. Run `config.access.read` through `executeAccess`, flagged as a static
 *     file read.
 *  3. If the access result is an object, treat it as a query constraint:
 *     look up one document whose `filename` (or any configured image-size
 *     `sizes.<name>.filename`) equals the requested filename AND which
 *     satisfies that constraint. No match means Forbidden.
 *
 * @param {object} args
 * @param {object} args.collection - Collection wrapper; only `config` is read.
 * @param {string} args.filename - Requested file name.
 * @param {object} args.req - Request; `req.t` and `req.payload.db` are used.
 * @returns {Promise<object|undefined>} The matching document when the access
 *   result was an object; otherwise `undefined` (no lookup is performed).
 * @throws {Forbidden} On a traversal marker in `filename`, or when the
 *   constrained lookup finds no document.
 */
export const checkFileAccess = async ({ collection, filename, req }) => {
  // Substring check only: exactly these two markers are rejected.
  // NOTE(review): percent-encoded or otherwise transformed separators are not
  // examined here — confirm the caller passes an already-decoded filename and
  // that the on-disk path is resolved inside the upload directory.
  const hasTraversalMarker = ['../', '..\\'].some((marker) => filename.includes(marker));
  if (hasTraversalMarker) {
    throw new Forbidden(req.t);
  }

  const { config } = collection;

  const accessResult = await executeAccess(
    {
      data: { filename },
      isReadingStaticFile: true,
      req,
    },
    config.access.read,
  );

  // A non-object result ends the check here without a database lookup.
  // NOTE(review): presumably this is the `true` (unconditional allow) case and
  // a denial is raised inside executeAccess — verify, since this function
  // itself does not throw on a falsy result.
  if (typeof accessResult !== 'object') {
    return;
  }

  // The requested name may refer to the original upload or to any generated
  // image size, so every candidate filename field is OR-ed together.
  const filenameMatches = [{ filename: { equals: filename } }];
  if (config.upload.imageSizes) {
    config.upload.imageSizes.forEach(({ name }) => {
      filenameMatches.push({
        [`sizes.${name}.filename`]: { equals: filename },
      });
    });
  }

  // The access constraint is AND-ed with the filename match, so a document is
  // returned only if the access query also admits it.
  const where = {
    and: [{ or: filenameMatches }, accessResult],
  };

  const doc = await req.payload.db.findOne({
    collection: config.slug,
    req,
    where,
  });

  if (!doc) {
    throw new Forbidden(req.t);
  }
  return doc;
};
//# sourceMappingURL=checkFileAccess.js.map