fix: let permitted users delete others' flows (#1417)

2023-11-08 16:55:30 +01:00
parent e1fac78aba
commit 2d52cab693
1 changed files with 7 additions and 3 deletions
--- a/packages/backend/src/graphql/mutations/delete-flow.ts
+++ b/packages/backend/src/graphql/mutations/delete-flow.ts
@@ -1,4 +1,5 @@
 import Context from '../../types/express/context';
+import Flow from '../../models/flow';
 import Execution from '../../models/execution';
 import ExecutionStep from '../../models/execution-step';
 import globalVariable from '../../helpers/global-variable';
@@ -15,10 +16,13 @@ const deleteFlow = async (
  params: Params,
  context: Context
 ) => {
-  context.currentUser.can('delete', 'Flow');
+  const conditions = context.currentUser.can('delete', 'Flow');
+  const isCreator = conditions.isCreator;
+  const allFlows = Flow.query();
+  const userFlows = context.currentUser.$relatedQuery('flows');
+  const baseQuery = isCreator ? userFlows : allFlows;

-  const flow = await context.currentUser
-    .$relatedQuery('flows')
+  const flow = await baseQuery
    .findOne({
      id: params.input.id,
    })