From 525b2baf061404fbf46fc302a34e2168ff0c2bc4 Mon Sep 17 00:00:00 2001
From: Ali BARIN
Date: Tue, 22 Aug 2023 14:09:21 +0000
Subject: [PATCH] fix(mutations/execute-flow): correct permission check

---
 .../backend/src/graphql/mutations/execute-flow.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/packages/backend/src/graphql/mutations/execute-flow.ts b/packages/backend/src/graphql/mutations/execute-flow.ts
index 0bd09f7d..a172b0ee 100644
--- a/packages/backend/src/graphql/mutations/execute-flow.ts
+++ b/packages/backend/src/graphql/mutations/execute-flow.ts
@@ -1,5 +1,6 @@
 import Context from '../../types/express/context';
 import testRun from '../../services/test-run';
+import Step from '../../models/step';
 type Params = {
 input: {
@@ -12,12 +13,16 @@ const executeFlow = async (
 params: Params,
 context: Context
 ) => {
- context.currentUser.can('update', 'Flow');
+ const conditions = context.currentUser.can('update', 'Flow');
+ const isCreator = conditions.isCreator;
+ const allSteps = Step.query();
+ const userSteps = context.currentUser.$relatedQuery('steps');
+ const baseQuery = isCreator ? userSteps : allSteps;
 const { stepId } = params.input;
- const untilStep = await context.currentUser
- .$relatedQuery('steps')
+ const untilStep = await baseQuery
+ .clone()
 .findById(stepId)
 .throwIfNotFound();
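Review bot: The ternary `isCreator ? userSteps : allSteps` fails open — any falsy `isCreator`, including `undefined` from an unexpected shape of the object `can('update', 'Flow')` returns, selects the unscoped `Step.query()` and lets the caller execute a step from another user's flow; if `can` is only guaranteed to throw for denied users and may return without an `isCreator` condition in other cases, inverting the default so the user-scoped `$relatedQuery('steps')` is chosen unless the permission is explicitly unconditional would be the safer shape. The previous line `conditions.isCreator` also dereferences that return value, which the old code discarded, so it is worth confirming `can` never returns `undefined` on the allowed path. The authorization switch deserves a comment so the next reader does not "fix" it back to the creator-only query, e.g. `// An unconditional 'update' permission (no isCreator) may run steps of any flow; a creator-scoped one is limited to the user's own steps.` The executeFlow body continues past the hunk, so how `untilStep` is handed to testRun is not visible here.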