fix(storage): authorization checks not consistent with db permissions

ConduitPlatform · Nov 15, 2023 · 2202583 · 2202583
1 parent 87cc95c
commit 2202583
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/modules/storage/src/handlers/file.ts b/modules/storage/src/handlers/file.ts
@@ -47,7 +47,7 @@ export class FileHandlers {
       if (action === 'create' && request.queryParams.scope) {
         const allowed = await this.grpcSdk.authorization?.can({
           subject: `User:${request.context.user._id}`,
-          actions: [action],
+          actions: ['read'],
           resource: request.params.scope,
         });
         if (!allowed || !allowed.allow) {
@@ -75,7 +75,7 @@ export class FileHandlers {
       if (request.queryParams.scope) {
         const allowed = await this.grpcSdk.authorization?.can({
           subject: `User:${request.context.user._id}`,
-          actions: ['create'],
+          actions: ['read'],
           resource: request.params.scope,
         });
         if (!allowed || !allowed.allow) {