From c2722c2626624a8376cda614a1c5cc768843c30b Mon Sep 17 00:00:00 2001
From: Lucas Aymon <32235434+lucas-it@users.noreply.github.com>
Date: Mon, 25 Apr 2022 20:13:16 +0200
Subject: [PATCH] feat: check create folder permissions

---
 server/graph/resolvers/asset.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server/graph/resolvers/asset.js b/server/graph/resolvers/asset.js
index 91efbdda..c289fa3b 100644
--- a/server/graph/resolvers/asset.js
+++ b/server/graph/resolvers/asset.js
@@ -55,6 +55,15 @@ module.exports = {
 parentId: parentFolderId,
 slug: folderSlug
 }).first()
+
+ const hierarchy = parentFolderId ? await WIKI.models.assetFolders.getHierarchy(parentFolderId) : []
+
+ // Check target folder permissions
+ const folderTargetPath = parentFolderId ? hierarchy.map(h => h.slug).join('/') + `/${folderSlug}` : folderSlug
+ if (!WIKI.auth.checkAccess(context.req.user, ['write:assets'], { path: folderTargetPath })) {
+ throw new WIKI.Error.AssetCreateFolderForbidden()
+ }
+
 if (!result) {
 await WIKI.models.assetFolders.query().insert({
 slug: folderSlug,
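Review bot: The path passed to `checkAccess` starts with a slash whenever `parentFolderId` is set but `hierarchy` comes back empty, so the `write:assets` rule is evaluated against `/<slug>` rather than the folder's real location. Whether `getHierarchy` can return an empty list for an unknown id is not visible here, but nothing in the hunk confirms that the parent exists before the insert that follows. Building the path as `const folderTargetPath = [...hierarchy.map(h => h.slug), folderSlug].join('/')` removes the ternary and the mixed concatenation, and covers the root case too. An explicit rejection along the lines of `if (parentFolderId && hierarchy.length === 0)` would keep the authorization check and the insert in agreement. The resolver starts and ends outside the hunk, so an earlier validation of `parentFolderId` or `folderSlug` cannot be ruled out.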