From 7d6d1fd15121e35c3be8a6a28c12ec080d5d9001 Mon Sep 17 00:00:00 2001
From: Khor Shu Heng <32997938+khorshuheng@users.noreply.github.com>
Date: Thu, 17 Oct 2024 17:03:12 +0800
Subject: [PATCH] chore: add access control to appflowy web related endpoint
 (#896)

---
 src/api/workspace.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/api/workspace.rs b/src/api/workspace.rs
index ae90718e9..5865cd668 100644
--- a/src/api/workspace.rs
+++ b/src/api/workspace.rs
@@ -880,6 +880,14 @@ async fn get_page_view_handler(
     .get_user_uid(&user_uuid)
     .await
     .map_err(AppResponseError::from)?;
+  let has_access = state
+    .workspace_access_control
+    .enforce_action(&uid, &workspace_uuid.to_string(), Action::Read)
+    .await?;
+  if !has_access {
+    return Err(AppError::NotEnoughPermissions.into());
+  }
+
   let page_collab = get_page_view_collab(
     &state.pg_pool,
     state.collab_access_control_storage.clone(),
@@ -1457,6 +1465,13 @@ async fn get_workspace_folder_handler(
   let depth = query.depth.unwrap_or(1);
   let uid = state.user_cache.get_user_uid(&user_uuid).await?;
   let workspace_id = workspace_id.into_inner();
+  let has_access = state
+    .workspace_access_control
+    .enforce_action(&uid, &workspace_id.to_string(), Action::Read)
+    .await?;
+  if !has_access {
+    return Err(AppError::NotEnoughPermissions.into());
+  }
   let root_view_id = if let Some(root_view_id) = query.root_view_id.as_ref() {
     root_view_id.to_string()
   } else {