From b939d1e4205e523b89e01b3722fbc6f64ec02067 Mon Sep 17 00:00:00 2001 From: msukkari Date: Sun, 26 Oct 2025 21:11:42 -0700 Subject: [PATCH] enforce permitted user check even when no where clause --- packages/web/src/prisma.ts | 40 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/packages/web/src/prisma.ts b/packages/web/src/prisma.ts index 860d23fa..f4d253e9 100644 --- a/packages/web/src/prisma.ts +++ b/packages/web/src/prisma.ts @@ -27,27 +27,27 @@ export const userScopedPrismaClientExtension = (userId?: string) => { query: { ...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ? { repo: { - $allOperations({ args, query }) { - if ('where' in args) { - args.where = { - ...args.where, - OR: [ - // Only include repos that are permitted to the user - ...(userId ? [ - { - permittedUsers: { - some: { - userId, - } - } - }, - ] : []), - // or are public. + async $allOperations({ args, query }) { + // eslint-disable-next-line @typescript-eslint/no-explicit-any + const argsWithWhere = args as any; + argsWithWhere.where = { + ...(argsWithWhere.where || {}), + OR: [ + // Only include repos that are permitted to the user + ...(userId ? [ { - isPublic: true, - } - ] - } + permittedUsers: { + some: { + userId, + } + } + }, + ] : []), + // or are public. + { + isPublic: true, + } + ] } return query(args);