Merge pull request #3632 from BookStackApp/ownable_permission_fix

Fixed failed permission checks due to non-loaded fields
2025-06-13 00:41:59 +03:00 · 2022-08-10 17:59:46 +01:00
parent 031c67ba58 16eedc8264
commit 375abca1ee
6 changed files with 42 additions and 6 deletions
--- a/app/Http/Controllers/FavouriteController.php
+++ b/app/Http/Controllers/FavouriteController.php
@ -87,7 +87,7 @@ class FavouriteController extends Controller

        $modelInstance = $model->newQuery()
            ->where('id', '=', $modelInfo['id'])
-            ->first(['id', 'name']);
+            ->first(['id', 'name', 'restricted', 'owned_by']);

        $inaccessibleEntity = ($modelInstance instanceof Entity && !userCan('view', $modelInstance));
        if (is_null($modelInstance) || $inaccessibleEntity) {