Fix(auth): Forbid index creation on alternates routes

Forbid index creation on alternates routes when the action `index.create` is not given fix #2024
2025-07-03 03:47:02 +02:00 · 2021-12-15 14:52:33 +01:00 · 2021-12-15 14:52:33 +01:00 · a845cd8880
commit a845cd8880
parent 845d3114ea
11 changed files with 213 additions and 23 deletions
--- a/meilisearch-http/src/routes/indexes/documents.rs
+++ b/meilisearch-http/src/routes/indexes/documents.rs
@ -173,6 +173,7 @@ pub async fn add_documents(
        &req,
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let task = document_addition(
        extract_mime_type(&req)?,
        meilisearch,
@ -180,6 +181,7 @@ pub async fn add_documents(
        params.primary_key,
        body,
        IndexDocumentsMethod::ReplaceDocuments,
+        allow_index_creation,
    )
    .await?;

@ -203,6 +205,7 @@ pub async fn update_documents(
        &req,
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let task = document_addition(
        extract_mime_type(&req)?,
        meilisearch,
@ -210,6 +213,7 @@ pub async fn update_documents(
        params.into_inner().primary_key,
        body,
        IndexDocumentsMethod::UpdateDocuments,
+        allow_index_creation,
    )
    .await?;

@ -223,6 +227,7 @@ async fn document_addition(
    primary_key: Option<String>,
    body: Payload,
    method: IndexDocumentsMethod,
+    allow_index_creation: bool,
 ) -> Result<SummarizedTaskView, ResponseError> {
    let format = match mime_type
        .as_ref()
@ -250,6 +255,7 @@ async fn document_addition(
        primary_key,
        method,
        format,
+        allow_index_creation,
    };

    let task = meilisearch.register_update(index_uid, update).await?.into();
--- a/meilisearch-http/src/routes/indexes/settings.rs
+++ b/meilisearch-http/src/routes/indexes/settings.rs
@ -34,9 +34,12 @@ macro_rules! make_setting_route {
                    $attr: Setting::Reset,
                    ..Default::default()
                };
+
+                let allow_index_creation = meilisearch.filters().allow_index_creation;
                let update = Update::Settings {
                    settings,
                    is_deletion: true,
+                    allow_index_creation,
                };
                let task: SummarizedTaskView = meilisearch
                    .register_update(index_uid.into_inner(), update)
@ -66,9 +69,11 @@ macro_rules! make_setting_route {
                    ..Default::default()
                };

+                let allow_index_creation = meilisearch.filters().allow_index_creation;
                let update = Update::Settings {
                    settings,
                    is_deletion: false,
+                    allow_index_creation,
                };
                let task: SummarizedTaskView = meilisearch
                    .register_update(index_uid.into_inner(), update)
@ -272,9 +277,11 @@ pub async fn update_all(
        Some(&req),
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let update = Update::Settings {
        settings,
        is_deletion: false,
+        allow_index_creation,
    };
    let task: SummarizedTaskView = meilisearch
        .register_update(index_uid.into_inner(), update)
@ -300,9 +307,11 @@ pub async fn delete_all(
 ) -> Result<HttpResponse, ResponseError> {
    let settings = Settings::cleared().into_unchecked();

+    let allow_index_creation = data.filters().allow_index_creation;
    let update = Update::Settings {
        settings,
        is_deletion: true,
+        allow_index_creation,
    };
    let task: SummarizedTaskView = data
        .register_update(index_uid.into_inner(), update)