From 2ce57356766a78a18ebb1fecc8896d6ac039acb2 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Fri, 8 Apr 2016 11:05:17 +0200
Subject: [PATCH] Fix ACLs in API calls (fix vatesfr/xo-web#870).
---
 src/api.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/api.js b/src/api.js
index 2b1180131..5f69e666e 100644
--- a/src/api.js
+++ b/src/api.js
@@ -113,7 +113,10 @@ function resolveParams (method, params) {
 // Register this new value.
 params[key] = object
- if (!permissions) {
+ // Permission default to 'administrate' but can be set to a falsy
+ // value (except null or undefined which trigger the default
+ // value) to simply do a resolve without checking any permissions.
+ if (permission) {
 permissions.push([ object.id, permission ])
 }
 })
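Review bot: The new guard `if (permission)` skips the ACL entry for any falsy value, so a parameter whose permission ends up as `''` or `0` by mistake is resolved with no check at all; on an access-control path it is safer to fail closed and accept only one explicit opt-out, e.g. `if (permission !== false) {`. The defaulting to 'administrate' that the comment describes happens outside this hunk, as does the rest of resolveParams, so confirm that null and undefined are already replaced before this line is reached. The diffstat shows only src/api.js changed; a regression test asserting that a resolved param produces an `[ object.id, permission ]` entry would catch a one-identifier slip like the removed `!permissions`, which presumably left the push unreachable. Minor wording: the comment should read `Permission defaults to 'administrate'`.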