From f2b65fad3d1c4f525d63996f1b4f0e82a610e236 Mon Sep 17 00:00:00 2001
From: Leonardo Viva
Date: Tue, 11 Jun 2024 16:37:07 -0300
Subject: [PATCH] fix: apply permissions when empty fields
---
 src/imports/data/api/find.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/imports/data/api/find.ts b/src/imports/data/api/find.ts
index 11c28e6..bdd118f 100644
--- a/src/imports/data/api/find.ts
+++ b/src/imports/data/api/find.ts
@@ -22,7 +22,7 @@ import { KonectyResult, KonectyResultError, KonectyResultSuccess } from '@import
 import { convertStringOfFieldsSeparatedByCommaIntoObjectToFind } from '@imports/utils/convertStringOfFieldsSeparatedByCommaIntoObjectToFind';
 import { errorReturn, successReturn } from '@imports/utils/return';
 import { Span } from '@opentelemetry/api';
-import { Collection, Filter, FindOptions } from 'mongodb';
+import { Collection, Document, Filter, FindOptions } from 'mongodb';
 import { Readable } from 'node:stream';
 import addDetailFieldsIntoAggregate from '../populateDetailFields/intoAggregate';
@@ -130,9 +130,10 @@ export default async function find({
 const emptyFields = Object.keys(fieldsObject).length === 0;
- const queryOptions: FindOptions = {
+ const queryOptions: FindOptions & { projection: Document } = {
 limit: _isNaN(limit) || limit == null || Number(limit) <= 0 ? DEFAULT_PAGE_SIZE : parseInt(String(limit), 10),
 skip: parseInt(String(start ?? 0), 10),
+ projection: {},
 ...applyIfMongoVersionGreaterThanOrEqual(6, () => ({ allowDiskUse: true })),
 };
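Review bot: Seeding `projection: {}` in the `queryOptions` initializer means `queryOptions.projection` is never undefined, so any later guard that only tests for its presence now always passes. The later hunk shows `aggregateStages.push({ $project: queryOptions.projection })`, and MongoDB rejects a `$project` stage whose specification is empty, so a request with no `fields` and no excluded fields could turn into a query error if that guard (outside these hunks) is a plain truthiness check. The guard should test for a non-empty object, for example `if (Object.keys(queryOptions.projection).length > 0) {`. The body of `find` continues outside the hunk, so the existing guard may already do this.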
@@ -252,7 +253,11 @@ export default async function find({
 aggregateStages.push({ $project: queryOptions.projection });
 // Only check permissions on fields that are in the projection
- conditionsKeys = conditionsKeys.filter(key => has(queryOptions.projection, key));
+ if (emptyFields) {
+ conditionsKeys = conditionsKeys.filter(key => !queryOptions.projection[key]);
+ } else {
+ conditionsKeys = conditionsKeys.filter(key => queryOptions.projection[key]);
+ }
 }
 const cursor = collection.aggregate(aggregateStages, { allowDiskUse: true });
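Review bot: The `emptyFields` branch fails open, because `!queryOptions.projection[key]` drops a field's READ condition whenever the projection holds any truthy value for that key, even though the field would still be returned. Whether a truthy entry can exist when no fields were requested depends on how the projection is built outside the hunk. Since this filter decides which permission conditions run, it is safer to skip a condition only on an explicit exclusion: `conditionsKeys = conditionsKeys.filter(key => queryOptions.projection[key] !== 0);`. The comment above the branch should also be updated, for example `// With no requested fields the projection is exclusion-only: keep conditions for every field not explicitly excluded`. The enclosing `if` opens outside the hunk, and a regression test for a request without `fields` from a user with a conditional READ rule would pin the fix.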