mirror/puter
1
0
Fork 0
mirror of https://github.com/HeyPuter/puter.git synced 2026-04-26 09:18:38 -05:00
Code Issues Packages Projects Releases Wiki Activity

Short-circuit the permission check for users accessing their own files

Browse Source
This commit is contained in:
Nariman Jelveh
2025-09-11 21:41:42 -07:00
parent 9582297547
commit 7511a1518c
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/backend/src/services/auth/ACLService.js
+16
View File
@@ -360,6 +360,22 @@ class ACLService extends BaseService {
return false;
}
// PERF: Short-circuit the permission check for users accessing their own files.
// Since the filesystem structure guarantees ownership within a user's home directory,
// we can safely grant access without a database lookup for the fsentry.
if (actor.type instanceof UserActorType) {
const username = actor.type.user.username;
const path_selector = fsNode.get_selector_of_type(NodePathSelector);
if (path_selector) {
const path = path_selector.value;
// If the path starts with the user's own home directory, grant access immediately.
if (path === `/${username}` || path.startsWith(`/${username}/`)) {
return true;
}
}
}
// Hard rule: anyone and anything can read /user/public directories
if ( this.global_config.enable_public_folders ) {
const public_modes = Object.freeze(['read', 'list', 'see']);