fix(zero):scope core workspace queries

surfsense_web/zero/queries/automations.ts

@@ -1,12 +1,16 @@
 import { defineQuery } from "@rocicorp/zero";
 import { z } from "zod";
 import { zql } from "../schema/index";
+import { constrainToAllowedSpaces } from "./authz";
 
 // Mirrors chat byThread: client passes the parent id, the REST route still
 // authorizes via `automation_id -> search_space`. No search_space_id on the
 // table by design.
 export const automationRunQueries = {
-	byAutomation: defineQuery(z.object({ automationId: z.number() }), ({ args: { automationId } }) =>
-		zql.automation_runs.where("automationId", automationId).orderBy("createdAt", "desc")
+	byAutomation: defineQuery(z.object({ automationId: z.number() }), ({ args: { automationId }, ctx }) =>
+		zql.automation_runs
+			.where("automationId", automationId)
+			.whereExists("automation", (q) => constrainToAllowedSpaces(q, ctx))
+			.orderBy("createdAt", "desc")
 	),
 };

surfsense_web/zero/queries/chat.ts

@@ -1,21 +1,31 @@
 import { defineQuery } from "@rocicorp/zero";
 import { z } from "zod";
 import { zql } from "../schema/index";
+import { constrainToAllowedSpaces } from "./authz";
 
 export const messageQueries = {
-	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId } }) =>
-		zql.new_chat_messages.where("threadId", threadId).orderBy("createdAt", "asc")
+	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId }, ctx }) =>
+		zql.new_chat_messages
+			.where("threadId", threadId)
+			.whereExists("thread", (q) => constrainToAllowedSpaces(q, ctx))
+			.orderBy("createdAt", "asc")
 	),
 };
 
 export const commentQueries = {
-	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId } }) =>
-		zql.chat_comments.where("threadId", threadId).orderBy("createdAt", "asc")
+	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId }, ctx }) =>
+		zql.chat_comments
+			.where("threadId", threadId)
+			.whereExists("thread", (q) => constrainToAllowedSpaces(q, ctx))
+			.orderBy("createdAt", "asc")
 	),
 };
 
 export const chatSessionQueries = {
-	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId } }) =>
-		zql.chat_session_state.where("threadId", threadId).one()
+	byThread: defineQuery(z.object({ threadId: z.number() }), ({ args: { threadId }, ctx }) =>
+		zql.chat_session_state
+			.where("threadId", threadId)
+			.whereExists("thread", (q) => constrainToAllowedSpaces(q, ctx))
+			.one()
 	),
 };

surfsense_web/zero/queries/documents.ts

@@ -1,15 +1,20 @@
 import { defineQuery } from "@rocicorp/zero";
 import { z } from "zod";
 import { zql } from "../schema/index";
+import { canReadSpace, constrainToAllowedSpaces, denySpace } from "./authz";
 
 export const documentQueries = {
-	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId } }) =>
-		zql.documents.where("searchSpaceId", searchSpaceId).orderBy("createdAt", "desc")
-	),
+	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId }, ctx }) => {
+		const query = zql.documents.where("searchSpaceId", searchSpaceId);
+		if (!canReadSpace(ctx, searchSpaceId)) return denySpace(query).orderBy("createdAt", "desc");
+		return constrainToAllowedSpaces(query, ctx).orderBy("createdAt", "desc");
+	}),
 };
 
 export const connectorQueries = {
-	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId } }) =>
-		zql.search_source_connectors.where("searchSpaceId", searchSpaceId).orderBy("createdAt", "desc")
-	),
+	bySpace: defineQuery(z.object({ searchSpaceId: z.number() }), ({ args: { searchSpaceId }, ctx }) => {
+		const query = zql.search_source_connectors.where("searchSpaceId", searchSpaceId);
+		if (!canReadSpace(ctx, searchSpaceId)) return denySpace(query).orderBy("createdAt", "desc");
+		return constrainToAllowedSpaces(query, ctx).orderBy("createdAt", "desc");
+	}),
 };