From 6d50ac19038c49fc94032b035a5eda1c28108a9f Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Fri, 13 Mar 2026 01:56:32 +1300
Subject: [PATCH] Force strict equivalence in mongo role checks
---
 src/Database/Adapter/Mongo.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Database/Adapter/Mongo.php b/src/Database/Adapter/Mongo.php
index 52acc9541..6ab7e7186 100644
--- a/src/Database/Adapter/Mongo.php
+++ b/src/Database/Adapter/Mongo.php
@@ -2026,7 +2026,7 @@ public function find(Document $collection, array $queries = [], ?int $limit = 25
 // permissions
 if ($this->authorization->getStatus()) {
 $roles = \implode('|', $this->authorization->getRoles());
- $filters['_permissions']['$in'] = [new Regex("{$forPermission}\\(\".*(?:{$roles}).*\"\\)", 'i')];
+ $filters['_permissions']['$in'] = [new Regex("{$forPermission}\\(\"(?:{$roles})\"\\)", 'i')];
 }
 $options = [];
@@ -2287,7 +2287,7 @@ public function count(Document $collection, array $queries = [], ?int $max = nul
 // Add permissions filter if authorization is enabled
 if ($this->authorization->getStatus()) {
 $roles = \implode('|', $this->authorization->getRoles());
- $filters['_permissions']['$in'] = [new Regex("read\\(\".*(?:{$roles}).*\"\\)", 'i')];
+ $filters['_permissions']['$in'] = [new Regex("read\\(\"(?:{$roles})\"\\)", 'i')];
 }
 /**
@@ -2377,7 +2377,7 @@ public function sum(Document $collection, string $attribute, array $queries = []
 // permissions
 if ($this->authorization->getStatus()) { // skip if authorization is disabled
 $roles = \implode('|', $this->authorization->getRoles());
- $filters['_permissions']['$in'] = [new Regex("read\\(\".*(?:{$roles}).*\"\\)", 'i')];
+ $filters['_permissions']['$in'] = [new Regex("read\\(\"(?:{$roles})\"\\)", 'i')];
 }
 // using aggregation to get sum an attribute as described in
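Review bot: The role strings are still interpolated into the pattern unescaped in the `find()` hunk (and identically in the `count()` and `sum()` hunks), so any regex metacharacter inside a role, for example a `.` in an identifier, is still treated as a pattern rather than a literal and the permission filter can match more than the caller's exact roles. The pattern is also unanchored and keeps the `'i'` flag, which is looser than the "strict equivalence" in the subject; whether role identifiers are case-sensitive is not visible in this diff, so the flag should be confirmed rather than assumed. I would quote each role and anchor the expression, e.g. `$roles = \implode('|', \array_map(fn (string $r) => \preg_quote($r), $this->authorization->getRoles()));` followed by `new Regex("^{$forPermission}\\(\"(?:{$roles})\"\\)$", 'i')`, or replace the regex with an exact-string `$in` list if case folding is not required. All three functions begin and end outside their hunks, so how `$forPermission` is derived cannot be checked here.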