From 5c0800aca485cddfe966b8e7dfd3d1f4faf07707 Mon Sep 17 00:00:00 2001
From: John Swanson <john.swanson@metabase.com>
Date: Thu, 22 Aug 2024 06:38:04 -0700
Subject: [PATCH] Don't allow viewing a timeline without coll perms (#46863)

If we don't have access to the collection, we shouldn't have access to
the timelines.
---
 src/metabase/api/collection.clj | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/metabase/api/collection.clj b/src/metabase/api/collection.clj
index 2eaa6f1fbb9..6806b2a2416 100644
--- a/src/metabase/api/collection.clj
+++ b/src/metabase/api/collection.clj
@@ -1115,6 +1115,7 @@
   [include archived]
   {include  [:maybe [:= "events"]]
    archived [:maybe :boolean]}
+  (api/read-check collection/root-collection)
   (timeline/timelines-for-collection nil {:timeline/events?   (= include "events")
                                           :timeline/archived? archived}))
 
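Review bot: The new `(api/read-check collection/root-collection)` guard, and the matching one in the second hunk, land without a regression test; the diffstat lists only `collection.clj`. A test that calls each of the two timelines endpoints as a user without read permission on the collection, and expects a permission error, would stop the check from being dropped in a later refactor. A short comment above the call, e.g. `;; timelines inherit read permission from their collection; check before fetching`, would also record why the check must come before the query. The endpoint definition starts outside the hunk.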
@@ -1124,6 +1125,7 @@
   {id       ms/PositiveInt
    include  [:maybe [:= "events"]]
    archived [:maybe :boolean]}
+  (api/read-check (t2/select-one :model/Collection :id id))
   (timeline/timelines-for-collection id {:timeline/events?   (= include "events")
                                          :timeline/archived? archived}))
 
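Review bot: `(api/read-check (t2/select-one :model/Collection :id id))` can be written with the two-argument form, `(api/read-check :model/Collection id)`, which keeps the lookup and the permission check in one call. Presumably a nil lookup result is rejected as not-found before the permission test runs. If so, an unknown id and a forbidden id return different statuses to a caller without access, and it is worth confirming that this is intended. The endpoint definition starts outside the hunk.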
-- 
GitLab