From af6ddffa1dd996d669251baa368eef60fff6920d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Wed, 4 Mar 2026 23:37:59 +0100
Subject: [PATCH] Check that user has general access rights to partdb See #1283
---
 src/Controller/TypeaheadController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Controller/TypeaheadController.php b/src/Controller/TypeaheadController.php
index 39821f59..b84f3dc0 100644
--- a/src/Controller/TypeaheadController.php
+++ b/src/Controller/TypeaheadController.php
@@ -71,7 +71,10 @@ class TypeaheadController extends AbstractController
 #[Route(path: '/builtInResources/search', name: 'typeahead_builtInRessources')]
 public function builtInResources(Request $request, BuiltinAttachmentsFinder $finder): JsonResponse
 {
- $query = $request->get('query');
+ //Ensure that the user can access Part-DB at all
+ $this->denyAccessUnlessGranted('HAS_ACCESS_PERMISSIONS');
+
+ $query = $request->query->getString('query');
 $array = $finder->find($query);
 $result = [];
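Review bot: The new `denyAccessUnlessGranted('HAS_ACCESS_PERMISSIONS')` call guards only `builtInResources`, so every other action in `TypeaheadController` has to repeat the gate by hand; those actions are outside this hunk, so whether they already carry an equivalent or stricter check cannot be confirmed from here. If nothing in this controller should be reachable without general access, a class-level `#[IsGranted('HAS_ACCESS_PERMISSIONS')]` would make that the default instead of something each new action must remember. The diffstat shows only this file changing, so a functional test asserting that a user without that permission is refused on `/builtInResources/search` would keep the fix from regressing. The switch to `$request->query->getString('query')` also means a missing parameter now reaches `$finder->find()` as an empty string, and the value is no longer picked up from the request body; the rest of the method lies outside the hunk, so how `find()` treats an empty query should be checked there.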