fix: Document published notification potentially sent to users without permission to view document

2020-11-05 19:49:05 -08:00
parent fdaa36c9fd
commit 0125a5361d
2 changed files with 85 additions and 1 deletions
--- a/server/services/notifications.test.js
+++ b/server/services/notifications.test.js
@ -1,7 +1,7 @@
 /* eslint-disable flowtype/require-valid-file-annotation */
 import mailer from "../mailer";
 import { View, NotificationSetting } from "../models";
-import { buildDocument, buildUser } from "../test/factories";
+import { buildDocument, buildCollection, buildUser } from "../test/factories";
 import { flushdb } from "../test/support";
 import NotificationsService from "./notifications";

@ -12,6 +12,83 @@ const Notifications = new NotificationsService();
 beforeEach(() => flushdb());
 beforeEach(jest.resetAllMocks);

+describe("documents.publish", () => {
+  test("should not send a notification to author", async () => {
+    const user = await buildUser();
+    const document = await buildDocument({
+      teamId: user.teamId,
+      lastModifiedById: user.id,
+    });
+
+    await NotificationSetting.create({
+      userId: user.id,
+      teamId: user.teamId,
+      event: "documents.publish",
+    });
+
+    await Notifications.on({
+      name: "documents.publish",
+      documentId: document.id,
+      collectionId: document.collectionId,
+      teamId: document.teamId,
+      actorId: document.createdById,
+    });
+
+    expect(mailer.documentNotification).not.toHaveBeenCalled();
+  });
+
+  test("should send a notification to other users in team", async () => {
+    const user = await buildUser();
+    const document = await buildDocument({
+      teamId: user.teamId,
+    });
+
+    await NotificationSetting.create({
+      userId: user.id,
+      teamId: user.teamId,
+      event: "documents.publish",
+    });
+
+    await Notifications.on({
+      name: "documents.publish",
+      documentId: document.id,
+      collectionId: document.collectionId,
+      teamId: document.teamId,
+      actorId: document.createdById,
+    });
+
+    expect(mailer.documentNotification).toHaveBeenCalled();
+  });
+
+  test("should not send a notification to users without collection access", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      private: true,
+    });
+    const document = await buildDocument({
+      teamId: user.teamId,
+      collectionId: collection.id,
+    });
+
+    await NotificationSetting.create({
+      userId: user.id,
+      teamId: user.teamId,
+      event: "documents.publish",
+    });
+
+    await Notifications.on({
+      name: "documents.publish",
+      documentId: document.id,
+      collectionId: document.collectionId,
+      teamId: document.teamId,
+      actorId: document.createdById,
+    });
+
+    expect(mailer.documentNotification).not.toHaveBeenCalled();
+  });
+});
+
 describe("documents.update.debounced", () => {
  test("should send a notification to other collaborator", async () => {
    const document = await buildDocument();