Fixes: Share links in private collections visible in share listing

server/api/shares.js

@@ -25,6 +25,7 @@ router.post('shares.list', auth(), pagination(), async ctx => {
 
   if (user.isAdmin) delete where.userId;
 
+  const collectionIds = await user.collectionIds();
   const shares = await Share.findAll({
     where,
     order: [[sort, direction]],
@@ -33,6 +34,9 @@ router.post('shares.list', auth(), pagination(), async ctx => {
         model: Document,
         required: true,
         as: 'document',
+        where: {
+          collectionId: collectionIds,
+        },
       },
       {
         model: User,

server/api/shares.test.js

@@ -50,7 +50,7 @@ describe('#shares.list', async () => {
     expect(body.data.length).toEqual(0);
   });
 
-  it('admins should only return shares created by all users', async () => {
+  it('admins should return shares created by all users', async () => {
     const { admin, document } = await seed();
     const share = await buildShare({
       documentId: document.id,
@@ -67,6 +67,25 @@ describe('#shares.list', async () => {
     expect(body.data[0].documentTitle).toBe(document.title);
   });
 
+  it('admins should not return shares in collection not a member of', async () => {
+    const { admin, document, collection } = await seed();
+    await buildShare({
+      documentId: document.id,
+      teamId: admin.teamId,
+    });
+
+    collection.private = true;
+    await collection.save();
+
+    const res = await server.post('/api/shares.list', {
+      body: { token: admin.getJwtToken() },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(0);
+  });
+
   it('should require authentication', async () => {
     const res = await server.post('/api/shares.list');
     const body = await res.json();