feat: Added ability to disable sharing at collection (#1875)

* feat: Added ability to disable sharing at collection * fix: Disable all previous share links when disabling collection share Language * fix: Disable document sharing for read-only collection members * wip * test * fix: Clear policies after updating sharing settings * chore: Less ambiguous language * feat: Allow setting sharing choice on collection creation
2021-02-09 19:04:03 -08:00
parent cc90c8de1c
commit 097359bf7c
20 changed files with 227 additions and 33 deletions
--- a/server/api/collections.js
+++ b/server/api/collections.js
@ -34,6 +34,7 @@ router.post("collections.create", auth(), async (ctx) => {
    name,
    color,
    description,
+    sharing,
    icon,
    sort = Collection.DEFAULT_SORT,
  } = ctx.body;
@ -55,6 +56,7 @@ router.post("collections.create", auth(), async (ctx) => {
    teamId: user.teamId,
    createdById: user.id,
    private: isPrivate,
+    sharing,
    sort,
  });

@ -452,7 +454,7 @@ router.post("collections.export_all", auth(), async (ctx) => {
 });

 router.post("collections.update", auth(), async (ctx) => {
-  let { id, name, description, icon, color, sort } = ctx.body;
+  let { id, name, description, icon, color, sort, sharing } = ctx.body;
  const isPrivate = ctx.body.private;

  if (color) {
@ -498,6 +500,9 @@ router.post("collections.update", auth(), async (ctx) => {
  if (isPrivate !== undefined) {
    collection.private = isPrivate;
  }
+  if (sharing !== undefined) {
+    collection.sharing = sharing;
+  }
  if (sort !== undefined) {
    collection.sort = sort;
  }
--- a/server/api/collections.test.js
+++ b/server/api/collections.test.js
@ -876,6 +876,18 @@ describe("#collections.create", () => {
    expect(body.policies[0].abilities.export).toBeTruthy();
  });

+  it("should allow setting sharing to false", async () => {
+    const { user } = await seed();
+    const res = await server.post("/api/collections.create", {
+      body: { token: user.getJwtToken(), name: "Test", sharing: false },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.id).toBeTruthy();
+    expect(body.data.sharing).toBe(false);
+  });
+
  it("should return correct policies with private collection", async () => {
    const { user } = await seed();
    const res = await server.post("/api/collections.create", {
--- a/server/api/documents.js
+++ b/server/api/documents.js
@ -488,6 +488,11 @@ async function loadDocument({ id, shareId, user }) {
      authorize(user, "read", document);
    }

+    const collection = await Collection.findByPk(document.collectionId);
+    if (!collection.sharing) {
+      throw new AuthorizationError();
+    }
+
    const team = await Team.findByPk(document.teamId);
    if (!team.sharing) {
      throw new AuthorizationError();
--- a/server/api/documents.test.js
+++ b/server/api/documents.test.js
@ -112,6 +112,23 @@ describe("#documents.info", () => {
    expect(res.status).toEqual(403);
  });

+  it("should not return document from shareId if sharing is disabled for collection", async () => {
+    const { document, collection, user } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: document.teamId,
+      userId: user.id,
+    });
+
+    collection.sharing = false;
+    await collection.save();
+
+    const res = await server.post("/api/documents.info", {
+      body: { shareId: share.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+
  it("should not return document from revoked shareId", async () => {
    const { document, user } = await seed();
    const share = await buildShare({
--- a/server/api/shares.test.js
+++ b/server/api/shares.test.js
@ -202,7 +202,7 @@ describe("#shares.create", () => {
    expect(body.data.id).toBe(share.id);
  });

-  it("should not allow creating a share record if disabled", async () => {
+  it("should not allow creating a share record if team sharing disabled", async () => {
    const { user, document, team } = await seed();
    await team.update({ sharing: false });
    const res = await server.post("/api/shares.create", {
@ -211,6 +211,15 @@ describe("#shares.create", () => {
    expect(res.status).toEqual(403);
  });

+  it("should not allow creating a share record if collection sharing disabled", async () => {
+    const { user, collection, document } = await seed();
+    await collection.update({ sharing: false });
+    const res = await server.post("/api/shares.create", {
+      body: { token: user.getJwtToken(), documentId: document.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+
  it("should require authentication", async () => {
    const { document } = await seed();
    const res = await server.post("/api/shares.create", {