diff --git a/server/api/documents.js b/server/api/documents.js
index ed676330..cc771f21 100644
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -4,7 +4,11 @@ import Sequelize from "sequelize";
 import { subtractDate } from "../../shared/utils/date";
 import documentImporter from "../commands/documentImporter";
 import documentMover from "../commands/documentMover";
-import { NotFoundError, InvalidRequestError } from "../errors";
+import {
+  NotFoundError,
+  InvalidRequestError,
+  AuthorizationError,
+} from "../errors";
 import auth from "../middlewares/authentication";
 import {
   Backlink,
@@ -17,6 +21,7 @@ import {
   Star,
   User,
   View,
+  Team,
 } from "../models";
 import policy from "../policies";
 import {
@@ -454,6 +459,11 @@ async function loadDocument({ id, shareId, user }) {
     if (!share.published) {
       authorize(user, "read", document);
     }
+
+    const team = await Team.findByPk(document.teamId);
+    if (!team.sharing) {
+      throw new AuthorizationError();
+    }
   } else {
     document = await Document.findByPk(id, {
       userId: user ? user.id : undefined,
diff --git a/server/api/documents.test.js b/server/api/documents.test.js
index 2c2ba9e7..2bba6688 100644
--- a/server/api/documents.test.js
+++ b/server/api/documents.test.js
@@ -95,6 +95,23 @@ describe("#documents.info", () => {
     expect(body.data.updatedBy).toEqual(undefined);
   });
 
+  it("should not return document from shareId if sharing is disabled for team", async () => {
+    const { document, team, user } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: document.teamId,
+      userId: user.id,
+    });
+
+    team.sharing = false;
+    await team.save();
+
+    const res = await server.post("/api/documents.info", {
+      body: { shareId: share.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+
   it("should not return document from revoked shareId", async () => {
     const { document, user } = await seed();
     const share = await buildShare({
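Review bot: In the loadDocument hunk, `team.sharing` is dereferenced without checking that `Team.findByPk(document.teamId)` returned a row, so a missing (or, if the model is paranoid, soft-deleted) team would surface as a TypeError and a 500 on an unauthenticated share endpoint rather than the intended 403; failing closed with `if (!team || !team.sharing) { throw new AuthorizationError(); }` keeps the deny path explicit. The intent of the new check is also worth a one-line why-comment, since it is the only place the team-wide toggle is enforced for share links: `// Team admins can disable public sharing; a share link must not bypass that.`. The lookup uses `document.teamId` while the share is the object being validated — presumably the two agree, but `share.teamId` (which the new test also sets) would tie the check to the credential actually presented. The body of loadDocument begins before and continues after this hunk, so the revocation and published checks that precede it are not visible here.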