fix: Disabling public sharing should disable all existing share links

Issue came through customer support

server/api/documents.js

@@ -4,7 +4,11 @@ import Sequelize from "sequelize";
 import { subtractDate } from "../../shared/utils/date";
 import documentImporter from "../commands/documentImporter";
 import documentMover from "../commands/documentMover";
-import { NotFoundError, InvalidRequestError } from "../errors";
+import {
+  NotFoundError,
+  InvalidRequestError,
+  AuthorizationError,
+} from "../errors";
 import auth from "../middlewares/authentication";
 import {
   Backlink,
@@ -17,6 +21,7 @@ import {
   Star,
   User,
   View,
+  Team,
 } from "../models";
 import policy from "../policies";
 import {
@@ -454,6 +459,11 @@ async function loadDocument({ id, shareId, user }) {
     if (!share.published) {
       authorize(user, "read", document);
     }
+
+    const team = await Team.findByPk(document.teamId);
+    if (!team.sharing) {
+      throw new AuthorizationError();
+    }
   } else {
     document = await Document.findByPk(id, {
       userId: user ? user.id : undefined,

server/api/documents.test.js

@@ -95,6 +95,23 @@ describe("#documents.info", () => {
     expect(body.data.updatedBy).toEqual(undefined);
   });
 
+  it("should not return document from shareId if sharing is disabled for team", async () => {
+    const { document, team, user } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: document.teamId,
+      userId: user.id,
+    });
+
+    team.sharing = false;
+    await team.save();
+
+    const res = await server.post("/api/documents.info", {
+      body: { shareId: share.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+
   it("should not return document from revoked shareId", async () => {
     const { document, user } = await seed();
     const share = await buildShare({