fix: prevent access to docs in trash from deleted private collections (#2431)

* Check for collection in deleted document * Add tests * Use update policy * Set paranoid to false when fetching deleted doc * Update policy
2021-08-26 09:35:59 +05:30
parent d335670b91
commit 22ba4d0f48
4 changed files with 77 additions and 2 deletions
--- a/server/api/documents.js
+++ b/server/api/documents.js
@ -585,6 +585,7 @@ async function loadDocument({
    }

    if (document.deletedAt) {
+      // don't send data if user cannot restore deleted doc
      authorize(user, "restore", document);
    } else {
      authorize(user, "read", document);