fix: prevent access to docs in trash from deleted private collections (#2431)

* Check for collection in deleted document * Add tests * Use update policy * Set paranoid to false when fetching deleted doc * Update policy
2021-08-26 09:35:59 +05:30
parent d335670b91
commit 22ba4d0f48
4 changed files with 77 additions and 2 deletions
--- a/server/models/Document.js
+++ b/server/models/Document.js
@ -163,7 +163,7 @@ Document.associate = (models) => {
      },
    },
  });
-  Document.addScope("withCollection", (userId) => {
+  Document.addScope("withCollection", (userId, paranoid = true) => {
    if (userId) {
      return {
        include: [
@ -172,6 +172,7 @@ Document.associate = (models) => {
              method: ["withMembership", userId],
            }),
            as: "collection",
+            paranoid,
          },
        ],
      };
@ -221,7 +222,7 @@ Document.findByPk = async function (id, options = {}) {
  const scope = this.scope(
    "withUnpublished",
    {
-      method: ["withCollection", options.userId],
+      method: ["withCollection", options.userId, options.paranoid],
    },
    {
      method: ["withViews", options.userId],