coop-cloud-chaos-patchs/outline
coop-cloud-chaos-patchs
/
outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: Update document policy to disable sharing for read-only users (#1638) 

* fix: Update document policy to disable sharing for read-only users

* test: Update test for new permission logic
This commit is contained in:
Tom Moor 2020-11-10 20:35:41 -08:00 committed by GitHub
parent 5e7bbdc111
commit 26e6db1afd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
server/api/shares.test.js
View File

@ -149,9 +149,10 @@ describe("#shares.create", () => {
expect(body.data.documentTitle).toBe(document.title);
});
it("should allow creating a share record for document in read-only collection", async () => {
it("should not allow creating a share record with read-only permissions", async () => {
const { user, document, collection } = await seed();
collection.private = true;
await collection.save();
await CollectionUser.create({
@ -164,11 +165,7 @@ describe("#shares.create", () => {
const res = await server.post("/api/shares.create", {
body: { token: user.getJwtToken(), documentId: document.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(false);
expect(body.data.documentTitle).toBe(document.title);
expect(res.status).toEqual(403);
});
it("should allow creating a share record if link previously revoked", async () => {

23
server/policies/document.js
View File

@ -16,18 +16,6 @@ allow(User, ["read", "download"], Document, (user, document) => {
return user.teamId === document.teamId;
});
allow(User, ["share"], Document, (user, document) => {
if (document.archivedAt) return false;
if (document.deletedAt) return false;
// existence of collection option is not required here to account for share tokens
if (document.collection && cannot(user, "read", document.collection)) {
return false;
}
return user.teamId === document.teamId;
});
allow(User, ["star", "unstar"], Document, (user, document) => {
if (document.archivedAt) return false;
if (document.deletedAt) return false;
@ -43,15 +31,14 @@ allow(User, ["star", "unstar"], Document, (user, document) => {
return user.teamId === document.teamId;
});
allow(User, "update", Document, (user, document) => {
allow(User, ["update", "share"], Document, (user, document) => {
if (document.archivedAt) return false;
if (document.deletedAt) return false;
invariant(
document.collection,
"collection is missing, did you forget to include in the query scope?"
);
if (cannot(user, "update", document.collection)) return false;
// existence of collection option is not required here to account for share tokens
if (document.collection && cannot(user, "update", document.collection)) {
return false;
}
return user.teamId === document.teamId;
});