fix: Update document policy to disable sharing for read-only users (#1638)
* fix: Update document policy to disable sharing for read-only users * test: Update test for new permission logic
This commit is contained in:
parent
5e7bbdc111
commit
26e6db1afd
|
@ -149,9 +149,10 @@ describe("#shares.create", () => {
|
||||||
expect(body.data.documentTitle).toBe(document.title);
|
expect(body.data.documentTitle).toBe(document.title);
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should allow creating a share record for document in read-only collection", async () => {
|
it("should not allow creating a share record with read-only permissions", async () => {
|
||||||
const { user, document, collection } = await seed();
|
const { user, document, collection } = await seed();
|
||||||
collection.private = true;
|
collection.private = true;
|
||||||
|
|
||||||
await collection.save();
|
await collection.save();
|
||||||
|
|
||||||
await CollectionUser.create({
|
await CollectionUser.create({
|
||||||
|
@ -164,11 +165,7 @@ describe("#shares.create", () => {
|
||||||
const res = await server.post("/api/shares.create", {
|
const res = await server.post("/api/shares.create", {
|
||||||
body: { token: user.getJwtToken(), documentId: document.id },
|
body: { token: user.getJwtToken(), documentId: document.id },
|
||||||
});
|
});
|
||||||
const body = await res.json();
|
expect(res.status).toEqual(403);
|
||||||
|
|
||||||
expect(res.status).toEqual(200);
|
|
||||||
expect(body.data.published).toBe(false);
|
|
||||||
expect(body.data.documentTitle).toBe(document.title);
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should allow creating a share record if link previously revoked", async () => {
|
it("should allow creating a share record if link previously revoked", async () => {
|
||||||
|
|
|
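Review bot: The renamed test in the second hunk now asserts only `expect(res.status).toEqual(403);`, and nothing in this section verifies that a user with write access to a private collection can still create a share, so the permissive side of the new collection-"update" check is untested unless a case exists elsewhere in the file. I would add a sibling test that seeds a CollectionUser with write permission on the same private collection and keeps the old assertions, `expect(res.status).toEqual(200);` and `expect(body.data.published).toBe(false);`. The permission value passed to `CollectionUser.create` lies between the two hunks and is outside this view, so whether that record is actually read-only cannot be confirmed from here.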
@ -16,18 +16,6 @@ allow(User, ["read", "download"], Document, (user, document) => {
|
||||||
return user.teamId === document.teamId;
|
return user.teamId === document.teamId;
|
||||||
});
|
});
|
||||||
|
|
||||||
allow(User, ["share"], Document, (user, document) => {
|
|
||||||
if (document.archivedAt) return false;
|
|
||||||
if (document.deletedAt) return false;
|
|
||||||
|
|
||||||
// existence of collection option is not required here to account for share tokens
|
|
||||||
if (document.collection && cannot(user, "read", document.collection)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return user.teamId === document.teamId;
|
|
||||||
});
|
|
||||||
|
|
||||||
allow(User, ["star", "unstar"], Document, (user, document) => {
|
allow(User, ["star", "unstar"], Document, (user, document) => {
|
||||||
if (document.archivedAt) return false;
|
if (document.archivedAt) return false;
|
||||||
if (document.deletedAt) return false;
|
if (document.deletedAt) return false;
|
||||||
|
@ -43,15 +31,14 @@ allow(User, ["star", "unstar"], Document, (user, document) => {
|
||||||
return user.teamId === document.teamId;
|
return user.teamId === document.teamId;
|
||||||
});
|
});
|
||||||
|
|
||||||
allow(User, "update", Document, (user, document) => {
|
allow(User, ["update", "share"], Document, (user, document) => {
|
||||||
if (document.archivedAt) return false;
|
if (document.archivedAt) return false;
|
||||||
if (document.deletedAt) return false;
|
if (document.deletedAt) return false;
|
||||||
|
|
||||||
invariant(
|
// existence of collection option is not required here to account for share tokens
|
||||||
document.collection,
|
if (document.collection && cannot(user, "update", document.collection)) {
|
||||||
"collection is missing, did you forget to include in the query scope?"
|
return false;
|
||||||
);
|
}
|
||||||
if (cannot(user, "update", document.collection)) return false;
|
|
||||||
|
|
||||||
return user.teamId === document.teamId;
|
return user.teamId === document.teamId;
|
||||||
});
|
});
|
||||||
|
|
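Review bot: Folding `update` into the shared callback drops the `invariant(document.collection, ...)` that the update ability had in the second hunk, so an update check on a document loaded without its collection now falls through to `return user.teamId === document.teamId;` and is granted, where it previously threw. The collection-optional form was written for share tokens, as the comment kept on that line says, and it is not obviously right for update, which before this change failed closed on a missing collection scope. I would keep `allow(User, "update", Document, ...)` as its own registration with the invariant and the `cannot(user, "update", document.collection)` check, and register `share` separately with the collection-optional check from this hunk, so tightening share does not loosen update. Whether any update caller actually loads documents without the collection is not visible here.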