From 70287de6d72f598486de88bcf72f88df7aa7f602 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sat, 5 Jan 2019 23:04:09 -0800
Subject: [PATCH] Fixes: Cannot load document in private collection from share link when signed in with user that cannot access
---
 server/api/documents.test.js | 21 ++++++++++++++++++++-
 server/policies/document.js | 4 ++--
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/server/api/documents.test.js b/server/api/documents.test.js
index 57a108be..4c244107 100644
--- a/server/api/documents.test.js
+++ b/server/api/documents.test.js
@@ -86,7 +86,7 @@ describe('#documents.info', async () => {
 expect(res.status).toEqual(400);
 });
- it('should return documents from shareId with token', async () => {
+ it('should return document from shareId with token', async () => {
 const { user, document, collection } = await seed();
 const share = await buildShare({
 documentId: document.id,
@@ -105,6 +105,25 @@ describe('#documents.info', async () => {
 expect(body.data.updatedBy.id).toEqual(user.id);
 });
+ it('should return document from shareId in collection not a member of', async () => {
+ const { user, document, collection } = await seed();
+ const share = await buildShare({
+ documentId: document.id,
+ teamId: document.teamId,
+ });
+ collection.private = true;
+ await collection.save();
+ const res = await server.post('/api/documents.info', {
+ body: { token: user.getJwtToken(), shareId: share.id },
+ });
+ const body = await res.json();
+ expect(res.status).toEqual(200);
+ expect(body.data.id).toEqual(document.id);
+ });
 it('should require authorization without token', async () => {
 const { document } = await seed();
 const res = await server.post('/api/documents.info', {
diff --git a/server/policies/document.js b/server/policies/document.js
index 67546148..17b5d4da 100644
--- a/server/policies/document.js
+++ b/server/policies/document.js
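Review bot: The new test asserts only the positive path, so it would still pass if `collection.private = true` were not enforced at all; it never establishes that the seeded user actually lacks access to the collection. Whether `seed()` makes `user` a member of `collection` is not visible here, so the "not a member of" in the test title may not hold as written. A companion request without `shareId` (`body: { token: user.getJwtToken(), id: document.id }`) asserting a non-200 status (presumably 403, whatever the authorization error maps to in this API) would pin that the private flag denies direct access and that the share link is the only thing granting it. The describe block continues outside the hunk.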
@@ -2,7 +2,7 @@ import policy from './policy';
 import { Document, Revision, User } from '../models';
-const { allow, authorize } = policy;
+const { allow, cannot } = policy;
 allow(User, 'create', Document);
@@ -12,7 +12,7 @@ allow(
 Document,
 (user, document) => {
 if (document.collection) {
- authorize(user, 'read', document.collection);
+ if (cannot(user, 'read', document.collection)) return false;
 }
 return user.teamId === document.teamId;
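Review bot: The swap from `authorize` to `cannot` on the added line changes the read predicate from throwing to returning `false`, but nothing in the code says why; a one-line comment would stop the next reader from "fixing" it back, e.g. `// Return a boolean rather than throwing: can()/cannot() callers (share-link access) must see a denial, not an exception.` The denial still sits inside `if (document.collection)`, so a document loaded without its collection association skips the private-collection check entirely and falls through to the team check — presumably callers always include the association, but that assumption deserves a comment or an assertion next to the guard. The first hunk drops `authorize` from the destructuring; if it is still referenced elsewhere in document.js outside these hunks it is now undefined. The `allow(` call enclosing this predicate starts and ends outside the hunk.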