Fixes: Cannot load document in private collection from share link when signed in with user that cannot access

server/api/documents.test.js

@@ -86,7 +86,7 @@ describe('#documents.info', async () => {
     expect(res.status).toEqual(400);
   });
 
-  it('should return documents from shareId with token', async () => {
+  it('should return document from shareId with token', async () => {
     const { user, document, collection } = await seed();
     const share = await buildShare({
       documentId: document.id,
@@ -105,6 +105,25 @@ describe('#documents.info', async () => {
     expect(body.data.updatedBy.id).toEqual(user.id);
   });
 
+  it('should return document from shareId in collection not a member of', async () => {
+    const { user, document, collection } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: document.teamId,
+    });
+
+    collection.private = true;
+    await collection.save();
+
+    const res = await server.post('/api/documents.info', {
+      body: { token: user.getJwtToken(), shareId: share.id },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.id).toEqual(document.id);
+  });
+
   it('should require authorization without token', async () => {
     const { document } = await seed();
     const res = await server.post('/api/documents.info', {

server/policies/document.js

@@ -2,7 +2,7 @@
 import policy from './policy';
 import { Document, Revision, User } from '../models';
 
-const { allow, authorize } = policy;
+const { allow, cannot } = policy;
 
 allow(User, 'create', Document);
 
@@ -12,7 +12,7 @@ allow(
   Document,
   (user, document) => {
     if (document.collection) {
-      authorize(user, 'read', document.collection);
+      if (cannot(user, 'read', document.collection)) return false;
     }
 
     return user.teamId === document.teamId;