fix: Remove export permission for read-only users (#2220)

server/api/collections.test.js

@@ -284,7 +284,7 @@ describe("#collections.export", () => {
       createdById: user.id,
       collectionId: collection.id,
       userId: user.id,
-      permission: "read",
+      permission: "read_write",
     });
 
     const res = await server.post("/api/collections.export", {
@@ -305,7 +305,7 @@ describe("#collections.export", () => {
     await group.addUser(user, { through: { createdById: user.id } });
 
     await collection.addGroup(group, {
-      through: { permission: "read", createdById: user.id },
+      through: { permission: "read_write", createdById: user.id },
     });
 
     const res = await server.post("/api/collections.export", {

server/policies/collection.js

@@ -25,7 +25,7 @@ allow(User, "move", Collection, (user, collection) => {
   throw new AdminRequiredError();
 });
 
-allow(User, ["read", "export"], Collection, (user, collection) => {
+allow(User, "read", Collection, (user, collection) => {
   if (!collection || user.teamId !== collection.teamId) return false;
 
   if (!collection.permission) {
@@ -47,7 +47,7 @@ allow(User, ["read", "export"], Collection, (user, collection) => {
   return true;
 });
 
-allow(User, "share", Collection, (user, collection) => {
+allow(User, ["share", "export"], Collection, (user, collection) => {
   if (user.isViewer) return false;
   if (!collection || user.teamId !== collection.teamId) return false;
   if (!collection.sharing) return false;

server/policies/collection.test.js

@@ -59,7 +59,7 @@ describe("read permission", () => {
     });
     const abilities = serialize(user, collection);
     expect(abilities.read).toEqual(true);
-    expect(abilities.export).toEqual(true);
+    expect(abilities.export).toEqual(false);
     expect(abilities.update).toEqual(false);
     expect(abilities.share).toEqual(false);
   });