Collection Permissions (#829)

see https://github.com/outline/outline/issues/668
2019-01-05 13:37:33 -08:00
parent 8978915423
commit 8c02b0028c
53 changed files with 1379 additions and 214 deletions
--- a/server/api/documents.js
+++ b/server/api/documents.js
@ -14,14 +14,39 @@ const { authorize, cannot } = policy;
 const router = new Router();

 router.post('documents.list', auth(), pagination(), async ctx => {
-  let { sort = 'updatedAt', direction, collection, user } = ctx.body;
+  const { sort = 'updatedAt' } = ctx.body;
+  const collectionId = ctx.body.collection;
+  const createdById = ctx.body.user;
+  let direction = ctx.body.direction;
  if (direction !== 'ASC') direction = 'DESC';

-  let where = { teamId: ctx.state.user.teamId };
-  if (collection) where = { ...where, collectionId: collection };
-  if (user) where = { ...where, createdById: user };
+  // always filter by the current team
+  const user = ctx.state.user;
+  let where = { teamId: user.teamId };

-  const starredScope = { method: ['withStarred', ctx.state.user.id] };
+  // if a specific user is passed then add to filters. If the user doesn't
+  // exist in the team then nothing will be returned, so no need to check auth
+  if (createdById) {
+    ctx.assertUuid(createdById, 'user must be a UUID');
+    where = { ...where, createdById };
+  }
+
+  // if a specific collection is passed then we need to check auth to view it
+  if (collectionId) {
+    ctx.assertUuid(collectionId, 'collection must be a UUID');
+
+    where = { ...where, collectionId };
+    const collection = await Collection.findById(collectionId);
+    authorize(user, 'read', collection);
+
+    // otherwise, filter by all collections the user has access to
+  } else {
+    const collectionIds = await user.collectionIds();
+    where = { ...where, collectionId: collectionIds };
+  }
+
+  // add the users starred state to the response by default
+  const starredScope = { method: ['withStarred', user.id] };
  const documents = await Document.scope('defaultScope', starredScope).findAll({
    where,
    order: [[sort, direction]],
@ -40,16 +65,21 @@ router.post('documents.list', auth(), pagination(), async ctx => {
 });

 router.post('documents.pinned', auth(), pagination(), async ctx => {
-  let { sort = 'updatedAt', direction, collection } = ctx.body;
+  const { sort = 'updatedAt' } = ctx.body;
+  const collectionId = ctx.body.collection;
+  let direction = ctx.body.direction;
  if (direction !== 'ASC') direction = 'DESC';
-  ctx.assertPresent(collection, 'collection is required');
+  ctx.assertUuid(collectionId, 'collection is required');

  const user = ctx.state.user;
+  const collection = await Collection.findById(collectionId);
+  authorize(user, 'read', collection);
+
  const starredScope = { method: ['withStarred', user.id] };
  const documents = await Document.scope('defaultScope', starredScope).findAll({
    where: {
      teamId: user.teamId,
-      collectionId: collection,
+      collectionId,
      pinnedById: {
        // $FlowFixMe
        [Op.ne]: null,
@ -75,6 +105,8 @@ router.post('documents.viewed', auth(), pagination(), async ctx => {
  if (direction !== 'ASC') direction = 'DESC';

  const user = ctx.state.user;
+  const collectionIds = await user.collectionIds();
+
  const views = await View.findAll({
    where: { userId: user.id },
    order: [[sort, direction]],
@ -82,6 +114,9 @@ router.post('documents.viewed', auth(), pagination(), async ctx => {
      {
        model: Document,
        required: true,
+        where: {
+          collectionId: collectionIds,
+        },
        include: [
          {
            model: Star,
@ -111,13 +146,28 @@ router.post('documents.starred', auth(), pagination(), async ctx => {
  if (direction !== 'ASC') direction = 'DESC';

  const user = ctx.state.user;
+  const collectionIds = await user.collectionIds();
+
  const views = await Star.findAll({
-    where: { userId: user.id },
+    where: {
+      userId: user.id,
+    },
    order: [[sort, direction]],
    include: [
      {
        model: Document,
-        include: [{ model: Star, as: 'starred', where: { userId: user.id } }],
+        where: {
+          collectionId: collectionIds,
+        },
+        include: [
+          {
+            model: Star,
+            as: 'starred',
+            where: {
+              userId: user.id,
+            },
+          },
+        ],
      },
    ],
    offset: ctx.state.pagination.offset,
@ -139,9 +189,15 @@ router.post('documents.drafts', auth(), pagination(), async ctx => {
  if (direction !== 'ASC') direction = 'DESC';

  const user = ctx.state.user;
+  const collectionIds = await user.collectionIds();
+
  const documents = await Document.findAll({
-    // $FlowFixMe
-    where: { userId: user.id, publishedAt: { [Op.eq]: null } },
+    where: {
+      userId: user.id,
+      collectionId: collectionIds,
+      // $FlowFixMe
+      publishedAt: { [Op.eq]: null },
+    },
    order: [[sort, direction]],
    offset: ctx.state.pagination.offset,
    limit: ctx.state.pagination.limit,
@ -199,6 +255,7 @@ router.post('documents.revision', auth(), async ctx => {
  let { id, revisionId } = ctx.body;
  ctx.assertPresent(id, 'id is required');
  ctx.assertPresent(revisionId, 'revisionId is required');
+
  const document = await Document.findById(id);
  authorize(ctx.state.user, 'read', document);

@ -346,7 +403,6 @@ router.post('documents.unstar', auth(), async ctx => {
 router.post('documents.create', auth(), async ctx => {
  const { title, text, publish, parentDocument, index } = ctx.body;
  const collectionId = ctx.body.collection;
-  ctx.assertPresent(collectionId, 'collection is required');
  ctx.assertUuid(collectionId, 'collection must be an uuid');
  ctx.assertPresent(title, 'title is required');
  ctx.assertPresent(text, 'text is required');