From aeb97ddcae79df53a8b546e362930832b745c17a Mon Sep 17 00:00:00 2001 From: Tom Moor Date: Wed, 23 May 2018 22:55:01 -0700 Subject: [PATCH] Filter shares.list endpoint by admin --- server/api/shares.js | 7 ++++++- server/api/shares.test.js | 26 ++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/server/api/shares.js b/server/api/shares.js index 471ac0db..b50f5c1a 100644 --- a/server/api/shares.js +++ b/server/api/shares.js @@ -5,6 +5,7 @@ import pagination from './middlewares/pagination'; import { presentShare } from '../presenters'; import { Document, User, Share } from '../models'; import policy from '../policies'; +import { constants } from 'os'; const { authorize } = policy; const router = new Router(); @@ -14,8 +15,12 @@ router.post('shares.list', auth(), pagination(), async ctx => { if (direction !== 'ASC') direction = 'DESC'; const user = ctx.state.user; + const where = { teamId: user.teamId, userId: user.id }; + + if (user.isAdmin) delete where.userId; + const shares = await Share.findAll({ - where: { teamId: user.teamId }, + where, order: [[sort, direction]], include: [ { diff --git a/server/api/shares.test.js b/server/api/shares.test.js index c9d78f85..1229e8ca 100644 --- a/server/api/shares.test.js +++ b/server/api/shares.test.js @@ -10,12 +10,17 @@ beforeEach(flushdb); afterAll(server.close); describe('#shares.list', async () => { - it('should return a list of shares', async () => { + it('should only return shares created by user', async () => { const { user, document } = await seed(); - const share = await buildShare({ + await buildShare({ documentId: document.id, teamId: user.teamId, }); + const share = await buildShare({ + documentId: document.id, + teamId: user.teamId, + userId: user.id, + }); const res = await server.post('/api/shares.list', { body: { token: user.getJwtToken() }, }); 
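Review bot: `import { constants } from 'os';` is added to server/api/shares.js but `constants` is referenced by none of this file's additions (all six of them are in this patch), so it reads like an editor auto-import that slipped into the commit. Drop the line: it is harmless at runtime, but it will trip `no-unused-vars` lint and suggests to a reader that the shares endpoint does something with OS-level constants. Nothing else in this hunk changes.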
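Review bot: The `userId` filter added before `Share.findAll` is now this endpoint's authorization boundary, yet shares whose `userId` is null become invisible to every non-admin — the sibling test file builds a share without a `userId`, so the column is evidently nullable, and rows created before the column existed presumably look the same. Decide whether such shares should still be listable by their creator (backfill) or are intentionally admin-only, and state the rule at the query, e.g. `// Non-admins only see shares they created; admins see every share in the team.` above `const where`. The `delete` can go too: `const where = user.isAdmin ? { teamId: user.teamId } : { teamId: user.teamId, userId: user.id };` keeps the object's shape fixed and reads as the policy it is. Note that the `router.post('shares.list', …)` handler begins at the hunk-header line and continues past the hunk, so whether the `sort` value fed to `order` is validated is not visible here.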
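Review bot: The renamed test "should only return shares created by user" does not actually exercise the case its name promises: the share it expects to be hidden has no `userId` at all, not a `userId` belonging to another member of the same team, so a filter that merely excludes null owners would pass it. Build the first share as `userId: otherUser.id` with a second user in `user.teamId` (using whichever user factory the test helpers expose) so the test fails if the ownership check regresses. The expectations that this setup feeds (`body.data.length`, `body.data[0].id`) sit between the two hunks and are not shown, so I can only infer they still assert a single result.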
@@ -27,6 +32,23 @@ describe('#shares.list', async () => { expect(body.data[0].documentTitle).toBe(document.title); }); + it('admins should only return shares created by all users', async () => { + const { admin, document } = await seed(); + const share = await buildShare({ + documentId: document.id, + teamId: admin.teamId, + }); + const res = await server.post('/api/shares.list', { + body: { token: admin.getJwtToken() }, + }); + const body = await res.json(); + + expect(res.status).toEqual(200); + expect(body.data.length).toEqual(1); + expect(body.data[0].id).toEqual(share.id); + expect(body.data[0].documentTitle).toBe(document.title); + }); + it('should require authentication', async () => { const res = await server.post('/api/shares.list'); const body = await res.json();
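Review bot: The new test's title, "admins should only return shares created by all users", contradicts itself and hides what is being checked; `it('admins should see shares created by all users', …)` says it. The setup also proves less than the title claims: the only share built has no `userId`, so the test shows an admin sees an unowned share, not that the admin filter spans other users' shares as well as the admin's own. Adding a second share with `userId: admin.id` (and one owned by a non-admin team member, if the helpers allow) and expecting `body.data.length` of 2 would pin the intended behavior, though `body.data[0].id` then depends on the default sort and should be replaced by an order-independent membership check.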