Update team and collection authorization

This commit is contained in:
Tom Moor
2018-02-18 01:14:51 -08:00
parent 2f81eb5e87
commit e84fb5e6ba
17 changed files with 181 additions and 135 deletions


@ -1,13 +1,14 @@
// @flow
import Router from 'koa-router';
import httpErrors from 'http-errors';
import _ from 'lodash';
import auth from './middlewares/authentication';
import pagination from './middlewares/pagination';
import { presentCollection } from '../presenters';
import { Collection } from '../models';
import policy from '../policies';
const { authorize } = policy;
const router = new Router();
router.post('collections.create', auth(), async ctx => {
@ -32,6 +33,18 @@ router.post('collections.create', auth(), async ctx => {
};
});
router.post('collections.info', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertPresent(id, 'id is required');
const collection = await Collection.scope('withRecentDocuments').findById(id);
authorize(ctx.state.user, 'read', collection);
ctx.body = {
data: await presentCollection(ctx, collection),
};
});
router.post('collections.update', auth(), async ctx => {
const { id, name, color } = ctx.body;
ctx.assertPresent(name, 'name is required');
@ -39,6 +52,8 @@ router.post('collections.update', auth(), async ctx => {
ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');
const collection = await Collection.findById(id);
authorize(ctx.state.user, 'update', collection);
collection.name = name;
collection.color = color;
await collection.save();
@ -48,25 +63,6 @@ router.post('collections.update', auth(), async ctx => {
};
});
router.post('collections.info', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertPresent(id, 'id is required');
const user = ctx.state.user;
const collection = await Collection.scope('withRecentDocuments').findOne({
where: {
id,
teamId: user.teamId,
},
});
if (!collection) throw httpErrors.NotFound();
ctx.body = {
data: await presentCollection(ctx, collection),
};
});
router.post('collections.list', auth(), pagination(), async ctx => {
const user = ctx.state.user;
const collections = await Collection.findAll({
@ -94,15 +90,12 @@ router.post('collections.delete', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertPresent(id, 'id is required');
const user = ctx.state.user;
const collection = await Collection.findById(id);
authorize(ctx.state.user, 'delete', collection);
const total = await Collection.count();
if (total === 1) throw httpErrors.BadRequest('Cannot delete last collection');
if (!collection || collection.teamId !== user.teamId)
throw httpErrors.BadRequest();
try {
await collection.destroy();
} catch (e) {