Update team and collection authorization

2018-02-18 01:14:51 -08:00
parent 2f81eb5e87
commit e84fb5e6ba
17 changed files with 181 additions and 135 deletions
--- a/server/policies/collection.js
+++ b/server/policies/collection.js
@ -0,0 +1,25 @@
+// @flow
+import policy from './policy';
+import Collection from '../models/Collection';
+import User from '../models/User';
+
+const { allow } = policy;
+
+allow(User, 'create', Collection);
+
+allow(
+  User,
+  ['read', 'update'],
+  Collection,
+  (user, collection) => collection && user.teamId === collection.teamId
+);
+
+allow(
+  User,
+  'delete',
+  Collection,
+  (user, collection) =>
+    collection &&
+    user.teamId === collection.teamId &&
+    (user.id === collection.creatorId || user.isAdmin)
+);