* Atom / RSS meta link * Spike * Feeling good about this spike now * Remove document.collection * Remove koa.ctx from all presenters to make them portable outside requests * Remove full serialized model from events Move events.add to controllers for now, will eventually be in commands * collections.create event parentDocument -> parentDocumentId * Fix up deprecated tests * Fixed: Doc creation * documents.move * Handle collection deleted * 💚 * Authorize room join requests * Move starred data structure Account for documents with no context on sockets * Add socket.io-redis * Add WEBSOCKETS_ENABLED env variable to disable websockets entirely for self hosted New installations will default to true, existing installations to false * 💚 No need for promise response here * Reload notice
// @flow
import policy from './policy';
import { map } from 'lodash';
import { Collection, User } from '../models';
import { AdminRequiredError } from '../errors';
// Rule registration entry point exposed by the shared policy object.
const allow = policy.allow;

// Creating a collection is registered without a condition callback.
// NOTE(review): presumably this grants 'create' to every User with no team or
// role check at this layer — confirm against ./policy.
allow(User, 'create', Collection);
// Rule for read / publish / update / export on an existing collection.
// The condition returns false when access must be refused and true otherwise.
allow(
  User,
  ['read', 'publish', 'update', 'export'],
  Collection,
  (user, collection) => {
    // A missing collection is never accessible.
    if (!collection) return false;

    // Tenant boundary: the collection must belong to the user's own team.
    if (user.teamId !== collection.teamId) return false;

    // Non-private collections are open to the whole team.
    if (!collection.private) return true;

    // Private collections are limited to the users listed on the collection.
    // NOTE(review): assumes the caller loaded collection.users; lodash map over
    // a missing list yields [], so an unloaded association refuses access
    // rather than granting it — confirm callers load it.
    return map(collection.users, u => u.id).includes(user.id);
  }
);
// Rule for deleting a collection.
// Returns false for a missing collection, a cross-team collection, or a
// private collection the user is not listed on; returns true for an admin or
// the collection's creator; throws AdminRequiredError for anyone else who
// passed the earlier checks.
allow(User, 'delete', Collection, (user, collection) => {
  // A missing collection can never be deleted.
  if (!collection) return false;

  // Tenant boundary: the collection must belong to the user's own team.
  if (user.teamId !== collection.teamId) return false;

  // The membership check runs before the role check, so the admin flag does
  // not bypass it: an admin who is not listed on a private collection is
  // refused here.
  // NOTE(review): assumes the caller loaded collection.users; lodash map over a
  // missing list yields [], which refuses access — confirm callers load it.
  if (collection.private) {
    const memberIds = map(collection.users, u => u.id);
    if (!memberIds.includes(user.id)) return false;
  }

  // Only an admin or the original creator may delete.
  if (user.isAdmin || user.id === collection.creatorId) return true;

  // The user can see the collection but lacks the role needed to delete it.
  throw new AdminRequiredError();
});