From 028160d9ade4a990fc07d5f02f420eecea927827 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sat, 5 Jan 2019 23:13:58 -0800
Subject: [PATCH] Fixes: Share links in private collections visible in share listing
---
 server/api/shares.js | 4 ++++
 server/api/shares.test.js | 21 ++++++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/server/api/shares.js b/server/api/shares.js
index 6fc1616d8..9aec6633b 100644
--- a/server/api/shares.js
+++ b/server/api/shares.js
@@ -25,6 +25,7 @@ router.post('shares.list', auth(), pagination(), async ctx => {
 if (user.isAdmin) delete where.userId;
+ const collectionIds = await user.collectionIds();
 const shares = await Share.findAll({
 where,
 order: [[sort, direction]],
@@ -33,6 +34,9 @@ router.post('shares.list', auth(), pagination(), async ctx => {
 model: Document,
 required: true,
 as: 'document',
+ where: {
+ collectionId: collectionIds,
+ },
 },
 {
 model: User,
diff --git a/server/api/shares.test.js b/server/api/shares.test.js
index b5c01e330..182beb8a9 100644
--- a/server/api/shares.test.js
+++ b/server/api/shares.test.js
@@ -50,7 +50,7 @@ describe('#shares.list', async () => {
 expect(body.data.length).toEqual(0);
 });
- it('admins should only return shares created by all users', async () => {
+ it('admins should return shares created by all users', async () => {
 const { admin, document } = await seed();
 const share = await buildShare({
 documentId: document.id,
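Review bot: The `where: { collectionId: collectionIds }` added to the Document include in the second shares.js hunk is the authorization check this fix hinges on, yet nothing marks it as such; a reader would take it for ordinary result filtering and could later "simplify" it away, and the `collectionIds` lookup in the first hunk reads the same way. Suggest a comment directly above the new `where:` such as `// Authorization: only list shares whose document is in a collection this user can access (user.collectionIds()); admins skip the userId filter above, so without this they would see share links from private collections they are not members of.` Whether an already-created share link stays resolvable after its collection is made private is not addressed by this hunk — if that is intentional, the same comment should say so, and the other shares endpoints (not visible here) may need the same membership filter. The `shares.list` handler begins before and ends after both hunks.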
@@ -67,6 +67,25 @@ describe('#shares.list', async () => {
 expect(body.data[0].documentTitle).toBe(document.title);
 });
+ it('admins should not return shares in collection not a member of', async () => {
+ const { admin, document, collection } = await seed();
+ await buildShare({
+ documentId: document.id,
+ teamId: admin.teamId,
+ });
+
+ collection.private = true;
+ await collection.save();
+
+ const res = await server.post('/api/shares.list', {
+ body: { token: admin.getJwtToken() },
+ });
+ const body = await res.json();
+
+ expect(res.status).toEqual(200);
+ expect(body.data.length).toEqual(0);
+ });
+
 it('should require authentication', async () => {
 const res = await server.post('/api/shares.list');
 const body = await res.json();
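Review bot: The new test exercises only the admin path; a regular user who is not a member of the now-private collection is the other side of the same listing filter and is not asserted in this hunk (it may exist elsewhere in the `describe` block, which starts outside the hunk). A sibling case with the same setup but listing as the seeded non-admin `user` would pin that behaviour too. The test name is also hard to parse — `it('admins should not return shares in collections they are not a member of', async () => {` reads more clearly. Presumably `seed()` leaves the admin out of the collection's membership once `private` is set; if the seed helper changes, this test would pass or fail for reasons unrelated to the listing filter, so a short comment above `collection.private = true;` stating that assumption would help.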