From 1caa51f58e8f5b8bd1eb7571b470eb820516f867 Mon Sep 17 00:00:00 2001
From: Apoorv Mishra
Date: Tue, 31 Jan 2023 19:46:10 +0530
Subject: [PATCH] Viewer should be allowed to subscribe to a document (#4814)

* fix: viewer should be allowed to subscribe to a document
* fix: allow subscribe only if the user has read permission for collection
---
 server/policies/document.test.ts | 6 +++
 server/policies/document.ts | 80 ++++++++++++++++++++------------
 2 files changed, 57 insertions(+), 29 deletions(-)

diff --git a/server/policies/document.test.ts b/server/policies/document.test.ts
index 9646286ac..6eea166dc 100644
--- a/server/policies/document.test.ts
+++ b/server/policies/document.test.ts
@@ -59,6 +59,8 @@ describe("read_write collection", () => {
 expect(abilities.delete).toEqual(false);
 expect(abilities.share).toEqual(false);
 expect(abilities.move).toEqual(false);
+ expect(abilities.subscribe).toEqual(true);
+ expect(abilities.unsubscribe).toEqual(true);
 });
 });

@@ -85,6 +87,8 @@ describe("read collection", () => {
 expect(abilities.delete).toEqual(false);
 expect(abilities.share).toEqual(false);
 expect(abilities.move).toEqual(false);
+ expect(abilities.subscribe).toEqual(true);
+ expect(abilities.unsubscribe).toEqual(true);
 });
 });

@@ -111,6 +115,8 @@ describe("private collection", () => {
 expect(abilities.delete).toEqual(false);
 expect(abilities.share).toEqual(false);
 expect(abilities.move).toEqual(false);
+ expect(abilities.subscribe).toEqual(false);
+ expect(abilities.unsubscribe).toEqual(false);
 });
 });

diff --git a/server/policies/document.ts b/server/policies/document.ts
index f7ee39f69..58b4841e7 100644
--- a/server/policies/document.ts
+++ b/server/policies/document.ts
@@ -180,36 +180,58 @@ allow(User, "move", Document, (user, document) => {
 return user.teamId === document.teamId;
 });

-allow(
- User,
- ["pin", "unpin", "subscribe", "unsubscribe"],
- Document,
- (user, document) => {
- if (!document) {
- return false;
- }
- if (document.archivedAt) {
- return false;
- }
- if (document.deletedAt) {
- return false;
- }
- if (document.template) {
- return false;
- }
- if (!document.publishedAt) {
- return false;
- }
- invariant(
- document.collection,
- "collection is missing, did you forget to include in the query scope?"
- );
- if (cannot(user, "update", document.collection)) {
- return false;
- }
- return user.teamId === document.teamId;
+allow(User, ["pin", "unpin"], Document, (user, document) => {
+ if (!document) {
+ return false;
 }
-);
+ if (document.archivedAt) {
+ return false;
+ }
+ if (document.deletedAt) {
+ return false;
+ }
+ if (document.template) {
+ return false;
+ }
+ if (!document.publishedAt) {
+ return false;
+ }
+ invariant(
+ document.collection,
+ "collection is missing, did you forget to include in the query scope?"
+ );
+ if (cannot(user, "update", document.collection)) {
+ return false;
+ }
+ return user.teamId === document.teamId;
+});
+
+allow(User, ["subscribe", "unsubscribe"], Document, (user, document) => {
+ if (!document) {
+ return false;
+ }
+ if (document.archivedAt) {
+ return false;
+ }
+ if (document.deletedAt) {
+ return false;
+ }
+ if (document.template) {
+ return false;
+ }
+ if (!document.publishedAt) {
+ return false;
+ }
+ invariant(
+ document.collection,
+ "collection is missing, did you forget to include in the query scope?"
+ );
+ if (cannot(user, "read", document.collection)) {
+ return false;
+ }
+
+ return user.teamId === document.teamId;
+});

 allow(User, ["pinToHome"], Document, (user, document) => {
 if (!document) {
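Review bot: The new `subscribe`/`unsubscribe` callback in the second half of the hunk is a line-for-line copy of the `pin`/`unpin` callback above it, differing only in the ability checked against the collection (`"read"` instead of `"update"`), so the shared preconditions (missing, archived, deleted, template, unpublished, cross-team) now live in two places and the next change to one of them can silently leave the other policy behind. Factoring those checks into one helper that takes the collection ability keeps the two authorization rules in step and makes the single real difference visible at the registration site. The helper's parameter types should match whatever `allow` infers for its callback; `Document | null` below is chosen because the callback guards `!document` and should be confirmed against that signature. The stray blank line before the final `return` in the subscribe callback disappears with the refactor.
```typescript
// Preconditions shared by per-user document actions; `collectionAbility` is
// the permission the user must hold on the parent collection.
function canActOnDocument(
  user: User,
  document: Document | null,
  collectionAbility: "read" | "update"
) {
  if (!document || document.archivedAt || document.deletedAt) {
    return false;
  }
  if (document.template || !document.publishedAt) {
    return false;
  }
  invariant(
    document.collection,
    "collection is missing, did you forget to include in the query scope?"
  );
  if (cannot(user, collectionAbility, document.collection)) {
    return false;
  }
  return user.teamId === document.teamId;
}

allow(User, ["pin", "unpin"], Document, (user, document) =>
  canActOnDocument(user, document, "update")
);

allow(User, ["subscribe", "unsubscribe"], Document, (user, document) =>
  canActOnDocument(user, document, "read")
);
```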