fix: Admins cannot query permissions on private collections (#7145)

* fix: Admins have permission to see existence of all collections (in settings) * fix: Current user filtered from suggestions. As an admin managing other collections this is limiting * test
2024-06-25 08:28:32 -04:00
parent beabd32e6a
commit 29a653aaeb
4 changed files with 19 additions and 4 deletions
--- a/server/policies/collection.test.ts
+++ b/server/policies/collection.test.ts
@@ -27,7 +27,7 @@ describe("admin", () => {
    expect(abilities.updateDocument).toEqual(false);
    expect(abilities.createDocument).toEqual(false);
    expect(abilities.share).toEqual(false);
-    expect(abilities.read).toEqual(false);
+    expect(abilities.read).toEqual(true);
    expect(abilities.update).toEqual(true);
  });

--- a/server/policies/collection.ts
+++ b/server/policies/collection.ts
@@ -32,9 +32,24 @@ allow(User, "move", Collection, (actor, collection) =>
  )
 );

+allow(User, "read", Collection, (user, collection) => {
+  if (!collection || user.teamId !== collection.teamId) {
+    return false;
+  }
+  if (user.isAdmin) {
+    return true;
+  }
+
+  if (collection.isPrivate || user.isGuest) {
+    return includesMembership(collection, Object.values(CollectionPermission));
+  }
+
+  return true;
+});
+
 allow(
  User,
-  ["read", "readDocument", "star", "unstar"],
+  ["readDocument", "star", "unstar"],
  Collection,
  (user, collection) => {
    if (!collection || user.teamId !== collection.teamId) {
--- a/server/policies/document.ts
+++ b/server/policies/document.ts
@@ -138,7 +138,7 @@ allow(User, "createChildDocument", Document, (actor, document) =>
    can(actor, "update", document),
    or(
      includesMembership(document, [DocumentPermission.Admin]),
-      can(actor, "read", document?.collection)
+      can(actor, "readDocument", document?.collection)
    ),
    !document?.isDraft,
    !document?.template