fix: comments.info endpoint not accessible to non-admins

closes #6516

server/policies/comment.ts

@@ -8,7 +8,14 @@ allow(User, "createComment", Team, (user, team) => {
   return true;
 });
 
-allow(User, ["read", "update", "delete"], Comment, (user, comment) => {
+allow(User, "read", Comment, (user, comment) => {
+  if (!comment) {
+    return false;
+  }
+  return user.teamId === comment.createdBy.teamId;
+});
+
+allow(User, ["update", "delete"], Comment, (user, comment) => {
   if (!comment) {
     return false;
   }

server/routes/api/comments/comments.test.ts

@@ -1,4 +1,5 @@
 import {
+  buildAdmin,
   buildCollection,
   buildComment,
   buildDocument,
@@ -211,12 +212,42 @@ describe("#comments.info", () => {
   it("should return comment info", async () => {
     const team = await buildTeam();
     const user = await buildUser({ teamId: team.id });
+    const user2 = await buildUser({ teamId: team.id });
     const document = await buildDocument({
       userId: user.id,
       teamId: user.teamId,
     });
     const comment = await buildComment({
+      userId: user2.id,
+      documentId: document.id,
+    });
+    const res = await server.post("/api/comments.info", {
+      body: {
+        token: user.getJwtToken(),
+        id: comment.id,
+      },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.id).toEqual(comment.id);
+    expect(body.data.data).toEqual(comment.data);
+    expect(body.policies.length).toEqual(1);
+    expect(body.policies[0].abilities.read).toEqual(true);
+    expect(body.policies[0].abilities.update).toEqual(false);
+    expect(body.policies[0].abilities.delete).toEqual(false);
+  });
+
+  it("should return comment info for admin", async () => {
+    const team = await buildTeam();
+    const user = await buildAdmin({ teamId: team.id });
+    const user2 = await buildUser({ teamId: team.id });
+    const document = await buildDocument({
       userId: user.id,
+      teamId: user.teamId,
+    });
+    const comment = await buildComment({
+      userId: user2.id,
       documentId: document.id,
     });
     const res = await server.post("/api/comments.info", {

server/routes/api/comments/comments.ts

@@ -69,6 +69,13 @@ router.post(
     });
     authorize(user, "read", comment);
 
+    if (comment.documentId) {
+      const document = await Document.findByPk(comment.documentId, {
+        userId: user.id,
+      });
+      authorize(user, "read", document);
+    }
+
     ctx.body = {
       data: presentComment(comment),
       policies: presentPolicies(user, [comment]),