From 329426d09f41b2b96b07ab001e537dbdb641b970 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Fri, 9 Feb 2024 18:18:14 -0500
Subject: [PATCH] fix: comments.info endpoint not accessible to non-admins

closes #6516
---
 server/policies/comment.ts | 9 +++++-
 server/routes/api/comments/comments.test.ts | 31 +++++++++++++++++++++
 server/routes/api/comments/comments.ts | 7 +++++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/server/policies/comment.ts b/server/policies/comment.ts
index c468323e5..de666e0fe 100644
--- a/server/policies/comment.ts
+++ b/server/policies/comment.ts
@@ -8,7 +8,14 @@ allow(User, "createComment", Team, (user, team) => {
 return true;
 });
 
-allow(User, ["read", "update", "delete"], Comment, (user, comment) => {
+allow(User, "read", Comment, (user, comment) => {
+ if (!comment) {
+ return false;
+ }
+ return user.teamId === comment.createdBy.teamId;
+});
+
+allow(User, ["update", "delete"], Comment, (user, comment) => {
 if (!comment) {
 return false;
 }
diff --git a/server/routes/api/comments/comments.test.ts b/server/routes/api/comments/comments.test.ts
index 4dcbcea4f..b214a6202 100644
--- a/server/routes/api/comments/comments.test.ts
+++ b/server/routes/api/comments/comments.test.ts
@@ -1,4 +1,5 @@
 import {
+ buildAdmin,
 buildCollection,
 buildComment,
 buildDocument,
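Review bot: The new `read` rule on `Comment` grants every member of the author's team read access regardless of whether the requester can read the document the comment belongs to, so the document check exists only in the `comments.info` route and not in the policy; any other caller that relies on `authorize(user, "read", comment)` or on the policy's `read` ability being presented to the client will not get that check. If the policy layer can consult the parent document's read ability, folding it into this rule would keep the decision in one place. The rule also dereferences `comment.createdBy.teamId`, which presumably requires the `createdBy` association to be loaded on every comment passed in — a comment fetched without that include would throw rather than deny, so `comment.createdBy?.teamId` or a comment stating the loading requirement would make the contract explicit. The `update`/`delete` rule's body continues outside the hunk.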
@@ -211,12 +212,42 @@ describe("#comments.info", () => {
 it("should return comment info", async () => {
 const team = await buildTeam();
 const user = await buildUser({ teamId: team.id });
+ const user2 = await buildUser({ teamId: team.id });
 const document = await buildDocument({
 userId: user.id,
 teamId: user.teamId,
 });
 const comment = await buildComment({
+ userId: user2.id,
+ documentId: document.id,
+ });
+ const res = await server.post("/api/comments.info", {
+ body: {
+ token: user.getJwtToken(),
+ id: comment.id,
+ },
+ });
+ const body = await res.json();
+
+ expect(res.status).toEqual(200);
+ expect(body.data.id).toEqual(comment.id);
+ expect(body.data.data).toEqual(comment.data);
+ expect(body.policies.length).toEqual(1);
+ expect(body.policies[0].abilities.read).toEqual(true);
+ expect(body.policies[0].abilities.update).toEqual(false);
+ expect(body.policies[0].abilities.delete).toEqual(false);
+ });
+
+ it("should return comment info for admin", async () => {
+ const team = await buildTeam();
+ const user = await buildAdmin({ teamId: team.id });
+ const user2 = await buildUser({ teamId: team.id });
+ const document = await buildDocument({
 userId: user.id,
+ teamId: user.teamId,
+ });
+ const comment = await buildComment({
+ userId: user2.id,
 documentId: document.id,
 });
 const res = await server.post("/api/comments.info", {
diff --git a/server/routes/api/comments/comments.ts b/server/routes/api/comments/comments.ts
index 901ef9dba..78b7d1cdc 100644
--- a/server/routes/api/comments/comments.ts
+++ b/server/routes/api/comments/comments.ts
@@ -69,6 +69,13 @@ router.post(
 });
 authorize(user, "read", comment);
 
+ if (comment.documentId) {
+ const document = await Document.findByPk(comment.documentId, {
+ userId: user.id,
+ });
+ authorize(user, "read", document);
+ }
+
 ctx.body = {
 data: presentComment(comment),
 policies: presentPolicies(user, [comment]),
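Review bot: Both new `#comments.info` cases only exercise the allowed path (a team member and an admin reading a comment on a document the requester created), so nothing pins the boundary this fix draws — there is no case asserting a 403 for a requester who cannot read the underlying document, nor for a requester from a different team, both of which are the regressions most likely to reappear when the policy or route is touched again. I would add one case per denial path that builds the document outside the requester's reach and ends with `expect(res.status).toEqual(403);` after the `comments.info` call, and one asserting the 200 path still reports `abilities.read` true for a non-author. The admin `it(...)` block continues outside the hunk.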
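Review bot: The document read check is skipped entirely when `comment.documentId` is falsy, and when `Document.findByPk` returns null the outcome depends on how `authorize` treats a missing subject; if denial on a null document is the intent, a one-line comment saying so above the `authorize` call would make that explicit, otherwise a not-found error should be thrown before it. More importantly, the check is enforced in the route rather than in the comment `read` policy, so `presentPolicies(user, [comment])` on the following lines presumably reports `read: true` from the policy alone, and other endpoints that authorize `read` on a comment will not get the document check unless they repeat this block; moving it into the policy or a shared helper would keep the route and the presented policies consistent. The enclosing `router.post` handler starts and ends outside the hunk.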