fix: comments.info endpoint not accessible to non-admins

closes #6516
2024-02-09 18:18:14 -05:00
parent 24ce661b7d
commit 329426d09f
3 changed files with 46 additions and 1 deletions
--- a/server/policies/comment.ts
+++ b/server/policies/comment.ts
@@ -8,7 +8,14 @@ allow(User, "createComment", Team, (user, team) => {
  return true;
 });

-allow(User, ["read", "update", "delete"], Comment, (user, comment) => {
+allow(User, "read", Comment, (user, comment) => {
+  if (!comment) {
+    return false;
+  }
+  return user.teamId === comment.createdBy.teamId;
+});
+
+allow(User, ["update", "delete"], Comment, (user, comment) => {
  if (!comment) {
    return false;
  }