fix: Allow admin edit/update access to all collections (#3335)

* fix: Allow admin edit/update access to all collections

* test
Tom Moor
2022-04-06 16:49:07 -07:00
committed by GitHub
parent dbfdcd6d23
commit 448f94ed04
2 changed files with 15 additions and 6 deletions


@@ -43,6 +43,9 @@ allow(User, ["read", "star", "unstar"], Collection, (user, collection) => {
if (!collection || user.teamId !== collection.teamId) {
return false;
}
if (user.isAdmin) {
return true;
}
if (!collection.permission) {
invariant(
@@ -71,6 +74,9 @@ allow(User, "share", Collection, (user, collection) => {
if (!collection.sharing) {
return false;
}
if (user.isAdmin) {
return true;
}
if (collection.permission !== "read_write") {
invariant(
@@ -96,6 +102,9 @@ allow(User, ["publish", "update"], Collection, (user, collection) => {
if (!collection || user.teamId !== collection.teamId) {
return false;
}
if (user.isAdmin) {
return true;
}
if (collection.permission !== "read_write") {
invariant(
@@ -121,6 +130,9 @@ allow(User, "delete", Collection, (user, collection) => {
if (!collection || user.teamId !== collection.teamId) {
return false;
}
if (user.isAdmin) {
return true;
}
if (collection.permission !== "read_write") {
invariant(
@@ -136,9 +148,6 @@ allow(User, "delete", Collection, (user, collection) => {
);
}
if (user.isAdmin) {
return true;
}
if (user.id === collection.createdById) {
return true;
}
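Review bot: The admin short-circuit added to the `["read", "star", "unstar"]` policy widens more than the edit/update access named in the title: any team admin can now read private collections (`permission: null`) they are not a member of, and the test change in this commit suggests export follows from that. In the read, publish/update and delete policies the new check sits after the `user.teamId !== collection.teamId` guard, so it stays team-scoped. In the `share` policy the only guard visible above it is `!collection.sharing`, so it is worth confirming that a team check precedes it above the hunk. Because the ordering is what keeps the bypass safe, I would add a comment to each block such as `// Admins may access every collection in their own team, private ones included; keep this after the teamId check.` Each policy body starts or ends outside its hunk.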


@@ -270,14 +270,14 @@ describe("#collections.move", () => {
describe("#collections.export", () => {
it("should not allow export of private collection not a member", async () => {
const { admin } = await seed();
const { user } = await seed();
const collection = await buildCollection({
permission: null,
teamId: admin.teamId,
teamId: user.teamId,
});
const res = await server.post("/api/collections.export", {
body: {
token: admin.getJwtToken(),
token: user.getJwtToken(),
id: collection.id,
},
});
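Review bot: Nothing in this hunk asserts the new admin behaviour; the change only swaps `admin` for `user` so the existing denial case in `#collections.export` keeps passing. I would add a case where an admin on the collection's team exports a `permission: null` collection they are not a member of and is allowed. A second case should check that an admin whose `teamId` differs from the collection's is still refused, so the team boundary of the bypass is pinned by a test. The `it(...)` body continues past the hunk, and such cases may already exist elsewhere in the file.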