From 448f94ed04539d6e23702f31e160430d2f913bfe Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 6 Apr 2022 16:49:07 -0700
Subject: [PATCH] fix: Allow admin edit/update access to all collections (#3335)

* fix: Allow admin edit/update access to all collections
* test
---
 server/policies/collection.ts | 15 ++++++++++++---
 server/routes/api/collections.test.ts | 6 +++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/server/policies/collection.ts b/server/policies/collection.ts
index 7a3cb0145..6ccdcf0e5 100644
--- a/server/policies/collection.ts
+++ b/server/policies/collection.ts
@@ -43,6 +43,9 @@ allow(User, ["read", "star", "unstar"], Collection, (user, collection) => {
   if (!collection || user.teamId !== collection.teamId) {
     return false;
   }
+  if (user.isAdmin) {
+    return true;
+  }
 
   if (!collection.permission) {
     invariant(
@@ -71,6 +74,9 @@ allow(User, "share", Collection, (user, collection) => {
   if (!collection.sharing) {
     return false;
   }
+  if (user.isAdmin) {
+    return true;
+  }
 
   if (collection.permission !== "read_write") {
     invariant(
@@ -96,6 +102,9 @@ allow(User, ["publish", "update"], Collection, (user, collection) => {
   if (!collection || user.teamId !== collection.teamId) {
     return false;
   }
+  if (user.isAdmin) {
+    return true;
+  }
 
   if (collection.permission !== "read_write") {
     invariant(
@@ -121,6 +130,9 @@ allow(User, "delete", Collection, (user, collection) => {
   if (!collection || user.teamId !== collection.teamId) {
     return false;
   }
+  if (user.isAdmin) {
+    return true;
+  }
 
   if (collection.permission !== "read_write") {
     invariant(
@@ -136,9 +148,6 @@ allow(User, "delete", Collection, (user, collection) => {
     );
   }
 
-  if (user.isAdmin) {
-    return true;
-  }
   if (user.id === collection.createdById) {
     return true;
   }
diff --git a/server/routes/api/collections.test.ts b/server/routes/api/collections.test.ts
index 44a534225..83ef11467 100644
--- a/server/routes/api/collections.test.ts
+++ b/server/routes/api/collections.test.ts
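Review bot: The new `if (user.isAdmin) { return true; }` in the read/star/unstar policy returns before the `!collection.permission` branch, so an admin now reads — and, per the test change in this same patch, exports — private collections they were never added to, and nothing in the hunk records that this widening of "private" is intentional. Add `// Admins can read every collection in their team, including private ones they are not a member of.` above the new `if`. The short-circuit sits after the `user.teamId !== collection.teamId` comparison, so the grant stays scoped to the admin's own team. The `allow` callback continues below the hunk.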
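Review bot: The admin short-circuit added to the share policy is not preceded within this hunk by the `user.teamId !== collection.teamId` guard that the read, update and delete hunks show, and the callback's opening lines are outside the hunk; if that comparison is not there, an admin of one team would be allowed to share another team's collection, because `user.isAdmin` alone says nothing about team membership. Confirm the guard is present above, or make `if (!collection || user.teamId !== collection.teamId) { return false; }` the first statement of the callback. Placing the bypass after `if (!collection.sharing)` is right — an admin should not be able to override a collection whose sharing is switched off.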
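Review bot: For `delete` the admin check now runs before the `collection.permission !== "read_write"` gate instead of after it (the old placement is removed in the following hunk), so an admin can delete any collection in the team, including private ones they are not a member of, and the `invariant(` call inside that gate is no longer evaluated for admins. That is a destructive grant that deserves a comment at the new `if`: `// Admins may delete any collection in their team regardless of membership or permission level.` It is also worth naming in the PR description, which currently mentions only edit/update access. The callback continues below the hunk.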
@@ -270,14 +270,14 @@ describe("#collections.move", () => {
 describe("#collections.export", () => {
   it("should not allow export of private collection not a member", async () => {
-    const { admin } = await seed();
+    const { user } = await seed();
     const collection = await buildCollection({
       permission: null,
-      teamId: admin.teamId,
+      teamId: user.teamId,
     });
     const res = await server.post("/api/collections.export", {
       body: {
-        token: admin.getJwtToken(),
+        token: user.getJwtToken(),
         id: collection.id,
       },
     });