Prepping /document.info for public docs

2016-05-30 12:36:37 -07:00
parent d2ca72c8f3
commit 5ffa61791b
3 changed files with 45 additions and 31 deletions
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -30,26 +30,27 @@ export default function auth({ require = true } = {}) {
      throw httpErrors.Unauthorized('Authentication required');
    }

-    // Get user without verifying payload signature
-    let payload;
-    try {
-      payload = JWT.decode(token);
-    } catch(_e) {
-      throw httpErrors.Unauthorized('Unable to decode JWT token');
-    }
-    console.log(payload)
-    const user = await User.findOne({
-      where: { id: payload.id },
-    });
+    if (token && require) {
+      // Get user without verifying payload signature
+      let payload;
+      try {
+        payload = JWT.decode(token);
+      } catch(_e) {
+        throw httpErrors.Unauthorized('Unable to decode JWT token');
+      }
+      const user = await User.findOne({
+        where: { id: payload.id },
+      });

-    try {
-      JWT.verify(token, user.jwtSecret);
-    } catch(e) {
-      throw httpErrors.Unauthorized('Invalid token');
-    }
+      try {
+        JWT.verify(token, user.jwtSecret);
+      } catch(e) {
+        throw httpErrors.Unauthorized('Invalid token');
+      }

-    ctx.state.token = token;
-    ctx.state.user = user;
+      ctx.state.token = token;
+      ctx.state.user = user;
+    }

    return next();
  };
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -8,23 +8,35 @@ import { Document, Atlas } from '../models';

 const router = new Router();

-router.post('documents.info', auth(), async (ctx) => {
+router.post('documents.info', auth({ require: false }), async (ctx) => {
  let { id } = ctx.request.body;
  ctx.assertPresent(id, 'id is required');

-  const team = await ctx.state.user.getTeam();
  const document = await Document.findOne({
    where: {
      id: id,
-      teamId: team.id,
    },
  });

-  if (!document) throw httpErrors.NotFound();
+  // Don't expose private documents outside the team
+  if (document.private) {
+    if (!ctx.state.user) throw httpErrors.NotFound();

-  ctx.body = {
-    data: await presentDocument(document, true),
-  };
+    const team = await ctx.state.user.getTeam();
+    if (document.teamId !== team.id) {
+      if (!document) throw httpErrors.NotFound();
+    }
+
+    ctx.body = {
+      data: await presentDocument(document, true),
+    };
+  } else {
+    ctx.body = {
+      data: await presentDocument(document),
+    };
+  }
+
+  if (!document) throw httpErrors.NotFound();
 });