Add additional future-proofing auth checks for creation

server/api/collections.js

@@ -18,6 +18,7 @@ router.post('collections.create', auth(), async ctx => {
     ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');
 
   const user = ctx.state.user;
+  authorize(user, 'create', Collection);
 
   const collection = await Collection.create({
     name,

server/api/documents.js

@@ -198,12 +198,15 @@ router.post('documents.create', auth(), async ctx => {
   if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)');
 
   const user = ctx.state.user;
+  authorize(user, 'create', Document);
+
   const ownerCollection = await Collection.findOne({
     where: {
       id: collection,
       teamId: user.teamId,
     },
   });
+  authorize(user, 'publish', ownerCollection);
 
   if (!ownerCollection) throw httpErrors.BadRequest();
 

server/policies/collection.js

@@ -8,7 +8,7 @@ allow(User, 'create', Collection);
 
 allow(
   User,
-  ['read', 'update'],
+  ['read', 'publish', 'update'],
   Collection,
   (user, collection) => collection && user.teamId === collection.teamId
 );