From 7a0aa0ecf871eb89648727613534565fb4db59d3 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sun, 18 Feb 2018 11:08:43 -0800
Subject: [PATCH] Add additional future-proofing auth checks for creation

---
 server/api/collections.js | 1 +
 server/api/documents.js | 3 +++
 server/policies/collection.js | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/server/api/collections.js b/server/api/collections.js
index d7a203f82..44b2add50 100644
--- a/server/api/collections.js
+++ b/server/api/collections.js
@@ -18,6 +18,7 @@ router.post('collections.create', auth(), async ctx => {
   ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');
 
   const user = ctx.state.user;
+  authorize(user, 'create', Collection);
 
   const collection = await Collection.create({
     name,
diff --git a/server/api/documents.js b/server/api/documents.js
index 58939d9c3..219a783da 100644
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -198,12 +198,15 @@ router.post('documents.create', auth(), async ctx => {
   if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)');
 
   const user = ctx.state.user;
+  authorize(user, 'create', Document);
+
   const ownerCollection = await Collection.findOne({
     where: {
       id: collection,
       teamId: user.teamId,
     },
   });
+  authorize(user, 'publish', ownerCollection);
 
   if (!ownerCollection) throw httpErrors.BadRequest();
 
diff --git a/server/policies/collection.js b/server/policies/collection.js
index ffc9a4226..5bdb091a0 100644
--- a/server/policies/collection.js
+++ b/server/policies/collection.js
@@ -8,7 +8,7 @@ allow(User, 'create', Collection);
 
 allow(
   User,
-  ['read', 'update'],
+  ['read', 'publish', 'update'],
   Collection,
   (user, collection) => collection && user.teamId === collection.teamId
 );
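Review bot: `authorize(user, 'publish', ownerCollection);` is placed before the existing `if (!ownerCollection) throw httpErrors.BadRequest();` guard, so when the lookup returns null the policy predicate `collection && …` is falsy and authorize rejects first, leaving the BadRequest branch unreachable and changing the response for an unknown (or other-team) collection id from 400 to whatever authorize throws. Swap the two so the guard runs first: `if (!ownerCollection) throw httpErrors.BadRequest();` followed by `authorize(user, 'publish', ownerCollection);`. Because the `findOne` already filters on `teamId: user.teamId`, the publish check is defence-in-depth rather than the primary control; a comment such as `// defence-in-depth: the teamId filter above already scopes the lookup` would stop a later edit from dropping the filter on the assumption that the policy alone covers it. The `authorize` and `Document` imports are not visible in this hunk, so confirm both are in scope in documents.js. The documents.create handler continues outside the hunk.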
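Review bot: The new `'publish'` action on Collection is granted by the same team-membership predicate as read/update, but nothing in the policy file says what it covers, and its only caller is in a different file. A comment above the `allow(` call, e.g. `// 'publish': create or publish a document into this collection (used by documents.create)`, would tie the verb to its meaning. It is also worth noting explicitly that the predicate's `collection &&` yields a falsy value for a missing collection, which presumably denies, since the documents.create check relies on that behaviour when passed a null lookup result. The rest of the policy definitions sit outside the hunk.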