Add missing authorization on views endpoints

Updated ApiKeys authorization to match elsewhere

server/api/views.js

@@ -1,24 +1,26 @@
 // @flow
 import Router from 'koa-router';
-import httpErrors from 'http-errors';
 import auth from './middlewares/authentication';
 import { presentView } from '../presenters';
 import { View, Document } from '../models';
+import policy from '../policies';
 
+const { authorize } = policy;
 const router = new Router();
 
 router.post('views.list', auth(), async ctx => {
   const { id } = ctx.body;
   ctx.assertPresent(id, 'id is required');
 
+  const user = ctx.state.user;
+  const document = await Document.findById(id);
+  authorize(user, 'read', document);
+
   const views = await View.findAll({
-    where: {
-      documentId: id,
-    },
+    where: { documentId: id },
     order: [['updatedAt', 'DESC']],
   });
 
-  // Collectiones
   let users = [];
   let count = 0;
   await Promise.all(
@@ -42,11 +44,13 @@ router.post('views.create', auth(), async ctx => {
 
   const user = ctx.state.user;
   const document = await Document.findById(id);
-
-  if (!document || document.teamId !== user.teamId)
-    throw httpErrors.BadRequest();
+  authorize(user, 'read', document);
 
   await View.increment({ documentId: document.id, userId: user.id });
+
+  ctx.body = {
+    success: true,
+  };
 });
 
 export default router;