From 89f8df619cf2373cbb4b4726b473696fa85efec5 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sun, 13 Jun 2021 14:41:29 -0700
Subject: [PATCH] fix: Remove export permission for read-only users (#2220)
---
 server/api/collections.test.js | 4 ++--
 server/policies/collection.js | 4 ++--
 server/policies/collection.test.js | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/server/api/collections.test.js b/server/api/collections.test.js
index aab3fe442..529661bee 100644
--- a/server/api/collections.test.js
+++ b/server/api/collections.test.js
@@ -284,7 +284,7 @@ describe("#collections.export", () => {
 createdById: user.id,
 collectionId: collection.id,
 userId: user.id,
- permission: "read",
+ permission: "read_write",
 });
 const res = await server.post("/api/collections.export", {
@@ -305,7 +305,7 @@ describe("#collections.export", () => {
 await group.addUser(user, { through: { createdById: user.id } });
 await collection.addGroup(group, {
- through: { permission: "read", createdById: user.id },
+ through: { permission: "read_write", createdById: user.id },
 });
 const res = await server.post("/api/collections.export", {
diff --git a/server/policies/collection.js b/server/policies/collection.js
index 87b1a6231..3f8efc919 100644
--- a/server/policies/collection.js
+++ b/server/policies/collection.js
@@ -25,7 +25,7 @@ allow(User, "move", Collection, (user, collection) => {
 throw new AdminRequiredError();
 });
-allow(User, ["read", "export"], Collection, (user, collection) => {
+allow(User, "read", Collection, (user, collection) => {
 if (!collection || user.teamId !== collection.teamId) return false;
 if (!collection.permission) {
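Review bot: Both hunks in collections.test.js (@@ -284 and @@ -305) upgrade the existing member and group fixtures to `read_write`, so the endpoint tests now only exercise the positive case; nothing visible here asserts that a member whose membership still carries `permission: "read"` is refused by `/api/collections.export`. The policy test in this commit pins the ability flag, but the route is where the policy failure is actually enforced, so a companion case that posts as a `read` member and expects the request to be rejected (with whatever status a failed policy maps to in this server) would pin the fix at the API boundary. Both `describe` blocks continue outside their hunks, so such a case may already exist elsewhere in the file.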
@@ -47,7 +47,7 @@ allow(User, ["read", "export"], Collection, (user, collection) => {
 return true;
 });
-allow(User, "share", Collection, (user, collection) => {
+allow(User, ["share", "export"], Collection, (user, collection) => {
 if (user.isViewer) return false;
 if (!collection || user.teamId !== collection.teamId) return false;
 if (!collection.sharing) return false;
diff --git a/server/policies/collection.test.js b/server/policies/collection.test.js
index 0d85b779d..e746a2aa9 100644
--- a/server/policies/collection.test.js
+++ b/server/policies/collection.test.js
@@ -59,7 +59,7 @@ describe("read permission", () => {
 });
 const abilities = serialize(user, collection);
 expect(abilities.read).toEqual(true);
- expect(abilities.export).toEqual(true);
+ expect(abilities.export).toEqual(false);
 expect(abilities.update).toEqual(false);
 expect(abilities.share).toEqual(false);
 });
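Review bot: Moving `export` onto the share policy couples it to `collection.sharing`: the new `["share", "export"]` callback returns false at `if (!collection.sharing) return false;` three lines below, so a `read_write` member of a collection whose sharing toggle is off loses export even though the commit only intends to remove it from read-only users. If that coupling is unintended, `export` should get its own `allow(User, "export", Collection, ...)` that keeps the `user.isViewer` and team checks but not the `sharing` gate, carrying over whichever membership and permission checks the share callback applies further down. The policy callback continues outside the hunk, so those remaining checks are not visible here and the sketch below marks them as unchanged.
```javascript
allow(User, "share", Collection, (user, collection) => {
  // … unchanged: share checks, including the collection.sharing gate …
});

// Export is gated on team membership and write access, not on whether
// public sharing is enabled for the collection.
allow(User, "export", Collection, (user, collection) => {
  if (user.isViewer) return false;
  if (!collection || user.teamId !== collection.teamId) return false;
  // … same membership/permission checks as the share policy, minus the sharing flag …
});
```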
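Review bot: The flipped assertion `expect(abilities.export).toEqual(false);` pins only the negative case for a `read` member; unless another case in this file covers it, there is no positive assertion that a `read_write` member still receives `export`, nor one for a `read_write` member of a collection with `sharing` disabled, which is the combination most likely to regress now that the ability is evaluated by the share policy. A sibling `it` block building a `read_write` membership and asserting `expect(abilities.export).toEqual(true)` would close that gap. The `describe("read permission")` block continues outside the hunk.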