Collection Permissions (#829)

see https://github.com/outline/outline/issues/668
2019-01-05 13:37:33 -08:00
parent 8978915423
commit 8c02b0028c
53 changed files with 1379 additions and 214 deletions
--- a/server/policies/collection.js
+++ b/server/policies/collection.js
@@ -1,5 +1,6 @@
 // @flow
 import policy from './policy';
+import { map } from 'lodash';
 import { Collection, User } from '../models';
 import { AdminRequiredError } from '../errors';

@@ -11,12 +12,27 @@ allow(
  User,
  ['read', 'publish', 'update', 'export'],
  Collection,
-  (user, collection) => collection && user.teamId === collection.teamId
+  (user, collection) => {
+    if (!collection || user.teamId !== collection.teamId) return false;
+
+    if (
+      collection.private &&
+      !map(collection.users, u => u.id).includes(user.id)
+    )
+      return false;
+
+    return true;
+  }
 );

 allow(User, 'delete', Collection, (user, collection) => {
  if (!collection || user.teamId !== collection.teamId) return false;
-  if (user.id === collection.creatorId) return true;
+
+  if (collection.private && !map(collection.users, u => u.id).includes(user.id))
+    return false;
+
  if (user.isAdmin) return true;
+  if (user.id === collection.creatorId) return true;
+
  throw new AdminRequiredError();
 });
--- a/server/policies/document.js
+++ b/server/policies/document.js
@@ -2,7 +2,7 @@
 import policy from './policy';
 import { Document, Revision, User } from '../models';

-const { allow } = policy;
+const { allow, authorize } = policy;

 allow(User, 'create', Document);

@@ -10,7 +10,13 @@ allow(
  User,
  ['read', 'update', 'delete', 'share'],
  Document,
-  (user, document) => user.teamId === document.teamId
+  (user, document) => {
+    if (document.collection) {
+      authorize(user, 'read', document.collection);
+    }
+
+    return user.teamId === document.teamId;
+  }
 );

 allow(