fix: Open permissions for guests that have collection manage permission (#7075)
* fix: Opens up permissions for guests that have collection manage permission * tsc * tests
@@ -316,7 +316,8 @@ describe("archived document", () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
describe("read document", () => {
|
describe("read document", () => {
|
||||||
it("should allow read permissions for team member", async () => {
|
for (const role of Object.values(UserRole)) {
|
||||||
|
it(`should allow read permissions for ${role}`, async () => {
|
||||||
const team = await buildTeam();
|
const team = await buildTeam();
|
||||||
const user = await buildUser({ teamId: team.id });
|
const user = await buildUser({ teamId: team.id });
|
||||||
const collection = await buildCollection({
|
const collection = await buildCollection({
|
||||||
@@ -350,12 +351,14 @@ describe("read document", () => {
|
|||||||
expect(abilities.share).toEqual(false);
|
expect(abilities.share).toEqual(false);
|
||||||
expect(abilities.move).toEqual(false);
|
expect(abilities.move).toEqual(false);
|
||||||
});
|
});
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("read_write document", () => {
|
describe("read_write document", () => {
|
||||||
it("should allow write permissions for team member", async () => {
|
for (const role of Object.values(UserRole)) {
|
||||||
|
it(`should allow write permissions for ${role}`, async () => {
|
||||||
const team = await buildTeam();
|
const team = await buildTeam();
|
||||||
const user = await buildUser({ teamId: team.id });
|
const user = await buildUser({ teamId: team.id, role });
|
||||||
const collection = await buildCollection({
|
const collection = await buildCollection({
|
||||||
teamId: team.id,
|
teamId: team.id,
|
||||||
permission: null,
|
permission: null,
|
||||||
@@ -387,12 +390,17 @@ describe("read_write document", () => {
|
|||||||
expect(abilities.share).toEqual(false);
|
expect(abilities.share).toEqual(false);
|
||||||
expect(abilities.move).toEqual(false);
|
expect(abilities.move).toEqual(false);
|
||||||
});
|
});
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("manage document", () => {
|
describe("manage document", () => {
|
||||||
it("should allow write permissions, user management, and sub-document creation", async () => {
|
for (const role of Object.values(UserRole)) {
|
||||||
|
it(`should allow write permissions, user management, and sub-document creation for ${role}`, async () => {
|
||||||
const team = await buildTeam();
|
const team = await buildTeam();
|
||||||
const user = await buildUser({ teamId: team.id });
|
const user = await buildUser({
|
||||||
|
teamId: team.id,
|
||||||
|
role,
|
||||||
|
});
|
||||||
const collection = await buildCollection({
|
const collection = await buildCollection({
|
||||||
teamId: team.id,
|
teamId: team.id,
|
||||||
permission: null,
|
permission: null,
|
||||||
@@ -421,7 +429,8 @@ describe("manage document", () => {
|
|||||||
expect(abilities.createChildDocument).toEqual(true);
|
expect(abilities.createChildDocument).toEqual(true);
|
||||||
expect(abilities.manageUsers).toEqual(true);
|
expect(abilities.manageUsers).toEqual(true);
|
||||||
expect(abilities.archive).toEqual(true);
|
expect(abilities.archive).toEqual(true);
|
||||||
expect(abilities.move).toEqual(true);
|
expect(abilities.move).toEqual(false);
|
||||||
expect(abilities.share).toEqual(false);
|
expect(abilities.share).toEqual(false);
|
||||||
});
|
});
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|||||||
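Review bot: In the "read document" loop the user is still built with `buildUser({ teamId: team.id })` (first hunk, new side), so every iteration exercises the default role even though the test title now says `${role}`; the guest case, the one this commit changes, is never actually asserted in that block. Pass the loop variable as the read_write and manage blocks already do: `const user = await buildUser({ teamId: team.id, role });`. The body of each `it` continues outside the hunk, so the assertions it reaches are not visible here, but the role is fixed by this line regardless.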
@@ -35,10 +35,9 @@ allow(User, "read", Document, (actor, document) =>
|
|||||||
);
|
);
|
||||||
|
|
||||||
allow(User, ["listRevisions", "listViews"], Document, (actor, document) =>
|
allow(User, ["listRevisions", "listViews"], Document, (actor, document) =>
|
||||||
and(
|
or(
|
||||||
//
|
and(can(actor, "read", document), !actor.isGuest),
|
||||||
can(actor, "read", document),
|
and(can(actor, "update", document), actor.isGuest)
|
||||||
!actor.isGuest
|
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -83,7 +82,6 @@ allow(User, "share", Document, (actor, document) =>
|
|||||||
isTeamMutable(actor),
|
isTeamMutable(actor),
|
||||||
!!document?.isActive,
|
!!document?.isActive,
|
||||||
!document?.template,
|
!document?.template,
|
||||||
!actor.isGuest,
|
|
||||||
or(!document?.collection, can(actor, "share", document?.collection))
|
or(!document?.collection, can(actor, "share", document?.collection))
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
@@ -114,12 +112,21 @@ allow(User, "publish", Document, (actor, document) =>
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
allow(User, ["move", "duplicate", "manageUsers"], Document, (actor, document) =>
|
allow(User, ["manageUsers", "duplicate"], Document, (actor, document) =>
|
||||||
and(
|
and(
|
||||||
!actor.isGuest,
|
|
||||||
can(actor, "update", document),
|
can(actor, "update", document),
|
||||||
or(
|
or(
|
||||||
includesMembership(document, [DocumentPermission.Admin]),
|
includesMembership(document, [DocumentPermission.Admin]),
|
||||||
|
can(actor, "updateDocument", document?.collection),
|
||||||
|
!!document?.isDraft && actor.id === document?.createdById
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
allow(User, "move", Document, (actor, document) =>
|
||||||
|
and(
|
||||||
|
can(actor, "update", document),
|
||||||
|
or(
|
||||||
can(actor, "updateDocument", document?.collection),
|
can(actor, "updateDocument", document?.collection),
|
||||||
and(!!document?.isDraft && actor.id === document?.createdById)
|
and(!!document?.isDraft && actor.id === document?.createdById)
|
||||||
)
|
)
|
||||||
@@ -134,8 +141,7 @@ allow(User, "createChildDocument", Document, (actor, document) =>
|
|||||||
can(actor, "read", document?.collection)
|
can(actor, "read", document?.collection)
|
||||||
),
|
),
|
||||||
!document?.isDraft,
|
!document?.isDraft,
|
||||||
!document?.template,
|
!document?.template
|
||||||
!actor.isGuest
|
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -164,7 +170,6 @@ allow(User, "delete", Document, (actor, document) =>
|
|||||||
and(
|
and(
|
||||||
isTeamModel(actor, document),
|
isTeamModel(actor, document),
|
||||||
isTeamMutable(actor),
|
isTeamMutable(actor),
|
||||||
!actor.isGuest,
|
|
||||||
!document?.isDeleted,
|
!document?.isDeleted,
|
||||||
or(
|
or(
|
||||||
can(actor, "unarchive", document),
|
can(actor, "unarchive", document),
|
||||||
@@ -193,7 +198,6 @@ allow(User, ["restore", "permanentDelete"], Document, (actor, document) =>
|
|||||||
|
|
||||||
allow(User, "archive", Document, (actor, document) =>
|
allow(User, "archive", Document, (actor, document) =>
|
||||||
and(
|
and(
|
||||||
!actor.isGuest,
|
|
||||||
!document?.template,
|
!document?.template,
|
||||||
!document?.isDraft,
|
!document?.isDraft,
|
||||||
!!document?.isActive,
|
!!document?.isActive,
|
||||||
@@ -207,7 +211,6 @@ allow(User, "archive", Document, (actor, document) =>
|
|||||||
|
|
||||||
allow(User, "unarchive", Document, (actor, document) =>
|
allow(User, "unarchive", Document, (actor, document) =>
|
||||||
and(
|
and(
|
||||||
!actor.isGuest,
|
|
||||||
!document?.template,
|
!document?.template,
|
||||||
!document?.isDraft,
|
!document?.isDraft,
|
||||||
!document?.isDeleted,
|
!document?.isDeleted,
|
||||||
|
|||||||
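Review bot: Removing `!actor.isGuest` from `share` leaves `or(!document?.collection, can(actor, "share", document?.collection))` as the only guest-relevant gate, and its first alternative is satisfied by any document without a collection, so, unless a line above `isTeamMutable(actor)` (outside the hunk) already requires document membership, a guest in the team could share an uncollected document with no collection-level check at all. If documents can exist without a collection, consider `or(and(!document?.collection, !actor.isGuest), can(actor, "share", document?.collection))` or at least a test for a guest on such a document. The same removal in `delete`, `archive`, `unarchive` and `createChildDocument` delegates the guest decision to conditions that continue past their hunks, and the test hunks only cover guests who hold a document membership; a per-ability test for a guest without membership would pin the new boundary. Separately, `and(!!document?.isDraft && actor.id === document?.createdById)` in the new `move` rule wraps a single boolean and can be written as the bare expression, as the sibling `manageUsers` rule now does.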