yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Always show share button (#2469)

Browse Source 
This is to enable the share page also for internal team members.

closes #2444
This commit is contained in:
Wesley
2021-08-23 08:20:29 +02:00
committed by GitHub
parent d8ad2fc1a2
commit a50471959b
4 changed files with 48 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server/api/documents.js
View File

@@ -36,7 +36,7 @@ import { sequelize } from "../sequelize";
import pagination from "./middlewares/pagination";
const Op = Sequelize.Op;
const { authorize, cannot } = policy;
const { authorize, cannot, can } = policy;
const router = new Router();
router.post("documents.list", auth(), pagination(), async (ctx) => {
@@ -534,10 +534,20 @@ async function loadDocument({
document = share.document;
}
// "published" === on the public internet. So if the share isn't published
// then we must have permission to read the document
// If the user has access to read the document, we can just update
// the last access date and return the document without additional checks.
const canReadDocument = can(user, "read", document);
if (canReadDocument) {
await share.update({ lastAccessedAt: new Date() });
return { document, share, collection };
}
// "published" === on the public internet.
// We already know that there's either no logged in user or the user doesn't
// have permission to read the document, so we can throw an error.
if (!share.published) {
authorize(user, "read", document);
throw new AuthorizationError();
}
// It is possible to disable sharing at the collection so we must check

21
server/api/documents.test.js
View File

@@ -235,6 +235,27 @@ describe("#documents.info", () => {
expect(res.status).toEqual(403);
});
it("should return document from shareId if public sharing is disabled but the user has permission to read", async () => {
const { document, collection, team, user } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
});
team.sharing = false;
await team.save();
collection.sharing = false;
await collection.save();
const res = await server.post("/api/documents.info", {
body: { token: user.getJwtToken(), shareId: share.id },
});
expect(res.status).toEqual(200);
});
it("should not return document from revoked shareId", async () => {
const { document, user } = await seed();
const share = await buildShare({