Policies refactor, guest roles (#6732)

server/routes/api/documents/documents.test.ts

@@ -2564,30 +2564,6 @@ describe("#documents.restore", () => {
     expect(body.data.archivedAt).toEqual(null);
   });
 
-  it("should not add restored templates to collection structure", async () => {
-    const user = await buildUser();
-    const collection = await buildCollection({
-      teamId: user.teamId,
-    });
-    const template = await buildDocument({
-      teamId: user.teamId,
-      collectionId: collection.id,
-      template: true,
-    });
-    await template.archive(user.id);
-    const res = await server.post("/api/documents.restore", {
-      body: {
-        token: user.getJwtToken(),
-        id: template.id,
-      },
-    });
-    const body = await res.json();
-    expect(res.status).toEqual(200);
-    expect(body.data.archivedAt).toEqual(null);
-    await collection.reload();
-    expect(collection.documentStructure).toEqual(null);
-  });
-
   it("should restore archived when previous parent is archived", async () => {
     const user = await buildUser();
     const document = await buildDocument({

server/routes/api/groups/__snapshots__/groups.test.ts.snap

@@ -2,8 +2,8 @@
 
 exports[`#groups.add_user should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }
@@ -56,8 +56,8 @@ exports[`#groups.memberships should require authentication 1`] = `
 
 exports[`#groups.remove_user should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }

server/routes/api/groups/groups.ts

@@ -27,6 +27,7 @@ router.post(
   async (ctx: APIContext<T.GroupsListReq>) => {
     const { direction, sort, userId, name } = ctx.input.body;
     const { user } = ctx.state.auth;
+    authorize(user, "listGroups", user.team);
 
     let where: WhereOptions<Group> = {
       teamId: user.teamId,

server/routes/api/revisions/revisions.ts

@@ -32,14 +32,14 @@ router.post(
       const document = await Document.findByPk(revision.documentId, {
         userId: user.id,
       });
-      authorize(user, "read", document);
+      authorize(user, "listRevisions", document);
       after = revision;
       before = await revision.before();
     } else if (documentId) {
       const document = await Document.findByPk(documentId, {
         userId: user.id,
       });
-      authorize(user, "read", document);
+      authorize(user, "listRevisions", document);
       after = Revision.buildFromDocument(document);
       after.id = RevisionHelper.latestId(document.id);
       after.user = document.updatedBy;
@@ -75,7 +75,7 @@ router.post(
     const document = await Document.findByPk(revision.documentId, {
       userId: user.id,
     });
-    authorize(user, "read", document);
+    authorize(user, "listRevisions", document);
 
     let before;
     if (compareToId) {
@@ -126,7 +126,7 @@ router.post(
     const document = await Document.findByPk(documentId, {
       userId: user.id,
     });
-    authorize(user, "read", document);
+    authorize(user, "listRevisions", document);
 
     const revisions = await Revision.findAll({
       where: {

server/routes/api/shares/shares.ts

@@ -99,6 +99,8 @@ router.post(
   async (ctx: APIContext<T.SharesListReq>) => {
     const { sort, direction } = ctx.input.body;
     const { user } = ctx.state.auth;
+    authorize(user, "listShares", user.team);
+
     const where: WhereOptions<Share> = {
       teamId: user.teamId,
       userId: user.id,
@@ -169,6 +171,8 @@ router.post(
     const { documentId, published, urlId, includeChildDocuments } =
       ctx.input.body;
     const { user } = ctx.state.auth;
+    authorize(user, "createShare", user.team);
+
     const document = await Document.findByPk(documentId, {
       userId: user.id,
     });

server/routes/api/users/__snapshots__/users.test.ts.snap

@@ -2,8 +2,8 @@
 
 exports[`#users.activate should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }
@@ -29,8 +29,8 @@ exports[`#users.demote should not allow demoting self 1`] = `
 
 exports[`#users.demote should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }
@@ -38,8 +38,8 @@ exports[`#users.demote should require admin 1`] = `
 
 exports[`#users.promote should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }
@@ -56,8 +56,8 @@ exports[`#users.suspend should not allow suspending the user themselves 1`] = `
 
 exports[`#users.suspend should require admin 1`] = `
 {
-  "error": "admin_required",
-  "message": "An admin role is required to access this resource",
+  "error": "authorization_error",
+  "message": "Authorization error",
   "ok": false,
   "status": 403,
 }

server/routes/api/users/users.test.ts

@@ -182,7 +182,7 @@ describe("#users.list", () => {
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(2);
     expect(body.data[0].email).toEqual(undefined);
-    expect(body.data[1].email).toEqual(undefined);
+    expect(body.data[1].email).toEqual(user.email);
   });
 });
 

server/routes/api/views/views.ts

@@ -23,7 +23,7 @@ router.post(
     const document = await Document.findByPk(documentId, {
       userId: user.id,
     });
-    authorize(user, "read", document);
+    authorize(user, "listViews", document);
 
     if (!document.insightsEnabled) {
       throw ValidationError("Insights are not enabled for this document");