fix: Allow deleting attachments not linked to documents when owned by user

closes #1729
2020-12-20 11:39:09 -08:00
parent 117d278d16
commit decbe4f643
4 changed files with 93 additions and 6 deletions
--- a/server/policies/attachment.js
+++ b/server/policies/attachment.js
@@ -0,0 +1,14 @@
+// @flow
+import { Attachment, User } from "../models";
+import policy from "./policy";
+
+const { allow } = policy;
+
+allow(User, "create", Attachment);
+
+allow(User, "delete", Attachment, (actor, attachment) => {
+  if (!attachment || attachment.teamId !== actor.teamId) return false;
+  if (actor.isAdmin) return true;
+  if (actor.id === attachment.userId) return true;
+  return false;
+});
--- a/server/policies/index.js
+++ b/server/policies/index.js
@@ -1,7 +1,8 @@
 // @flow
-import { Team, User, Collection, Document, Group } from "../models";
+import { Attachment, Team, User, Collection, Document, Group } from "../models";
 import policy from "./policy";
 import "./apiKey";
+import "./attachment";
 import "./collection";
 import "./document";
 import "./integration";
@@ -24,7 +25,7 @@ type Policy = {
 */
 export function serialize(
  model: User,
-  target: Team | Collection | Document | Group
+  target: Attachment | Team | Collection | Document | Group
 ): Policy {
  let output = {};