yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
main
outline/server/policies/collection.ts
Tom Moor 29a653aaeb fix: Admins cannot query permissions on private collections (#7145) 
* fix: Admins have permission to see existence of all collections (in settings)

* fix: Current user filtered from suggestions. As an admin managing other collections this is limiting

* test
2024-06-25 05:28:32 -07:00

168 lines
3.5 KiB
TypeScript
Raw Permalink Blame History

import invariant from "invariant";
import some from "lodash/some";
import { CollectionPermission, DocumentPermission } from "@shared/types";
import { Collection, User, Team } from "@server/models";
import { allow, _can as can } from "./cancan";
import { and, isTeamAdmin, isTeamModel, isTeamMutable, or } from "./utils";
allow(User, "createCollection", Team, (actor, team) =>
and(
isTeamModel(actor, team),
isTeamMutable(actor),
!actor.isGuest,
!actor.isViewer,
or(actor.isAdmin, !!team?.memberCollectionCreate)
)
);
allow(User, "importCollection", Team, (actor, team) =>
and(
//
isTeamAdmin(actor, team),
isTeamMutable(actor)
)
);
allow(User, "move", Collection, (actor, collection) =>
and(
//
isTeamAdmin(actor, collection),
isTeamMutable(actor),
!collection?.deletedAt
)
);
allow(User, "read", Collection, (user, collection) => {
if (!collection || user.teamId !== collection.teamId) {
return false;
}
if (user.isAdmin) {
return true;
}
if (collection.isPrivate || user.isGuest) {
return includesMembership(collection, Object.values(CollectionPermission));
}
return true;
});
allow(
User,
["readDocument", "star", "unstar"],
Collection,
(user, collection) => {
if (!collection || user.teamId !== collection.teamId) {
return false;
}
if (collection.isPrivate || user.isGuest) {
return includesMembership(
collection,
Object.values(CollectionPermission)
);
}
return true;
}
);
allow(User, "export", Collection, (actor, collection) =>
and(
//
can(actor, "read", collection),
!actor.isViewer,
!actor.isGuest
)
);
allow(User, "share", Collection, (user, collection) => {
if (
!collection ||
user.isGuest ||
user.teamId !== collection.teamId ||
!isTeamMutable(user)
) {
return false;
}
if (!collection.sharing) {
return false;
}
if (!collection.isPrivate && user.isAdmin) {
return true;
}
if (
collection.permission !== CollectionPermission.ReadWrite ||
user.isViewer
) {
return includesMembership(collection, [
CollectionPermission.ReadWrite,
CollectionPermission.Admin,
]);
}
return true;
});
allow(
User,
["updateDocument", "createDocument", "deleteDocument"],
Collection,
(user, collection) => {
if (
!collection ||
user.teamId !== collection.teamId ||
!isTeamMutable(user)
) {
return false;
}
if (!collection.isPrivate && user.isAdmin) {
return true;
}
if (
collection.permission !== CollectionPermission.ReadWrite ||
user.isViewer ||
user.isGuest
) {
return includesMembership(collection, [
CollectionPermission.ReadWrite,
CollectionPermission.Admin,
]);
}
return true;
}
);
allow(User, ["update", "delete"], Collection, (user, collection) => {
if (!collection || user.isGuest || user.teamId !== collection.teamId) {
return false;
}
if (user.isAdmin) {
return true;
}
return includesMembership(collection, [CollectionPermission.Admin]);
});
function includesMembership(
collection: Collection | null,
permissions: (CollectionPermission | DocumentPermission)[]
) {
if (!collection) {
return false;
}
invariant(
collection.memberships,
"Development: collection memberships not preloaded, did you forget `withMembership` scope?"
);
return some(
[...collection.memberships, ...collection.collectionGroupMemberships],
(m) => permissions.includes(m.permission)
);
}
Reference in New Issue View Git Blame Copy Permalink