From 6d408a991fa53a6569dc0c5cab14a2bcf6e421d3 Mon Sep 17 00:00:00 2001
From: Alexandru Munteanu <alexandru.munt@gmail.com>
Date: Tue, 19 Jun 2018 08:56:36 +0300
Subject: [PATCH] latest changes

---
 .../xpub-faraday/config/authsome-helpers.js   |   4 +
 packages/xpub-faraday/config/authsome-mode.js | 108 ++++++++++++++++--
 2 files changed, 102 insertions(+), 10 deletions(-)

diff --git a/packages/xpub-faraday/config/authsome-helpers.js b/packages/xpub-faraday/config/authsome-helpers.js
index cdd620a0d..f2cb6e483 100644
--- a/packages/xpub-faraday/config/authsome-helpers.js
+++ b/packages/xpub-faraday/config/authsome-helpers.js
@@ -80,6 +80,9 @@ const heIsInvitedToFragment = async ({ user, Team, collectionId }) =>
     t => t.members.includes(user.id) && t.object.id === collectionId,
   )
 
+const getUserPermissions = async ({ user, Team, mapFn = x => x }) =>
+  (await Promise.all(user.teams.map(teamId => Team.find(teamId)))).map(mapFn)
+
 module.exports = {
   filterObjectData,
   parseAuthorsData,
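Review bot: `Promise.all` in `getUserPermissions` rejects as soon as one `Team.find(teamId)` fails, so a single stale id in `user.teams` would turn every authorization check that goes through this helper into an error instead of a decision; whether `Team.find` throws for a missing team is not visible in this hunk. `user.teams` is also dereferenced without a default, so a user record without a `teams` field throws a TypeError here; `(user.teams || []).map(teamId => Team.find(teamId))` avoids that. The function returns the user's team records passed through `mapFn`, not permission strings, and a one-line comment saying so would keep callers from misreading the name.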
@@ -87,5 +90,6 @@ module.exports = {
   getTeamsByPermissions,
   filterRefusedInvitations,
   //
+  getUserPermissions,
   heIsInvitedToFragment,
 }
diff --git a/packages/xpub-faraday/config/authsome-mode.js b/packages/xpub-faraday/config/authsome-mode.js
index 8a3475b04..7d779340c 100644
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -1,8 +1,10 @@
-const get = require('lodash/get')
-const pickBy = require('lodash/pickBy')
-const omit = require('lodash/omit')
+const { get, pickBy, omit } = require('lodash')
+const config = require('config')
+
 const helpers = require('./authsome-helpers')
 
+const statuses = config.get('statuses')
+
 async function teamPermissions(user, operation, object, context) {
   const { models } = context
   const permissions = ['handlingEditor', 'author', 'reviewer']
@@ -111,6 +113,8 @@ function unauthenticatedUser(operation, object) {
   return false
 }
 
+const publicStatusesPermissions = ['author', 'reviewer']
+
 async function authenticatedUser(user, operation, object, context) {
   // Allow the authenticated user to POST a collection (but not with a 'filtered' property)
   if (operation === 'POST' && object.path === '/collections') {
@@ -119,13 +123,97 @@ async function authenticatedUser(user, operation, object, context) {
     }
   }
 
-  // get fragments for invited reviewers
-  if (
-    operation === 'GET' &&
-    get(object, 'type') === 'fragment' &&
-    get(object, 'invitations').some(i => i.userId === user.id)
-  ) {
-    return true
+  if (operation === 'GET') {
+    if (get(object, 'path') === '/collections') {
+      return {
+        filter: async collections => {
+          const userPermissions = await helpers.getUserPermissions({
+            user,
+            Team: context.models.Team,
+            mapFn: t => ({
+              objectId: t.object.id,
+              objectType: t.object.type,
+              permissions: t.teamType.permissions,
+            }),
+          })
+          return collections.filter(collection => {
+            if (collection.owners.includes(user.id)) {
+              return true
+            }
+            const collectionPermission = userPermissions.find(
+              p => p.objectId === collection.id,
+            )
+            if (collectionPermission) {
+              return true
+            }
+
+            const fragmentPermission = userPermissions.find(p =>
+              collection.fragments.includes(p.objectId),
+            )
+            if (fragmentPermission) {
+              return true
+            }
+            return false
+          })
+        },
+      }
+    }
+
+    if (get(object, 'type') === 'collection') {
+      return {
+        filter: async collection => {
+          const status = get(collection, 'status') || 'draft'
+          const userPermissions = await helpers.getUserPermissions({
+            user,
+            Team: context.models.Team,
+            mapFn: t => ({
+              objectId: t.object.id,
+              objectType: t.object.type,
+              permissions: t.teamType.permissions,
+            }),
+          })
+          if (collection.owners.map(o => o.id).includes(user.id)) {
+            return collection
+          }
+
+          const collectionPermission = userPermissions.find(
+            p => p.objectId === collection.id,
+          )
+          if (publicStatusesPermissions.includes(get(collectionPermission))) {
+            collection.visibleStatus = statuses[status].public
+          }
+          return collection
+        },
+      }
+    }
+
+    if (get(object, 'type') === 'fragment') {
+      const userPermissions = await helpers.getUserPermissions({
+        user,
+        Team: context.models.Team,
+        mapFn: t => ({
+          objectId: t.object.id,
+          objectType: t.object.type,
+          permissions: t.teamType.permissions,
+        }),
+      })
+
+      const permission = userPermissions.find(
+        p => p.objectId === object.id || p.objectId === object.collectionId,
+      )
+
+      if (!permission) return false
+
+      return {
+        filter: fragment => {
+          if (permission.permissions === 'reviewer') {
+            fragment.files = omit(fragment.files, ['coverLetter'])
+            fragment.authors = fragment.authors.map(a => omit(a, ['email']))
+          }
+          return fragment
+        },
+      }
+    }
   }
 
   // TODO: in the future give him the non draft version of the fragment
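Review bot: In the `type === 'collection'` filter, `get(collectionPermission)` is called without a path and so evaluates to undefined, which means `publicStatusesPermissions.includes(...)` is always false and `visibleStatus` is never set to the public status for authors and reviewers. The check should read the permission field, `if (collectionPermission && publicStatusesPermissions.includes(collectionPermission.permissions)) {`. The same filter returns the collection on every path, including when the user is neither an owner nor on any team for it, so a single-collection GET is not restricted the way the `/collections` list filter is; if that is not intended, refuse before returning the filter, as the fragment branch does with `if (!permission) return false`. The owner test also differs between the two filters (`collection.owners.includes(user.id)` in the list, `collection.owners.map(o => o.id).includes(user.id)` here), and only one of them can match a given shape of `owners`, so that is worth confirming against the model. `authenticatedUser` starts above this hunk and continues below it.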
-- 
GitLab