latest changes

6d408a99 · Alexandru Munteanu · 64d39c14 · 6d408a99 · 6d408a99
Commit 6d408a99 authored 6 years ago by Alexandru Munteanu
--- a/packages/xpub-faraday/config/authsome-helpers.js
+++ b/packages/xpub-faraday/config/authsome-helpers.js
@@ -80,6 +80,9 @@ const heIsInvitedToFragment = async ({ user, Team, collectionId }) =>
    t => t.members.includes(user.id) && t.object.id === collectionId,
  )

+const getUserPermissions = async ({ user, Team, mapFn = x => x }) =>
+  (await Promise.all(user.teams.map(teamId => Team.find(teamId)))).map(mapFn)
+
 module.exports = {
  filterObjectData,
  parseAuthorsData,
@@ -87,5 +90,6 @@ module.exports = {
  getTeamsByPermissions,
  filterRefusedInvitations,
  //
+  getUserPermissions,
  heIsInvitedToFragment,
 }
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
-const get = require('lodash/get')
-const pickBy = require('lodash/pickBy')
-const omit = require('lodash/omit')
+const { get, pickBy, omit } = require('lodash')
+const config = require('config')
+
 const helpers = require('./authsome-helpers')

+const statuses = config.get('statuses')
+
 async function teamPermissions(user, operation, object, context) {
  const { models } = context
  const permissions = ['handlingEditor', 'author', 'reviewer']
@@ -111,6 +113,8 @@ function unauthenticatedUser(operation, object) {
  return false
 }

+const publicStatusesPermissions = ['author', 'reviewer']
+
 async function authenticatedUser(user, operation, object, context) {
  // Allow the authenticated user to POST a collection (but not with a 'filtered' property)
  if (operation === 'POST' && object.path === '/collections') {
@@ -119,13 +123,97 @@ async function authenticatedUser(user, operation, object, context) {
    }
  }

-  // get fragments for invited reviewers
-  if (
-    operation === 'GET' &&
-    get(object, 'type') === 'fragment' &&
-    get(object, 'invitations').some(i => i.userId === user.id)
-  ) {
-    return true
+  if (operation === 'GET') {
+    if (get(object, 'path') === '/collections') {
+      return {
+        filter: async collections => {
+          const userPermissions = await helpers.getUserPermissions({
+            user,
+            Team: context.models.Team,
+            mapFn: t => ({
+              objectId: t.object.id,
+              objectType: t.object.type,
+              permissions: t.teamType.permissions,
+            }),
+          })
+          return collections.filter(collection => {
+            if (collection.owners.includes(user.id)) {
+              return true
+            }
+            const collectionPermission = userPermissions.find(
+              p => p.objectId === collection.id,
+            )
+            if (collectionPermission) {
+              return true
+            }
+
+            const fragmentPermission = userPermissions.find(p =>
+              collection.fragments.includes(p.objectId),
+            )
+            if (fragmentPermission) {
+              return true
+            }
+            return false
+          })
+        },
+      }
+    }
+
+    if (get(object, 'type') === 'collection') {
+      return {
+        filter: async collection => {
+          const status = get(collection, 'status') || 'draft'
+          const userPermissions = await helpers.getUserPermissions({
+            user,
+            Team: context.models.Team,
+            mapFn: t => ({
+              objectId: t.object.id,
+              objectType: t.object.type,
+              permissions: t.teamType.permissions,
+            }),
+          })
+          if (collection.owners.map(o => o.id).includes(user.id)) {
+            return collection
+          }
+
+          const collectionPermission = userPermissions.find(
+            p => p.objectId === collection.id,
+          )
+          if (publicStatusesPermissions.includes(get(collectionPermission))) {
+            collection.visibleStatus = statuses[status].public
+          }
+          return collection
+        },
+      }
+    }
+
+    if (get(object, 'type') === 'fragment') {
+      const userPermissions = await helpers.getUserPermissions({
+        user,
+        Team: context.models.Team,
+        mapFn: t => ({
+          objectId: t.object.id,
+          objectType: t.object.type,
+          permissions: t.teamType.permissions,
+        }),
+      })
+
+      const permission = userPermissions.find(
+        p => p.objectId === object.id || p.objectId === object.collectionId,
+      )
+
+      if (!permission) return false
+
+      return {
+        filter: fragment => {
+          if (permission.permissions === 'reviewer') {
+            fragment.files = omit(fragment.files, ['coverLetter'])
+            fragment.authors = fragment.authors.map(a => omit(a, ['email']))
+          }
+          return fragment
+        },
+      }
+    }
  }

  // TODO: in the future give him the non draft version of the fragment