From 70e1d1e223bd0bd816965c66e49c0c0cb3ea059b Mon Sep 17 00:00:00 2001
From: Sebastian Mihalache <sebastian.mihalache@gmail.con>
Date: Tue, 29 May 2018 14:05:18 +0300
Subject: [PATCH] fix author access

---
 .../xpub-faraday/config/authsome-helpers.js   |  7 +---
 packages/xpub-faraday/config/authsome-mode.js | 40 +++++++++----------
 2 files changed, 19 insertions(+), 28 deletions(-)

diff --git a/packages/xpub-faraday/config/authsome-helpers.js b/packages/xpub-faraday/config/authsome-helpers.js
index 3604124b1..1b7642bfc 100644
--- a/packages/xpub-faraday/config/authsome-helpers.js
+++ b/packages/xpub-faraday/config/authsome-helpers.js
@@ -60,12 +60,7 @@ const filterObjectData = (
   return object
 }
 
-const getTeamsByPermissions = async (
-  teamIds = [],
-  permissions,
-  TeamModel,
-  object,
-) => {
+const getTeamsByPermissions = async (teamIds = [], permissions, TeamModel) => {
   const teams = await Promise.all(
     teamIds.map(async teamId => {
       const team = await TeamModel.find(teamId)
diff --git a/packages/xpub-faraday/config/authsome-mode.js b/packages/xpub-faraday/config/authsome-mode.js
index df0eb9dcc..826a9b3b2 100644
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -9,7 +9,6 @@ async function teamPermissions(user, operation, object, context) {
     user.teams,
     permissions,
     context.models.Team,
-    object,
   )
 
   let collectionsPermissions = await Promise.all(
@@ -20,8 +19,12 @@ async function teamPermissions(user, operation, object, context) {
         permission: team.teamType.permissions,
       }
       const objectType = get(object, 'type')
-      if (objectType === 'fragment' && collection.fragments.includes(object.id))
-        collPerm.fragmentId = object.id
+      if (objectType === 'fragment') {
+        if (collection.fragments.includes(object.id))
+          collPerm.fragmentId = object.id
+        else return null
+      }
+
       if (objectType === 'collection')
         if (object.id !== collection.id) return null
       return collPerm
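Review bot: The new fragment branch pairs a braced `if (objectType === 'fragment') {` with a brace-less `else return null`, and the `collection` check below it is a brace-less nested `if`; both read more clearly as guard clauses, e.g. `if (objectType === 'fragment') { if (!collection.fragments.includes(object.id)) return null; collPerm.fragmentId = object.id }`. The check also assumes `collection.fragments` is always an array — if the model can leave it unset, the lookup throws instead of denying, and `get(collection, 'fragments', [])` (lodash `get` is already used on the `objectType` line) would make the denial explicit. The enclosing `teamPermissions` starts and ends outside this hunk, so I cannot see whether a `null` result is filtered out by the caller.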
@@ -111,13 +114,6 @@ async function authenticatedUser(user, operation, object, context) {
     return true
   }
 
-  // Allow the authenticated user to GET collections they own
-  if (operation === 'GET' && object === '/collections/') {
-    return {
-      filter: collection => collection.owners.includes(user.id),
-    }
-  }
-
   if (operation === 'GET' && get(object, 'type') === 'collection') {
     if (object.owners.includes(user.id)) return true
     const owner = object.owners.find(own => own.id === user.id)
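Review bot: Dropping the owner-filtered `GET` branch for `'/collections/'` means a request to list collections now falls through to rules further down in `authenticatedUser`, which are outside this hunk; if no later rule narrows the listing, a non-admin user would receive every collection rather than only the ones they own. The remaining `GET` check on the next line only covers a single collection object carrying a `type`, so it does not handle the bare path. Worth confirming which rule now decides the listing and recording it in a comment at this spot, e.g. `// Listing /collections/ is handled by the <rule name> check below`, so the removal is not read as an accidental widening. The function continues outside the hunk.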
@@ -216,18 +212,18 @@ async function authenticatedUser(user, operation, object, context) {
     }
   }
 
-  if (get(object, 'type') === 'collection') {
-    if (['GET', 'DELETE'].includes(operation)) {
-      return true
-    }
-
-    // Only allow filtered updating (mirroring filtered creation) for non-admin users)
-    if (operation === 'PATCH') {
-      return {
-        filter: collection => omit(collection, 'filtered'),
-      }
-    }
-  }
+  // if (get(object, 'type') === 'collection') {
+  //   if (['GET', 'DELETE'].includes(operation)) {
+  //     return true
+  //   }
+
+  //   // Only allow filtered updating (mirroring filtered creation) for non-admin users)
+  //   if (operation === 'PATCH') {
+  //     return {
+  //       filter: collection => omit(collection, 'filtered'),
+  //     }
+  //   }
+  // }
 
   // A user can GET, DELETE and PATCH itself
   if (get(object, 'type') === 'user' && get(object, 'id') === user.id) {
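Review bot: The collection block starting at `// if (get(object, 'type') === 'collection') {` is commented out rather than deleted; version control keeps the history, so the dead block should be removed so it is not mistaken for a pending rule. When control reached that block it granted any authenticated user `GET` and `DELETE` on every collection, so disabling it is the tightening the subject line refers to — a short comment such as `// Collection access is decided by the owner-based GET check above` would keep that intent visible. If this was the only use of `omit` in the file, its import is now unused as well (the import is outside the hunk, so this is inferred). `authenticatedUser` continues past the end of the hunk.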
-- 
GitLab