Commit 70e1d1e2 authored by Sebastian Mihalache's avatar Sebastian Mihalache

fix author access

parent 48e17cf7
1 merge request!10Sprint #12
...@@ -60,12 +60,7 @@ const filterObjectData = ( ...@@ -60,12 +60,7 @@ const filterObjectData = (
return object return object
} }
const getTeamsByPermissions = async ( const getTeamsByPermissions = async (teamIds = [], permissions, TeamModel) => {
teamIds = [],
permissions,
TeamModel,
object,
) => {
const teams = await Promise.all( const teams = await Promise.all(
teamIds.map(async teamId => { teamIds.map(async teamId => {
const team = await TeamModel.find(teamId) const team = await TeamModel.find(teamId)
......
...@@ -9,7 +9,6 @@ async function teamPermissions(user, operation, object, context) { ...@@ -9,7 +9,6 @@ async function teamPermissions(user, operation, object, context) {
user.teams, user.teams,
permissions, permissions,
context.models.Team, context.models.Team,
object,
) )
let collectionsPermissions = await Promise.all( let collectionsPermissions = await Promise.all(
...@@ -20,8 +19,12 @@ async function teamPermissions(user, operation, object, context) { ...@@ -20,8 +19,12 @@ async function teamPermissions(user, operation, object, context) {
permission: team.teamType.permissions, permission: team.teamType.permissions,
} }
const objectType = get(object, 'type') const objectType = get(object, 'type')
if (objectType === 'fragment' && collection.fragments.includes(object.id)) if (objectType === 'fragment') {
collPerm.fragmentId = object.id if (collection.fragments.includes(object.id))
collPerm.fragmentId = object.id
else return null
}
if (objectType === 'collection') if (objectType === 'collection')
if (object.id !== collection.id) return null if (object.id !== collection.id) return null
return collPerm return collPerm
...@@ -111,13 +114,6 @@ async function authenticatedUser(user, operation, object, context) { ...@@ -111,13 +114,6 @@ async function authenticatedUser(user, operation, object, context) {
return true return true
} }
// Allow the authenticated user to GET collections they own
if (operation === 'GET' && object === '/collections/') {
return {
filter: collection => collection.owners.includes(user.id),
}
}
if (operation === 'GET' && get(object, 'type') === 'collection') { if (operation === 'GET' && get(object, 'type') === 'collection') {
if (object.owners.includes(user.id)) return true if (object.owners.includes(user.id)) return true
const owner = object.owners.find(own => own.id === user.id) const owner = object.owners.find(own => own.id === user.id)
...@@ -216,18 +212,18 @@ async function authenticatedUser(user, operation, object, context) { ...@@ -216,18 +212,18 @@ async function authenticatedUser(user, operation, object, context) {
} }
} }
if (get(object, 'type') === 'collection') { // if (get(object, 'type') === 'collection') {
if (['GET', 'DELETE'].includes(operation)) { // if (['GET', 'DELETE'].includes(operation)) {
return true // return true
} // }
// Only allow filtered updating (mirroring filtered creation) for non-admin users) // // Only allow filtered updating (mirroring filtered creation) for non-admin users)
if (operation === 'PATCH') { // if (operation === 'PATCH') {
return { // return {
filter: collection => omit(collection, 'filtered'), // filter: collection => omit(collection, 'filtered'),
} // }
} // }
} // }
// A user can GET, DELETE and PATCH itself // A user can GET, DELETE and PATCH itself
if (get(object, 'type') === 'user' && get(object, 'id') === user.id) { if (get(object, 'type') === 'user' && get(object, 'id') === user.id) {
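Review bot: The collection block is commented out rather than removed, so the lines that granted any authenticated user `GET`/`DELETE` on every collection (and an unfiltered `PATCH` minus `filtered`) remain in the file as dead code that a later maintainer may uncomment without knowing why it was disabled. Delete the eleven commented lines and leave a short note in their place, e.g. `// Collection access for non-owners is decided by team permissions (see teamPermissions); do not grant it here.`, so the intent of "fix author access" survives in the source. The `omit` helper may become unused in this file once the block is gone; check whether the import can be dropped. authenticatedUser continues outside the hunk, so I cannot confirm what a non-owner collection request now falls through to — worth a test that a plain authenticated user gets no `GET`/`DELETE` on a collection they do not own.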
......