diff --git a/packages/component-invite/config/authsome-helpers.js b/packages/component-invite/config/authsome-helpers.js
new file mode 100644
index 0000000000000000000000000000000000000000..5b6633a6150b55db19f733b1ef65351640ae6ccb
--- /dev/null
+++ b/packages/component-invite/config/authsome-helpers.js
@@ -0,0 +1,28 @@
+const omit = require('lodash/omit')
+const config = require('config')
+const get = require('lodash/get')
+
+const statuses = config.get('statuses')
+
+const publicStatusesPermissions = ['author', 'reviewer']
+
+module.exports = {
+ parseReviewerAuthors: (coll, matchingCollPerm) => {
+ if (['reviewer'].includes(matchingCollPerm.permission)) {
+ coll.authors = coll.authors.map(a => omit(a, ['email']))
+ }
+ },
+ setPublicStatuses: (coll, matchingCollPerm) => {
+ const status = get(coll, 'status') || 'draft'
+ coll.visibleStatus = statuses[status].public
+ if (!publicStatusesPermissions.includes(matchingCollPerm.permission)) {
+ coll.visibleStatus = statuses[coll.status].private
+ }
+ },
+ filterRefusedInvitations: (coll, user) => {
+ const matchingInv = coll.invitations.find(inv => inv.userId === user.id)
+ if (matchingInv === undefined) return null
+ if (matchingInv.hasAnswer === true && !matchingInv.isAccepted) return null
+ return coll
+ },
+}
diff --git a/packages/component-invite/config/authsome-mode.js b/packages/component-invite/config/authsome-mode.js
new file mode 100644
index 0000000000000000000000000000000000000000..3d3f15f68fc572760b30c203169dd71f40b1e43a
--- /dev/null
+++ b/packages/component-invite/config/authsome-mode.js
@@ -0,0 +1,224 @@
+const get = require('lodash/get')
+const pickBy = require('lodash/pickBy')
+const omit = require('lodash/omit')
+const helpers = require('./authsome-helpers')
+
+async function teamPermissions(user, operation, object, context) {
+ const permissions = ['handlingEditor', 'author', 'reviewer']
+ const teams = await Promise.all(
+ user.teams.map(async teamId => {
+ const team = await context.models.Team.find(teamId)
+ if (permissions.includes(team.teamType.permissions)) {
+ return team
+ }
+ return null
+ }),
+ )
+
+ const collectionsPermissions = teams.filter(Boolean).map(team => ({
+ id: team.object.id,
+ permission: team.teamType.permissions,
+ }))
+
+ if (collectionsPermissions.length > 0) {
+ return {
+ filter: filterParam => {
+ if (!filterParam.length) return filterParam
+
+ const collections = filterParam
+ .map(coll => {
+ const matchingCollPerm = collectionsPermissions.find(
+ collPerm => coll.id === collPerm.id,
+ )
+ if (matchingCollPerm === undefined) {
+ return null
+ }
+ helpers.setPublicStatuses(coll, matchingCollPerm)
+ helpers.parseReviewerAuthors(coll, matchingCollPerm)
+ if (
+ ['reviewer', 'handlingEditor'].includes(
+ matchingCollPerm.permission,
+ )
+ ) {
+ return helpers.filterRefusedInvitations(coll, user)
+ }
+ return coll
+ })
+ .filter(Boolean)
+ return collections
+ },
+ }
+ }
+
+ return {}
+}
+
+function unauthenticatedUser(operation, object) {
+ // Public/unauthenticated users can GET /collections, filtered by 'published'
+ if (operation === 'GET' && object && object.path === '/collections') {
+ return {
+ filter: collections =>
+ collections.filter(collection => collection.published),
+ }
+ }
+
+ // Public/unauthenticated users can GET /collections/:id/fragments, filtered by 'published'
+ if (
+ operation === 'GET' &&
+ object &&
+ object.path === '/collections/:id/fragments'
+ ) {
+ return {
+ filter: fragments => fragments.filter(fragment => fragment.published),
+ }
+ }
+
+ // and filtered individual collection's properties: id, title, source, content, owners
+ if (operation === 'GET' && object && object.type === 'collection') {
+ if (object.published) {
+ return {
+ filter: collection =>
+ pickBy(collection, (_, key) =>
+ ['id', 'title', 'owners'].includes(key),
+ ),
+ }
+ }
+ }
+
+ if (operation === 'GET' && object && object.type === 'fragment') {
+ if (object.published) {
+ return {
+ filter: fragment =>
+ pickBy(fragment, (_, key) =>
+ ['id', 'title', 'source', 'presentation', 'owners'].includes(key),
+ ),
+ }
+ }
+ }
+
+ return false
+}
+
+async function authenticatedUser(user, operation, object, context) {
+ // Allow the authenticated user to POST a collection (but not with a 'filtered' property)
+ if (operation === 'POST' && object.path === '/collections') {
+ return {
+ filter: collection => omit(collection, 'filtered'),
+ }
+ }
+
+ // Allow the authenticated user to GET collections they own
+ if (operation === 'GET' && object === '/collections/') {
+ return {
+ filter: collection => collection.owners.includes(user.id),
+ }
+ }
+
+ // Allow owners of a collection to GET its teams, e.g.
+ // GET /api/collections/1/teams
+ if (operation === 'GET' && get(object, 'path') === '/teams') {
+ const collectionId = get(object, 'params.collectionId')
+ if (collectionId) {
+ const collection = await context.models.Collection.find(collectionId)
+ if (collection.owners.includes(user.id)) {
+ return true
+ }
+ }
+ }
+
+ if (
+ operation === 'GET' &&
+ get(object, 'type') === 'team' &&
+ get(object, 'object.type') === 'collection'
+ ) {
+ const collection = await context.models.Collection.find(
+ get(object, 'object.id'),
+ )
+ if (collection.owners.includes(user.id)) {
+ return true
+ }
+ }
+
+ // Advanced example
+ // Allow authenticated users to create a team based around a collection
+ // if they are one of the owners of this collection
+ if (['POST', 'PATCH'].includes(operation) && get(object, 'type') === 'team') {
+ if (get(object, 'object.type') === 'collection') {
+ const collection = await context.models.Collection.find(
+ get(object, 'object.id'),
+ )
+ if (collection.owners.includes(user.id)) {
+ return true
+ }
+ }
+ }
+
+ // only allow the HE to create an invitation
+ if (operation === 'POST' && get(object, 'type') === 'collection') {
+ const collection = await context.models.Collection.find(get(object, 'id'))
+ if (collection.handlingEditor.id === user.id) {
+ return true
+ }
+ return false
+ }
+
+ if (user.teams.length !== 0) {
+ const permissions = await teamPermissions(user, operation, object, context)
+
+ if (permissions) {
+ return permissions
+ }
+ }
+
+ if (get(object, 'type') === 'fragment') {
+ const fragment = object
+
+ if (fragment.owners.includes(user.id)) {
+ return true
+ }
+ }
+
+ if (get(object, 'type') === 'collection') {
+ if (['GET', 'DELETE'].includes(operation)) {
+ return true
+ }
+
+ // Only allow filtered updating (mirroring filtered creation) for non-admin users)
+ if (operation === 'PATCH') {
+ return {
+ filter: collection => omit(collection, 'filtered'),
+ }
+ }
+ }
+
+ // A user can GET, DELETE and PATCH itself
+ if (get(object, 'type') === 'user' && get(object, 'id') === user.id) {
+ if (['GET', 'DELETE', 'PATCH'].includes(operation)) {
+ return true
+ }
+ }
+ // If no individual permissions exist (above), fallback to unauthenticated
+ // user's permission
+ return unauthenticatedUser(operation, object)
+}
+
+const authsomeMode = async (userId, operation, object, context) => {
+ if (!userId) {
+ return unauthenticatedUser(operation, object)
+ }
+
+ // It's up to us to retrieve the relevant models for our
+ // authorization/authsome mode, e.g.
+ const user = await context.models.User.find(userId)
+
+ // Admins and editor in chiefs can do anything
+ if (user && (user.admin === true || user.editorInChief === true)) return true
+
+ if (user) {
+ return authenticatedUser(user, operation, object, context)
+ }
+
+ return false
+}
+
+module.exports = authsomeMode
diff --git a/packages/component-invite/config/default.js b/packages/component-invite/config/default.js
index 27fee757472f0eb6c28960974e260631de59a933..7afbb2f22c26d8ae4d9f314989bc4a02189360f7 100644
--- a/packages/component-invite/config/default.js
+++ b/packages/component-invite/config/default.js
@@ -1,4 +1,17 @@
+const path = require('path')
+
module.exports = {
+ authsome: {
+ mode: path.resolve(__dirname, 'authsome-mode.js'),
+ teams: {
+ handlingEditor: {
+ name: 'Handling Editors',
+ },
+ reviewer: {
+ name: 'Reviewer',
+ },
+ },
+ },
mailer: {
from: 'test@example.com',
},
diff --git a/packages/component-invite/config/test.js b/packages/component-invite/config/test.js
index b9d4165e677621eae6c9660f532d4332bb90d326..0eb54780a931f66f1b611d9a4d51552908ece2c3 100644
--- a/packages/component-invite/config/test.js
+++ b/packages/component-invite/config/test.js
@@ -1,4 +1,17 @@
+const path = require('path')
+
module.exports = {
+ authsome: {
+ mode: path.resolve(__dirname, 'authsome-mode.js'),
+ teams: {
+ handlingEditor: {
+ name: 'Handling Editors',
+ },
+ reviewer: {
+ name: 'Reviewer',
+ },
+ },
+ },
mailer: {
from: 'test@example.com',
},
diff --git a/packages/component-invite/src/helpers/authsome.js b/packages/component-invite/src/helpers/authsome.js
index 7ae32a08c8916d1388051a88a7fae7bef78a746d..212cee2a3ea23a424b1f77dde2f7dd4cf888b2a0 100644
--- a/packages/component-invite/src/helpers/authsome.js
+++ b/packages/component-invite/src/helpers/authsome.js
@@ -3,6 +3,27 @@ const Authsome = require('authsome')
const mode = require(config.get('authsome.mode'))
-const authsome = new Authsome({ ...config.authsome, mode }, {})
+const getAuthsome = models =>
+ new Authsome(
+ { ...config.authsome, mode },
+ {
+ // restrict methods passed to mode since these have to be shimmed on client
+ // any changes here should be reflected in the `withAuthsome` component of `pubsweet-client`
+ models: {
+ Collection: {
+ find: id => models.Collection.find(id),
+ },
+ Fragment: {
+ find: id => models.Fragment.find(id),
+ },
+ User: {
+ find: id => models.User.find(id),
+ },
+ Team: {
+ find: id => models.Team.find(id),
+ },
+ },
+ },
+ )
-module.exports = authsome
+module.exports = { getAuthsome }
diff --git a/packages/component-invite/src/routes/collectionsInvitations/post.js b/packages/component-invite/src/routes/collectionsInvitations/post.js
index 73a588a3be1b40554dd9d6d9bebc11a042e6ff16..3775cd1105c77359de6202fff7716a47e12c11f2 100644
--- a/packages/component-invite/src/routes/collectionsInvitations/post.js
+++ b/packages/component-invite/src/routes/collectionsInvitations/post.js
@@ -7,6 +7,7 @@ const config = require('config')
const mailService = require('pubsweet-component-mail-service')
const userHelper = require('../../helpers/User')
const invitationHelper = require('../../helpers/Invitation')
+const authsomeHelper = require('../../helpers/authsome')
const configRoles = config.get('roles')
@@ -25,6 +26,8 @@ module.exports = models => async (req, res) => {
return
}
const reqUser = await models.User.find(req.user)
+ const authsome = authsomeHelper.getAuthsome(models)
+
if (email === reqUser.email && !reqUser.admin) {
logger.error(`${reqUser.email} tried to invite his own email`)
return res.status(400).json({ error: 'Cannot invite yourself' })
@@ -41,6 +44,11 @@ module.exports = models => async (req, res) => {
})
}
+ const canPost = await authsome.can(req.user, 'POST', collection)
+ if (!canPost)
+ return res.status(403).json({
+ error: 'Unauthorized.',
+ })
const baseUrl = `${req.protocol}://${req.get('host')}`
const params = {
baseUrl,
diff --git a/packages/component-invite/src/tests/collectionsInvitations/post.test.js b/packages/component-invite/src/tests/collectionsInvitations/post.test.js
index f15832969d072bcb9715572b352229b503d8e059..ec7524458eec88eeed58cb2523243bfaf33acbf3 100644
--- a/packages/component-invite/src/tests/collectionsInvitations/post.test.js
+++ b/packages/component-invite/src/tests/collectionsInvitations/post.test.js
@@ -156,4 +156,20 @@ describe('Post collections invitations route handler', () => {
`User has already replied to a previous invitation.`,
)
})
+ it('should return an error when the user does not have invitation rights', async () => {
+ const { author } = testFixtures.users
+ const { collection } = testFixtures.collections
+
+ const req = httpMocks.createRequest({
+ body,
+ })
+ req.user = author.id
+ req.params.collectionId = collection.id
+ const res = httpMocks.createResponse()
+ await require(postPath)(models)(req, res)
+
+ expect(res.statusCode).toBe(403)
+ const data = JSON.parse(res._getData())
+ expect(data.error).toEqual('Unauthorized.')
+ })
})
diff --git a/packages/xpub-faraday/config/authsome-mode.js b/packages/xpub-faraday/config/authsome-mode.js
index ac3198fe9a0a7f7ad6101fd96e3325ad5422a78f..3d3f15f68fc572760b30c203169dd71f40b1e43a 100644
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -153,6 +153,15 @@ async function authenticatedUser(user, operation, object, context) {
}
}
+ // only allow the HE to create an invitation
+ if (operation === 'POST' && get(object, 'type') === 'collection') {
+ const collection = await context.models.Collection.find(get(object, 'id'))
+ if (collection.handlingEditor.id === user.id) {
+ return true
+ }
+ return false
+ }
+
if (user.teams.length !== 0) {
const permissions = await teamPermissions(user, operation, object, context)