From 857c3cbfb3aca12560b3939a5909757ee0666020 Mon Sep 17 00:00:00 2001
From: Sebastian Mihalache <sebastian.mihalache@gmail.con>
Date: Fri, 11 May 2018 11:51:26 +0300
Subject: [PATCH] fix authsome

---
 packages/component-invite/config/authsome-mode.js        | 9 ++++++++-
 .../component-manuscript-manager/config/authsome-mode.js | 9 ++++++++-
 packages/xpub-faraday/config/authsome-mode.js            | 9 ++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/packages/component-invite/config/authsome-mode.js b/packages/component-invite/config/authsome-mode.js
index 3498bc042..762998f83 100644
--- a/packages/component-invite/config/authsome-mode.js
+++ b/packages/component-invite/config/authsome-mode.js
@@ -102,6 +102,13 @@ async function authenticatedUser(user, operation, object, context) {
     }
   }
 
+  if (
+    operation === 'POST' &&
+    object.path === '/collections/:collectionId/fragments'
+  ) {
+    return true
+  }
+
   // Allow the authenticated user to GET collections they own
   if (operation === 'GET' && object === '/collections/') {
     return {
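Review bot: The new rule returns `true` for every authenticated user who POSTs to `/collections/:collectionId/fragments`, without checking that the user owns or is a team member of the target collection. The GET rule right below it is scoped to "collections they own", so this looks like a missing object-level authorization check rather than a deliberate policy. If open creation is intended, say so in a comment such as `// Any authenticated user may create a fragment in any collection; ownership is enforced elsewhere (TODO confirm)`; otherwise resolve the collection from the request and compare its owners with `user` before returning `true`. The identical rule is added in the component-manuscript-manager and xpub-faraday copies (hunks at L43 and L70), and since all three files share the same blob ids, a single shared authsome mode would keep the policy from drifting. The body of `authenticatedUser` starts and ends outside this hunk.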
@@ -183,7 +190,7 @@ async function authenticatedUser(user, operation, object, context) {
     return false
   }
 
-  if (user.teams.length !== 0) {
+  if (user.teams.length !== 0 && operation === 'GET') {
     const permissions = await teamPermissions(user, operation, object, context)
 
     if (permissions) {
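Review bot: With `&& operation === 'GET'` added, team members' non-GET operations no longer reach `teamPermissions` and fall through to whatever follows this block, which lies outside the hunk. Whether that path denies by default or hits a broader rule cannot be confirmed from here, so the intent should be recorded, e.g. `// Team-derived permissions apply to reads only; writes are decided by the rules below`. Any non-GET branches inside `teamPermissions` also become unreachable from this call site and are worth pruning, or covering with a test that pins the expected result for a team member's POST/PATCH/DELETE. The same change appears in the hunks at L57 and L84.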
diff --git a/packages/component-manuscript-manager/config/authsome-mode.js b/packages/component-manuscript-manager/config/authsome-mode.js
index 3498bc042..762998f83 100644
--- a/packages/component-manuscript-manager/config/authsome-mode.js
+++ b/packages/component-manuscript-manager/config/authsome-mode.js
@@ -102,6 +102,13 @@ async function authenticatedUser(user, operation, object, context) {
     }
   }
 
+  if (
+    operation === 'POST' &&
+    object.path === '/collections/:collectionId/fragments'
+  ) {
+    return true
+  }
+
   // Allow the authenticated user to GET collections they own
   if (operation === 'GET' && object === '/collections/') {
     return {
@@ -183,7 +190,7 @@ async function authenticatedUser(user, operation, object, context) {
     return false
   }
 
-  if (user.teams.length !== 0) {
+  if (user.teams.length !== 0 && operation === 'GET') {
     const permissions = await teamPermissions(user, operation, object, context)
 
     if (permissions) {
diff --git a/packages/xpub-faraday/config/authsome-mode.js b/packages/xpub-faraday/config/authsome-mode.js
index 3498bc042..762998f83 100644
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -102,6 +102,13 @@ async function authenticatedUser(user, operation, object, context) {
     }
   }
 
+  if (
+    operation === 'POST' &&
+    object.path === '/collections/:collectionId/fragments'
+  ) {
+    return true
+  }
+
   // Allow the authenticated user to GET collections they own
   if (operation === 'GET' && object === '/collections/') {
     return {
@@ -183,7 +190,7 @@ async function authenticatedUser(user, operation, object, context) {
     return false
   }
 
-  if (user.teams.length !== 0) {
+  if (user.teams.length !== 0 && operation === 'GET') {
     const permissions = await teamPermissions(user, operation, object, context)
 
     if (permissions) {
-- 
GitLab