add EiC authsome policy

packages/xpub-faraday/config/authsome-mode.js

@@ -52,7 +52,7 @@ function unauthenticatedUser(operation, object) {
 
 const createPaths = ['/collections', '/collections/:collectionId/fragments']
 
-async function authenticatedUser(user, operation, object, context) {
+async function applyAuthenticatedUserPolicy(user, operation, object, context) {
   if (operation === 'GET') {
     if (get(object, 'path') === '/collections') {
       return {
@@ -247,6 +247,23 @@ async function authenticatedUser(user, operation, object, context) {
   return unauthenticatedUser(operation, object)
 }
 
+async function applyEditorInChiefPolicy(user, operation, object, context) {
+  if (operation === 'GET') {
+    if (get(object, 'type') === 'collection') {
+      return {
+        filter: collection => ({
+          ...collection,
+          visibleStatus: get(
+            statuses,
+            `${collection.status}.editorInChief.label`,
+          ),
+        }),
+      }
+    }
+  }
+  return true
+}
+
 const authsomeMode = async (userId, operation, object, context) => {
   if (!userId) {
     return unauthenticatedUser(operation, object)
@@ -256,11 +273,12 @@ const authsomeMode = async (userId, operation, object, context) => {
   // authorization/authsome mode, e.g.
   const user = await context.models.User.find(userId)
 
-  // Admins and editor in chiefs can do anything
-  if (user && (user.admin || user.editorInChief)) return true
+  if (get(user, 'admin') || get(user, 'editorInChief')) {
+    return applyEditorInChiefPolicy(user, operation, object, context)
+  }
 
   if (user) {
-    return authenticatedUser(user, operation, object, context)
+    return applyAuthenticatedUserPolicy(user, operation, object, context)
   }
 
   return false