add EiC authsome policy

93a5b319 · Alexandru Munteanu · b74266f2 · 93a5b319
Commit 93a5b319 authored 6 years ago by Alexandru Munteanu
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -52,7 +52,7 @@ function unauthenticatedUser(operation, object) {
 const createPaths = ['/collections', '/collections/:collectionId/fragments']
-async function authenticatedUser(user, operation, object, context) {
+async function applyAuthenticatedUserPolicy(user, operation, object, context) {
  if (operation === 'GET') {
    if (get(object, 'path') === '/collections') {
      return {
@@ -247,6 +247,23 @@ async function authenticatedUser(user, operation, object, context) {
  return unauthenticatedUser(operation, object)
 }
+async function applyEditorInChiefPolicy(user, operation, object, context) {
+  if (operation === 'GET') {
+    if (get(object, 'type') === 'collection') {
+      return {
+        filter: collection => ({
+          ...collection,
+          visibleStatus: get(
+            statuses,
+            `${collection.status}.editorInChief.label`,
+          ),
+        }),
+      }
+    }
+  }
+  return true
+}
 const authsomeMode = async (userId, operation, object, context) => {
  if (!userId) {
    return unauthenticatedUser(operation, object)
@@ -256,11 +273,12 @@ const authsomeMode = async (userId, operation, object, context) => {
  // authorization/authsome mode, e.g.
  const user = await context.models.User.find(userId)
-  // Admins and editor in chiefs can do anything
+  if (get(user, 'admin') || get(user, 'editorInChief')) {
-  if (user && (user.admin || user.editorInChief)) return true
+    return applyEditorInChiefPolicy(user, operation, object, context)
+  }
  if (user) {
-    return authenticatedUser(user, operation, object, context)
+    return applyAuthenticatedUserPolicy(user, operation, object, context)
  }
  return false