fix(authsome-mode): deny access to manuscript from link

a9883542 · Mihail Hagiu · 70184d67 · a9883542
Commit a9883542 authored 6 years ago by Mihail Hagiu
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -342,6 +342,11 @@ async function applyAdminPolicy(user, operation, object, context) {
 async function applyEditorInChiefPolicy(user, operation, object, context) {
  if (operation === 'GET') {
    if (get(object, 'type') === 'collection') {
+      if (
+        !filterDraftCollections(object) ||
+        !filterTechnicalChecksCollections(object)
+      )
+        return false
      return {
        filter: collection => ({
          ...collection,
@@ -353,6 +358,17 @@ async function applyEditorInChiefPolicy(user, operation, object, context) {
      }
    }

+    if (get(object, 'type') === 'fragment') {
+      const collection = await context.models.Collection.find(
+        get(object, 'collectionId'),
+      )
+      if (
+        !filterDraftCollections(collection) ||
+        !filterTechnicalChecksCollections(collection)
+      )
+        return false
+    }
+
    if (get(object, 'path') === '/api/users') {
      return helpers.getUsersList({ UserModel: context.models.User, user })
    }