From a9883542e5ae178b455b020336aa574d95777350 Mon Sep 17 00:00:00 2001
From: Mihail Hagiu <mihail.hagiu@thinslices.com>
Date: Tue, 11 Dec 2018 16:25:08 +0200
Subject: [PATCH] fix(authsome-mode): deny access to manuscript from link

---
 packages/xpub-faraday/config/authsome-mode.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/packages/xpub-faraday/config/authsome-mode.js b/packages/xpub-faraday/config/authsome-mode.js
index 07e4319c8..a01f22101 100644
--- a/packages/xpub-faraday/config/authsome-mode.js
+++ b/packages/xpub-faraday/config/authsome-mode.js
@@ -342,6 +342,11 @@ async function applyAdminPolicy(user, operation, object, context) {
 async function applyEditorInChiefPolicy(user, operation, object, context) {
   if (operation === 'GET') {
     if (get(object, 'type') === 'collection') {
+      if (
+        !filterDraftCollections(object) ||
+        !filterTechnicalChecksCollections(object)
+      )
+        return false
       return {
         filter: collection => ({
           ...collection,
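Review bot: The deny condition added at the top of the `collection` branch is repeated verbatim in the new `fragment` branch later in this function, so the two access checks can drift apart when only one of them is edited. Pulling it into a single predicate, e.g. `const isHiddenFromEiC = c => !filterDraftCollections(c) || !filterTechnicalChecksCollections(c)`, and calling it in both places keeps the rule in one spot. The `filter…` helpers are defined outside the hunk and are used negated here, so a short comment such as `// EiC may not read draft or technical-check collections, even via a direct link` would state the intent. applyEditorInChiefPolicy continues past the end of this hunk.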
@@ -353,6 +358,17 @@ async function applyEditorInChiefPolicy(user, operation, object, context) {
       }
     }
 
+    if (get(object, 'type') === 'fragment') {
+      const collection = await context.models.Collection.find(
+        get(object, 'collectionId'),
+      )
+      if (
+        !filterDraftCollections(collection) ||
+        !filterTechnicalChecksCollections(collection)
+      )
+        return false
+    }
+
     if (get(object, 'path') === '/api/users') {
       return helpers.getUsersList({ UserModel: context.models.User, user })
     }
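Review bot: The new `fragment` branch passes the result of `context.models.Collection.find(...)` straight into the two filter helpers, with no handling for a fragment whose `collectionId` is missing or does not resolve. Depending on how `find` and the helpers behave (neither is visible here), that either throws out of the policy or evaluates the filters against an empty value, and the outcome of an authorization check should not hinge on that. An explicit fail-closed guard before the filter check, `if (!collection) return false`, would make the denial deliberate; if `find` rejects on an unknown id, a try/catch that returns false does the same. The check is only reached for `GET`, and whether other operations on such fragments are restricted is decided outside this hunk.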
-- 
GitLab