added ownership checks for /links endpoint

JiscSD · Oct 12, 2023 · 6f933a5 · 6f933a5
1 parent 93d31fb
commit 6f933a5
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 10 deletions.
diff --git a/api/src/components/publication/__tests__/getPublication.test.ts b/api/src/components/publication/__tests__/getPublication.test.ts
@@ -20,17 +20,15 @@ describe('View publications + versions', () => {
             apiKey: '987654321'
         });
 
-        expect(getPublication.status).toEqual(200);
-        expect(getPublication.body.versions.every((version) => version.currentStatus === 'LIVE'));
+        expect(getPublication.status).toEqual(403);
     });
 
     test('Cannot view publication version in DRAFT without API key', async () => {
         const getPublication = await testUtils.agent.get('/publications/publication-1').query({
             apiKey: '987654321'
         });
 
-        expect(getPublication.status).toEqual(200);
-        expect(getPublication.body.versions.some((version) => version.currentStatus === 'DRAFT')).toEqual(false);
+        expect(getPublication.status).toEqual(403);
     });
 
     test.todo('Any user can see a LIVE publication');

diff --git a/api/src/components/publication/controller.ts b/api/src/components/publication/controller.ts
@@ -97,10 +97,27 @@ export const getLinksForPublication = async (
 ): Promise<I.JSONResponse> => {
     const publicationId = event.pathParameters.id;
     const directLinks = event.queryStringParameters?.direct === 'true';
+    const user = event.user;
+    let includeDraft = false;
 
     try {
+        if (directLinks) {
+            if (user) {
+                const latestVersion = await publicationVersionService.get(publicationId, 'latest');
+
+                // if latest version is a DRAFT, check if user can see it
+                if (
+                    latestVersion?.currentStatus === 'DRAFT' &&
+                    (user.id === latestVersion?.createdBy ||
+                        latestVersion?.coAuthors.some((coAuthor) => coAuthor.linkedUser === user.id))
+                ) {
+                    includeDraft = true;
+                }
+            }
+        }
+
         const { publication, linkedFrom, linkedTo } = directLinks
-            ? await publicationService.getDirectLinksForPublication(publicationId)
+            ? await publicationService.getDirectLinksForPublication(publicationId, includeDraft)
             : await publicationService.getLinksForPublication(publicationId);
 
         if (!publication) {

diff --git a/api/src/components/publication/service.ts b/api/src/components/publication/service.ts
@@ -634,15 +634,22 @@ export const getLinksForPublication = async (id: string): Promise<I.PublicationW
     };
 };
 
-export const getDirectLinksForPublication = async (id: string): Promise<I.PublicationWithLinks> => {
+export const getDirectLinksForPublication = async (
+    id: string,
+    includeDraft = false
+): Promise<I.PublicationWithLinks> => {
+    const publicationFilter: Prisma.PublicationVersionWhereInput = includeDraft
+        ? { isLatestVersion: true }
+        : { isLatestLiveVersion: true };
+
     const publication = await client.prisma.publication.findUnique({
         where: {
             id
         },
         include: {
             versions: {
                 where: {
-                    isLatestVersion: true
+                    ...publicationFilter
                 },
                 include: {
                     coAuthors: {

diff --git a/api/src/components/publicationVersion/controller.ts b/api/src/components/publicationVersion/controller.ts
@@ -244,7 +244,7 @@ export const updateStatus = async (
         });
 
         const references = await referenceService.getAllByPublicationVersion(updatedVersion.id);
-        const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf);
+        const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf, true);
 
         // Publication version is live, so update the DOI
         await helpers.updateDOI(publicationVersion.publication.doi, publicationVersion, linkedTo, references);

diff --git a/api/src/components/publicationVersion/service.ts b/api/src/components/publicationVersion/service.ts
@@ -280,7 +280,7 @@ export const checkIsReadyToPublish = async (publicationVersion: I.PublicationVer
         return false;
     }
 
-    const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf);
+    const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf, true);
     const topics = await publicationService.getPublicationTopics(publicationVersion.versionOf);
 
     const hasAtLeastOneLinkOrTopic =
@@ -320,7 +320,7 @@ export const checkIsReadyToRequestApprovals = async (publicationVersion: I.Publi
         return false;
     }
 
-    const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf);
+    const { linkedTo } = await publicationService.getDirectLinksForPublication(publicationVersion.versionOf, true);
     const topics = await publicationService.getPublicationTopics(publicationVersion.versionOf);
 
     const hasAtLeastOneLinkOrTopic =