fix: download audit log certificate (#1268)

Previously, it wasn't possible to download an audit log of a document
uploaded by another user because the function used the ID of the user
making the request to retrieve the document. However, the document
uploaded by another user has that user's ID, not the ID of the user
making the request.

packages/trpc/server/document-router/router.ts

@@ -29,6 +29,7 @@ import {
   ZCreateDocumentMutationSchema,
   ZDeleteDraftDocumentMutationSchema as ZDeleteDocumentMutationSchema,
   ZDownloadAuditLogsMutationSchema,
+  ZDownloadCertificateMutationSchema,
   ZFindDocumentAuditLogsQuerySchema,
   ZGetDocumentByIdQuerySchema,
   ZGetDocumentByTokenQuerySchema,
@@ -411,7 +412,14 @@ export const documentRouter = router({
           id: documentId,
           userId: ctx.user.id,
           teamId,
-        });
+        }).catch(() => null);
+
+        if (!document || document.teamId !== teamId) {
+          throw new TRPCError({
+            code: 'FORBIDDEN',
+            message: 'You do not have access to this document.',
+          });
+        }
 
         const encrypted = encryptSecondaryData({
           data: document.id.toString(),
@@ -433,7 +441,7 @@ export const documentRouter = router({
     }),
 
   downloadCertificate: authenticatedProcedure
-    .input(ZDownloadAuditLogsMutationSchema)
+    .input(ZDownloadCertificateMutationSchema)
     .mutation(async ({ input, ctx }) => {
       try {
         const { documentId, teamId } = input;

packages/trpc/server/document-router/schema.ts

@@ -172,6 +172,11 @@ export const ZDownloadAuditLogsMutationSchema = z.object({
   teamId: z.number().optional(),
 });
 
+export const ZDownloadCertificateMutationSchema = z.object({
+  documentId: z.number(),
+  teamId: z.number().optional(),
+});
+
 export const ZMoveDocumentsToTeamSchema = z.object({
   documentId: z.number(),
   teamId: z.number(),