From 031a7b9e3639c6cb0805366e0e95cba5a27ac806 Mon Sep 17 00:00:00 2001
From: David Nguyen
Date: Fri, 13 Jun 2025 01:02:40 +1000
Subject: [PATCH] fix: visibility
---
 .../document/get-document-by-id.ts | 81 +++++++++----------
 1 file changed, 40 insertions(+), 41 deletions(-)
diff --git a/packages/lib/server-only/document/get-document-by-id.ts b/packages/lib/server-only/document/get-document-by-id.ts
index 875bf5ed1..74aa6e5a1 100644
--- a/packages/lib/server-only/document/get-document-by-id.ts
+++ b/packages/lib/server-only/document/get-document-by-id.ts
@@ -1,5 +1,5 @@
 import type { Prisma } from '@prisma/client';
-import { TeamMemberRole } from '@prisma/client';
+import { DocumentStatus, TeamMemberRole } from '@prisma/client';
 import { match } from 'ts-pattern';
 import { prisma } from '@documenso/prisma';
@@ -83,10 +83,46 @@ export const getDocumentWhereInput = async ({
 }: GetDocumentWhereInputOptions) => {
 const team = await getTeamById({ teamId, userId });
+ const user = await prisma.user.findFirstOrThrow({
+ where: {
+ id: userId,
+ },
+ });
+
+ const teamVisibilityFilters = match(team.currentTeamRole)
+ .with(TeamMemberRole.ADMIN, () => [
+ DocumentVisibility.EVERYONE,
+ DocumentVisibility.MANAGER_AND_ABOVE,
+ DocumentVisibility.ADMIN,
+ ])
+ .with(TeamMemberRole.MANAGER, () => [
+ DocumentVisibility.EVERYONE,
+ DocumentVisibility.MANAGER_AND_ABOVE,
+ ])
+ .otherwise(() => [DocumentVisibility.EVERYONE]);
+
 const documentOrInput: Prisma.DocumentWhereInput[] = [
+ // Allow access if they own the document.
 {
- userId: userId,
- teamId: team.id,
+ userId,
+ },
+ // Or, if they belong to the team that the document is associated with.
+ {
+ visibility: {
+ in: teamVisibilityFilters,
+ },
+ teamId,
+ },
+ // Or, if they are a recipient of the document.
+ {
+ status: {
+ not: DocumentStatus.DRAFT,
+ },
+ recipients: {
+ some: {
+ email: user.email,
+ },
+ },
 },
 ];
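Review bot: The owner branch of `documentOrInput` is now just `{ userId }`, so a document the caller created stays readable from any team context they can pass to `getTeamById`, possibly even after they have left the team that owns it; the removed lines tied it to `teamId: team.id`. If that widening is not intended, keep the scope with `{ userId, teamId },`, and if it is, say so in the comment, e.g. `// Owners keep access regardless of which team the document belongs to.` The recipient branch likewise has no team constraint and matches only on `user.email`, which is safe only if that address is verified before the account can be used; nothing in this hunk shows that, so it is worth confirming. The function body continues outside the hunk, so any later additions to `documentOrInput` are not visible here.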
@@ -113,45 +149,8 @@ export const getDocumentWhereInput = async ({
 OR: documentOrInput,
 };
- const user = await prisma.user.findFirstOrThrow({
- where: {
- id: userId,
- },
- });
-
- const visibilityFilters = [
- ...match(team.currentTeamRole)
- .with(TeamMemberRole.ADMIN, () => [
- { visibility: DocumentVisibility.EVERYONE },
- { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
- { visibility: DocumentVisibility.ADMIN },
- ])
- .with(TeamMemberRole.MANAGER, () => [
- { visibility: DocumentVisibility.EVERYONE },
- { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
- ])
- .otherwise(() => [{ visibility: DocumentVisibility.EVERYONE }]),
- {
- OR: [
- {
- recipients: {
- some: {
- email: user.email,
- },
- },
- },
- {
- userId: user.id,
- },
- ],
- },
- ];
-
 return {
- documentWhereInput: {
- ...documentWhereInput,
- // OR: [...visibilityFilters],
- },
+ documentWhereInput,
 team,
 };
 };