fix: document visibility logic (#1521)

Update the logic of document visibility logic and added some tests & updated some existing ones.
2025-11-12 15:53:02 +10:00 · 2024-12-16 09:10:40 +02:00
parent 861e9c976b
commit 2245812f0b
7 changed files with 303 additions and 57 deletions
--- a/packages/lib/server-only/document/create-document.ts
+++ b/packages/lib/server-only/document/create-document.ts
@ -89,17 +89,16 @@ export const createDocument = async ({
    globalVisibility: DocumentVisibility | null | undefined,
    userRole: TeamMemberRole,
  ): DocumentVisibility => {
-    const defaultVisibility = globalVisibility ?? DocumentVisibility.EVERYONE;
+    if (globalVisibility) {
+      return globalVisibility;
+    }

    if (userRole === TeamMemberRole.ADMIN) {
-      return defaultVisibility;
+      return DocumentVisibility.ADMIN;
    }

    if (userRole === TeamMemberRole.MANAGER) {
-      if (defaultVisibility === DocumentVisibility.ADMIN) {
-        return DocumentVisibility.MANAGER_AND_ABOVE;
-      }
-      return defaultVisibility;
+      return DocumentVisibility.MANAGER_AND_ABOVE;
    }

    return DocumentVisibility.EVERYONE;
--- a/packages/lib/server-only/document/update-document-settings.ts
+++ b/packages/lib/server-only/document/update-document-settings.ts
@ -91,39 +91,43 @@ export const updateDocumentSettings = async ({

  if (teamId) {
    const currentUserRole = document.team?.members[0]?.role;
+    const isDocumentOwner = document.userId === userId;
+    const requestedVisibility = data.visibility;

-    match(currentUserRole)
-      .with(TeamMemberRole.ADMIN, () => true)
-      .with(TeamMemberRole.MANAGER, () => {
-        const allowedVisibilities: DocumentVisibility[] = [
-          DocumentVisibility.EVERYONE,
-          DocumentVisibility.MANAGER_AND_ABOVE,
-        ];
+    if (!isDocumentOwner) {
+      match(currentUserRole)
+        .with(TeamMemberRole.ADMIN, () => true)
+        .with(TeamMemberRole.MANAGER, () => {
+          const allowedVisibilities: DocumentVisibility[] = [
+            DocumentVisibility.EVERYONE,
+            DocumentVisibility.MANAGER_AND_ABOVE,
+          ];

-        if (
-          !allowedVisibilities.includes(document.visibility) ||
-          (data.visibility && !allowedVisibilities.includes(data.visibility))
-        ) {
+          if (
+            !allowedVisibilities.includes(document.visibility) ||
+            (requestedVisibility && !allowedVisibilities.includes(requestedVisibility))
+          ) {
+            throw new AppError(AppErrorCode.UNAUTHORIZED, {
+              message: 'You do not have permission to update the document visibility',
+            });
+          }
+        })
+        .with(TeamMemberRole.MEMBER, () => {
+          if (
+            document.visibility !== DocumentVisibility.EVERYONE ||
+            (requestedVisibility && requestedVisibility !== DocumentVisibility.EVERYONE)
+          ) {
+            throw new AppError(AppErrorCode.UNAUTHORIZED, {
+              message: 'You do not have permission to update the document visibility',
+            });
+          }
+        })
+        .otherwise(() => {
          throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'You do not have permission to update the document visibility',
+            message: 'You do not have permission to update the document',
          });
-        }
-      })
-      .with(TeamMemberRole.MEMBER, () => {
-        if (
-          document.visibility !== DocumentVisibility.EVERYONE ||
-          (data.visibility && data.visibility !== DocumentVisibility.EVERYONE)
-        ) {
-          throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'You do not have permission to update the document visibility',
-          });
-        }
-      })
-      .otherwise(() => {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'You do not have permission to update the document',
        });
-      });
+    }
  }

  const { documentAuthOption } = extractDocumentAuthMethods({