fix: allow non authors to view brief (#2966)

Author: idoshamun

__tests__/posts.ts

@@ -15,7 +15,6 @@ import {
   ArticlePost,
   Bookmark,
   BookmarkList,
-  BRIEFING_SOURCE,
   clearPostTranslations,
   Comment,
   Feed,
@@ -104,7 +103,6 @@ import { Product, ProductType } from '../src/entity/Product';
 import { BriefingModel, BriefingType } from '../src/integrations/feed';
 import { UserBriefingRequest } from '@dailydotdev/schema';
 import { addDays } from 'date-fns';
-import { BriefPost } from '../src/entity/posts/BriefPost';
 
 jest.mock('../src/common/pubsub', () => ({
   ...(jest.requireActual('../src/common/pubsub') as Record<string, unknown>),
@@ -1245,54 +1243,6 @@ describe('query post', () => {
     );
   });
 
-  it('should throw when brief post is from other user', async () => {
-    loggedUser = '1';
-
-    await saveFixtures(con, BriefPost, [
-      {
-        id: 'pbriefanotherauthor',
-        shortId: 'pbfaa',
-        title: 'pbriefanotherauthor',
-        score: 0,
-        sourceId: BRIEFING_SOURCE,
-        createdAt: new Date('2021-09-22T07:15:51.247Z'),
-        private: true,
-        visible: true,
-        authorId: '2',
-      },
-    ]);
-
-    return testQueryErrorCode(
-      client,
-      { query: QUERY('pbriefanotherauthor') },
-      'FORBIDDEN',
-    );
-  });
-
-  it('should throw for anonymous user accessing brief', async () => {
-    loggedUser = null;
-
-    await saveFixtures(con, BriefPost, [
-      {
-        id: 'pbriefanotherauthor',
-        shortId: 'pbfaa',
-        title: 'pbriefanotherauthor',
-        score: 0,
-        sourceId: BRIEFING_SOURCE,
-        createdAt: new Date('2021-09-22T07:15:51.247Z'),
-        private: true,
-        visible: true,
-        authorId: '2',
-      },
-    ]);
-
-    return testQueryErrorCode(
-      client,
-      { query: QUERY('pbriefanotherauthor') },
-      'FORBIDDEN',
-    );
-  });
-
   describe('clickbaitTitleDetected', () => {
     const LOCAL_QUERY = /* GraphQL */ `
       query Post($id: ID!) {

src/schema/posts.ts

@@ -1780,13 +1780,7 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
         sourceTypesWithMembers.includes(postSource.type)
       ) {
         try {
-          await ensureSourcePermissions(
-            ctx,
-            partialPost.sourceId,
-            undefined,
-            undefined,
-            partialPost,
-          );
+          await ensureSourcePermissions(ctx, partialPost.sourceId);
         } catch (permissionError) {
           if (permissionError instanceof ForbiddenError) {
             const forbiddenError = permissionError as ForbiddenError;
@@ -1950,13 +1944,7 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
       const post = await ctx.con
         .getRepository(Post)
         .findOneByOrFail([{ id: args.id }, { slug: args.id }]);
-      await ensureSourcePermissions(
-        ctx,
-        post.sourceId,
-        undefined,
-        undefined,
-        post,
-      );
+      await ensureSourcePermissions(ctx, post.sourceId);
 
       return queryPaginatedByDate(
         ctx,
@@ -3043,13 +3031,7 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
       ctx: AuthContext,
     ): Promise<GQLEmptyResponse> => {
       const post = await ctx.con.getRepository(Post).findOneByOrFail({ id });
-      await ensureSourcePermissions(
-        ctx,
-        post.sourceId,
-        undefined,
-        undefined,
-        post,
-      );
+      await ensureSourcePermissions(ctx, post.sourceId);
       if (post.type !== PostType.Article) {
         await notifyView(
           ctx.log,

src/schema/sources.ts

@@ -3,9 +3,9 @@ import { IResolvers } from '@graphql-tools/utils';
 import { ConnectionArguments } from 'graphql-relay';
 import { AuthContext, BaseContext, Context } from '../Context';
 import {
+  BRIEFING_SOURCE,
   createSharePost,
   NotificationPreferenceSource,
-  PostType,
   REPUTATION_THRESHOLD,
   Source,
   SourceFeed,
@@ -14,9 +14,8 @@ import {
   SourceMemberFlagsPublic,
   SquadSource,
   User,
-  type Post,
 } from '../entity';
-import { BRIEFING_SOURCE, SourceType, SourceUser } from '../entity/Source';
+import { SourceType, SourceUser } from '../entity/Source';
 import {
   SourceMemberRoles,
   sourceRoleRank,
@@ -1188,7 +1187,6 @@ export const ensureSourcePermissions = async (
   sourceId: string | undefined,
   permission: SourcePermissions = SourcePermissions.View,
   validateRankAgainstId?: string,
-  post?: Pick<Post, 'type' | 'authorId' | 'private' | 'sourceId'>,
 ): Promise<Source> => {
   if (sourceId) {
     const source = await ctx.con
@@ -1202,18 +1200,6 @@ export const ensureSourcePermissions = async (
       return source;
     }
 
-    if (
-      permission == SourcePermissions.View &&
-      source.id === BRIEFING_SOURCE &&
-      post?.type === PostType.Brief
-    ) {
-      if (!ctx.userId || post.authorId !== ctx.userId) {
-        throw new ForbiddenError('Access denied!');
-      }
-
-      return source;
-    }
-
     const sourceMember = ctx.userId
       ? await ctx.con
           .getRepository(SourceMember)