fix: check anon when accessing brief (#2964)

Author: capJavert

__tests__/posts.ts

@@ -123,7 +123,7 @@ jest.mock('../src/common/typedPubsub', () => ({
 let con: DataSource;
 let state: GraphQLTestingState;
 let client: GraphQLTestClient;
-let loggedUser: string = null;
+let loggedUser: string | null = null;
 let isTeamMember = false;
 let isPlus = false;
 let roles: Roles[] = [];
@@ -1245,7 +1245,7 @@ describe('query post', () => {
     );
   });
 
-  it('should throw not found when brief post is from other user', async () => {
+  it('should throw when brief post is from other user', async () => {
     loggedUser = '1';
 
     await saveFixtures(con, BriefPost, [
@@ -1269,6 +1269,30 @@ describe('query post', () => {
     );
   });
 
+  it('should throw for anonymous user accessing brief', async () => {
+    loggedUser = null;
+
+    await saveFixtures(con, BriefPost, [
+      {
+        id: 'pbriefanotherauthor',
+        shortId: 'pbfaa',
+        title: 'pbriefanotherauthor',
+        score: 0,
+        sourceId: BRIEFING_SOURCE,
+        createdAt: new Date('2021-09-22T07:15:51.247Z'),
+        private: true,
+        visible: true,
+        authorId: '2',
+      },
+    ]);
+
+    return testQueryErrorCode(
+      client,
+      { query: QUERY('pbriefanotherauthor') },
+      'FORBIDDEN',
+    );
+  });
+
   describe('clickbaitTitleDetected', () => {
     const LOCAL_QUERY = /* GraphQL */ `
       query Post($id: ID!) {

src/schema/sources.ts

@@ -1205,10 +1205,9 @@ export const ensureSourcePermissions = async (
     if (
       permission == SourcePermissions.View &&
       source.id === BRIEFING_SOURCE &&
-      ctx.userId &&
       post?.type === PostType.Brief
     ) {
-      if (post.authorId !== ctx.userId) {
+      if (!ctx.userId || post.authorId !== ctx.userId) {
         throw new ForbiddenError('Access denied!');
       }