From 82879aaa60b4dc07b39170db33842433ddbe3e6e Mon Sep 17 00:00:00 2001
From: Stefan Zermatten
Date: Sun, 24 Jul 2022 15:12:12 +0200
Subject: [PATCH] Added admin override to view permission
---
 app/imports/api/sharing/sharingPermissions.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/app/imports/api/sharing/sharingPermissions.js b/app/imports/api/sharing/sharingPermissions.js
index 6f48ed4b..58629c62 100644
--- a/app/imports/api/sharing/sharingPermissions.js
+++ b/app/imports/api/sharing/sharingPermissions.js
@@ -35,7 +35,7 @@ export function assertOwnership(doc, userId){
 export function assertEditPermission(doc, userId) {
 assertIdValid(userId);
 assertdocExists(doc);
- let user = Meteor.users.findOne(userId, {
+ const user = Meteor.users.findOne(userId, {
 fields: {
 'services.patreon': 1,
 'roles': 1,
@@ -83,6 +83,7 @@ export function assertViewPermission(doc, userId) {
 assertdocExists(doc);
 if (doc.public) return true;
 assertIdValid(userId);
+
 if (
 doc.owner === userId ||
 _.contains(doc.readers, userId) ||
@@ -90,6 +91,17 @@ export function assertViewPermission(doc, userId) {
 ){
 return true;
 } else {
+
+ // Admin override
+ const user = Meteor.users.findOne(userId, {
+ fields: {
+ 'roles': 1,
+ }
+ });
+ if (user.roles && user.roles.includes('admin')){
+ return true;
+ }
+
 throw new Meteor.Error('View permission denied',
 'You do not have permission to view this document');
 }
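Review bot: The admin override in the last hunk dereferences `user.roles` without checking that `Meteor.users.findOne(userId, …)` returned a document, so a well-formed `userId` with no matching user record (a deleted account, or presumably a client-side call where that user document is not published) raises a TypeError instead of the `'View permission denied'` Meteor.Error. Access is still refused, but callers that match on the Meteor.Error lose it; guard the lookup with `if (user && user.roles && user.roles.includes('admin')){`. Because this branch now grants read access to every private document, confirm outside this diff that `roles` cannot be written by the user it describes, and consider logging when the override is what granted access so admin reads of private documents are auditable. The body of `assertViewPermission` begins above this hunk, so the checks that run before this branch are only partly visible here.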