Merge pull request #1580 from sharelatex/ta-entity-create-form-fix-2

Fix Publisher Creation Form Take2

GitOrigin-RevId: a51512cc48067f50ba05fa371ed1d759d3fca985

services/web/app/coffee/Features/UserMembership/UserMembershipAuthorization.coffee

@@ -77,6 +77,12 @@ module.exports = UserMembershipAuthorization =
 			return UserMembershipAuthorization.requireTeamMetricsAccess(req, res, next)
 		requireAccessToEntity(req.query.resource_type, req.query.resource_id, req, res, next)
 
+	requireEntityCreationAccess: (req, res, next) ->
+		loggedInUser = AuthenticationController.getSessionUser(req)
+		unless loggedInUser and hasEntityCreationAccess(loggedInUser)
+			return AuthorizationMiddlewear.redirectToRestricted req, res, next
+		next()
+
 requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAccess=null) ->
 	loggedInUser = AuthenticationController.getSessionUser(req)
 	unless loggedInUser
@@ -93,7 +99,7 @@ requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAcce
 		if entityExists # user doesn't have access to entity
 			return AuthorizationMiddleware.redirectToRestricted(req, res, next)
 
-		if loggedInUser.isAdmin and entityConfig.canCreate
+		if hasEntityCreationAccess(loggedInUser) and entityConfig.canCreate
 			# entity doesn't exists, admin can create it
 			return res.redirect "/entities/#{entityName}/create/#{entityId}"
 
@@ -112,3 +118,8 @@ getEntity = (entityName, entityId, user, requiredStaffAccess, callback = (error,
 		UserMembershipHandler.getEntityWithoutAuthorizationCheck entityId, entityConfig, (error, entity)->
 			return callback(error) if error?
 			callback(null, null, entityConfig, entity?)
+
+hasEntityCreationAccess = (user) ->
+	user.isAdmin or
+		user.staffAccess?['institutionManagement'] or
+		user.staffAccess?['publisherManagement']

services/web/app/coffee/Features/UserMembership/UserMembershipRouter.coffee

@@ -2,7 +2,6 @@ UserMembershipAuthorization = require './UserMembershipAuthorization'
 UserMembershipController = require './UserMembershipController'
 SubscriptionGroupController = require '../Subscription/SubscriptionGroupController'
 TeamInvitesController = require '../Subscription/TeamInvitesController'
-AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')
 RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')
 
 module.exports =
@@ -69,8 +68,8 @@ module.exports =
 
 		# create new entitites
 		webRouter.get "/entities/:name/create/:id",
-			UserMembershipAuthorization.requirePublisherManagementAccess,
+			UserMembershipAuthorization.requireEntityCreationAccess,
 			UserMembershipController.new
 		webRouter.post "/entities/:name/create/:id",
-			UserMembershipAuthorization.requirePublisherManagementAccess,
+			UserMembershipAuthorization.requireEntityCreationAccess,
 			UserMembershipController.create

services/web/test/unit/coffee/UserMembership/UserMembershipAuthorizationTests.coffee

@@ -67,6 +67,15 @@ describe "UserMembershipAuthorization", ->
 				expect(path).to.match /create/
 				done()
 
+		it 'handle entity not found a non-admin can create', (done) ->
+			@user.staffAccess = { institutionManagement: true }
+			@UserMembershipHandler.getEntity.yields(null, null)
+			@UserMembershipHandler.getEntityWithoutAuthorizationCheck.yields(null, null)
+			@UserMembershipAuthorization.requirePublisherMetricsAccess @req, redirect: (path) =>
+				expect(path).to.extist
+				expect(path).to.match /create/
+				done()
+
 		it 'handle entity not found an admin cannot create', (done) ->
 			@user.isAdmin = true
 			@UserMembershipHandler.getEntity.yields(null, null)