From d264137cbc51955320c48bad0bd868116832de79 Mon Sep 17 00:00:00 2001
From: Dave Bouwman <dave@davebouwman.com>
Date: Fri, 24 Jan 2020 14:40:50 -0700
Subject: [PATCH] fix(sharing): only item owner, group owner or group admin can
 unshare

Add additional clause limiting unsharing to item owner, group owner or group admin

AFFECTS PACKAGES:
@esri/arcgis-rest-portal
---
 .../src/sharing/group-sharing.ts              | 30 +++++++++---
 .../test/sharing/group-sharing.test.ts        | 48 +++++++++++++++++++
 2 files changed, 71 insertions(+), 7 deletions(-)

diff --git a/packages/arcgis-rest-portal/src/sharing/group-sharing.ts b/packages/arcgis-rest-portal/src/sharing/group-sharing.ts
index 30c5b68636..592a1979b9 100644
--- a/packages/arcgis-rest-portal/src/sharing/group-sharing.ts
+++ b/packages/arcgis-rest-portal/src/sharing/group-sharing.ts
@@ -103,14 +103,30 @@ function changeGroupSharing(
                 `This item can not be ${requestOptions.action}d by ${username} as they are not a member of the specified group ${requestOptions.groupId}.`
               );
             } else {
-              // they are some level of member or org-admin
-              // but only item owners can share/unshare items w/ shared editing groups
-              if (isSharedEditingGroup && itemOwner !== username) {
-                throw Error(
-                  `This item can not be ${requestOptions.action}d to shared editing group ${requestOptions.groupId} by ${username} as they not the item owner.`
-                );
+              // ...they are some level of membership or org-admin
+
+              // if the current user does not own the item, we had more checks...
+              if (itemOwner !== username) {
+                // only item owners can share/unshare items w/ shared editing groups
+                if (isSharedEditingGroup) {
+                  throw Error(
+                    `This item can not be ${requestOptions.action}d to shared editing group ${requestOptions.groupId} by ${username} as they not the item owner.`
+                  );
+                }
+                // only item-owners, group-admin's, group-owners can unshare an item from a normal group
+                if (
+                  requestOptions.action === "unshare" &&
+                  membership !== "admin" &&
+                  membership !== "owner"
+                ) {
+                  throw Error(
+                    `This item can not be ${requestOptions.action}d from group ${requestOptions.groupId} by ${username} as they not the item owner, group admin or group owner.`
+                  );
+                }
               }
-              // at this point, the user should be able to share the item to the group
+
+              // at this point, the user *should* be able to take the action
+
               // only question is what url to use
 
               // default to the non-owner url...
diff --git a/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts b/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts
index 0b3e1fecff..47c0941526 100644
--- a/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts
+++ b/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts
@@ -71,6 +71,14 @@ export const GroupMemberResponse = {
   }
 };
 
+export const GroupNonMemberResponse = {
+  id: "tb6",
+  title: "fake group",
+  userMembership: {
+    memberType: "none"
+  }
+};
+
 export const GroupAdminResponse = {
   id: "tb6",
   title: "fake group",
@@ -271,6 +279,46 @@ describe("shareItemWithGroup() ::", () => {
     });
   });
 
+  it("should fail unshare an item with a group by org administrator thats not a group member ", done => {
+    fetchMock.once(
+      "https://myorg.maps.arcgis.com/sharing/rest/community/users/jsmith?f=json&token=fake-token",
+      OrgAdminUserResponse
+    );
+
+    fetchMock.once("https://myorg.maps.arcgis.com/sharing/rest/search", {
+      total: 1,
+      results: [
+        {
+          id: "n3v"
+        }
+      ]
+    });
+
+    // called when we determine if the user is a member of the group
+    fetchMock.get(
+      "https://myorg.maps.arcgis.com/sharing/rest/community/groups/t6b?f=json&token=fake-token",
+      GroupNonMemberResponse
+    );
+    unshareItemWithGroup({
+      authentication: MOCK_USER_SESSION,
+      id: "n3v",
+      groupId: "t6b",
+      owner: "vader"
+    })
+      .then(_ => {
+        fail();
+      })
+      .catch(e => {
+        expect(fetchMock.done()).toBeTruthy(
+          "All fetchMocks should have been called"
+        );
+        expect(e.message).toBe(
+          "This item can not be unshared from group t6b by jsmith as they not the item owner, group admin or group owner."
+        );
+        done();
+      });
+  });
+
   it("should share an item with a group by group owner/admin", done => {
     fetchMock.once(
       "https://myorg.maps.arcgis.com/sharing/rest/community/users/jsmith?f=json&token=fake-token",