fix(noteController): should check permission when user view note

Signed-off-by: BoHong Li <raccoon@hackmd.io>

Author: a60814billy

lib/note/index.js

@@ -77,13 +77,27 @@ async function showNote (req, res) {
   return responseCodiMD(res, note)
 }
 
+function canViewNote (note, isLogin, userId) {
+  if (note.permission === 'private') {
+    return note.ownerId === userId
+  }
+  if (note.permission === 'limited' || note.permission === 'protected') {
+    return isLogin
+  }
+  return true
+}
+
 async function showPublishNote (req, res) {
   const shortid = req.params.shortid
 
   const note = await getNoteById(shortid, {
     includeUser: true
   })
 
+  if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
+    return errorForbidden(req)
+  }
+
   if (!note) {
     return errorNotFound(res)
   }
@@ -130,10 +144,15 @@ async function noteActions (req, res) {
   const noteId = req.params.noteId
 
   const note = await getNoteById(noteId)
+
   if (!note) {
     return errorNotFound(res)
   }
 
+  if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
+    return errorForbidden(req)
+  }
+
   const action = req.params.action
   switch (action) {
     case 'publish':