From 50c7fabeb6b6d6eefbbb6c990233a193f2f21dbc Mon Sep 17 00:00:00 2001
From: Harvey Kandola
Date: Wed, 18 Jul 2018 12:43:49 -0400
Subject: [PATCH] Protect document activity and revisions from external users
---
 gui/app/pods/document/index/controller.js | 1 +
 gui/app/services/session.js | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/gui/app/pods/document/index/controller.js b/gui/app/pods/document/index/controller.js
index d0d4b4a2..79b8953b 100644
--- a/gui/app/pods/document/index/controller.js
+++ b/gui/app/pods/document/index/controller.js
@@ -24,6 +24,7 @@ export default Controller.extend(Tooltips, Notifier, {
 tab: 'content',
 queryParams: ['currentPageId'],
 showRevisions: computed('permissions', 'document.protection', function() {
+ if (!this.get('session.viewUsers')) return false;
 if (this.get('document.protection') === this.get('constants').ProtectionType.None) return true;
 if (this.get('document.protection') === this.get('constants').ProtectionType.Review && this.get('permissions.documentApprove')) return true;
diff --git a/gui/app/services/session.js b/gui/app/services/session.js
index 0a212409..6e85ec83 100644
--- a/gui/app/services/session.js
+++ b/gui/app/services/session.js
@@ -79,6 +79,12 @@ export default SimpleAuthSession.extend({
 this.get('session.content.authenticated.user.viewUsers') === true;
 }),
+ viewUsers: computed('session.content.authenticated.user', function () {
+ return this.get('session.authenticator') !== 'authenticator:anonymous' &&
+ this.get('session.content.authenticated.user.id') !== '0' &&
+ this.get('session.content.authenticated.user.viewUsers') === true;
+ }),
+
 init() {
 this._super(...arguments);
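Review bot: The guard added at the top of `showRevisions` only hides the revisions UI in the Ember client, so on its own it does not keep revision or activity data from a user who lacks `viewUsers` if the backing API endpoints still answer for that user. The patch touches only `gui/` files, so the equivalent server-side authorization check should be confirmed or added. The property also reads `session.viewUsers` without listing it as a dependent key, so a cached result can outlive a session change; `showRevisions: computed('permissions', 'document.protection', 'session.viewUsers', function() {` would cover it. The body of `showRevisions` continues past the end of the hunk.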
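Review bot: The dependent key on the new `viewUsers` property, `'session.content.authenticated.user'`, does not cover everything the body reads: `session.authenticator` is missing, and a key on the `user` object presumably fires only when the object is replaced, not when its `id` or `viewUsers` field changes. Because `showRevisions` in the controller now uses this value as an access gate, a stale `true` after the session turns anonymous would leave the revisions UI visible; consider `viewUsers: computed('session.authenticator', 'session.content.authenticated.user.{id,viewUsers}', function () {`. The body also appears to end on the same line as the property defined just above, which starts outside the hunk, so a short comment such as `// true only for an authenticated, non-anonymous user whose account has the viewUsers permission` would make the intended difference explicit.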