Exclude draft versions from non-lifecycle users

Only show draft documents to those with lifecycle permissions.

Closes #242

build.sh

@@ -49,10 +49,10 @@ for arch in amd64 ; do
     for os in darwin linux windows ; do
         if [ "$os" == "windows" ] ; then
             echo "Compiling documize-community-$os-$arch.exe"
-            env GOOS=$os GOARCH=$arch GODEBUG=tls13=1 go build -ldflags="-s -w" -gcflags="all=-trimpath=$GOPATH" -o bin/documize-community-$os-$arch.exe ./edition/community.go
+            env GOOS=$os GOARCH=$arch GODEBUG=tls13=1 go build -gcflags="all=-trimpath=$GOPATH" -o bin/documize-community-$os-$arch.exe ./edition/community.go
         else
             echo "Compiling documize-community-$os-$arch"
-            env GOOS=$os GOARCH=$arch GODEBUG=tls13=1 go build -ldflags="-s -w" -gcflags="all=-trimpath=$GOPATH" -o bin/documize-community-$os-$arch ./edition/community.go
+            env GOOS=$os GOARCH=$arch GODEBUG=tls13=1 go build -gcflags="all=-trimpath=$GOPATH" -o bin/documize-community-$os-$arch ./edition/community.go
         fi
     done
 done

domain/document/endpoint.go

@@ -586,6 +586,12 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Check if draft document can been seen by user.
+	if document.Lifecycle == workflow.LifecycleDraft && !permission.CanViewDrafts(ctx, *h.Store, document.SpaceID) {
+		response.WriteForbiddenError(w)
+		return
+	}
+
 	// permissions
 	perms, err := h.Store.Permission.GetUserSpacePermissions(ctx, document.SpaceID)
 	if err != nil && err != sql.ErrNoRows {
@@ -633,14 +639,26 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
 
 	// Get version information for this document.
 	v := []doc.Version{}
-
 	if len(document.GroupID) > 0 {
-		v, err = h.Store.Document.GetVersions(ctx, document.GroupID)
+		// Get versions.
-		if err != nil && err != sql.ErrNoRows {
+		vt, err := h.Store.Document.GetVersions(ctx, document.GroupID)
+		if err != nil {
 			response.WriteServerError(w, method, err)
 			h.Runtime.Log.Error(method, err)
 			return
 		}
+		// What about draft document versions?
+		if record.DocumentLifecycle {
+			// We can see and manage document lifecycle so take all versions.
+			v = vt
+		} else {
+			// Only send back LIVE content because user cannot drafts.
+			for i := range vt {
+				if vt[i].Lifecycle == workflow.LifecycleLive {
+					v = append(v, vt[i])
+				}
+			}
+		}
 	}
 
 	// Prepare response.

domain/document/store.go

@@ -316,7 +316,7 @@ func (s Store) GetVersions(ctx domain.RequestContext, groupID string) (v []doc.V
 	v = []doc.Version{}
 
 	err = s.Runtime.Db.Select(&v, s.Bind(`
-        SELECT c_versionid AS versionid, c_refid As documentid
+        SELECT c_versionid AS versionid, c_refid As documentid, c_lifecycle AS lifecycle
 		FROM dmz_doc
 		WHERE c_orgid=? AND c_groupid=?
         ORDER BY c_versionorder`),

model/doc/doc.go

@@ -107,6 +107,7 @@ type SitemapDocument struct {
 
 // Version points to a version of a document.
 type Version struct {
-	VersionID  string `json:"versionId"`
+	VersionID  string             `json:"versionId"`
-	DocumentID string `json:"documentId"`
+	DocumentID string             `json:"documentId"`
+	Lifecycle  workflow.Lifecycle `json:"lifecycle"`
 }