Improve user membership policy check (#11687)

server/policies/userMembership.ts

@@ -1,11 +1,10 @@
 import { User, UserMembership } from "@server/models";
 import { allow } from "./cancan";
-import { isOwner, or } from "./utils";
+import { and, isOwner, isTeamModel, or } from "./utils";
 
 allow(User, ["update", "delete"], UserMembership, (actor, membership) =>
-  or(
-    //
-    isOwner(actor, membership),
-    actor.isAdmin
+  and(
+    isTeamModel(actor, membership?.user),
+    or(isOwner(actor, membership), actor.isAdmin)
   )
 );

server/routes/api/userMemberships/userMemberships.ts

@@ -24,7 +24,7 @@ router.post(
   async (ctx: APIContext<T.UserMembershipsListReq>) => {
     const { user } = ctx.state.auth;
 
-    const memberships = await UserMembership.findAll({
+    const memberships = await UserMembership.scope("withUser").findAll({
       where: {
         userId: user.id,
         documentId: {
@@ -72,9 +72,12 @@ router.post(
     const { transaction } = ctx.state;
 
     const { user } = ctx.state.auth;
-    const membership = await UserMembership.findByPk(id, {
+    const membership = await UserMembership.scope("withUser").findByPk(id, {
       transaction,
-      lock: transaction.LOCK.UPDATE,
+      lock: {
+        level: transaction.LOCK.UPDATE,
+        of: UserMembership,
+      },
       rejectOnEmpty: true,
     });
     authorize(user, "update", membership);

shared/i18n/locales/en_US/translation.json

@@ -89,6 +89,8 @@
   "Search in document": "Search in document",
   "Print": "Print",
   "Print document": "Print document",
+  "Present": "Present",
+  "Present document": "Present document",
   "Templatize": "Templatize",
   "Create template": "Create template",
   "Open random document": "Open random document",
@@ -836,6 +838,9 @@
   "This document will be permanently deleted in <2></2> unless restored.": "This document will be permanently deleted in <2></2> unless restored.",
   "Deleted by {{userName}}": "Deleted by {{userName}}",
   "Observing {{ userName }}": "Observing {{ userName }}",
+  "Previous slide": "Previous slide",
+  "Next slide": "Next slide",
+  "Toggle fullscreen": "Toggle fullscreen",
   "Backlinks": "Backlinks",
   "This document is large which may affect performance": "This document is large which may affect performance",
   "Are you sure about that? Deleting the <em>{{ documentTitle }}</em> document will delete all of its history</em>.": "Are you sure about that? Deleting the <em>{{ documentTitle }}</em> document will delete all of its history</em>.",