From 3d3c4cbfb51649e4d46466a0b8e1446c6a202d82 Mon Sep 17 00:00:00 2001
From: Spencer Norman
Date: Thu, 1 Nov 2018 17:53:41 -0600
Subject: [PATCH] fix: dashboard routes available for unauthed users

Dashboard routes would be rendered for unauthenticated users who directly enter a url. This commit fixes that issue.
---
 .../core/core/server/publications/collections/packages.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/imports/plugins/core/core/server/publications/collections/packages.js b/imports/plugins/core/core/server/publications/collections/packages.js
index 5238bfa0252..8dce34fe023 100644
--- a/imports/plugins/core/core/server/publications/collections/packages.js
+++ b/imports/plugins/core/core/server/publications/collections/packages.js
@@ -35,6 +35,11 @@ function transform(doc, userId) {
 registry.permissions = [...permissions];
 if (registry.route) {
 registry.permissions.push(registry.name || `${doc.name}/${registry.template}`);
+
+ // Delete the route if the user doesn't have the correct permissions
+ if (Roles.userIsInRole(userId, registry.permissions, doc.shopId) === false) {
+ delete registry.route;
+ }
 }
 
 // We no longer use a settingsKey for "enabled" for some registry types.
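Review bot: The new guard in `transform` compares with `=== false`, so if `Roles.userIsInRole` ever returned a falsy non-boolean (for example `undefined` for a missing `userId`), the route would stay in the published document. An authorization check should fail closed: `if (!Roles.userIsInRole(userId, registry.permissions, doc.shopId)) {`. Only `registry.route` is deleted, so the rest of the registry entry, including the permissions array built just above, is still published to users who fail the check; confirm that is intended. Removing the route hides the dashboard view, but the methods and publications behind those routes presumably need their own permission checks, which this hunk does not show. The body of `transform` starts and ends outside the hunk.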