From bb3a8525db3764e99b3fd6d62606d7f9ab7d2113 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?= <git@roschaefer.de>
Date: Fri, 5 Apr 2019 02:23:27 +0200
Subject: [PATCH] Only admins are allowed to query all notifications

---
 backend/src/middleware/permissionsMiddleware.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 736ce20a9..495bc9145 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -44,6 +44,7 @@ const isAuthor = rule({ cache: 'no_cache' })(async (parent, args, { user, driver
 // Permissions
 const permissions = shield({
   Query: {
+    Notification: isAdmin,
     statistics: allow,
     currentUser: allow,
     Post: or(onlyEnabledContent, isModerator)