yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Add groups and group permissions (#1204)

Browse Source 
* WIP - got one API test to pass yay

* adds group update endpoint

* added group policies

* adds groups.list API

* adds groups.info

* remove comment

* WIP

* tests for delete

* adds group membership list

* adds tests for groups list

* add and remove user endpoints for group

* ask some questions

* fix up some issues around primary keys

* remove export from group permissions

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* remove random file

* only create events on actual updates, add tests to ensure

* adds uniqueness validation to group name

* throw validation errors on model and let it pass through the controller

* fix linting

* WIP

* WIP

* WIP

* WIP

* WIP basic edit and delete

* basic CRUD for groups and memberships in place

* got member counts working

* add member count and limit the number of users sent over teh wire to 6

* factor avatar with AvatarWithPresence into its own class

* wip

* WIP avatars in group lists

* WIP collection groups

* add and remove group endpoints

* wip add collection groups

* wip get group adding to collections to work

* wip get updating collection group memberships to work

* wip get new group modal working

* add tests for collection index

* include collection groups in the withmemberships scope

* tie permissions to group memberships

* remove unused import

* Update app/components/GroupListItem.js

update title copy

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/migrations/20191211044318-create-groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/CollectionMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/models/Group.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* minor fixes

* Update app/scenes/CollectionMembers/AddGroupsToCollection.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/Collection.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/CollectionMembers/CollectionMembers.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/GroupNew.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/GroupNew.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/Settings/Groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/documents.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/CollectionMembers/components/CollectionGroupMemberListItem.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* address comments

* WIP - getting websocket stuff up and running

* socket event for group deletion

* wrapped up cascading deletes

* lint

* flow

* fix: UI feedback

* fix: Facepile size

* fix: Lots of missing await's

* Allow clicking facepile on group list item to open members

* remove unused route push, grammar

* fix: Remove bad analytics events
feat: Add group events to audit log

* collection. -> collections.

* Add groups to entity websocket events (sync create/update/delete) between clients

* fix: Users should not be able to see groups they are not a member of

* fix: Not caching errors in UI when changing group memberships

* fix: Hide unusable UI

* test

* fix: Tweak language

* feat: Automatically open 'add member' modal after creating group

Co-authored-by: Tom Moor <tom.moor@gmail.com>
This commit is contained in:
Nan Yu
2020-03-14 20:48:32 -07:00
committed by GitHub
parent 6c451a34d4
commit 142303b3de
81 changed files with 4259 additions and 257 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
server/api/__snapshots__/collections.test.js.snap
View File

@@ -1,5 +1,13 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#collections.add_group should require group in team 1`] = `
Object {
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
}
`;
exports[`#collections.add_user should require user in team 1`] = `
Object {
"error": "authorization_error",
@@ -44,6 +52,15 @@ Object {
}
`;
exports[`#collections.group_memberships should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#collections.info should require authentication 1`] = `
Object {
"error": "authentication_required",
@@ -71,6 +88,14 @@ Object {
}
`;
exports[`#collections.remove_group should require group in team 1`] = `
Object {
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
}
`;
exports[`#collections.remove_user should require user in team 1`] = `
Object {
"error": "authorization_error",

88
server/api/__snapshots__/groups.test.js.snap Normal file
View File

@@ -0,0 +1,88 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#groups.add_user should require admin 1`] = `
Object {
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#groups.add_user should require user in team 1`] = `
Object {
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
}
`;
exports[`#groups.delete should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.info should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.list should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.memberships should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.remove_user should require admin 1`] = `
Object {
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#groups.remove_user should require user in team 1`] = `
Object {
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
}
`;
exports[`#groups.update should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.update when user is admin fails with validation error when name already taken 1`] = `
Object {
"error": "",
"message": "The name of this group is already in use (isUniqueNameInTeam)",
"ok": false,
}
`;

164
server/api/collections.js
View File

@@ -9,8 +9,18 @@ import {
presentUser,
presentPolicies,
presentMembership,
presentGroup,
presentCollectionGroupMembership,
} from '../presenters';
import { Collection, CollectionUser, Team, Event, User } from '../models';
import {
Collection,
CollectionUser,
CollectionGroup,
Team,
Event,
User,
Group,
} from '../models';
import { ValidationError } from '../errors';
import { exportCollections } from '../logistics';
import { archiveCollection, archiveCollections } from '../utils/zip';
@@ -79,6 +89,148 @@ router.post('collections.info', auth(), async ctx => {
};
});
router.post('collections.add_group', auth(), async ctx => {
const { id, groupId, permission = 'read_write' } = ctx.body;
ctx.assertUuid(id, 'id is required');
ctx.assertUuid(groupId, 'groupId is required');
const collection = await Collection.scope({
method: ['withMembership', ctx.state.user.id],
}).findByPk(id);
authorize(ctx.state.user, 'update', collection);
const group = await Group.findByPk(groupId);
authorize(ctx.state.user, 'read', group);
let membership = await CollectionGroup.findOne({
where: {
collectionId: id,
groupId,
},
});
if (!membership) {
membership = await CollectionGroup.create({
collectionId: id,
groupId,
permission,
createdById: ctx.state.user.id,
});
} else if (permission) {
membership.permission = permission;
await membership.save();
}
await Event.create({
name: 'collections.add_group',
collectionId: collection.id,
teamId: collection.teamId,
actorId: ctx.state.user.id,
data: { name: group.name, groupId },
ip: ctx.request.ip,
});
ctx.body = {
data: {
collectionGroupMemberships: [
presentCollectionGroupMembership(membership),
],
},
};
});
router.post('collections.remove_group', auth(), async ctx => {
const { id, groupId } = ctx.body;
ctx.assertUuid(id, 'id is required');
ctx.assertUuid(groupId, 'groupId is required');
const collection = await Collection.scope({
method: ['withMembership', ctx.state.user.id],
}).findByPk(id);
authorize(ctx.state.user, 'update', collection);
const group = await Group.findByPk(groupId);
authorize(ctx.state.user, 'read', group);
await collection.removeGroup(group);
await Event.create({
name: 'collections.remove_group',
collectionId: collection.id,
teamId: collection.teamId,
actorId: ctx.state.user.id,
data: { name: group.name, groupId },
ip: ctx.request.ip,
});
ctx.body = {
success: true,
};
});
router.post(
'collections.group_memberships',
auth(),
pagination(),
async ctx => {
const { id, query, permission } = ctx.body;
ctx.assertUuid(id, 'id is required');
const user = ctx.state.user;
const collection = await Collection.scope({
method: ['withMembership', user.id],
}).findByPk(id);
authorize(user, 'read', collection);
let where = {
collectionId: id,
};
let groupWhere;
if (query) {
groupWhere = {
name: {
[Op.iLike]: `%${query}%`,
},
};
}
if (permission) {
where = {
...where,
permission,
};
}
const memberships = await CollectionGroup.findAll({
where,
order: [['createdAt', 'DESC']],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
include: [
{
model: Group,
as: 'group',
where: groupWhere,
required: true,
},
],
});
ctx.body = {
pagination: ctx.state.pagination,
data: {
collectionGroupMemberships: memberships.map(
presentCollectionGroupMembership
),
groups: memberships.map(membership => presentGroup(membership.group)),
},
};
}
);
router.post('collections.add_user', auth(), async ctx => {
const { id, userId, permission = 'read_write' } = ctx.body;
ctx.assertUuid(id, 'id is required');
@@ -302,9 +454,11 @@ router.post('collections.update', auth(), async ctx => {
}
const user = ctx.state.user;
const collection = await Collection.scope({
method: ['withMembership', user.id],
}).findByPk(id);
authorize(user, 'update', collection);
// we're making this collection private right now, ensure that the current
@@ -328,6 +482,7 @@ router.post('collections.update', auth(), async ctx => {
collection.description = description;
collection.color = color;
collection.private = isPrivate;
await collection.save();
await Event.create({
@@ -342,11 +497,7 @@ router.post('collections.update', auth(), async ctx => {
// must reload to update collection membership for correct policy calculation
// if the privacy level has changed. Otherwise skip this query for speed.
if (isPrivacyChanged) {
await collection.reload({
scope: {
method: ['withMembership', user.id],
},
});
await collection.reload();
}
ctx.body = {
@@ -385,6 +536,7 @@ router.post('collections.delete', auth(), async ctx => {
const collection = await Collection.scope({
method: ['withMembership', user.id],
}).findByPk(id);
authorize(user, 'delete', collection);
const total = await Collection.count();

407
server/api/collections.test.js
View File

@@ -2,8 +2,8 @@
import TestServer from 'fetch-test-server';
import app from '../app';
import { flushdb, seed } from '../test/support';
import { buildUser, buildCollection } from '../test/factories';
import { Collection, CollectionUser } from '../models';
import { buildUser, buildGroup, buildCollection } from '../test/factories';
import { Collection, CollectionUser, CollectionGroup } from '../models';
const server = new TestServer(app.callback());
beforeEach(flushdb);
@@ -32,7 +32,7 @@ describe('#collections.list', async () => {
expect(body.policies[0].abilities.read).toEqual(true);
});
it('should not return private collections not a member of', async () => {
it('should not return private collections actor is not a member of', async () => {
const { user, collection } = await seed();
await buildCollection({
private: true,
@@ -48,13 +48,50 @@ describe('#collections.list', async () => {
expect(body.data[0].id).toEqual(collection.id);
});
it('should return private collections member of', async () => {
const { user } = await seed();
it('should return private collections actor is a member of', async () => {
const user = await buildUser();
await buildCollection({
private: true,
teamId: user.teamId,
userId: user.id,
});
await buildCollection({
private: true,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post('/api/collections.list', {
body: { token: user.getJwtToken() },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(2);
expect(body.policies.length).toEqual(2);
expect(body.policies[0].abilities.read).toEqual(true);
});
it('should return private collections actor is a group-member of', async () => {
const user = await buildUser();
await buildCollection({
private: true,
teamId: user.teamId,
userId: user.id,
});
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
await collection.addGroup(group, {
through: { permission: 'read', createdById: user.id },
});
const res = await server.post('/api/collections.list', {
body: { token: user.getJwtToken() },
});
@@ -81,7 +118,7 @@ describe('#collections.export', async () => {
expect(res.status).toEqual(403);
});
it('should allow export of private collection', async () => {
it('should allow export of private collection when the actor is a member', async () => {
const { user, collection } = await seed();
collection.private = true;
await collection.save();
@@ -100,6 +137,27 @@ describe('#collections.export', async () => {
expect(res.status).toEqual(200);
});
it('should allow export of private collection when the actor is a group member', async () => {
const user = await buildUser();
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
await collection.addGroup(group, {
through: { permission: 'read', createdById: user.id },
});
const res = await server.post('/api/collections.export', {
body: { token: user.getJwtToken(), id: collection.id },
});
expect(res.status).toEqual(200);
});
it('should require authentication', async () => {
const res = await server.post('/api/collections.export');
const body = await res.json();
@@ -221,6 +279,145 @@ describe('#collections.add_user', async () => {
});
});
describe('#collections.add_group', async () => {
it('should add group to collection', async () => {
const user = await buildUser({ isAdmin: true });
const collection = await buildCollection({
teamId: user.teamId,
userId: user.id,
private: true,
});
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/collections.add_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
const groups = await collection.getGroups();
expect(groups.length).toEqual(1);
expect(res.status).toEqual(200);
});
it('should require group in team', async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
userId: user.id,
private: true,
});
const group = await buildGroup();
const res = await server.post('/api/collections.add_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it('should require authentication', async () => {
const res = await server.post('/api/collections.add_group');
expect(res.status).toEqual(401);
});
it('should require authorization', async () => {
const collection = await buildCollection();
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/collections.add_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe('#collections.remove_group', async () => {
it('should remove group from collection', async () => {
const user = await buildUser({ isAdmin: true });
const collection = await buildCollection({
teamId: user.teamId,
userId: user.id,
private: true,
});
const group = await buildGroup({ teamId: user.teamId });
await server.post('/api/collections.add_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
let users = await collection.getGroups();
expect(users.length).toEqual(1);
const res = await server.post('/api/collections.remove_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
users = await collection.getGroups();
expect(res.status).toEqual(200);
expect(users.length).toEqual(0);
});
it('should require group in team', async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
private: true,
});
const group = await buildGroup();
const res = await server.post('/api/collections.remove_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it('should require authentication', async () => {
const res = await server.post('/api/collections.remove_group');
expect(res.status).toEqual(401);
});
it('should require authorization', async () => {
const { collection } = await seed();
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/collections.remove_group', {
body: {
token: user.getJwtToken(),
id: collection.id,
groupId: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe('#collections.remove_user', async () => {
it('should remove user from collection', async () => {
const user = await buildUser();
@@ -334,6 +531,155 @@ describe('#collections.users', async () => {
});
});
describe('#collections.group_memberships', async () => {
it('should return groups in private collection', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
await CollectionUser.create({
createdById: user.id,
collectionId: collection.id,
userId: user.id,
permission: 'read_write',
});
await CollectionGroup.create({
createdById: user.id,
collectionId: collection.id,
groupId: group.id,
permission: 'read_write',
});
const res = await server.post('/api/collections.group_memberships', {
body: { token: user.getJwtToken(), id: collection.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
expect(body.data.collectionGroupMemberships.length).toEqual(1);
expect(body.data.collectionGroupMemberships[0].permission).toEqual(
'read_write'
);
});
it('should allow filtering groups in collection by name', async () => {
const user = await buildUser();
const group = await buildGroup({ name: 'will find', teamId: user.teamId });
const group2 = await buildGroup({ name: 'wont find', teamId: user.teamId });
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
await CollectionUser.create({
createdById: user.id,
collectionId: collection.id,
userId: user.id,
permission: 'read_write',
});
await CollectionGroup.create({
createdById: user.id,
collectionId: collection.id,
groupId: group.id,
permission: 'read_write',
});
await CollectionGroup.create({
createdById: user.id,
collectionId: collection.id,
groupId: group2.id,
permission: 'read_write',
});
const res = await server.post('/api/collections.group_memberships', {
body: {
token: user.getJwtToken(),
id: collection.id,
query: 'will',
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
});
it('should allow filtering groups in collection by permission', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const group2 = await buildGroup({ teamId: user.teamId });
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
await CollectionUser.create({
createdById: user.id,
collectionId: collection.id,
userId: user.id,
permission: 'read_write',
});
await CollectionGroup.create({
createdById: user.id,
collectionId: collection.id,
groupId: group.id,
permission: 'read_write',
});
await CollectionGroup.create({
createdById: user.id,
collectionId: collection.id,
groupId: group2.id,
permission: 'maintainer',
});
const res = await server.post('/api/collections.group_memberships', {
body: {
token: user.getJwtToken(),
id: collection.id,
permission: 'maintainer',
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group2.id);
});
it('should require authentication', async () => {
const res = await server.post('/api/collections.group_memberships');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require authorization', async () => {
const user = await buildUser();
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
const res = await server.post('/api/collections.group_memberships', {
body: { token: user.getJwtToken(), id: collection.id },
});
expect(res.status).toEqual(403);
});
});
describe('#collections.memberships', async () => {
it('should return members in private collection', async () => {
const { collection, user } = await seed();
@@ -641,6 +987,29 @@ describe('#collections.update', async () => {
expect(body.policies.length).toBe(1);
});
it('allows editing by read-write collection group user', async () => {
const user = await buildUser();
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
await collection.addGroup(group, {
through: { permission: 'read_write', createdById: user.id },
});
const res = await server.post('/api/collections.update', {
body: { token: user.getJwtToken(), id: collection.id, name: 'Test' },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe('Test');
expect(body.policies.length).toBe(1);
});
it('does not allow editing by read-only collection user', async () => {
const { user, collection } = await seed();
collection.private = true;
@@ -704,4 +1073,30 @@ describe('#collections.delete', async () => {
expect(res.status).toEqual(200);
expect(body.success).toBe(true);
});
it('allows deleting by read-write collection group user', async () => {
const user = await buildUser();
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
await buildCollection({
teamId: user.teamId,
});
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
await collection.addGroup(group, {
through: { permission: 'read_write', createdById: user.id },
});
const res = await server.post('/api/collections.delete', {
body: { token: user.getJwtToken(), id: collection.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toBe(true);
});
});

1
server/api/documents.js
View File

@@ -121,6 +121,7 @@ router.post('documents.pinned', auth(), pagination(), async ctx => {
const collection = await Collection.scope({
method: ['withMembership', user.id],
}).findByPk(collectionId);
authorize(user, 'read', collection);
const starredScope = { method: ['withStarred', user.id] };

18
server/api/documents.test.js
View File

@@ -47,9 +47,12 @@ describe('#documents.info', async () => {
});
it('should not return published document in collection not a member of', async () => {
const { user, document, collection } = await seed();
collection.private = true;
await collection.save();
const user = await buildUser();
const collection = await buildCollection({
private: true,
teamId: user.teamId,
});
const document = await buildDocument({ collectionId: collection.id });
const res = await server.post('/api/documents.info', {
body: { token: user.getJwtToken(), id: document.id },
@@ -381,13 +384,16 @@ describe('#documents.pinned', async () => {
});
it('should not return pinned documents in private collections not a member of', async () => {
const { user, collection } = await seed();
collection.private = true;
await collection.save();
const collection = await buildCollection({
private: true,
});
const user = await buildUser({ teamId: collection.teamId });
const res = await server.post('/api/documents.pinned', {
body: { token: user.getJwtToken(), collectionId: collection.id },
});
expect(res.status).toEqual(403);
});

291
server/api/groups.js Normal file
View File

@@ -0,0 +1,291 @@
// @flow
import Router from 'koa-router';
import auth from '../middlewares/authentication';
import pagination from './middlewares/pagination';
import { Op } from '../sequelize';
import { MAX_AVATAR_DISPLAY } from '../../shared/constants';
import {
presentGroup,
presentPolicies,
presentUser,
presentGroupMembership,
} from '../presenters';
import { User, Event, Group, GroupUser } from '../models';
import policy from '../policies';
const { authorize } = policy;
const router = new Router();
router.post('groups.list', auth(), pagination(), async ctx => {
const user = ctx.state.user;
let groups = await Group.findAll({
where: {
teamId: user.teamId,
},
order: [['updatedAt', 'DESC']],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
});
if (!user.isAdmin) {
groups = groups.filter(
group => group.groupMemberships.filter(gm => gm.userId === user.id).length
);
}
ctx.body = {
pagination: ctx.state.pagination,
data: {
groups: groups.map(presentGroup),
groupMemberships: groups
.map(g => g.groupMemberships.slice(0, MAX_AVATAR_DISPLAY))
.flat()
.map(presentGroupMembership),
},
policies: presentPolicies(user, groups),
};
});
router.post('groups.info', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertUuid(id, 'id is required');
const user = ctx.state.user;
const group = await Group.findByPk(id);
authorize(user, 'read', group);
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
});
router.post('groups.create', auth(), async ctx => {
const { name } = ctx.body;
ctx.assertPresent(name, 'name is required');
const user = ctx.state.user;
authorize(user, 'create', Group);
let group = await Group.create({
name,
teamId: user.teamId,
createdById: user.id,
});
// reload to get default scope
group = await Group.findByPk(group.id);
await Event.create({
name: 'groups.create',
actorId: user.id,
teamId: user.teamId,
modelId: group.id,
data: { name: group.name },
ip: ctx.request.ip,
});
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
});
router.post('groups.update', auth(), async ctx => {
const { id, name } = ctx.body;
ctx.assertPresent(name, 'name is required');
ctx.assertUuid(id, 'id is required');
const user = ctx.state.user;
const group = await Group.findByPk(id);
authorize(user, 'update', group);
group.name = name;
if (group.changed()) {
await group.save();
await Event.create({
name: 'groups.update',
teamId: user.teamId,
actorId: user.id,
modelId: group.id,
data: { name },
ip: ctx.request.ip,
});
}
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
});
router.post('groups.delete', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertUuid(id, 'id is required');
const { user } = ctx.state;
const group = await Group.findByPk(id);
authorize(user, 'delete', group);
await group.destroy();
await Event.create({
name: 'groups.delete',
actorId: user.id,
modelId: group.id,
teamId: group.teamId,
data: { name: group.name },
ip: ctx.request.ip,
});
ctx.body = {
success: true,
};
});
router.post('groups.memberships', auth(), pagination(), async ctx => {
const { id, query, permission } = ctx.body;
ctx.assertUuid(id, 'id is required');
const user = ctx.state.user;
const group = await Group.findByPk(id);
authorize(user, 'read', group);
let where = {
groupId: id,
};
let userWhere;
if (query) {
userWhere = {
name: {
[Op.iLike]: `%${query}%`,
},
};
}
if (permission) {
where = {
...where,
permission,
};
}
const memberships = await GroupUser.findAll({
where,
order: [['createdAt', 'DESC']],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
include: [
{
model: User,
as: 'user',
where: userWhere,
required: true,
},
],
});
ctx.body = {
pagination: ctx.state.pagination,
data: {
groupMemberships: memberships.map(presentGroupMembership),
users: memberships.map(membership => presentUser(membership.user)),
},
};
});
router.post('groups.add_user', auth(), async ctx => {
const { id, userId } = ctx.body;
ctx.assertUuid(id, 'id is required');
ctx.assertUuid(userId, 'userId is required');
const user = await User.findByPk(userId);
authorize(ctx.state.user, 'read', user);
let group = await Group.findByPk(id);
authorize(ctx.state.user, 'update', group);
let membership = await GroupUser.findOne({
where: {
groupId: id,
userId,
},
});
if (!membership) {
await group.addUser(user, {
through: { createdById: ctx.state.user.id },
});
// reload to get default scope
membership = await GroupUser.findOne({
where: {
groupId: id,
userId,
},
});
// reload to get default scope
group = await Group.findByPk(id);
await Event.create({
name: 'groups.add_user',
userId,
teamId: user.teamId,
modelId: group.id,
actorId: ctx.state.user.id,
data: { name: user.name },
ip: ctx.request.ip,
});
}
ctx.body = {
data: {
users: [presentUser(user)],
groupMemberships: [presentGroupMembership(membership)],
groups: [presentGroup(group)],
},
};
});
router.post('groups.remove_user', auth(), async ctx => {
const { id, userId } = ctx.body;
ctx.assertUuid(id, 'id is required');
ctx.assertUuid(userId, 'userId is required');
let group = await Group.findByPk(id);
authorize(ctx.state.user, 'update', group);
const user = await User.findByPk(userId);
authorize(ctx.state.user, 'read', user);
await group.removeUser(user);
await Event.create({
name: 'groups.remove_user',
userId,
modelId: group.id,
teamId: user.teamId,
actorId: ctx.state.user.id,
data: { name: user.name },
ip: ctx.request.ip,
});
// reload to get default scope
group = await Group.findByPk(id);
ctx.body = {
data: {
groups: [presentGroup(group)],
},
};
});
export default router;

460
server/api/groups.test.js Normal file
View File

@@ -0,0 +1,460 @@
/* eslint-disable flowtype/require-valid-file-annotation */
import TestServer from 'fetch-test-server';
import app from '../app';
import { flushdb } from '../test/support';
import { buildUser, buildGroup } from '../test/factories';
import { Event } from '../models';
const server = new TestServer(app.callback());
beforeEach(flushdb);
afterAll(server.close);
describe('#groups.create', async () => {
it('should create a group', async () => {
const name = 'hello I am a group';
const user = await buildUser({ isAdmin: true });
const res = await server.post('/api/groups.create', {
body: { token: user.getJwtToken(), name },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toEqual(name);
});
});
describe('#groups.update', async () => {
it('should require authentication', async () => {
const group = await buildGroup();
const res = await server.post('/api/groups.update', {
body: { id: group.id, name: 'Test' },
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require admin', async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post('/api/groups.update', {
body: { token: user.getJwtToken(), id: group.id, name: 'Test' },
});
expect(res.status).toEqual(403);
});
it('should require authorization', async () => {
const group = await buildGroup();
const user = await buildUser({ isAdmin: true });
const res = await server.post('/api/groups.update', {
body: { token: user.getJwtToken(), id: group.id, name: 'Test' },
});
expect(res.status).toEqual(403);
});
describe('when user is admin', async () => {
let user, group;
beforeEach(async () => {
user = await buildUser({ isAdmin: true });
group = await buildGroup({ teamId: user.teamId });
});
it('allows admin to edit a group', async () => {
const res = await server.post('/api/groups.update', {
body: { token: user.getJwtToken(), id: group.id, name: 'Test' },
});
const events = await Event.findAll();
expect(events.length).toEqual(1);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe('Test');
});
it('does not create an event if the update is a noop', async () => {
const res = await server.post('/api/groups.update', {
body: { token: user.getJwtToken(), id: group.id, name: group.name },
});
const events = await Event.findAll();
expect(events.length).toEqual(0);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe(group.name);
});
it('fails with validation error when name already taken', async () => {
await buildGroup({
teamId: user.teamId,
name: 'test',
});
const res = await server.post('/api/groups.update', {
body: {
token: user.getJwtToken(),
id: group.id,
name: 'TEST',
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body).toMatchSnapshot();
});
});
});
describe('#groups.list', async () => {
it('should require authentication', async () => {
const res = await server.post('/api/groups.list');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should return groups with memberships preloaded', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
const res = await server.post('/api/groups.list', {
body: { token: user.getJwtToken() },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data['groups'].length).toEqual(1);
expect(body.data['groups'][0].id).toEqual(group.id);
expect(body.data['groupMemberships'].length).toEqual(1);
expect(body.data['groupMemberships'][0].groupId).toEqual(group.id);
expect(body.data['groupMemberships'][0].user.id).toEqual(user.id);
expect(body.policies.length).toEqual(1);
expect(body.policies[0].abilities.read).toEqual(true);
});
});
describe('#groups.info', async () => {
it('should return group if admin', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/groups.info', {
body: { token: user.getJwtToken(), id: group.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it('should return group if member', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
const res = await server.post('/api/groups.info', {
body: { token: user.getJwtToken(), id: group.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it('should not return group if non-member, non-admin', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/groups.info', {
body: { token: user.getJwtToken(), id: group.id },
});
expect(res.status).toEqual(403);
});
it('should require authentication', async () => {
const res = await server.post('/api/groups.info');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require authorization', async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post('/api/groups.info', {
body: { token: user.getJwtToken(), id: group.id },
});
expect(res.status).toEqual(403);
});
});
describe('#groups.delete', async () => {
it('should require authentication', async () => {
const group = await buildGroup();
const res = await server.post('/api/groups.delete', {
body: { id: group.id },
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require admin', async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post('/api/groups.delete', {
body: { token: user.getJwtToken(), id: group.id },
});
expect(res.status).toEqual(403);
});
it('should require authorization', async () => {
const group = await buildGroup();
const user = await buildUser({ isAdmin: true });
const res = await server.post('/api/groups.delete', {
body: { token: user.getJwtToken(), id: group.id },
});
expect(res.status).toEqual(403);
});
it('allows admin to delete a group', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({ teamId: user.teamId });
const res = await server.post('/api/groups.delete', {
body: { token: user.getJwtToken(), id: group.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toEqual(true);
});
});
describe('#groups.memberships', async () => {
it('should return members in a group', async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
const res = await server.post('/api/groups.memberships', {
body: { token: user.getJwtToken(), id: group.id },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
expect(body.data.groupMemberships.length).toEqual(1);
expect(body.data.groupMemberships[0].user.id).toEqual(user.id);
});
it('should allow filtering members in group by name', async () => {
const user = await buildUser();
const user2 = await buildUser({ name: "Won't find" });
const group = await buildGroup({ teamId: user.teamId });
await group.addUser(user, { through: { createdById: user.id } });
await group.addUser(user2, { through: { createdById: user.id } });
const res = await server.post('/api/groups.memberships', {
body: {
token: user.getJwtToken(),
id: group.id,
query: user.name.slice(0, 3),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
});
it('should require authentication', async () => {
const res = await server.post('/api/groups.memberships');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require authorization', async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post('/api/groups.memberships', {
body: { token: user.getJwtToken(), id: group.id },
});
expect(res.status).toEqual(403);
});
});
describe('#groups.add_user', async () => {
it('should add user to group', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post('/api/groups.add_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users = await group.getUsers();
expect(res.status).toEqual(200);
expect(users.length).toEqual(1);
});
it('should require authentication', async () => {
const res = await server.post('/api/groups.add_user');
expect(res.status).toEqual(401);
});
it('should require user in team', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post('/api/groups.add_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it('should require admin', async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({ teamId: user.teamId });
const res = await server.post('/api/groups.add_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe('#groups.remove_user', async () => {
it('should remove user from group', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({
teamId: user.teamId,
});
await server.post('/api/groups.add_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users = await group.getUsers();
expect(users.length).toEqual(1);
const res = await server.post('/api/groups.remove_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users1 = await group.getUsers();
expect(res.status).toEqual(200);
expect(users1.length).toEqual(0);
});
it('should require authentication', async () => {
const res = await server.post('/api/groups.remove_user');
expect(res.status).toEqual(401);
});
it('should require user in team', async () => {
const user = await buildUser({ isAdmin: true });
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post('/api/groups.remove_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it('should require admin', async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post('/api/groups.remove_user', {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});

3
server/api/index.js
View File

@@ -12,6 +12,7 @@ import views from './views';
import hooks from './hooks';
import apiKeys from './apiKeys';
import shares from './shares';
import groups from './groups';
import team from './team';
import integrations from './integrations';
import notificationSettings from './notificationSettings';
@@ -51,6 +52,8 @@ router.use('/', integrations.routes());
router.use('/', notificationSettings.routes());
router.use('/', attachments.routes());
router.use('/', utils.routes());
router.use('/', groups.routes());
router.post('*', ctx => {
ctx.throw(new NotFoundError('Endpoint not found'));
});

20
server/api/users.js
View File

@@ -9,7 +9,6 @@ import {
publicS3Endpoint,
makeCredential,
} from '../utils/s3';
import { ValidationError } from '../errors';
import { Attachment, Event, User, Team } from '../models';
import auth from '../middlewares/authentication';
import pagination from './middlewares/pagination';
@@ -177,11 +176,7 @@ router.post('users.demote', auth(), async ctx => {
authorize(ctx.state.user, 'demote', user);
const team = await Team.findByPk(teamId);
try {
await team.removeAdmin(user);
} catch (err) {
throw new ValidationError(err.message);
}
await team.removeAdmin(user);
await Event.create({
name: 'users.demote',
@@ -207,11 +202,7 @@ router.post('users.suspend', auth(), async ctx => {
authorize(ctx.state.user, 'suspend', user);
const team = await Team.findByPk(teamId);
try {
await team.suspendUser(user, admin);
} catch (err) {
throw new ValidationError(err.message);
}
await team.suspendUser(user, admin);
await Event.create({
name: 'users.suspend',
@@ -278,12 +269,7 @@ router.post('users.delete', auth(), async ctx => {
if (id) user = await User.findByPk(id);
authorize(ctx.state.user, 'delete', user);
try {
await user.destroy();
} catch (err) {
throw new ValidationError(err.message);
}
await user.destroy();
await Event.create({
name: 'users.delete',
actorId: user.id,