feat: Add groups and group permissions (#1204)

* WIP - got one API test to pass yay

* adds group update endpoint

* added group policies

* adds groups.list API

* adds groups.info

* remove comment

* WIP

* tests for delete

* adds group membership list

* adds tests for groups list

* add and remove user endpoints for group

* ask some questions

* fix up some issues around primary keys

* remove export from group permissions

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* remove random file

* only create events on actual updates, add tests to ensure

* adds uniqueness validation to group name

* throw validation errors on model and let it pass through the controller

* fix linting

* WIP

* WIP

* WIP

* WIP

* WIP basic edit and delete

* basic CRUD for groups and memberships in place

* got member counts working

* add member count and limit the number of users sent over teh wire to 6

* factor avatar with AvatarWithPresence into its own class

* wip

* WIP avatars in group lists

* WIP collection groups

* add and remove group endpoints

* wip add collection groups

* wip get group adding to collections to work

* wip get updating collection group memberships to work

* wip get new group modal working

* add tests for collection index

* include collection groups in the withmemberships scope

* tie permissions to group memberships

* remove unused import

* Update app/components/GroupListItem.js

update title copy

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/migrations/20191211044318-create-groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/CollectionMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/models/Group.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* minor fixes

* Update app/scenes/CollectionMembers/AddGroupsToCollection.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/menus/GroupMenu.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/Collection.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/CollectionMembers/CollectionMembers.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/GroupNew.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/GroupNew.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/Settings/Groups.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update server/api/documents.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* Update app/scenes/CollectionMembers/components/CollectionGroupMemberListItem.js

Co-Authored-By: Tom Moor <tom.moor@gmail.com>

* address comments

* WIP - getting websocket stuff up and running

* socket event for group deletion

* wrapped up cascading deletes

* lint

* flow

* fix: UI feedback

* fix: Facepile size

* fix: Lots of missing await's

* Allow clicking facepile on group list item to open members

* remove unused route push, grammar

* fix: Remove bad analytics events
feat: Add group events to audit log

* collection. -> collections.

* Add groups to entity websocket events (sync create/update/delete) between clients

* fix: Users should not be able to see groups they are not a member of

* fix: Not caching errors in UI when changing group memberships

* fix: Hide unusable UI

* test

* fix: Tweak language

* feat: Automatically open 'add member' modal after creating group

Co-authored-by: Tom Moor <tom.moor@gmail.com>

server/policies/collection.js

@@ -1,6 +1,7 @@
 // @flow
 import invariant from 'invariant';
 import policy from './policy';
+import { concat, some } from 'lodash';
 import { Collection, User } from '../models';
 import { AdminRequiredError } from '../errors';
 
@@ -11,11 +12,20 @@ allow(User, 'create', Collection);
 allow(User, ['read', 'export'], Collection, (user, collection) => {
   if (!collection || user.teamId !== collection.teamId) return false;
 
-  if (
-    collection.private &&
-    (!collection.memberships || !collection.memberships.length)
-  ) {
-    return false;
+  if (collection.private) {
+    invariant(
+      collection.memberships,
+      'membership should be preloaded, did you forget withMembership scope?'
+    );
+
+    const allMemberships = concat(
+      collection.memberships,
+      collection.collectionGroupMemberships
+    );
+
+    return some(allMemberships, m =>
+      ['read', 'read_write', 'maintainer'].includes(m.permission)
+    );
   }
 
   return true;
@@ -29,10 +39,14 @@ allow(User, ['publish', 'update'], Collection, (user, collection) => {
       collection.memberships,
       'membership should be preloaded, did you forget withMembership scope?'
     );
-    if (!collection.memberships.length) return false;
 
-    return ['read_write', 'maintainer'].includes(
-      collection.memberships[0].permission
+    const allMemberships = concat(
+      collection.memberships,
+      collection.collectionGroupMemberships
+    );
+
+    return some(allMemberships, m =>
+      ['read_write', 'maintainer'].includes(m.permission)
     );
   }
 
@@ -47,15 +61,14 @@ allow(User, 'delete', Collection, (user, collection) => {
       collection.memberships,
       'membership should be preloaded, did you forget withMembership scope?'
     );
-    if (!collection.memberships.length) return false;
+    const allMemberships = concat(
+      collection.memberships,
+      collection.collectionGroupMemberships
+    );
 
-    if (
-      !['read_write', 'maintainer'].includes(
-        collection.memberships[0].permission
-      )
-    ) {
-      return false;
-    }
+    return some(allMemberships, m =>
+      ['read_write', 'maintainer'].includes(m.permission)
+    );
   }
 
   if (user.isAdmin) return true;

server/policies/group.js

@@ -0,0 +1,26 @@
+// @flow
+import policy from './policy';
+import { Group, User } from '../models';
+import { AdminRequiredError } from '../errors';
+
+const { allow } = policy;
+
+allow(User, ['create'], Group, actor => {
+  if (actor.isAdmin) return true;
+  throw new AdminRequiredError();
+});
+
+allow(User, ['update', 'delete'], Group, (actor, group) => {
+  if (!group || actor.teamId !== group.teamId) return false;
+  if (actor.isAdmin) return true;
+  throw new AdminRequiredError();
+});
+
+allow(User, ['read'], Group, (actor, group) => {
+  if (!group || actor.teamId !== group.teamId) return false;
+  if (actor.isAdmin) return true;
+  if (group.groupMemberships.filter(gm => gm.userId === actor.id).length) {
+    return true;
+  }
+  return false;
+});

server/policies/index.js

@@ -1,5 +1,5 @@
 // @flow
-import { Team, User, Collection, Document } from '../models';
+import { Team, User, Collection, Document, Group } from '../models';
 import policy from './policy';
 import './apiKey';
 import './collection';
@@ -9,6 +9,7 @@ import './notificationSetting';
 import './share';
 import './user';
 import './team';
+import './group';
 
 const { can, abilities } = policy;
 
@@ -17,13 +18,13 @@ type Policy = {
 };
 
 /*
-* Given a user and a model – output an object which describes the actions the 
+* Given a user and a model – output an object which describes the actions the
 * user may take against the model. This serialized policy is used for testing
 * and sent in API responses to allow clients to adjust which UI is displayed.
 */
 export function serialize(
   model: User,
-  target: Team | Collection | Document
+  target: Team | Collection | Document | Group
 ): Policy {
   let output = {};
 

server/policies/team.js

@@ -22,6 +22,12 @@ allow(User, 'invite', Team, user => {
   return false;
 });
 
+// ??? policy for creating new groups, I don't know how to do this other than on the team level
+allow(User, 'group', Team, user => {
+  if (user.isAdmin) return true;
+  throw new AdminRequiredError();
+});
+
 allow(User, ['update', 'export'], Team, (user, team) => {
   if (!team || user.teamId !== team.id) return false;
   if (user.isAdmin) return true;