Individual document sharing with permissions (#5814)

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tom Moor <tom@getoutline.com>
2024-01-31 07:18:22 +05:30
parent 717c9b5d64
commit 1490c3a14b
91 changed files with 4004 additions and 1166 deletions
--- a/server/routes/api/attachments/attachments.test.ts
+++ b/server/routes/api/attachments/attachments.test.ts
@@ -1,5 +1,5 @@
 import { AttachmentPreset, CollectionPermission } from "@shared/types";
-import { UserPermission } from "@server/models";
+import { UserMembership } from "@server/models";
 import Attachment from "@server/models/Attachment";
 import {
  buildUser,
@@ -123,7 +123,7 @@ describe("#attachments.create", () => {
        collectionId: collection.id,
      });

-      await UserPermission.create({
+      await UserMembership.create({
        createdById: user.id,
        collectionId: collection.id,
        userId: user.id,
--- a/server/routes/api/collections/collections.test.ts
+++ b/server/routes/api/collections/collections.test.ts
@@ -1,6 +1,6 @@
 import { CollectionPermission } from "@shared/types";
 import { colorPalette } from "@shared/utils/collections";
-import { Document, UserPermission, GroupPermission } from "@server/models";
+import { Document, UserMembership, GroupPermission } from "@server/models";
 import {
  buildUser,
  buildAdmin,
@@ -310,7 +310,7 @@ describe("#collections.export", () => {
    const collection = await buildCollection({ teamId: team.id });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: admin.id,
      collectionId: collection.id,
      userId: admin.id,
@@ -772,7 +772,7 @@ describe("#collections.group_memberships", () => {
      permission: null,
      teamId: user.teamId,
    });
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -816,7 +816,7 @@ describe("#collections.group_memberships", () => {
      permission: null,
      teamId: user.teamId,
    });
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -859,7 +859,7 @@ describe("#collections.group_memberships", () => {
      permission: null,
      teamId: user.teamId,
    });
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -952,7 +952,7 @@ describe("#collections.memberships", () => {
    const user2 = await buildUser({
      name: "Won't find",
    });
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user2.id,
      collectionId: collection.id,
      userId: user2.id,
@@ -979,13 +979,13 @@ describe("#collections.memberships", () => {
      teamId: team.id,
    });
    const user2 = await buildUser();
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
      permission: CollectionPermission.ReadWrite,
    });
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user2.id,
      collectionId: collection.id,
      userId: user2.id,
@@ -1052,7 +1052,7 @@ describe("#collections.info", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        collectionId: collection.id,
        userId: user.id,
@@ -1076,7 +1076,7 @@ describe("#collections.info", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      collectionId: collection.id,
      userId: user.id,
      createdById: user.id,
@@ -1368,7 +1368,7 @@ describe("#collections.update", () => {
    const collection = await buildCollection({ teamId: team.id });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      collectionId: collection.id,
      userId: admin.id,
      createdById: admin.id,
@@ -1397,7 +1397,7 @@ describe("#collections.update", () => {
    const collection = await buildCollection({ teamId: team.id });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      collectionId: collection.id,
      userId: admin.id,
      createdById: admin.id,
@@ -1458,7 +1458,7 @@ describe("#collections.update", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.update(
+    await UserMembership.update(
      {
        createdById: user.id,
        permission: CollectionPermission.Read,
--- a/server/routes/api/collections/collections.ts
+++ b/server/routes/api/collections/collections.ts
@@ -16,7 +16,7 @@ import { transaction } from "@server/middlewares/transaction";
 import validate from "@server/middlewares/validate";
 import {
  Collection,
-  UserPermission,
+  UserMembership,
  GroupPermission,
  Team,
  Event,
@@ -397,7 +397,7 @@ router.post(
    const user = await User.findByPk(userId);
    authorize(actor, "read", user);

-    let membership = await UserPermission.findOne({
+    let membership = await UserMembership.findOne({
      where: {
        collectionId: id,
        userId,
@@ -407,7 +407,7 @@ router.post(
    });

    if (!membership) {
-      membership = await UserPermission.create(
+      membership = await UserMembership.create(
        {
          collectionId: id,
          userId,
@@ -514,7 +514,7 @@ router.post(
    }).findByPk(id);
    authorize(user, "read", collection);

-    let where: WhereOptions<UserPermission> = {
+    let where: WhereOptions<UserMembership> = {
      collectionId: id,
    };
    let userWhere;
@@ -544,8 +544,8 @@ router.post(
    };

    const [total, memberships] = await Promise.all([
-      UserPermission.count(options),
-      UserPermission.findAll({
+      UserMembership.count(options),
+      UserMembership.findAll({
        ...options,
        order: [["createdAt", "DESC"]],
        offset: ctx.state.pagination.offset,
@@ -656,7 +656,7 @@ router.post(
      permission !== CollectionPermission.ReadWrite &&
      collection.permission === CollectionPermission.ReadWrite
    ) {
-      await UserPermission.findOrCreate({
+      await UserMembership.findOrCreate({
        where: {
          collectionId: collection.id,
          userId: user.id,
--- a/server/routes/api/documents/documents.test.ts
+++ b/server/routes/api/documents/documents.test.ts
@@ -1,12 +1,12 @@
 import { faker } from "@faker-js/faker";
 import { addMinutes, subDays } from "date-fns";
-import { CollectionPermission } from "@shared/types";
+import { CollectionPermission, DocumentPermission } from "@shared/types";
 import {
  Document,
  View,
  Revision,
  Backlink,
-  UserPermission,
+  UserMembership,
  SearchQuery,
  Event,
  User,
@@ -28,6 +28,10 @@ import { getTestServer } from "@server/test/support";

 const server = getTestServer();

+beforeEach(async () => {
+  await buildDocument();
+});
+
 describe("#documents.info", () => {
  it("should fail if both id and shareId are absent", async () => {
    const res = await server.post("/api/documents.info", {
@@ -907,7 +911,7 @@ describe("#documents.list", () => {
      collectionId: collection.id,
    });

-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.Read,
@@ -1068,6 +1072,85 @@ describe("#documents.drafts", () => {
 });

 describe("#documents.search_titles", () => {
+  it("should include individually shared drafts with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create a draft in collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    document.publishedAt = null;
+    await document.save();
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search_titles", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+        includeDrafts: true,
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
+  it("should include individually shared docs with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create document in that private collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search_titles", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
  it("should fail without query", async () => {
    const user = await buildUser();
    const res = await server.post("/api/documents.search_titles", {
@@ -1615,7 +1698,7 @@ describe("#documents.search", () => {
      permission: null,
    });

-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -1745,6 +1828,85 @@ describe("#documents.search", () => {
    expect(searchQuery[0].results).toBe(0);
    expect(searchQuery[0].source).toBe("app");
  });
+
+  it("should include individually shared docs with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create document in that private collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].document.id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
+  it("should include individually shared drafts with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create a draft in collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    document.publishedAt = null;
+    await document.save();
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+        includeDrafts: true,
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].document.id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
 });

 describe("#documents.templatize", () => {
@@ -1990,7 +2152,7 @@ describe("#documents.viewed", () => {
      documentId: document.id,
      userId: user.id,
    });
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        userId: user.id,
        collectionId: collection.id,
@@ -2889,6 +3051,7 @@ describe("#documents.update", () => {
    const user = await buildUser({ teamId: team.id });
    const document = await buildDraftDocument({
      teamId: team.id,
+      userId: user.id,
      collectionId: null,
    });

@@ -2920,6 +3083,7 @@ describe("#documents.update", () => {
      title: "title",
      text: "text",
      teamId: team.id,
+      userId: user.id,
      collectionId: null,
    });
    const res = await server.post("/api/documents.update", {
@@ -3012,6 +3176,7 @@ describe("#documents.update", () => {
    });
    const template = await buildDocument({
      teamId: user.teamId,
+      userId: user.id,
      collectionId: collection.id,
      template: true,
      publishedAt: null,
@@ -3045,7 +3210,7 @@ describe("#documents.update", () => {
      userId: user.id,
      teamId: user.teamId,
    });
-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.ReadWrite,
@@ -3152,7 +3317,7 @@ describe("#documents.update", () => {
      teamId: team.id,
    });

-    await UserPermission.update(
+    await UserMembership.update(
      {
        createdById: user.id,
        permission: CollectionPermission.ReadWrite,
@@ -3190,7 +3355,7 @@ describe("#documents.update", () => {
      collectionId: collection.id,
      teamId: team.id,
    });
-    await UserPermission.update(
+    await UserMembership.update(
      {
        createdById: user.id,
        permission: CollectionPermission.Read,
@@ -3226,7 +3391,7 @@ describe("#documents.update", () => {
    });
    collection.permission = CollectionPermission.Read;
    await collection.save();
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        userId: user.id,
        collectionId: collection.id,
@@ -3455,6 +3620,7 @@ describe("#documents.delete", () => {
    const user = await buildUser();
    const document = await buildDraftDocument({
      teamId: user.teamId,
+      userId: user.id,
      deletedAt: null,
    });
    const res = await server.post("/api/documents.delete", {
@@ -3811,19 +3977,19 @@ describe("#documents.users", () => {

    // add people and groups to collection
    await Promise.all([
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: alan.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: bret.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: ken.id,
        permission: CollectionPermission.Read,
@@ -3901,19 +4067,19 @@ describe("#documents.users", () => {

    // add people to collection
    await Promise.all([
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: alan.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: bret.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: ken.id,
        permission: CollectionPermission.Read,
@@ -3942,3 +4108,256 @@ describe("#documents.users", () => {
    expect(memberIds).toContain(ken.id);
  });
 });
+
+describe("#documents.add_user", () => {
+  it("should require id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id: Required");
+  });
+
+  it("should require authentication", async () => {
+    const document = await buildDocument();
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        id: document.id,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should fail with status 400 bad request if user attempts to invite themself", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: user.id,
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("You cannot invite yourself");
+  });
+
+  it("should succeed with status 200 ok", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({ teamId: user.teamId });
+
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data).not.toBeFalsy();
+    expect(body.data.users).not.toBeFalsy();
+    expect(body.data.users).toHaveLength(1);
+    expect(body.data.users[0].id).toEqual(member.id);
+    expect(body.data.memberships).not.toBeFalsy();
+    expect(body.data.memberships[0].userId).toEqual(member.id);
+    expect(body.data.memberships[0].documentId).toEqual(document.id);
+    expect(body.data.memberships[0].permission).toEqual(
+      DocumentPermission.ReadWrite
+    );
+  });
+});
+
+describe("#documents.remove_user", () => {
+  it("should require id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id: Required");
+  });
+
+  it("should require authentication", async () => {
+    const document = await buildDocument();
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        id: document.id,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should require authorization", async () => {
+    const document = await buildDocument();
+    const user = await buildUser();
+    const anotherUser = await buildUser({
+      teamId: user.teamId,
+    });
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: anotherUser.id,
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
+  it("should remove user from document", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    let users = await document.$get("users");
+    expect(users.length).toEqual(1);
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    users = await document.$get("users");
+    expect(res.status).toEqual(200);
+    expect(users.length).toEqual(0);
+  });
+});
+
+describe("#documents.memberships", () => {
+  let actor: User, document: Document;
+  beforeEach(async () => {
+    actor = await buildUser();
+    const collection = await buildCollection({
+      teamId: actor.teamId,
+      createdById: actor.id,
+      permission: null,
+    });
+    document = await buildDocument({
+      collectionId: collection.id,
+      createdById: actor.id,
+      teamId: actor.teamId,
+    });
+  });
+
+  it("should return members in document", async () => {
+    const members = await Promise.all([
+      buildUser({ teamId: actor.teamId }),
+      buildUser({ teamId: actor.teamId }),
+    ]);
+    await Promise.all([
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[0].id,
+        },
+      }),
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[1].id,
+        },
+      }),
+    ]);
+    const res = await server.post("/api/documents.memberships", {
+      body: {
+        token: actor.getJwtToken(),
+        id: document.id,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(2);
+    expect(body.data.users.map((u: User) => u.id).includes(members[0].id)).toBe(
+      true
+    );
+    expect(body.data.users.map((u: User) => u.id).includes(members[1].id)).toBe(
+      true
+    );
+  });
+
+  it("should allow filtering members in document by permission", async () => {
+    const members = await Promise.all([
+      buildUser({ teamId: actor.teamId }),
+      buildUser({ teamId: actor.teamId }),
+    ]);
+    await Promise.all([
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[0].id,
+          permission: DocumentPermission.ReadWrite,
+        },
+      }),
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[1].id,
+          permission: DocumentPermission.Read,
+        },
+      }),
+    ]);
+    const res = await server.post("/api/documents.memberships", {
+      body: {
+        token: actor.getJwtToken(),
+        id: document.id,
+        permission: DocumentPermission.Read,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(1);
+    expect(body.data.users[0].id).toEqual(members[1].id);
+  });
+});
--- a/server/routes/api/documents/documents.ts
+++ b/server/routes/api/documents/documents.ts
@@ -1,11 +1,12 @@
 import path from "path";
+import fractionalIndex from "fractional-index";
 import fs from "fs-extra";
 import invariant from "invariant";
 import JSZip from "jszip";
 import Router from "koa-router";
 import escapeRegExp from "lodash/escapeRegExp";
 import mime from "mime-types";
-import { Op, ScopeOptions, WhereOptions } from "sequelize";
+import { Op, ScopeOptions, Sequelize, WhereOptions } from "sequelize";
 import { TeamPreference } from "@shared/types";
 import { subtractDate } from "@shared/utils/date";
 import slugify from "@shared/utils/slugify";
@@ -40,6 +41,7 @@ import {
  SearchQuery,
  User,
  View,
+  UserMembership,
 } from "@server/models";
 import DocumentHelper from "@server/models/helpers/DocumentHelper";
 import SearchHelper from "@server/models/helpers/SearchHelper";
@@ -48,6 +50,7 @@ import {
  presentCollection,
  presentDocument,
  presentPolicies,
+  presentMembership,
  presentPublicTeam,
  presentUser,
 } from "@server/presenters";
@@ -121,6 +124,17 @@ router.post(
    }

    if (parentDocumentId) {
+      const membership = await UserMembership.findOne({
+        where: {
+          userId: user.id,
+          documentId: parentDocumentId,
+        },
+      });
+
+      if (membership) {
+        delete where.collectionId;
+      }
+
      where = { ...where, parentDocumentId };
    }

@@ -302,7 +316,10 @@ router.post(
      order: [[sort, direction]],
      include: [
        {
-          model: Document,
+          model: Document.scope([
+            "withDrafts",
+            { method: ["withMembership", userId] },
+          ]),
          required: true,
          where: {
            collectionId: collectionIds,
@@ -375,13 +392,7 @@ router.post(
      delete where.updatedAt;
    }

-    const collectionScope: Readonly<ScopeOptions> = {
-      method: ["withCollectionPermissions", user.id],
-    };
-    const documents = await Document.scope([
-      "defaultScope",
-      collectionScope,
-    ]).findAll({
+    const documents = await Document.defaultScopeWithUser(user.id).findAll({
      where,
      order: [[sort, direction]],
      offset: ctx.state.pagination.offset,
@@ -979,6 +990,7 @@ router.post(
    }

    if (publish) {
+      authorize(user, "publish", document);
      if (!document.collectionId) {
        assertPresent(
          collectionId,
@@ -1415,11 +1427,8 @@ router.post(
    let parentDocument;

    if (parentDocumentId) {
-      parentDocument = await Document.findOne({
-        where: {
-          id: parentDocumentId,
-          collectionId: collection?.id,
-        },
+      parentDocument = await Document.findByPk(parentDocumentId, {
+        userId: user.id,
      });
      authorize(user, "read", parentDocument, {
        collection,
@@ -1462,4 +1471,220 @@ router.post(
  }
 );

+router.post(
+  "documents.add_user",
+  auth(),
+  validate(T.DocumentsAddUserSchema),
+  transaction(),
+  async (ctx: APIContext<T.DocumentsAddUserReq>) => {
+    const { auth, transaction } = ctx.state;
+    const actor = auth.user;
+    const { id, userId, permission } = ctx.input.body;
+
+    if (userId === actor.id) {
+      throw ValidationError("You cannot invite yourself");
+    }
+
+    const [document, user] = await Promise.all([
+      Document.findByPk(id, {
+        userId: actor.id,
+        rejectOnEmpty: true,
+        transaction,
+      }),
+      User.findByPk(userId, {
+        rejectOnEmpty: true,
+        transaction,
+      }),
+    ]);
+
+    authorize(actor, "read", user);
+    authorize(actor, "manageUsers", document);
+
+    const UserMemberships = await UserMembership.findAll({
+      where: {
+        userId,
+      },
+      attributes: ["id", "index", "updatedAt"],
+      limit: 1,
+      order: [
+        // using LC_COLLATE:"C" because we need byte order to drive the sorting
+        // find only the first star so we can create an index before it
+        Sequelize.literal('"user_permission"."index" collate "C"'),
+        ["updatedAt", "DESC"],
+      ],
+      transaction,
+    });
+
+    // create membership at the beginning of their "Shared with me" section
+    const index = fractionalIndex(
+      null,
+      UserMemberships.length ? UserMemberships[0].index : null
+    );
+
+    const [membership] = await UserMembership.findOrCreate({
+      where: {
+        documentId: id,
+        userId,
+      },
+      defaults: {
+        index,
+        permission: permission || user.defaultDocumentPermission,
+        createdById: actor.id,
+      },
+      transaction,
+      lock: transaction.LOCK.UPDATE,
+    });
+
+    if (permission) {
+      membership.permission = permission;
+
+      // disconnect from the source if the permission is manually updated
+      membership.sourceId = null;
+
+      await membership.save({ transaction });
+    }
+
+    await Event.create(
+      {
+        name: "documents.add_user",
+        userId,
+        modelId: membership.id,
+        documentId: document.id,
+        teamId: document.teamId,
+        actorId: actor.id,
+        ip: ctx.request.ip,
+      },
+      {
+        transaction,
+      }
+    );
+
+    ctx.body = {
+      data: {
+        users: [presentUser(user)],
+        memberships: [presentMembership(membership)],
+      },
+    };
+  }
+);
+
+router.post(
+  "documents.remove_user",
+  auth(),
+  validate(T.DocumentsRemoveUserSchema),
+  transaction(),
+  async (ctx: APIContext<T.DocumentsRemoveUserReq>) => {
+    const { auth, transaction } = ctx.state;
+    const actor = auth.user;
+    const { id, userId } = ctx.input.body;
+
+    const [document, user] = await Promise.all([
+      Document.findByPk(id, {
+        userId: actor.id,
+        rejectOnEmpty: true,
+        transaction,
+      }),
+      User.findByPk(userId, {
+        rejectOnEmpty: true,
+        transaction,
+      }),
+    ]);
+
+    if (actor.id !== userId) {
+      authorize(actor, "manageUsers", document);
+      authorize(actor, "read", user);
+    }
+
+    const membership = await UserMembership.findOne({
+      where: {
+        documentId: id,
+        userId,
+      },
+      transaction,
+      lock: transaction.LOCK.UPDATE,
+      rejectOnEmpty: true,
+    });
+
+    await membership.destroy({ transaction });
+
+    await Event.create(
+      {
+        name: "documents.remove_user",
+        userId,
+        modelId: membership.id,
+        documentId: document.id,
+        teamId: document.teamId,
+        actorId: actor.id,
+        ip: ctx.request.ip,
+      },
+      { transaction }
+    );
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+router.post(
+  "documents.memberships",
+  auth(),
+  pagination(),
+  validate(T.DocumentsMembershipsSchema),
+  async (ctx: APIContext<T.DocumentsMembershipsReq>) => {
+    const { id, query, permission } = ctx.input.body;
+    const { user: actor } = ctx.state.auth;
+
+    const document = await Document.findByPk(id, { userId: actor.id });
+    authorize(actor, "update", document);
+
+    let where: WhereOptions<UserMembership> = {
+      documentId: id,
+    };
+    let userWhere;
+
+    if (query) {
+      userWhere = {
+        name: {
+          [Op.iLike]: `%${query}%`,
+        },
+      };
+    }
+
+    if (permission) {
+      where = { ...where, permission };
+    }
+
+    const options = {
+      where,
+      include: [
+        {
+          model: User,
+          as: "user",
+          where: userWhere,
+          required: true,
+        },
+      ],
+    };
+
+    const [total, memberships] = await Promise.all([
+      UserMembership.count(options),
+      UserMembership.findAll({
+        ...options,
+        order: [["createdAt", "DESC"]],
+        offset: ctx.state.pagination.offset,
+        limit: ctx.state.pagination.limit,
+      }),
+    ]);
+
+    ctx.body = {
+      pagination: { ...ctx.state.pagination, total },
+      data: {
+        memberships: memberships.map(presentMembership),
+        users: memberships.map((membership) => presentUser(membership.user)),
+      },
+    };
+  }
+);
+
 export default router;
--- a/server/routes/api/documents/schema.ts
+++ b/server/routes/api/documents/schema.ts
@@ -3,6 +3,7 @@ import formidable from "formidable";
 import isEmpty from "lodash/isEmpty";
 import isUUID from "validator/lib/isUUID";
 import { z } from "zod";
+import { DocumentPermission } from "@shared/types";
 import { SHARE_URL_SLUG_REGEX } from "@shared/utils/urlHelpers";
 import { BaseSchema } from "@server/routes/api/schema";

@@ -353,3 +354,47 @@ export const DocumentsUsersSchema = BaseSchema.extend({
 });

 export type DocumentsUsersReq = z.infer<typeof DocumentsUsersSchema>;
+
+export const DocumentsAddUserSchema = BaseSchema.extend({
+  body: z.object({
+    /** Id of the document to which the user is supposed to be added */
+    id: z.string().uuid(),
+    /** Id of the user who is to be added*/
+    userId: z.string().uuid(),
+    /** Permission to be granted to the added user  */
+    permission: z.nativeEnum(DocumentPermission).optional(),
+  }),
+});
+
+export type DocumentsAddUserReq = z.infer<typeof DocumentsAddUserSchema>;
+
+export const DocumentsRemoveUserSchema = BaseSchema.extend({
+  body: z.object({
+    /** Id of the document from which to remove the user */
+    id: z.string().uuid(),
+    /** Id of the user who is to be removed */
+    userId: z.string().uuid(),
+  }),
+});
+
+export type DocumentsRemoveUserReq = z.infer<typeof DocumentsRemoveUserSchema>;
+
+export const DocumentsSharedWithUserSchema = BaseSchema.extend({
+  body: DocumentsSortParamsSchema,
+});
+
+export type DocumentsSharedWithUserReq = z.infer<
+  typeof DocumentsSharedWithUserSchema
+>;
+
+export const DocumentsMembershipsSchema = BaseSchema.extend({
+  body: z.object({
+    id: z.string().uuid(),
+    query: z.string().optional(),
+    permission: z.nativeEnum(DocumentPermission).optional(),
+  }),
+});
+
+export type DocumentsMembershipsReq = z.infer<
+  typeof DocumentsMembershipsSchema
+>;
--- a/server/routes/api/index.ts
+++ b/server/routes/api/index.ts
@@ -34,6 +34,7 @@ import stars from "./stars";
 import subscriptions from "./subscriptions";
 import teams from "./teams";
 import urls from "./urls";
+import userMemberships from "./userMemberships";
 import users from "./users";
 import views from "./views";

@@ -97,6 +98,7 @@ router.use("/", cron.routes());
 router.use("/", groups.routes());
 router.use("/", fileOperationsRoute.routes());
 router.use("/", urls.routes());
+router.use("/", userMemberships.routes());

 if (env.isDevelopment) {
  router.use("/", developer.routes());
--- a/server/routes/api/revisions/revisions.test.ts
+++ b/server/routes/api/revisions/revisions.test.ts
@@ -1,4 +1,4 @@
-import { UserPermission, Revision } from "@server/models";
+import { UserMembership, Revision } from "@server/models";
 import {
  buildCollection,
  buildDocument,
@@ -175,7 +175,7 @@ describe("#revisions.list", () => {
    await Revision.createFromDocument(document);
    collection.permission = null;
    await collection.save();
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        userId: user.id,
        collectionId: collection.id,
--- a/server/routes/api/shares/shares.test.ts
+++ b/server/routes/api/shares/shares.test.ts
@@ -1,5 +1,5 @@
 import { CollectionPermission } from "@shared/types";
-import { UserPermission, Share } from "@server/models";
+import { UserMembership, Share } from "@server/models";
 import {
  buildUser,
  buildDocument,
@@ -263,7 +263,7 @@ describe("#shares.create", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.Read,
@@ -299,7 +299,7 @@ describe("#shares.create", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.Read,
--- a/server/routes/api/shares/shares.ts
+++ b/server/routes/api/shares/shares.ts
@@ -243,12 +243,8 @@ router.post(

    if (published !== undefined) {
      share.published = published;
-
-      // Reset nested document sharing when unpublishing a share link. So that
-      // If it's ever re-published this doesn't immediately share nested docs
-      // without forewarning the user
-      if (!published) {
-        share.includeChildDocuments = false;
+      if (published) {
+        share.includeChildDocuments = true;
      }
    }

--- a/server/routes/api/userMemberships/index.ts
+++ b/server/routes/api/userMemberships/index.ts
@@ -0,0 +1 @@
+export { default } from "./userMemberships";
--- a/server/routes/api/userMemberships/schema.ts
+++ b/server/routes/api/userMemberships/schema.ts
@@ -0,0 +1,20 @@
+import { z } from "zod";
+import { BaseSchema } from "@server/routes/api/schema";
+import { ValidateIndex } from "@server/validation";
+
+export const UserMembershipsListSchema = BaseSchema;
+
+export type UserMembershipsListReq = z.infer<typeof UserMembershipsListSchema>;
+
+export const UserMembershipsUpdateSchema = BaseSchema.extend({
+  body: z.object({
+    id: z.string().uuid(),
+    index: z.string().regex(ValidateIndex.regex, {
+      message: ValidateIndex.message,
+    }),
+  }),
+});
+
+export type UserMembershipsUpdateReq = z.infer<
+  typeof UserMembershipsUpdateSchema
+>;
--- a/server/routes/api/userMemberships/userMemberships.test.ts
+++ b/server/routes/api/userMemberships/userMemberships.test.ts
@@ -0,0 +1,110 @@
+import {
+  buildCollection,
+  buildDocument,
+  buildUser,
+} from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("#userMemberships.list", () => {
+  it("should require authentication", async () => {
+    const res = await server.post("/api/userMemberships.list", {
+      body: {},
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should return the list of docs shared with user", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const users = await document.$get("users");
+    expect(users.length).toEqual(1);
+    const res = await server.post("/api/userMemberships.list", {
+      body: {
+        token: member.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data).not.toBeFalsy();
+    expect(body.data.documents).not.toBeFalsy();
+    expect(body.data.documents).toHaveLength(1);
+    expect(body.data.memberships).not.toBeFalsy();
+    expect(body.data.memberships).toHaveLength(1);
+    const sharedDoc = body.data.documents[0];
+    expect(sharedDoc.id).toEqual(document.id);
+    expect(sharedDoc.id).toEqual(body.data.memberships[0].documentId);
+    expect(body.data.memberships[0].userId).toEqual(member.id);
+    expect(body.data.memberships[0].index).not.toBeFalsy();
+    expect(body.policies).not.toBeFalsy();
+    expect(body.policies).toHaveLength(2);
+    expect(body.policies[1].abilities).not.toBeFalsy();
+    expect(body.policies[1].abilities.update).toEqual(true);
+  });
+});
+
+describe("#userMemberships.update", () => {
+  it("should update the index", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    const resp = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const respBody = await resp.json();
+    expect(respBody.data).not.toBeFalsy();
+    expect(respBody.data.memberships).not.toBeFalsy();
+    expect(respBody.data.memberships).toHaveLength(1);
+
+    const users = await document.$get("users");
+    expect(users.length).toEqual(1);
+    const res = await server.post("/api/userMemberships.update", {
+      body: {
+        token: member.getJwtToken(),
+        id: respBody.data.memberships[0].id,
+        index: "V",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data).not.toBeFalsy();
+    expect(body.data.documentId).toEqual(document.id);
+    expect(body.data.userId).toEqual(member.id);
+    expect(body.data.index).toEqual("V");
+  });
+});
--- a/server/routes/api/userMemberships/userMemberships.ts
+++ b/server/routes/api/userMemberships/userMemberships.ts
@@ -0,0 +1,116 @@
+import Router from "koa-router";
+
+import { Op, Sequelize } from "sequelize";
+import auth from "@server/middlewares/authentication";
+import { transaction } from "@server/middlewares/transaction";
+import validate from "@server/middlewares/validate";
+import { Document, Event, UserMembership } from "@server/models";
+import { authorize } from "@server/policies";
+import {
+  presentDocument,
+  presentMembership,
+  presentPolicies,
+} from "@server/presenters";
+import { APIContext } from "@server/types";
+import pagination from "../middlewares/pagination";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post(
+  "userMemberships.list",
+  auth(),
+  pagination(),
+  validate(T.UserMembershipsListSchema),
+  async (ctx: APIContext<T.UserMembershipsListReq>) => {
+    const { user } = ctx.state.auth;
+
+    const memberships = await UserMembership.findAll({
+      where: {
+        userId: user.id,
+        documentId: {
+          [Op.ne]: null,
+        },
+        sourceId: {
+          [Op.eq]: null,
+        },
+      },
+      order: [
+        Sequelize.literal('"user_permission"."index" collate "C"'),
+        ["updatedAt", "DESC"],
+      ],
+      offset: ctx.state.pagination.offset,
+      limit: ctx.state.pagination.limit,
+    });
+
+    const documentIds = memberships
+      .map((p) => p.documentId)
+      .filter(Boolean) as string[];
+    const documents = await Document.scope([
+      "withDrafts",
+      { method: ["withMembership", user.id] },
+      { method: ["withCollectionPermissions", user.id] },
+    ]).findAll({
+      where: {
+        id: documentIds,
+      },
+    });
+
+    const policies = presentPolicies(user, [...documents, ...memberships]);
+
+    ctx.body = {
+      pagination: ctx.state.pagination,
+      data: {
+        memberships: memberships.map(presentMembership),
+        documents: await Promise.all(
+          documents.map((document: Document) => presentDocument(document))
+        ),
+      },
+      policies,
+    };
+  }
+);
+
+router.post(
+  "userMemberships.update",
+  auth(),
+  validate(T.UserMembershipsUpdateSchema),
+  transaction(),
+  async (ctx: APIContext<T.UserMembershipsUpdateReq>) => {
+    const { id, index } = ctx.input.body;
+    const { transaction } = ctx.state;
+
+    const { user } = ctx.state.auth;
+    const membership = await UserMembership.findByPk(id, {
+      transaction,
+      rejectOnEmpty: true,
+    });
+    authorize(user, "update", membership);
+
+    membership.index = index;
+    await membership.save({ transaction });
+
+    await Event.create(
+      {
+        name: "userMemberships.update",
+        modelId: membership.id,
+        userId: membership.userId,
+        teamId: user.teamId,
+        actorId: user.id,
+        documentId: membership.documentId,
+        ip: ctx.request.ip,
+        data: {
+          index: membership.index,
+        },
+      },
+      { transaction }
+    );
+
+    ctx.body = {
+      data: presentMembership(membership),
+      policies: presentPolicies(user, [membership]),
+    };
+  }
+);
+
+export default router;
--- a/server/routes/api/views/views.test.ts
+++ b/server/routes/api/views/views.test.ts
@@ -1,5 +1,5 @@
 import { CollectionPermission } from "@shared/types";
-import { View, UserPermission } from "@server/models";
+import { View, UserMembership } from "@server/models";
 import {
  buildAdmin,
  buildCollection,
@@ -71,7 +71,7 @@ describe("#views.list", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -150,7 +150,7 @@ describe("#views.create", () => {
    });
    collection.permission = null;
    await collection.save();
-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
				`@@ -0,0 +1 @@`
				`export { default } from "./userMemberships";`