yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Individual document sharing with permissions (#5814)

Browse Source 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
This commit is contained in:
Apoorv Mishra
2024-01-31 07:18:22 +05:30
committed by GitHub
parent 717c9b5d64
commit 1490c3a14b
91 changed files with 4004 additions and 1166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

449
server/routes/api/documents/documents.test.ts
View File

@@ -1,12 +1,12 @@
import { faker } from "@faker-js/faker";
import { addMinutes, subDays } from "date-fns";
import { CollectionPermission } from "@shared/types";
import { CollectionPermission, DocumentPermission } from "@shared/types";
import {
Document,
View,
Revision,
Backlink,
UserPermission,
UserMembership,
SearchQuery,
Event,
User,
@@ -28,6 +28,10 @@ import { getTestServer } from "@server/test/support";
const server = getTestServer();
beforeEach(async () => {
await buildDocument();
});
describe("#documents.info", () => {
it("should fail if both id and shareId are absent", async () => {
const res = await server.post("/api/documents.info", {
@@ -907,7 +911,7 @@ describe("#documents.list", () => {
collectionId: collection.id,
});
await UserPermission.update(
await UserMembership.update(
{
userId: user.id,
permission: CollectionPermission.Read,
@@ -1068,6 +1072,85 @@ describe("#documents.drafts", () => {
});
describe("#documents.search_titles", () => {
it("should include individually shared drafts with a user in search results", async () => {
const user = await buildUser();
// create a private collection
const collection = await buildCollection({
createdById: user.id,
teamId: user.teamId,
permission: null,
});
// create a draft in collection
const document = await buildDocument({
collectionId: collection.id,
teamId: user.teamId,
createdById: user.id,
title: "Some title",
});
document.publishedAt = null;
await document.save();
const member = await buildUser({
teamId: user.teamId,
});
// add member to the document
await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
const res = await server.post("/api/documents.search_titles", {
body: {
token: member.getJwtToken(),
query: "title",
includeDrafts: true,
},
});
const body = await res.json();
expect(body.data).toHaveLength(1);
expect(body.data[0].id).toEqual(document.id);
expect(res.status).toEqual(200);
});
it("should include individually shared docs with a user in search results", async () => {
const user = await buildUser();
// create a private collection
const collection = await buildCollection({
createdById: user.id,
teamId: user.teamId,
permission: null,
});
// create document in that private collection
const document = await buildDocument({
collectionId: collection.id,
teamId: user.teamId,
createdById: user.id,
title: "Some title",
});
const member = await buildUser({
teamId: user.teamId,
});
// add member to the document
await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
const res = await server.post("/api/documents.search_titles", {
body: {
token: member.getJwtToken(),
query: "title",
},
});
const body = await res.json();
expect(body.data).toHaveLength(1);
expect(body.data[0].id).toEqual(document.id);
expect(res.status).toEqual(200);
});
it("should fail without query", async () => {
const user = await buildUser();
const res = await server.post("/api/documents.search_titles", {
@@ -1615,7 +1698,7 @@ describe("#documents.search", () => {
permission: null,
});
await UserPermission.create({
await UserMembership.create({
createdById: user.id,
collectionId: collection.id,
userId: user.id,
@@ -1745,6 +1828,85 @@ describe("#documents.search", () => {
expect(searchQuery[0].results).toBe(0);
expect(searchQuery[0].source).toBe("app");
});
it("should include individually shared docs with a user in search results", async () => {
const user = await buildUser();
// create a private collection
const collection = await buildCollection({
createdById: user.id,
teamId: user.teamId,
permission: null,
});
// create document in that private collection
const document = await buildDocument({
collectionId: collection.id,
teamId: user.teamId,
createdById: user.id,
title: "Some title",
});
const member = await buildUser({
teamId: user.teamId,
});
// add member to the document
await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
const res = await server.post("/api/documents.search", {
body: {
token: member.getJwtToken(),
query: "title",
},
});
const body = await res.json();
expect(body.data).toHaveLength(1);
expect(body.data[0].document.id).toEqual(document.id);
expect(res.status).toEqual(200);
});
it("should include individually shared drafts with a user in search results", async () => {
const user = await buildUser();
// create a private collection
const collection = await buildCollection({
createdById: user.id,
teamId: user.teamId,
permission: null,
});
// create a draft in collection
const document = await buildDocument({
collectionId: collection.id,
teamId: user.teamId,
createdById: user.id,
title: "Some title",
});
document.publishedAt = null;
await document.save();
const member = await buildUser({
teamId: user.teamId,
});
// add member to the document
await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
const res = await server.post("/api/documents.search", {
body: {
token: member.getJwtToken(),
query: "title",
includeDrafts: true,
},
});
const body = await res.json();
expect(body.data).toHaveLength(1);
expect(body.data[0].document.id).toEqual(document.id);
expect(res.status).toEqual(200);
});
});
describe("#documents.templatize", () => {
@@ -1990,7 +2152,7 @@ describe("#documents.viewed", () => {
documentId: document.id,
userId: user.id,
});
await UserPermission.destroy({
await UserMembership.destroy({
where: {
userId: user.id,
collectionId: collection.id,
@@ -2889,6 +3051,7 @@ describe("#documents.update", () => {
const user = await buildUser({ teamId: team.id });
const document = await buildDraftDocument({
teamId: team.id,
userId: user.id,
collectionId: null,
});
@@ -2920,6 +3083,7 @@ describe("#documents.update", () => {
title: "title",
text: "text",
teamId: team.id,
userId: user.id,
collectionId: null,
});
const res = await server.post("/api/documents.update", {
@@ -3012,6 +3176,7 @@ describe("#documents.update", () => {
});
const template = await buildDocument({
teamId: user.teamId,
userId: user.id,
collectionId: collection.id,
template: true,
publishedAt: null,
@@ -3045,7 +3210,7 @@ describe("#documents.update", () => {
userId: user.id,
teamId: user.teamId,
});
await UserPermission.update(
await UserMembership.update(
{
userId: user.id,
permission: CollectionPermission.ReadWrite,
@@ -3152,7 +3317,7 @@ describe("#documents.update", () => {
teamId: team.id,
});
await UserPermission.update(
await UserMembership.update(
{
createdById: user.id,
permission: CollectionPermission.ReadWrite,
@@ -3190,7 +3355,7 @@ describe("#documents.update", () => {
collectionId: collection.id,
teamId: team.id,
});
await UserPermission.update(
await UserMembership.update(
{
createdById: user.id,
permission: CollectionPermission.Read,
@@ -3226,7 +3391,7 @@ describe("#documents.update", () => {
});
collection.permission = CollectionPermission.Read;
await collection.save();
await UserPermission.destroy({
await UserMembership.destroy({
where: {
userId: user.id,
collectionId: collection.id,
@@ -3455,6 +3620,7 @@ describe("#documents.delete", () => {
const user = await buildUser();
const document = await buildDraftDocument({
teamId: user.teamId,
userId: user.id,
deletedAt: null,
});
const res = await server.post("/api/documents.delete", {
@@ -3811,19 +3977,19 @@ describe("#documents.users", () => {
// add people and groups to collection
await Promise.all([
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: alan.id,
permission: CollectionPermission.Read,
createdById: user.id,
}),
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: bret.id,
permission: CollectionPermission.Read,
createdById: user.id,
}),
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: ken.id,
permission: CollectionPermission.Read,
@@ -3901,19 +4067,19 @@ describe("#documents.users", () => {
// add people to collection
await Promise.all([
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: alan.id,
permission: CollectionPermission.Read,
createdById: user.id,
}),
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: bret.id,
permission: CollectionPermission.Read,
createdById: user.id,
}),
UserPermission.create({
UserMembership.create({
collectionId: collection.id,
userId: ken.id,
permission: CollectionPermission.Read,
@@ -3942,3 +4108,256 @@ describe("#documents.users", () => {
expect(memberIds).toContain(ken.id);
});
});
describe("#documents.add_user", () => {
it("should require id", async () => {
const user = await buildUser();
const res = await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("id: Required");
});
it("should require authentication", async () => {
const document = await buildDocument();
const res = await server.post("/api/documents.add_user", {
body: {
id: document.id,
},
});
expect(res.status).toEqual(401);
});
it("should fail with status 400 bad request if user attempts to invite themself", async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
createdById: user.id,
permission: null,
});
const document = await buildDocument({
collectionId: collection.id,
createdById: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("You cannot invite yourself");
});
it("should succeed with status 200 ok", async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
createdById: user.id,
permission: null,
});
const document = await buildDocument({
collectionId: collection.id,
createdById: user.id,
teamId: user.teamId,
});
const member = await buildUser({ teamId: user.teamId });
const res = await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data).not.toBeFalsy();
expect(body.data.users).not.toBeFalsy();
expect(body.data.users).toHaveLength(1);
expect(body.data.users[0].id).toEqual(member.id);
expect(body.data.memberships).not.toBeFalsy();
expect(body.data.memberships[0].userId).toEqual(member.id);
expect(body.data.memberships[0].documentId).toEqual(document.id);
expect(body.data.memberships[0].permission).toEqual(
DocumentPermission.ReadWrite
);
});
});
describe("#documents.remove_user", () => {
it("should require id", async () => {
const user = await buildUser();
const res = await server.post("/api/documents.remove_user", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("id: Required");
});
it("should require authentication", async () => {
const document = await buildDocument();
const res = await server.post("/api/documents.remove_user", {
body: {
id: document.id,
},
});
expect(res.status).toEqual(401);
});
it("should require authorization", async () => {
const document = await buildDocument();
const user = await buildUser();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/documents.remove_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: anotherUser.id,
},
});
expect(res.status).toEqual(403);
});
it("should remove user from document", async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
createdById: user.id,
permission: null,
});
const document = await buildDocument({
collectionId: collection.id,
createdById: user.id,
teamId: user.teamId,
});
const member = await buildUser({
teamId: user.teamId,
});
await server.post("/api/documents.add_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
let users = await document.$get("users");
expect(users.length).toEqual(1);
const res = await server.post("/api/documents.remove_user", {
body: {
token: user.getJwtToken(),
id: document.id,
userId: member.id,
},
});
users = await document.$get("users");
expect(res.status).toEqual(200);
expect(users.length).toEqual(0);
});
});
describe("#documents.memberships", () => {
let actor: User, document: Document;
beforeEach(async () => {
actor = await buildUser();
const collection = await buildCollection({
teamId: actor.teamId,
createdById: actor.id,
permission: null,
});
document = await buildDocument({
collectionId: collection.id,
createdById: actor.id,
teamId: actor.teamId,
});
});
it("should return members in document", async () => {
const members = await Promise.all([
buildUser({ teamId: actor.teamId }),
buildUser({ teamId: actor.teamId }),
]);
await Promise.all([
server.post("/api/documents.add_user", {
body: {
token: actor.getJwtToken(),
id: document.id,
userId: members[0].id,
},
}),
server.post("/api/documents.add_user", {
body: {
token: actor.getJwtToken(),
id: document.id,
userId: members[1].id,
},
}),
]);
const res = await server.post("/api/documents.memberships", {
body: {
token: actor.getJwtToken(),
id: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(2);
expect(body.data.users.map((u: User) => u.id).includes(members[0].id)).toBe(
true
);
expect(body.data.users.map((u: User) => u.id).includes(members[1].id)).toBe(
true
);
});
it("should allow filtering members in document by permission", async () => {
const members = await Promise.all([
buildUser({ teamId: actor.teamId }),
buildUser({ teamId: actor.teamId }),
]);
await Promise.all([
server.post("/api/documents.add_user", {
body: {
token: actor.getJwtToken(),
id: document.id,
userId: members[0].id,
permission: DocumentPermission.ReadWrite,
},
}),
server.post("/api/documents.add_user", {
body: {
token: actor.getJwtToken(),
id: document.id,
userId: members[1].id,
permission: DocumentPermission.Read,
},
}),
]);
const res = await server.post("/api/documents.memberships", {
body: {
token: actor.getJwtToken(),
id: document.id,
permission: DocumentPermission.Read,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(members[1].id);
});
});

253
server/routes/api/documents/documents.ts
View File

@@ -1,11 +1,12 @@
import path from "path";
import fractionalIndex from "fractional-index";
import fs from "fs-extra";
import invariant from "invariant";
import JSZip from "jszip";
import Router from "koa-router";
import escapeRegExp from "lodash/escapeRegExp";
import mime from "mime-types";
import { Op, ScopeOptions, WhereOptions } from "sequelize";
import { Op, ScopeOptions, Sequelize, WhereOptions } from "sequelize";
import { TeamPreference } from "@shared/types";
import { subtractDate } from "@shared/utils/date";
import slugify from "@shared/utils/slugify";
@@ -40,6 +41,7 @@ import {
SearchQuery,
User,
View,
UserMembership,
} from "@server/models";
import DocumentHelper from "@server/models/helpers/DocumentHelper";
import SearchHelper from "@server/models/helpers/SearchHelper";
@@ -48,6 +50,7 @@ import {
presentCollection,
presentDocument,
presentPolicies,
presentMembership,
presentPublicTeam,
presentUser,
} from "@server/presenters";
@@ -121,6 +124,17 @@ router.post(
}
if (parentDocumentId) {
const membership = await UserMembership.findOne({
where: {
userId: user.id,
documentId: parentDocumentId,
},
});
if (membership) {
delete where.collectionId;
}
where = { ...where, parentDocumentId };
}
@@ -302,7 +316,10 @@ router.post(
order: [[sort, direction]],
include: [
{
model: Document,
model: Document.scope([
"withDrafts",
{ method: ["withMembership", userId] },
]),
required: true,
where: {
collectionId: collectionIds,
@@ -375,13 +392,7 @@ router.post(
delete where.updatedAt;
}
const collectionScope: Readonly<ScopeOptions> = {
method: ["withCollectionPermissions", user.id],
};
const documents = await Document.scope([
"defaultScope",
collectionScope,
]).findAll({
const documents = await Document.defaultScopeWithUser(user.id).findAll({
where,
order: [[sort, direction]],
offset: ctx.state.pagination.offset,
@@ -979,6 +990,7 @@ router.post(
}
if (publish) {
authorize(user, "publish", document);
if (!document.collectionId) {
assertPresent(
collectionId,
@@ -1415,11 +1427,8 @@ router.post(
let parentDocument;
if (parentDocumentId) {
parentDocument = await Document.findOne({
where: {
id: parentDocumentId,
collectionId: collection?.id,
},
parentDocument = await Document.findByPk(parentDocumentId, {
userId: user.id,
});
authorize(user, "read", parentDocument, {
collection,
@@ -1462,4 +1471,220 @@ router.post(
}
);
router.post(
"documents.add_user",
auth(),
validate(T.DocumentsAddUserSchema),
transaction(),
async (ctx: APIContext<T.DocumentsAddUserReq>) => {
const { auth, transaction } = ctx.state;
const actor = auth.user;
const { id, userId, permission } = ctx.input.body;
if (userId === actor.id) {
throw ValidationError("You cannot invite yourself");
}
const [document, user] = await Promise.all([
Document.findByPk(id, {
userId: actor.id,
rejectOnEmpty: true,
transaction,
}),
User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
}),
]);
authorize(actor, "read", user);
authorize(actor, "manageUsers", document);
const UserMemberships = await UserMembership.findAll({
where: {
userId,
},
attributes: ["id", "index", "updatedAt"],
limit: 1,
order: [
// using LC_COLLATE:"C" because we need byte order to drive the sorting
// find only the first star so we can create an index before it
Sequelize.literal('"user_permission"."index" collate "C"'),
["updatedAt", "DESC"],
],
transaction,
});
// create membership at the beginning of their "Shared with me" section
const index = fractionalIndex(
null,
UserMemberships.length ? UserMemberships[0].index : null
);
const [membership] = await UserMembership.findOrCreate({
where: {
documentId: id,
userId,
},
defaults: {
index,
permission: permission || user.defaultDocumentPermission,
createdById: actor.id,
},
transaction,
lock: transaction.LOCK.UPDATE,
});
if (permission) {
membership.permission = permission;
// disconnect from the source if the permission is manually updated
membership.sourceId = null;
await membership.save({ transaction });
}
await Event.create(
{
name: "documents.add_user",
userId,
modelId: membership.id,
documentId: document.id,
teamId: document.teamId,
actorId: actor.id,
ip: ctx.request.ip,
},
{
transaction,
}
);
ctx.body = {
data: {
users: [presentUser(user)],
memberships: [presentMembership(membership)],
},
};
}
);
router.post(
"documents.remove_user",
auth(),
validate(T.DocumentsRemoveUserSchema),
transaction(),
async (ctx: APIContext<T.DocumentsRemoveUserReq>) => {
const { auth, transaction } = ctx.state;
const actor = auth.user;
const { id, userId } = ctx.input.body;
const [document, user] = await Promise.all([
Document.findByPk(id, {
userId: actor.id,
rejectOnEmpty: true,
transaction,
}),
User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
}),
]);
if (actor.id !== userId) {
authorize(actor, "manageUsers", document);
authorize(actor, "read", user);
}
const membership = await UserMembership.findOne({
where: {
documentId: id,
userId,
},
transaction,
lock: transaction.LOCK.UPDATE,
rejectOnEmpty: true,
});
await membership.destroy({ transaction });
await Event.create(
{
name: "documents.remove_user",
userId,
modelId: membership.id,
documentId: document.id,
teamId: document.teamId,
actorId: actor.id,
ip: ctx.request.ip,
},
{ transaction }
);
ctx.body = {
success: true,
};
}
);
router.post(
"documents.memberships",
auth(),
pagination(),
validate(T.DocumentsMembershipsSchema),
async (ctx: APIContext<T.DocumentsMembershipsReq>) => {
const { id, query, permission } = ctx.input.body;
const { user: actor } = ctx.state.auth;
const document = await Document.findByPk(id, { userId: actor.id });
authorize(actor, "update", document);
let where: WhereOptions<UserMembership> = {
documentId: id,
};
let userWhere;
if (query) {
userWhere = {
name: {
[Op.iLike]: `%${query}%`,
},
};
}
if (permission) {
where = { ...where, permission };
}
const options = {
where,
include: [
{
model: User,
as: "user",
where: userWhere,
required: true,
},
],
};
const [total, memberships] = await Promise.all([
UserMembership.count(options),
UserMembership.findAll({
...options,
order: [["createdAt", "DESC"]],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
}),
]);
ctx.body = {
pagination: { ...ctx.state.pagination, total },
data: {
memberships: memberships.map(presentMembership),
users: memberships.map((membership) => presentUser(membership.user)),
},
};
}
);
export default router;

45
server/routes/api/documents/schema.ts
View File

@@ -3,6 +3,7 @@ import formidable from "formidable";
import isEmpty from "lodash/isEmpty";
import isUUID from "validator/lib/isUUID";
import { z } from "zod";
import { DocumentPermission } from "@shared/types";
import { SHARE_URL_SLUG_REGEX } from "@shared/utils/urlHelpers";
import { BaseSchema } from "@server/routes/api/schema";
@@ -353,3 +354,47 @@ export const DocumentsUsersSchema = BaseSchema.extend({
});
export type DocumentsUsersReq = z.infer<typeof DocumentsUsersSchema>;
export const DocumentsAddUserSchema = BaseSchema.extend({
body: z.object({
/** Id of the document to which the user is supposed to be added */
id: z.string().uuid(),
/** Id of the user who is to be added*/
userId: z.string().uuid(),
/** Permission to be granted to the added user */
permission: z.nativeEnum(DocumentPermission).optional(),
}),
});
export type DocumentsAddUserReq = z.infer<typeof DocumentsAddUserSchema>;
export const DocumentsRemoveUserSchema = BaseSchema.extend({
body: z.object({
/** Id of the document from which to remove the user */
id: z.string().uuid(),
/** Id of the user who is to be removed */
userId: z.string().uuid(),
}),
});
export type DocumentsRemoveUserReq = z.infer<typeof DocumentsRemoveUserSchema>;
export const DocumentsSharedWithUserSchema = BaseSchema.extend({
body: DocumentsSortParamsSchema,
});
export type DocumentsSharedWithUserReq = z.infer<
typeof DocumentsSharedWithUserSchema
>;
export const DocumentsMembershipsSchema = BaseSchema.extend({
body: z.object({
id: z.string().uuid(),
query: z.string().optional(),
permission: z.nativeEnum(DocumentPermission).optional(),
}),
});
export type DocumentsMembershipsReq = z.infer<
typeof DocumentsMembershipsSchema
>;