Individual document sharing with permissions (#5814)

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tom Moor <tom@getoutline.com>
2024-01-31 07:18:22 +05:30
parent 717c9b5d64
commit 1490c3a14b
91 changed files with 4004 additions and 1166 deletions
--- a/server/routes/api/documents/documents.test.ts
+++ b/server/routes/api/documents/documents.test.ts
@@ -1,12 +1,12 @@
 import { faker } from "@faker-js/faker";
 import { addMinutes, subDays } from "date-fns";
-import { CollectionPermission } from "@shared/types";
+import { CollectionPermission, DocumentPermission } from "@shared/types";
 import {
  Document,
  View,
  Revision,
  Backlink,
-  UserPermission,
+  UserMembership,
  SearchQuery,
  Event,
  User,
@@ -28,6 +28,10 @@ import { getTestServer } from "@server/test/support";

 const server = getTestServer();

+beforeEach(async () => {
+  await buildDocument();
+});
+
 describe("#documents.info", () => {
  it("should fail if both id and shareId are absent", async () => {
    const res = await server.post("/api/documents.info", {
@@ -907,7 +911,7 @@ describe("#documents.list", () => {
      collectionId: collection.id,
    });

-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.Read,
@@ -1068,6 +1072,85 @@ describe("#documents.drafts", () => {
 });

 describe("#documents.search_titles", () => {
+  it("should include individually shared drafts with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create a draft in collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    document.publishedAt = null;
+    await document.save();
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search_titles", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+        includeDrafts: true,
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
+  it("should include individually shared docs with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create document in that private collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search_titles", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
  it("should fail without query", async () => {
    const user = await buildUser();
    const res = await server.post("/api/documents.search_titles", {
@@ -1615,7 +1698,7 @@ describe("#documents.search", () => {
      permission: null,
    });

-    await UserPermission.create({
+    await UserMembership.create({
      createdById: user.id,
      collectionId: collection.id,
      userId: user.id,
@@ -1745,6 +1828,85 @@ describe("#documents.search", () => {
    expect(searchQuery[0].results).toBe(0);
    expect(searchQuery[0].source).toBe("app");
  });
+
+  it("should include individually shared docs with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create document in that private collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].document.id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
+
+  it("should include individually shared drafts with a user in search results", async () => {
+    const user = await buildUser();
+    // create a private collection
+    const collection = await buildCollection({
+      createdById: user.id,
+      teamId: user.teamId,
+      permission: null,
+    });
+    // create a draft in collection
+    const document = await buildDocument({
+      collectionId: collection.id,
+      teamId: user.teamId,
+      createdById: user.id,
+      title: "Some title",
+    });
+    document.publishedAt = null;
+    await document.save();
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    // add member to the document
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    const res = await server.post("/api/documents.search", {
+      body: {
+        token: member.getJwtToken(),
+        query: "title",
+        includeDrafts: true,
+      },
+    });
+    const body = await res.json();
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].document.id).toEqual(document.id);
+    expect(res.status).toEqual(200);
+  });
 });

 describe("#documents.templatize", () => {
@@ -1990,7 +2152,7 @@ describe("#documents.viewed", () => {
      documentId: document.id,
      userId: user.id,
    });
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        userId: user.id,
        collectionId: collection.id,
@@ -2889,6 +3051,7 @@ describe("#documents.update", () => {
    const user = await buildUser({ teamId: team.id });
    const document = await buildDraftDocument({
      teamId: team.id,
+      userId: user.id,
      collectionId: null,
    });

@@ -2920,6 +3083,7 @@ describe("#documents.update", () => {
      title: "title",
      text: "text",
      teamId: team.id,
+      userId: user.id,
      collectionId: null,
    });
    const res = await server.post("/api/documents.update", {
@@ -3012,6 +3176,7 @@ describe("#documents.update", () => {
    });
    const template = await buildDocument({
      teamId: user.teamId,
+      userId: user.id,
      collectionId: collection.id,
      template: true,
      publishedAt: null,
@@ -3045,7 +3210,7 @@ describe("#documents.update", () => {
      userId: user.id,
      teamId: user.teamId,
    });
-    await UserPermission.update(
+    await UserMembership.update(
      {
        userId: user.id,
        permission: CollectionPermission.ReadWrite,
@@ -3152,7 +3317,7 @@ describe("#documents.update", () => {
      teamId: team.id,
    });

-    await UserPermission.update(
+    await UserMembership.update(
      {
        createdById: user.id,
        permission: CollectionPermission.ReadWrite,
@@ -3190,7 +3355,7 @@ describe("#documents.update", () => {
      collectionId: collection.id,
      teamId: team.id,
    });
-    await UserPermission.update(
+    await UserMembership.update(
      {
        createdById: user.id,
        permission: CollectionPermission.Read,
@@ -3226,7 +3391,7 @@ describe("#documents.update", () => {
    });
    collection.permission = CollectionPermission.Read;
    await collection.save();
-    await UserPermission.destroy({
+    await UserMembership.destroy({
      where: {
        userId: user.id,
        collectionId: collection.id,
@@ -3455,6 +3620,7 @@ describe("#documents.delete", () => {
    const user = await buildUser();
    const document = await buildDraftDocument({
      teamId: user.teamId,
+      userId: user.id,
      deletedAt: null,
    });
    const res = await server.post("/api/documents.delete", {
@@ -3811,19 +3977,19 @@ describe("#documents.users", () => {

    // add people and groups to collection
    await Promise.all([
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: alan.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: bret.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: ken.id,
        permission: CollectionPermission.Read,
@@ -3901,19 +4067,19 @@ describe("#documents.users", () => {

    // add people to collection
    await Promise.all([
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: alan.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: bret.id,
        permission: CollectionPermission.Read,
        createdById: user.id,
      }),
-      UserPermission.create({
+      UserMembership.create({
        collectionId: collection.id,
        userId: ken.id,
        permission: CollectionPermission.Read,
@@ -3942,3 +4108,256 @@ describe("#documents.users", () => {
    expect(memberIds).toContain(ken.id);
  });
 });
+
+describe("#documents.add_user", () => {
+  it("should require id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id: Required");
+  });
+
+  it("should require authentication", async () => {
+    const document = await buildDocument();
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        id: document.id,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should fail with status 400 bad request if user attempts to invite themself", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: user.id,
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("You cannot invite yourself");
+  });
+
+  it("should succeed with status 200 ok", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({ teamId: user.teamId });
+
+    const res = await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data).not.toBeFalsy();
+    expect(body.data.users).not.toBeFalsy();
+    expect(body.data.users).toHaveLength(1);
+    expect(body.data.users[0].id).toEqual(member.id);
+    expect(body.data.memberships).not.toBeFalsy();
+    expect(body.data.memberships[0].userId).toEqual(member.id);
+    expect(body.data.memberships[0].documentId).toEqual(document.id);
+    expect(body.data.memberships[0].permission).toEqual(
+      DocumentPermission.ReadWrite
+    );
+  });
+});
+
+describe("#documents.remove_user", () => {
+  it("should require id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id: Required");
+  });
+
+  it("should require authentication", async () => {
+    const document = await buildDocument();
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        id: document.id,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should require authorization", async () => {
+    const document = await buildDocument();
+    const user = await buildUser();
+    const anotherUser = await buildUser({
+      teamId: user.teamId,
+    });
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: anotherUser.id,
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
+  it("should remove user from document", async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      createdById: user.id,
+      permission: null,
+    });
+    const document = await buildDocument({
+      collectionId: collection.id,
+      createdById: user.id,
+      teamId: user.teamId,
+    });
+    const member = await buildUser({
+      teamId: user.teamId,
+    });
+    await server.post("/api/documents.add_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    let users = await document.$get("users");
+    expect(users.length).toEqual(1);
+    const res = await server.post("/api/documents.remove_user", {
+      body: {
+        token: user.getJwtToken(),
+        id: document.id,
+        userId: member.id,
+      },
+    });
+    users = await document.$get("users");
+    expect(res.status).toEqual(200);
+    expect(users.length).toEqual(0);
+  });
+});
+
+describe("#documents.memberships", () => {
+  let actor: User, document: Document;
+  beforeEach(async () => {
+    actor = await buildUser();
+    const collection = await buildCollection({
+      teamId: actor.teamId,
+      createdById: actor.id,
+      permission: null,
+    });
+    document = await buildDocument({
+      collectionId: collection.id,
+      createdById: actor.id,
+      teamId: actor.teamId,
+    });
+  });
+
+  it("should return members in document", async () => {
+    const members = await Promise.all([
+      buildUser({ teamId: actor.teamId }),
+      buildUser({ teamId: actor.teamId }),
+    ]);
+    await Promise.all([
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[0].id,
+        },
+      }),
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[1].id,
+        },
+      }),
+    ]);
+    const res = await server.post("/api/documents.memberships", {
+      body: {
+        token: actor.getJwtToken(),
+        id: document.id,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(2);
+    expect(body.data.users.map((u: User) => u.id).includes(members[0].id)).toBe(
+      true
+    );
+    expect(body.data.users.map((u: User) => u.id).includes(members[1].id)).toBe(
+      true
+    );
+  });
+
+  it("should allow filtering members in document by permission", async () => {
+    const members = await Promise.all([
+      buildUser({ teamId: actor.teamId }),
+      buildUser({ teamId: actor.teamId }),
+    ]);
+    await Promise.all([
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[0].id,
+          permission: DocumentPermission.ReadWrite,
+        },
+      }),
+      server.post("/api/documents.add_user", {
+        body: {
+          token: actor.getJwtToken(),
+          id: document.id,
+          userId: members[1].id,
+          permission: DocumentPermission.Read,
+        },
+      }),
+    ]);
+    const res = await server.post("/api/documents.memberships", {
+      body: {
+        token: actor.getJwtToken(),
+        id: document.id,
+        permission: DocumentPermission.Read,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(1);
+    expect(body.data.users[0].id).toEqual(members[1].id);
+  });
+});