feat: Nested document sharing (#2075)

* migration * frontend routing, api permissioning * feat: apiVersion=2 * feat: re-writing document links to point to share * poc nested documents on share links * fix: nested shareId permissions * ui and language tweaks, comments * breadcrumbs * Add icons to reference list items * refactor: Breadcrumb component * tweaks * Add shared parent note
2021-05-22 19:34:05 -07:00
parent dc4b5588b7
commit 44920a25f4
31 changed files with 1134 additions and 282 deletions
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -471,11 +471,17 @@ router.post("documents.drafts", auth(), pagination(), async (ctx) => {
  };
 });

-async function loadDocument({ id, shareId, user }) {
+async function loadDocument({
+  id,
+  shareId,
+  user,
+}): Promise<{ document: Document, share?: Share, collection: Collection }> {
  let document;
+  let collection;
+  let share;

  if (shareId) {
-    const share = await Share.findOne({
+    share = await Share.findOne({
      where: {
        revokedAt: { [Op.eq]: null },
        id: shareId,
@@ -497,7 +503,20 @@ async function loadDocument({ id, shareId, user }) {
      throw new InvalidRequestError("Document could not be found for shareId");
    }

-    if (user) {
+    // It is possible to pass both an id and a shareId to the documents.info
+    // endpoint. In this case we'll load the document based on the `id` and check
+    // if the provided share token allows access. This is used by the frontend
+    // to navigate nested documents from a single share link.
+    if (id) {
+      document = await Document.findByPk(id, {
+        userId: user ? user.id : undefined,
+        paranoid: false,
+      });
+
+      // otherwise, if the user has an authenticated session make sure to load
+      // with their details so that we can return the correct policies, they may
+      // be able to edit the shared document
+    } else if (user) {
      document = await Document.findByPk(share.documentId, {
        userId: user.id,
        paranoid: false,
@@ -506,15 +525,31 @@ async function loadDocument({ id, shareId, user }) {
      document = share.document;
    }

+    // "published" === on the public internet. So if the share isn't published
+    // then we must have permission to read the document
    if (!share.published) {
      authorize(user, "read", document);
    }

-    const collection = await Collection.findByPk(document.collectionId);
+    // It is possible to disable sharing at the collection so we must check
+    collection = await Collection.findByPk(document.collectionId);
    if (!collection.sharing) {
      throw new AuthorizationError();
    }

+    // If we're attempting to load a document that isn't the document originally
+    // shared then includeChildDocuments must be enabled and the document must
+    // still be nested within the shared document
+    if (share.document.id !== document.id) {
+      if (
+        !share.includeChildDocuments ||
+        !collection.isChildDocument(share.document.id, document.id)
+      ) {
+        throw new AuthorizationError();
+      }
+    }
+
+    // It is possible to disable sharing at the team level so we must check
    const team = await Team.findByPk(document.teamId);
    if (!team.sharing) {
      throw new AuthorizationError();
@@ -535,21 +570,41 @@ async function loadDocument({ id, shareId, user }) {
    } else {
      authorize(user, "read", document);
    }
+
+    collection = document.collection;
  }

-  return document;
+  return { document, share, collection };
 }

 router.post("documents.info", auth({ required: false }), async (ctx) => {
-  const { id, shareId } = ctx.body;
+  const { id, shareId, apiVersion } = ctx.body;
  ctx.assertPresent(id || shareId, "id or shareId is required");

-  const user = ctx.state.user;
-  const document = await loadDocument({ id, shareId, user });
+  const { user } = ctx.state;
+  const { document, share, collection } = await loadDocument({
+    id,
+    shareId,
+    user,
+  });
  const isPublic = cannot(user, "read", document);
+  const serializedDocument = await presentDocument(document, { isPublic });
+
+  // Passing apiVersion=2 has a single effect, to change the response payload to
+  // include document and sharedTree keys.
+  const data =
+    apiVersion === 2
+      ? {
+          document: serializedDocument,
+          sharedTree:
+            share && share.includeChildDocuments
+              ? collection.getDocumentTree(share.documentId)
+              : undefined,
+        }
+      : serializedDocument;

  ctx.body = {
-    data: await presentDocument(document, { isPublic }),
+    data,
    policies: isPublic ? undefined : presentPolicies(user, [document]),
  };
 });
@@ -559,7 +614,7 @@ router.post("documents.export", auth({ required: false }), async (ctx) => {
  ctx.assertPresent(id || shareId, "id or shareId is required");

  const user = ctx.state.user;
-  const document = await loadDocument({ id, shareId, user });
+  const { document } = await loadDocument({ id, shareId, user });

  ctx.body = {
    data: document.toMarkdown(),
--- a/server/api/documents.test.js
+++ b/server/api/documents.test.js
@@ -98,6 +98,109 @@ describe("#documents.info", () => {
    expect(share.lastAccessedAt).toBeTruthy();
  });

+  describe("apiVersion=2", () => {
+    it("should return sharedTree from shareId", async () => {
+      const { document, collection, user } = await seed();
+      const childDocument = await buildDocument({
+        teamId: document.teamId,
+        parentDocumentId: document.id,
+        collectionId: collection.id,
+      });
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: true,
+      });
+
+      await collection.addDocumentToStructure(childDocument, 0);
+
+      const res = await server.post("/api/documents.info", {
+        body: { shareId: share.id, id: childDocument.id, apiVersion: 2 },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.document.id).toEqual(childDocument.id);
+      expect(body.data.document.createdBy).toEqual(undefined);
+      expect(body.data.document.updatedBy).toEqual(undefined);
+      expect(body.data.sharedTree).toEqual(collection.documentStructure[0]);
+
+      await share.reload();
+      expect(share.lastAccessedAt).toBeTruthy();
+    });
+
+    it("should return sharedTree from shareId with id of nested document", async () => {
+      const { document, user } = await seed();
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: true,
+      });
+
+      const res = await server.post("/api/documents.info", {
+        body: { shareId: share.id, apiVersion: 2 },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.document.id).toEqual(document.id);
+      expect(body.data.document.createdBy).toEqual(undefined);
+      expect(body.data.document.updatedBy).toEqual(undefined);
+      expect(body.data.sharedTree).toEqual(document.toJSON());
+
+      await share.reload();
+      expect(share.lastAccessedAt).toBeTruthy();
+    });
+
+    it("should not return sharedTree if child documents not shared", async () => {
+      const { document, user } = await seed();
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: false,
+      });
+
+      const res = await server.post("/api/documents.info", {
+        body: { shareId: share.id, apiVersion: 2 },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.document.id).toEqual(document.id);
+      expect(body.data.document.createdBy).toEqual(undefined);
+      expect(body.data.document.updatedBy).toEqual(undefined);
+      expect(body.data.sharedTree).toEqual(undefined);
+
+      await share.reload();
+      expect(share.lastAccessedAt).toBeTruthy();
+    });
+
+    it("should not return details for nested documents", async () => {
+      const { document, collection, user } = await seed();
+      const childDocument = await buildDocument({
+        teamId: document.teamId,
+        parentDocumentId: document.id,
+        collectionId: collection.id,
+      });
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: false,
+      });
+
+      await collection.addDocumentToStructure(childDocument, 0);
+
+      const res = await server.post("/api/documents.info", {
+        body: { shareId: share.id, id: childDocument.id, apiVersion: 2 },
+      });
+      expect(res.status).toEqual(403);
+    });
+  });
+
  it("should not return document from shareId if sharing is disabled for team", async () => {
    const { document, team, user } = await seed();
    const share = await buildShare({
--- a/server/api/shares.js
+++ b/server/api/shares.js
@@ -13,11 +13,12 @@ const { authorize } = policy;
 const router = new Router();

 router.post("shares.info", auth(), async (ctx) => {
-  const { id, documentId } = ctx.body;
+  const { id, documentId, apiVersion } = ctx.body;
  ctx.assertUuid(id || documentId, "id or documentId is required");

  const user = ctx.state.user;
-  const share = await Share.findOne({
+  let shares = [];
+  let share = await Share.findOne({
    where: id
      ? {
          id,
@@ -29,15 +30,62 @@ router.post("shares.info", auth(), async (ctx) => {
          revokedAt: { [Op.eq]: null },
        },
  });
-  if (!share || !share.document) {
+
+  // Deprecated API response returns just the share for the current documentId
+  if (apiVersion !== 2) {
+    if (!share || !share.document) {
+      return (ctx.response.status = 204);
+    }
+
+    authorize(user, "read", share);
+
+    ctx.body = {
+      data: presentShare(share, user.isAdmin),
+      policies: presentPolicies(user, [share]),
+    };
+    return;
+  }
+
+  // API version 2 returns the response for the current documentId and any
+  // parent documents that are publicly shared and accessible to the user
+  if (share && share.document) {
+    authorize(user, "read", share);
+    shares.push(share);
+  }
+
+  if (documentId) {
+    const document = await Document.scope("withCollection").findByPk(
+      documentId
+    );
+    const parentIds = document?.collection?.getDocumentParents(documentId);
+
+    const parentShare = parentIds
+      ? await Share.findOne({
+          where: {
+            documentId: parentIds,
+            teamId: user.teamId,
+            revokedAt: { [Op.eq]: null },
+            includeChildDocuments: true,
+            published: true,
+          },
+        })
+      : undefined;
+
+    if (parentShare && parentShare.document) {
+      authorize(user, "read", parentShare);
+      shares.push(parentShare);
+    }
+  }
+
+  if (!shares.length) {
    return (ctx.response.status = 204);
  }

-  authorize(user, "read", share);
-
  ctx.body = {
-    data: presentShare(share, user.isAdmin),
-    policies: presentPolicies(user, [share]),
+    data: {
+      shares: shares.map((share) => presentShare(share, user.isAdmin)),
+    },
+    policies: presentPolicies(user, shares),
  };
 });

@@ -95,15 +143,28 @@ router.post("shares.list", auth(), pagination(), async (ctx) => {
 });

 router.post("shares.update", auth(), async (ctx) => {
-  const { id, published } = ctx.body;
+  const { id, includeChildDocuments, published } = ctx.body;
  ctx.assertUuid(id, "id is required");
-  ctx.assertPresent(published, "published is required");

-  const user = ctx.state.user;
+  const { user } = ctx.state;
  const share = await Share.findByPk(id);
  authorize(user, "update", share);

-  share.published = published;
+  if (published !== undefined) {
+    share.published = published;
+
+    // Reset nested document sharing when unpublishing a share link. So that
+    // If it's ever re-published this doesn't immediately share nested docs
+    // without forewarning the user
+    if (!published) {
+      share.includeChildDocuments = false;
+    }
+  }
+
+  if (includeChildDocuments !== undefined) {
+    share.includeChildDocuments = includeChildDocuments;
+  }
+
  await share.save();

  await Event.create({
--- a/server/api/shares.test.js
+++ b/server/api/shares.test.js
@@ -2,7 +2,7 @@
 import TestServer from "fetch-test-server";
 import app from "../app";
 import { CollectionUser } from "../models";
-import { buildUser, buildShare } from "../test/factories";
+import { buildUser, buildDocument, buildShare } from "../test/factories";
 import { flushdb, seed } from "../test/support";

 const server = new TestServer(app.callback());
@@ -260,7 +260,7 @@ describe("#shares.info", () => {
    expect(body.data.createdBy.id).toBe(user.id);
  });

-  it("should allow reading share creaded by deleted user", async () => {
+  it("should allow reading share created by deleted user", async () => {
    const { user, document } = await seed();
    const author = await buildUser({ teamId: user.teamId });
    const share = await buildShare({
@@ -347,6 +347,135 @@ describe("#shares.info", () => {
    expect(res.status).toEqual(204);
  });

+  describe("apiVersion=2", () => {
+    it("should allow reading share by documentId", async () => {
+      const { user, document } = await seed();
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: user.teamId,
+        userId: user.id,
+      });
+
+      const res = await server.post("/api/shares.info", {
+        body: {
+          token: user.getJwtToken(),
+          documentId: document.id,
+          apiVersion: 2,
+        },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.shares.length).toBe(1);
+      expect(body.data.shares[0].id).toBe(share.id);
+      expect(body.data.shares[0].published).toBe(true);
+    });
+
+    it("should return share for parent document with includeChildDocuments=true", async () => {
+      const { user, document, collection } = await seed();
+      const childDocument = await buildDocument({
+        teamId: document.teamId,
+        parentDocumentId: document.id,
+        collectionId: collection.id,
+      });
+      const share = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: true,
+      });
+
+      await collection.addDocumentToStructure(childDocument, 0);
+
+      const res = await server.post("/api/shares.info", {
+        body: {
+          token: user.getJwtToken(),
+          documentId: childDocument.id,
+          apiVersion: 2,
+        },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.shares.length).toBe(1);
+      expect(body.data.shares[0].id).toBe(share.id);
+      expect(body.data.shares[0].documentId).toBe(document.id);
+      expect(body.data.shares[0].published).toBe(true);
+      expect(body.data.shares[0].includeChildDocuments).toBe(true);
+    });
+
+    it("should not return share for parent document with includeChildDocuments=false", async () => {
+      const { user, document, collection } = await seed();
+      const childDocument = await buildDocument({
+        teamId: document.teamId,
+        parentDocumentId: document.id,
+        collectionId: collection.id,
+      });
+      await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: false,
+      });
+
+      await collection.addDocumentToStructure(childDocument, 0);
+
+      const res = await server.post("/api/shares.info", {
+        body: {
+          token: user.getJwtToken(),
+          documentId: childDocument.id,
+          apiVersion: 2,
+        },
+      });
+
+      expect(res.status).toEqual(204);
+    });
+
+    it("should return shares for parent document and current document", async () => {
+      const { user, document, collection } = await seed();
+      const childDocument = await buildDocument({
+        teamId: document.teamId,
+        parentDocumentId: document.id,
+        collectionId: collection.id,
+      });
+      const share = await buildShare({
+        documentId: childDocument.id,
+        teamId: user.teamId,
+        userId: user.id,
+        includeChildDocuments: false,
+      });
+      const share2 = await buildShare({
+        documentId: document.id,
+        teamId: document.teamId,
+        userId: user.id,
+        includeChildDocuments: true,
+      });
+
+      await collection.addDocumentToStructure(childDocument, 0);
+
+      const res = await server.post("/api/shares.info", {
+        body: {
+          token: user.getJwtToken(),
+          documentId: childDocument.id,
+          apiVersion: 2,
+        },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.shares.length).toBe(2);
+      expect(body.data.shares[0].id).toBe(share.id);
+      expect(body.data.shares[0].includeChildDocuments).toBe(false);
+      expect(body.data.shares[0].documentId).toBe(childDocument.id);
+      expect(body.data.shares[0].published).toBe(true);
+
+      expect(body.data.shares[1].id).toBe(share2.id);
+      expect(body.data.shares[1].documentId).toBe(document.id);
+      expect(body.data.shares[1].published).toBe(true);
+      expect(body.data.shares[1].includeChildDocuments).toBe(true);
+    });
+  });
+
  it("should require authentication", async () => {
    const { user, document } = await seed();
    const share = await buildShare({
--- a/server/migrations/20210418053152-share-last-viewed.js
+++ b/server/migrations/20210418053152-share-last-viewed.js
@@ -2,7 +2,7 @@

 module.exports = {
  up: async (queryInterface, Sequelize) => {
-     await queryInterface.addColumn("shares", "lastAccessedAt", {
+    await queryInterface.addColumn("shares", "lastAccessedAt", {
      type: Sequelize.DATE,
      allowNull: true,
    });
--- a/server/migrations/20210426055334-nested-document-sharing.js
+++ b/server/migrations/20210426055334-nested-document-sharing.js
@@ -0,0 +1,15 @@
+'use strict';
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addColumn("shares", "includeChildDocuments", {
+      type: Sequelize.BOOLEAN,
+      allowNull: false,
+      defaultValue: false,
+    });
+  },
+
+  down: async (queryInterface, Sequelize) => {
+    await queryInterface.removeColumn("shares", "includeChildDocuments");
+  }
+};
--- a/server/models/Collection.js
+++ b/server/models/Collection.js
@@ -375,6 +375,77 @@ Collection.prototype.deleteDocument = async function (document) {
  await document.deleteWithChildren();
 };

+Collection.prototype.isChildDocument = function (
+  parentDocumentId,
+  documentId
+): boolean {
+  let result = false;
+
+  const loopChildren = (documents, input) => {
+    return documents.map((document) => {
+      let parents = [...input];
+      if (document.id === documentId) {
+        result = parents.includes(parentDocumentId);
+      } else {
+        parents.push(document.id);
+        loopChildren(document.children, parents);
+      }
+      return document;
+    });
+  };
+
+  loopChildren(this.documentStructure, []);
+
+  return result;
+};
+
+Collection.prototype.getDocumentTree = function (documentId: string) {
+  let result;
+
+  const loopChildren = (documents) => {
+    if (result) {
+      return;
+    }
+
+    documents.forEach((document) => {
+      if (result) {
+        return;
+      }
+      if (document.id === documentId) {
+        result = document;
+      } else {
+        loopChildren(document.children);
+      }
+    });
+  };
+
+  loopChildren(this.documentStructure);
+  return result;
+};
+
+Collection.prototype.getDocumentParents = function (
+  documentId: string
+): string[] | void {
+  let result;
+
+  const loopChildren = (documents, path = []) => {
+    if (result) {
+      return;
+    }
+
+    documents.forEach((document) => {
+      if (document.id === documentId) {
+        result = path;
+      } else {
+        loopChildren(document.children, [...path, document.id]);
+      }
+    });
+  };
+
+  loopChildren(this.documentStructure);
+  return result;
+};
+
 Collection.prototype.removeDocumentInStructure = async function (
  document,
  options
--- a/server/models/Collection.test.js
+++ b/server/models/Collection.test.js
@@ -6,6 +6,7 @@ import {
  buildGroup,
  buildCollection,
  buildTeam,
+  buildDocument,
 } from "../test/factories";
 import { flushdb, seed } from "../test/support";

@@ -19,6 +20,134 @@ describe("#url", () => {
  });
 });

+describe("getDocumentParents", () => {
+  test("should return array of parent document ids", async () => {
+    const parent = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [
+        {
+          ...parent.toJSON(),
+          children: [document.toJSON()],
+        },
+      ],
+    });
+
+    const result = collection.getDocumentParents(document.id);
+
+    expect(result.length).toBe(1);
+    expect(result[0]).toBe(parent.id);
+  });
+
+  test("should return array of parent document ids", async () => {
+    const parent = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [
+        {
+          ...parent.toJSON(),
+          children: [document.toJSON()],
+        },
+      ],
+    });
+
+    const result = collection.getDocumentParents(parent.id);
+    expect(result.length).toBe(0);
+  });
+});
+
+describe("getDocumentTree", () => {
+  test("should return document tree", async () => {
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [document.toJSON()],
+    });
+
+    expect(collection.getDocumentTree(document.id)).toEqual(document.toJSON());
+  });
+
+  test("should return nested documents in tree", async () => {
+    const parent = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [
+        {
+          ...parent.toJSON(),
+          children: [document.toJSON()],
+        },
+      ],
+    });
+
+    expect(collection.getDocumentTree(parent.id)).toEqual({
+      ...parent.toJSON(),
+      children: [document.toJSON()],
+    });
+    expect(collection.getDocumentTree(document.id)).toEqual(document.toJSON());
+  });
+});
+
+describe("isChildDocument", () => {
+  test("should return false with unexpected data", async () => {
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [document.toJSON()],
+    });
+
+    expect(collection.isChildDocument(document.id, document.id)).toEqual(false);
+    expect(collection.isChildDocument(document.id, undefined)).toEqual(false);
+    expect(collection.isChildDocument(undefined, document.id)).toEqual(false);
+  });
+
+  test("should return false if sibling", async () => {
+    const one = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [one.toJSON(), document.toJSON()],
+    });
+
+    expect(collection.isChildDocument(one.id, document.id)).toEqual(false);
+    expect(collection.isChildDocument(document.id, one.id)).toEqual(false);
+  });
+
+  test("should return true if direct child of parent", async () => {
+    const parent = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [
+        {
+          ...parent.toJSON(),
+          children: [document.toJSON()],
+        },
+      ],
+    });
+
+    expect(collection.isChildDocument(parent.id, document.id)).toEqual(true);
+    expect(collection.isChildDocument(document.id, parent.id)).toEqual(false);
+  });
+
+  test("should return true if nested child of parent", async () => {
+    const parent = await buildDocument();
+    const nested = await buildDocument();
+    const document = await buildDocument();
+    const collection = await buildCollection({
+      documentStructure: [
+        {
+          ...parent.toJSON(),
+          children: [
+            {
+              ...nested.toJSON(),
+              children: [document.toJSON()],
+            },
+          ],
+        },
+      ],
+    });
+
+    expect(collection.isChildDocument(parent.id, document.id)).toEqual(true);
+    expect(collection.isChildDocument(document.id, parent.id)).toEqual(false);
+  });
+});
+
 describe("#addDocumentToStructure", () => {
  test("should add as last element without index", async () => {
    const { collection } = await seed();
--- a/server/models/Share.js
+++ b/server/models/Share.js
@@ -10,6 +10,7 @@ const Share = sequelize.define(
      primaryKey: true,
    },
    published: DataTypes.BOOLEAN,
+    includeChildDocuments: DataTypes.BOOLEAN,
    revokedAt: DataTypes.DATE,
    revokedById: DataTypes.UUID,
    lastAccessedAt: DataTypes.DATE,
--- a/server/presenters/share.js
+++ b/server/presenters/share.js
@@ -11,6 +11,7 @@ export default function present(share: Share, isAdmin: boolean = false) {
    published: share.published,
    url: `${share.team.url}/share/${share.id}`,
    createdBy: presentUser(share.user),
+    includeChildDocuments: share.includeChildDocuments,
    lastAccessedAt: share.lastAccessedAt,
    createdAt: share.createdAt,
    updatedAt: share.updatedAt,