yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Nested document sharing (#2075)

Browse Source 
* migration

* frontend routing, api permissioning

* feat: apiVersion=2

* feat: re-writing document links to point to share

* poc nested documents on share links

* fix: nested shareId permissions

* ui and language tweaks, comments

* breadcrumbs

* Add icons to reference list items

* refactor: Breadcrumb component

* tweaks

* Add shared parent note
This commit is contained in:
Tom Moor
2021-05-22 19:34:05 -07:00
committed by GitHub
parent dc4b5588b7
commit 44920a25f4
31 changed files with 1134 additions and 282 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
server/api/documents.js
View File

@@ -471,11 +471,17 @@ router.post("documents.drafts", auth(), pagination(), async (ctx) => {
};
});
async function loadDocument({ id, shareId, user }) {
async function loadDocument({
id,
shareId,
user,
}): Promise<{ document: Document, share?: Share, collection: Collection }> {
let document;
let collection;
let share;
if (shareId) {
const share = await Share.findOne({
share = await Share.findOne({
where: {
revokedAt: { [Op.eq]: null },
id: shareId,
@@ -497,7 +503,20 @@ async function loadDocument({ id, shareId, user }) {
throw new InvalidRequestError("Document could not be found for shareId");
}
if (user) {
// It is possible to pass both an id and a shareId to the documents.info
// endpoint. In this case we'll load the document based on the `id` and check
// if the provided share token allows access. This is used by the frontend
// to navigate nested documents from a single share link.
if (id) {
document = await Document.findByPk(id, {
userId: user ? user.id : undefined,
paranoid: false,
});
// otherwise, if the user has an authenticated session make sure to load
// with their details so that we can return the correct policies, they may
// be able to edit the shared document
} else if (user) {
document = await Document.findByPk(share.documentId, {
userId: user.id,
paranoid: false,
@@ -506,15 +525,31 @@ async function loadDocument({ id, shareId, user }) {
document = share.document;
}
// "published" === on the public internet. So if the share isn't published
// then we must have permission to read the document
if (!share.published) {
authorize(user, "read", document);
}
const collection = await Collection.findByPk(document.collectionId);
// It is possible to disable sharing at the collection so we must check
collection = await Collection.findByPk(document.collectionId);
if (!collection.sharing) {
throw new AuthorizationError();
}
// If we're attempting to load a document that isn't the document originally
// shared then includeChildDocuments must be enabled and the document must
// still be nested within the shared document
if (share.document.id !== document.id) {
if (
!share.includeChildDocuments ||
!collection.isChildDocument(share.document.id, document.id)
) {
throw new AuthorizationError();
}
}
// It is possible to disable sharing at the team level so we must check
const team = await Team.findByPk(document.teamId);
if (!team.sharing) {
throw new AuthorizationError();
@@ -535,21 +570,41 @@ async function loadDocument({ id, shareId, user }) {
} else {
authorize(user, "read", document);
}
collection = document.collection;
}
return document;
return { document, share, collection };
}
router.post("documents.info", auth({ required: false }), async (ctx) => {
const { id, shareId } = ctx.body;
const { id, shareId, apiVersion } = ctx.body;
ctx.assertPresent(id || shareId, "id or shareId is required");
const user = ctx.state.user;
const document = await loadDocument({ id, shareId, user });
const { user } = ctx.state;
const { document, share, collection } = await loadDocument({
id,
shareId,
user,
});
const isPublic = cannot(user, "read", document);
const serializedDocument = await presentDocument(document, { isPublic });
// Passing apiVersion=2 has a single effect, to change the response payload to
// include document and sharedTree keys.
const data =
apiVersion === 2
? {
document: serializedDocument,
sharedTree:
share && share.includeChildDocuments
? collection.getDocumentTree(share.documentId)
: undefined,
}
: serializedDocument;
ctx.body = {
data: await presentDocument(document, { isPublic }),
data,
policies: isPublic ? undefined : presentPolicies(user, [document]),
};
});
@@ -559,7 +614,7 @@ router.post("documents.export", auth({ required: false }), async (ctx) => {
ctx.assertPresent(id || shareId, "id or shareId is required");
const user = ctx.state.user;
const document = await loadDocument({ id, shareId, user });
const { document } = await loadDocument({ id, shareId, user });
ctx.body = {
data: document.toMarkdown(),

103
server/api/documents.test.js
View File

@@ -98,6 +98,109 @@ describe("#documents.info", () => {
expect(share.lastAccessedAt).toBeTruthy();
});
describe("apiVersion=2", () => {
it("should return sharedTree from shareId", async () => {
const { document, collection, user } = await seed();
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/documents.info", {
body: { shareId: share.id, id: childDocument.id, apiVersion: 2 },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.document.id).toEqual(childDocument.id);
expect(body.data.document.createdBy).toEqual(undefined);
expect(body.data.document.updatedBy).toEqual(undefined);
expect(body.data.sharedTree).toEqual(collection.documentStructure[0]);
await share.reload();
expect(share.lastAccessedAt).toBeTruthy();
});
it("should return sharedTree from shareId with id of nested document", async () => {
const { document, user } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
const res = await server.post("/api/documents.info", {
body: { shareId: share.id, apiVersion: 2 },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.document.id).toEqual(document.id);
expect(body.data.document.createdBy).toEqual(undefined);
expect(body.data.document.updatedBy).toEqual(undefined);
expect(body.data.sharedTree).toEqual(document.toJSON());
await share.reload();
expect(share.lastAccessedAt).toBeTruthy();
});
it("should not return sharedTree if child documents not shared", async () => {
const { document, user } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: false,
});
const res = await server.post("/api/documents.info", {
body: { shareId: share.id, apiVersion: 2 },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.document.id).toEqual(document.id);
expect(body.data.document.createdBy).toEqual(undefined);
expect(body.data.document.updatedBy).toEqual(undefined);
expect(body.data.sharedTree).toEqual(undefined);
await share.reload();
expect(share.lastAccessedAt).toBeTruthy();
});
it("should not return details for nested documents", async () => {
const { document, collection, user } = await seed();
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: false,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/documents.info", {
body: { shareId: share.id, id: childDocument.id, apiVersion: 2 },
});
expect(res.status).toEqual(403);
});
});
it("should not return document from shareId if sharing is disabled for team", async () => {
const { document, team, user } = await seed();
const share = await buildShare({

83
server/api/shares.js
View File

@@ -13,11 +13,12 @@ const { authorize } = policy;
const router = new Router();
router.post("shares.info", auth(), async (ctx) => {
const { id, documentId } = ctx.body;
const { id, documentId, apiVersion } = ctx.body;
ctx.assertUuid(id || documentId, "id or documentId is required");
const user = ctx.state.user;
const share = await Share.findOne({
let shares = [];
let share = await Share.findOne({
where: id
? {
id,
@@ -29,15 +30,62 @@ router.post("shares.info", auth(), async (ctx) => {
revokedAt: { [Op.eq]: null },
},
});
if (!share || !share.document) {
// Deprecated API response returns just the share for the current documentId
if (apiVersion !== 2) {
if (!share || !share.document) {
return (ctx.response.status = 204);
}
authorize(user, "read", share);
ctx.body = {
data: presentShare(share, user.isAdmin),
policies: presentPolicies(user, [share]),
};
return;
}
// API version 2 returns the response for the current documentId and any
// parent documents that are publicly shared and accessible to the user
if (share && share.document) {
authorize(user, "read", share);
shares.push(share);
}
if (documentId) {
const document = await Document.scope("withCollection").findByPk(
documentId
);
const parentIds = document?.collection?.getDocumentParents(documentId);
const parentShare = parentIds
? await Share.findOne({
where: {
documentId: parentIds,
teamId: user.teamId,
revokedAt: { [Op.eq]: null },
includeChildDocuments: true,
published: true,
},
})
: undefined;
if (parentShare && parentShare.document) {
authorize(user, "read", parentShare);
shares.push(parentShare);
}
}
if (!shares.length) {
return (ctx.response.status = 204);
}
authorize(user, "read", share);
ctx.body = {
data: presentShare(share, user.isAdmin),
policies: presentPolicies(user, [share]),
data: {
shares: shares.map((share) => presentShare(share, user.isAdmin)),
},
policies: presentPolicies(user, shares),
};
});
@@ -95,15 +143,28 @@ router.post("shares.list", auth(), pagination(), async (ctx) => {
});
router.post("shares.update", auth(), async (ctx) => {
const { id, published } = ctx.body;
const { id, includeChildDocuments, published } = ctx.body;
ctx.assertUuid(id, "id is required");
ctx.assertPresent(published, "published is required");
const user = ctx.state.user;
const { user } = ctx.state;
const share = await Share.findByPk(id);
authorize(user, "update", share);
share.published = published;
if (published !== undefined) {
share.published = published;
// Reset nested document sharing when unpublishing a share link. So that
// If it's ever re-published this doesn't immediately share nested docs
// without forewarning the user
if (!published) {
share.includeChildDocuments = false;
}
}
if (includeChildDocuments !== undefined) {
share.includeChildDocuments = includeChildDocuments;
}
await share.save();
await Event.create({

133
server/api/shares.test.js
View File

@@ -2,7 +2,7 @@
import TestServer from "fetch-test-server";
import app from "../app";
import { CollectionUser } from "../models";
import { buildUser, buildShare } from "../test/factories";
import { buildUser, buildDocument, buildShare } from "../test/factories";
import { flushdb, seed } from "../test/support";
const server = new TestServer(app.callback());
@@ -260,7 +260,7 @@ describe("#shares.info", () => {
expect(body.data.createdBy.id).toBe(user.id);
});
it("should allow reading share creaded by deleted user", async () => {
it("should allow reading share created by deleted user", async () => {
const { user, document } = await seed();
const author = await buildUser({ teamId: user.teamId });
const share = await buildShare({
@@ -347,6 +347,135 @@ describe("#shares.info", () => {
expect(res.status).toEqual(204);
});
describe("apiVersion=2", () => {
it("should allow reading share by documentId", async () => {
const { user, document } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.info", {
body: {
token: user.getJwtToken(),
documentId: document.id,
apiVersion: 2,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(1);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].published).toBe(true);
});
it("should return share for parent document with includeChildDocuments=true", async () => {
const { user, document, collection } = await seed();
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", {
body: {
token: user.getJwtToken(),
documentId: childDocument.id,
apiVersion: 2,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(1);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].documentId).toBe(document.id);
expect(body.data.shares[0].published).toBe(true);
expect(body.data.shares[0].includeChildDocuments).toBe(true);
});
it("should not return share for parent document with includeChildDocuments=false", async () => {
const { user, document, collection } = await seed();
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: false,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", {
body: {
token: user.getJwtToken(),
documentId: childDocument.id,
apiVersion: 2,
},
});
expect(res.status).toEqual(204);
});
it("should return shares for parent document and current document", async () => {
const { user, document, collection } = await seed();
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: childDocument.id,
teamId: user.teamId,
userId: user.id,
includeChildDocuments: false,
});
const share2 = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", {
body: {
token: user.getJwtToken(),
documentId: childDocument.id,
apiVersion: 2,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(2);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].includeChildDocuments).toBe(false);
expect(body.data.shares[0].documentId).toBe(childDocument.id);
expect(body.data.shares[0].published).toBe(true);
expect(body.data.shares[1].id).toBe(share2.id);
expect(body.data.shares[1].documentId).toBe(document.id);
expect(body.data.shares[1].published).toBe(true);
expect(body.data.shares[1].includeChildDocuments).toBe(true);
});
});
it("should require authentication", async () => {
const { user, document } = await seed();
const share = await buildShare({