Add security preference for workspace creation in cloud (#6801)

2024-04-13 07:01:15 -06:00
parent 1ee82e780e
commit 8490f5d558
8 changed files with 46 additions and 3 deletions
--- a/server/migrations/20240413042634-member-team-create.js
+++ b/server/migrations/20240413042634-member-team-create.js
@@ -0,0 +1,15 @@
+"use strict";
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addColumn("teams", "memberTeamCreate", {
+      type: Sequelize.BOOLEAN,
+      defaultValue: true,
+      allowNull: false,
+    });
+  },
+
+  down: async (queryInterface) => {
+    await queryInterface.removeColumn("teams", "memberTeamCreate");
+  },
+};
--- a/server/models/Team.ts
+++ b/server/models/Team.ts
@@ -152,6 +152,10 @@ class Team extends ParanoidModel<
  @Column
  memberCollectionCreate: boolean;

+  @Default(true)
+  @Column
+  memberTeamCreate: boolean;
+
  @Default(UserRole.Member)
  @IsIn([[UserRole.Viewer, UserRole.Member]])
  @Column(DataType.STRING)
--- a/server/policies/team.ts
+++ b/server/policies/team.ts
@@ -1,6 +1,6 @@
 import { Team, User } from "@server/models";
 import { allow } from "./cancan";
-import { and, isCloudHosted, isTeamAdmin, isTeamModel } from "./utils";
+import { and, isCloudHosted, isTeamAdmin, isTeamModel, or } from "./utils";

 allow(User, "read", Team, isTeamModel);

@@ -13,12 +13,13 @@ allow(User, "share", Team, (actor, team) =>
  )
 );

-allow(User, "createTeam", Team, (actor) =>
+allow(User, "createTeam", Team, (actor, team) =>
  and(
    //
    isCloudHosted(),
    !actor.isGuest,
-    !actor.isViewer
+    !actor.isViewer,
+    or(actor.isAdmin, !!team?.memberTeamCreate)
  )
 );

--- a/server/presenters/team.ts
+++ b/server/presenters/team.ts
@@ -7,6 +7,7 @@ export default function presentTeam(team: Team) {
    avatarUrl: team.avatarUrl,
    sharing: team.sharing,
    memberCollectionCreate: team.memberCollectionCreate,
+    memberTeamCreate: team.memberTeamCreate,
    defaultCollectionId: team.defaultCollectionId,
    documentEmbeds: team.documentEmbeds,
    guestSignin: team.emailSigninEnabled,
--- a/server/routes/api/teams/schema.ts
+++ b/server/routes/api/teams/schema.ts
@@ -18,6 +18,8 @@ export const TeamsUpdateSchema = BaseSchema.extend({
    documentEmbeds: z.boolean().optional(),
    /** Whether team members are able to create new collections */
    memberCollectionCreate: z.boolean().optional(),
+    /** Whether team members are able to create new workspaces */
+    memberTeamCreate: z.boolean().optional(),
    /** The default landing collection for the team */
    defaultCollectionId: z.string().uuid().nullish(),
    /** The default user role */