Add security preference for workspace creation in cloud (#6801)

2024-04-13 07:01:15 -06:00
parent 1ee82e780e
commit 8490f5d558
8 changed files with 46 additions and 3 deletions
--- a/app/models/Team.ts
+++ b/app/models/Team.ts
@@ -44,6 +44,10 @@ class Team extends Model {
  @observable
  memberCollectionCreate: boolean;

+  @Field
+  @observable
+  memberTeamCreate: boolean;
+
  @Field
  @observable
  guestSignin: boolean;
--- a/app/scenes/Settings/Security.tsx
+++ b/app/scenes/Settings/Security.tsx
@@ -34,6 +34,7 @@ function Security() {
    guestSignin: team.guestSignin,
    defaultUserRole: team.defaultUserRole,
    memberCollectionCreate: team.memberCollectionCreate,
+    memberTeamCreate: team.memberTeamCreate,
    inviteRequired: team.inviteRequired,
  });

@@ -300,6 +301,19 @@ function Security() {
          onChange={handleChange}
        />
      </SettingRow>
+      {isCloudHosted && (
+        <SettingRow
+          label={t("Workspace creation")}
+          name="memberTeamCreate"
+          description={t("Allow editors to create new workspaces")}
+        >
+          <Switch
+            id="memberTeamCreate"
+            checked={data.memberTeamCreate}
+            onChange={handleChange}
+          />
+        </SettingRow>
+      )}
    </Scene>
  );
 }
--- a/server/migrations/20240413042634-member-team-create.js
+++ b/server/migrations/20240413042634-member-team-create.js
@@ -0,0 +1,15 @@
+"use strict";
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addColumn("teams", "memberTeamCreate", {
+      type: Sequelize.BOOLEAN,
+      defaultValue: true,
+      allowNull: false,
+    });
+  },
+
+  down: async (queryInterface) => {
+    await queryInterface.removeColumn("teams", "memberTeamCreate");
+  },
+};
--- a/server/models/Team.ts
+++ b/server/models/Team.ts
@@ -152,6 +152,10 @@ class Team extends ParanoidModel<
  @Column
  memberCollectionCreate: boolean;

+  @Default(true)
+  @Column
+  memberTeamCreate: boolean;
+
  @Default(UserRole.Member)
  @IsIn([[UserRole.Viewer, UserRole.Member]])
  @Column(DataType.STRING)
--- a/server/policies/team.ts
+++ b/server/policies/team.ts
@@ -1,6 +1,6 @@
 import { Team, User } from "@server/models";
 import { allow } from "./cancan";
-import { and, isCloudHosted, isTeamAdmin, isTeamModel } from "./utils";
+import { and, isCloudHosted, isTeamAdmin, isTeamModel, or } from "./utils";

 allow(User, "read", Team, isTeamModel);

@@ -13,12 +13,13 @@ allow(User, "share", Team, (actor, team) =>
  )
 );

-allow(User, "createTeam", Team, (actor) =>
+allow(User, "createTeam", Team, (actor, team) =>
  and(
    //
    isCloudHosted(),
    !actor.isGuest,
-    !actor.isViewer
+    !actor.isViewer,
+    or(actor.isAdmin, !!team?.memberTeamCreate)
  )
 );

--- a/server/presenters/team.ts
+++ b/server/presenters/team.ts
@@ -7,6 +7,7 @@ export default function presentTeam(team: Team) {
    avatarUrl: team.avatarUrl,
    sharing: team.sharing,
    memberCollectionCreate: team.memberCollectionCreate,
+    memberTeamCreate: team.memberTeamCreate,
    defaultCollectionId: team.defaultCollectionId,
    documentEmbeds: team.documentEmbeds,
    guestSignin: team.emailSigninEnabled,
--- a/server/routes/api/teams/schema.ts
+++ b/server/routes/api/teams/schema.ts
@@ -18,6 +18,8 @@ export const TeamsUpdateSchema = BaseSchema.extend({
    documentEmbeds: z.boolean().optional(),
    /** Whether team members are able to create new collections */
    memberCollectionCreate: z.boolean().optional(),
+    /** Whether team members are able to create new workspaces */
+    memberTeamCreate: z.boolean().optional(),
    /** The default landing collection for the team */
    defaultCollectionId: z.string().uuid().nullish(),
    /** The default user role */
--- a/shared/i18n/locales/en_US/translation.json
+++ b/shared/i18n/locales/en_US/translation.json
@@ -930,6 +930,8 @@
  "Links to supported services are shown as rich embeds within your documents": "Links to supported services are shown as rich embeds within your documents",
  "Collection creation": "Collection creation",
  "Allow editors to create new collections within the workspace": "Allow editors to create new collections within the workspace",
+  "Workspace creation": "Workspace creation",
+  "Allow editors to create new workspaces": "Allow editors to create new workspaces",
  "Draw.io deployment": "Draw.io deployment",
  "Add your self-hosted draw.io installation url here to enable automatic embedding of diagrams within documents.": "Add your self-hosted draw.io installation url here to enable automatic embedding of diagrams within documents.",
  "Grist deployment": "Grist deployment",