feat: docs managers can action docs & create subdocs (#7077)

* feat: docs managers can action docs & create subdocs * tests --------- Co-authored-by: Tom Moor <tom.moor@gmail.com>
2024-06-19 19:22:33 -07:00
parent 2333602f25
commit 95b9453269
11 changed files with 271 additions and 136 deletions
--- a/server/policies/document.test.ts
+++ b/server/policies/document.test.ts
@@ -1,5 +1,9 @@
-import { CollectionPermission, UserRole } from "@shared/types";
-import { Document } from "@server/models";
+import {
+  CollectionPermission,
+  DocumentPermission,
+  UserRole,
+} from "@shared/types";
+import { Document, UserMembership } from "@server/models";
 import {
  buildUser,
  buildTeam,
@@ -28,6 +32,7 @@ describe("read_write collection", () => {
    expect(abilities.download).toEqual(true);
    expect(abilities.update).toEqual(true);
    expect(abilities.createChildDocument).toEqual(true);
+    expect(abilities.manageUsers).toEqual(true);
    expect(abilities.archive).toEqual(true);
    expect(abilities.delete).toEqual(true);
    expect(abilities.share).toEqual(true);
@@ -56,6 +61,7 @@ describe("read_write collection", () => {
    expect(abilities.download).toEqual(true);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.delete).toEqual(false);
    expect(abilities.share).toEqual(false);
@@ -86,6 +92,7 @@ describe("read_write collection", () => {
    expect(abilities.download).toEqual(false);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.delete).toEqual(false);
    expect(abilities.share).toEqual(false);
@@ -145,6 +152,7 @@ describe("read collection", () => {
    expect(abilities.download).toEqual(false);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.delete).toEqual(false);
    expect(abilities.share).toEqual(false);
@@ -172,6 +180,7 @@ describe("private collection", () => {
    expect(abilities.download).toEqual(false);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.delete).toEqual(false);
    expect(abilities.share).toEqual(false);
@@ -200,6 +209,7 @@ describe("private collection", () => {
    expect(abilities.download).toEqual(false);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.delete).toEqual(false);
    expect(abilities.share).toEqual(false);
@@ -297,9 +307,121 @@ describe("archived document", () => {
    expect(abilities.unarchive).toEqual(true);
    expect(abilities.update).toEqual(false);
    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
    expect(abilities.archive).toEqual(false);
    expect(abilities.share).toEqual(false);
    expect(abilities.move).toEqual(false);
    expect(abilities.comment).toEqual(false);
  });
 });
+
+describe("read document", () => {
+  it("should allow read permissions for team member", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const collection = await buildCollection({
+      teamId: team.id,
+      permission: null,
+    });
+    const doc = await buildDocument({
+      teamId: team.id,
+      collectionId: collection.id,
+    });
+    await UserMembership.create({
+      userId: user.id,
+      documentId: doc.id,
+      permission: DocumentPermission.Read,
+      createdById: user.id,
+    });
+
+    // reload to get membership
+    const document = await Document.findByPk(doc.id, { userId: user.id });
+    const abilities = serialize(user, document);
+    expect(abilities.read).toEqual(true);
+    expect(abilities.download).toEqual(true);
+    expect(abilities.subscribe).toEqual(true);
+    expect(abilities.unsubscribe).toEqual(true);
+    expect(abilities.comment).toEqual(true);
+    expect(abilities.update).toEqual(false);
+    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
+    expect(abilities.archive).toEqual(false);
+    expect(abilities.delete).toEqual(false);
+    expect(abilities.share).toEqual(false);
+    expect(abilities.move).toEqual(false);
+  });
+});
+
+describe("read_write document", () => {
+  it("should allow write permissions for team member", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const collection = await buildCollection({
+      teamId: team.id,
+      permission: null,
+    });
+    const doc = await buildDocument({
+      teamId: team.id,
+      collectionId: collection.id,
+    });
+    await UserMembership.create({
+      userId: user.id,
+      documentId: doc.id,
+      permission: DocumentPermission.ReadWrite,
+      createdById: user.id,
+    });
+
+    // reload to get membership
+    const document = await Document.findByPk(doc.id, { userId: user.id });
+    const abilities = serialize(user, document);
+    expect(abilities.read).toEqual(true);
+    expect(abilities.download).toEqual(true);
+    expect(abilities.update).toEqual(true);
+    expect(abilities.delete).toEqual(true);
+    expect(abilities.subscribe).toEqual(true);
+    expect(abilities.unsubscribe).toEqual(true);
+    expect(abilities.comment).toEqual(true);
+    expect(abilities.createChildDocument).toEqual(false);
+    expect(abilities.manageUsers).toEqual(false);
+    expect(abilities.archive).toEqual(false);
+    expect(abilities.share).toEqual(false);
+    expect(abilities.move).toEqual(false);
+  });
+});
+
+describe("manage document", () => {
+  it("should allow write permissions, user management, and sub-document creation", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const collection = await buildCollection({
+      teamId: team.id,
+      permission: null,
+    });
+    const doc = await buildDocument({
+      teamId: team.id,
+      collectionId: collection.id,
+    });
+    await UserMembership.create({
+      userId: user.id,
+      documentId: doc.id,
+      permission: DocumentPermission.Admin,
+      createdById: user.id,
+    });
+
+    // reload to get membership
+    const document = await Document.findByPk(doc.id, { userId: user.id });
+    const abilities = serialize(user, document);
+    expect(abilities.read).toEqual(true);
+    expect(abilities.download).toEqual(true);
+    expect(abilities.update).toEqual(true);
+    expect(abilities.delete).toEqual(true);
+    expect(abilities.subscribe).toEqual(true);
+    expect(abilities.unsubscribe).toEqual(true);
+    expect(abilities.comment).toEqual(true);
+    expect(abilities.createChildDocument).toEqual(true);
+    expect(abilities.manageUsers).toEqual(true);
+    expect(abilities.archive).toEqual(true);
+    expect(abilities.move).toEqual(true);
+    expect(abilities.share).toEqual(false);
+  });
+});
--- a/server/policies/document.ts
+++ b/server/policies/document.ts
@@ -129,7 +129,10 @@ allow(User, ["move", "duplicate", "manageUsers"], Document, (actor, document) =>
 allow(User, "createChildDocument", Document, (actor, document) =>
  and(
    can(actor, "update", document),
-    can(actor, "read", document?.collection),
+    or(
+      includesMembership(document, [DocumentPermission.Admin]),
+      can(actor, "read", document?.collection)
+    ),
    !document?.isDraft,
    !document?.template,
    !actor.isGuest
@@ -181,10 +184,8 @@ allow(User, ["restore", "permanentDelete"], Document, (actor, document) =>
        DocumentPermission.ReadWrite,
        DocumentPermission.Admin,
      ]),
-      or(
-        can(actor, "updateDocument", document?.collection),
-        and(!!document?.isDraft && actor.id === document?.createdById)
-      ),
+      can(actor, "updateDocument", document?.collection),
+      and(!!document?.isDraft && actor.id === document?.createdById),
      !document?.collection
    )
  )
@@ -197,7 +198,10 @@ allow(User, "archive", Document, (actor, document) =>
    !document?.isDraft,
    !!document?.isActive,
    can(actor, "update", document),
-    can(actor, "updateDocument", document?.collection)
+    or(
+      includesMembership(document, [DocumentPermission.Admin]),
+      can(actor, "updateDocument", document?.collection)
+    )
  )
 );

@@ -208,20 +212,15 @@ allow(User, "unarchive", Document, (actor, document) =>
    !document?.isDraft,
    !document?.isDeleted,
    !!document?.archivedAt,
-    and(
-      can(actor, "read", document),
-      or(
-        includesMembership(document, [
-          DocumentPermission.ReadWrite,
-          DocumentPermission.Admin,
-        ]),
-        or(
-          can(actor, "updateDocument", document?.collection),
-          and(!!document?.isDraft && actor.id === document?.createdById)
-        )
-      )
-    ),
-    can(actor, "updateDocument", document?.collection)
+    can(actor, "read", document),
+    or(
+      includesMembership(document, [
+        DocumentPermission.ReadWrite,
+        DocumentPermission.Admin,
+      ]),
+      can(actor, "updateDocument", document?.collection),
+      and(!!document?.isDraft && actor.id === document?.createdById)
+    )
  )
 );