yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: SSR meta data for nested shared documents (#3646)

Browse Source
This commit is contained in:
Tom Moor
2022-06-08 01:38:34 -07:00
committed by GitHub
parent 80ad6cfec8
commit aed8d7a649
6 changed files with 307 additions and 275 deletions
Download Patch File Download Diff File Expand all files Collapse all files

180
server/routes/api/documents.ts
View File

@@ -5,6 +5,7 @@ import { Op, ScopeOptions, WhereOptions } from "sequelize";
import { subtractDate } from "@shared/utils/date";
import documentCreator from "@server/commands/documentCreator";
import documentImporter from "@server/commands/documentImporter";
import documentLoader from "@server/commands/documentLoader";
import documentMover from "@server/commands/documentMover";
import documentPermanentDeleter from "@server/commands/documentPermanentDeleter";
import documentUpdater from "@server/commands/documentUpdater";
@@ -12,7 +13,6 @@ import { sequelize } from "@server/database/sequelize";
import {
NotFoundError,
InvalidRequestError,
AuthorizationError,
AuthenticationError,
} from "@server/errors";
import auth from "@server/middlewares/authentication";
@@ -23,13 +23,12 @@ import {
Event,
Revision,
SearchQuery,
Share,
Star,
User,
View,
Team,
} from "@server/models";
import { authorize, cannot, can } from "@server/policies";
import { authorize, cannot } from "@server/policies";
import {
presentCollection,
presentDocument,
@@ -382,175 +381,6 @@ router.post("documents.drafts", auth(), pagination(), async (ctx) => {
};
});
async function loadDocument({
id,
shareId,
user,
}: {
id?: string;
shareId?: string;
user?: User;
}): Promise<{
document: Document;
share?: Share;
collection: Collection;
}> {
let document;
let collection;
let share;
if (!shareId && !(id && user)) {
throw AuthenticationError(`Authentication or shareId required`);
}
if (shareId) {
share = await Share.findOne({
where: {
revokedAt: {
[Op.is]: null,
},
id: shareId,
},
include: [
{
// unscoping here allows us to return unpublished documents
model: Document.unscoped(),
include: [
{
model: User,
as: "createdBy",
paranoid: false,
},
{
model: User,
as: "updatedBy",
paranoid: false,
},
],
required: true,
as: "document",
},
],
});
if (!share || share.document.archivedAt) {
throw InvalidRequestError("Document could not be found for shareId");
}
// It is possible to pass both an id and a shareId to the documents.info
// endpoint. In this case we'll load the document based on the `id` and check
// if the provided share token allows access. This is used by the frontend
// to navigate nested documents from a single share link.
if (id) {
document = await Document.findByPk(id, {
userId: user ? user.id : undefined,
paranoid: false,
}); // otherwise, if the user has an authenticated session make sure to load
// with their details so that we can return the correct policies, they may
// be able to edit the shared document
} else if (user) {
document = await Document.findByPk(share.documentId, {
userId: user.id,
paranoid: false,
});
} else {
document = share.document;
}
invariant(document, "document not found");
// If the user has access to read the document, we can just update
// the last access date and return the document without additional checks.
const canReadDocument = user && can(user, "read", document);
if (canReadDocument) {
await share.update({
lastAccessedAt: new Date(),
});
// Cannot use document.collection here as it does not include the
// documentStructure by default through the relationship.
collection = await Collection.findByPk(document.collectionId);
invariant(collection, "collection not found");
return {
document,
share,
collection,
};
}
// "published" === on the public internet.
// We already know that there's either no logged in user or the user doesn't
// have permission to read the document, so we can throw an error.
if (!share.published) {
throw AuthorizationError();
}
// It is possible to disable sharing at the collection so we must check
collection = await Collection.findByPk(document.collectionId);
invariant(collection, "collection not found");
if (!collection.sharing) {
throw AuthorizationError();
}
// If we're attempting to load a document that isn't the document originally
// shared then includeChildDocuments must be enabled and the document must
// still be active and nested within the shared document
if (share.document.id !== document.id) {
if (!share.includeChildDocuments) {
throw AuthorizationError();
}
const childDocumentIds = await share.document.getChildDocumentIds({
archivedAt: {
[Op.is]: null,
},
});
if (!childDocumentIds.includes(document.id)) {
throw AuthorizationError();
}
}
// It is possible to disable sharing at the team level so we must check
const team = await Team.findByPk(document.teamId);
invariant(team, "team not found");
if (!team.sharing) {
throw AuthorizationError();
}
await share.update({
lastAccessedAt: new Date(),
});
} else {
document = await Document.findByPk(id as string, {
userId: user ? user.id : undefined,
paranoid: false,
});
if (!document) {
throw NotFoundError();
}
if (document.deletedAt) {
// don't send data if user cannot restore deleted doc
user && authorize(user, "restore", document);
} else {
user && authorize(user, "read", document);
}
collection = document.collection;
}
return {
document,
share,
collection,
};
}
router.post(
"documents.info",
auth({
@@ -560,7 +390,7 @@ router.post(
const { id, shareId, apiVersion } = ctx.body;
assertPresent(id || shareId, "id or shareId is required");
const { user } = ctx.state;
const { document, share, collection } = await loadDocument({
const { document, share, collection } = await documentLoader({
id,
shareId,
user,
@@ -598,7 +428,7 @@ router.post(
const { id, shareId } = ctx.body;
assertPresent(id || shareId, "id or shareId is required");
const { user } = ctx.state;
const { document } = await loadDocument({
const { document } = await documentLoader({
id,
shareId,
user,
@@ -786,7 +616,7 @@ router.post(
let response;
if (shareId) {
const { share, document } = await loadDocument({
const { share, document } = await documentLoader({
shareId,
user,
});