feat: Memberships (#1032)

* WIP * feat: Add collection.memberships endpoint * feat: Add ability to filter collection.memberships with query * WIP * Merge stashed work * feat: Add ability to filter memberships by permission * continued refactoring * paginated list component * Collection member management * fix: Incorrect policy data sent down after collection.update * Reduce duplication, add empty state * cleanup * fix: Modal close should be a real button * fix: Allow opening edit from modal * fix: remove unused methods * test: fix * Passing test suite * Refactor * fix: Flow UI errors * test: Add collections.update tests * lint * test: moar tests * fix: Missing scopes, more missing tests * fix: Handle collection privacy change over socket * fix: More membership scopes * fix: view endpoint permissions * fix: respond to privacy change on socket event * policy driven menus * fix: share endpoint policies * chore: Use policies to drive documents UI * alignment * fix: Header height * fix: Correct behavior when collection becomes private * fix: Header height for read-only collection * send id's over socket instead of serialized objects * fix: Remote policy change * fix: reduce collection fetching * More websocket efficiencies * fix: Document collection pinning * fix: Restored ability to edit drafts fix: Removed ability to star drafts * fix: Require write permissions to pin doc to collection * fix: Header title overlaying document actions at small screen sizes * fix: Jank on load caused by previous commit * fix: Double collection fetch post-publish * fix: Hide publish button if draft is in no longer accessible collection * fix: Always allow deleting drafts fix: Improved handling of deleted documents * feat: Show collections in drafts view feat: Show more obvious 'draft' badge on documents * fix: incorrect policies after publish to private collection * fix: Duplicating a draft publishes it
2019-10-05 18:42:03 -07:00
parent 4164fc178c
commit b42e9737b6
72 changed files with 2360 additions and 765 deletions
--- a/server/api/collections.test.js
+++ b/server/api/collections.test.js
@@ -3,7 +3,7 @@ import TestServer from 'fetch-test-server';
 import app from '../app';
 import { flushdb, seed } from '../test/support';
 import { buildUser, buildCollection } from '../test/factories';
-import { Collection } from '../models';
+import { Collection, CollectionUser } from '../models';
 const server = new TestServer(app.callback());

 beforeEach(flushdb);
@@ -28,6 +28,8 @@ describe('#collections.list', async () => {
    expect(res.status).toEqual(200);
    expect(body.data.length).toEqual(1);
    expect(body.data[0].id).toEqual(collection.id);
+    expect(body.policies.length).toEqual(1);
+    expect(body.policies[0].abilities.read).toEqual(true);
  });

  it('should not return private collections not a member of', async () => {
@@ -60,11 +62,13 @@ describe('#collections.list', async () => {

    expect(res.status).toEqual(200);
    expect(body.data.length).toEqual(2);
+    expect(body.policies.length).toEqual(2);
+    expect(body.policies[0].abilities.read).toEqual(true);
  });
 });

 describe('#collections.export', async () => {
-  it('should require user to be a member', async () => {
+  it('should now allow export of private collection not a member', async () => {
    const { user } = await seed();
    const collection = await buildCollection({
      private: true,
@@ -77,6 +81,25 @@ describe('#collections.export', async () => {
    expect(res.status).toEqual(403);
  });

+  it('should allow export of private collection', async () => {
+    const { user, collection } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      createdById: user.id,
+      collectionId: collection.id,
+      userId: user.id,
+      permission: 'read',
+    });
+
+    const res = await server.post('/api/collections.export', {
+      body: { token: user.getJwtToken(), id: collection.id },
+    });
+
+    expect(res.status).toEqual(200);
+  });
+
  it('should require authentication', async () => {
    const res = await server.post('/api/collections.export');
    const body = await res.json();
@@ -272,12 +295,25 @@ describe('#collections.remove_user', async () => {
 });

 describe('#collections.users', async () => {
-  it('should return members in private collection', async () => {
+  it('should return users in private collection', async () => {
    const { collection, user } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      createdById: user.id,
+      collectionId: collection.id,
+      userId: user.id,
+      permission: 'read',
+    });
+
    const res = await server.post('/api/collections.users', {
      body: { token: user.getJwtToken(), id: collection.id },
    });
+    const body = await res.json();
+
    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(1);
  });

  it('should require authentication', async () => {
@@ -298,6 +334,109 @@ describe('#collections.users', async () => {
  });
 });

+describe('#collections.memberships', async () => {
+  it('should return members in private collection', async () => {
+    const { collection, user } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      createdById: user.id,
+      collectionId: collection.id,
+      userId: user.id,
+      permission: 'read_write',
+    });
+
+    const res = await server.post('/api/collections.memberships', {
+      body: { token: user.getJwtToken(), id: collection.id },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(1);
+    expect(body.data.users[0].id).toEqual(user.id);
+    expect(body.data.memberships.length).toEqual(1);
+    expect(body.data.memberships[0].permission).toEqual('read_write');
+  });
+
+  it('should allow filtering members in collection by name', async () => {
+    const { collection, user } = await seed();
+    const user2 = await buildUser({ name: "Won't find" });
+    await CollectionUser.create({
+      createdById: user.id,
+      collectionId: collection.id,
+      userId: user.id,
+      permission: 'read_write',
+    });
+    await CollectionUser.create({
+      createdById: user2.id,
+      collectionId: collection.id,
+      userId: user2.id,
+      permission: 'read_write',
+    });
+
+    const res = await server.post('/api/collections.memberships', {
+      body: {
+        token: user.getJwtToken(),
+        id: collection.id,
+        query: user.name.slice(0, 3),
+      },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(1);
+    expect(body.data.users[0].id).toEqual(user.id);
+  });
+
+  it('should allow filtering members in collection by permission', async () => {
+    const { collection, user } = await seed();
+    const user2 = await buildUser();
+    await CollectionUser.create({
+      createdById: user.id,
+      collectionId: collection.id,
+      userId: user.id,
+      permission: 'read_write',
+    });
+    await CollectionUser.create({
+      createdById: user2.id,
+      collectionId: collection.id,
+      userId: user2.id,
+      permission: 'maintainer',
+    });
+
+    const res = await server.post('/api/collections.memberships', {
+      body: {
+        token: user.getJwtToken(),
+        id: collection.id,
+        permission: 'maintainer',
+      },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.users.length).toEqual(1);
+    expect(body.data.users[0].id).toEqual(user2.id);
+  });
+
+  it('should require authentication', async () => {
+    const res = await server.post('/api/collections.memberships');
+    const body = await res.json();
+
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+
+  it('should require authorization', async () => {
+    const { collection } = await seed();
+    const user = await buildUser();
+    const res = await server.post('/api/collections.memberships', {
+      body: { token: user.getJwtToken(), id: collection.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+});
+
 describe('#collections.info', async () => {
  it('should return collection', async () => {
    const { user, collection } = await seed();
@@ -321,6 +460,27 @@ describe('#collections.info', async () => {
    expect(res.status).toEqual(403);
  });

+  it('should allow user member of collection', async () => {
+    const { user, collection } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      collectionId: collection.id,
+      userId: user.id,
+      createdById: user.id,
+      permission: 'read',
+    });
+
+    const res = await server.post('/api/collections.info', {
+      body: { token: user.getJwtToken(), id: collection.id },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.id).toEqual(collection.id);
+  });
+
  it('should require authentication', async () => {
    const res = await server.post('/api/collections.info');
    const body = await res.json();
@@ -362,6 +522,128 @@ describe('#collections.create', async () => {
  });
 });

+describe('#collections.update', async () => {
+  it('should require authentication', async () => {
+    const collection = await buildCollection();
+    const res = await server.post('/api/collections.update', {
+      body: { id: collection.id, name: 'Test' },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+
+  it('should require authorization', async () => {
+    const { collection } = await seed();
+    const user = await buildUser();
+    const res = await server.post('/api/collections.update', {
+      body: { token: user.getJwtToken(), id: collection.id, name: 'Test' },
+    });
+    expect(res.status).toEqual(403);
+  });
+
+  it('allows editing non-private collection', async () => {
+    const { user, collection } = await seed();
+    const res = await server.post('/api/collections.update', {
+      body: { token: user.getJwtToken(), id: collection.id, name: 'Test' },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe('Test');
+    expect(body.policies.length).toBe(1);
+  });
+
+  it('allows editing from non-private to private collection', async () => {
+    const { user, collection } = await seed();
+    const res = await server.post('/api/collections.update', {
+      body: {
+        token: user.getJwtToken(),
+        id: collection.id,
+        private: true,
+        name: 'Test',
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe('Test');
+    expect(body.data.private).toBe(true);
+
+    // ensure we return with a write level policy
+    expect(body.policies.length).toBe(1);
+    expect(body.policies[0].abilities.update).toBe(true);
+  });
+
+  it('allows editing from private to non-private collection', async () => {
+    const { user, collection } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      collectionId: collection.id,
+      userId: user.id,
+      createdById: user.id,
+      permission: 'read_write',
+    });
+
+    const res = await server.post('/api/collections.update', {
+      body: {
+        token: user.getJwtToken(),
+        id: collection.id,
+        private: false,
+        name: 'Test',
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe('Test');
+    expect(body.data.private).toBe(false);
+
+    // ensure we return with a write level policy
+    expect(body.policies.length).toBe(1);
+    expect(body.policies[0].abilities.update).toBe(true);
+  });
+
+  it('allows editing by read-write collection user', async () => {
+    const { user, collection } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      collectionId: collection.id,
+      userId: user.id,
+      createdById: user.id,
+      permission: 'read_write',
+    });
+
+    const res = await server.post('/api/collections.update', {
+      body: { token: user.getJwtToken(), id: collection.id, name: 'Test' },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe('Test');
+    expect(body.policies.length).toBe(1);
+  });
+
+  it('does not allow editing by read-only collection user', async () => {
+    const { user, collection } = await seed();
+    collection.private = true;
+    await collection.save();
+
+    await CollectionUser.create({
+      collectionId: collection.id,
+      userId: user.id,
+      createdById: user.id,
+      permission: 'read',
+    });
+
+    const res = await server.post('/api/collections.update', {
+      body: { token: user.getJwtToken(), id: collection.id, name: 'Test' },
+    });
+    expect(res.status).toEqual(403);
+  });
+});
+
 describe('#collections.delete', async () => {
  it('should require authentication', async () => {
    const res = await server.post('/api/collections.delete');
@@ -380,7 +662,7 @@ describe('#collections.delete', async () => {
    expect(res.status).toEqual(403);
  });

-  it('should not delete last collection', async () => {
+  it('should not allow deleting last collection', async () => {
    const { user, collection } = await seed();
    const res = await server.post('/api/collections.delete', {
      body: { token: user.getJwtToken(), id: collection.id },