feat: Read-only users (#1955)

* Introduce isViewer field

* Update policies

* Make users read-only feature

* Remove not demoting current user validation

* Update tests

* Catch the unhandled promise rejection

* Hide unnecessary ui elements for read-only user

* Update app/scenes/Settings/People.js

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* Remove redundant logic for admin only policies

* Use can logic

* Update snapshot

* Remove lint error

* Update snapshot

* Minor fix

* Update app/menus/UserMenu.js

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* Update server/api/users.js

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* Update app/components/DocumentListItem.js

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* Update app/stores/UsersStore.js

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* Use useCurrentTeam hook in functional component

* Update translation

* Update ternary

* Remove punctuation

* Move the functions to User model

* Update share policy and shareMenu

* Rename makeAdmin to promote

* Create updateCounts function and Rank enum

* Update tests

* Remove enum

* Use async await, remove enum and create computed accessor

* Remove unused variable

* Fix lint issues

* Hide templates

* Create shared/types and use rank type from it

* Delete shared/utils/rank type file

Co-authored-by: Tom Moor <tom.moor@gmail.com>

server/policies/apiKey.js

@@ -5,13 +5,11 @@ import policy from "./policy";
 const { allow } = policy;
 
 allow(User, "createApiKey", Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return true;
 });
 
-allow(
-  User,
-  ["read", "update", "delete"],
-  ApiKey,
-  (user, apiKey) => user && user.id === apiKey.userId
-);
+allow(User, ["read", "update", "delete"], ApiKey, (user, apiKey) => {
+  if (user.isViewer) return false;
+  return user && user.id === apiKey.userId;
+});

server/policies/attachment.js

@@ -5,11 +5,19 @@ import policy from "./policy";
 const { allow } = policy;
 
 allow(User, "createAttachment", Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return true;
 });
 
-allow(User, ["read", "delete"], Attachment, (actor, attachment) => {
+allow(User, "read", Attachment, (actor, attachment) => {
+  if (!attachment || attachment.teamId !== actor.teamId) return false;
+  if (actor.isAdmin) return true;
+  if (actor.id === attachment.userId) return true;
+  return false;
+});
+
+allow(User, "delete", Attachment, (actor, attachment) => {
+  if (actor.isViewer) return false;
   if (!attachment || attachment.teamId !== actor.teamId) return false;
   if (actor.isAdmin) return true;
   if (actor.id === attachment.userId) return true;

server/policies/collection.js

@@ -8,7 +8,7 @@ import policy from "./policy";
 const { allow } = policy;
 
 allow(User, "createCollection", Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return true;
 });
 
@@ -48,6 +48,7 @@ allow(User, ["read", "export"], Collection, (user, collection) => {
 });
 
 allow(User, "share", Collection, (user, collection) => {
+  if (user.isViewer) return false;
   if (!collection || user.teamId !== collection.teamId) return false;
   if (!collection.sharing) return false;
 
@@ -71,6 +72,7 @@ allow(User, "share", Collection, (user, collection) => {
 });
 
 allow(User, ["publish", "update"], Collection, (user, collection) => {
+  if (user.isViewer) return false;
   if (!collection || user.teamId !== collection.teamId) return false;
 
   if (collection.permission !== "read_write") {
@@ -93,6 +95,7 @@ allow(User, ["publish", "update"], Collection, (user, collection) => {
 });
 
 allow(User, "delete", Collection, (user, collection) => {
+  if (user.isViewer) return false;
   if (!collection || user.teamId !== collection.teamId) return false;
 
   if (collection.permission !== "read_write") {

server/policies/document.js

@@ -6,7 +6,7 @@ import policy from "./policy";
 const { allow, cannot } = policy;
 
 allow(User, "createDocument", Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return true;
 });
 
@@ -102,6 +102,7 @@ allow(User, ["pin", "unpin"], Document, (user, document) => {
 
 allow(User, "delete", Document, (user, document) => {
   // unpublished drafts can always be deleted
+  if (user.isViewer) return false;
   if (
     !document.deletedAt &&
     !document.publishedAt &&
@@ -121,6 +122,7 @@ allow(User, "delete", Document, (user, document) => {
 });
 
 allow(User, "restore", Document, (user, document) => {
+  if (user.isViewer) return false;
   if (!document.deletedAt) return false;
   return user.teamId === document.teamId;
 });

server/policies/group.js

@@ -6,7 +6,7 @@ import policy from "./policy";
 const { allow } = policy;
 
 allow(User, "createGroup", Team, (actor, team) => {
-  if (!team || actor.teamId !== team.id) return false;
+  if (!team || actor.isViewer || actor.teamId !== team.id) return false;
   if (actor.isAdmin) return true;
   throw new AdminRequiredError();
 });
@@ -21,7 +21,7 @@ allow(User, "read", Group, (actor, group) => {
 });
 
 allow(User, ["update", "delete"], Group, (actor, group) => {
-  if (!group || actor.teamId !== group.teamId) return false;
+  if (!group || actor.isViewer || actor.teamId !== group.teamId) return false;
   if (actor.isAdmin) return true;
   throw new AdminRequiredError();
 });

server/policies/integration.js

@@ -6,7 +6,7 @@ import policy from "./policy";
 const { allow } = policy;
 
 allow(User, "createIntegration", Team, (actor, team) => {
-  if (!team || actor.teamId !== team.id) return false;
+  if (!team || actor.isViewer || actor.teamId !== team.id) return false;
   if (actor.isAdmin) return true;
   throw new AdminRequiredError();
 });
@@ -19,6 +19,7 @@ allow(
 );
 
 allow(User, ["update", "delete"], Integration, (user, integration) => {
+  if (user.isViewer) return false;
   if (!integration || user.teamId !== integration.teamId) return false;
   if (user.isAdmin) return true;
   throw new AdminRequiredError();

server/policies/share.js

@@ -5,14 +5,17 @@ import policy from "./policy";
 
 const { allow } = policy;
 
-allow(
-  User,
-  ["read", "update"],
-  Share,
-  (user, share) => user.teamId === share.teamId
-);
+allow(User, "read", Share, (user, share) => {
+  return user.teamId === share.teamId;
+});
+
+allow(User, "update", Share, (user, share) => {
+  if (user.isViewer) return false;
+  return user.teamId === share.teamId;
+});
 
 allow(User, "revoke", Share, (user, share) => {
+  if (user.isViewer) return false;
   if (!share || user.teamId !== share.teamId) return false;
   if (user.id === share.userId) return true;
   if (user.isAdmin) return true;

server/policies/team.js

@@ -7,11 +7,11 @@ const { allow } = policy;
 allow(User, "read", Team, (user, team) => team && user.teamId === team.id);
 
 allow(User, "share", Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return team.sharing;
 });
 
 allow(User, ["update", "export", "manage"], Team, (user, team) => {
-  if (!team || user.teamId !== team.id) return false;
+  if (!team || user.isViewer || user.teamId !== team.id) return false;
   return user.isAdmin;
 });

server/policies/user.js

@@ -46,7 +46,7 @@ allow(User, "promote", User, (actor, user) => {
 
 allow(User, "demote", User, (actor, user) => {
   if (!user || user.teamId !== actor.teamId) return false;
-  if (!user.isAdmin || user.isSuspended) return false;
+  if (user.isSuspended) return false;
   if (actor.isAdmin) return true;
   throw new AdminRequiredError();
 });