refactor: Policies Architecture (#1016)

* add policy serialize method * Add policies to collection responses * wip * test: remove .only * refactor: Return policies with team and document requests * store policies on the client * refactor: drive admin UI from policies
2019-08-21 21:41:37 -07:00
parent cf18b952a4
commit e2b28dfeb7
20 changed files with 194 additions and 19 deletions
--- a/server/api/auth.js
+++ b/server/api/auth.js
@@ -1,7 +1,7 @@
 // @flow
 import Router from 'koa-router';
 import auth from '../middlewares/authentication';
-import { presentUser, presentTeam } from '../presenters';
+import { presentUser, presentTeam, presentPolicies } from '../presenters';
 import { Team } from '../models';

 const router = new Router();
@@ -15,6 +15,7 @@ router.post('auth.info', auth(), async ctx => {
      user: presentUser(user, { includeDetails: true }),
      team: presentTeam(team),
    },
+    policies: presentPolicies(user, [team]),
  };
 });

--- a/server/api/collections.js
+++ b/server/api/collections.js
@@ -3,7 +3,7 @@ import fs from 'fs';
 import Router from 'koa-router';
 import auth from '../middlewares/authentication';
 import pagination from './middlewares/pagination';
-import { presentCollection, presentUser } from '../presenters';
+import { presentCollection, presentUser, presentPolicies } from '../presenters';
 import { Collection, CollectionUser, Team, Event, User } from '../models';
 import { ValidationError, InvalidRequestError } from '../errors';
 import { exportCollections } from '../logistics';
@@ -45,6 +45,7 @@ router.post('collections.create', auth(), async ctx => {

  ctx.body = {
    data: await presentCollection(collection),
+    policies: presentPolicies(user, [collection]),
  };
 });

@@ -52,11 +53,13 @@ router.post('collections.info', auth(), async ctx => {
  const { id } = ctx.body;
  ctx.assertUuid(id, 'id is required');

+  const user = ctx.state.user;
  const collection = await Collection.findByPk(id);
-  authorize(ctx.state.user, 'read', collection);
+  authorize(user, 'read', collection);

  ctx.body = {
    data: await presentCollection(collection),
+    policies: presentPolicies(user, [collection]),
  };
 });

@@ -243,6 +246,7 @@ router.post('collections.update', auth(), async ctx => {

  ctx.body = {
    data: presentCollection(collection),
+    policies: presentPolicies(user, [collection]),
  };
 });

@@ -263,10 +267,12 @@ router.post('collections.list', auth(), pagination(), async ctx => {
  const data = await Promise.all(
    collections.map(async collection => await presentCollection(collection))
  );
+  const policies = presentPolicies(user, collections);

  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

--- a/server/api/collections.test.js
+++ b/server/api/collections.test.js
@@ -358,6 +358,7 @@ describe('#collections.create', async () => {
    expect(res.status).toEqual(200);
    expect(body.data.id).toBeTruthy();
    expect(body.data.name).toBe('Test');
+    expect(body.policies.length).toBe(1);
  });
 });

--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -8,6 +8,7 @@ import {
  presentDocument,
  presentCollection,
  presentRevision,
+  presentPolicies,
 } from '../presenters';
 import {
  Collection,
@@ -88,9 +89,12 @@ router.post('documents.list', auth(), pagination(), async ctx => {
    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -123,9 +127,12 @@ router.post('documents.pinned', auth(), pagination(), async ctx => {
    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -154,9 +161,12 @@ router.post('documents.archived', auth(), pagination(), async ctx => {
    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -191,13 +201,17 @@ router.post('documents.viewed', auth(), pagination(), async ctx => {
    limit: ctx.state.pagination.limit,
  });

+  const documents = views.map(view => view.document);
  const data = await Promise.all(
-    views.map(view => presentDocument(view.document))
+    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -234,13 +248,17 @@ router.post('documents.starred', auth(), pagination(), async ctx => {
    limit: ctx.state.pagination.limit,
  });

+  const documents = stars.map(star => star.document);
  const data = await Promise.all(
-    stars.map(star => presentDocument(star.document))
+    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -266,9 +284,12 @@ router.post('documents.drafts', auth(), pagination(), async ctx => {
    documents.map(document => presentDocument(document))
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -311,6 +332,7 @@ router.post('documents.info', auth({ required: false }), async ctx => {

  ctx.body = {
    data: await presentDocument(document, { isPublic }),
+    policies: isPublic ? undefined : presentPolicies(user, [document]),
  };
 });

@@ -404,6 +426,7 @@ router.post('documents.restore', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

@@ -443,6 +466,7 @@ router.post('documents.search', auth(), pagination(), async ctx => {
    limit,
  });

+  const documents = results.map(result => result.document);
  const data = await Promise.all(
    results.map(async result => {
      const document = await presentDocument(result.document);
@@ -450,9 +474,12 @@ router.post('documents.search', auth(), pagination(), async ctx => {
    })
  );

+  const policies = presentPolicies(user, documents);
+
  ctx.body = {
    pagination: ctx.state.pagination,
    data,
+    policies,
  };
 });

@@ -479,6 +506,7 @@ router.post('documents.pin', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

@@ -505,6 +533,7 @@ router.post('documents.unpin', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

@@ -637,6 +666,7 @@ router.post('documents.create', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

@@ -719,6 +749,7 @@ router.post('documents.update', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

@@ -774,6 +805,7 @@ router.post('documents.move', auth(), async ctx => {
      collections: await Promise.all(
        collections.map(collection => presentCollection(collection))
      ),
+      policies: presentPolicies(user, documents),
    },
  };
 });
@@ -800,6 +832,7 @@ router.post('documents.archive', auth(), async ctx => {

  ctx.body = {
    data: await presentDocument(document),
+    policies: presentPolicies(user, [document]),
  };
 });

--- a/server/api/team.js
+++ b/server/api/team.js
@@ -4,7 +4,7 @@ import { Team } from '../models';
 import { publicS3Endpoint } from '../utils/s3';

 import auth from '../middlewares/authentication';
-import { presentTeam } from '../presenters';
+import { presentTeam, presentPolicies } from '../presenters';
 import policy from '../policies';

 const { authorize } = policy;
@@ -32,6 +32,7 @@ router.post('team.update', auth(), async ctx => {

  ctx.body = {
    data: presentTeam(team),
+    policies: presentPolicies(user, [team]),
  };
 });

--- a/server/policies/document.js
+++ b/server/policies/document.js
@@ -28,6 +28,7 @@ allow(User, 'archive', Document, (user, document) => {
    if (cannot(user, 'read', document.collection)) return false;
  }
  if (!document.publishedAt) return false;
+  if (document.archivedAt) return false;

  return user.teamId === document.teamId;
 });
--- a/server/policies/index.js
+++ b/server/policies/index.js
@@ -1,4 +1,5 @@
 // @flow
+import { Team, User, Collection, Document } from '../models';
 import policy from './policy';
 import './apiKey';
 import './collection';
@@ -9,4 +10,36 @@ import './share';
 import './user';
 import './team';

+const { can, abilities } = policy;
+
+type Policy = {
+  [key: string]: boolean,
+};
+
+/*
+* Given a user and a model – output an object which describes the actions the 
+* user may take against the model. This serialized policy is used for testing
+* and sent in API responses to allow clients to adjust which UI is displayed.
+*/
+export function serialize(
+  model: User,
+  target: Team | Collection | Document
+): Policy {
+  let output = {};
+
+  abilities.forEach(ability => {
+    if (model instanceof ability.model && target instanceof ability.target) {
+      let response = true;
+      try {
+        response = can(model, ability.action, target);
+      } catch (err) {
+        response = false;
+      }
+      output[ability.action] = response;
+    }
+  });
+
+  return output;
+}
+
 export default policy;
--- a/server/policies/index.test.js
+++ b/server/policies/index.test.js
@@ -0,0 +1,13 @@
+/* eslint-disable flowtype/require-valid-file-annotation */
+import { flushdb } from '../test/support';
+import { buildUser } from '../test/factories';
+import { serialize } from './index';
+
+beforeEach(flushdb);
+
+it('should serialize policy', async () => {
+  const user = await buildUser();
+  const response = serialize(user, user);
+  expect(response.update).toEqual(true);
+  expect(response.delete).toEqual(true);
+});
--- a/server/policies/team.js
+++ b/server/policies/team.js
@@ -17,6 +17,11 @@ allow(User, 'auditLog', Team, user => {
  return false;
 });

+allow(User, 'invite', Team, user => {
+  if (user.isAdmin) return true;
+  return false;
+});
+
 allow(User, ['update', 'export'], Team, (user, team) => {
  if (!team || user.teamId !== team.id) return false;
  if (user.isAdmin) return true;
--- a/server/presenters/index.js
+++ b/server/presenters/index.js
@@ -11,6 +11,7 @@ import presentTeam from './team';
 import presentIntegration from './integration';
 import presentNotificationSetting from './notificationSetting';
 import presentSlackAttachment from './slackAttachment';
+import presentPolicies from './policy';

 export {
  presentUser,
@@ -25,4 +26,5 @@ export {
  presentIntegration,
  presentNotificationSetting,
  presentSlackAttachment,
+  presentPolicies,
 };
--- a/server/presenters/policy.js
+++ b/server/presenters/policy.js
@@ -0,0 +1,13 @@
+// @flow
+import { User } from '../models';
+
+type Policy = { id: string, abilities: { [key: string]: boolean } };
+
+export default function present(user: User, objects: Object[]): Policy[] {
+  const { serialize } = require('../policies');
+
+  return objects.map(object => ({
+    id: object.id,
+    abilities: serialize(user, object),
+  }));
+}