15b1069bcc
This PR moves the entire project to Typescript. Due to the ~1000 ignores this will lead to a messy codebase for a while, but the churn is worth it – all of those ignore comments are places that were never type-safe previously. closes #1282
115 lines
3.2 KiB
TypeScript
115 lines
3.2 KiB
TypeScript
import invariant from "invariant";
|
|
import { concat, some } from "lodash";
|
|
import { Collection, User, Team } from "@server/models";
|
|
import { AdminRequiredError } from "../errors";
|
|
import policy from "./policy";
|
|
|
|
const { allow } = policy;
|
|
|
|
allow(User, "createCollection", Team, (user, team) => {
|
|
if (!team || user.isViewer || user.teamId !== team.id) return false;
|
|
return true;
|
|
});
|
|
|
|
allow(User, "importCollection", Team, (actor, team) => {
|
|
if (!team || actor.teamId !== team.id) return false;
|
|
if (actor.isAdmin) return true;
|
|
|
|
throw AdminRequiredError();
|
|
});
|
|
|
|
allow(User, "move", Collection, (user, collection) => {
|
|
if (!collection || user.teamId !== collection.teamId) return false;
|
|
if (collection.deletedAt) return false;
|
|
if (user.isAdmin) return true;
|
|
|
|
throw AdminRequiredError();
|
|
});
|
|
|
|
allow(User, "read", Collection, (user, collection) => {
|
|
if (!collection || user.teamId !== collection.teamId) return false;
|
|
|
|
if (!collection.permission) {
|
|
invariant(
|
|
collection.memberships,
|
|
"membership should be preloaded, did you forget withMembership scope?"
|
|
);
|
|
const allMemberships = concat(
|
|
collection.memberships,
|
|
collection.collectionGroupMemberships
|
|
);
|
|
return some(allMemberships, (m) =>
|
|
["read", "read_write", "maintainer"].includes(m.permission)
|
|
);
|
|
}
|
|
|
|
return true;
|
|
});
|
|
|
|
allow(User, "share", Collection, (user, collection) => {
|
|
if (user.isViewer) return false;
|
|
if (!collection || user.teamId !== collection.teamId) return false;
|
|
if (!collection.sharing) return false;
|
|
|
|
if (collection.permission !== "read_write") {
|
|
invariant(
|
|
collection.memberships,
|
|
"membership should be preloaded, did you forget withMembership scope?"
|
|
);
|
|
const allMemberships = concat(
|
|
collection.memberships,
|
|
collection.collectionGroupMemberships
|
|
);
|
|
return some(allMemberships, (m) =>
|
|
["read_write", "maintainer"].includes(m.permission)
|
|
);
|
|
}
|
|
|
|
return true;
|
|
});
|
|
|
|
allow(User, ["publish", "update"], Collection, (user, collection) => {
|
|
if (user.isViewer) return false;
|
|
if (!collection || user.teamId !== collection.teamId) return false;
|
|
|
|
if (collection.permission !== "read_write") {
|
|
invariant(
|
|
collection.memberships,
|
|
"membership should be preloaded, did you forget withMembership scope?"
|
|
);
|
|
const allMemberships = concat(
|
|
collection.memberships,
|
|
collection.collectionGroupMemberships
|
|
);
|
|
return some(allMemberships, (m) =>
|
|
["read_write", "maintainer"].includes(m.permission)
|
|
);
|
|
}
|
|
|
|
return true;
|
|
});
|
|
|
|
allow(User, "delete", Collection, (user, collection) => {
|
|
if (user.isViewer) return false;
|
|
if (!collection || user.teamId !== collection.teamId) return false;
|
|
|
|
if (collection.permission !== "read_write") {
|
|
invariant(
|
|
collection.memberships,
|
|
"membership should be preloaded, did you forget withMembership scope?"
|
|
);
|
|
const allMemberships = concat(
|
|
collection.memberships,
|
|
collection.collectionGroupMemberships
|
|
);
|
|
return some(allMemberships, (m) =>
|
|
["read_write", "maintainer"].includes(m.permission)
|
|
);
|
|
}
|
|
|
|
if (user.isAdmin) return true;
|
|
if (user.id === collection.createdById) return true;
|
|
|
|
throw AdminRequiredError();
|
|
});
|