Jayden/AFFiNE-Mirror
1
0
Fork 0
mirror of https://github.com/toeverything/AFFiNE.git synced 2026-02-13 21:05:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(server): permission (#10449)

Browse Source
This commit is contained in:
liuyi
2025-03-05 15:57:00 +08:00
committed by GitHub
parent bf7b1646b3
commit 61162c59fc
61 changed files with 2680 additions and 3562 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
packages/backend/server/src/core/doc-renderer/__tests__/controller.spec.ts
View File

@@ -10,14 +10,12 @@ import { Config } from '../../../base';
import { ConfigModule } from '../../../base/config';
import { Models } from '../../../models';
import { PgWorkspaceDocStorageAdapter } from '../../doc';
import { PermissionService } from '../../permission';
const test = ava as TestFn<{
models: Models;
app: TestingApp;
config: Config;
adapter: PgWorkspaceDocStorageAdapter;
permission: PermissionService;
}>;
test.before(async t => {
@@ -38,7 +36,6 @@ test.before(async t => {
t.context.models = app.get(Models);
t.context.config = app.get(Config);
t.context.adapter = app.get(PgWorkspaceDocStorageAdapter);
t.context.permission = app.get(PermissionService);
t.context.app = app;
});
@@ -60,7 +57,7 @@ test.after.always(async t => {
test('should render page success', async t => {
const docId = randomUUID();
const { app, adapter, permission } = t.context;
const { app, adapter, models } = t.context;
const doc = new YDoc();
const text = doc.getText('content');
@@ -75,7 +72,7 @@ test('should render page success', async t => {
text.insert(5, ' ');
await adapter.pushDocUpdates(workspace.id, docId, updates, user.id);
await permission.publishPage(workspace.id, docId);
await models.workspace.publishDoc(workspace.id, docId);
await app.GET(`/workspace/${workspace.id}/${docId}`).expect(200);
t.pass();

14
packages/backend/server/src/core/doc-renderer/controller.ts
View File

@@ -6,10 +6,10 @@ import type { Request, Response } from 'express';
import isMobile from 'is-mobile';
import { Config, metrics } from '../../base';
import { Models } from '../../models';
import { htmlSanitize } from '../../native';
import { Public } from '../auth';
import { DocReader } from '../doc';
import { PermissionService } from '../permission';
interface RenderOptions {
title: string;
@@ -51,8 +51,8 @@ export class DocRendererController {
constructor(
private readonly doc: DocReader,
private readonly permission: PermissionService,
private readonly config: Config
private readonly config: Config,
private readonly models: Models
) {
this.webAssets = this.readHtmlAssets(
join(this.config.projectRoot, 'static')
@@ -102,14 +102,15 @@ export class DocRendererController {
workspaceId: string,
docId: string
): Promise<RenderOptions | null> {
let allowUrlPreview = await this.permission.isPublicPage(
let allowUrlPreview = await this.models.workspace.isPublicPage(
workspaceId,
docId
);
if (!allowUrlPreview) {
// if page is private, but workspace url preview is on
allowUrlPreview = await this.permission.allowUrlPreview(workspaceId);
allowUrlPreview =
await this.models.workspace.allowUrlPreview(workspaceId);
}
if (allowUrlPreview) {
@@ -122,7 +123,8 @@ export class DocRendererController {
private async getWorkspaceContent(
workspaceId: string
): Promise<RenderOptions | null> {
const allowUrlPreview = await this.permission.allowUrlPreview(workspaceId);
const allowUrlPreview =
await this.models.workspace.allowUrlPreview(workspaceId);
if (allowUrlPreview) {
const workspaceContent = await this.doc.getWorkspaceContent(workspaceId);

5
packages/backend/server/src/core/doc/options.ts
View File

@@ -9,7 +9,6 @@ import {
metrics,
Runtime,
} from '../../base';
import { PermissionService } from '../permission';
import { QuotaService } from '../quota';
import { DocStorageOptions as IDocStorageOptions } from './storage';
@@ -37,7 +36,6 @@ export class DocStorageOptions implements IDocStorageOptions {
constructor(
private readonly config: Config,
private readonly runtime: Runtime,
private readonly permission: PermissionService,
private readonly quota: QuotaService
) {}
@@ -87,8 +85,7 @@ export class DocStorageOptions implements IDocStorageOptions {
};
historyMaxAge = async (spaceId: string) => {
const owner = await this.permission.getWorkspaceOwner(spaceId);
const quota = await this.quota.getUserQuota(owner.id);
const quota = await this.quota.getWorkspaceQuota(spaceId);
return quota.historyPeriod;
};

39
packages/backend/server/src/core/permission/__tests__/__snapshots__/actions.spec.ts.md
View File

@@ -91,13 +91,20 @@ Generated by [AVA](https://avajs.dev).
> WorkspaceRole: External
{
'Workspace.Adminitrators.Manage': false,
'Workspace.Blobs.List': false,
'Workspace.Blobs.Read': true,
'Workspace.Blobs.Write': false,
'Workspace.Copilot': false,
'Workspace.CreateDoc': false,
'Workspace.Delete': false,
'Workspace.Organize.Read': true,
'Workspace.Payment.Manage': false,
'Workspace.Properties.Create': false,
'Workspace.Properties.Delete': false,
'Workspace.Properties.Read': false,
'Workspace.Properties.Read': true,
'Workspace.Properties.Update': false,
'Workspace.Read': true,
'Workspace.Settings.Read': false,
'Workspace.Settings.Update': false,
'Workspace.Sync': false,
@@ -109,13 +116,20 @@ Generated by [AVA](https://avajs.dev).
> WorkspaceRole: Collaborator
{
'Workspace.Adminitrators.Manage': false,
'Workspace.Blobs.List': true,
'Workspace.Blobs.Read': true,
'Workspace.Blobs.Write': true,
'Workspace.Copilot': true,
'Workspace.CreateDoc': true,
'Workspace.Delete': false,
'Workspace.Organize.Read': true,
'Workspace.Payment.Manage': false,
'Workspace.Properties.Create': false,
'Workspace.Properties.Delete': false,
'Workspace.Properties.Read': true,
'Workspace.Properties.Update': false,
'Workspace.Read': true,
'Workspace.Settings.Read': true,
'Workspace.Settings.Update': false,
'Workspace.Sync': true,
@@ -127,13 +141,20 @@ Generated by [AVA](https://avajs.dev).
> WorkspaceRole: Admin
{
'Workspace.Adminitrators.Manage': false,
'Workspace.Blobs.List': true,
'Workspace.Blobs.Read': true,
'Workspace.Blobs.Write': true,
'Workspace.Copilot': true,
'Workspace.CreateDoc': true,
'Workspace.Delete': false,
'Workspace.Organize.Read': true,
'Workspace.Payment.Manage': false,
'Workspace.Properties.Create': true,
'Workspace.Properties.Delete': true,
'Workspace.Properties.Read': true,
'Workspace.Properties.Update': true,
'Workspace.Read': true,
'Workspace.Settings.Read': true,
'Workspace.Settings.Update': true,
'Workspace.Sync': true,
@@ -145,13 +166,20 @@ Generated by [AVA](https://avajs.dev).
> WorkspaceRole: Owner
{
'Workspace.Adminitrators.Manage': true,
'Workspace.Blobs.List': true,
'Workspace.Blobs.Read': true,
'Workspace.Blobs.Write': true,
'Workspace.Copilot': true,
'Workspace.CreateDoc': true,
'Workspace.Delete': true,
'Workspace.Organize.Read': true,
'Workspace.Payment.Manage': true,
'Workspace.Properties.Create': true,
'Workspace.Properties.Delete': true,
'Workspace.Properties.Read': true,
'Workspace.Properties.Update': true,
'Workspace.Read': true,
'Workspace.Settings.Read': true,
'Workspace.Settings.Update': true,
'Workspace.Sync': true,
@@ -257,13 +285,20 @@ Generated by [AVA](https://avajs.dev).
> Snapshot 1
{
'Workspace.Adminitrators.Manage': 'Owner',
'Workspace.Blobs.List': 'Collaborator',
'Workspace.Blobs.Read': 'External',
'Workspace.Blobs.Write': 'Collaborator',
'Workspace.Copilot': 'Collaborator',
'Workspace.CreateDoc': 'Collaborator',
'Workspace.Delete': 'Owner',
'Workspace.Organize.Read': 'External',
'Workspace.Payment.Manage': 'Owner',
'Workspace.Properties.Create': 'Admin',
'Workspace.Properties.Delete': 'Admin',
'Workspace.Properties.Read': 'Collaborator',
'Workspace.Properties.Read': 'External',
'Workspace.Properties.Update': 'Admin',
'Workspace.Read': 'External',
'Workspace.Settings.Read': 'Collaborator',
'Workspace.Settings.Update': 'Admin',
'Workspace.Sync': 'Collaborator',

BIN
packages/backend/server/src/core/permission/__tests__/__snapshots__/actions.spec.ts.snap
View File

Binary file not shown.

2
packages/backend/server/src/core/permission/__tests__/actions.spec.ts
View File

@@ -37,7 +37,7 @@ test(`should be able to fixup doc role from workspace role and doc role`, t => {
for (const workspaceRole of workspaceRoles) {
for (const docRole of docRoles) {
t.snapshot(
DocRole[fixupDocRole(workspaceRole, docRole)],
DocRole[fixupDocRole(workspaceRole, docRole)!],
`WorkspaceRole: ${WorkspaceRole[workspaceRole]}, DocRole: ${DocRole[docRole]}`
);
}

48
packages/backend/server/src/core/permission/__tests__/builder.spec.ts Normal file
View File

@@ -0,0 +1,48 @@
import test from 'ava';
import { DocID } from '../../utils/doc';
import { AccessControllerBuilder } from '../builder';
let builder: AccessControllerBuilder;
test.before(async () => {
builder = new AccessControllerBuilder();
});
test('should build correct workspace resource', t => {
t.deepEqual(builder.user('u1').workspace('ws1').data, {
userId: 'u1',
workspaceId: 'ws1',
});
t.deepEqual(builder.user('u1').workspace('ws1').allowLocal().data, {
allowLocal: true,
userId: 'u1',
workspaceId: 'ws1',
});
});
test('should build correct doc resource', t => {
const resources = [
builder.user('u1').workspace('ws1').doc('doc1').data,
builder.user('u1').doc('ws1', 'doc1').data,
builder.user('u1').doc({ workspaceId: 'ws1', docId: 'doc1' }).data,
builder.user('u1').doc(new DocID('ws1:space:doc1', 'ws1')).data,
];
t.deepEqual(
resources,
Array.from({ length: 4 }, () => ({
userId: 'u1',
workspaceId: 'ws1',
docId: 'doc1',
}))
);
t.deepEqual(builder.user('u1').doc('ws1', 'doc1').allowLocal().data, {
allowLocal: true,
docId: 'doc1',
userId: 'u1',
workspaceId: 'ws1',
});
});

160
packages/backend/server/src/core/permission/__tests__/doc.spec.ts Normal file
View File

@@ -0,0 +1,160 @@
import test from 'ava';
import { createTestingModule, TestingModule } from '../../../__tests__/utils';
import {
Models,
User,
Workspace,
WorkspaceMemberStatus,
WorkspaceRole,
} from '../../../models';
import { PermissionModule } from '..';
import { DocAccessController } from '../doc';
import { DocRole, mapDocRoleToPermissions } from '../types';
let module: TestingModule;
let models: Models;
let ac: DocAccessController;
let user: User;
let ws: Workspace;
test.before(async () => {
module = await createTestingModule({ imports: [PermissionModule] });
models = module.get<Models>(Models);
ac = new DocAccessController(models);
});
test.beforeEach(async () => {
await module.initTestingDB();
user = await models.user.create({ email: 'u1@affine.pro' });
ws = await models.workspace.create(user.id);
});
test.after.always(async () => {
await module.close();
});
test('should get null role', async t => {
const role = await ac.getRole({
workspaceId: 'ws1',
docId: 'doc1',
userId: 'u1',
});
t.is(role, null);
});
test('should return null if workspace role is not accepted', async t => {
const u2 = await models.user.create({ email: 'u2@affine.pro' });
await models.workspaceUser.set(
ws.id,
u2.id,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.UnderReview
);
const role = await ac.getRole({
workspaceId: ws.id,
docId: 'doc1',
userId: u2.id,
});
t.is(role, null);
});
test('should return [Owner] role if workspace is not found but local is allowed', async t => {
const role = await ac.getRole({
workspaceId: 'ws1',
docId: 'doc1',
userId: 'u1',
allowLocal: true,
});
t.is(role, DocRole.Owner);
});
test('should fallback to [External] if workspace is public', async t => {
await models.workspace.update(ws.id, {
public: true,
});
const role = await ac.getRole({
workspaceId: ws.id,
docId: 'doc1',
userId: 'random-user-id',
});
t.is(role, DocRole.External);
});
test('should return null even if workspace has other public doc', async t => {
await models.workspace.publishDoc(ws.id, 'doc1');
const role = await ac.getRole({
workspaceId: ws.id,
docId: 'doc2',
userId: 'random-user-id',
});
t.is(role, null);
});
test('should return [External] if doc is public', async t => {
await models.workspace.publishDoc(ws.id, 'doc1');
const role = await ac.getRole({
workspaceId: ws.id,
docId: 'doc1',
userId: 'random-user-id',
});
t.is(role, DocRole.External);
});
test('should return mapped permissions', async t => {
const { permissions } = await ac.role({
workspaceId: ws.id,
docId: 'doc1',
userId: user.id,
});
t.deepEqual(permissions, mapDocRoleToPermissions(DocRole.Owner));
});
test('should assert action', async t => {
await t.notThrowsAsync(
ac.assert(
{
workspaceId: ws.id,
docId: 'doc1',
userId: user.id,
},
'Doc.Update'
)
);
const u2 = await models.user.create({ email: 'u2@affine.pro' });
await t.throwsAsync(
ac.assert(
{ workspaceId: ws.id, docId: 'doc1', userId: u2.id },
'Doc.Update'
)
);
await models.workspaceUser.set(
ws.id,
u2.id,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.Accepted
);
await models.docUser.set(ws.id, 'doc1', u2.id, DocRole.Manager);
await t.notThrowsAsync(
ac.assert(
{ workspaceId: ws.id, docId: 'doc1', userId: u2.id },
'Doc.Delete'
)
);
});

147
packages/backend/server/src/core/permission/__tests__/workspace.spec.ts Normal file
View File

@@ -0,0 +1,147 @@
import test from 'ava';
import { createTestingModule, TestingModule } from '../../../__tests__/utils';
import {
Models,
User,
Workspace,
WorkspaceMemberStatus,
WorkspaceRole,
} from '../../../models';
import { PermissionModule } from '..';
import { mapWorkspaceRoleToPermissions } from '../types';
import { WorkspaceAccessController } from '../workspace';
let module: TestingModule;
let models: Models;
let ac: WorkspaceAccessController;
let user: User;
let ws: Workspace;
test.before(async () => {
module = await createTestingModule({ imports: [PermissionModule] });
models = module.get<Models>(Models);
ac = new WorkspaceAccessController(models);
});
test.beforeEach(async () => {
await module.initTestingDB();
user = await models.user.create({ email: 'u1@affine.pro' });
ws = await models.workspace.create(user.id);
});
test.after.always(async () => {
await module.close();
});
test('should get null role', async t => {
const role = await ac.getRole({
workspaceId: 'ws1',
userId: 'u1',
});
t.is(role, null);
});
test('should return null if role is not accepted', async t => {
const u2 = await models.user.create({ email: 'u2@affine.pro' });
await models.workspaceUser.set(
ws.id,
u2.id,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.UnderReview
);
const role = await ac.getRole({
workspaceId: ws.id,
userId: u2.id,
});
t.is(role, null);
});
test('should return [Owner] role if workspace is not found but local is allowed', async t => {
const role = await ac.getRole({
workspaceId: 'ws1',
userId: 'u1',
allowLocal: true,
});
t.is(role, WorkspaceRole.Owner);
});
test('should fallback to [External] if workspace is public', async t => {
await models.workspace.update(ws.id, {
public: true,
});
const role = await ac.getRole({
workspaceId: ws.id,
userId: 'random-user-id',
});
t.is(role, WorkspaceRole.External);
});
test('should return null even workspace has public doc', async t => {
await models.workspace.publishDoc(ws.id, 'doc1');
const role = await ac.getRole({
workspaceId: ws.id,
userId: 'random-user-id',
});
t.is(role, null);
});
test('should return mapped external permission for workspace has public docs', async t => {
await models.workspace.publishDoc(ws.id, 'doc1');
const { permissions } = await ac.role({
workspaceId: ws.id,
userId: 'random-user-id',
});
t.deepEqual(
permissions,
mapWorkspaceRoleToPermissions(WorkspaceRole.External)
);
});
test('should return mapped permissions', async t => {
const { permissions } = await ac.role({
workspaceId: ws.id,
userId: user.id,
});
t.deepEqual(permissions, mapWorkspaceRoleToPermissions(WorkspaceRole.Owner));
});
test('should assert action', async t => {
await t.notThrowsAsync(
ac.assert(
{ workspaceId: ws.id, userId: user.id },
'Workspace.TransferOwner'
)
);
const u2 = await models.user.create({ email: 'u2@affine.pro' });
await t.throwsAsync(
ac.assert({ workspaceId: ws.id, userId: u2.id }, 'Workspace.Sync')
);
await models.workspaceUser.set(
ws.id,
u2.id,
WorkspaceRole.Admin,
WorkspaceMemberStatus.Accepted
);
await t.notThrowsAsync(
ac.assert(
{ workspaceId: ws.id, userId: u2.id },
'Workspace.Settings.Update'
)
);
});

108
packages/backend/server/src/core/permission/builder.ts Normal file
View File

@@ -0,0 +1,108 @@
import { Injectable } from '@nestjs/common';
import { DocID } from '../utils/doc';
import { getAccessController } from './controller';
import { Resource } from './resource';
import { DocAction, WorkspaceAction } from './types';
@Injectable()
export class AccessControllerBuilder {
user(userId: string) {
return new UserAccessControllerBuilder(userId);
}
}
export class UserAccessControllerBuilder {
constructor(private readonly userId: string) {}
workspace(workspaceId: string) {
return new WorkspaceAccessControllerBuilder({
userId: this.userId,
workspaceId,
});
}
doc(
docId: DocID | { workspaceId: string; docId: string }
): DocAccessControllerBuilder;
doc(workspaceId: string, docId: string): DocAccessControllerBuilder;
doc(
docIdOrWorkspaceId: string | DocID | { workspaceId: string; docId: string },
doc?: string
) {
let workspaceId: string;
let docId: string;
if (docIdOrWorkspaceId instanceof DocID) {
workspaceId = docIdOrWorkspaceId.workspace;
docId = docIdOrWorkspaceId.guid;
} else if (typeof docIdOrWorkspaceId === 'string') {
workspaceId = docIdOrWorkspaceId;
docId = doc as string;
} else {
workspaceId = docIdOrWorkspaceId.workspaceId;
docId = docIdOrWorkspaceId.docId;
}
return new DocAccessControllerBuilder({
userId: this.userId,
workspaceId,
docId,
});
}
}
class WorkspaceAccessControllerBuilder {
constructor(public readonly data: Resource<'ws'>) {}
allowLocal() {
this.data.allowLocal = true;
return this;
}
doc(docId: string) {
return new DocAccessControllerBuilder({
...this.data,
docId,
});
}
async assert(action: WorkspaceAction) {
const checker = getAccessController('ws');
await checker.assert(this.data, action);
}
async can(action: WorkspaceAction) {
const checker = getAccessController('ws');
return await checker.can(this.data, action);
}
async permissions() {
const checker = getAccessController('ws');
return await checker.role(this.data);
}
}
class DocAccessControllerBuilder {
constructor(public readonly data: Resource<'doc'>) {}
allowLocal() {
this.data.allowLocal = true;
return this;
}
async assert(action: DocAction) {
const checker = getAccessController('doc');
await checker.assert(this.data, action);
}
async can(action: DocAction) {
const checker = getAccessController('doc');
return await checker.can(this.data, action);
}
async permissions() {
const checker = getAccessController('doc');
return await checker.role(this.data);
}
}

53
packages/backend/server/src/core/permission/controller.ts Normal file
View File

@@ -0,0 +1,53 @@
import { Logger, OnModuleInit } from '@nestjs/common';
import type {
Resource,
ResourceAction,
ResourceRole,
ResourceType,
} from './resource';
const ACTION_CHECKER_PROVIDERS = new Map<ResourceType, AccessController<any>>();
function registerAccessController<Type extends ResourceType>(
type: Type,
provider: AccessController<Type>
) {
ACTION_CHECKER_PROVIDERS.set(type, provider);
}
export function getAccessController<Type extends ResourceType>(
type: Type
): AccessController<Type> {
const provider = ACTION_CHECKER_PROVIDERS.get(type);
if (!provider) {
throw new Error(`No action checker provider for type ${type}`);
}
return provider;
}
export abstract class AccessController<Type extends ResourceType>
implements OnModuleInit
{
protected abstract readonly type: Type;
protected logger = new Logger(AccessController.name);
onModuleInit() {
registerAccessController(this.type, this);
}
abstract assert(
resource: Resource<Type>,
action: ResourceAction<Type>
): Promise<void>;
abstract can(
resource: Resource<Type>,
action: ResourceAction<Type>
): Promise<boolean>;
abstract role(resource: Resource<Type>): Promise<{
role: ResourceRole<Type> | null;
permissions: Record<ResourceAction<Type>, boolean>;
}>;
}

105
packages/backend/server/src/core/permission/doc.ts Normal file
View File

@@ -0,0 +1,105 @@
import { Injectable } from '@nestjs/common';
import { DocActionDenied } from '../../base';
import { Models } from '../../models';
import { AccessController, getAccessController } from './controller';
import type { Resource } from './resource';
import {
DocAction,
docActionRequiredRole,
DocRole,
fixupDocRole,
mapDocRoleToPermissions,
WorkspaceRole,
} from './types';
import { WorkspaceAccessController } from './workspace';
@Injectable()
export class DocAccessController extends AccessController<'doc'> {
protected readonly type = 'doc';
constructor(private readonly models: Models) {
super();
}
async role(resource: Resource<'doc'>) {
const role = await this.getRole(resource);
return {
role,
permissions: mapDocRoleToPermissions(role),
};
}
async can(resource: Resource<'doc'>, action: DocAction) {
const { permissions, role } = await this.role(resource);
const allow = permissions[action] || false;
if (!allow) {
this.logger.log('Doc access check failed', {
action,
resource,
role,
requiredRole: docActionRequiredRole(action),
});
}
return allow;
}
async assert(resource: Resource<'doc'>, action: DocAction) {
const allow = await this.can(resource, action);
if (!allow) {
throw new DocActionDenied({
docId: resource.docId,
spaceId: resource.workspaceId,
action,
});
}
}
async getRole(payload: Resource<'doc'>): Promise<DocRole | null> {
const workspaceController = getAccessController(
'ws'
) as WorkspaceAccessController;
const workspaceRole = await workspaceController.getRole(payload);
const userRole = await this.models.docUser.get(
payload.workspaceId,
payload.docId,
payload.userId
);
let docRole = userRole?.type ?? (null as DocRole | null);
// fallback logic
if (docRole === null) {
const defaultDocRole = await this.defaultDocRole(
payload.workspaceId,
payload.docId
);
// if user is in workspace but doc role is not set, fallback to default doc role
if (workspaceRole && workspaceRole !== WorkspaceRole.External) {
docRole = defaultDocRole.workspace;
} else {
// else fallback to external doc role
docRole = defaultDocRole.external;
}
}
// we need to fixup doc role to make sure it's not miss set
// for example: workspace owner will have doc owner role
// workspace external will not have role higher than editor
return fixupDocRole(workspaceRole, docRole);
}
private async defaultDocRole(workspaceId: string, docId: string) {
const doc = await this.models.workspace.getDoc(workspaceId, docId);
return {
external: doc?.public ? DocRole.External : null,
workspace: doc?.defaultRole ?? DocRole.Manager,
};
}
}

20
packages/backend/server/src/core/permission/event.ts Normal file
View File

@@ -0,0 +1,20 @@
import { Injectable } from '@nestjs/common';
import { OnEvent } from '../../base';
import { Models } from '../../models';
@Injectable()
export class EventsListener {
constructor(private readonly models: Models) {}
@OnEvent('doc.created')
async setDefaultPageOwner(payload: Events['doc.created']) {
const { workspaceId, docId, editor } = payload;
if (!editor) {
return;
}
await this.models.docUser.setOwner(workspaceId, docId, editor);
}
}

20
packages/backend/server/src/core/permission/index.ts
View File

@@ -1,22 +1,26 @@
import { Module } from '@nestjs/common';
import { PermissionService } from './service';
import { AccessControllerBuilder } from './builder';
import { DocAccessController } from './doc';
import { EventsListener } from './event';
import { WorkspaceAccessController } from './workspace';
@Module({
providers: [PermissionService],
exports: [PermissionService],
providers: [
WorkspaceAccessController,
DocAccessController,
AccessControllerBuilder,
EventsListener,
],
exports: [AccessControllerBuilder],
})
export class PermissionModule {}
export { PermissionService } from './service';
export { AccessControllerBuilder as AccessController } from './builder';
export {
DOC_ACTIONS,
type DocAction,
DocRole,
fixupDocRole,
mapDocRoleToPermissions,
mapWorkspaceRoleToPermissions,
PublicDocMode,
WORKSPACE_ACTIONS,
type WorkspaceAction,
WorkspaceRole,

42
packages/backend/server/src/core/permission/resource.ts Normal file
View File

@@ -0,0 +1,42 @@
import { DocAction, DocRole, WorkspaceAction, WorkspaceRole } from './types';
export type ResourceType = 'ws' | 'doc';
interface WorkspaceResource {
type: 'ws';
payload: {
allowLocal?: boolean;
workspaceId: string;
userId: string;
};
action: WorkspaceAction;
role: WorkspaceRole;
}
interface DocResource {
type: 'doc';
payload: {
allowLocal?: boolean;
workspaceId: string;
docId: string;
userId: string;
};
action: DocAction;
role: DocRole;
}
export type KnownResource = WorkspaceResource | DocResource;
export type Resource<Type extends ResourceType = 'ws'> = Extract<
KnownResource,
{ type: Type }
>['payload'];
export type ResourceRole<Type extends ResourceType> = Extract<
KnownResource,
{ type: Type }
>['role'];
export type ResourceAction<Type extends ResourceType> = Extract<
KnownResource,
{ type: Type }
>['action'];

798
packages/backend/server/src/core/permission/service.ts
View File

@@ -1,798 +0,0 @@
import { Injectable, Logger } from '@nestjs/common';
import type { Prisma, WorkspaceDocUserPermission } from '@prisma/client';
import { PrismaClient, WorkspaceMemberStatus } from '@prisma/client';
import { groupBy } from 'lodash-es';
import {
CanNotBatchGrantDocOwnerPermissions,
DocActionDenied,
EventBus,
OnEvent,
SpaceAccessDenied,
SpaceOwnerNotFound,
WorkspacePermissionNotFound,
} from '../../base';
import {
DocAction,
docActionRequiredRole,
docActionRequiredWorkspaceRole,
DocRole,
PublicDocMode,
WorkspaceRole,
} from './types';
@Injectable()
export class PermissionService {
private readonly logger = new Logger(PermissionService.name);
constructor(
private readonly prisma: PrismaClient,
private readonly event: EventBus
) {}
@OnEvent('doc.created')
async setDefaultPageOwner(payload: Events['doc.created']) {
const { workspaceId, docId, editor } = payload;
if (!editor) {
return;
}
await this.prisma.workspaceDocUserPermission.createMany({
data: {
workspaceId,
docId,
userId: editor,
type: DocRole.Owner,
createdAt: new Date(),
},
});
}
private get acceptedCondition() {
return [
{
accepted: true,
},
{
status: WorkspaceMemberStatus.Accepted,
},
];
}
/// Start regin: workspace permission
async get(ws: string, user: string): Promise<WorkspaceRole> {
const data = await this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId: ws,
userId: user,
OR: this.acceptedCondition,
},
});
if (!data) {
throw new WorkspacePermissionNotFound({ spaceId: ws });
}
return data.type;
}
/**
* check whether a workspace exists and has any one can access it
* @param workspaceId workspace id
* @returns
*/
async hasWorkspace(workspaceId: string) {
return await this.prisma.workspaceUserPermission
.count({
where: {
workspaceId,
OR: this.acceptedCondition,
},
})
.then(count => count > 0);
}
async getOwnedWorkspaces(userId: string) {
return this.prisma.workspaceUserPermission
.findMany({
where: {
userId,
type: WorkspaceRole.Owner,
OR: this.acceptedCondition,
},
select: {
workspaceId: true,
},
})
.then(data => data.map(({ workspaceId }) => workspaceId));
}
async getWorkspaceOwner(workspaceId: string) {
const owner = await this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId,
type: WorkspaceRole.Owner,
},
include: {
user: true,
},
});
if (!owner) {
throw new SpaceOwnerNotFound({ spaceId: workspaceId });
}
return owner.user;
}
async getWorkspaceAdmin(workspaceId: string) {
const admin = await this.prisma.workspaceUserPermission.findMany({
where: {
workspaceId,
type: WorkspaceRole.Admin,
},
include: {
user: true,
},
});
return admin.map(({ user }) => user);
}
async getWorkspaceMemberCount(workspaceId: string) {
return this.prisma.workspaceUserPermission.count({
where: {
workspaceId,
},
});
}
async tryGetWorkspaceOwner(workspaceId: string) {
return this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId,
type: WorkspaceRole.Owner,
},
include: {
user: true,
},
});
}
/**
* check if a doc binary is accessible by a user
*/
async isPublicAccessible(
ws: string,
id: string,
user?: string
): Promise<boolean> {
if (ws === id) {
// if workspace is public or have any public page, then allow to access
const [isPublicWorkspace, publicPages] = await Promise.all([
this.tryCheckWorkspace(ws, user, WorkspaceRole.Collaborator),
this.prisma.workspaceDoc.count({
where: {
workspaceId: ws,
public: true,
},
}),
]);
return isPublicWorkspace || publicPages > 0;
}
return this.tryCheckPage(ws, id, 'Doc.Read', user);
}
async getWorkspaceMemberStatus(ws: string, user: string) {
return this.prisma.workspaceUserPermission
.findFirst({
where: {
workspaceId: ws,
userId: user,
},
select: { status: true },
})
.then(r => r?.status);
}
/**
* Returns whether a given user is a member of a workspace and has the given or higher permission.
*/
async isWorkspaceMember(
ws: string,
user: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
): Promise<boolean> {
const count = await this.prisma.workspaceUserPermission.count({
where: {
workspaceId: ws,
userId: user,
OR: this.acceptedCondition,
type: {
gte: permission,
},
},
});
return count !== 0;
}
/**
* only check permission if the workspace is a cloud workspace
* @param workspaceId workspace id
* @param userId user id, check if is a public workspace if not provided
* @param permission default is read
*/
async checkCloudWorkspace(
workspaceId: string,
userId?: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
) {
const hasWorkspace = await this.hasWorkspace(workspaceId);
if (hasWorkspace) {
await this.checkWorkspace(workspaceId, userId, permission);
}
}
async checkWorkspace(
ws: string,
user?: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
) {
if (!(await this.tryCheckWorkspace(ws, user, permission))) {
throw new SpaceAccessDenied({ spaceId: ws });
}
}
async tryCheckWorkspace(
ws: string,
user?: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
) {
// If the permission is read, we should check if the workspace is public
if (permission === WorkspaceRole.Collaborator) {
const count = await this.prisma.workspace.count({
where: { id: ws, public: true },
});
// workspace is public
// accessible
if (count > 0) {
return true;
}
}
if (user) {
// normally check if the user has the permission
const count = await this.prisma.workspaceUserPermission.count({
where: {
workspaceId: ws,
userId: user,
OR: this.acceptedCondition,
type: {
gte: permission,
},
},
});
if (count > 0) {
return true;
} else {
const info = {
workspaceId: ws,
userId: user,
requiredRole: WorkspaceRole[permission],
};
this.logger.log(
`User's WorkspaceRole is lower than required (${JSON.stringify(info)})`
);
}
}
// unsigned in, workspace is not public
// unaccessible
return false;
}
async checkWorkspaceIs(
ws: string,
user: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
) {
if (!(await this.tryCheckWorkspaceIs(ws, user, permission))) {
throw new SpaceAccessDenied({ spaceId: ws });
}
}
async tryCheckWorkspaceIs(
ws: string,
user: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
) {
const count = await this.prisma.workspaceUserPermission.count({
where: {
workspaceId: ws,
userId: user,
OR: this.acceptedCondition,
type: permission,
},
});
return count > 0;
}
async allowUrlPreview(ws: string) {
const count = await this.prisma.workspace.count({
where: {
id: ws,
enableUrlPreview: true,
},
});
return count > 0;
}
private getAllowedStatusSource(
to: WorkspaceMemberStatus
): WorkspaceMemberStatus[] {
switch (to) {
case WorkspaceMemberStatus.NeedMoreSeat:
return [WorkspaceMemberStatus.Pending];
case WorkspaceMemberStatus.NeedMoreSeatAndReview:
return [WorkspaceMemberStatus.UnderReview];
case WorkspaceMemberStatus.Pending:
case WorkspaceMemberStatus.UnderReview:
return [WorkspaceMemberStatus.Accepted];
default:
return [];
}
}
async grant(
ws: string,
user: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator,
status: WorkspaceMemberStatus = WorkspaceMemberStatus.Pending
): Promise<string> {
const data = await this.prisma.workspaceUserPermission.findFirst({
where: { workspaceId: ws, userId: user },
});
if (data) {
const toBeOwner = permission === WorkspaceRole.Owner;
if (data.accepted && data.status === WorkspaceMemberStatus.Accepted) {
const [p] = await this.prisma.$transaction(
[
this.prisma.workspaceUserPermission.update({
where: {
workspaceId_userId: { workspaceId: ws, userId: user },
},
data: { type: permission },
}),
// If the new permission is owner, we need to revoke old owner
toBeOwner
? this.prisma.workspaceUserPermission.updateMany({
where: {
workspaceId: ws,
type: WorkspaceRole.Owner,
userId: { not: user },
},
data: { type: WorkspaceRole.Admin },
})
: null,
].filter(Boolean) as Prisma.PrismaPromise<any>[]
);
return p.id;
}
const allowedStatus = this.getAllowedStatusSource(data.status);
if (allowedStatus.includes(status)) {
const ret = await this.prisma.workspaceUserPermission.update({
where: { workspaceId_userId: { workspaceId: ws, userId: user } },
data: { status },
});
return ret.id;
}
return data.id;
}
return this.prisma.workspaceUserPermission
.create({
data: {
workspaceId: ws,
userId: user,
type: permission,
status,
},
})
.then(p => p.id);
}
async acceptWorkspaceInvitation(
invitationId: string,
workspaceId: string,
status: WorkspaceMemberStatus = WorkspaceMemberStatus.Accepted
) {
const result = await this.prisma.workspaceUserPermission.updateMany({
where: {
id: invitationId,
workspaceId: workspaceId,
AND: [{ accepted: false }, { status: WorkspaceMemberStatus.Pending }],
},
data: { accepted: true, status },
});
return result.count > 0;
}
async refreshSeatStatus(workspaceId: string, memberLimit: number) {
const usedCount = await this.prisma.workspaceUserPermission.count({
where: { workspaceId, status: WorkspaceMemberStatus.Accepted },
});
const availableCount = memberLimit - usedCount;
if (availableCount <= 0) {
return;
}
await this.prisma.$transaction(async tx => {
const members = await tx.workspaceUserPermission.findMany({
select: { id: true, status: true },
where: {
workspaceId,
status: {
in: [
WorkspaceMemberStatus.NeedMoreSeat,
WorkspaceMemberStatus.NeedMoreSeatAndReview,
],
},
},
orderBy: { createdAt: 'asc' },
});
const needChange = members.slice(0, availableCount);
const { NeedMoreSeat, NeedMoreSeatAndReview } = groupBy(
needChange,
m => m.status
);
const toPendings = NeedMoreSeat ?? [];
if (toPendings.length > 0) {
await tx.workspaceUserPermission.updateMany({
where: { id: { in: toPendings.map(m => m.id) } },
data: { status: WorkspaceMemberStatus.Pending },
});
}
const toUnderReviewUserIds = NeedMoreSeatAndReview ?? [];
if (toUnderReviewUserIds.length > 0) {
await tx.workspaceUserPermission.updateMany({
where: { id: { in: toUnderReviewUserIds.map(m => m.id) } },
data: { status: WorkspaceMemberStatus.UnderReview },
});
}
return [toPendings, toUnderReviewUserIds] as const;
});
}
async revokeWorkspace(workspaceId: string, user: string) {
const permission = await this.prisma.workspaceUserPermission.findUnique({
where: { workspaceId_userId: { workspaceId, userId: user } },
});
// We shouldn't revoke owner permission
// should auto deleted by workspace/user delete cascading
if (!permission || permission.type === WorkspaceRole.Owner) {
return false;
}
await this.prisma.workspaceUserPermission.deleteMany({
where: {
workspaceId,
userId: user,
},
});
const count = await this.prisma.workspaceUserPermission.count({
where: { workspaceId },
});
this.event.emit('workspace.members.updated', {
workspaceId,
count,
});
this.event.emit('workspace.members.removed', {
workspaceId,
userId: user,
});
if (
permission.status === 'UnderReview' ||
permission.status === 'NeedMoreSeatAndReview'
) {
this.event.emit('workspace.members.requestDeclined', {
userId: user,
workspaceId,
});
}
return true;
}
/// End regin: workspace permission
/// Start regin: page permission
/**
* only check permission if the workspace is a cloud workspace
* @param workspaceId workspace id
* @param pageId page id aka doc id
* @param userId user id, check if is a public page if not provided
* @param permission default is read
*/
async checkCloudPagePermission(
workspaceId: string,
pageId: string,
action: DocAction,
userId?: string
) {
const hasWorkspace = await this.hasWorkspace(workspaceId);
if (hasWorkspace) {
await this.checkPagePermission(workspaceId, pageId, action, userId);
}
}
async checkPagePermission(
ws: string,
page: string,
action: DocAction,
user?: string
) {
if (!(await this.tryCheckPage(ws, page, action, user))) {
throw new DocActionDenied({ spaceId: ws, docId: page, action });
}
}
async tryCheckPage(
ws: string,
doc: string,
action: DocAction,
user?: string
) {
const role = docActionRequiredRole(action);
// check whether page is public
if (action === 'Doc.Read') {
const count = await this.prisma.workspaceDoc.count({
where: {
workspaceId: ws,
docId: doc,
public: true,
},
});
// page is public
// accessible
if (count > 0) {
return true;
}
}
if (user) {
const [roleEntity, pageEntity, workspaceRoleEntity] = await Promise.all([
this.prisma.workspaceDocUserPermission.findFirst({
where: {
workspaceId: ws,
docId: doc,
userId: user,
},
select: {
type: true,
},
}),
this.prisma.workspaceDoc.findFirst({
where: {
workspaceId: ws,
docId: doc,
},
select: {
defaultRole: true,
},
}),
this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId: ws,
userId: user,
OR: this.acceptedCondition,
},
select: {
type: true,
},
}),
]);
const defaultPageRole = pageEntity?.defaultRole ?? DocRole.Manager;
if (
// Page role exists, check it first
(roleEntity && roleEntity.type >= role) ||
// if
// - page has a default role
// - the user is in this workspace
// - the user is not an external user in this workspace
// then use the max of the two
(workspaceRoleEntity &&
workspaceRoleEntity.type !== WorkspaceRole.External &&
Math.max(
roleEntity?.type ?? Number.MIN_SAFE_INTEGER,
defaultPageRole
) >= role)
) {
return true;
}
const info = {
workspaceId: ws,
docId: doc,
userId: user,
workspaceRole: workspaceRoleEntity
? WorkspaceRole[workspaceRoleEntity.type]
: undefined,
pageRole: roleEntity ? DocRole[roleEntity.type] : undefined,
pageDefaultRole: DocRole[defaultPageRole],
requiredRole: DocRole[role],
action,
};
this.logger.log(
`Page role is lower than required, continue to check workspace permission (${JSON.stringify(info)})`
);
}
// check whether user has workspace related permission
return this.tryCheckWorkspace(
ws,
user,
docActionRequiredWorkspaceRole(action)
);
}
async isPublicPage(ws: string, doc: string) {
return this.prisma.workspaceDoc
.count({
where: {
workspaceId: ws,
docId: doc,
public: true,
},
})
.then(count => count > 0);
}
async publishPage(ws: string, doc: string, mode = PublicDocMode.Page) {
return this.prisma.workspaceDoc.upsert({
where: {
workspaceId_docId: {
workspaceId: ws,
docId: doc,
},
},
update: {
public: true,
mode,
},
create: {
workspaceId: ws,
docId: doc,
mode,
public: true,
},
});
}
async revokePublicPage(ws: string, doc: string) {
return this.prisma.workspaceDoc.upsert({
where: {
workspaceId_docId: {
workspaceId: ws,
docId: doc,
},
},
update: {
public: false,
},
create: {
workspaceId: ws,
docId: doc,
public: false,
},
});
}
async grantPage(ws: string, doc: string, user: string, permission: DocRole) {
const [p] = await this.prisma.$transaction(
[
this.prisma.workspaceDocUserPermission.upsert({
where: {
workspaceId_docId_userId: {
workspaceId: ws,
docId: doc,
userId: user,
},
},
update: {
type: permission,
},
create: {
workspaceId: ws,
docId: doc,
userId: user,
type: permission,
},
}),
// If the new permission is owner, we need to revoke old owner
permission === DocRole.Owner
? this.prisma.workspaceDocUserPermission.updateMany({
where: {
workspaceId: ws,
docId: doc,
type: DocRole.Owner,
userId: {
not: user,
},
},
data: {
type: DocRole.Manager,
},
})
: null,
].filter(Boolean) as Prisma.PrismaPromise<any>[]
);
return p as WorkspaceDocUserPermission;
}
async revokePage(ws: string, doc: string, user: string) {
const result = await this.prisma.workspaceDocUserPermission.deleteMany({
where: {
workspaceId: ws,
docId: doc,
userId: user,
type: {
// We shouldn't revoke owner permission, should auto deleted by workspace/user delete cascading
not: DocRole.Owner,
},
},
});
return result.count > 0;
}
async batchGrantPage(
workspaceId: string,
docId: string,
userIds: string[],
role: DocRole
) {
if (userIds.length === 0) {
return 0;
}
if (role === DocRole.Owner) {
throw new CanNotBatchGrantDocOwnerPermissions();
}
const result = await this.prisma.workspaceDocUserPermission.createMany({
skipDuplicates: true,
data: userIds.map(id => ({
workspaceId,
docId,
userId: id,
type: role,
})),
});
return result.count;
}
}

75
packages/backend/server/src/core/permission/types.ts
View File

@@ -1,25 +1,7 @@
import { LeafPaths, LeafVisitor } from '../../base';
import { DocRole, WorkspaceRole } from '../../models';
export enum PublicDocMode {
Page,
Edgeless,
}
export enum DocRole {
External = 0,
Reader = 10,
Editor = 20,
Manager = 30,
Owner = 99,
}
export enum WorkspaceRole {
External = -99,
Collaborator = 1,
Admin = 10,
Owner = 99,
}
export { DocRole, WorkspaceRole };
/**
* Definitions of all possible actions
*
@@ -28,6 +10,7 @@ export enum WorkspaceRole {
export const Actions = {
// Workspace Actions
Workspace: {
Read: '',
Sync: '',
CreateDoc: '',
Delete: '',
@@ -39,6 +22,9 @@ export const Actions = {
Read: '',
Manage: '',
},
Adminitrators: {
Manage: '',
},
Properties: {
Read: '',
Create: '',
@@ -49,6 +35,15 @@ export const Actions = {
Read: '',
Update: '',
},
Blobs: {
Read: '',
List: '',
Write: '',
},
Copilot: '',
Payment: {
Manage: '',
},
},
// Doc Actions
@@ -76,7 +71,12 @@ export const Actions = {
export const RoleActionsMap = {
WorkspaceRole: {
get [WorkspaceRole.External]() {
return [Action.Workspace.Organize.Read];
return [
Action.Workspace.Read,
Action.Workspace.Organize.Read,
Action.Workspace.Properties.Read,
Action.Workspace.Blobs.Read,
];
},
get [WorkspaceRole.Collaborator]() {
return [
@@ -84,8 +84,10 @@ export const RoleActionsMap = {
Action.Workspace.Sync,
Action.Workspace.CreateDoc,
Action.Workspace.Users.Read,
Action.Workspace.Properties.Read,
Action.Workspace.Settings.Read,
Action.Workspace.Blobs.Write,
Action.Workspace.Blobs.List,
Action.Workspace.Copilot,
];
},
get [WorkspaceRole.Admin]() {
@@ -102,7 +104,9 @@ export const RoleActionsMap = {
return [
...this[WorkspaceRole.Admin],
Action.Workspace.Delete,
Action.Workspace.Adminitrators.Manage,
Action.Workspace.TransferOwner,
Action.Workspace.Payment.Manage,
];
},
},
@@ -187,7 +191,9 @@ export const WORKSPACE_ACTIONS =
RoleActionsMap.WorkspaceRole[WorkspaceRole.Owner];
export const DOC_ACTIONS = RoleActionsMap.DocRole[DocRole.Owner];
export function mapWorkspaceRoleToPermissions(workspaceRole: WorkspaceRole) {
export function mapWorkspaceRoleToPermissions(
workspaceRole: WorkspaceRole | null
) {
const permissions = WORKSPACE_ACTIONS.reduce(
(map, action) => {
map[action] = false;
@@ -196,6 +202,10 @@ export function mapWorkspaceRoleToPermissions(workspaceRole: WorkspaceRole) {
{} as Record<WorkspaceAction, boolean>
);
if (workspaceRole === null) {
return permissions;
}
RoleActionsMap.WorkspaceRole[workspaceRole].forEach(action => {
permissions[action] = true;
});
@@ -203,7 +213,7 @@ export function mapWorkspaceRoleToPermissions(workspaceRole: WorkspaceRole) {
return permissions;
}
export function mapDocRoleToPermissions(docRole: DocRole) {
export function mapDocRoleToPermissions(docRole: DocRole | null) {
const permissions = DOC_ACTIONS.reduce(
(map, action) => {
map[action] = false;
@@ -212,6 +222,10 @@ export function mapDocRoleToPermissions(docRole: DocRole) {
{} as Record<DocAction, boolean>
);
if (docRole === null) {
return permissions;
}
RoleActionsMap.DocRole[docRole].forEach(action => {
permissions[action] = true;
});
@@ -232,9 +246,16 @@ export function mapDocRoleToPermissions(docRole: DocRole) {
* fixupDocRole(WorkspaceRole.Owner, DocRole.External) // returns DocRole.Manager
*/
export function fixupDocRole(
workspaceRole: WorkspaceRole = WorkspaceRole.External,
docRole: DocRole = DocRole.External
): DocRole {
workspaceRole: WorkspaceRole | null,
docRole: DocRole | null
): DocRole | null {
if (workspaceRole === null && docRole === null) {
return null;
}
workspaceRole = workspaceRole ?? WorkspaceRole.External;
docRole = docRole ?? DocRole.External;
switch (workspaceRole) {
case WorkspaceRole.External:
// Workspace External user won't be able to have any high permission doc role

101
packages/backend/server/src/core/permission/workspace.ts Normal file
View File

@@ -0,0 +1,101 @@
import { Injectable } from '@nestjs/common';
import { SpaceAccessDenied } from '../../base';
import { Models } from '../../models';
import { AccessController } from './controller';
import type { Resource } from './resource';
import {
mapWorkspaceRoleToPermissions,
WorkspaceAction,
workspaceActionRequiredRole,
WorkspaceRole,
} from './types';
@Injectable()
export class WorkspaceAccessController extends AccessController<'ws'> {
protected readonly type = 'ws';
constructor(private readonly models: Models) {
super();
}
async role(resource: Resource<'ws'>) {
let role = await this.getRole(resource);
// NOTE(@forehalo): special case for public page
// Currently, we can not only load binary of a public Doc to render in a shared page,
// so we need to ensure anyone has basic 'read' permission to a workspace that has public pages.
if (
!role &&
(await this.models.workspace.hasPublicDoc(resource.workspaceId))
) {
role = WorkspaceRole.External;
}
return {
role,
permissions: mapWorkspaceRoleToPermissions(role),
};
}
async can(resource: Resource<'ws'>, action: WorkspaceAction) {
const { permissions, role } = await this.role(resource);
const allow = permissions[action] || false;
if (!allow) {
this.logger.log('Workspace access check failed', {
action,
resource,
role,
requiredRole: workspaceActionRequiredRole(action),
});
}
return allow;
}
async assert(resource: Resource<'ws'>, action: WorkspaceAction) {
const allow = await this.can(resource, action);
if (!allow) {
throw new SpaceAccessDenied({ spaceId: resource.workspaceId });
}
}
async getRole(payload: Resource<'ws'>) {
const userRole = await this.models.workspaceUser.getActive(
payload.workspaceId,
payload.userId
);
let role = userRole?.type as WorkspaceRole | null;
if (!role) {
role = await this.defaultWorkspaceRole(payload);
}
return role;
}
private async defaultWorkspaceRole(payload: Resource<'ws'>) {
const ws = await this.models.workspace.get(payload.workspaceId);
// NOTE(@forehalo):
// we allow user to use online service with local workspace
// so we always return owner role for local workspace
// copilot session for local workspace is an example
if (!ws) {
if (payload.allowLocal) {
return WorkspaceRole.Owner;
}
return null;
}
if (ws.public) {
return WorkspaceRole.External;
}
return null;
}
}

26
packages/backend/server/src/core/quota/service.ts
View File

@@ -5,8 +5,8 @@ import {
Models,
type UserQuota,
WorkspaceQuota as BaseWorkspaceQuota,
WorkspaceRole,
} from '../../models';
import { PermissionService } from '../permission';
import { WorkspaceBlobStorage } from '../storage';
import {
UserQuotaHumanReadableType,
@@ -28,7 +28,6 @@ export class QuotaService {
constructor(
private readonly models: Models,
private readonly permissions: PermissionService,
private readonly storage: WorkspaceBlobStorage
) {}
@@ -73,12 +72,20 @@ export class QuotaService {
}
async getUserStorageUsage(userId: string) {
const workspaces = await this.permissions.getOwnedWorkspaces(userId);
const workspaces = await this.models.workspaceUser.getUserActiveRoles(
userId,
{
role: WorkspaceRole.Owner,
}
);
const ids = workspaces.map(w => w.workspaceId);
const workspacesWithQuota =
await this.models.workspaceFeature.batchHasQuota(workspaces);
await this.models.workspaceFeature.batchHasQuota(ids);
const sizes = await Promise.allSettled(
workspaces
ids
.filter(w => !workspacesWithQuota.includes(w))
.map(workspace => this.storage.totalSize(workspace))
);
@@ -116,8 +123,7 @@ export class QuotaService {
if (!quota) {
// get and convert to workspace quota from owner's quota
// TODO(@forehalo): replace it with `WorkspaceRoleModel` when it's ready
const owner = await this.permissions.getWorkspaceOwner(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
const ownerQuota = await this.getUserQuota(owner.id);
return {
@@ -136,8 +142,7 @@ export class QuotaService {
const usedStorageQuota = quota.ownerQuota
? await this.getUserStorageUsage(quota.ownerQuota)
: await this.getWorkspaceStorageUsage(workspaceId);
const memberCount =
await this.permissions.getWorkspaceMemberCount(workspaceId);
const memberCount = await this.models.workspaceUser.count(workspaceId);
return {
...quota,
@@ -165,8 +170,7 @@ export class QuotaService {
async getWorkspaceSeatQuota(workspaceId: string) {
const quota = await this.getWorkspaceQuota(workspaceId);
const memberCount =
await this.permissions.getWorkspaceMemberCount(workspaceId);
const memberCount = await this.models.workspaceUser.count(workspaceId);
return {
memberCount,

13
packages/backend/server/src/core/storage/wrappers/blob.ts
View File

@@ -13,6 +13,19 @@ import {
StorageProviderFactory,
} from '../../../base';
declare global {
interface Events {
'workspace.blob.sync': {
workspaceId: string;
key: string;
};
'workspace.blob.delete': {
workspaceId: string;
key: string;
};
}
}
@Injectable()
export class WorkspaceBlobStorage {
private readonly logger = new Logger(WorkspaceBlobStorage.name);

38
packages/backend/server/src/core/sync/gateway.ts
View File

@@ -27,7 +27,7 @@ import {
PgUserspaceDocStorageAdapter,
PgWorkspaceDocStorageAdapter,
} from '../doc';
import { PermissionService, WorkspaceRole } from '../permission';
import { AccessController, WorkspaceAction } from '../permission';
import { DocID } from '../utils/doc';
const SubscribeMessage = (event: string) =>
@@ -144,7 +144,7 @@ export class SpaceSyncGateway
constructor(
private readonly runtime: Runtime,
private readonly permissions: PermissionService,
private readonly ac: AccessController,
private readonly workspace: PgWorkspaceDocStorageAdapter,
private readonly userspace: PgUserspaceDocStorageAdapter,
private readonly docReader: DocReader
@@ -170,7 +170,7 @@ export class SpaceSyncGateway
const workspace = new WorkspaceSyncAdapter(
client,
this.workspace,
this.permissions,
this.ac,
this.docReader
);
const userspace = new UserspaceSyncAdapter(client, this.userspace);
@@ -248,12 +248,13 @@ export class SpaceSyncGateway
): Promise<
EventResponse<{ missing: string; state: string; timestamp: number }>
> {
const id = new DocID(docId, spaceId);
const adapter = this.selectAdapter(client, spaceType);
adapter.assertIn(spaceId);
const doc = await adapter.diff(
spaceId,
docId,
id.guid,
stateVector ? Buffer.from(stateVector, 'base64') : undefined
);
@@ -293,11 +294,12 @@ export class SpaceSyncGateway
): Promise<EventResponse<{ accepted: true; timestamp?: number }>> {
const { spaceType, spaceId, docId, updates } = message;
const adapter = this.selectAdapter(client, spaceType);
const id = new DocID(docId, spaceId);
// TODO(@forehalo): we might need to check write permission before push updates
await this.ac.user(user.id).doc(spaceId, id.guid).assert('Doc.Update');
const timestamp = await adapter.push(
spaceId,
docId,
id.guid,
updates.map(update => Buffer.from(update, 'base64')),
user.id
);
@@ -334,7 +336,7 @@ export class SpaceSyncGateway
const { spaceType, spaceId, docId, update } = message;
const adapter = this.selectAdapter(client, spaceType);
// TODO(@forehalo): we might need to check write permission before push updates
await this.ac.user(user.id).doc(spaceId, docId).assert('Doc.Update');
const timestamp = await adapter.push(
spaceId,
docId,
@@ -472,7 +474,7 @@ abstract class SyncSocketAdapter {
if (this.in(spaceId, roomType)) {
return;
}
await this.assertAccessible(spaceId, userId, WorkspaceRole.Collaborator);
await this.assertAccessible(spaceId, userId, 'Workspace.Sync');
return this.client.join(this.room(spaceId, roomType));
}
@@ -496,7 +498,7 @@ abstract class SyncSocketAdapter {
abstract assertAccessible(
spaceId: string,
userId: string,
permission?: WorkspaceRole
action: WorkspaceAction
): Promise<void>;
push(spaceId: string, docId: string, updates: Buffer[], editorId: string) {
@@ -525,7 +527,7 @@ class WorkspaceSyncAdapter extends SyncSocketAdapter {
constructor(
client: Socket,
storage: DocStorageAdapter,
private readonly permission: PermissionService,
private readonly ac: AccessController,
private readonly docReader: DocReader
) {
super(SpaceType.Workspace, client, storage);
@@ -537,8 +539,7 @@ class WorkspaceSyncAdapter extends SyncSocketAdapter {
updates: Buffer[],
editorId: string
) {
const id = new DocID(docId, spaceId);
return super.push(spaceId, id.guid, updates, editorId);
return super.push(spaceId, docId, updates, editorId);
}
override async diff(
@@ -546,20 +547,15 @@ class WorkspaceSyncAdapter extends SyncSocketAdapter {
docId: string,
stateVector?: Uint8Array
) {
const id = new DocID(docId, spaceId);
return await this.docReader.getDocDiff(spaceId, id.guid, stateVector);
return await this.docReader.getDocDiff(spaceId, docId, stateVector);
}
async assertAccessible(
spaceId: string,
userId: string,
permission: WorkspaceRole = WorkspaceRole.Collaborator
action: WorkspaceAction
) {
if (
!(await this.permission.isWorkspaceMember(spaceId, userId, permission))
) {
throw new SpaceAccessDenied({ spaceId });
}
await this.ac.user(userId).workspace(spaceId).assert(action);
}
}
@@ -571,7 +567,7 @@ class UserspaceSyncAdapter extends SyncSocketAdapter {
async assertAccessible(
spaceId: string,
userId: string,
_permission: WorkspaceRole = WorkspaceRole.Collaborator
_action: WorkspaceAction
) {
if (spaceId !== userId) {
throw new SpaceAccessDenied({ spaceId });

67
packages/backend/server/src/core/workspaces/controller.ts
View File

@@ -1,20 +1,18 @@
import { Controller, Get, Logger, Param, Res } from '@nestjs/common';
import { PrismaClient } from '@prisma/client';
import type { Response } from 'express';
import {
AccessDenied,
ActionForbidden,
BlobNotFound,
CallMetric,
DocHistoryNotFound,
DocNotFound,
InvalidHistoryTimestamp,
} from '../../base';
import { Models, PublicDocMode } from '../../models';
import { CurrentUser, Public } from '../auth';
import { PgWorkspaceDocStorageAdapter } from '../doc';
import { DocReader } from '../doc/reader';
import { PermissionService, PublicDocMode } from '../permission';
import { AccessController } from '../permission';
import { WorkspaceBlobStorage } from '../storage';
import { DocID } from '../utils/doc';
@@ -23,10 +21,10 @@ export class WorkspacesController {
logger = new Logger(WorkspacesController.name);
constructor(
private readonly storage: WorkspaceBlobStorage,
private readonly permission: PermissionService,
private readonly ac: AccessController,
private readonly workspace: PgWorkspaceDocStorageAdapter,
private readonly docReader: DocReader,
private readonly prisma: PrismaClient
private readonly models: Models
) {}
// get workspace blob
@@ -41,18 +39,10 @@ export class WorkspacesController {
@Param('name') name: string,
@Res() res: Response
) {
// if workspace is public or have any public page, then allow to access
// otherwise, check permission
if (
!(await this.permission.isPublicAccessible(
workspaceId,
workspaceId,
user?.id
))
) {
throw new ActionForbidden();
}
await this.ac
.user(user?.id ?? 'anonymous')
.workspace(workspaceId)
.assert('Workspace.Read');
const { body, metadata } = await this.storage.get(workspaceId, name);
if (!body) {
@@ -86,17 +76,17 @@ export class WorkspacesController {
@Res() res: Response
) {
const docId = new DocID(guid, ws);
if (
// if a user has the permission
!(await this.permission.isPublicAccessible(
docId.workspace,
docId.guid,
user?.id
))
) {
throw new AccessDenied();
if (docId.isWorkspace) {
await this.ac
.user(user?.id ?? 'anonymous')
.workspace(ws)
.assert('Workspace.Read');
} else {
await this.ac
.user(user?.id ?? 'anonymous')
.doc(ws, guid)
.assert('Doc.Read');
}
const binResponse = await this.docReader.getDoc(
docId.workspace,
docId.guid
@@ -111,16 +101,12 @@ export class WorkspacesController {
if (!docId.isWorkspace) {
// fetch the publish page mode for publish page
const publishPage = await this.prisma.workspaceDoc.findUnique({
where: {
workspaceId_docId: {
workspaceId: docId.workspace,
docId: docId.guid,
},
},
});
const doc = await this.models.workspace.getDoc(
docId.workspace,
docId.guid
);
const publishPageMode =
publishPage?.mode === PublicDocMode.Edgeless ? 'edgeless' : 'page';
doc?.mode === PublicDocMode.Edgeless ? 'edgeless' : 'page';
res.setHeader('publish-mode', publishPageMode);
}
@@ -146,12 +132,7 @@ export class WorkspacesController {
throw new InvalidHistoryTimestamp({ timestamp });
}
await this.permission.checkPagePermission(
docId.workspace,
docId.guid,
'Doc.Read',
user.id
);
await this.ac.user(user.id).doc(ws, guid).assert('Doc.Read');
const history = await this.workspace.getDocHistory(
docId.workspace,

8
packages/backend/server/src/core/workspaces/event.ts
View File

@@ -44,21 +44,21 @@ export class WorkspaceEvents {
async onRoleChanged({
userId,
workspaceId,
permission,
role,
}: Events['workspace.members.roleChanged']) {
// send role changed mail
await this.workspaceService.sendRoleChangedEmail(userId, {
id: workspaceId,
role: permission,
role,
});
}
@OnEvent('workspace.members.ownershipTransferred')
@OnEvent('workspace.owner.changed')
async onOwnerTransferred({
workspaceId,
from,
to,
}: Events['workspace.members.ownershipTransferred']) {
}: Events['workspace.owner.changed']) {
// send ownership transferred mail
const fromUser = await this.models.user.getPublicUser(from);
const toUser = await this.models.user.getPublicUser(to);

50
packages/backend/server/src/core/workspaces/resolvers/blob.ts
View File

@@ -15,7 +15,7 @@ import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
import type { FileUpload } from '../../../base';
import { BlobQuotaExceeded, CloudThrottlerGuard } from '../../../base';
import { CurrentUser } from '../../auth';
import { PermissionService, WorkspaceRole } from '../../permission';
import { AccessController } from '../../permission';
import { QuotaService } from '../../quota';
import { WorkspaceBlobStorage } from '../../storage';
import { WorkspaceBlobSizes, WorkspaceType } from '../types';
@@ -40,7 +40,7 @@ class ListedBlob {
export class WorkspaceBlobResolver {
logger = new Logger(WorkspaceBlobResolver.name);
constructor(
private readonly permissions: PermissionService,
private readonly ac: AccessController,
private readonly quota: QuotaService,
private readonly storage: WorkspaceBlobStorage
) {}
@@ -53,7 +53,10 @@ export class WorkspaceBlobResolver {
@CurrentUser() user: CurrentUser,
@Parent() workspace: WorkspaceType
) {
await this.permissions.checkWorkspace(workspace.id, user.id);
await this.ac
.user(user.id)
.workspace(workspace.id)
.assert('Workspace.Blobs.List');
return this.storage.list(workspace.id);
}
@@ -66,24 +69,6 @@ export class WorkspaceBlobResolver {
return this.storage.totalSize(workspace.id);
}
/**
* @deprecated use `workspace.blobs` instead
*/
@Query(() => [String], {
description: 'List blobs of workspace',
deprecationReason: 'use `workspace.blobs` instead',
})
async listBlobs(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string
) {
await this.permissions.checkWorkspace(workspaceId, user.id);
return this.storage
.list(workspaceId)
.then(list => list.map(item => item.key));
}
@Query(() => WorkspaceBlobSizes, {
deprecationReason: 'use `user.quotaUsage` instead',
})
@@ -99,11 +84,10 @@ export class WorkspaceBlobResolver {
@Args({ name: 'blob', type: () => GraphQLUpload })
blob: FileUpload
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Collaborator
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Blobs.Write');
const checkExceeded =
await this.quota.getWorkspaceQuotaCalculator(workspaceId);
@@ -159,7 +143,10 @@ export class WorkspaceBlobResolver {
return false;
}
await this.permissions.checkWorkspace(workspaceId, user.id);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Blobs.Write');
await this.storage.delete(workspaceId, key, permanently);
@@ -171,11 +158,10 @@ export class WorkspaceBlobResolver {
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Collaborator
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Blobs.Write');
await this.storage.release(workspaceId);

292
packages/backend/server/src/core/workspaces/resolvers/doc.ts
View File

@@ -17,7 +17,6 @@ import {
Cache,
DocActionDenied,
DocDefaultRoleCanNotBeOwner,
DocIsNotPublic,
ExpectToGrantDocUserRoles,
ExpectToPublishDoc,
ExpectToRevokeDocUserRoles,
@@ -28,21 +27,20 @@ import {
PaginationInput,
registerObjectType,
} from '../../../base';
import { Models } from '../../../models';
import { Models, PublicDocMode } from '../../../models';
import { CurrentUser } from '../../auth';
import {
AccessController,
DOC_ACTIONS,
DocAction,
DocRole,
fixupDocRole,
mapDocRoleToPermissions,
PermissionService,
PublicDocMode,
} from '../../permission';
import { PublicUserType } from '../../user';
import { DocID } from '../../utils/doc';
import { WorkspaceType } from '../types';
import { DotToUnderline, mapPermissionToGraphqlPermissions } from './workspace';
import {
DotToUnderline,
mapPermissionsToGraphqlPermissions,
} from './workspace';
registerEnumType(PublicDocMode, {
name: 'PublicDocMode',
@@ -155,8 +153,11 @@ export class WorkspaceDocResolver {
private readonly logger = new Logger(WorkspaceDocResolver.name);
constructor(
/**
* @deprecated migrate to models
*/
private readonly prisma: PrismaClient,
private readonly permission: PermissionService,
private readonly ac: AccessController,
private readonly models: Models,
private readonly cache: Cache
) {}
@@ -174,12 +175,7 @@ export class WorkspaceDocResolver {
complexity: 2,
})
async publicDocs(@Parent() workspace: WorkspaceType) {
return this.prisma.workspaceDoc.findMany({
where: {
workspaceId: workspace.id,
public: true,
},
});
return this.models.workspace.getPublicDocs(workspace.id);
}
@ResolveField(() => DocType, {
@@ -203,14 +199,7 @@ export class WorkspaceDocResolver {
@Parent() workspace: WorkspaceType,
@Args('docId') docId: string
): Promise<DocType> {
const doc = await this.prisma.workspaceDoc.findUnique({
where: {
workspaceId_docId: {
workspaceId: workspace.id,
docId,
},
},
});
const doc = await this.models.workspace.getDoc(workspace.id, docId);
if (doc) {
return doc;
@@ -249,7 +238,7 @@ export class WorkspaceDocResolver {
async publishDoc(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string,
@Args('docId') rawDocId: string,
@Args('docId') docId: string,
@Args({
name: 'mode',
type: () => PublicDocMode,
@@ -258,28 +247,27 @@ export class WorkspaceDocResolver {
})
mode: PublicDocMode
) {
const docId = new DocID(rawDocId, workspaceId);
if (docId.isWorkspace) {
if (workspaceId === docId) {
this.logger.error('Expect to publish doc, but it is a workspace', {
workspaceId,
docId: rawDocId,
docId,
});
throw new ExpectToPublishDoc();
}
await this.permission.checkPagePermission(
docId.workspace,
docId.guid,
'Doc.Publish',
user.id
await this.ac.user(user.id).doc(workspaceId, docId).assert('Doc.Publish');
const doc = await this.models.workspace.publishDoc(
workspaceId,
docId,
mode
);
this.logger.log(
`Publish page ${rawDocId} with mode ${mode} in workspace ${workspaceId}`
`Publish page ${docId} with mode ${mode} in workspace ${workspaceId}`
);
return this.permission.publishPage(docId.workspace, docId.guid, mode);
return doc;
}
@Mutation(() => DocType, {
@@ -297,44 +285,23 @@ export class WorkspaceDocResolver {
async revokePublicDoc(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string,
@Args('docId') rawDocId: string
@Args('docId') docId: string
) {
const docId = new DocID(rawDocId, workspaceId);
if (docId.isWorkspace) {
if (workspaceId === docId) {
this.logger.error('Expect to revoke public doc, but it is a workspace', {
workspaceId,
docId: rawDocId,
docId,
});
throw new ExpectToRevokePublicDoc('Expect doc not to be workspace');
}
await this.permission.checkPagePermission(
docId.workspace,
docId.guid,
'Doc.Publish',
user.id
);
await this.ac.user(user.id).doc(workspaceId, docId).assert('Doc.Publish');
const isPublic = await this.permission.isPublicPage(
docId.workspace,
docId.guid
);
const doc = await this.models.workspace.revokePublicDoc(workspaceId, docId);
const info = {
workspaceId,
docId: rawDocId,
};
if (!isPublic) {
this.logger.log(
`Expect to revoke public doc, but it is not public (${JSON.stringify(info)})`
);
throw new DocIsNotPublic('Doc is not public');
}
this.logger.log(`Revoke public doc ${docId} in workspace ${workspaceId}`);
this.logger.log(`Revoke public doc (${JSON.stringify(info)})`);
return this.permission.revokePublicPage(docId.workspace, docId.guid);
return doc;
}
private async tryFixDocOwner(workspaceId: string, docId: string) {
@@ -357,13 +324,7 @@ export class WorkspaceDocResolver {
return;
}
const owner = await this.prisma.workspaceDocUserPermission.findFirst({
where: {
workspaceId,
docId,
type: DocRole.Owner,
},
});
const owner = await this.models.docUser.getOwner(workspaceId, docId);
// skip if owner already exists
if (owner) {
@@ -387,18 +348,11 @@ export class WorkspaceDocResolver {
// try workspace.owner
if (!fixedOwner) {
const owner = await this.permission.getWorkspaceOwner(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
fixedOwner = owner.id;
}
await this.prisma.workspaceDocUserPermission.createMany({
data: {
workspaceId,
docId,
userId: fixedOwner,
type: DocRole.Owner,
},
});
await this.models.docUser.setOwner(workspaceId, docId, fixedOwner);
this.logger.debug(
`Fixed doc owner for ${docId} in workspace ${workspaceId}, new owner: ${fixedOwner}`
@@ -411,8 +365,7 @@ export class DocResolver {
private readonly logger = new Logger(DocResolver.name);
constructor(
private readonly prisma: PrismaClient,
private readonly permission: PermissionService,
private readonly ac: AccessController,
private readonly models: Models
) {}
@@ -421,33 +374,9 @@ export class DocResolver {
@CurrentUser() user: CurrentUser,
@Parent() doc: DocType
): Promise<InstanceType<typeof DocPermissions>> {
const [permission, workspacePermission] = await this.prisma.$transaction(
tx =>
Promise.all([
tx.workspaceDocUserPermission.findFirst({
where: {
workspaceId: doc.workspaceId,
docId: doc.docId,
userId: user.id,
},
}),
tx.workspaceUserPermission.findFirst({
where: {
workspaceId: doc.workspaceId,
userId: user.id,
},
}),
])
);
const { permissions } = await this.ac.user(user.id).doc(doc).permissions();
return mapPermissionToGraphqlPermissions(
mapDocRoleToPermissions(
fixupDocRole(
workspacePermission?.type,
permission?.type ?? doc.defaultRole
)
)
);
return mapPermissionsToGraphqlPermissions(permissions);
}
@ResolveField(() => PaginatedGrantedDocUserType, {
@@ -459,49 +388,20 @@ export class DocResolver {
@Parent() doc: DocType,
@Args('pagination', PaginationInput.decode) pagination: PaginationInput
): Promise<PaginatedGrantedDocUserType> {
await this.permission.checkPagePermission(
await this.ac.user(user.id).doc(doc).assert('Doc.Users.Read');
const [permissions, totalCount] = await this.models.docUser.paginate(
doc.workspaceId,
doc.docId,
'Doc.Users.Read',
user.id
pagination
);
const [permissions, totalCount] = await this.prisma.$transaction(tx => {
return Promise.all([
tx.workspaceDocUserPermission.findMany({
where: {
workspaceId: doc.workspaceId,
docId: doc.docId,
createdAt: pagination.after
? {
gt: pagination.after,
}
: undefined,
},
orderBy: [
{
type: 'desc',
},
{
createdAt: 'desc',
},
],
take: pagination.first,
skip: pagination.offset,
}),
tx.workspaceDocUserPermission.count({
where: {
workspaceId: doc.workspaceId,
docId: doc.docId,
},
}),
]);
});
const publicUsers = await this.models.user.getPublicUsers(
permissions.map(p => p.userId)
);
const publicUsersMap = new Map(publicUsers.map(pu => [pu.id, pu]));
return paginate(
permissions.map(p => ({
...p,
@@ -518,12 +418,12 @@ export class DocResolver {
@CurrentUser() user: CurrentUser,
@Args('input') input: GrantDocUserRolesInput
): Promise<boolean> {
const doc = new DocID(input.docId, input.workspaceId);
const pairs = {
spaceId: input.workspaceId,
docId: input.docId,
};
if (doc.isWorkspace) {
if (input.workspaceId === input.docId) {
this.logger.error(
'Expect to grant doc user roles, but it is a workspace',
pairs
@@ -533,18 +433,16 @@ export class DocResolver {
'Expect doc not to be workspace'
);
}
await this.permission.checkPagePermission(
doc.workspace,
doc.guid,
'Doc.Users.Manage',
user.id
);
await this.permission.batchGrantPage(
doc.workspace,
doc.guid,
await this.ac.user(user.id).doc(input).assert('Doc.Users.Manage');
await this.models.docUser.batchSetUserRoles(
input.workspaceId,
input.docId,
input.userIds,
input.role
);
const info = {
...pairs,
userIds: input.userIds,
@@ -559,12 +457,11 @@ export class DocResolver {
@CurrentUser() user: CurrentUser,
@Args('input') input: RevokeDocUserRoleInput
): Promise<boolean> {
const doc = new DocID(input.docId, input.workspaceId);
const pairs = {
spaceId: input.workspaceId,
docId: doc.guid,
docId: input.docId,
};
if (doc.isWorkspace) {
if (input.workspaceId === input.docId) {
this.logger.error(
'Expect to revoke doc user roles, but it is a workspace',
pairs
@@ -574,13 +471,14 @@ export class DocResolver {
'Expect doc not to be workspace'
);
}
await this.permission.checkPagePermission(
doc.workspace,
doc.guid,
'Doc.Users.Manage',
user.id
await this.ac.user(user.id).doc(input).assert('Doc.Users.Manage');
await this.models.docUser.delete(
input.workspaceId,
input.docId,
input.userId
);
await this.permission.revokePage(doc.workspace, doc.guid, input.userId);
const info = {
...pairs,
userId: input.userId,
@@ -594,12 +492,11 @@ export class DocResolver {
@CurrentUser() user: CurrentUser,
@Args('input') input: UpdateDocUserRoleInput
): Promise<boolean> {
const doc = new DocID(input.docId, input.workspaceId);
const pairs = {
spaceId: doc.workspace,
docId: doc.guid,
spaceId: input.workspaceId,
docId: input.docId,
};
if (doc.isWorkspace) {
if (input.workspaceId === input.docId) {
this.logger.error(
'Expect to update doc user role, but it is a workspace',
pairs
@@ -610,28 +507,28 @@ export class DocResolver {
);
}
await this.permission.checkPagePermission(
doc.workspace,
doc.guid,
input.role === DocRole.Owner ? 'Doc.TransferOwner' : 'Doc.Users.Manage',
user.id
);
await this.permission.grantPage(
doc.workspace,
doc.guid,
input.userId,
input.role
);
const info = {
...pairs,
userId: input.userId,
role: input.role,
};
if (input.role === DocRole.Owner) {
await this.ac.user(user.id).doc(input).assert('Doc.TransferOwner');
await this.models.docUser.setOwner(
input.workspaceId,
input.docId,
input.userId
);
this.logger.log(`Transfer doc owner (${JSON.stringify(info)})`);
} else {
await this.ac.user(user.id).doc(input).assert('Doc.Users.Manage');
await this.models.docUser.set(
input.workspaceId,
input.docId,
input.userId,
input.role
);
this.logger.log(`Update doc user role (${JSON.stringify(info)})`);
}
@@ -649,12 +546,11 @@ export class DocResolver {
);
throw new DocDefaultRoleCanNotBeOwner();
}
const doc = new DocID(input.docId, input.workspaceId);
const pairs = {
spaceId: doc.workspace,
docId: doc.guid,
spaceId: input.workspaceId,
docId: input.docId,
};
if (doc.isWorkspace) {
if (input.workspaceId === input.docId) {
this.logger.error(
'Expect to update page default role, but it is a workspace',
pairs
@@ -665,12 +561,7 @@ export class DocResolver {
);
}
try {
await this.permission.checkPagePermission(
doc.workspace,
doc.guid,
'Doc.Users.Manage',
user.id
);
await this.ac.user(user.id).doc(input).assert('Doc.Users.Manage');
} catch (error) {
if (error instanceof DocActionDenied) {
this.logger.log(
@@ -684,22 +575,11 @@ export class DocResolver {
}
throw error;
}
await this.prisma.workspaceDoc.upsert({
where: {
workspaceId_docId: {
workspaceId: doc.workspace,
docId: doc.guid,
},
},
update: {
defaultRole: input.role,
},
create: {
workspaceId: doc.workspace,
docId: doc.guid,
defaultRole: input.role,
},
});
await this.models.workspace.setDocDefaultRole(
input.workspaceId,
input.docId,
input.role
);
return true;
}
}

11
packages/backend/server/src/core/workspaces/resolvers/history.ts
View File

@@ -13,7 +13,7 @@ import type { SnapshotHistory } from '@prisma/client';
import { CurrentUser } from '../../auth';
import { PgWorkspaceDocStorageAdapter } from '../../doc';
import { PermissionService } from '../../permission';
import { AccessController } from '../../permission';
import { DocID } from '../../utils/doc';
import { WorkspaceType } from '../types';
import { EditorType } from './workspace';
@@ -37,7 +37,7 @@ class DocHistoryType implements Partial<SnapshotHistory> {
export class DocHistoryResolver {
constructor(
private readonly workspace: PgWorkspaceDocStorageAdapter,
private readonly permission: PermissionService
private readonly ac: AccessController
) {}
@ResolveField(() => [DocHistoryType])
@@ -76,12 +76,7 @@ export class DocHistoryResolver {
): Promise<Date> {
const docId = new DocID(guid, workspaceId);
await this.permission.checkPagePermission(
docId.workspace,
docId.guid,
'Doc.Update',
user.id
);
await this.ac.user(user.id).doc(docId).assert('Doc.Update');
await this.workspace.rollbackDoc(
docId.workspace,

46
packages/backend/server/src/core/workspaces/resolvers/service.ts
View File

@@ -1,17 +1,17 @@
import { Injectable, Logger } from '@nestjs/common';
import { PrismaClient } from '@prisma/client';
import { getStreamAsBuffer } from 'get-stream';
import {
Cache,
MailService,
NotFound,
OnEvent,
URLHelper,
UserNotFound,
} from '../../../base';
import { Models } from '../../../models';
import { DocReader } from '../../doc';
import { PermissionService, WorkspaceRole } from '../../permission';
import { WorkspaceRole } from '../../permission';
import { WorkspaceBlobStorage } from '../../storage';
export const defaultWorkspaceAvatar =
@@ -32,8 +32,6 @@ export class WorkspaceService {
private readonly cache: Cache,
private readonly doc: DocReader,
private readonly mailer: MailService,
private readonly permission: PermissionService,
private readonly prisma: PrismaClient,
private readonly models: Models,
private readonly url: URLHelper
) {}
@@ -47,20 +45,16 @@ export class WorkspaceService {
return invite;
}
return await this.prisma.workspaceUserPermission
.findUniqueOrThrow({
where: {
id: inviteId,
},
select: {
workspaceId: true,
userId: true,
},
})
.then(r => ({
workspaceId: r.workspaceId,
inviteeUserId: r.userId,
}));
const workspaceUser = await this.models.workspaceUser.getById(inviteId);
if (!workspaceUser) {
throw new NotFound('Invitation not found');
}
return {
workspaceId: workspaceUser.workspaceId,
inviteeUserId: workspaceUser.userId,
};
}
async getWorkspaceInfo(workspaceId: string) {
@@ -115,7 +109,7 @@ export class WorkspaceService {
: null;
const inviter = inviterUserId
? await this.models.user.getPublicUser(inviterUserId)
: await this.permission.getWorkspaceOwner(workspaceId);
: await this.models.workspaceUser.getOwner(workspaceId);
if (!inviter || !invitee) {
this.logger.error(
@@ -138,7 +132,7 @@ export class WorkspaceService {
return;
}
const owner = await this.permission.getWorkspaceOwner(target.workspace.id);
const owner = await this.models.workspaceUser.getOwner(target.workspace.id);
await this.mailer.sendMemberInviteMail(target.email, {
workspace: target.workspace,
@@ -154,8 +148,8 @@ export class WorkspaceService {
async sendTeamWorkspaceUpgradedEmail(workspaceId: string) {
const workspace = await this.getWorkspaceInfo(workspaceId);
const owner = await this.permission.getWorkspaceOwner(workspaceId);
const admins = await this.permission.getWorkspaceAdmin(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
const admins = await this.models.workspaceUser.getAdmins(workspaceId);
await this.mailer.sendTeamWorkspaceUpgradedEmail(owner.email, {
workspace,
@@ -188,8 +182,8 @@ export class WorkspaceService {
}
const workspace = await this.getWorkspaceInfo(workspaceId);
const owner = await this.permission.getWorkspaceOwner(workspaceId);
const admin = await this.permission.getWorkspaceAdmin(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
const admin = await this.models.workspaceUser.getAdmins(workspaceId);
for (const user of [owner, ...admin]) {
await this.mailer.sendLinkInvitationReviewRequestMail(user.email, {
@@ -260,7 +254,7 @@ export class WorkspaceService {
workspaceId,
}: Events['workspace.members.leave']) {
const workspace = await this.getWorkspaceInfo(workspaceId);
const owner = await this.permission.getWorkspaceOwner(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
await this.mailer.sendMemberLeaveEmail(owner.email, {
workspace,
user,
@@ -271,7 +265,7 @@ export class WorkspaceService {
async onMemberRemoved({
userId,
workspaceId,
}: Events['workspace.members.requestDeclined']) {
}: Events['workspace.members.removed']) {
const user = await this.models.user.get(userId);
if (!user) return;

208
packages/backend/server/src/core/workspaces/resolvers/team.ts
View File

@@ -6,7 +6,7 @@ import {
ResolveField,
Resolver,
} from '@nestjs/graphql';
import { PrismaClient, WorkspaceMemberStatus } from '@prisma/client';
import { WorkspaceMemberStatus } from '@prisma/client';
import { nanoid } from 'nanoid';
import {
@@ -17,11 +17,10 @@ import {
RequestMutex,
TooManyRequest,
URLHelper,
UserFriendlyError,
} from '../../../base';
import { Models } from '../../../models';
import { CurrentUser } from '../../auth';
import { PermissionService, WorkspaceRole } from '../../permission';
import { AccessController, WorkspaceRole } from '../../permission';
import { QuotaService } from '../../quota';
import {
InviteLink,
@@ -44,8 +43,7 @@ export class TeamWorkspaceResolver {
private readonly cache: Cache,
private readonly event: EventBus,
private readonly url: URLHelper,
private readonly prisma: PrismaClient,
private readonly permissions: PermissionService,
private readonly ac: AccessController,
private readonly models: Models,
private readonly quota: QuotaService,
private readonly mutex: RequestMutex,
@@ -68,21 +66,20 @@ export class TeamWorkspaceResolver {
@Args({ name: 'emails', type: () => [String] }) emails: string[],
@Args('sendInviteMail', { nullable: true }) sendInviteMail: boolean
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
if (emails.length > 512) {
return new TooManyRequest();
throw new TooManyRequest();
}
// lock to prevent concurrent invite
const lockFlag = `invite:${workspaceId}`;
await using lock = await this.mutex.acquire(lockFlag);
if (!lock) {
return new TooManyRequest();
throw new TooManyRequest();
}
const quota = await this.quota.getWorkspaceSeatQuota(workspaceId);
@@ -93,13 +90,10 @@ export class TeamWorkspaceResolver {
try {
let target = await this.models.user.getUserByEmail(email);
if (target) {
const originRecord =
await this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId,
userId: target.id,
},
});
const originRecord = await this.models.workspaceUser.get(
workspaceId,
target.id
);
// only invite if the user is not already in the workspace
if (originRecord) continue;
} else {
@@ -110,7 +104,7 @@ export class TeamWorkspaceResolver {
}
const needMoreSeat = quota.memberCount + idx + 1 > quota.memberLimit;
ret.inviteId = await this.permissions.grant(
const role = await this.models.workspaceUser.set(
workspaceId,
target.id,
WorkspaceRole.Collaborator,
@@ -118,6 +112,7 @@ export class TeamWorkspaceResolver {
? WorkspaceMemberStatus.NeedMoreSeat
: WorkspaceMemberStatus.Pending
);
ret.inviteId = role.id;
// NOTE: we always send email even seat not enough
// because at this moment we cannot know whether the seat increase charge was successful
// after user click the invite link, we can check again and reject if charge failed
@@ -156,11 +151,10 @@ export class TeamWorkspaceResolver {
@Parent() workspace: WorkspaceType,
@CurrentUser() user: CurrentUser
) {
await this.permissions.checkWorkspace(
workspace.id,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspace.id)
.assert('Workspace.Users.Manage');
const cacheId = `workspace:inviteLink:${workspace.id}`;
const id = await this.cache.get<{ inviteId: string }>(cacheId);
@@ -183,11 +177,11 @@ export class TeamWorkspaceResolver {
@Args('expireTime', { type: () => WorkspaceInviteLinkExpireTime })
expireTime: WorkspaceInviteLinkExpireTime
): Promise<InviteLink> {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
const cacheWorkspaceId = `workspace:inviteLink:${workspaceId}`;
const invite = await this.cache.get<{ inviteId: string }>(cacheWorkspaceId);
if (typeof invite?.inviteId === 'string') {
@@ -219,134 +213,80 @@ export class TeamWorkspaceResolver {
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
const cacheId = `workspace:inviteLink:${workspaceId}`;
return await this.cache.delete(cacheId);
}
@Mutation(() => String)
@Mutation(() => Boolean)
async approveMember(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string,
@Args('userId') userId: string
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
try {
// lock to prevent concurrent invite and grant
const lockFlag = `invite:${workspaceId}`;
await using lock = await this.mutex.acquire(lockFlag);
if (!lock) {
return new TooManyRequest();
const role = await this.models.workspaceUser.get(workspaceId, userId);
if (role) {
if (role.status === WorkspaceMemberStatus.UnderReview) {
const result = await this.models.workspaceUser.setStatus(
workspaceId,
userId,
WorkspaceMemberStatus.Accepted
);
this.event.emit('workspace.members.requestApproved', {
inviteId: result.id,
});
}
const status = await this.permissions.getWorkspaceMemberStatus(
workspaceId,
userId
);
if (status) {
if (status === WorkspaceMemberStatus.UnderReview) {
const result = await this.permissions.grant(
workspaceId,
userId,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.Accepted
);
if (result) {
this.event.emit('workspace.members.requestApproved', {
inviteId: result,
});
}
return result;
}
return new TooManyRequest();
} else {
return new MemberNotFoundInSpace({ spaceId: workspaceId });
}
} catch (e) {
this.logger.error('failed to invite user', e);
return new TooManyRequest();
return true;
} else {
throw new MemberNotFoundInSpace({ spaceId: workspaceId });
}
}
@Mutation(() => String)
@Mutation(() => Boolean)
async grantMember(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string,
@Args('userId') userId: string,
@Args('permission', { type: () => WorkspaceRole }) permission: WorkspaceRole
@Args('permission', { type: () => WorkspaceRole }) newRole: WorkspaceRole
) {
// non-team workspace can only transfer ownership, but no detailed permission control
if (permission !== WorkspaceRole.Owner) {
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert(
newRole === WorkspaceRole.Owner
? 'Workspace.TransferOwner'
: 'Workspace.Users.Manage'
);
const role = await this.models.workspaceUser.get(workspaceId, userId);
if (!role) {
throw new MemberNotFoundInSpace({ spaceId: workspaceId });
}
if (newRole === WorkspaceRole.Owner) {
await this.models.workspaceUser.setOwner(workspaceId, userId);
} else {
// non-team workspace can only transfer ownership, but no detailed permission control
const isTeam = await this.workspaceService.isTeamWorkspace(workspaceId);
if (!isTeam) {
throw new ActionForbiddenOnNonTeamWorkspace();
}
await this.models.workspaceUser.set(workspaceId, userId, newRole);
}
await this.permissions.checkWorkspace(
workspaceId,
user.id,
permission >= WorkspaceRole.Admin
? WorkspaceRole.Owner
: WorkspaceRole.Admin
);
try {
// lock to prevent concurrent invite and grant
const lockFlag = `invite:${workspaceId}`;
await using lock = await this.mutex.acquire(lockFlag);
if (!lock) {
return new TooManyRequest();
}
const isMember = await this.permissions.isWorkspaceMember(
workspaceId,
userId
);
if (isMember) {
const result = await this.permissions.grant(
workspaceId,
userId,
permission
);
if (result) {
if (permission === WorkspaceRole.Owner) {
this.event.emit('workspace.members.ownershipTransferred', {
workspaceId,
from: user.id,
to: userId,
});
} else {
this.event.emit('workspace.members.roleChanged', {
userId,
workspaceId,
permission,
});
}
}
return result;
} else {
return new MemberNotFoundInSpace({ spaceId: workspaceId });
}
} catch (e) {
this.logger.error('failed to invite user', e);
// pass through user friendly error
if (e instanceof UserFriendlyError) {
return e;
}
return new TooManyRequest();
}
return true;
}
}

422
packages/backend/server/src/core/workspaces/resolvers/workspace.ts
View File

@@ -9,7 +9,7 @@ import {
ResolveField,
Resolver,
} from '@nestjs/graphql';
import { Prisma, PrismaClient, WorkspaceMemberStatus } from '@prisma/client';
import { WorkspaceMemberStatus } from '@prisma/client';
import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
import type { FileUpload } from '../../../base';
@@ -17,10 +17,13 @@ import {
AFFiNELogger,
AlreadyInSpace,
Cache,
CanNotRevokeYourself,
DocNotFound,
EventBus,
InternalServerError,
MemberNotFoundInSpace,
MemberQuotaExceeded,
OwnerCanNotLeaveWorkspace,
QueryTooLong,
registerObjectType,
RequestMutex,
@@ -33,10 +36,9 @@ import {
} from '../../../base';
import { Models } from '../../../models';
import { CurrentUser, Public } from '../../auth';
import { type Editor, PgWorkspaceDocStorageAdapter } from '../../doc';
import { type Editor } from '../../doc';
import {
mapWorkspaceRoleToPermissions,
PermissionService,
AccessController,
WORKSPACE_ACTIONS,
WorkspaceAction,
WorkspaceRole,
@@ -56,7 +58,7 @@ export type DotToUnderline<T extends string> =
? `${Prefix}_${DotToUnderline<Suffix>}`
: T;
export function mapPermissionToGraphqlPermissions<A extends string>(
export function mapPermissionsToGraphqlPermissions<A extends string>(
permission: Record<A, boolean>
): Record<DotToUnderline<A>, boolean> {
return Object.fromEntries(
@@ -126,14 +128,12 @@ export class WorkspaceRolePermissions {
export class WorkspaceResolver {
constructor(
private readonly cache: Cache,
private readonly prisma: PrismaClient,
private readonly permissions: PermissionService,
private readonly ac: AccessController,
private readonly quota: QuotaService,
private readonly models: Models,
private readonly event: EventBus,
private readonly mutex: RequestMutex,
private readonly workspaceService: WorkspaceService,
private readonly workspaceStorage: PgWorkspaceDocStorageAdapter,
private readonly logger: AFFiNELogger
) {
logger.setContext(WorkspaceResolver.name);
@@ -152,13 +152,27 @@ export class WorkspaceResolver {
return workspace.role;
}
const role = await this.permissions.get(workspace.id, user.id);
const { role } = await this.ac
.user(user.id)
.workspace(workspace.id)
.permissions();
if (!role) {
throw new SpaceAccessDenied({ spaceId: workspace.id });
}
return role ?? WorkspaceRole.External;
}
return role;
@ResolveField(() => WorkspacePermissions, {
description: 'map of action permissions',
})
async permissions(
@CurrentUser() user: CurrentUser,
@Parent() workspace: WorkspaceType
) {
const { permissions } = await this.ac
.user(user.id)
.workspace(workspace.id)
.permissions();
return mapPermissionsToGraphqlPermissions(permissions);
}
@ResolveField(() => Int, {
@@ -166,7 +180,7 @@ export class WorkspaceResolver {
complexity: 2,
})
memberCount(@Parent() workspace: WorkspaceType) {
return this.permissions.getWorkspaceMemberCount(workspace.id);
return this.models.workspaceUser.count(workspace.id);
}
@ResolveField(() => Boolean, {
@@ -174,14 +188,7 @@ export class WorkspaceResolver {
complexity: 2,
})
async initialized(@Parent() workspace: WorkspaceType) {
return this.prisma.snapshot
.count({
where: {
id: workspace.id,
workspaceId: workspace.id,
},
})
.then(count => count > 0);
return this.models.doc.exists(workspace.id, workspace.id);
}
@ResolveField(() => UserType, {
@@ -189,7 +196,7 @@ export class WorkspaceResolver {
complexity: 2,
})
async owner(@Parent() workspace: WorkspaceType) {
return this.permissions.getWorkspaceOwner(workspace.id);
return this.models.workspaceUser.getOwner(workspace.id);
}
@ResolveField(() => [InviteUserType], {
@@ -197,44 +204,48 @@ export class WorkspaceResolver {
complexity: 2,
})
async members(
@CurrentUser() user: CurrentUser,
@Parent() workspace: WorkspaceType,
@Args('skip', { type: () => Int, nullable: true }) skip?: number,
@Args('take', { type: () => Int, nullable: true }) take?: number,
@Args('query', { type: () => String, nullable: true }) query?: string
) {
const args: Prisma.WorkspaceUserPermissionFindManyArgs = {
where: { workspaceId: workspace.id },
skip,
take: take || 8,
orderBy: [{ createdAt: 'asc' }, { type: 'desc' }],
};
await this.ac
.user(user.id)
.workspace(workspace.id)
.assert('Workspace.Users.Read');
if (query) {
if (query.length > 255) {
throw new QueryTooLong({ max: 255 });
}
// @ts-expect-error not null
args.where.user = {
// TODO(@forehalo): case-insensitive search later
OR: [{ name: { contains: query } }, { email: { contains: query } }],
};
const list = await this.models.workspaceUser.search(workspace.id, query, {
offset: skip ?? 0,
first: take ?? 8,
});
return list.map(({ id, accepted, status, type, user }) => ({
...user,
permission: type,
inviteId: id,
accepted,
status,
}));
} else {
const [list] = await this.models.workspaceUser.paginate(workspace.id, {
offset: skip ?? 0,
first: take ?? 8,
});
return list.map(({ id, accepted, status, type, user }) => ({
...user,
permission: type,
inviteId: id,
accepted,
status,
}));
}
const data = await this.prisma.workspaceUserPermission.findMany({
...args,
include: {
user: true,
},
});
return data.map(({ id, accepted, status, type, user }) => ({
...user,
permission: type,
inviteId: id,
accepted,
status,
}));
}
@ResolveField(() => WorkspacePageMeta, {
@@ -245,15 +256,7 @@ export class WorkspaceResolver {
@Parent() workspace: WorkspaceType,
@Args('pageId') pageId: string
) {
const metadata = await this.prisma.snapshot.findFirst({
where: { workspaceId: workspace.id, id: pageId },
select: {
createdAt: true,
updatedAt: true,
createdByUser: { select: { name: true, avatarUrl: true } },
updatedByUser: { select: { name: true, avatarUrl: true } },
},
});
const metadata = await this.models.doc.getMeta(workspace.id, pageId);
if (!metadata) {
throw new DocNotFound({ spaceId: workspace.id, docId: pageId });
}
@@ -284,29 +287,35 @@ export class WorkspaceResolver {
@Query(() => Boolean, {
description: 'Get is owner of workspace',
complexity: 2,
deprecationReason: 'use WorkspaceType[role] instead',
})
async isOwner(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string
) {
const data = await this.permissions.tryGetWorkspaceOwner(workspaceId);
const role = await this.models.workspaceUser.getActive(
workspaceId,
user.id
);
return data?.user?.id === user.id;
return role?.type === WorkspaceRole.Owner;
}
@Query(() => Boolean, {
description: 'Get is admin of workspace',
complexity: 2,
deprecationReason: 'use WorkspaceType[role] instead',
})
async isAdmin(
@CurrentUser() user: CurrentUser,
@Args('workspaceId') workspaceId: string
) {
return this.permissions.tryCheckWorkspaceIs(
const role = await this.models.workspaceUser.getActive(
workspaceId,
user.id,
WorkspaceRole.Admin
user.id
);
return role?.type === WorkspaceRole.Admin;
}
@Query(() => [WorkspaceType], {
@@ -314,38 +323,30 @@ export class WorkspaceResolver {
complexity: 2,
})
async workspaces(@CurrentUser() user: CurrentUser) {
const data = await this.prisma.workspaceUserPermission.findMany({
where: {
userId: user.id,
OR: [
{
accepted: true,
},
{
status: WorkspaceMemberStatus.Accepted,
},
],
},
include: {
workspace: true,
},
});
const roles = await this.models.workspaceUser.getUserActiveRoles(user.id);
return data.map(({ workspace, type }) => {
return {
...workspace,
permission: type,
role: type,
};
});
const map = new Map(
roles.map(({ workspaceId, type }) => [workspaceId, type])
);
const workspaces = await this.models.workspace.findMany(
roles.map(({ workspaceId }) => workspaceId)
);
return workspaces.map(workspace => ({
...workspace,
permission: map.get(workspace.id),
role: map.get(workspace.id),
}));
}
@Query(() => WorkspaceType, {
description: 'Get workspace by id',
})
async workspace(@CurrentUser() user: CurrentUser, @Args('id') id: string) {
await this.permissions.checkWorkspace(id, user.id);
const workspace = await this.prisma.workspace.findUnique({ where: { id } });
await this.ac.user(user.id).workspace(id).assert('Workspace.Read');
const workspace = await this.models.workspace.get(id);
if (!workspace) {
throw new SpaceNotFound({ spaceId: id });
@@ -356,22 +357,24 @@ export class WorkspaceResolver {
@Query(() => WorkspaceRolePermissions, {
description: 'Get workspace role permissions',
deprecationReason: 'use WorkspaceType[permissions] instead',
})
async workspaceRolePermissions(
@CurrentUser() user: CurrentUser,
@Args('id') id: string
): Promise<WorkspaceRolePermissions> {
const workspace = await this.prisma.workspaceUserPermission.findFirst({
where: { workspaceId: id, userId: user.id },
});
if (!workspace) {
const { role, permissions } = await this.ac
.user(user.id)
.workspace(id)
.permissions();
if (!role) {
throw new SpaceAccessDenied({ spaceId: id });
}
return {
role: workspace.type,
permissions: mapPermissionToGraphqlPermissions(
mapWorkspaceRoleToPermissions(workspace.type)
),
role,
permissions: mapPermissionsToGraphqlPermissions(permissions),
};
}
@@ -385,19 +388,7 @@ export class WorkspaceResolver {
@Args({ name: 'init', type: () => GraphQLUpload, nullable: true })
init: FileUpload | null
) {
const workspace = await this.prisma.workspace.create({
data: {
public: false,
permissions: {
create: {
type: WorkspaceRole.Owner,
userId: user.id,
accepted: true,
status: WorkspaceMemberStatus.Accepted,
},
},
},
});
const workspace = await this.models.workspace.create(user.id);
if (init) {
// convert stream to buffer
@@ -413,13 +404,12 @@ export class WorkspaceResolver {
const buffer = chunks.length ? Buffer.concat(chunks) : null;
if (buffer) {
await this.prisma.snapshot.create({
data: {
id: workspace.id,
workspaceId: workspace.id,
blob: buffer,
updatedAt: new Date(),
},
await this.models.doc.upsert({
spaceId: workspace.id,
docId: workspace.id,
blob: buffer,
timestamp: Date.now(),
editorId: user.id,
});
}
}
@@ -435,14 +425,11 @@ export class WorkspaceResolver {
@Args({ name: 'input', type: () => UpdateWorkspaceInput })
{ id, ...updates }: UpdateWorkspaceInput
) {
await this.permissions.checkWorkspace(id, user.id, WorkspaceRole.Admin);
return this.prisma.workspace.update({
where: {
id,
},
data: updates,
});
await this.ac
.user(user.id)
.workspace(id)
.assert('Workspace.Settings.Update');
return this.models.workspace.update(id, updates);
}
@Mutation(() => Boolean)
@@ -450,16 +437,9 @@ export class WorkspaceResolver {
@CurrentUser() user: CurrentUser,
@Args('id') id: string
) {
await this.permissions.checkWorkspace(id, user.id, WorkspaceRole.Owner);
await this.ac.user(user.id).workspace(id).assert('Workspace.Delete');
await this.prisma.workspace.delete({
where: {
id,
},
});
await this.workspaceStorage.deleteSpace(id);
this.event.emit('workspace.deleted', { id });
await this.models.workspace.delete(id);
return true;
}
@@ -477,11 +457,10 @@ export class WorkspaceResolver {
})
_permission?: WorkspaceRole
) {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
try {
// lock to prevent concurrent invite and grant
@@ -494,53 +473,40 @@ export class WorkspaceResolver {
// member limit check
await this.quota.checkSeat(workspaceId);
let target = await this.models.user.getUserByEmail(email);
if (target) {
const originRecord =
await this.prisma.workspaceUserPermission.findFirst({
where: {
workspaceId,
userId: target.id,
},
});
let user = await this.models.user.getUserByEmail(email);
if (user) {
const role = await this.models.workspaceUser.get(workspaceId, user.id);
// only invite if the user is not already in the workspace
if (originRecord) return originRecord.id;
if (role) return role.id;
} else {
target = await this.models.user.create({
user = await this.models.user.create({
email,
registered: false,
});
}
const inviteId = await this.permissions.grant(
const role = await this.models.workspaceUser.set(
workspaceId,
target.id,
user.id,
WorkspaceRole.Collaborator
);
if (sendInviteMail) {
try {
await this.workspaceService.sendInviteEmail(inviteId);
await this.workspaceService.sendInviteEmail(role.id);
} catch (e) {
const ret = await this.permissions.revokeWorkspace(
workspaceId,
target.id
await this.models.workspaceUser.delete(workspaceId, user.id);
this.logger.warn(
`failed to send ${workspaceId} invite email to ${email}, but successfully revoked permission: ${e}`
);
if (!ret) {
this.logger.fatal(
`failed to send ${workspaceId} invite email to ${email} and failed to revoke permission: ${inviteId}, ${e}`
);
} else {
this.logger.warn(
`failed to send ${workspaceId} invite email to ${email}, but successfully revoked permission: ${e}`
);
}
throw new InternalServerError(
'Failed to send invite email. Please try again.'
);
}
}
return inviteId;
return role.id;
} catch (e) {
// pass through user friendly error
if (e instanceof UserFriendlyError) {
@@ -563,7 +529,7 @@ export class WorkspaceResolver {
const { workspaceId, inviteeUserId } =
await this.workspaceService.getInviteInfo(inviteId);
const workspace = await this.workspaceService.getWorkspaceInfo(workspaceId);
const owner = await this.permissions.getWorkspaceOwner(workspaceId);
const owner = await this.models.workspaceUser.getOwner(workspaceId);
const inviteeId = inviteeUserId || user?.id;
if (!inviteeId) throw new UserNotFound();
@@ -578,28 +544,47 @@ export class WorkspaceResolver {
@Args('workspaceId') workspaceId: string,
@Args('userId') userId: string
) {
const isAdmin = await this.permissions.tryCheckWorkspaceIs(
workspaceId,
userId,
WorkspaceRole.Admin
);
if (isAdmin) {
// only owner can revoke workspace admin
await this.permissions.checkWorkspaceIs(
workspaceId,
user.id,
WorkspaceRole.Owner
);
} else {
await this.permissions.checkWorkspace(
workspaceId,
user.id,
WorkspaceRole.Admin
);
if (userId === user.id) {
throw new CanNotRevokeYourself();
}
return await this.permissions.revokeWorkspace(workspaceId, userId);
const role = await this.models.workspaceUser.get(workspaceId, userId);
if (!role) {
throw new MemberNotFoundInSpace({ spaceId: workspaceId });
}
await this.ac
.user(user.id)
.workspace(workspaceId)
.assert(
role.type === WorkspaceRole.Admin
? 'Workspace.Adminitrators.Manage'
: 'Workspace.Users.Manage'
);
await this.models.workspaceUser.delete(workspaceId, userId);
const count = await this.models.workspaceUser.count(workspaceId);
this.event.emit('workspace.members.updated', {
workspaceId,
count,
});
if (role.status === WorkspaceMemberStatus.UnderReview) {
this.event.emit('workspace.members.requestDeclined', {
userId,
workspaceId,
});
} else {
this.event.emit('workspace.members.removed', {
userId,
workspaceId,
});
}
return true;
}
@Mutation(() => Boolean)
@@ -617,11 +602,12 @@ export class WorkspaceResolver {
}
if (user) {
const status = await this.permissions.getWorkspaceMemberStatus(
const role = await this.models.workspaceUser.getActive(
workspaceId,
user.id
);
if (status === WorkspaceMemberStatus.Accepted) {
if (role) {
throw new AlreadyInSpace({ spaceId: workspaceId });
}
@@ -630,42 +616,39 @@ export class WorkspaceResolver {
`workspace:inviteLink:${workspaceId}`
);
if (invite?.inviteId === inviteId) {
const isTeam = await this.workspaceService.isTeamWorkspace(workspaceId);
const seatAvailable = await this.quota.tryCheckSeat(workspaceId);
if (!seatAvailable) {
if (seatAvailable) {
const invite = await this.models.workspaceUser.set(
workspaceId,
user.id,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.UnderReview
);
this.event.emit('workspace.members.reviewRequested', {
inviteId: invite.id,
});
return true;
} else {
const isTeam =
await this.workspaceService.isTeamWorkspace(workspaceId);
// only team workspace allow over limit
if (isTeam) {
await this.permissions.grant(
await this.models.workspaceUser.set(
workspaceId,
user.id,
WorkspaceRole.Collaborator,
WorkspaceMemberStatus.NeedMoreSeatAndReview
);
const memberCount =
await this.permissions.getWorkspaceMemberCount(workspaceId);
await this.models.workspaceUser.count(workspaceId);
this.event.emit('workspace.members.updated', {
workspaceId,
count: memberCount,
});
return true;
} else if (!status) {
} else {
throw new MemberQuotaExceeded();
}
} else {
const inviteId = await this.permissions.grant(workspaceId, user.id);
if (isTeam) {
this.event.emit('workspace.members.reviewRequested', {
inviteId,
});
}
// invite by link need admin to approve
return await this.permissions.acceptWorkspaceInvitation(
inviteId,
workspaceId,
isTeam
? WorkspaceMemberStatus.UnderReview
: WorkspaceMemberStatus.Accepted
);
}
}
}
@@ -675,10 +658,8 @@ export class WorkspaceResolver {
if (!success) throw new UserNotFound();
}
return await this.permissions.acceptWorkspaceInvitation(
inviteId,
workspaceId
);
await this.models.workspaceUser.accept(inviteId);
return true;
}
@Mutation(() => Boolean)
@@ -692,8 +673,19 @@ export class WorkspaceResolver {
})
_workspaceName?: string
) {
await this.permissions.checkWorkspace(workspaceId, user.id);
const success = this.permissions.revokeWorkspace(workspaceId, user.id);
const role = await this.models.workspaceUser.getActive(
workspaceId,
user.id
);
if (!role) {
throw new SpaceAccessDenied({ spaceId: workspaceId });
}
if (role.type === WorkspaceRole.Owner) {
throw new OwnerCanNotLeaveWorkspace();
}
await this.models.workspaceUser.delete(workspaceId, user.id);
if (sendLeaveMail) {
this.event.emit('workspace.members.leave', {
@@ -705,6 +697,6 @@ export class WorkspaceResolver {
});
}
return success;
return true;
}
}