feat: Add groups and group permissions (#1204)
* WIP - got one API test to pass yay * adds group update endpoint * added group policies * adds groups.list API * adds groups.info * remove comment * WIP * tests for delete * adds group membership list * adds tests for groups list * add and remove user endpoints for group * ask some questions * fix up some issues around primary keys * remove export from group permissions Co-Authored-By: Tom Moor <tom.moor@gmail.com> * remove random file * only create events on actual updates, add tests to ensure * adds uniqueness validation to group name * throw validation errors on model and let it pass through the controller * fix linting * WIP * WIP * WIP * WIP * WIP basic edit and delete * basic CRUD for groups and memberships in place * got member counts working * add member count and limit the number of users sent over teh wire to 6 * factor avatar with AvatarWithPresence into its own class * wip * WIP avatars in group lists * WIP collection groups * add and remove group endpoints * wip add collection groups * wip get group adding to collections to work * wip get updating collection group memberships to work * wip get new group modal working * add tests for collection index * include collection groups in the withmemberships scope * tie permissions to group memberships * remove unused import * Update app/components/GroupListItem.js update title copy Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update server/migrations/20191211044318-create-groups.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update server/api/groups.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update server/api/groups.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/menus/CollectionMenu.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update server/models/Group.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * minor fixes * Update app/scenes/CollectionMembers/AddGroupsToCollection.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/menus/GroupMenu.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/menus/GroupMenu.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/menus/GroupMenu.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/Collection.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/CollectionMembers/CollectionMembers.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/GroupNew.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/GroupNew.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/Settings/Groups.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update server/api/documents.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * Update app/scenes/CollectionMembers/components/CollectionGroupMemberListItem.js Co-Authored-By: Tom Moor <tom.moor@gmail.com> * address comments * WIP - getting websocket stuff up and running * socket event for group deletion * wrapped up cascading deletes * lint * flow * fix: UI feedback * fix: Facepile size * fix: Lots of missing await's * Allow clicking facepile on group list item to open members * remove unused route push, grammar * fix: Remove bad analytics events feat: Add group events to audit log * collection. -> collections. * Add groups to entity websocket events (sync create/update/delete) between clients * fix: Users should not be able to see groups they are not a member of * fix: Not caching errors in UI when changing group memberships * fix: Hide unusable UI * test * fix: Tweak language * feat: Automatically open 'add member' modal after creating group Co-authored-by: Tom Moor <tom.moor@gmail.com>
This commit is contained in:
Nan Yu
GitHub
291
server/api/groups.js
Normal file
291
server/api/groups.js
Normal file
@ -0,0 +1,291 @@
|
||||
// @flow
|
||||
import Router from 'koa-router';
|
||||
import auth from '../middlewares/authentication';
|
||||
import pagination from './middlewares/pagination';
|
||||
import { Op } from '../sequelize';
|
||||
import { MAX_AVATAR_DISPLAY } from '../../shared/constants';
|
||||
|
||||
import {
|
||||
presentGroup,
|
||||
presentPolicies,
|
||||
presentUser,
|
||||
presentGroupMembership,
|
||||
} from '../presenters';
|
||||
import { User, Event, Group, GroupUser } from '../models';
|
||||
import policy from '../policies';
|
||||
|
||||
const { authorize } = policy;
|
||||
const router = new Router();
|
||||
|
||||
router.post('groups.list', auth(), pagination(), async ctx => {
|
||||
const user = ctx.state.user;
|
||||
|
||||
let groups = await Group.findAll({
|
||||
where: {
|
||||
teamId: user.teamId,
|
||||
},
|
||||
order: [['updatedAt', 'DESC']],
|
||||
offset: ctx.state.pagination.offset,
|
||||
limit: ctx.state.pagination.limit,
|
||||
});
|
||||
|
||||
if (!user.isAdmin) {
|
||||
groups = groups.filter(
|
||||
group => group.groupMemberships.filter(gm => gm.userId === user.id).length
|
||||
);
|
||||
}
|
||||
|
||||
ctx.body = {
|
||||
pagination: ctx.state.pagination,
|
||||
data: {
|
||||
groups: groups.map(presentGroup),
|
||||
groupMemberships: groups
|
||||
.map(g => g.groupMemberships.slice(0, MAX_AVATAR_DISPLAY))
|
||||
.flat()
|
||||
.map(presentGroupMembership),
|
||||
},
|
||||
policies: presentPolicies(user, groups),
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.info', auth(), async ctx => {
|
||||
const { id } = ctx.body;
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
|
||||
const user = ctx.state.user;
|
||||
const group = await Group.findByPk(id);
|
||||
authorize(user, 'read', group);
|
||||
|
||||
ctx.body = {
|
||||
data: presentGroup(group),
|
||||
policies: presentPolicies(user, [group]),
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.create', auth(), async ctx => {
|
||||
const { name } = ctx.body;
|
||||
ctx.assertPresent(name, 'name is required');
|
||||
|
||||
const user = ctx.state.user;
|
||||
|
||||
authorize(user, 'create', Group);
|
||||
let group = await Group.create({
|
||||
name,
|
||||
teamId: user.teamId,
|
||||
createdById: user.id,
|
||||
});
|
||||
|
||||
// reload to get default scope
|
||||
group = await Group.findByPk(group.id);
|
||||
|
||||
await Event.create({
|
||||
name: 'groups.create',
|
||||
actorId: user.id,
|
||||
teamId: user.teamId,
|
||||
modelId: group.id,
|
||||
data: { name: group.name },
|
||||
ip: ctx.request.ip,
|
||||
});
|
||||
|
||||
ctx.body = {
|
||||
data: presentGroup(group),
|
||||
policies: presentPolicies(user, [group]),
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.update', auth(), async ctx => {
|
||||
const { id, name } = ctx.body;
|
||||
ctx.assertPresent(name, 'name is required');
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
|
||||
const user = ctx.state.user;
|
||||
const group = await Group.findByPk(id);
|
||||
|
||||
authorize(user, 'update', group);
|
||||
|
||||
group.name = name;
|
||||
|
||||
if (group.changed()) {
|
||||
await group.save();
|
||||
await Event.create({
|
||||
name: 'groups.update',
|
||||
teamId: user.teamId,
|
||||
actorId: user.id,
|
||||
modelId: group.id,
|
||||
data: { name },
|
||||
ip: ctx.request.ip,
|
||||
});
|
||||
}
|
||||
|
||||
ctx.body = {
|
||||
data: presentGroup(group),
|
||||
policies: presentPolicies(user, [group]),
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.delete', auth(), async ctx => {
|
||||
const { id } = ctx.body;
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
|
||||
const { user } = ctx.state;
|
||||
const group = await Group.findByPk(id);
|
||||
|
||||
authorize(user, 'delete', group);
|
||||
await group.destroy();
|
||||
|
||||
await Event.create({
|
||||
name: 'groups.delete',
|
||||
actorId: user.id,
|
||||
modelId: group.id,
|
||||
teamId: group.teamId,
|
||||
data: { name: group.name },
|
||||
ip: ctx.request.ip,
|
||||
});
|
||||
|
||||
ctx.body = {
|
||||
success: true,
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.memberships', auth(), pagination(), async ctx => {
|
||||
const { id, query, permission } = ctx.body;
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
|
||||
const user = ctx.state.user;
|
||||
const group = await Group.findByPk(id);
|
||||
|
||||
authorize(user, 'read', group);
|
||||
|
||||
let where = {
|
||||
groupId: id,
|
||||
};
|
||||
|
||||
let userWhere;
|
||||
|
||||
if (query) {
|
||||
userWhere = {
|
||||
name: {
|
||||
[Op.iLike]: `%${query}%`,
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
if (permission) {
|
||||
where = {
|
||||
...where,
|
||||
permission,
|
||||
};
|
||||
}
|
||||
|
||||
const memberships = await GroupUser.findAll({
|
||||
where,
|
||||
order: [['createdAt', 'DESC']],
|
||||
offset: ctx.state.pagination.offset,
|
||||
limit: ctx.state.pagination.limit,
|
||||
include: [
|
||||
{
|
||||
model: User,
|
||||
as: 'user',
|
||||
where: userWhere,
|
||||
required: true,
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
ctx.body = {
|
||||
pagination: ctx.state.pagination,
|
||||
data: {
|
||||
groupMemberships: memberships.map(presentGroupMembership),
|
||||
users: memberships.map(membership => presentUser(membership.user)),
|
||||
},
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.add_user', auth(), async ctx => {
|
||||
const { id, userId } = ctx.body;
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
ctx.assertUuid(userId, 'userId is required');
|
||||
|
||||
const user = await User.findByPk(userId);
|
||||
authorize(ctx.state.user, 'read', user);
|
||||
|
||||
let group = await Group.findByPk(id);
|
||||
authorize(ctx.state.user, 'update', group);
|
||||
|
||||
let membership = await GroupUser.findOne({
|
||||
where: {
|
||||
groupId: id,
|
||||
userId,
|
||||
},
|
||||
});
|
||||
|
||||
if (!membership) {
|
||||
await group.addUser(user, {
|
||||
through: { createdById: ctx.state.user.id },
|
||||
});
|
||||
|
||||
// reload to get default scope
|
||||
membership = await GroupUser.findOne({
|
||||
where: {
|
||||
groupId: id,
|
||||
userId,
|
||||
},
|
||||
});
|
||||
|
||||
// reload to get default scope
|
||||
group = await Group.findByPk(id);
|
||||
|
||||
await Event.create({
|
||||
name: 'groups.add_user',
|
||||
userId,
|
||||
teamId: user.teamId,
|
||||
modelId: group.id,
|
||||
actorId: ctx.state.user.id,
|
||||
data: { name: user.name },
|
||||
ip: ctx.request.ip,
|
||||
});
|
||||
}
|
||||
|
||||
ctx.body = {
|
||||
data: {
|
||||
users: [presentUser(user)],
|
||||
groupMemberships: [presentGroupMembership(membership)],
|
||||
groups: [presentGroup(group)],
|
||||
},
|
||||
};
|
||||
});
|
||||
|
||||
router.post('groups.remove_user', auth(), async ctx => {
|
||||
const { id, userId } = ctx.body;
|
||||
ctx.assertUuid(id, 'id is required');
|
||||
ctx.assertUuid(userId, 'userId is required');
|
||||
|
||||
let group = await Group.findByPk(id);
|
||||
authorize(ctx.state.user, 'update', group);
|
||||
|
||||
const user = await User.findByPk(userId);
|
||||
authorize(ctx.state.user, 'read', user);
|
||||
|
||||
await group.removeUser(user);
|
||||
|
||||
await Event.create({
|
||||
name: 'groups.remove_user',
|
||||
userId,
|
||||
modelId: group.id,
|
||||
teamId: user.teamId,
|
||||
actorId: ctx.state.user.id,
|
||||
data: { name: user.name },
|
||||
ip: ctx.request.ip,
|
||||
});
|
||||
|
||||
// reload to get default scope
|
||||
group = await Group.findByPk(id);
|
||||
|
||||
ctx.body = {
|
||||
data: {
|
||||
groups: [presentGroup(group)],
|
||||
},
|
||||
};
|
||||
});
|
||||
|
||||
export default router;
|
||||
Reference in New Issue
Block a user