Collection Permissions (#829)

see https://github.com/outline/outline/issues/668
2019-01-05 13:37:33 -08:00
parent 8978915423
commit 8c02b0028c
53 changed files with 1379 additions and 214 deletions
--- a/server/api/collections.js
+++ b/server/api/collections.js
@ -1,11 +1,10 @@
 // @flow
 import Router from 'koa-router';
-
 import auth from '../middlewares/authentication';
 import pagination from './middlewares/pagination';
-import { presentCollection } from '../presenters';
-import { Collection, Team } from '../models';
-import { ValidationError } from '../errors';
+import { presentCollection, presentUser } from '../presenters';
+import { Collection, CollectionUser, Team, User } from '../models';
+import { ValidationError, InvalidRequestError } from '../errors';
 import { exportCollection, exportCollections } from '../logistics';
 import policy from '../policies';

@ -14,6 +13,8 @@ const router = new Router();

 router.post('collections.create', auth(), async ctx => {
  const { name, color, description, type } = ctx.body;
+  const isPrivate = ctx.body.private;
+
  ctx.assertPresent(name, 'name is required');
  if (color)
    ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');
@ -28,6 +29,7 @@ router.post('collections.create', auth(), async ctx => {
    type: type || 'atlas',
    teamId: user.teamId,
    creatorId: user.id,
+    private: isPrivate,
  });

  ctx.body = {
@ -37,9 +39,9 @@ router.post('collections.create', auth(), async ctx => {

 router.post('collections.info', auth(), async ctx => {
  const { id } = ctx.body;
-  ctx.assertPresent(id, 'id is required');
+  ctx.assertUuid(id, 'id is required');

-  const collection = await Collection.scope('withRecentDocuments').findById(id);
+  const collection = await Collection.findById(id);
  authorize(ctx.state.user, 'read', collection);

  ctx.body = {
@ -47,9 +49,76 @@ router.post('collections.info', auth(), async ctx => {
  };
 });

+router.post('collections.add_user', auth(), async ctx => {
+  const { id, userId, permission = 'read_write' } = ctx.body;
+  ctx.assertUuid(id, 'id is required');
+  ctx.assertUuid(userId, 'userId is required');
+
+  const collection = await Collection.findById(id);
+  authorize(ctx.state.user, 'update', collection);
+
+  if (!collection.private) {
+    throw new InvalidRequestError('Collection must be private to add users');
+  }
+
+  const user = await User.findById(userId);
+  authorize(ctx.state.user, 'read', user);
+
+  await CollectionUser.create({
+    collectionId: id,
+    userId,
+    permission,
+    createdById: ctx.state.user.id,
+  });
+
+  ctx.body = {
+    success: true,
+  };
+});
+
+router.post('collections.remove_user', auth(), async ctx => {
+  const { id, userId } = ctx.body;
+  ctx.assertUuid(id, 'id is required');
+  ctx.assertUuid(userId, 'userId is required');
+
+  const collection = await Collection.findById(id);
+  authorize(ctx.state.user, 'update', collection);
+
+  if (!collection.private) {
+    throw new InvalidRequestError('Collection must be private to remove users');
+  }
+
+  const user = await User.findById(userId);
+  authorize(ctx.state.user, 'read', user);
+
+  await collection.removeUser(user);
+
+  ctx.body = {
+    success: true,
+  };
+});
+
+router.post('collections.users', auth(), async ctx => {
+  const { id } = ctx.body;
+  ctx.assertUuid(id, 'id is required');
+
+  const collection = await Collection.findById(id);
+  authorize(ctx.state.user, 'read', collection);
+
+  const users = await collection.getUsers();
+
+  const data = await Promise.all(
+    users.map(async user => await presentUser(ctx, user))
+  );
+
+  ctx.body = {
+    data,
+  };
+});
+
 router.post('collections.export', auth(), async ctx => {
  const { id } = ctx.body;
-  ctx.assertPresent(id, 'id is required');
+  ctx.assertUuid(id, 'id is required');

  const user = ctx.state.user;
  const collection = await Collection.findById(id);
@ -78,16 +147,33 @@ router.post('collections.exportAll', auth(), async ctx => {

 router.post('collections.update', auth(), async ctx => {
  const { id, name, description, color } = ctx.body;
+  const isPrivate = ctx.body.private;
+
  ctx.assertPresent(name, 'name is required');
  if (color)
    ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');

+  const user = ctx.state.user;
  const collection = await Collection.findById(id);
-  authorize(ctx.state.user, 'update', collection);
+  authorize(user, 'update', collection);
+
+  if (isPrivate && !collection.private) {
+    await CollectionUser.findOrCreate({
+      where: {
+        collectionId: collection.id,
+        userId: user.id,
+      },
+      defaults: {
+        permission: 'read_write',
+        createdById: user.id,
+      },
+    });
+  }

  collection.name = name;
  collection.description = description;
  collection.color = color;
+  collection.private = isPrivate;
  await collection.save();

  ctx.body = {
@ -97,9 +183,12 @@ router.post('collections.update', auth(), async ctx => {

 router.post('collections.list', auth(), pagination(), async ctx => {
  const user = ctx.state.user;
-  const collections = await Collection.findAll({
+
+  const collectionIds = await user.collectionIds();
+  let collections = await Collection.findAll({
    where: {
      teamId: user.teamId,
+      id: collectionIds,
    },
    order: [['updatedAt', 'DESC']],
    offset: ctx.state.pagination.offset,
@ -120,7 +209,7 @@ router.post('collections.list', auth(), pagination(), async ctx => {

 router.post('collections.delete', auth(), async ctx => {
  const { id } = ctx.body;
-  ctx.assertPresent(id, 'id is required');
+  ctx.assertUuid(id, 'id is required');

  const collection = await Collection.findById(id);
  authorize(ctx.state.user, 'delete', collection);