coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Revoked share links (#664)

Browse Source 
* Move to revokation API for share links

* Respect revoked share links
Add documentation for shares endpoints

* 💚
This commit is contained in:
Tom Moor
2018-06-16 12:36:25 -07:00
committed by GitHub
parent fad5976dd2
commit ae502c10c9
10 changed files with 190 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/stores/SharesStore.js
View File

@ -38,7 +38,7 @@ class SharesStore {
@action @action
revoke = async (share: Share) => { revoke = async (share: Share) => {
try { try {
await client.post('/shares.delete', { id: share.id }); await client.post('/shares.revoke', { id: share.id });
runInAction('revoke', () => { runInAction('revoke', () => {
this.data.delete(share.id); this.data.delete(share.id);
}); });

9
server/api/__snapshots__/shares.test.js.snap
View File

@ -17,3 +17,12 @@ Object {
"status": 401, "status": 401,
} }
`; `;
exports[`#shares.revoke should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;

7
server/api/documents.js
View File

@ -165,7 +165,12 @@ router.post('documents.info', auth({ required: false }), async ctx => {
let document; let document;
if (shareId) { if (shareId) {
const share = await Share.findById(shareId, { const share = await Share.find({
where: {
// $FlowFixMe
revokedAt: { [Op.eq]: null },
id: shareId,
},
include: [ include: [
{ {
model: Document, model: Document,

16
server/api/documents.test.js
View File

@ -36,7 +36,7 @@ describe('#documents.info', async () => {
expect(body.data.id).toEqual(document.id); expect(body.data.id).toEqual(document.id);
}); });
it('should return redacted documents from shareId without token', async () => { it('should return redacted document from shareId without token', async () => {
const { document } = await seed(); const { document } = await seed();
const share = await buildShare({ const share = await buildShare({
documentId: document.id, documentId: document.id,
@ -55,6 +55,20 @@ describe('#documents.info', async () => {
expect(body.data.updatedBy).toEqual(undefined); expect(body.data.updatedBy).toEqual(undefined);
}); });
it('should not return document from revoked shareId', async () => {
const { document, user } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
});
await share.revoke(user.id);
const res = await server.post('/api/documents.info', {
body: { shareId: share.id },
});
expect(res.status).toEqual(400);
});
it('should return documents from shareId with token', async () => { it('should return documents from shareId with token', async () => {
const { user, document, collection } = await seed(); const { user, document, collection } = await seed();
const share = await buildShare({ const share = await buildShare({

15
server/api/shares.js
View File

@ -1,11 +1,13 @@
// @flow // @flow
import Router from 'koa-router'; import Router from 'koa-router';
import Sequelize from 'sequelize';
import auth from '../middlewares/authentication'; import auth from '../middlewares/authentication';
import pagination from './middlewares/pagination'; import pagination from './middlewares/pagination';
import { presentShare } from '../presenters'; import { presentShare } from '../presenters';
import { Document, User, Share } from '../models'; import { Document, User, Share } from '../models';
import policy from '../policies'; import policy from '../policies';
const Op = Sequelize.Op;
const { authorize } = policy; const { authorize } = policy;
const router = new Router(); const router = new Router();
@ -14,7 +16,12 @@ router.post('shares.list', auth(), pagination(), async ctx => {
if (direction !== 'ASC') direction = 'DESC'; if (direction !== 'ASC') direction = 'DESC';
const user = ctx.state.user; const user = ctx.state.user;
const where = { teamId: user.teamId, userId: user.id }; const where = {
teamId: user.teamId,
userId: user.id,
// $FlowFixMe
revokedAt: { [Op.eq]: null },
};
if (user.isAdmin) delete where.userId; if (user.isAdmin) delete where.userId;
@ -68,15 +75,15 @@ router.post('shares.create', auth(), async ctx => {
}; };
}); });
router.post('shares.delete', auth(), async ctx => { router.post('shares.revoke', auth(), async ctx => {
const { id } = ctx.body; const { id } = ctx.body;
ctx.assertPresent(id, 'id is required'); ctx.assertPresent(id, 'id is required');
const user = ctx.state.user; const user = ctx.state.user;
const share = await Share.findById(id); const share = await Share.findById(id);
authorize(user, 'delete', share); authorize(user, 'revoke', share);
await share.destroy(); await share.revoke(user.id);
ctx.body = { ctx.body = {
success: true, success: true,

73
server/api/shares.test.js
View File

@ -32,6 +32,24 @@ describe('#shares.list', async () => {
expect(body.data[0].documentTitle).toBe(document.title); expect(body.data[0].documentTitle).toBe(document.title);
}); });
it('should not return revoked shares', async () => {
const { user, document } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
await share.revoke(user.id);
const res = await server.post('/api/shares.list', {
body: { token: user.getJwtToken() },
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it('admins should only return shares created by all users', async () => { it('admins should only return shares created by all users', async () => {
const { admin, document } = await seed(); const { admin, document } = await seed();
const share = await buildShare({ const share = await buildShare({
@ -106,3 +124,58 @@ describe('#shares.create', async () => {
expect(res.status).toEqual(403); expect(res.status).toEqual(403);
}); });
}); });
describe('#shares.revoke', async () => {
it('should allow author to revoke a share', async () => {
const { user, document } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post('/api/shares.revoke', {
body: { token: user.getJwtToken(), id: share.id },
});
expect(res.status).toEqual(200);
});
it('should allow admin to revoke a share', async () => {
const { user, admin, document } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post('/api/shares.revoke', {
body: { token: admin.getJwtToken(), id: share.id },
});
expect(res.status).toEqual(200);
});
it('should require authentication', async () => {
const { user, document } = await seed();
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post('/api/shares.revoke', {
body: { id: share.id },
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require authorization', async () => {
const { document } = await seed();
const user = await buildUser();
const res = await server.post('/api/shares.create', {
body: { token: user.getJwtToken(), documentId: document.id },
});
expect(res.status).toEqual(403);
});
});

19
server/migrations/20180604191743-revoke-share-links.js Normal file
View File

@ -0,0 +1,19 @@
module.exports = {
up: async (queryInterface, Sequelize) => {
await queryInterface.addColumn('shares', 'revokedAt', {
type: Sequelize.DATE,
allowNull: true
});
await queryInterface.addColumn('shares', 'revokedById', {
type: Sequelize.UUID,
allowNull: true,
references: {
model: 'users',
},
});
},
down: async (queryInterface, Sequelize) => {
await queryInterface.removeColumn('shares', 'revokedAt');
await queryInterface.removeColumn('shares', 'revokedById');
}
}

22
server/models/Share.js
View File

@ -1,13 +1,25 @@
// @flow // @flow
import { DataTypes, sequelize } from '../sequelize'; import { DataTypes, sequelize } from '../sequelize';
const Share = sequelize.define('share', { const Share = sequelize.define(
'share',
{
id: { id: {
type: DataTypes.UUID, type: DataTypes.UUID,
defaultValue: DataTypes.UUIDV4, defaultValue: DataTypes.UUIDV4,
primaryKey: true, primaryKey: true,
}, },
}); revokedAt: DataTypes.DATE,
revokedById: DataTypes.UUID,
},
{
getterMethods: {
isRevoked() {
return !!this.revokedAt;
},
},
}
);
Share.associate = models => { Share.associate = models => {
Share.belongsTo(models.User, { Share.belongsTo(models.User, {
@ -24,4 +36,10 @@ Share.associate = models => {
}); });
}; };
Share.prototype.revoke = function(userId) {
this.revokedAt = new Date();
this.revokedById = userId;
return this.save();
};
export default Share; export default Share;

37
server/pages/Api.js
View File

@ -327,7 +327,7 @@ export default function Pricing() {
<Description> <Description>
<p> <p>
This method returns information for a document with a specific This method returns information for a document with a specific
ID. Following identifiers are allowed: ID. The following identifiers are allowed:
</p> </p>
<ul> <ul>
<li> <li>
@ -340,11 +340,8 @@ export default function Pricing() {
</ul> </ul>
</Description> </Description>
<Arguments> <Arguments>
<Argument <Argument id="id" description="Document ID or URI identifier" />
id="id" <Argument id="shareId" description="An active shareId" />
description="Document ID or URI identifier"
required
/>
</Arguments> </Arguments>
</Method> </Method>
@ -597,6 +594,34 @@ export default function Pricing() {
</Description> </Description>
<Arguments pagination /> <Arguments pagination />
</Method> </Method>
<Method method="shares.list" label="List shared document links">
<Description>
List all your currently shared document links.
</Description>
<Arguments pagination />
</Method>
<Method method="shares.create" label="Create a share link">
<Description>
Creates a new share link that can be used by anyone to access a
document. If you request multiple shares for the same document
with the same user the same share will be returned.
</Description>
<Arguments>
<Argument id="documentId" description="Document ID" required />
</Arguments>
</Method>
<Method method="shares.revoke" label="Revoke a share link">
<Description>
Makes the share link inactive so that it can no longer be used to
access the document.
</Description>
<Arguments>
<Argument id="id" description="Share ID" required />
</Arguments>
</Method>
</Methods> </Methods>
</Container> </Container>
</Grid> </Grid>

2
server/policies/share.js
View File

@ -7,7 +7,7 @@ const { allow } = policy;
allow(User, ['read'], Share, (user, share) => user.teamId === share.teamId); allow(User, ['read'], Share, (user, share) => user.teamId === share.teamId);
allow(User, ['update'], Share, (user, share) => false); allow(User, ['update'], Share, (user, share) => false);
allow(User, ['delete'], Share, (user, share) => { allow(User, ['revoke'], Share, (user, share) => {
if (!share || user.teamId !== share.teamId) return false; if (!share || user.teamId !== share.teamId) return false;
if (user.id === share.userId) return true; if (user.id === share.userId) return true;
if (user.isAdmin) return true; if (user.isAdmin) return true;