outline/server/api/shares.js

// @flow
import Router from 'koa-router';
import Sequelize from 'sequelize';
import auth from '../middlewares/authentication';
import pagination from './middlewares/pagination';
import { presentShare } from '../presenters';
import { Document, User, Event, Share, Team } from '../models';
import policy from '../policies';

const Op = Sequelize.Op;
const { authorize } = policy;
const router = new Router();

router.post('shares.list', auth(), pagination(), async ctx => {
  let { sort = 'updatedAt', direction } = ctx.body;
  if (direction !== 'ASC') direction = 'DESC';

  const user = ctx.state.user;
  const where = {
    teamId: user.teamId,
    userId: user.id,
    revokedAt: { [Op.eq]: null },
  };

  if (user.isAdmin) {
    delete where.userId;
  }

  const collectionIds = await user.collectionIds();
  const shares = await Share.findAll({
    where,
    order: [[sort, direction]],
    include: [
      {
        model: Document,
        required: true,
        as: 'document',
        where: {
          collectionId: collectionIds,
        },
      },
      {
        model: User,
        required: true,
        as: 'user',
      },
    ],
    offset: ctx.state.pagination.offset,
    limit: ctx.state.pagination.limit,
  });

  ctx.body = {
    pagination: ctx.state.pagination,
    data: shares.map(presentShare),
  };
});

router.post('shares.create', auth(), async ctx => {
  const { documentId } = ctx.body;
  ctx.assertPresent(documentId, 'documentId is required');

  const user = ctx.state.user;
  const document = await Document.findByPk(documentId, { userId: user.id });
  const team = await Team.findByPk(user.teamId);
  authorize(user, 'share', document);
  authorize(user, 'share', team);

  const [share] = await Share.findOrCreate({
    where: {
      documentId,
      userId: user.id,
      teamId: user.teamId,
      revokedAt: null,
    },
  });

  await Event.create({
    name: 'shares.create',
    documentId,
    collectionId: document.collectionId,
    modelId: share.id,
    teamId: user.teamId,
    actorId: user.id,
    data: { name: document.title },
    ip: ctx.request.ip,
  });

  share.user = user;
  share.document = document;

  ctx.body = {
    data: presentShare(share),
  };
});

router.post('shares.revoke', auth(), async ctx => {
  const { id } = ctx.body;
  ctx.assertUuid(id, 'id is required');

  const user = ctx.state.user;
  const share = await Share.findByPk(id);
  authorize(user, 'revoke', share);

  await share.revoke(user.id);

  const document = await Document.findByPk(share.documentId);

  await Event.create({
    name: 'shares.revoke',
    documentId: document.id,
    collectionId: document.collectionId,
    modelId: share.id,
    teamId: user.teamId,
    actorId: user.id,
    data: { name: document.title },
    ip: ctx.request.ip,
  });

  ctx.body = {
    success: true,
  };
});

export default router;