From 10a4cbb6bd4a7c7ca3236c28b828adbc12fd29d0 Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick <paulfitz@alum.mit.edu>
Date: Thu, 4 Nov 2021 12:25:42 -0400
Subject: [PATCH] (core) make document assignment endpoint available via
 /housekeeping api

Summary:
The /assign endpoint checks if a document is on the desired worker
and moves it if not. This is never done under regular operation, but
is useful when quarantining a misbehaving document.

The endpoint was failing to operate correctly if the requester did
not have access to the document. This diff makes the endpoint
accessible through a /housekeeping route, using the same pattern as
the /force-reload endpoint.

Test Plan: added test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D3109
---
 app/gen-server/lib/Housekeeper.ts | 10 ++++++++++
 app/server/lib/DocApi.ts          |  4 +---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/gen-server/lib/Housekeeper.ts b/app/gen-server/lib/Housekeeper.ts
index 0b735229..fb1aff93 100644
--- a/app/gen-server/lib/Housekeeper.ts
+++ b/app/gen-server/lib/Housekeeper.ts
@@ -161,6 +161,16 @@ export class Housekeeper {
         headers,
       });
     }));
+
+    // Move a document to its assigned worker.  Can be useful during administrative
+    // actions.
+    app.post('/api/housekeeping/docs/:docId/assign', this._withSupport(async (docId, headers) => {
+      const url = await this._server.getHomeUrlByDocId(docId, `/api/docs/${docId}/assign`);
+      return fetch(url, {
+        method: 'POST',
+        headers,
+      });
+    }));
   }
 
   /**
diff --git a/app/server/lib/DocApi.ts b/app/server/lib/DocApi.ts
index 7c5cc0c7..899df3ef 100644
--- a/app/server/lib/DocApi.ts
+++ b/app/server/lib/DocApi.ts
@@ -132,8 +132,6 @@ export class DocWorkerApi {
     const isOwner = expressWrap(this._assertAccess.bind(this, 'owners', false));
     // check user can edit document, with soft-deleted documents being acceptable
     const canEditMaybeRemoved = expressWrap(this._assertAccess.bind(this, 'editors', true));
-    // check document exists, don't check user access
-    const docExists = expressWrap(this._assertAccess.bind(this, null, false));
     // converts google code to access token and adds it to request object
     const decodeGoogleToken = expressWrap(googleAuthTokenMiddleware.bind(null));
 
@@ -581,7 +579,7 @@ export class DocWorkerApi {
     // and frees it for reassignment if not.  Has no effect if document is in the
     // expected group.  Does not require specific rights.  Returns true if the document
     // is freed up for reassignment, otherwise false.
-    this._app.post('/api/docs/:docId/assign', docExists, throttled(async (req, res) => {
+    this._app.post('/api/docs/:docId/assign', canEdit, throttled(async (req, res) => {
       const docId = getDocId(req);
       const status = await this._docWorkerMap.getDocWorker(docId);
       if (!status) { res.json(false); return; }