From b98bad0b939a147fe75d984bd5801ab72174afd6 Mon Sep 17 00:00:00 2001 From: Spoffy Date: Thu, 13 Jun 2024 19:36:05 +0100 Subject: [PATCH 01/19] (core) Makes EE frontend behave as core if EE isn't activated Summary: - Makes EE decide which ActivationPage to use - Makes ProductUpgrades use core implementation if not activated - Changes banners to proxy to core implementation if EE not activated - [Fix] Enables new site creation in EE as in Core: - Core enables people to freely create new team sites. - Enterprise currently redirects to the pricing page. - This enables enterprise to also create team sites, instead of redirecting. Test Plan: Manually test in EE, unit tests in Jenkins Reviewers: paulfitz, jordigh Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D4264 --- app/client/components/CoreBanners.ts | 10 ++++++++++ app/client/ui/AppUI.ts | 2 +- app/client/ui/CreateTeamModal.ts | 8 ++++---- app/client/ui/DefaultActivationPage.ts | 18 ++++++++++++++++++ stubs/app/client/components/Banners.ts | 10 +--------- stubs/app/client/ui/ActivationPage.ts | 15 +++++---------- 6 files changed, 39 insertions(+), 24 deletions(-) create mode 100644 app/client/components/CoreBanners.ts create mode 100644 app/client/ui/DefaultActivationPage.ts diff --git a/app/client/components/CoreBanners.ts b/app/client/components/CoreBanners.ts new file mode 100644 index 00000000..7df6398a --- /dev/null +++ b/app/client/components/CoreBanners.ts @@ -0,0 +1,10 @@ +import {AppModel} from 'app/client/models/AppModel'; +import {DocPageModel} from 'app/client/models/DocPageModel'; + +export function buildHomeBanners(_app: AppModel) { + return null; +} + +export function buildDocumentBanners(_docPageModel: DocPageModel) { + return null; +} diff --git a/app/client/ui/AppUI.ts b/app/client/ui/AppUI.ts index 10e7b840..23ff48d3 100644 --- a/app/client/ui/AppUI.ts +++ b/app/client/ui/AppUI.ts @@ -82,7 +82,7 @@ function createMainPage(appModel: AppModel, appObj: App) { } else if (pageType === 'admin') { return domAsync(loadAdminPanel().then(m => dom.create(m.AdminPanel, appModel))); } else if (pageType === 'activation') { - return domAsync(loadActivationPage().then(ap => dom.create(ap.ActivationPage, appModel))); + return domAsync(loadActivationPage().then(ap => dom.create(ap.getActivationPage(), appModel))); } else { return dom.create(pagePanelsDoc, appModel, appObj); } diff --git a/app/client/ui/CreateTeamModal.ts b/app/client/ui/CreateTeamModal.ts index 438fc31c..4c633e98 100644 --- a/app/client/ui/CreateTeamModal.ts +++ b/app/client/ui/CreateTeamModal.ts @@ -24,10 +24,10 @@ export async function buildNewSiteModal(context: Disposable, options: { appModel: AppModel, plan?: PlanSelection, onCreate?: () => void -}) { +}): Promise { const { onCreate } = options; - return showModal( + showModal( context, (_owner: Disposable, ctrl: IModalControl) => dom.create(NewSiteModalContent, ctrl, onCreate), dom.cls(cssModalIndex.className), @@ -87,12 +87,12 @@ export function buildUpgradeModal(owner: Disposable, options: { throw new UserError(t(`Billing is not supported in grist-core`)); } -export interface UpgradeButton { +export interface IUpgradeButton { showUpgradeCard(...args: DomArg[]): DomContents; showUpgradeButton(...args: DomArg[]): DomContents; } -export function buildUpgradeButton(owner: IDisposableOwner, app: AppModel): UpgradeButton { +export function buildUpgradeButton(owner: IDisposableOwner, app: AppModel): IUpgradeButton { return { showUpgradeCard: () => null, showUpgradeButton: () => null, diff --git a/app/client/ui/DefaultActivationPage.ts b/app/client/ui/DefaultActivationPage.ts new file mode 100644 index 00000000..859db9e8 --- /dev/null +++ b/app/client/ui/DefaultActivationPage.ts @@ -0,0 +1,18 @@ +import {AppModel} from 'app/client/models/AppModel'; +import { Disposable, IDomCreator } from 'grainjs'; + +export type IActivationPageCreator = IDomCreator<[AppModel]> + +/** + * A blank ActivationPage stand-in, as it's possible for the frontend to try and load an "activation page", + * even though there's no activation in core. + */ +export class DefaultActivationPage extends Disposable { + constructor(_appModel: AppModel) { + super(); + } + + public buildDom() { + return null; + } +} diff --git a/stubs/app/client/components/Banners.ts b/stubs/app/client/components/Banners.ts index 7df6398a..b0aa190b 100644 --- a/stubs/app/client/components/Banners.ts +++ b/stubs/app/client/components/Banners.ts @@ -1,10 +1,2 @@ -import {AppModel} from 'app/client/models/AppModel'; -import {DocPageModel} from 'app/client/models/DocPageModel'; +export { buildHomeBanners, buildDocumentBanners } from 'app/client/components/CoreBanners'; -export function buildHomeBanners(_app: AppModel) { - return null; -} - -export function buildDocumentBanners(_docPageModel: DocPageModel) { - return null; -} diff --git a/stubs/app/client/ui/ActivationPage.ts b/stubs/app/client/ui/ActivationPage.ts index aa2ce08a..99b90e57 100644 --- a/stubs/app/client/ui/ActivationPage.ts +++ b/stubs/app/client/ui/ActivationPage.ts @@ -1,12 +1,7 @@ -import {AppModel} from 'app/client/models/AppModel'; -import {Disposable} from 'grainjs'; +import { + DefaultActivationPage, IActivationPageCreator +} from "app/client/ui/DefaultActivationPage"; -export class ActivationPage extends Disposable { - constructor(_appModel: AppModel) { - super(); - } - - public buildDom() { - return null; - } +export function getActivationPage(): IActivationPageCreator { + return DefaultActivationPage; } From 40c87f45296a04c4c5092dc6f4c797c27260979e Mon Sep 17 00:00:00 2001 From: Dmitry S Date: Wed, 12 Jun 2024 17:47:25 -0400 Subject: [PATCH 02/19] (core) Update documentation of certain functions Summary: - lookupOne/lookupRecords explain `sort_by` param better, and link to more detailed article. - Incorporate a typo fix from Help Center - Fix the omission of TASTEME never having been documented. Test Plan: Corresponding update to Help Center can be reviewed at https://github.com/gristlabs/grist-help/pull/351 Reviewers: jarek Reviewed By: jarek Subscribers: jarek Differential Revision: https://phab.getgrist.com/D4269 --- sandbox/grist/functions/text.py | 18 +++++++++++++++--- sandbox/grist/table.py | 19 ++++++++++++++++--- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/sandbox/grist/functions/text.py b/sandbox/grist/functions/text.py index 3d9a7c0d..0fe8c4ca 100644 --- a/sandbox/grist/functions/text.py +++ b/sandbox/grist/functions/text.py @@ -647,6 +647,18 @@ def T(value): six.text_type(value) if isinstance(value, AltText) else u"") def TASTEME(food): + """ + For any given piece of text, decides if it is tasty or not. + + This is not serious. It appeared as an Easter egg, and is kept as such. It is in fact a puzzle + to figure out the underlying simple rule. It has been surprisingly rarely cracked, even after + reading the source code, which is freely available and may entertain Python fans. + + >>> TASTEME('Banana') + True + >>> TASTEME('Garlic') + False + """ chews = re.findall(r'\b[A-Z]+\b', food.upper()) claw = slice(2, None) spit = lambda chow: chow[claw] @@ -657,9 +669,9 @@ def TASTEME(food): @unimplemented def TEXT(number, format_type): # pylint: disable=unused-argument """ - Converts a number into text according to a specified format. It is not yet implemented in + Converts a number into text according to a specified format. It is not yet implemented in Grist. You can use the similar Python functions str() to convert numbers into strings, and - optionally format() to specify the number format. + optionally format() to specify the number format. """ raise NotImplementedError() @@ -681,7 +693,7 @@ def TRIM(text): def UPPER(text): """ - Converts a specified string to uppercase. Same as `text.lower()`. + Converts a specified string to uppercase. Same as `text.upper()`. >>> UPPER("e. e. cummings") 'E. E. CUMMINGS' diff --git a/sandbox/grist/table.py b/sandbox/grist/table.py index 9b976403..b582ab9d 100644 --- a/sandbox/grist/table.py +++ b/sandbox/grist/table.py @@ -68,13 +68,17 @@ class UserTable(object): any expression, most commonly a field in the current row (e.g. `$SomeField`) or a constant (e.g. a quoted string like `"Some Value"`) (examples below). - If `sort_by=field` is given, sort the results by that field. + + You may set the optional `sort_by` parameter to the column ID by which to sort multiple matching + results, to determine which of them is returned. You can prefix the column ID with "-" to + reverse the order. For example: ``` People.lookupRecords(Email=$Work_Email) People.lookupRecords(First_Name="George", Last_Name="Washington") People.lookupRecords(Last_Name="Johnson", sort_by="First_Name") + Orders.lookupRecords(Customer=$id, sort_by="-OrderDate") ``` See [RecordSet](#recordset) for useful properties offered by the returned object. @@ -82,6 +86,8 @@ class UserTable(object): See [CONTAINS](#contains) for an example utilizing `UserTable.lookupRecords` to find records where a field of a list type (such as `Choice List` or `Reference List`) contains the given value. + + Learn more about [lookupRecords](references-lookups.md#lookuprecords). """ return self.table.lookup_records(**field_value_pairs) @@ -92,14 +98,21 @@ class UserTable(object): Returns a [Record](#record) matching the given field=value arguments. The value may be any expression, most commonly a field in the current row (e.g. `$SomeField`) or a constant (e.g. a quoted string - like `"Some Value"`). If multiple records match, returns one of them. If none match, returns the - special empty record. + like `"Some Value"`). If multiple records are found, the first match is returned. + + You may set the optional `sort_by` parameter to the column ID by which to sort multiple matching + results, to determine which of them is returned. You can prefix the column ID with "-" to + reverse the order. For example: ``` People.lookupOne(First_Name="Lewis", Last_Name="Carroll") People.lookupOne(Email=$Work_Email) + Tickets.lookupOne(Person=$id, sort_by="Date") # Find the first ticket for the person + Tickets.lookupOne(Person=$id, sort_by="-Date") # Find the last ticket for the person ``` + + Learn more about [lookupOne](references-lookups.md#lookupone). """ return self.table.lookup_one_record(**field_value_pairs) From 1e2991519fada31b1ec0ebcadedbe0aa62e85a2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaros=C5=82aw=20Sadzi=C5=84ski?= Date: Fri, 14 Jun 2024 12:12:24 +0200 Subject: [PATCH 03/19] (core) Restoring GRIST_DEFAULT_PRODUCT functionality Summary: The GRIST_DEFAULT_PRODUCT wasn't used for grist-ee, now it is respected. Test Plan: I've build grist-ee docker image from github and run it using our instruction (both for recreating the issue and confirming it is fixed) ``` docker run -p 8484:8484 \ -v $PWD:/persist \ -e GRIST_SESSION_SECRET=invent-a-secret-here \ -e GRIST_SINGLE_ORG=cool-beans -it gristlabs/grist-ee ``` For grist-core I recreated/confirmed it is fixed it just by `GRIST_SINGLE_ORG=team npm start` in the core folder. I also created some team sites using stubbed UI and confirmed that they were using the GRIST_DEFAULT_PRODUCT product. Reviewers: paulfitz Reviewed By: paulfitz Subscribers: paulfitz Differential Revision: https://phab.getgrist.com/D4271 --- app/client/ui/CreateTeamModal.ts | 4 +++- app/gen-server/entity/Product.ts | 5 ++--- stubs/app/server/server.ts | 2 -- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/app/client/ui/CreateTeamModal.ts b/app/client/ui/CreateTeamModal.ts index 4c633e98..4dccfc2e 100644 --- a/app/client/ui/CreateTeamModal.ts +++ b/app/client/ui/CreateTeamModal.ts @@ -136,7 +136,9 @@ function buildTeamPage({ } await create(); } finally { - disabled.set(false); + if (!disabled.isDisposed()) { + disabled.set(false); + } } } const clickOnEnter = dom.onKeyPress({ diff --git a/app/gen-server/entity/Product.ts b/app/gen-server/entity/Product.ts index 0ecde6da..42ce6526 100644 --- a/app/gen-server/entity/Product.ts +++ b/app/gen-server/entity/Product.ts @@ -147,12 +147,11 @@ export const PRODUCTS: IProduct[] = [ */ export function getDefaultProductNames() { const defaultProduct = process.env.GRIST_DEFAULT_PRODUCT; - const personalFreePlan = PERSONAL_FREE_PLAN; return { // Personal site start off on a functional plan. - personal: defaultProduct || personalFreePlan, + personal: defaultProduct || PERSONAL_FREE_PLAN, // Team site starts off on a limited plan, requiring subscription. - teamInitial: defaultProduct || 'stub', + teamInitial: defaultProduct || STUB_PLAN, // Team site that has been 'turned off'. teamCancel: 'suspended', // Functional team site. diff --git a/stubs/app/server/server.ts b/stubs/app/server/server.ts index cfb13172..20ab2d26 100644 --- a/stubs/app/server/server.ts +++ b/stubs/app/server/server.ts @@ -7,7 +7,6 @@ import {commonUrls} from 'app/common/gristUrls'; import {isAffirmative} from 'app/common/gutil'; import {HomeDBManager} from 'app/gen-server/lib/HomeDBManager'; -import {TEAM_FREE_PLAN} from 'app/common/Features'; const debugging = isAffirmative(process.env.DEBUG) || isAffirmative(process.env.VERBOSE); @@ -90,7 +89,6 @@ async function setupDb() { }, { setUserAsOwner: false, useNewPlan: true, - product: TEAM_FREE_PLAN })); } } From 76d94483adcf22f0249012e4ef2a8297955bb50a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaros=C5=82aw=20Sadzi=C5=84ski?= Date: Tue, 18 Jun 2024 12:12:20 +0200 Subject: [PATCH 04/19] (core) Adding fixSiteProducts that changes orgs from teamFree to Free product if it was set be default Summary: After release on 2024-06-12 (1.1.15) the GRIST_DEFAULT_PRODUCT env variable wasn't respected by the method that started the server in single org mode. In all deployments (apart from saas), the default product used for new sites is set to `Free`, but the code that starts the server enforced `teamFree` product. This change adds a fix routine that fixes this issue by rewriting team sites from `teamFree` product to `Free` product only if: - The default product is set to `Free` - The deployment type is something other then 'saas'. Additionally there is a test that will fail after 2024.10.01, as this fix should be removed before this date. Test Plan: Added test Reviewers: paulfitz Reviewed By: paulfitz Subscribers: paulfitz Differential Revision: https://phab.getgrist.com/D4272 --- app/gen-server/lib/Housekeeper.ts | 78 ++++++++++++++++ stubs/app/server/server.ts | 8 ++ test/server/fixSiteProducts.ts | 146 ++++++++++++++++++++++++++++++ 3 files changed, 232 insertions(+) create mode 100644 test/server/fixSiteProducts.ts diff --git a/app/gen-server/lib/Housekeeper.ts b/app/gen-server/lib/Housekeeper.ts index f3412d03..14c68ecf 100644 --- a/app/gen-server/lib/Housekeeper.ts +++ b/app/gen-server/lib/Housekeeper.ts @@ -1,8 +1,10 @@ import { ApiError } from 'app/common/ApiError'; import { delay } from 'app/common/delay'; import { buildUrlId } from 'app/common/gristUrls'; +import { BillingAccount } from 'app/gen-server/entity/BillingAccount'; import { Document } from 'app/gen-server/entity/Document'; import { Organization } from 'app/gen-server/entity/Organization'; +import { Product } from 'app/gen-server/entity/Product'; import { Workspace } from 'app/gen-server/entity/Workspace'; import { HomeDBManager, Scope } from 'app/gen-server/lib/HomeDBManager'; import { fromNow } from 'app/gen-server/sqlUtils'; @@ -462,3 +464,79 @@ async function forEachWithBreaks(logText: string, items: T[], callback: (item } log.rawInfo(logText, {itemsProcesssed, itemsTotal, timeMs: Date.now() - start}); } + +/** + * For a brief moment file `stubs/app/server/server.ts` was ignoring the GRIST_DEFAULT_PRODUCT + * variable, which is currently set for all deployment types to 'Free' product. As a result orgs + * created after 2024-06-12 (1.1.15) were created with 'teamFree' product instead of 'Free'. + * It only affected deployments that were using: + * - GRIST_DEFAULT_PRODUCT variable set to 'Free' + * - GRIST_SINGLE_ORG set to enforce single org mode. + * + * This method fixes the product for all orgs created with 'teamFree' product, if the default + * product that should be used is 'Free' and the deployment type is not 'saas' ('saas' deployment + * isn't using GRIST_DEFAULT_PRODUCT variable). This method should be removed after 2024.10.01. + * + * There is a corresponding test that will fail if this method (and that test) are not removed. + * + * @returns true if the method was run, false otherwise. + */ +export async function fixSiteProducts(options: { + deploymentType: string, + db: HomeDBManager, + dry?: boolean, +}) { + const {deploymentType, dry, db} = options; + + const hasDefaultProduct = () => Boolean(process.env.GRIST_DEFAULT_PRODUCT); + const defaultProductIsFree = () => process.env.GRIST_DEFAULT_PRODUCT === 'Free'; + const notSaasDeployment = () => deploymentType !== 'saas'; + const mustRun = hasDefaultProduct() && defaultProductIsFree() && notSaasDeployment(); + if (!mustRun) { + return false; + } + const removeMeDate = new Date('2024-10-01'); + const warningMessage = `WARNING: This method should be removed after ${removeMeDate.toDateString()}.`; + if (new Date() > removeMeDate) { + console.warn(warningMessage); + } + + // Find all billing accounts on teamFree product and change them to the Free. + + return await db.connection.transaction(async (t) => { + const freeProduct = await t.findOne(Product, {where: {name: 'Free'}}); + + const freeTeamProduct = await t.findOne(Product, {where: {name: 'teamFree'}}); + + if (!freeTeamProduct) { + console.warn('teamFree product not found.'); + return false; + } + + if (!freeProduct) { + console.warn('Free product not found.'); + return false; + } + + if (dry) { + await t.createQueryBuilder() + .select('ba') + .from(BillingAccount, 'ba') + .where('ba.product = :productId', {productId: freeTeamProduct.id}) + .getMany() + .then((accounts) => { + accounts.forEach(a => { + console.log(`Would change account ${a.id} from ${a.product.id} to ${freeProduct.id}`); + }); + }); + } else { + await t.createQueryBuilder() + .update(BillingAccount) + .set({product: freeProduct.id}) + .where({product: freeTeamProduct.id}) + .execute(); + } + + return true; + }); +} diff --git a/stubs/app/server/server.ts b/stubs/app/server/server.ts index 20ab2d26..b6f272a9 100644 --- a/stubs/app/server/server.ts +++ b/stubs/app/server/server.ts @@ -7,6 +7,7 @@ import {commonUrls} from 'app/common/gristUrls'; import {isAffirmative} from 'app/common/gutil'; import {HomeDBManager} from 'app/gen-server/lib/HomeDBManager'; +import {fixSiteProducts} from 'app/gen-server/lib/Housekeeper'; const debugging = isAffirmative(process.env.DEBUG) || isAffirmative(process.env.VERBOSE); @@ -135,6 +136,13 @@ export async function main() { if (process.env.GRIST_SERVE_PLUGINS_PORT) { await server.startCopy('pluginServer', parseInt(process.env.GRIST_SERVE_PLUGINS_PORT, 10)); } + + await fixSiteProducts({ + deploymentType: server.getDeploymentType(), + db: server.getHomeDBManager(), + dry: true + }); + return server; } diff --git a/test/server/fixSiteProducts.ts b/test/server/fixSiteProducts.ts new file mode 100644 index 00000000..b42d5a01 --- /dev/null +++ b/test/server/fixSiteProducts.ts @@ -0,0 +1,146 @@ +import {Organization} from 'app/gen-server/entity/Organization'; +import {fixSiteProducts} from 'app/gen-server/lib/Housekeeper'; +import {TestServer} from 'test/gen-server/apiUtils'; +import * as testUtils from 'test/server/testUtils'; +import {assert} from 'chai'; +import sinon from "sinon"; +import {getDefaultProductNames} from 'app/gen-server/entity/Product'; + +const email = 'chimpy@getgrist.com'; +const profile = {email, name: email}; +const org = 'single-org'; + +describe('fixSiteProducts', function() { + this.timeout(6000); + + let oldEnv: testUtils.EnvironmentSnapshot; + let server: TestServer; + + before(async function() { + oldEnv = new testUtils.EnvironmentSnapshot(); + // By default we will simulate 'core' deployment that has 'Free' team site as default product. + process.env.GRIST_TEST_SERVER_DEPLOYMENT_TYPE = 'core'; + process.env.GRIST_DEFAULT_PRODUCT = 'Free'; + server = new TestServer(this); + await server.start(); + }); + + after(async function() { + oldEnv.restore(); + await server.stop(); + }); + + it('fix should be deleted after 2024-10-01', async function() { + const now = new Date(); + const remove_date = new Date('2024-10-01'); + assert.isTrue(now < remove_date, 'This test and a fix method should be deleted after 2024-10-01'); + }); + + it('fixes sites that where created with a wrong product', async function() { + const db = server.dbManager; + const user = await db.getUserByLogin(email, {profile}) as any; + const getOrg = (id: number) => db.connection.manager.findOne( + Organization, + {where: {id}, relations: ['billingAccount', 'billingAccount.product']}); + + const productOrg = (id: number) => getOrg(id)?.then(org => org?.billingAccount?.product?.name); + + const freeOrgId = db.unwrapQueryResult(await db.addOrg(user, { + name: org, + domain: org, + }, { + setUserAsOwner: false, + useNewPlan: true, + product: 'teamFree', + })); + + const teamOrgId = db.unwrapQueryResult(await db.addOrg(user, { + name: 'fix-team-org', + domain: 'fix-team-org', + }, { + setUserAsOwner: false, + useNewPlan: true, + product: 'team', + })); + + // Make sure it is created with teamFree product. + assert.equal(await productOrg(freeOrgId), 'teamFree'); + + // Run the fixer. + assert.isTrue(await fixSiteProducts({ + db, + deploymentType: server.server.getDeploymentType(), + })); + + // Make sure we fixed the product is on Free product. + assert.equal(await productOrg(freeOrgId), 'Free'); + + // Make sure the other org is still on team product. + assert.equal(await productOrg(teamOrgId), 'team'); + }); + + it("doesn't run when on saas deployment", async function() { + process.env.GRIST_TEST_SERVER_DEPLOYMENT_TYPE = 'saas'; + + // Stub it in the server. Notice that we assume some knowledge about how the server is implemented - that it won't + // cache this value (nor any other component) and always read it when needed. Otherwise we would need to recreate + // the server each time. + const sandbox = sinon.createSandbox(); + sandbox.stub(server.server, 'getDeploymentType').returns('saas'); + assert.equal(server.server.getDeploymentType(), 'saas'); + + assert.isFalse(await fixSiteProducts({ + db: server.dbManager, + deploymentType: server.server.getDeploymentType(), + })); + + sandbox.restore(); + }); + + it("doesn't run when default product is not set", async function() { + // Make sure we are in 'core'. + assert.equal(server.server.getDeploymentType(), 'core'); + + // But only when Free product is the default one. + process.env.GRIST_DEFAULT_PRODUCT = 'teamFree'; + assert.equal(getDefaultProductNames().teamInitial, 'teamFree'); // sanity check that Grist sees it. + + assert.isFalse(await fixSiteProducts({ + db: server.dbManager, + deploymentType: server.server.getDeploymentType(), + })); + + process.env.GRIST_DEFAULT_PRODUCT = 'team'; + assert.equal(getDefaultProductNames().teamInitial, 'team'); + + assert.isFalse(await fixSiteProducts({ + db: server.dbManager, + deploymentType: server.server.getDeploymentType(), + })); + + delete process.env.GRIST_DEFAULT_PRODUCT; + assert.equal(getDefaultProductNames().teamInitial, 'stub'); + + const db = server.dbManager; + const user = await db.getUserByLogin(email, {profile}) as any; + const orgId = db.unwrapQueryResult(await db.addOrg(user, { + name: 'sanity-check-org', + domain: 'sanity-check-org', + }, { + setUserAsOwner: false, + useNewPlan: true, + product: 'teamFree', + })); + + const getOrg = (id: number) => db.connection.manager.findOne(Organization, + {where: {id}, relations: ['billingAccount', 'billingAccount.product']}); + const productOrg = (id: number) => getOrg(id)?.then(org => org?.billingAccount?.product?.name); + assert.equal(await productOrg(orgId), 'teamFree'); + + assert.isFalse(await fixSiteProducts({ + db: server.dbManager, + deploymentType: server.server.getDeploymentType(), + })); + assert.equal(await productOrg(orgId), 'teamFree'); + }); +}); From 51a34835c59077b7d035c194338b4a5555cbcfb3 Mon Sep 17 00:00:00 2001 From: Dmitry S Date: Tue, 18 Jun 2024 09:56:11 -0400 Subject: [PATCH 05/19] (core) Disable formula timing UI for non-owners Summary: For non-owners, the timing section of Document Settings is now disabled. For non-editors, the "Reload" section is disabled. Test Plan: Added a test case for timing being disabled. Reviewers: jarek Reviewed By: jarek Differential Revision: https://phab.getgrist.com/D4275 --- app/client/ui/AdminPanelCss.ts | 19 +++++++++++++++++-- app/client/ui/DocumentSettings.ts | 5 +++++ test/nbrowser/Timing.ts | 24 ++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/app/client/ui/AdminPanelCss.ts b/app/client/ui/AdminPanelCss.ts index 9fb8b15f..2853a3fa 100644 --- a/app/client/ui/AdminPanelCss.ts +++ b/app/client/ui/AdminPanelCss.ts @@ -1,3 +1,4 @@ +import {hoverTooltip} from 'app/client/ui/tooltips'; import {transition} from 'app/client/ui/transitions'; import {toggle} from 'app/client/ui2018/checkbox'; import {mediaSmall, testId, theme, vars} from 'app/client/ui2018/cssVars'; @@ -21,6 +22,7 @@ export function AdminSectionItem(owner: IDisposableOwner, options: { description?: DomContents, value?: DomContents, expandedContent?: DomContents, + disabled?: false|string, }) { const itemContent = (...prefix: DomContents[]) => [ cssItemName( @@ -34,7 +36,7 @@ export function AdminSectionItem(owner: IDisposableOwner, options: { testId(`admin-panel-item-value-${options.id}`), dom.on('click', ev => ev.stopPropagation())), ]; - if (options.expandedContent) { + if (options.expandedContent && !options.disabled) { const isCollapsed = Observable.create(owner, true); return cssItem( cssItemShort( @@ -56,7 +58,13 @@ export function AdminSectionItem(owner: IDisposableOwner, options: { ); } else { return cssItem( - cssItemShort(itemContent()), + cssItemShort(itemContent(), + cssItemShort.cls('-disabled', Boolean(options.disabled)), + options.disabled ? hoverTooltip(options.disabled, { + placement: 'bottom-end', + modifiers: {offset: {offset: '0, -10'}}, + }) : null, + ), testId(`admin-panel-item-${options.id}`), ); } @@ -109,6 +117,9 @@ const cssItemShort = styled('div', ` &-expandable:hover { background-color: ${theme.lightHover}; } + &-disabled { + opacity: .5; + } @container line (max-width: 500px) { & { @@ -157,6 +168,10 @@ const cssItemValue = styled('div', ` margin: -16px; padding: 16px; cursor: auto; + + .${cssItemShort.className}-disabled & { + pointer-events: none; + } `); const cssCollapseIcon = styled(icon, ` diff --git a/app/client/ui/DocumentSettings.ts b/app/client/ui/DocumentSettings.ts index 615292e7..b2c9ba28 100644 --- a/app/client/ui/DocumentSettings.ts +++ b/app/client/ui/DocumentSettings.ts @@ -28,6 +28,7 @@ import {EngineCode} from 'app/common/DocumentSettings'; import {commonUrls, GristLoadConfig} from 'app/common/gristUrls'; import {not, propertyCompare} from 'app/common/gutil'; import {getCurrency, locales} from 'app/common/Locales'; +import {isOwner, isOwnerOrEditor} from 'app/common/roles'; import {Computed, Disposable, dom, fromKo, IDisposableOwner, makeTestId, Observable, styled} from 'grainjs'; import * as moment from 'moment-timezone'; @@ -58,6 +59,8 @@ export class DocSettingsPage extends Disposable { const canChangeEngine = getSupportedEngineChoices().length > 0; const docPageModel = this._gristDoc.docPageModel; const isTimingOn = this._gristDoc.isTimingOn; + const isDocOwner = isOwner(docPageModel.currentDoc.get()); + const isDocEditor = isOwnerOrEditor(docPageModel.currentDoc.get()); return cssContainer( dom.create(AdminSection, t('Document Settings'), [ @@ -115,6 +118,7 @@ export class DocSettingsPage extends Disposable { 'This allows diagnosing which formulas are responsible for slow performance when a ' + 'document is first opened, or when a document responds to changes.' )), + disabled: isDocOwner ? false : t('Only available to document owners'), }), dom.create(AdminSectionItem, { @@ -122,6 +126,7 @@ export class DocSettingsPage extends Disposable { name: t('Reload'), description: t('Hard reset of data engine'), value: cssSmallButton(t('Reload data engine'), dom.on('click', this._reloadEngine.bind(this, true))), + disabled: isDocEditor ? false : t('Only available to document editors'), }), canChangeEngine ? dom.create(AdminSectionItem, { diff --git a/test/nbrowser/Timing.ts b/test/nbrowser/Timing.ts index b21e1304..9659cdf4 100644 --- a/test/nbrowser/Timing.ts +++ b/test/nbrowser/Timing.ts @@ -166,6 +166,30 @@ describe("Timing", function () { await driver.findWait('.test-raw-data-list', 2000); assert.deepEqual(await driver.findAll('.test-raw-data-table-id', e => e.getText()), ['Table1']); }); + + it('should be disabled for non-owners', async function() { + await userApi.updateDocPermissions(docId, {users: { + [gu.translateUser('user2').email]: 'editors', + }}); + + const session = await gu.session().teamSite.user('user2').login(); + await session.loadDoc(`/doc/${docId}`); + await gu.openDocumentSettings(); + + const start = driver.find('.test-settings-timing-start'); + assert.equal(await start.isPresent(), true); + + // Check that we have an informative tooltip. + await start.mouseMove(); + assert.match(await driver.findWait('.test-tooltip', 2000).getText(), /Only available to document owners/); + + // Nothing should happen on click. We click the location rather than the element, since the + // element isn't actually clickable. + await start.mouseMove(); + await driver.withActions(a => a.press().release()); + await driver.sleep(100); + assert.equal(await driver.find(".test-settings-timing-modal").isPresent(), false); + }); }); const element = (testId: string) => ({ From 8bc8d60fca6641b662f275f81c678057d2abdf51 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 10:54:52 -0400 Subject: [PATCH 06/19] automated update to translation keys (#1053) Co-authored-by: Paul's Grist Bot --- static/locales/en.client.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/static/locales/en.client.json b/static/locales/en.client.json index 3ba12ffc..7a8ee8df 100644 --- a/static/locales/en.client.json +++ b/static/locales/en.client.json @@ -339,7 +339,9 @@ "Stop timing...": "Stop timing...", "Time reload": "Time reload", "Timing is on": "Timing is on", - "You can make changes to the document, then stop timing to see the results.": "You can make changes to the document, then stop timing to see the results." + "You can make changes to the document, then stop timing to see the results.": "You can make changes to the document, then stop timing to see the results.", + "Only available to document editors": "Only available to document editors", + "Only available to document owners": "Only available to document owners" }, "DocumentUsage": { "Attachments Size": "Size of Attachments", From 95b2459f25b614f42cb5c4564de842243dbf8b83 Mon Sep 17 00:00:00 2001 From: Florent Date: Tue, 18 Jun 2024 16:57:06 +0200 Subject: [PATCH 07/19] HomeDBManager refactoration: extract method related to Users management in its own module (#1049) The HomeDBManager remains the exposed class to the other parts of the code: any module under gen-server/lib/homedb like UsersManager is intended to be used solely by HomeDBManager, and in order to use their methods, an indirection has to be created to pass through HomeDBManager. --- app/common/UserAPI.ts | 3 + app/gen-server/lib/HomeDBManager.ts | 909 ++++------------------ app/gen-server/lib/homedb/Interfaces.ts | 40 + app/gen-server/lib/homedb/UsersManager.ts | 755 ++++++++++++++++++ 4 files changed, 950 insertions(+), 757 deletions(-) create mode 100644 app/gen-server/lib/homedb/Interfaces.ts create mode 100644 app/gen-server/lib/homedb/UsersManager.ts diff --git a/app/common/UserAPI.ts b/app/common/UserAPI.ts index c10486ad..9c6e824a 100644 --- a/app/common/UserAPI.ts +++ b/app/common/UserAPI.ts @@ -35,6 +35,9 @@ export const ANONYMOUS_USER_EMAIL = 'anon@getgrist.com'; // Nominal email address of a user who, if you share with them, everyone gets access. export const EVERYONE_EMAIL = 'everyone@getgrist.com'; +// Nominal email address of a user who can view anything (for thumbnails). +export const PREVIEWER_EMAIL = 'thumbnail@getgrist.com'; + // A special 'docId' that means to create a new document. export const NEW_DOCUMENT_CODE = 'new'; diff --git a/app/gen-server/lib/HomeDBManager.ts b/app/gen-server/lib/HomeDBManager.ts index f8815b6e..06409d1c 100644 --- a/app/gen-server/lib/HomeDBManager.ts +++ b/app/gen-server/lib/HomeDBManager.ts @@ -4,11 +4,10 @@ import {mapGetOrSet, mapSetOrClear, MapWithTTL} from 'app/common/AsyncCreate'; import {getDataLimitStatus} from 'app/common/DocLimits'; import {createEmptyOrgUsageSummary, DocumentUsage, OrgUsageSummary} from 'app/common/DocUsage'; import {normalizeEmail} from 'app/common/emails'; -import {ANONYMOUS_PLAN, canAddOrgMembers, Features, PERSONAL_FREE_PLAN} from 'app/common/Features'; +import {ANONYMOUS_PLAN, canAddOrgMembers, Features} from 'app/common/Features'; import {buildUrlId, MIN_URLID_PREFIX_LENGTH, parseUrlId} from 'app/common/gristUrls'; -import {FullUser, UserProfile} from 'app/common/LoginSessionAPI'; +import {UserProfile} from 'app/common/LoginSessionAPI'; import {checkSubdomainValidity} from 'app/common/orgNameUtils'; -import {UserOrgPrefs} from 'app/common/Prefs'; import * as roles from 'app/common/roles'; import {StringUnion} from 'app/common/StringUnion'; import { @@ -22,9 +21,10 @@ import { Organization as OrgInfo, PermissionData, PermissionDelta, + PREVIEWER_EMAIL, UserAccessData, UserOptions, - WorkspaceProperties + WorkspaceProperties, } from "app/common/UserAPI"; import {AclRule, AclRuleDoc, AclRuleOrg, AclRuleWs} from "app/gen-server/entity/AclRule"; import {Alias} from "app/gen-server/entity/Alias"; @@ -32,7 +32,6 @@ import {BillingAccount} from "app/gen-server/entity/BillingAccount"; import {BillingAccountManager} from "app/gen-server/entity/BillingAccountManager"; import {Document} from "app/gen-server/entity/Document"; import {Group} from "app/gen-server/entity/Group"; -import {Login} from "app/gen-server/entity/Login"; import {AccessOption, AccessOptionWithRole, Organization} from "app/gen-server/entity/Organization"; import {Pref} from "app/gen-server/entity/Pref"; import {getDefaultProductNames, personalFreeFeatures, Product} from "app/gen-server/entity/Product"; @@ -41,6 +40,10 @@ import {Share} from "app/gen-server/entity/Share"; import {User} from "app/gen-server/entity/User"; import {Workspace} from "app/gen-server/entity/Workspace"; import {Limit} from 'app/gen-server/entity/Limit'; +import { + AvailableUsers, GetUserOptions, NonGuestGroup, Resource, UserProfileChange +} from 'app/gen-server/lib/homedb/Interfaces'; +import {SUPPORT_EMAIL, UsersManager} from 'app/gen-server/lib/homedb/UsersManager'; import {Permissions} from 'app/gen-server/lib/Permissions'; import {scrubUserFromOrg} from "app/gen-server/lib/scrubUserFromOrg"; import {applyPatch} from 'app/gen-server/lib/TypeORMPatches'; @@ -59,20 +62,20 @@ import log from 'app/server/lib/log'; import {Permit} from 'app/server/lib/Permit'; import {getScope} from 'app/server/lib/requestUtils'; import {WebHookSecret} from "app/server/lib/Triggers"; + import {EventEmitter} from 'events'; import {Request} from "express"; +import {defaultsDeep, flatten, pick} from 'lodash'; import { Brackets, Connection, DatabaseType, EntityManager, + ObjectLiteral, SelectQueryBuilder, WhereExpression } from "typeorm"; import uuidv4 from "uuid/v4"; -import flatten = require('lodash/flatten'); -import pick = require('lodash/pick'); -import defaultsDeep = require('lodash/defaultsDeep'); // Support transactions in Sqlite in async code. This is a monkey patch, affecting // the prototypes of various TypeORM classes. @@ -80,6 +83,7 @@ import defaultsDeep = require('lodash/defaultsDeep'); // fixed. See https://github.com/typeorm/typeorm/issues/1884#issuecomment-380767213 applyPatch(); +export { SUPPORT_EMAIL }; export const NotifierEvents = StringUnion( 'addUser', 'userChange', @@ -93,18 +97,6 @@ export const NotifierEvents = StringUnion( export type NotifierEvent = typeof NotifierEvents.type; -// Nominal email address of a user who can view anything (for thumbnails). -export const PREVIEWER_EMAIL = 'thumbnail@getgrist.com'; - -// A special user allowed to add/remove the EVERYONE_EMAIL to/from a resource. -export const SUPPORT_EMAIL = appSettings.section('access').flag('supportEmail').requireString({ - envVar: 'GRIST_SUPPORT_EMAIL', - defaultValue: 'support@getgrist.com', -}); - -// A list of emails we don't expect to see logins for. -const NON_LOGIN_EMAILS = [PREVIEWER_EMAIL, EVERYONE_EMAIL, ANONYMOUS_USER_EMAIL]; - // Name of a special workspace with examples in it. export const EXAMPLE_WORKSPACE_NAME = 'Examples & Templates'; @@ -119,8 +111,6 @@ const listPublicSites = appSettings.section('access').flag('listPublicSites').re // which is a burden under heavy traffic. const DOC_AUTH_CACHE_TTL = 5000; -type Resource = Organization|Workspace|Document; - export interface QueryResult { status: number; data?: T; @@ -171,16 +161,6 @@ export interface UserChange { membersAfter: Map; } -// A specification of the users available during a request. This can be a single -// user, identified by a user id, or a collection of profiles (typically drawn from -// the session). -type AvailableUsers = number | UserProfile[]; - -// A type guard to check for single-user case. -function isSingleUser(users: AvailableUsers): users is number { - return typeof users === 'number'; -} - // The context in which a query is being made. Includes what we know // about the user, and for requests made from pages, the active organization. export interface Scope { @@ -204,18 +184,6 @@ export interface DocScope extends Scope { urlId: string; } -type NonGuestGroup = Group & { name: roles.NonGuestRole }; - -// Returns whether the given group is a valid non-guest group. -function isNonGuestGroup(group: Group): group is NonGuestGroup { - return roles.isNonGuestRole(group.name); -} - -export interface UserProfileChange { - name?: string; - isFirstTimeUser?: boolean; -} - // Identifies a request to access a document. This combination of values is also used for caching // DocAuthResult for DOC_AUTH_CACHE_TTL. Other request scope information is passed along. export interface DocAuthKey { @@ -235,12 +203,6 @@ export interface DocAuthResult { cachedDoc?: Document; // For cases where stale info is ok. } -interface GetUserOptions { - manager?: EntityManager; - profile?: UserProfile; - userOptions?: UserOptions; -} - // Represent a DocAuthKey as a string. The format is ": ". // flushSingleDocAuthCache() depends on this format. function stringifyDocAuthKey(key: DocAuthKey): string { @@ -284,9 +246,9 @@ export type BillingOptions = Partial { - await this._getSpecialUserId({ - email: ANONYMOUS_USER_EMAIL, - name: "Anonymous" - }); - await this._getSpecialUserId({ - email: PREVIEWER_EMAIL, - name: "Preview" - }); - await this._getSpecialUserId({ - email: EVERYONE_EMAIL, - name: "Everyone" - }); - await this._getSpecialUserId({ - email: SUPPORT_EMAIL, - name: "Support" - }); + }) { + await this._usersManager.initializeSpecialIds(); if (!options?.skipWorkspaces) { // Find the example workspace. If there isn't one named just right, take the first workspace @@ -420,7 +366,7 @@ export class HomeDBManager extends EventEmitter { // anonymous users. const supportWorkspaces = await this._workspaces() .leftJoinAndSelect('workspaces.org', 'orgs') - .where('orgs.owner_id = :userId', { userId: this.getSupportUserId() }) + .where('orgs.owner_id = :userId', { userId: this._usersManager.getSupportUserId() }) .orderBy('workspaces.created_at') .getMany(); const exampleWorkspace = supportWorkspaces.find(ws => ws.name === EXAMPLE_WORKSPACE_NAME) || supportWorkspaces[0]; @@ -471,325 +417,78 @@ export class HomeDBManager extends EventEmitter { } /** - * Clear all user preferences associated with the given email addresses. * For use in tests. + * @see UsersManager.prototype.testClearUserPrefs */ public async testClearUserPrefs(emails: string[]) { - return await this._connection.transaction(async manager => { - for (const email of emails) { - const user = await this.getUserByLogin(email, {manager}); - if (user) { - await manager.delete(Pref, {userId: user.id}); - } - } - }); + return this._usersManager.testClearUserPrefs(emails); } public async getUserByKey(apiKey: string): Promise { - // Include logins relation for Authorization convenience. - return await User.findOne({where: {apiKey}, relations: ["logins"]}) || undefined; + return this._usersManager.getUserByKey(apiKey); } public async getUserByRef(ref: string): Promise { - return await User.findOne({where: {ref}, relations: ["logins"]}) || undefined; + return this._usersManager.getUserByRef(ref); } - public async getUser( - userId: number, - options: {includePrefs?: boolean} = {} - ): Promise { - const {includePrefs} = options; - const relations = ["logins"]; - if (includePrefs) { relations.push("prefs"); } - return await User.findOne({where: {id: userId}, relations}) || undefined; + public async getUser(userId: number, options: {includePrefs?: boolean} = {}) { + return this._usersManager.getUser(userId, options); } - public async getFullUser(userId: number): Promise { - const user = await User.findOne({where: {id: userId}, relations: ["logins"]}); - if (!user) { throw new ApiError("unable to find user", 400); } - return this.makeFullUser(user); + public async getFullUser(userId: number) { + return this._usersManager.getFullUser(userId); } /** - * Convert a user record into the format specified in api. + * @see UsersManager.prototype.makeFullUser */ - public makeFullUser(user: User): FullUser { - if (!user.logins?.[0]?.displayEmail) { - throw new ApiError("unable to find mandatory user email", 400); - } - const displayEmail = user.logins[0].displayEmail; - const loginEmail = user.loginEmail; - const result: FullUser = { - id: user.id, - email: displayEmail, - // Only include loginEmail when it's different, to avoid overhead when FullUser is sent - // around, and also to avoid updating too many tests. - loginEmail: loginEmail !== displayEmail ? loginEmail : undefined, - name: user.name, - picture: user.picture, - ref: user.ref, - locale: user.options?.locale, - prefs: user.prefs?.find((p)=> p.orgId === null)?.prefs, - }; - if (this.getAnonymousUserId() === user.id) { - result.anonymous = true; - } - if (this.getSupportUserId() === user.id) { - result.isSupport = true; - } - return result; + public makeFullUser(user: User) { + return this._usersManager.makeFullUser(user); } /** - * Ensures that user with external id exists and updates its profile and email if necessary. - * - * @param profile External profile + * @see UsersManager.prototype.ensureExternalUser */ public async ensureExternalUser(profile: UserProfile) { - await this._connection.transaction(async manager => { - // First find user by the connectId from the profile - const existing = await manager.findOne(User, { - where: {connectId: profile.connectId || undefined}, - relations: ["logins"], - }); - - // If a user does not exist, create it with data from the external profile. - if (!existing) { - const newUser = await this.getUserByLoginWithRetry(profile.email, { - profile, - manager - }); - if (!newUser) { - throw new ApiError("Unable to create user", 500); - } - // No need to survey this user. - newUser.isFirstTimeUser = false; - await newUser.save(); - } else { - // Else update profile and login information from external profile. - let updated = false; - let login: Login = existing.logins[0]!; - const properEmail = normalizeEmail(profile.email); - - if (properEmail !== existing.loginEmail) { - login = login ?? new Login(); - login.email = properEmail; - login.displayEmail = profile.email; - existing.logins.splice(0, 1, login); - login.user = existing; - updated = true; - } - - if (profile?.name && profile?.name !== existing.name) { - existing.name = profile.name; - updated = true; - } - - if (profile?.picture && profile?.picture !== existing.picture) { - existing.picture = profile.picture; - updated = true; - } - - if (updated) { - await manager.save([existing, login]); - } - } - }); + return this._usersManager.ensureExternalUser(profile); } - public async updateUser(userId: number, props: UserProfileChange): Promise { - let isWelcomed: boolean = false; - let user: User|null = null; - await this._connection.transaction(async manager => { - user = await manager.findOne(User, {relations: ['logins'], - where: {id: userId}}); - let needsSave = false; - if (!user) { throw new ApiError("unable to find user", 400); } - if (props.name && props.name !== user.name) { - user.name = props.name; - needsSave = true; - } - if (props.isFirstTimeUser !== undefined && props.isFirstTimeUser !== user.isFirstTimeUser) { - user.isFirstTimeUser = props.isFirstTimeUser; - needsSave = true; - // If we are turning off the isFirstTimeUser flag, then right - // after this transaction commits is a great time to trigger - // any automation for first logins - if (!props.isFirstTimeUser) { isWelcomed = true; } - } - if (needsSave) { - await user.save(); - } - }); + public async updateUser(userId: number, props: UserProfileChange) { + const { user, isWelcomed } = await this._usersManager.updateUser(userId, props); if (user && isWelcomed) { this.emit('firstLogin', this.makeFullUser(user)); } } public async updateUserName(userId: number, name: string) { - const user = await User.findOne({where: {id: userId}}); - if (!user) { throw new ApiError("unable to find user", 400); } - user.name = name; - await user.save(); + return this._usersManager.updateUserName(userId, name); } public async updateUserOptions(userId: number, props: Partial) { - const user = await User.findOne({where: {id: userId}}); - if (!user) { throw new ApiError("unable to find user", 400); } - - const newOptions = {...(user.options ?? {}), ...props}; - user.options = newOptions; - await user.save(); - } - - // Fetch user from login, creating the user if previously unseen, allowing one retry - // for an email key conflict failure. This is in case our transaction conflicts with a peer - // doing the same thing. This is quite likely if the first page visited by a previously - // unseen user fires off multiple api calls. - public async getUserByLoginWithRetry(email: string, options: GetUserOptions = {}): Promise { - try { - return await this.getUserByLogin(email, options); - } catch (e) { - if (e.name === 'QueryFailedError' && e.detail && - e.detail.match(/Key \(email\)=[^ ]+ already exists/)) { - // This is a postgres-specific error message. This problem cannot arise in sqlite, - // because we have to serialize sqlite transactions in any case to get around a typeorm - // limitation. - return await this.getUserByLogin(email, options); - } - throw e; - } + return this._usersManager.updateUserOptions(userId, props); } /** - * - * Fetches a user record based on an email address. If a user record already - * exists linked to the email address supplied, that is the record returned. - * Otherwise a fresh record is created, linked to the supplied email address. - * The supplied `options` are used when creating a fresh record, or updating - * unset/outdated fields of an existing record. - * + * @see UsersManager.prototype.getUserByLoginWithRetry + */ + public async getUserByLoginWithRetry(email: string, options: GetUserOptions = {}): Promise { + return this._usersManager.getUserByLoginWithRetry(email, options); + } + + /** + * @see UsersManager.prototype.getUserByLogin */ public async getUserByLogin(email: string, options: GetUserOptions = {}): Promise { - const {manager: transaction, profile, userOptions} = options; - const normalizedEmail = normalizeEmail(email); - const userByLogin = await this._runInTransaction(transaction, async manager => { - let needUpdate = false; - const userQuery = manager.createQueryBuilder() - .select('user') - .from(User, 'user') - .leftJoinAndSelect('user.logins', 'logins') - .leftJoinAndSelect('user.personalOrg', 'personalOrg') - .where('email = :email', {email: normalizedEmail}); - let user = await userQuery.getOne(); - let login: Login; - if (!user) { - user = new User(); - // Special users do not have first time user set so that they don't get redirected to the - // welcome page. - user.isFirstTimeUser = !NON_LOGIN_EMAILS.includes(normalizedEmail); - login = new Login(); - login.email = normalizedEmail; - login.user = user; - needUpdate = true; - } else { - login = user.logins[0]; - } - - // Check that user and login records are up to date. - if (!user.name) { - // Set the user's name if our provider knows it. Otherwise use their username - // from email, for lack of something better. If we don't have a profile at this - // time, then leave the name blank in the hopes of learning it when the user logs in. - user.name = (profile && (profile.name || email.split('@')[0])) || ''; - needUpdate = true; - } - if (profile && !user.firstLoginAt) { - // set first login time to now (remove milliseconds for compatibility with other - // timestamps in db set by typeorm, and since second level precision is fine) - const nowish = new Date(); - nowish.setMilliseconds(0); - user.firstLoginAt = nowish; - needUpdate = true; - } - if (!user.picture && profile && profile.picture) { - // Set the user's profile picture if our provider knows it. - user.picture = profile.picture; - needUpdate = true; - } - if (profile && profile.email && profile.email !== login.displayEmail) { - // Use provider's version of email address for display. - login.displayEmail = profile.email; - needUpdate = true; - } - - if (profile?.connectId && profile?.connectId !== user.connectId) { - user.connectId = profile.connectId; - needUpdate = true; - } - - if (!login.displayEmail) { - // Save some kind of display email if we don't have anything at all for it yet. - // This could be coming from how someone wrote it in a UserManager dialog, for - // instance. It will get overwritten when the user logs in if the provider's - // version is different. - login.displayEmail = email; - needUpdate = true; - } - if (!user.options?.authSubject && userOptions?.authSubject) { - // Link subject from password-based authentication provider if not previously linked. - user.options = {...(user.options ?? {}), authSubject: userOptions.authSubject}; - needUpdate = true; - } - if (needUpdate) { - login.user = user; - await manager.save([user, login]); - } - if (!user.personalOrg && !NON_LOGIN_EMAILS.includes(login.email)) { - // Add a personal organization for this user. - // We don't add a personal org for anonymous/everyone/previewer "users" as it could - // get a bit confusing. - const result = await this.addOrg(user, {name: "Personal"}, { - setUserAsOwner: true, - useNewPlan: true, - product: PERSONAL_FREE_PLAN, - }, manager); - if (result.status !== 200) { - throw new Error(result.errMessage); - } - needUpdate = true; - - // We just created a personal org; set userOrgPrefs that should apply for new users only. - const userOrgPrefs: UserOrgPrefs = {showGristTour: true}; - const orgId = result.data; - if (orgId) { - await this.updateOrg({userId: user.id}, orgId, {userOrgPrefs}, manager); - } - } - if (needUpdate) { - // We changed the db - reload user in order to give consistent results. - // In principle this could be optimized, but this is simpler to maintain. - user = await userQuery.getOne(); - } - return user; - }); - return userByLogin; + return this._usersManager.getUserByLogin(email, options); } /** + * @see UsersManager.prototype.getExistingUserByLogin * Find a user by email. Don't create the user if it doesn't already exist. */ - public async getExistingUserByLogin( - email: string, - manager?: EntityManager - ): Promise { - const normalizedEmail = normalizeEmail(email); - return await (manager || this._connection).createQueryBuilder() - .select('user') - .from(User, 'user') - .leftJoinAndSelect('user.logins', 'logins') - .where('email = :email', {email: normalizedEmail}) - .getOne() || undefined; + public async getExistingUserByLogin(email: string, manager?: EntityManager): Promise { + return this._usersManager.getExistingUserByLogin(email, manager); } /** @@ -821,50 +520,16 @@ export class HomeDBManager extends EventEmitter { public async getOrgBillableMemberCount(org: string|number|Organization): Promise { return (await this._getOrgMembers(org)) .filter(u => !u.options?.isConsultant) // remove consultants. - .filter(u => !this.getExcludedUserIds().includes(u.id)) // remove support user and other + .filter(u => !this._usersManager.getExcludedUserIds().includes(u.id)) // remove support user and other .length; } /** - * Deletes a user from the database. For the moment, the only person with the right - * to delete a user is the user themselves. - * Users have logins, a personal org, and entries in the group_users table. All are - * removed together in a transaction. All material in the personal org will be lost. - * - * @param scope: request scope, including the id of the user initiating this action - * @param userIdToDelete: the id of the user to delete from the database - * @param name: optional cross-check, delete only if user name matches this + * @see UsersManager.prototype.deleteUser */ public async deleteUser(scope: Scope, userIdToDelete: number, name?: string): Promise> { - const userIdDeleting = scope.userId; - if (userIdDeleting !== userIdToDelete) { - throw new ApiError('not permitted to delete this user', 403); - } - await this._connection.transaction(async manager => { - const user = await manager.findOne(User, {where: {id: userIdToDelete}, - relations: ["logins", "personalOrg", "prefs"]}); - if (!user) { throw new ApiError('user not found', 404); } - if (name) { - if (user.name !== name) { - throw new ApiError(`user name did not match ('${name}' vs '${user.name}')`, 400); - } - } - if (user.personalOrg) { await this.deleteOrg(scope, user.personalOrg.id, manager); } - await manager.remove([...user.logins]); - // We don't have a GroupUser entity, and adding one tickles lots of TypeOrm quirkiness, - // so use a plain query to delete entries in the group_users table. - await manager.createQueryBuilder() - .delete() - .from('group_users') - .where('user_id = :userId', {userId: userIdToDelete}) - .execute(); - - await manager.delete(User, userIdToDelete); - }); - return { - status: 200 - }; + return this._usersManager.deleteUser(scope, userIdToDelete, name); } /** @@ -878,14 +543,14 @@ export class HomeDBManager extends EventEmitter { // Anonymous access to the merged org is a special case. We return an // empty organization, not backed by the database, and which can contain // nothing but the example documents always added to the merged org. - if (this.isMergedOrg(orgKey) && userId === this.getAnonymousUserId()) { + if (this.isMergedOrg(orgKey) && userId === this._usersManager.getAnonymousUserId()) { const anonOrg: OrgInfo = { id: 0, createdAt: new Date().toISOString(), updatedAt: new Date().toISOString(), domain: this.mergedOrgDomain(), name: 'Anonymous', - owner: this.makeFullUser(this.getAnonymousUser()), + owner: this.makeFullUser(this._usersManager.getAnonymousUser()), access: 'viewers', billingAccount: { id: 0, @@ -910,7 +575,7 @@ export class HomeDBManager extends EventEmitter { qb = this._addBillingAccount(qb, scope.userId); let effectiveUserId = scope.userId; if (scope.specialPermit && scope.specialPermit.org === orgKey) { - effectiveUserId = this.getPreviewerUserId(); + effectiveUserId = this._usersManager.getPreviewerUserId(); } qb = this._withAccess(qb, effectiveUserId, 'orgs'); qb = qb.leftJoinAndSelect('orgs.owner', 'owner'); @@ -954,7 +619,7 @@ export class HomeDBManager extends EventEmitter { includeOrgsAndManagers: boolean, transaction?: EntityManager): Promise { const org = this.unwrapQueryResult(await this.getOrg(scope, orgKey, transaction)); - if (!org.billingAccount.isManager && scope.userId !== this.getPreviewerUserId() && + if (!org.billingAccount.isManager && scope.userId !== this._usersManager.getPreviewerUserId() && // The special permit (used for the support user) allows access to the billing account. scope.specialPermit?.org !== orgKey) { throw new ApiError('User does not have access to billing account', 401); @@ -1017,7 +682,7 @@ export class HomeDBManager extends EventEmitter { const query = this._orgWorkspaces(scope, orgKey, options); // Allow an empty result for the merged org for the anonymous user. The anonymous user // has no home org or workspace. For all other sitations, expect at least one workspace. - const emptyAllowed = this.isMergedOrg(orgKey) && scope.userId === this.getAnonymousUserId(); + const emptyAllowed = this.isMergedOrg(orgKey) && scope.userId === this._usersManager.getAnonymousUserId(); const result = await this._verifyAclPermissions(query, { scope, emptyAllowed }); // Return the workspaces, not the org(s). if (result.status === 200) { @@ -1140,7 +805,6 @@ export class HomeDBManager extends EventEmitter { return options.find(option => option.access === role) || null; } - /** * Returns a SelectQueryBuilder which gives an array of orgs already filtered by * the given user' (or users') access. @@ -1153,7 +817,7 @@ export class HomeDBManager extends EventEmitter { options?: {ignoreEveryoneShares?: boolean}): Promise> { let queryBuilder = this._orgs() .leftJoinAndSelect('orgs.owner', 'users', 'orgs.owner_id = users.id'); - if (isSingleUser(users)) { + if (UsersManager.isSingleUser(users)) { // When querying with a single user in mind, we keep our api promise // of returning their personal org first in the list. queryBuilder = queryBuilder @@ -1166,7 +830,7 @@ export class HomeDBManager extends EventEmitter { queryBuilder = this._withAccess(queryBuilder, users, 'orgs'); // Add a direct, efficient filter to remove irrelevant personal orgs from consideration. queryBuilder = this._filterByOrgGroups(queryBuilder, users, domain, options); - if (this._isAnonymousUser(users) && !listPublicSites) { + if (this._usersManager.isAnonymousUser(users) && !listPublicSites) { // The anonymous user is a special case. It may have access to potentially // many orgs, but listing them all would be kind of a misfeature. but reporting // nothing would complicate the client. We compromise, and report at most @@ -1227,7 +891,7 @@ export class HomeDBManager extends EventEmitter { // TODO: look up the document properly, perhaps delegating // to the regular path through this method. workspace: this.unwrapQueryResult( - await this.getWorkspace({userId: this.getSupportUserId()}, + await this.getWorkspace({userId: this._usersManager.getSupportUserId()}, this._exampleWorkspaceId)), aliases: [], access: 'editors', // a share may have view/edit access, @@ -1242,7 +906,7 @@ export class HomeDBManager extends EventEmitter { // We imagine current user owning trunk if there is no embedded userId, or // the embedded userId matches the current user. const access = (forkUserId === undefined || forkUserId === userId) ? 'owners' : - (userId === this.getPreviewerUserId() ? 'viewers' : null); + (userId === this._usersManager.getPreviewerUserId() ? 'viewers' : null); if (!access) { throw new ApiError("access denied", 403); } doc = { name: 'Untitled', @@ -1252,7 +916,7 @@ export class HomeDBManager extends EventEmitter { isPinned: false, urlId: null, workspace: this.unwrapQueryResult( - await this.getWorkspace({userId: this.getSupportUserId()}, + await this.getWorkspace({userId: this._usersManager.getSupportUserId()}, this._exampleWorkspaceId)), aliases: [], access @@ -1265,7 +929,7 @@ export class HomeDBManager extends EventEmitter { // work. let qb = this._doc({...key, showAll: true}, {manager: transaction}) .leftJoinAndSelect('orgs.owner', 'org_users'); - if (userId !== this.getAnonymousUserId()) { + if (userId !== this._usersManager.getAnonymousUserId()) { qb = this._addForks(userId, qb); } qb = this._addIsSupportWorkspace(userId, qb, 'orgs', 'workspaces'); @@ -1324,7 +988,7 @@ export class HomeDBManager extends EventEmitter { public async getRawDocById(docId: string, transaction?: EntityManager) { return await this.getDoc({ urlId: docId, - userId: this.getPreviewerUserId(), + userId: this._usersManager.getPreviewerUserId(), showAll: true }, transaction); } @@ -1443,7 +1107,7 @@ export class HomeDBManager extends EventEmitter { // If we are support user, use team product // A bit fragile: this is called during creation of support@ user, before // getSupportUserId() is available, but with setUserAsOwner of true. - user.id === this.getSupportUserId() ? productNames.team : + user.id === this._usersManager.getSupportUserId() ? productNames.team : // Otherwise use teamInitial product (a stub). productNames.teamInitial; @@ -2171,7 +1835,7 @@ export class HomeDBManager extends EventEmitter { } // Get the ids of users to update. const billingAccountId = billingAccount.id; - const analysis = await this._verifyAndLookupDeltaEmails(userId, permissionDelta, true, transaction); + const analysis = await this._usersManager.verifyAndLookupDeltaEmails(userId, permissionDelta, true, transaction); this._failIfPowerfulAndChangingSelf(analysis); const {userIdDelta} = analysis; if (!userIdDelta) { throw new ApiError('No userIdDelta', 500); } @@ -2217,7 +1881,7 @@ export class HomeDBManager extends EventEmitter { const {userId} = scope; const notifications: Array<() => void> = []; const result = await this._connection.transaction(async manager => { - const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, true, manager); + const analysis = await this._usersManager.verifyAndLookupDeltaEmails(userId, delta, true, manager); const {userIdDelta} = analysis; let orgQuery = this.org(scope, orgKey, { manager, @@ -2239,7 +1903,7 @@ export class HomeDBManager extends EventEmitter { const org: Organization = queryResult.data; const groups = getNonGuestGroups(org); if (userIdDelta) { - const membersBefore = getUsersWithRole(groups, this.getExcludedUserIds()); + const membersBefore = UsersManager.getUsersWithRole(groups, this._usersManager.getExcludedUserIds()); const countBefore = removeRole(membersBefore).length; await this._updateUserPermissions(groups, userIdDelta, manager); this._checkUserChangeAllowed(userId, groups); @@ -2252,7 +1916,7 @@ export class HomeDBManager extends EventEmitter { } } // Emit an event if the number of org users is changing. - const membersAfter = getUsersWithRole(groups, this.getExcludedUserIds()); + const membersAfter = UsersManager.getUsersWithRole(groups, this._usersManager.getExcludedUserIds()); const countAfter = removeRole(membersAfter).length; notifications.push(this._userChangeNotification(userId, org, countBefore, countAfter, membersBefore, membersAfter)); @@ -2274,7 +1938,7 @@ export class HomeDBManager extends EventEmitter { const {userId} = scope; const notifications: Array<() => void> = []; const result = await this._connection.transaction(async manager => { - const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, false, manager); + const analysis = await this._usersManager.verifyAndLookupDeltaEmails(userId, delta, false, manager); let {userIdDelta} = analysis; let wsQuery = this._workspace(scope, wsId, { manager, @@ -2312,14 +1976,16 @@ export class HomeDBManager extends EventEmitter { userIdDelta[userId] = roles.OWNER; } } - const membersBefore = this._withoutExcludedUsers(new Map(groups.map(grp => [grp.name, grp.memberUsers]))); + const membersBefore = this._usersManager.withoutExcludedUsers( + new Map(groups.map(grp => [grp.name, grp.memberUsers])) + ); if (userIdDelta) { // To check limits on shares, we track group members before and after call // to _updateUserPermissions. Careful, that method mutates groups. - const nonOrgMembersBefore = this._getUserDifference(groups, orgGroups); + const nonOrgMembersBefore = this._usersManager.getUserDifference(groups, orgGroups); await this._updateUserPermissions(groups, userIdDelta, manager); this._checkUserChangeAllowed(userId, groups); - const nonOrgMembersAfter = this._getUserDifference(groups, orgGroups); + const nonOrgMembersAfter = this._usersManager.getUserDifference(groups, orgGroups); const features = ws.org.billingAccount.getFeatures(); const limit = features.maxSharesPerWorkspace; if (limit !== undefined) { @@ -2347,7 +2013,7 @@ export class HomeDBManager extends EventEmitter { const notifications: Array<() => void> = []; const result = await this._connection.transaction(async manager => { const {userId} = scope; - const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, false, manager); + const analysis = await this._usersManager.verifyAndLookupDeltaEmails(userId, delta, false, manager); let {userIdDelta} = analysis; const doc = await this._loadDocAccess(scope, analysis.permissionThreshold, manager); this._failIfPowerfulAndChangingSelf(analysis, {data: doc, status: 200}); @@ -2370,10 +2036,10 @@ export class HomeDBManager extends EventEmitter { // to _updateUserPermissions. Careful, that method mutates groups. const org = doc.workspace.org; const orgGroups = getNonGuestGroups(org); - const nonOrgMembersBefore = this._getUserDifference(groups, orgGroups); + const nonOrgMembersBefore = this._usersManager.getUserDifference(groups, orgGroups); await this._updateUserPermissions(groups, userIdDelta, manager); this._checkUserChangeAllowed(userId, groups); - const nonOrgMembersAfter = this._getUserDifference(groups, orgGroups); + const nonOrgMembersAfter = this._usersManager.getUserDifference(groups, orgGroups); const features = org.billingAccount.getFeatures(); this._restrictAllDocShares(features, nonOrgMembersBefore, nonOrgMembersAfter); } @@ -2399,7 +2065,7 @@ export class HomeDBManager extends EventEmitter { } const org: Organization = queryResult.data; const userRoleMap = getMemberUserRoles(org, this.defaultGroupNames); - const users = getResourceUsers(org).filter(u => userRoleMap[u.id]).map(u => { + const users = UsersManager.getResourceUsers(org).filter(u => userRoleMap[u.id]).map(u => { const access = userRoleMap[u.id]; return { ...this.makeFullUser(u), @@ -2456,7 +2122,7 @@ export class HomeDBManager extends EventEmitter { const orgMapWithMembership = getMemberUserRoles(org, this.defaultGroupNames); // Iterate through the org since all users will be in the org. - const users: UserAccessData[] = getResourceUsers([workspace, org]).map(u => { + const users: UserAccessData[] = UsersManager.getResourceUsers([workspace, org]).map(u => { const orgAccess = orgMapWithMembership[u.id] || null; return { ...this.makeFullUser(u), @@ -2516,7 +2182,7 @@ export class HomeDBManager extends EventEmitter { const orgMapWithMembership = getMemberUserRoles(doc.workspace.org, this.defaultGroupNames); const wsMaxInheritedRole = this._getMaxInheritedRole(doc.workspace); // Iterate through the org since all users will be in the org. - let users: UserAccessData[] = getResourceUsers([doc, doc.workspace, doc.workspace.org]).map(u => { + let users: UserAccessData[] = UsersManager.getResourceUsers([doc, doc.workspace, doc.workspace.org]).map(u => { // Merge the strongest roles from the resource and parent resources. Note that the parent // resource access levels must be tempered by the maxInheritedRole values of their children. const inheritFromOrg = roles.getWeakestRole(orgMap[u.id] || null, wsMaxInheritedRole); @@ -2529,7 +2195,7 @@ export class HomeDBManager extends EventEmitter { roles.getStrongestRole(wsMap[u.id] || null, inheritFromOrg) ), isMember: orgAccess && orgAccess !== 'guests', - isSupport: u.id === this.getSupportUserId() ? true : undefined, + isSupport: u.id === this._usersManager.getSupportUserId() ? true : undefined, }; }); let maxInheritedRole = this._getMaxInheritedRole(doc); @@ -2623,7 +2289,7 @@ export class HomeDBManager extends EventEmitter { } const workspace: Workspace = wsQueryResult.data; // Collect all first-level users of the doc being moved. - const firstLevelUsers = getResourceUsers(doc); + const firstLevelUsers = UsersManager.getResourceUsers(doc); const docGroups = doc.aclRules.map(rule => rule.group); if (doc.workspace.org.id !== workspace.org.id) { // Doc is going to a new org. Check that there is room for it there. @@ -2634,8 +2300,8 @@ export class HomeDBManager extends EventEmitter { const sourceOrgGroups = getNonGuestGroups(sourceOrg); const destOrg = workspace.org; const destOrgGroups = getNonGuestGroups(destOrg); - const nonOrgMembersBefore = this._getUserDifference(docGroups, sourceOrgGroups); - const nonOrgMembersAfter = this._getUserDifference(docGroups, destOrgGroups); + const nonOrgMembersBefore = this._usersManager.getUserDifference(docGroups, sourceOrgGroups); + const nonOrgMembersAfter = this._usersManager.getUserDifference(docGroups, destOrgGroups); const features = destOrg.billingAccount.getFeatures(); this._restrictAllDocShares(features, nonOrgMembersBefore, nonOrgMembersAfter, false); } @@ -2813,93 +2479,31 @@ export class HomeDBManager extends EventEmitter { .getOne() || undefined; } - /** - * Get the anonymous user, as a constructed object rather than a database lookup. - */ - public getAnonymousUser(): User { - const user = new User(); - user.id = this.getAnonymousUserId(); - user.name = "Anonymous"; - user.isFirstTimeUser = false; - const login = new Login(); - login.displayEmail = login.email = ANONYMOUS_USER_EMAIL; - user.logins = [login]; - user.ref = ''; - return user; + public getAnonymousUser() { + return this._usersManager.getAnonymousUser(); + } + + public getAnonymousUserId() { + return this._usersManager.getAnonymousUserId(); + } + + public getPreviewerUserId() { + return this._usersManager.getPreviewerUserId(); + } + + public getEveryoneUserId() { + return this._usersManager.getEveryoneUserId(); + } + + public getSupportUserId() { + return this._usersManager.getSupportUserId(); } /** - * - * Get the id of the anonymous user. - * + * @see UsersManager.prototype.completeProfiles */ - public getAnonymousUserId(): number { - const id = this._specialUserIds[ANONYMOUS_USER_EMAIL]; - if (!id) { throw new Error("Anonymous user not available"); } - return id; - } - - /** - * Get the id of the thumbnail user. - */ - public getPreviewerUserId(): number { - const id = this._specialUserIds[PREVIEWER_EMAIL]; - if (!id) { throw new Error("Previewer user not available"); } - return id; - } - - /** - * Get the id of the 'everyone' user. - */ - public getEveryoneUserId(): number { - const id = this._specialUserIds[EVERYONE_EMAIL]; - if (!id) { throw new Error("'everyone' user not available"); } - return id; - } - - /** - * Get the id of the 'support' user. - */ - public getSupportUserId(): number { - const id = this._specialUserIds[SUPPORT_EMAIL]; - if (!id) { throw new Error("'support' user not available"); } - return id; - } - - /** - * Get ids of users to be excluded from member counts and emails. - */ - public getExcludedUserIds(): number[] { - return [this.getSupportUserId(), this.getAnonymousUserId(), this.getEveryoneUserId()]; - } - - /** - * - * Take a list of user profiles coming from the client's session, correlate - * them with Users and Logins in the database, and construct full profiles - * with user ids, standardized display emails, pictures, and anonymous flags. - * - */ - public async completeProfiles(profiles: UserProfile[]): Promise { - if (profiles.length === 0) { return []; } - const qb = this._connection.createQueryBuilder() - .select('logins') - .from(Login, 'logins') - .leftJoinAndSelect('logins.user', 'user') - .where('logins.email in (:...emails)', {emails: profiles.map(profile => normalizeEmail(profile.email))}); - const completedProfiles: {[email: string]: FullUser} = {}; - for (const login of await qb.getMany()) { - completedProfiles[login.email] = { - id: login.user.id, - email: login.displayEmail, - name: login.user.name, - picture: login.user.picture, - anonymous: login.user.id === this.getAnonymousUserId(), - locale: login.user.options?.locale - }; - } - return profiles.map(profile => completedProfiles[normalizeEmail(profile.email)]) - .filter(profile => profile); + public async completeProfiles(profiles: UserProfile[]) { + return this._usersManager.completeProfiles(profiles); } /** @@ -3161,7 +2765,7 @@ export class HomeDBManager extends EventEmitter { } org = result.entities[0]; } - return getResourceUsers(org, this.defaultNonGuestGroupNames); + return UsersManager.getResourceUsers(org, this.defaultNonGuestGroupNames); } private async _getOrCreateLimit(accountId: number, limitType: LimitType, force: boolean): Promise { @@ -3198,7 +2802,6 @@ export class HomeDBManager extends EventEmitter { return result; } - private _org(scope: Scope|null, includeSupport: boolean, org: string|number|null, options: QueryOptions = {}): SelectQueryBuilder { let query = this._orgs(options.manager); @@ -3218,7 +2821,7 @@ export class HomeDBManager extends EventEmitter { // TODO If the specialPermit is used across the network, requests could refer to orgs in // different ways (number vs string), causing this comparison to fail. if (options.allowSpecialPermit && scope.specialPermit && scope.specialPermit.org === org) { - effectiveUserId = this.getPreviewerUserId(); + effectiveUserId = this._usersManager.getPreviewerUserId(); threshold = Permissions.VIEW; } // Compute whether we have access to the doc @@ -3238,7 +2841,7 @@ export class HomeDBManager extends EventEmitter { private _orgWorkspaces(scope: Scope, org: string|number|null, options: QueryOptions = {}): SelectQueryBuilder { const {userId} = scope; - const supportId = this._specialUserIds[SUPPORT_EMAIL]; + const supportId = this._usersManager.getSpecialUserId(SUPPORT_EMAIL); let query = this.org(scope, org, options) .leftJoinAndSelect('orgs.workspaces', 'workspaces') .leftJoinAndSelect('workspaces.docs', 'docs', this._onDoc(scope)) @@ -3257,7 +2860,7 @@ export class HomeDBManager extends EventEmitter { .addOrderBy('docs.created_at') .leftJoinAndSelect('orgs.owner', 'org_users'); - if (userId !== this.getAnonymousUserId()) { + if (userId !== this._usersManager.getAnonymousUserId()) { query = this._addForks(userId, query); } @@ -3268,7 +2871,7 @@ export class HomeDBManager extends EventEmitter { // Add a direct, efficient filter to remove irrelevant personal orgs from consideration. query = this._filterByOrgGroups(query, userId, null); // The anonymous user is a special case; include only examples from support user. - if (userId === this.getAnonymousUserId()) { + if (userId === this._usersManager.getAnonymousUserId()) { query = query.andWhere('orgs.owner_id = :supportId', { supportId }); } } @@ -3292,7 +2895,7 @@ export class HomeDBManager extends EventEmitter { .where('docs.urlId = :urlId', {urlId}); // Place restriction on active urlIds only. // Older urlIds are best-effort, and subject to // reuse (currently). - if (org.ownerId === this.getSupportUserId()) { + if (org.ownerId === this._usersManager.getSupportUserId()) { // This is the support user. Some of their documents end up as examples on team sites. // so urlIds need to be checked globally, which corresponds to placing no extra where // clause here. @@ -3349,7 +2952,10 @@ export class HomeDBManager extends EventEmitter { .andWhere('doc_users.id is not null'); const wsWithDocs = await wsWithDocsQuery.getOne(); await this._setGroupUsers(manager, wsGuestGroup.id, wsGuestGroup.memberUsers, - this._filterEveryone(getResourceUsers(wsWithDocs?.docs || []))); + this._usersManager.filterEveryone( + UsersManager.getResourceUsers(wsWithDocs?.docs || []) + ) + ); }); } @@ -3380,7 +2986,7 @@ export class HomeDBManager extends EventEmitter { } const orgGuestGroup = orgGroups[0]!; await this._setGroupUsers(manager, orgGuestGroup.id, orgGuestGroup.memberUsers, - this._filterEveryone(getResourceUsers(org.workspaces))); + this._usersManager.filterEveryone(UsersManager.getResourceUsers(org.workspaces))); }); } @@ -3414,25 +3020,6 @@ export class HomeDBManager extends EventEmitter { } } - /** - * Don't add everyone@ as a guest, unless also sharing with anon@. - * This means that material shared with everyone@ doesn't become - * listable/discoverable by default. - * - * This is a HACK to allow existing example doc setup to continue to - * work. It could be removed if we are willing to share the entire - * support org with users. E.g. move any material we don't want to - * share into a workspace that doesn't inherit ACLs. TODO: remove - * this hack, or enhance it up as a way to support discoverability / - * listing. It has the advantage of cloning well. - */ - private _filterEveryone(users: User[]): User[] { - const everyone = this.getEveryoneUserId(); - const anon = this.getAnonymousUserId(); - if (users.find(u => u.id === anon)) { return users; } - return users.filter(u => u.id !== everyone); - } - /** * Creates, initializes and saves a workspace in the given org with the given properties. * Product limits on number of workspaces allowed in org are not checked. @@ -3496,7 +3083,7 @@ export class HomeDBManager extends EventEmitter { * Adds any calculated fields related to billing accounts - currently just * products.paid. */ - private _addBillingAccountCalculatedFields(qb: SelectQueryBuilder) { + private _addBillingAccountCalculatedFields(qb: SelectQueryBuilder) { // We need to sum up whether the account is paid or not, so that UI can provide // a "billing" vs "upgrade" link. For the moment, we just check if there is // a subscription id. TODO: make sure this is correct in case of free plans. @@ -3507,16 +3094,16 @@ export class HomeDBManager extends EventEmitter { /** * Makes sure that product features for orgs are available in query result. */ - private _addFeatures(qb: SelectQueryBuilder, orgAlias: string = 'orgs') { + private _addFeatures(qb: SelectQueryBuilder, orgAlias: string = 'orgs') { qb = qb.leftJoinAndSelect(`${orgAlias}.billingAccount`, 'billing_accounts'); qb = qb.leftJoinAndSelect('billing_accounts.product', 'products'); // orgAlias.billingAccount.product.features should now be available return qb; } - private _addIsSupportWorkspace(users: AvailableUsers, qb: SelectQueryBuilder, + private _addIsSupportWorkspace(users: AvailableUsers, qb: SelectQueryBuilder, orgAlias: string, workspaceAlias: string) { - const supportId = this._specialUserIds[SUPPORT_EMAIL]; + const supportId = this._usersManager.getSpecialUserId(SUPPORT_EMAIL); // We'll be selecting a boolean and naming it as *_support. This matches the // SQL name `support` of a column in the Workspace entity whose javascript @@ -3525,7 +3112,7 @@ export class HomeDBManager extends EventEmitter { // If we happen to be the support user, don't treat our workspaces as anything // special, so we can work with them in the ordinary way. - if (isSingleUser(users) && users === supportId) { return qb.addSelect('false', alias); } + if (UsersManager.isSingleUser(users) && users === supportId) { return qb.addSelect('false', alias); } // Otherwise, treat workspaces owned by support as special. return qb.addSelect(`coalesce(${orgAlias}.owner_id = ${supportId}, false)`, alias); @@ -3534,7 +3121,7 @@ export class HomeDBManager extends EventEmitter { /** * Makes sure that doc forks are available in query result. */ - private _addForks(userId: number, qb: SelectQueryBuilder) { + private _addForks(userId: number, qb: SelectQueryBuilder) { return qb.leftJoin('docs.forks', 'forks', 'forks.created_by = :forkUserId') .setParameter('forkUserId', userId) .addSelect([ @@ -3546,24 +3133,6 @@ export class HomeDBManager extends EventEmitter { ]); } - /** - * - * Get the id of a special user, creating that user if it is not already present. - * - */ - private async _getSpecialUserId(profile: UserProfile) { - let id = this._specialUserIds[profile.email]; - if (!id) { - // get or create user - with retry, since there'll be a race to create the - // user if a bunch of servers start simultaneously and the user doesn't exist - // yet. - const user = await this.getUserByLoginWithRetry(profile.email, {profile}); - if (user) { id = this._specialUserIds[profile.email] = user.id; } - } - if (!id) { throw new Error(`Could not find or create user ${profile.email}`); } - return id; - } - /** * Modify an access level when the document is a fork. Here are the rules, as they * have evolved (the main constraint is that currently forks have no access info of @@ -3578,7 +3147,7 @@ export class HomeDBManager extends EventEmitter { ids: {userId: number, forkUserId?: number}, res: {access: roles.Role|null}) { if (doc.type === 'tutorial') { - if (ids.userId === this.getPreviewerUserId()) { + if (ids.userId === this._usersManager.getPreviewerUserId()) { res.access = 'viewers'; } else if (ids.forkUserId && ids.forkUserId === ids.userId) { res.access = 'owners'; @@ -3599,99 +3168,6 @@ export class HomeDBManager extends EventEmitter { } } } - - // This deals with the problem posed by receiving a PermissionDelta specifying a - // role for both alice@x and Alice@x. We do not distinguish between such emails. - // If there are multiple indistinguishabe emails, we preserve just one of them, - // assigning it the most powerful permission specified. The email variant perserved - // is the earliest alphabetically. - private _mergeIndistinguishableEmails(delta: PermissionDelta) { - if (!delta.users) { return; } - // We normalize emails for comparison, but track how they were capitalized - // in order to preserve it. This is worth doing since for the common case - // of a user being added to a resource prior to ever logging in, their - // displayEmail will be seeded from this value. - const displayEmails: {[email: string]: string} = {}; - // This will be our output. - const users: {[email: string]: roles.NonGuestRole|null} = {}; - for (const displayEmail of Object.keys(delta.users).sort()) { - const email = normalizeEmail(displayEmail); - const role = delta.users[displayEmail]; - const key = displayEmails[email] = displayEmails[email] || displayEmail; - users[key] = users[key] ? roles.getStrongestRole(users[key], role) : role; - } - delta.users = users; - } - - // Looks up the emails in the permission delta and adds them to the users map in - // the delta object. - // Returns a QueryResult based on the validity of the passed in PermissionDelta object. - private async _verifyAndLookupDeltaEmails( - userId: number, - delta: PermissionDelta, - isOrg: boolean = false, - transaction?: EntityManager - ): Promise { - if (!delta) { - throw new ApiError('Bad request: missing permission delta', 400); - } - this._mergeIndistinguishableEmails(delta); - const hasInherit = 'maxInheritedRole' in delta; - const hasUsers = delta.users; // allow zero actual changes; useful to reduce special - // cases in scripts - if ((isOrg && (hasInherit || !hasUsers)) || (!isOrg && !hasInherit && !hasUsers)) { - throw new ApiError('Bad request: invalid permission delta', 400); - } - // Lookup the email access changes and move them to the users object. - const userIdMap: {[userId: string]: roles.NonGuestRole|null} = {}; - if (hasInherit) { - // Verify maxInheritedRole - const role = delta.maxInheritedRole; - const validRoles = new Set(this.defaultBasicGroupNames); - if (role && !validRoles.has(role)) { - throw new ApiError(`Invalid maxInheritedRole ${role}`, 400); - } - } - if (delta.users) { - // Verify roles - const deltaRoles = Object.keys(delta.users).map(_userId => delta.users![_userId]); - // Cannot set role "members" on workspace/doc. - const validRoles = new Set(isOrg ? this.defaultNonGuestGroupNames : this.defaultBasicGroupNames); - for (const role of deltaRoles) { - if (role && !validRoles.has(role)) { - throw new ApiError(`Invalid user role ${role}`, 400); - } - } - // Lookup emails - const emailMap = delta.users; - const emails = Object.keys(emailMap); - const emailUsers = await Promise.all( - emails.map(async email => await this.getUserByLogin(email, {manager: transaction})) - ); - emails.forEach((email, i) => { - const userIdAffected = emailUsers[i]!.id; - // Org-level sharing with everyone would allow serious spamming - forbid it. - if (emailMap[email] !== null && // allow removing anything - userId !== this.getSupportUserId() && // allow support user latitude - userIdAffected === this.getEveryoneUserId() && - isOrg) { - throw new ApiError('This user cannot share with everyone at top level', 403); - } - userIdMap[userIdAffected] = emailMap[email]; - }); - } - const userIdDelta = delta.users ? userIdMap : null; - const userIds = Object.keys(userIdDelta || {}); - const removingSelf = userIds.length === 1 && userIds[0] === String(userId) && - delta.maxInheritedRole === undefined && userIdDelta?.[userId] === null; - const permissionThreshold = removingSelf ? Permissions.VIEW : Permissions.ACL_EDIT; - return { - userIdDelta, - permissionThreshold, - affectsSelf: userId in userIdMap, - }; - } - /** * A helper to throw an error if a user with ACL_EDIT permission attempts * to change their own access rights. The user permissions are expected to @@ -3726,7 +3202,7 @@ export class HomeDBManager extends EventEmitter { // Get the user objects which map to non-null values in the userDelta. const userIds = Object.keys(userDelta).filter(userId => userDelta[userId]) .map(userIdStr => parseInt(userIdStr, 10)); - const users = await this._getUsers(userIds, manager); + const users = await this._usersManager.getUsers(userIds, manager); // Add unaffected users to the delta so that we have a record of where they are. groups.forEach(grp => { @@ -3771,21 +3247,6 @@ export class HomeDBManager extends EventEmitter { return this._connection.transaction(op); } - /** - * Returns a Promise for an array of User entites for the given userIds. - */ - private async _getUsers(userIds: number[], optManager?: EntityManager): Promise { - if (userIds.length === 0) { - return []; - } - const manager = optManager || new EntityManager(this._connection); - const queryBuilder = manager.createQueryBuilder() - .select('users') - .from(User, 'users') - .where('users.id IN (:...userIds)', {userIds}); - return await queryBuilder.getMany(); - } - /** * Aggregate the given columns as a json object. The keys should be simple * alphanumeric strings, and the values should be the names of sql columns - @@ -3848,7 +3309,7 @@ export class HomeDBManager extends EventEmitter { let threshold = options.markPermissions; if (options.allowSpecialPermit && scope.specialPermit && scope.specialPermit.docId) { query = query.andWhere('docs.id = :docId', {docId: scope.specialPermit.docId}); - effectiveUserId = this.getPreviewerUserId(); + effectiveUserId = this._usersManager.getPreviewerUserId(); threshold = Permissions.VIEW; } // Compute whether we have access to the doc @@ -3882,7 +3343,7 @@ export class HomeDBManager extends EventEmitter { } else { query = query .setParameter('forkUserId', scope.userId) - .setParameter('forkAnonId', this.getAnonymousUserId()) + .setParameter('forkAnonId', this._usersManager.getAnonymousUserId()) .addSelect( // Access to forks is currently limited to the users that created them, with // the exception of anonymous users, who have no access to their forks. @@ -3935,7 +3396,7 @@ export class HomeDBManager extends EventEmitter { let threshold = options.markPermissions; if (options.allowSpecialPermit && scope.specialPermit && scope.specialPermit.workspaceId === wsId) { - effectiveUserId = this.getPreviewerUserId(); + effectiveUserId = this._usersManager.getPreviewerUserId(); threshold = Permissions.VIEW; } // Compute whether we have access to the ws @@ -3968,7 +3429,7 @@ export class HomeDBManager extends EventEmitter { // Always include the org of the support@ user, which contains the Samples workspace, // which we always show. (For isMergedOrg case, it's already included.) if (includeSupport) { - const supportId = this._specialUserIds[SUPPORT_EMAIL]; + const supportId = this._usersManager.getSpecialUserId(SUPPORT_EMAIL); return qb.andWhere(new Brackets((q) => this._wherePlainOrg(q, org).orWhere('orgs.owner_id = :supportId', {supportId}))); } else { @@ -4022,11 +3483,11 @@ export class HomeDBManager extends EventEmitter { .leftJoin('orgs.aclRules', 'acl_rules') .leftJoin('acl_rules.group', 'groups') .leftJoin('groups.memberUsers', 'members'); - if (isSingleUser(users)) { + if (UsersManager.isSingleUser(users)) { // Add an exception for the previewer user, if present. - const previewerId = this._specialUserIds[PREVIEWER_EMAIL]; + const previewerId = this._usersManager.getSpecialUserId(PREVIEWER_EMAIL); if (users === previewerId) { return qb; } - const everyoneId = this._specialUserIds[EVERYONE_EMAIL]; + const everyoneId = this._usersManager.getSpecialUserId(EVERYONE_EMAIL); if (options?.ignoreEveryoneShares) { return qb.where('members.id = :userId', {userId: users}); } @@ -4281,7 +3742,7 @@ export class HomeDBManager extends EventEmitter { throw new ApiError('Cannot find unique login for user', 500); } value.email = logins[0].displayEmail; - value.anonymous = (logins[0].userId === this.getAnonymousUserId()); + value.anonymous = (logins[0].userId === this._usersManager.getAnonymousUserId()); continue; } if (key === 'managers') { @@ -4395,8 +3856,8 @@ export class HomeDBManager extends EventEmitter { if (permissions !== null) { q = q.select('acl_rules.permissions'); } else { - const everyoneId = this._specialUserIds[EVERYONE_EMAIL]; - const anonId = this._specialUserIds[ANONYMOUS_USER_EMAIL]; + const everyoneId = this._usersManager.getSpecialUserId(EVERYONE_EMAIL); + const anonId = this._usersManager.getSpecialUserId(ANONYMOUS_USER_EMAIL); // Overall permissions are the bitwise-or of all individual // permissions from ACL rules. We also include // Permissions.PUBLIC if any of the ACL rules are for the @@ -4448,7 +3909,7 @@ export class HomeDBManager extends EventEmitter { q = q.andWhere(`acl_rules.${idColumn} = ${resType}.id`); if (permissions !== null) { q = q.andWhere(`(acl_rules.permissions & ${permissions}) = ${permissions}`).limit(1); - } else if (!isSingleUser(users)) { + } else if (!UsersManager.isSingleUser(users)) { q = q.addSelect('profiles.id'); q = q.addSelect('profiles.display_email'); q = q.addSelect('profiles.name'); @@ -4460,7 +3921,7 @@ export class HomeDBManager extends EventEmitter { } return q; }; - if (isSingleUser(users)) { + if (UsersManager.isSingleUser(users)) { return getBasicPermissions(qb.subQuery()); } else { return qb.subQuery() @@ -4490,7 +3951,7 @@ export class HomeDBManager extends EventEmitter { qb = qb // filter for the specified user being a direct or indirect member of the acl_rule's group .where(new Brackets(cond => { - if (isSingleUser(users)) { + if (UsersManager.isSingleUser(users)) { // Users is an integer, so ok to insert into sql. It we // didn't, we'd need to use distinct parameter names, since // we may include this code with different user ids in the @@ -4500,7 +3961,7 @@ export class HomeDBManager extends EventEmitter { cond = cond.orWhere(`gu2.user_id = ${users}`); cond = cond.orWhere(`gu3.user_id = ${users}`); // Support the special "everyone" user. - const everyoneId = this._specialUserIds[EVERYONE_EMAIL]; + const everyoneId = this._usersManager.getSpecialUserId(EVERYONE_EMAIL); if (everyoneId === undefined) { throw new Error("Special user id for EVERYONE_EMAIL not found"); } @@ -4511,7 +3972,7 @@ export class HomeDBManager extends EventEmitter { if (accessStyle === 'list') { // Support also the special anonymous user. Currently, by convention, sharing a // resource with anonymous should make it listable. - const anonId = this._specialUserIds[ANONYMOUS_USER_EMAIL]; + const anonId = this._usersManager.getSpecialUserId(ANONYMOUS_USER_EMAIL); if (anonId === undefined) { throw new Error("Special user id for ANONYMOUS_USER_EMAIL not found"); } @@ -4521,7 +3982,7 @@ export class HomeDBManager extends EventEmitter { cond = cond.orWhere(`gu3.user_id = ${anonId}`); } // Add an exception for the previewer user, if present. - const previewerId = this._specialUserIds[PREVIEWER_EMAIL]; + const previewerId = this._usersManager.getSpecialUserId(PREVIEWER_EMAIL); if (users === previewerId) { // All acl_rules granting view access are available to previewer user. cond = cond.orWhere('acl_rules.permissions = :permission', @@ -4535,7 +3996,7 @@ export class HomeDBManager extends EventEmitter { } return cond; })); - if (!isSingleUser(users)) { + if (!UsersManager.isSingleUser(users)) { // We need to join against a list of users. const emails = new Set(users.map(profile => normalizeEmail(profile.email))); if (emails.size > 0) { @@ -4569,7 +4030,7 @@ export class HomeDBManager extends EventEmitter { // Apply limits to the query. Results should be limited to a specific org // if request is from a branded webpage; results should be limited to a // specific user or set of users. - private _applyLimit(qb: SelectQueryBuilder, limit: Scope, + private _applyLimit(qb: SelectQueryBuilder, limit: Scope, resources: Array<'docs'|'workspaces'|'orgs'>, accessStyle: AccessStyle): SelectQueryBuilder { if (limit.org) { @@ -4681,7 +4142,7 @@ export class HomeDBManager extends EventEmitter { if (features.maxDocsPerOrg !== undefined) { // we need to count how many docs are in the current org, and if we // are already at or above the limit, then fail. - const wss = this.unwrapQueryResult(await this.getOrgWorkspaces({userId: this.getPreviewerUserId()}, + const wss = this.unwrapQueryResult(await this.getOrgWorkspaces({userId: this._usersManager.getPreviewerUserId()}, workspace.org.id, {manager})); const count = wss.map(ws => ws.docs.length).reduce((a, b) => a + b, 0); @@ -4701,11 +4162,7 @@ export class HomeDBManager extends EventEmitter { // For the moment only the support user can add both everyone@ and anon@ to a // resource, since that allows spam. TODO: enhance or remove. private _checkUserChangeAllowed(userId: number, groups: Group[]) { - if (userId === this.getSupportUserId()) { return; } - const ids = new Set(flatten(groups.map(g => g.memberUsers)).map(u => u.id)); - if (ids.has(this.getEveryoneUserId()) && ids.has(this.getAnonymousUserId())) { - throw new Error('this user cannot share with everyone and anonymous'); - } + return this._usersManager.checkUserChangeAllowed(userId, groups); } // Fetch a Document with all access information loaded. Make sure the user has the @@ -4781,30 +4238,6 @@ export class HomeDBManager extends EventEmitter { return () => this.emit('addUser', userId, resource, userIdDelta, membersBefore); } - // Given two arrays of groups, returns a map of users present in the first array but - // not the second, where the map is broken down by user role. - // This method is used for checking limits on shares. - // Excluded users are removed from the results. - private _getUserDifference(groupsA: Group[], groupsB: Group[]): Map { - const subtractSet: Set = - new Set(flatten(groupsB.map(grp => grp.memberUsers)).map(usr => usr.id)); - const result = new Map(); - for (const group of groupsA) { - const name = group.name; - if (!roles.isNonGuestRole(name)) { continue; } - result.set(name, group.memberUsers.filter(user => !subtractSet.has(user.id))); - } - return this._withoutExcludedUsers(result); - } - - private _withoutExcludedUsers(members: Map): Map { - const excludedUsers = this.getExcludedUserIds(); - for (const [role, users] of members.entries()) { - members.set(role, users.filter((user) => !excludedUsers.includes(user.id))); - } - return members; - } - private _billingManagerNotification(userId: number, addUserId: number, orgs: Organization[]) { return () => { this.emit('addBillingManager', userId, addUserId, orgs); @@ -4817,17 +4250,6 @@ export class HomeDBManager extends EventEmitter { }; } - /** - * Check for anonymous user, either encoded directly as an id, or as a singular - * profile (this case arises during processing of the session/access/all endpoint - * whether we are checking for available orgs without committing yet to a particular - * choice of user). - */ - private _isAnonymousUser(users: AvailableUsers): boolean { - return isSingleUser(users) ? users === this.getAnonymousUserId() : - users.length === 1 && normalizeEmail(users[0].email) === ANONYMOUS_USER_EMAIL; - } - // Set Workspace.removedAt to null (undeletion) or to a datetime (soft deletion) private _setWorkspaceRemovedAt(scope: Scope, wsId: number, removedAt: Date|null) { return this._connection.transaction(async manager => { @@ -4869,12 +4291,12 @@ export class HomeDBManager extends EventEmitter { maxInheritedRole: roles.BasicRole|null, docId?: string ): {personal: true, public: boolean}|undefined { - if (scope.userId === this.getPreviewerUserId()) { return; } + if (scope.userId === this._usersManager.getPreviewerUserId()) { return; } // If we have special access to the resource, don't filter user information. if (scope.specialPermit?.docId === docId && docId) { return; } - const thisUser = this.getAnonymousUserId() === scope.userId + const thisUser = this._usersManager.getAnonymousUserId() === scope.userId ? null : users.find(user => user.id === scope.userId); const realAccess = thisUser ? getRealAccess(thisUser, { maxInheritedRole, users }) : null; @@ -4964,24 +4386,6 @@ async function verifyEntity( }; } -// Returns all first-level memberUsers in the resources. Requires all resources' aclRules, groups -// and memberUsers to be populated. -// If optRoles is provided, only checks membership in resource groups with the given roles. -function getResourceUsers(res: Resource|Resource[], optRoles?: string[]): User[] { - res = Array.isArray(res) ? res : [res]; - const users: {[uid: string]: User} = {}; - let resAcls: AclRule[] = flatten(res.map(_res => _res.aclRules as AclRule[])); - if (optRoles) { - resAcls = resAcls.filter(_acl => optRoles.includes(_acl.group.name)); - } - resAcls.forEach((aclRule: AclRule) => { - aclRule.group.memberUsers.forEach((u: User) => users[u.id] = u); - }); - const userList = Object.keys(users).map(uid => users[uid]); - userList.sort((a, b) => a.id - b.id); - return userList; -} - // Returns a map of userIds to the user's strongest default role on the given resource. // The resource's aclRules, groups, and memberUsers must be populated. function getMemberUserRoles(res: Resource, allowRoles: T[]): {[userId: string]: T} { @@ -5014,24 +4418,6 @@ export function removeRole(usersWithRoles: Map) { return flatten([...usersWithRoles.values()]); } -function getNonGuestGroups(entity: Organization|Workspace|Document): NonGuestGroup[] { - return (entity.aclRules as AclRule[]).map(aclRule => aclRule.group).filter(isNonGuestGroup); -} - -// Returns a map of users indexed by their roles. Optionally excludes users whose ids are in -// excludeUsers. -function getUsersWithRole(groups: NonGuestGroup[], excludeUsers?: number[]): Map { - const members = new Map(); - for (const group of groups) { - let users = group.memberUsers; - if (excludeUsers) { - users = users.filter((user) => !excludeUsers.includes(user.id)); - } - members.set(group.name, users); - } - return members; -} - export async function makeDocAuthResult(docPromise: Promise): Promise { try { const doc = await docPromise; @@ -5051,3 +4437,12 @@ export function getDocAuthKeyFromScope(scope: Scope): DocAuthKey { if (!urlId) { throw new Error('document required'); } return {urlId, userId, org}; } + +// Returns whether the given group is a valid non-guest group. +function isNonGuestGroup(group: Group): group is NonGuestGroup { + return roles.isNonGuestRole(group.name); +} + +function getNonGuestGroups(entity: Organization|Workspace|Document): NonGuestGroup[] { + return (entity.aclRules as AclRule[]).map(aclRule => aclRule.group).filter(isNonGuestGroup); +} diff --git a/app/gen-server/lib/homedb/Interfaces.ts b/app/gen-server/lib/homedb/Interfaces.ts new file mode 100644 index 00000000..0802d96a --- /dev/null +++ b/app/gen-server/lib/homedb/Interfaces.ts @@ -0,0 +1,40 @@ +import { UserProfile } from "app/common/LoginSessionAPI"; +import { UserOptions } from "app/common/UserAPI"; +import * as roles from 'app/common/roles'; +import { Document } from "app/gen-server/entity/Document"; +import { Group } from "app/gen-server/entity/Group"; +import { Organization } from "app/gen-server/entity/Organization"; +import { Workspace } from "app/gen-server/entity/Workspace"; + +import { EntityManager } from "typeorm"; + +export interface QueryResult { + status: number; + data?: T; + errMessage?: string; +} + +export interface GetUserOptions { + manager?: EntityManager; + profile?: UserProfile; + userOptions?: UserOptions; +} + +export interface UserProfileChange { + name?: string; + isFirstTimeUser?: boolean; +} + +// A specification of the users available during a request. This can be a single +// user, identified by a user id, or a collection of profiles (typically drawn from +// the session). +export type AvailableUsers = number | UserProfile[]; + +export type NonGuestGroup = Group & { name: roles.NonGuestRole }; + +export type Resource = Organization|Workspace|Document; + +export type RunInTransaction = ( + transaction: EntityManager|undefined, + op: ((manager: EntityManager) => Promise) +) => Promise; diff --git a/app/gen-server/lib/homedb/UsersManager.ts b/app/gen-server/lib/homedb/UsersManager.ts new file mode 100644 index 00000000..8c0a5dca --- /dev/null +++ b/app/gen-server/lib/homedb/UsersManager.ts @@ -0,0 +1,755 @@ +import { ApiError } from 'app/common/ApiError'; +import { normalizeEmail } from 'app/common/emails'; +import { PERSONAL_FREE_PLAN } from 'app/common/Features'; +import { UserOrgPrefs } from 'app/common/Prefs'; +import * as roles from 'app/common/roles'; +import { + ANONYMOUS_USER_EMAIL, + EVERYONE_EMAIL, + FullUser, + PermissionDelta, + PREVIEWER_EMAIL, + UserOptions, + UserProfile +} from 'app/common/UserAPI'; +import { AclRule } from 'app/gen-server/entity/AclRule'; +import { Group } from 'app/gen-server/entity/Group'; +import { Login } from 'app/gen-server/entity/Login'; +import { User } from 'app/gen-server/entity/User'; +import { appSettings } from 'app/server/lib/AppSettings'; +import { HomeDBManager, PermissionDeltaAnalysis, Scope } from 'app/gen-server/lib/HomeDBManager'; +import { + AvailableUsers, GetUserOptions, NonGuestGroup, QueryResult, Resource, RunInTransaction, UserProfileChange +} from 'app/gen-server/lib/homedb/Interfaces'; +import { Permissions } from 'app/gen-server/lib/Permissions'; +import { Pref } from 'app/gen-server/entity/Pref'; + +import flatten from 'lodash/flatten'; +import { EntityManager } from 'typeorm'; + +// A special user allowed to add/remove the EVERYONE_EMAIL to/from a resource. +export const SUPPORT_EMAIL = appSettings.section('access').flag('supportEmail').requireString({ + envVar: 'GRIST_SUPPORT_EMAIL', + defaultValue: 'support@getgrist.com', +}); + +// A list of emails we don't expect to see logins for. +const NON_LOGIN_EMAILS = [PREVIEWER_EMAIL, EVERYONE_EMAIL, ANONYMOUS_USER_EMAIL]; + +/** + * Class responsible for Users Management. + * + * It's only meant to be used by HomeDBManager. If you want to use one of its (instance or static) methods, + * please make an indirection which passes through HomeDBManager. + */ +export class UsersManager { + public static isSingleUser(users: AvailableUsers): users is number { + return typeof users === 'number'; + } + + // Returns all first-level memberUsers in the resources. Requires all resources' aclRules, groups + // and memberUsers to be populated. + // If optRoles is provided, only checks membership in resource groups with the given roles. + public static getResourceUsers(res: Resource|Resource[], optRoles?: string[]): User[] { + res = Array.isArray(res) ? res : [res]; + const users: {[uid: string]: User} = {}; + let resAcls: AclRule[] = flatten(res.map(_res => _res.aclRules as AclRule[])); + if (optRoles) { + resAcls = resAcls.filter(_acl => optRoles.includes(_acl.group.name)); + } + resAcls.forEach((aclRule: AclRule) => { + aclRule.group.memberUsers.forEach((u: User) => users[u.id] = u); + }); + const userList = Object.keys(users).map(uid => users[uid]); + userList.sort((a, b) => a.id - b.id); + return userList; + } + + // Returns a map of users indexed by their roles. Optionally excludes users whose ids are in + // excludeUsers. + public static getUsersWithRole(groups: NonGuestGroup[], excludeUsers?: number[]): Map { + const members = new Map(); + for (const group of groups) { + let users = group.memberUsers; + if (excludeUsers) { + users = users.filter((user) => !excludeUsers.includes(user.id)); + } + members.set(group.name, users); + } + return members; + } + + private _specialUserIds: {[name: string]: number} = {}; // id for anonymous user, previewer, etc + + private get _connection () { + return this._homeDb.connection; + } + + public constructor( + private readonly _homeDb: HomeDBManager, + private _runInTransaction: RunInTransaction + ) {} + + /** + * Clear all user preferences associated with the given email addresses. + * For use in tests. + */ + public async testClearUserPrefs(emails: string[]) { + return await this._connection.transaction(async manager => { + for (const email of emails) { + const user = await this.getUserByLogin(email, {manager}); + if (user) { + await manager.delete(Pref, {userId: user.id}); + } + } + }); + } + + public getSpecialUserId(key: string) { + return this._specialUserIds[key]; + } + + /** + * + * Get the id of the anonymous user. + * + */ + public getAnonymousUserId(): number { + const id = this._specialUserIds[ANONYMOUS_USER_EMAIL]; + if (!id) { throw new Error("Anonymous user not available"); } + return id; + } + + /** + * Get the id of the thumbnail user. + */ + public getPreviewerUserId(): number { + const id = this._specialUserIds[PREVIEWER_EMAIL]; + if (!id) { throw new Error("Previewer user not available"); } + return id; + } + + /** + * Get the id of the 'everyone' user. + */ + public getEveryoneUserId(): number { + const id = this._specialUserIds[EVERYONE_EMAIL]; + if (!id) { throw new Error("'everyone' user not available"); } + return id; + } + + /** + * Get the id of the 'support' user. + */ + public getSupportUserId(): number { + const id = this._specialUserIds[SUPPORT_EMAIL]; + if (!id) { throw new Error("'support' user not available"); } + return id; + } + + public async getUserByKey(apiKey: string): Promise { + // Include logins relation for Authorization convenience. + return await User.findOne({where: {apiKey}, relations: ["logins"]}) || undefined; + } + + public async getUserByRef(ref: string): Promise { + return await User.findOne({where: {ref}, relations: ["logins"]}) || undefined; + } + + public async getUser( + userId: number, + options: {includePrefs?: boolean} = {} + ): Promise { + const {includePrefs} = options; + const relations = ["logins"]; + if (includePrefs) { relations.push("prefs"); } + return await User.findOne({where: {id: userId}, relations}) || undefined; + } + + public async getFullUser(userId: number): Promise { + const user = await User.findOne({where: {id: userId}, relations: ["logins"]}); + if (!user) { throw new ApiError("unable to find user", 400); } + return this.makeFullUser(user); + } + + /** + * Convert a user record into the format specified in api. + */ + public makeFullUser(user: User): FullUser { + if (!user.logins?.[0]?.displayEmail) { + throw new ApiError("unable to find mandatory user email", 400); + } + const displayEmail = user.logins[0].displayEmail; + const loginEmail = user.loginEmail; + const result: FullUser = { + id: user.id, + email: displayEmail, + // Only include loginEmail when it's different, to avoid overhead when FullUser is sent + // around, and also to avoid updating too many tests. + loginEmail: loginEmail !== displayEmail ? loginEmail : undefined, + name: user.name, + picture: user.picture, + ref: user.ref, + locale: user.options?.locale, + prefs: user.prefs?.find((p)=> p.orgId === null)?.prefs, + }; + if (this.getAnonymousUserId() === user.id) { + result.anonymous = true; + } + if (this.getSupportUserId() === user.id) { + result.isSupport = true; + } + return result; + } + + /** + * Ensures that user with external id exists and updates its profile and email if necessary. + * + * @param profile External profile + */ + public async ensureExternalUser(profile: UserProfile) { + await this._connection.transaction(async manager => { + // First find user by the connectId from the profile + const existing = await manager.findOne(User, { + where: {connectId: profile.connectId || undefined}, + relations: ["logins"], + }); + + // If a user does not exist, create it with data from the external profile. + if (!existing) { + const newUser = await this.getUserByLoginWithRetry(profile.email, { + profile, + manager + }); + if (!newUser) { + throw new ApiError("Unable to create user", 500); + } + // No need to survey this user. + newUser.isFirstTimeUser = false; + await newUser.save(); + } else { + // Else update profile and login information from external profile. + let updated = false; + let login: Login = existing.logins[0]!; + const properEmail = normalizeEmail(profile.email); + + if (properEmail !== existing.loginEmail) { + login = login ?? new Login(); + login.email = properEmail; + login.displayEmail = profile.email; + existing.logins.splice(0, 1, login); + login.user = existing; + updated = true; + } + + if (profile?.name && profile?.name !== existing.name) { + existing.name = profile.name; + updated = true; + } + + if (profile?.picture && profile?.picture !== existing.picture) { + existing.picture = profile.picture; + updated = true; + } + + if (updated) { + await manager.save([existing, login]); + } + } + }); + } + + public async updateUser(userId: number, props: UserProfileChange) { + let isWelcomed: boolean = false; + let user: User|null = null; + await this._connection.transaction(async manager => { + user = await manager.findOne(User, {relations: ['logins'], + where: {id: userId}}); + let needsSave = false; + if (!user) { throw new ApiError("unable to find user", 400); } + if (props.name && props.name !== user.name) { + user.name = props.name; + needsSave = true; + } + if (props.isFirstTimeUser !== undefined && props.isFirstTimeUser !== user.isFirstTimeUser) { + user.isFirstTimeUser = props.isFirstTimeUser; + needsSave = true; + // If we are turning off the isFirstTimeUser flag, then right + // after this transaction commits is a great time to trigger + // any automation for first logins + if (!props.isFirstTimeUser) { isWelcomed = true; } + } + if (needsSave) { + await user.save(); + } + }); + return { user, isWelcomed }; + } + + public async updateUserName(userId: number, name: string) { + const user = await User.findOne({where: {id: userId}}); + if (!user) { throw new ApiError("unable to find user", 400); } + user.name = name; + await user.save(); + } + + public async updateUserOptions(userId: number, props: Partial) { + const user = await User.findOne({where: {id: userId}}); + if (!user) { throw new ApiError("unable to find user", 400); } + + const newOptions = {...(user.options ?? {}), ...props}; + user.options = newOptions; + await user.save(); + } + + /** + * Get the anonymous user, as a constructed object rather than a database lookup. + */ + public getAnonymousUser(): User { + const user = new User(); + user.id = this.getAnonymousUserId(); + user.name = "Anonymous"; + user.isFirstTimeUser = false; + const login = new Login(); + login.displayEmail = login.email = ANONYMOUS_USER_EMAIL; + user.logins = [login]; + user.ref = ''; + return user; + } + + // Fetch user from login, creating the user if previously unseen, allowing one retry + // for an email key conflict failure. This is in case our transaction conflicts with a peer + // doing the same thing. This is quite likely if the first page visited by a previously + // unseen user fires off multiple api calls. + public async getUserByLoginWithRetry(email: string, options: GetUserOptions = {}): Promise { + try { + return await this.getUserByLogin(email, options); + } catch (e) { + if (e.name === 'QueryFailedError' && e.detail && + e.detail.match(/Key \(email\)=[^ ]+ already exists/)) { + // This is a postgres-specific error message. This problem cannot arise in sqlite, + // because we have to serialize sqlite transactions in any case to get around a typeorm + // limitation. + return await this.getUserByLogin(email, options); + } + throw e; + } + } + + /** + * Find a user by email. Don't create the user if it doesn't already exist. + */ + public async getExistingUserByLogin( + email: string, + manager?: EntityManager + ): Promise { + const normalizedEmail = normalizeEmail(email); + return await (manager || this._connection).createQueryBuilder() + .select('user') + .from(User, 'user') + .leftJoinAndSelect('user.logins', 'logins') + .where('email = :email', {email: normalizedEmail}) + .getOne() || undefined; + } + + /** + * + * Fetches a user record based on an email address. If a user record already + * exists linked to the email address supplied, that is the record returned. + * Otherwise a fresh record is created, linked to the supplied email address. + * The supplied `options` are used when creating a fresh record, or updating + * unset/outdated fields of an existing record. + * + */ + public async getUserByLogin(email: string, options: GetUserOptions = {}): Promise { + const {manager: transaction, profile, userOptions} = options; + const normalizedEmail = normalizeEmail(email); + const userByLogin = await this._runInTransaction(transaction, async manager => { + let needUpdate = false; + const userQuery = manager.createQueryBuilder() + .select('user') + .from(User, 'user') + .leftJoinAndSelect('user.logins', 'logins') + .leftJoinAndSelect('user.personalOrg', 'personalOrg') + .where('email = :email', {email: normalizedEmail}); + let user = await userQuery.getOne(); + let login: Login; + if (!user) { + user = new User(); + // Special users do not have first time user set so that they don't get redirected to the + // welcome page. + user.isFirstTimeUser = !NON_LOGIN_EMAILS.includes(normalizedEmail); + login = new Login(); + login.email = normalizedEmail; + login.user = user; + needUpdate = true; + } else { + login = user.logins[0]; + } + + // Check that user and login records are up to date. + if (!user.name) { + // Set the user's name if our provider knows it. Otherwise use their username + // from email, for lack of something better. If we don't have a profile at this + // time, then leave the name blank in the hopes of learning it when the user logs in. + user.name = (profile && (profile.name || email.split('@')[0])) || ''; + needUpdate = true; + } + if (profile && !user.firstLoginAt) { + // set first login time to now (remove milliseconds for compatibility with other + // timestamps in db set by typeorm, and since second level precision is fine) + const nowish = new Date(); + nowish.setMilliseconds(0); + user.firstLoginAt = nowish; + needUpdate = true; + } + if (!user.picture && profile && profile.picture) { + // Set the user's profile picture if our provider knows it. + user.picture = profile.picture; + needUpdate = true; + } + if (profile && profile.email && profile.email !== login.displayEmail) { + // Use provider's version of email address for display. + login.displayEmail = profile.email; + needUpdate = true; + } + + if (profile?.connectId && profile?.connectId !== user.connectId) { + user.connectId = profile.connectId; + needUpdate = true; + } + + if (!login.displayEmail) { + // Save some kind of display email if we don't have anything at all for it yet. + // This could be coming from how someone wrote it in a UserManager dialog, for + // instance. It will get overwritten when the user logs in if the provider's + // version is different. + login.displayEmail = email; + needUpdate = true; + } + if (!user.options?.authSubject && userOptions?.authSubject) { + // Link subject from password-based authentication provider if not previously linked. + user.options = {...(user.options ?? {}), authSubject: userOptions.authSubject}; + needUpdate = true; + } + if (needUpdate) { + login.user = user; + await manager.save([user, login]); + } + if (!user.personalOrg && !NON_LOGIN_EMAILS.includes(login.email)) { + // Add a personal organization for this user. + // We don't add a personal org for anonymous/everyone/previewer "users" as it could + // get a bit confusing. + const result = await this._homeDb.addOrg(user, {name: "Personal"}, { + setUserAsOwner: true, + useNewPlan: true, + product: PERSONAL_FREE_PLAN, + }, manager); + if (result.status !== 200) { + throw new Error(result.errMessage); + } + needUpdate = true; + + // We just created a personal org; set userOrgPrefs that should apply for new users only. + const userOrgPrefs: UserOrgPrefs = {showGristTour: true}; + const orgId = result.data; + if (orgId) { + await this._homeDb.updateOrg({userId: user.id}, orgId, {userOrgPrefs}, manager); + } + } + if (needUpdate) { + // We changed the db - reload user in order to give consistent results. + // In principle this could be optimized, but this is simpler to maintain. + user = await userQuery.getOne(); + } + return user; + }); + return userByLogin; + } + + /** + * Deletes a user from the database. For the moment, the only person with the right + * to delete a user is the user themselves. + * Users have logins, a personal org, and entries in the group_users table. All are + * removed together in a transaction. All material in the personal org will be lost. + * + * @param scope: request scope, including the id of the user initiating this action + * @param userIdToDelete: the id of the user to delete from the database + * @param name: optional cross-check, delete only if user name matches this + */ + public async deleteUser(scope: Scope, userIdToDelete: number, + name?: string): Promise> { + const userIdDeleting = scope.userId; + if (userIdDeleting !== userIdToDelete) { + throw new ApiError('not permitted to delete this user', 403); + } + await this._connection.transaction(async manager => { + const user = await manager.findOne(User, {where: {id: userIdToDelete}, + relations: ["logins", "personalOrg", "prefs"]}); + if (!user) { throw new ApiError('user not found', 404); } + if (name) { + if (user.name !== name) { + throw new ApiError(`user name did not match ('${name}' vs '${user.name}')`, 400); + } + } + if (user.personalOrg) { await this._homeDb.deleteOrg(scope, user.personalOrg.id, manager); } + await manager.remove([...user.logins]); + // We don't have a GroupUser entity, and adding one tickles lots of TypeOrm quirkiness, + // so use a plain query to delete entries in the group_users table. + await manager.createQueryBuilder() + .delete() + .from('group_users') + .where('user_id = :userId', {userId: userIdToDelete}) + .execute(); + + await manager.delete(User, userIdToDelete); + }); + return { + status: 200 + }; + } + + // Looks up the emails in the permission delta and adds them to the users map in + // the delta object. + // Returns a QueryResult based on the validity of the passed in PermissionDelta object. + public async verifyAndLookupDeltaEmails( + userId: number, + delta: PermissionDelta, + isOrg: boolean = false, + transaction?: EntityManager + ): Promise { + if (!delta) { + throw new ApiError('Bad request: missing permission delta', 400); + } + this._mergeIndistinguishableEmails(delta); + const hasInherit = 'maxInheritedRole' in delta; + const hasUsers = delta.users; // allow zero actual changes; useful to reduce special + // cases in scripts + if ((isOrg && (hasInherit || !hasUsers)) || (!isOrg && !hasInherit && !hasUsers)) { + throw new ApiError('Bad request: invalid permission delta', 400); + } + // Lookup the email access changes and move them to the users object. + const userIdMap: {[userId: string]: roles.NonGuestRole|null} = {}; + if (hasInherit) { + // Verify maxInheritedRole + const role = delta.maxInheritedRole; + const validRoles = new Set(this._homeDb.defaultBasicGroupNames); + if (role && !validRoles.has(role)) { + throw new ApiError(`Invalid maxInheritedRole ${role}`, 400); + } + } + if (delta.users) { + // Verify roles + const deltaRoles = Object.keys(delta.users).map(_userId => delta.users![_userId]); + // Cannot set role "members" on workspace/doc. + const validRoles = new Set(isOrg ? this._homeDb.defaultNonGuestGroupNames : this._homeDb.defaultBasicGroupNames); + for (const role of deltaRoles) { + if (role && !validRoles.has(role)) { + throw new ApiError(`Invalid user role ${role}`, 400); + } + } + // Lookup emails + const emailMap = delta.users; + const emails = Object.keys(emailMap); + const emailUsers = await Promise.all( + emails.map(async email => await this.getUserByLogin(email, {manager: transaction})) + ); + emails.forEach((email, i) => { + const userIdAffected = emailUsers[i]!.id; + // Org-level sharing with everyone would allow serious spamming - forbid it. + if (emailMap[email] !== null && // allow removing anything + userId !== this.getSupportUserId() && // allow support user latitude + userIdAffected === this.getEveryoneUserId() && + isOrg) { + throw new ApiError('This user cannot share with everyone at top level', 403); + } + userIdMap[userIdAffected] = emailMap[email]; + }); + } + const userIdDelta = delta.users ? userIdMap : null; + const userIds = Object.keys(userIdDelta || {}); + const removingSelf = userIds.length === 1 && userIds[0] === String(userId) && + delta.maxInheritedRole === undefined && userIdDelta?.[userId] === null; + const permissionThreshold = removingSelf ? Permissions.VIEW : Permissions.ACL_EDIT; + return { + userIdDelta, + permissionThreshold, + affectsSelf: userId in userIdMap, + }; + } + + public async initializeSpecialIds(): Promise { + await this._maybeCreateSpecialUserId({ + email: ANONYMOUS_USER_EMAIL, + name: "Anonymous" + }); + await this._maybeCreateSpecialUserId({ + email: PREVIEWER_EMAIL, + name: "Preview" + }); + await this._maybeCreateSpecialUserId({ + email: EVERYONE_EMAIL, + name: "Everyone" + }); + await this._maybeCreateSpecialUserId({ + email: SUPPORT_EMAIL, + name: "Support" + }); + } + + /** + * Check for anonymous user, either encoded directly as an id, or as a singular + * profile (this case arises during processing of the session/access/all endpoint + * whether we are checking for available orgs without committing yet to a particular + * choice of user). + */ + public isAnonymousUser(users: AvailableUsers): boolean { + return UsersManager.isSingleUser(users) ? users === this.getAnonymousUserId() : + users.length === 1 && normalizeEmail(users[0].email) === ANONYMOUS_USER_EMAIL; + } + + /** + * Get ids of users to be excluded from member counts and emails. + */ + public getExcludedUserIds(): number[] { + return [this.getSupportUserId(), this.getAnonymousUserId(), this.getEveryoneUserId()]; + } + + /** + * Returns a Promise for an array of User entites for the given userIds. + */ + public async getUsers(userIds: number[], optManager?: EntityManager): Promise { + if (userIds.length === 0) { + return []; + } + const manager = optManager || new EntityManager(this._connection); + const queryBuilder = manager.createQueryBuilder() + .select('users') + .from(User, 'users') + .where('users.id IN (:...userIds)', {userIds}); + return await queryBuilder.getMany(); + } + + /** + * Don't add everyone@ as a guest, unless also sharing with anon@. + * This means that material shared with everyone@ doesn't become + * listable/discoverable by default. + * + * This is a HACK to allow existing example doc setup to continue to + * work. It could be removed if we are willing to share the entire + * support org with users. E.g. move any material we don't want to + * share into a workspace that doesn't inherit ACLs. TODO: remove + * this hack, or enhance it up as a way to support discoverability / + * listing. It has the advantage of cloning well. + */ + public filterEveryone(users: User[]): User[] { + const everyone = this.getEveryoneUserId(); + const anon = this.getAnonymousUserId(); + if (users.find(u => u.id === anon)) { return users; } + return users.filter(u => u.id !== everyone); + } + + // Given two arrays of groups, returns a map of users present in the first array but + // not the second, where the map is broken down by user role. + // This method is used for checking limits on shares. + // Excluded users are removed from the results. + public getUserDifference(groupsA: Group[], groupsB: Group[]): Map { + const subtractSet: Set = + new Set(flatten(groupsB.map(grp => grp.memberUsers)).map(usr => usr.id)); + const result = new Map(); + for (const group of groupsA) { + const name = group.name; + if (!roles.isNonGuestRole(name)) { continue; } + result.set(name, group.memberUsers.filter(user => !subtractSet.has(user.id))); + } + return this.withoutExcludedUsers(result); + } + + public withoutExcludedUsers(members: Map): Map { + const excludedUsers = this.getExcludedUserIds(); + for (const [role, users] of members.entries()) { + members.set(role, users.filter((user) => !excludedUsers.includes(user.id))); + } + return members; + } + + /** + * + * Take a list of user profiles coming from the client's session, correlate + * them with Users and Logins in the database, and construct full profiles + * with user ids, standardized display emails, pictures, and anonymous flags. + * + */ + public async completeProfiles(profiles: UserProfile[]): Promise { + if (profiles.length === 0) { return []; } + const qb = this._connection.createQueryBuilder() + .select('logins') + .from(Login, 'logins') + .leftJoinAndSelect('logins.user', 'user') + .where('logins.email in (:...emails)', {emails: profiles.map(profile => normalizeEmail(profile.email))}); + const completedProfiles: {[email: string]: FullUser} = {}; + for (const login of await qb.getMany()) { + completedProfiles[login.email] = { + id: login.user.id, + email: login.displayEmail, + name: login.user.name, + picture: login.user.picture, + anonymous: login.user.id === this.getAnonymousUserId(), + locale: login.user.options?.locale + }; + } + return profiles.map(profile => completedProfiles[normalizeEmail(profile.email)]) + .filter(profile => profile); + } + + // For the moment only the support user can add both everyone@ and anon@ to a + // resource, since that allows spam. TODO: enhance or remove. + public checkUserChangeAllowed(userId: number, groups: Group[]) { + if (userId === this.getSupportUserId()) { return; } + const ids = new Set(flatten(groups.map(g => g.memberUsers)).map(u => u.id)); + if (ids.has(this.getEveryoneUserId()) && ids.has(this.getAnonymousUserId())) { + throw new Error('this user cannot share with everyone and anonymous'); + } + } + + /** + * + * Get the id of a special user, creating that user if it is not already present. + * + */ + private async _maybeCreateSpecialUserId(profile: UserProfile) { + let id = this._specialUserIds[profile.email]; + if (!id) { + // get or create user - with retry, since there'll be a race to create the + // user if a bunch of servers start simultaneously and the user doesn't exist + // yet. + const user = await this.getUserByLoginWithRetry(profile.email, {profile}); + if (user) { id = this._specialUserIds[profile.email] = user.id; } + } + if (!id) { throw new Error(`Could not find or create user ${profile.email}`); } + return id; + } + + // This deals with the problem posed by receiving a PermissionDelta specifying a + // role for both alice@x and Alice@x. We do not distinguish between such emails. + // If there are multiple indistinguishabe emails, we preserve just one of them, + // assigning it the most powerful permission specified. The email variant perserved + // is the earliest alphabetically. + private _mergeIndistinguishableEmails(delta: PermissionDelta) { + if (!delta.users) { return; } + // We normalize emails for comparison, but track how they were capitalized + // in order to preserve it. This is worth doing since for the common case + // of a user being added to a resource prior to ever logging in, their + // displayEmail will be seeded from this value. + const displayEmails: {[email: string]: string} = {}; + // This will be our output. + const users: {[email: string]: roles.NonGuestRole|null} = {}; + for (const displayEmail of Object.keys(delta.users).sort()) { + const email = normalizeEmail(displayEmail); + const role = delta.users[displayEmail]; + const key = displayEmails[email] = displayEmails[email] || displayEmail; + users[key] = users[key] ? roles.getStrongestRole(users[key], role) : role; + } + delta.users = users; + } +} From 0549e46380948856e7e3edc757466fd37d8d596c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaros=C5=82aw=20Sadzi=C5=84ski?= Date: Tue, 18 Jun 2024 18:29:06 +0200 Subject: [PATCH 08/19] (core) Removing dry option from fixSiteProducts Summary: fixSiteProducts was always called with a dry option. This option was just added for debuging test failure, it should have been removed. Test Plan: Manual. - on grist core, prepare site with `teamFree` product - then to recreate run the previous version as `GRIST_SINGLE_ORG=cool-beans GRIST_DEFAULT_PRODUCT=Free npm start` - then to confirm it is fixed, run the same command as above Site should be changed from `teamFree` to `Free`. Reviewers: paulfitz Reviewed By: paulfitz Subscribers: paulfitz Differential Revision: https://phab.getgrist.com/D4276 --- app/gen-server/lib/Housekeeper.ts | 30 +++++++----------------------- stubs/app/server/server.ts | 3 +-- 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/app/gen-server/lib/Housekeeper.ts b/app/gen-server/lib/Housekeeper.ts index 14c68ecf..116a3c50 100644 --- a/app/gen-server/lib/Housekeeper.ts +++ b/app/gen-server/lib/Housekeeper.ts @@ -483,10 +483,9 @@ async function forEachWithBreaks(logText: string, items: T[], callback: (item */ export async function fixSiteProducts(options: { deploymentType: string, - db: HomeDBManager, - dry?: boolean, + db: HomeDBManager }) { - const {deploymentType, dry, db} = options; + const {deploymentType, db} = options; const hasDefaultProduct = () => Boolean(process.env.GRIST_DEFAULT_PRODUCT); const defaultProductIsFree = () => process.env.GRIST_DEFAULT_PRODUCT === 'Free'; @@ -502,10 +501,8 @@ export async function fixSiteProducts(options: { } // Find all billing accounts on teamFree product and change them to the Free. - return await db.connection.transaction(async (t) => { const freeProduct = await t.findOne(Product, {where: {name: 'Free'}}); - const freeTeamProduct = await t.findOne(Product, {where: {name: 'teamFree'}}); if (!freeTeamProduct) { @@ -518,24 +515,11 @@ export async function fixSiteProducts(options: { return false; } - if (dry) { - await t.createQueryBuilder() - .select('ba') - .from(BillingAccount, 'ba') - .where('ba.product = :productId', {productId: freeTeamProduct.id}) - .getMany() - .then((accounts) => { - accounts.forEach(a => { - console.log(`Would change account ${a.id} from ${a.product.id} to ${freeProduct.id}`); - }); - }); - } else { - await t.createQueryBuilder() - .update(BillingAccount) - .set({product: freeProduct.id}) - .where({product: freeTeamProduct.id}) - .execute(); - } + await t.createQueryBuilder() + .update(BillingAccount) + .set({product: freeProduct.id}) + .where({product: freeTeamProduct.id}) + .execute(); return true; }); diff --git a/stubs/app/server/server.ts b/stubs/app/server/server.ts index b6f272a9..e8761cef 100644 --- a/stubs/app/server/server.ts +++ b/stubs/app/server/server.ts @@ -139,8 +139,7 @@ export async function main() { await fixSiteProducts({ deploymentType: server.getDeploymentType(), - db: server.getHomeDBManager(), - dry: true + db: server.getHomeDBManager() }); return server; From 2cb38709a56d50271c836e78821b28e6a03b68f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?= Date: Thu, 13 Jun 2024 17:45:41 -0400 Subject: [PATCH 09/19] supervisor: new file This is a new entrypoint, mostly intended for Docker, so we have one simple process controlling the main Grist process. The purpose of this is to be able to make Grist easily restartable with a new environment. --- sandbox/supervisor.mjs | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 sandbox/supervisor.mjs diff --git a/sandbox/supervisor.mjs b/sandbox/supervisor.mjs new file mode 100644 index 00000000..2508cb17 --- /dev/null +++ b/sandbox/supervisor.mjs @@ -0,0 +1,35 @@ +import {spawn} from 'child_process'; + +let grist; + +function startGrist(newConfig={}) { + saveNewConfig(newConfig); + // H/T https://stackoverflow.com/a/36995148/11352427 + grist = spawn('./sandbox/run.sh', { + stdio: ['inherit', 'inherit', 'inherit', 'ipc'] + }); + grist.on('message', function(data) { + if (data.action === 'restart') { + console.log('Restarting Grist with new environment'); + + // Note that we only set this event handler here, after we have + // a new environment to reload with. Small chance of a race here + // in case something else sends a SIGINT before we do it + // ourselves further below. + grist.on('exit', () => { + grist = startGrist(data.newConfig); + }); + + grist.kill('SIGINT'); + } + }); + return grist; +} + +// Stub function +function saveNewConfig(newConfig) { + // TODO: something here to actually persist the new config before + // restarting Grist. +} + +startGrist(); From 20035fd58fa2874cd2bbf4a4ace4e88a33e9ec0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?= Date: Fri, 7 Jun 2024 20:07:19 -0400 Subject: [PATCH 10/19] FlexServer: add new admin restart endpoint This adds an endpoint for the admin user to be able to signal to a controlling process to restart the server. This is intended for `docker-runner.mjs`. --- app/server/lib/FlexServer.ts | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/app/server/lib/FlexServer.ts b/app/server/lib/FlexServer.ts index 46e4a508..5aed483d 100644 --- a/app/server/lib/FlexServer.ts +++ b/app/server/lib/FlexServer.ts @@ -1883,6 +1883,22 @@ export class FlexServer implements GristServer { const probes = new BootProbes(this.app, this, '/api', adminMiddleware); probes.addEndpoints(); + this.app.post('/api/admin/restart', requireInstallAdmin, expressWrap(async (req, resp) => { + const newConfig = req.body.newConfig; + resp.on('finish', () => { + // If we have IPC with parent process (e.g. when running under + // Docker) tell the parent that we have a new environment so it + // can restart us. + if (process.send) { + process.send({ action: 'restart', newConfig }); + } + }); + // On the topic of http response codes, thus spake MDN: + // "409: This response is sent when a request conflicts with the current state of the server." + const status = process.send ? 200 : 409; + return resp.status(status).send(); + })); + // Restrict this endpoint to install admins this.app.get('/api/install/prefs', requireInstallAdmin, expressWrap(async (_req, resp) => { const activation = await this._activations.current(); From 1a64910be3c9a34641ae879437dd854a5df1fd9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?= Date: Thu, 13 Jun 2024 17:45:47 -0400 Subject: [PATCH 11/19] Dockerfile: use docker-runner.mjs as new entrypoint --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f6cafa43..4af861cc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -113,6 +113,7 @@ ADD bower_components /grist/bower_components ADD sandbox /grist/sandbox ADD plugins /grist/plugins ADD static /grist/static +ADD docker-runner.mjs /grist/docker-runner.mjs # Make optional pyodide sandbox available COPY --from=builder /grist/sandbox/pyodide /grist/sandbox/pyodide @@ -152,4 +153,4 @@ ENV \ EXPOSE 8484 ENTRYPOINT ["/usr/bin/tini", "-s", "--"] -CMD ["./sandbox/run.sh"] +CMD ["node", "./sandbox/supervisor.mjs"] From 91e0a62e9127c44bea394ee007b0def30e3e38f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?= Date: Wed, 19 Jun 2024 16:42:48 -0400 Subject: [PATCH 12/19] Dockerfile: remove mention of docker-runner.mjs When rewriting 1a64910be3c9a34641ae879437dd854a5df1fd9b, I accidentally left a stray reference to docker-runner.mjs in there. Since this file doesn't exist anymore, this prevents Docker builds from happening. --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4af861cc..35148cdb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -113,7 +113,6 @@ ADD bower_components /grist/bower_components ADD sandbox /grist/sandbox ADD plugins /grist/plugins ADD static /grist/static -ADD docker-runner.mjs /grist/docker-runner.mjs # Make optional pyodide sandbox available COPY --from=builder /grist/sandbox/pyodide /grist/sandbox/pyodide From 0ca120a4f43f9a8a9d501409d6d748dacba45b76 Mon Sep 17 00:00:00 2001 From: Florent Date: Thu, 20 Jun 2024 16:48:30 +0200 Subject: [PATCH 13/19] Add some database documentation (#937) Start documenting the databases including: * document ACL and other tables * Permissions * Groups, secrets, and other tables --------- Co-authored-by: jordigh --- documentation/database.md | 297 +++++++++ documentation/develop.md | 1 + .../BDD-doc-inheritance-after-change.svg | 4 + .../images/BDD-doc-inheritance-default.svg | 4 + documentation/images/BDD.drawio | 234 +++++++ documentation/images/homedb-schema.svg | 609 ++++++++++++++++++ .../images/ws-users-management-popup.png | Bin 0 -> 31918 bytes 7 files changed, 1149 insertions(+) create mode 100644 documentation/database.md create mode 100644 documentation/images/BDD-doc-inheritance-after-change.svg create mode 100644 documentation/images/BDD-doc-inheritance-default.svg create mode 100644 documentation/images/BDD.drawio create mode 100644 documentation/images/homedb-schema.svg create mode 100644 documentation/images/ws-users-management-popup.png diff --git a/documentation/database.md b/documentation/database.md new file mode 100644 index 00000000..fb8fecc6 --- /dev/null +++ b/documentation/database.md @@ -0,0 +1,297 @@ +# Database + +> [!WARNING] +> This documentation is meant to describe the state of the database. The reader should be aware that some undocumented changes may have been done after its last updates, and for this purpose should check the git history of this file. +> +> Also contributions are welcome! :heart: + +Grist manages two databases: +1. The Home Database; +2. The Document Database (also known as "the grist document"); + +The Home database is responsible for things related to the instance, such as: + - the users and the groups registered on the instance, + - the billing, + - the organisations (also called sites), the workspaces, + - the documents' metadata (such as ID, name, or workspace under which it is located); + - the access permissions (ACLs) to organisations, workspaces and documents (access to the content of the document is controlled by the document itself); + +A Grist Document contains data such as: + - The tables, pages, views data; + - The ACL *inside* to access to all or part of tables (rows or columns); + +## The Document Database + +### Inspecting the Document + +A Grist Document (with the `.grist` extension) is actually a SQLite database. You may download a document like [this one](https://api.getgrist.com/o/templates/api/docs/keLK5sVeyfPkxyaXqijz2x/download?template=false&nohistory=false) and inspect its content using a tool such as the `sqlite3` command: + +```` +$ sqlite3 Flashcards.grist +sqlite> .tables +Flashcards_Data _grist_TabBar +Flashcards_Data_summary_Card_Set _grist_TabItems +GristDocTour _grist_TableViews +_grist_ACLMemberships _grist_Tables +_grist_ACLPrincipals _grist_Tables_column +_grist_ACLResources _grist_Triggers +_grist_ACLRules _grist_Validations +_grist_Attachments _grist_Views +_grist_Cells _grist_Views_section +_grist_DocInfo _grist_Views_section_field +_grist_External_database _gristsys_Action +_grist_External_table _gristsys_ActionHistory +_grist_Filters _gristsys_ActionHistoryBranch +_grist_Imports _gristsys_Action_step +_grist_Pages _gristsys_FileInfo +_grist_REPL_Hist _gristsys_Files +_grist_Shares _gristsys_PluginData +```` + +:warning: If you want to ensure that you will not alter a document's contents, make a backup copy beforehand. + +### The migrations + +The migrations are handled in the Python sandbox in this code: +https://github.com/gristlabs/grist-core/blob/main/sandbox/grist/migrations.py + +For more information, please consult [the documentation for migrations](./migrations.md). + +## The Home Database + +The home database may either be a SQLite or a PostgreSQL database depending on how the Grist instance has been installed. For details, please refer to the `TYPEORM_*` env variables in the [README](https://github.com/gristlabs/grist-core/blob/main/README.md#database-variables). + +Unless otherwise configured, the home database is a SQLite file. In the default Docker image, it is stored at this location: `/persist/home.sqlite3`. + +The schema below is the same (except for minor differences in the column types), regardless of what the database type is. + +### The Schema + +The database schema is the following: + +![Schema of the home database](./images/homedb-schema.svg) + +> [!NOTE] +> For simplicity's sake, we have removed tables related to the billing and to the migrations. + +If you want to generate the above schema by yourself, you may run the following command using [SchemaCrawler](https://www.schemacrawler.com/) ([a docker image is available for a quick run](https://www.schemacrawler.com/docker-image.html)): +````bash +# You may adapt the --database argument to fit with the actual file name +# You may also remove the `--grep-tables` option and all that follows to get the full schema. +$ schemacrawler --server=sqlite --database=landing.db --info-level=standard \ + --portable-names --command=schema --output-format=svg \ + --output-file=/tmp/graph.svg \ + --grep-tables="products|billing_accounts|limits|billing_account_managers|activations|migrations" \ + --invert-match +```` + +### `orgs` table + +Stores organisations (also called "Team sites") information. + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| name | The name as displayed in the UI | +| domain | The part that should be added in the URL | +| owner | The id of the user who owns the org | +| host | ??? | + +### `workspaces` table + +Stores workspaces information. + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| name | The name as displayed in the UI | +| org_id | The organisation to which the workspace belongs | +| removed_at | If not null, stores the date when the workspaces has been placed in the trash (it will be hard deleted after 30 days) | + + +### `docs` table + +Stores document information that is not portable, which means that it does not store the document data nor the ACL rules (see the "Document Database" section). + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| name | The name as displayed in the UI | +| workspace_id | The workspace the document belongs to | +| is_pinned | Whether the document has been pinned or not | +| url_id | Short version of the `id`, as displayed in the URL | +| removed_at | If not null, stores the date when the workspaces has been placed in the trash (it will be hard deleted after 30 days) | +| options | Serialized options as described in the [DocumentOptions](https://github.com/gristlabs/grist-core/blob/4567fad94787c20f65db68e744c47d5f44b932e4/app/common/UserAPI.ts#L125-L135) interface | +| grace_period_start | Specific to getgrist.com (TODO describe it) | +| usage | stats about the document (see [DocumentUsage](https://github.com/gristlabs/grist-core/blob/4567fad94787c20f65db68e744c47d5f44b932e4/app/common/DocUsage.ts)) | +| trunk_id | If set, the current document is a fork (only from a tutorial), and this column references the original document | +| type | If set, the current document is a special one (as specified in [DocumentType](https://github.com/gristlabs/grist-core/blob/4567fad94787c20f65db68e744c47d5f44b932e4/app/common/UserAPI.ts#L123)) | + +### `aliases` table + +Aliases for documents. + +FIXME: What's the difference between `docs.url_id` and `alias.url_id`? + +| Column name | Description | +| ------------- | -------------- | +| url_id | The URL alias for the doc_id | +| org_id | The organisation the document belongs to | +| doc_id | The document id | + +### `acl_rules` table + +Permissions to access either a document, workspace or an organisation. + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| permissions | The permissions granted to the group. See below. | +| type | Either equals to `ACLRuleOrg`, `ACLRuleWs` or `ACLRuleDoc` | +| org_id | The org id associated to this ACL (if set, workspace_id and doc_id are null) | +| workspace_id | The workspace id associated to this ACL (if set, doc_id and org_id are null) | +| doc_id | The document id associated to this ACL (if set, workspace_id and org_id are null) | +| group_id | The group of users for which the ACL applies | + + +The permissions are stored as an integer which is read in its binary form which allows to make bitwise operations: + +| Name | Value (binary) | Description | +| --------------- | --------------- | --------------- | +| VIEW | +0b00000001 | can view | +| UPDATE | +0b00000010 | can update | +| ADD | +0b00000100 | can add | +| REMOVE | +0b00001000 | can remove | +| SCHEMA_EDIT | +0b00010000 | can change schema of tables | +| ACL_EDIT | +0b00100000 | can edit the ACL (docs) or manage the teams (orgs and workspaces) of the resource | +| (reserved) | +0b01000000 | (reserved bit for the future) | +| PUBLIC | +0b10000000 | virtual bit meaning that the resource is shared publicly (not currently used) | + +You notice that the permissions can be then composed: + - EDITOR permissions = `VIEW | UPDATE | ADD | REMOVE` = `0b00000001+0b00000010+0b00000100+0b00001000` = `0b00001111` = `15` + - ADMIN permissions = `EDITOR | SCHEMA_EDIT` = `0b00001111+0b00010000` = `0b00011111` = `31` + - OWNER permissions = `ADMIN | ACL_EDIT` = `0b00011111+0b00100000` = `0b0011111` = `63` + +For more details about that part, please refer [to the code](https://github.com/gristlabs/grist-core/blob/192e2f36ba77ec67069c58035d35205978b9215e/app/gen-server/lib/Permissions.ts). + +### `secrets` table + +Stores secret informations related to documents, so the document may not store them (otherwise someone who downloads a doc may access them). Used to store the unsubscribe key and the target url of Webhooks. + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| value | The value of the secret (despite the table name, its stored unencrypted) | +| doc_id | The document id | + +### `prefs` table + +Stores special grants for documents for anyone having the key. + +| Column name | Description | +| ------------- | -------------- | +| id | The primary key | +| key | A long string secret to identify the share. Suitable for URLs. Unique across the database / installation. | +| link_id | A string to identify the share. This identifier is common to the home database and the document specified by docId. It need only be unique within that document, and is not a secret. | doc_id | The document to which the share belongs | +| options | Any overall qualifiers on the share | + +For more information, please refer [to the comments in the code](https://github.com/gristlabs/grist-core/blob/192e2f36ba77ec67069c58035d35205978b9215e/app/gen-server/entity/Share.ts). + +### `groups` table + +The groups are entities that may contain either other groups and/or users. + +| Column name | Description | +|--------------- | --------------- | +| id | The primary key | +| name | The name (see the 5 types of groups below) | + +Only 5 types of groups exist, which corresponds actually to Roles (for the permissions, please refer to the [ACL rules permissions details](#acl-permissions)): + - `owners` (see the `OWNERS` permissions) + - `editors` (see the `EDITORS` permissions) + - `viewers` (see the `VIEWS` permissions) + - `members` + - `guests` + +`viewers`, `members` and `guests` have basically the same rights (like viewers), the only difference between them is that: + - `viewers` are explicitly allowed to view the resource and its descendants; + - `members` are specific to the organisations and are meant to allow access to be granted to individual documents or workspaces, rather than the full team site. + - `guests` are (FIXME: help please on this one :)) + +Each time a resource is created, the groups corresponding to the roles above are created (except the `members` which are specific to organisations). + +### `group_groups` table + +The table which allows groups to contain other groups. It is also used for the inheritance mechanism (see below). + +| Column name | Description | +|--------------- | --------------- | +| group_id | The id of the group containing the subgroup | +| subgroup_id | The id of the subgroup | + +### `group_users` table + +The table which assigns users to groups. + +| Column name | Description | +|--------------- | --------------- | +| group_id | The id of the group containing the user | +| user_id | The id of the user | + +### `groups`, `group_groups`, `group_users` and inheritances + +We mentioned earlier that the groups currently holds the roles with the associated permissions. + +The database stores the inheritances of rights as described below. + +Let's imagine that a user is granted the role of *Owner* for the "Org1" organisation, s/he therefore belongs to the group "Org1 Owners" (whose ID is `id_org1_owner_grp`) which also belongs to the "WS1 Owners" (whose ID is `id_ws1_owner_grp`) by default. In other words, this user is by default owner of both the Org1 organization and of the WS1 workspace. + +The below schema illustrates both the inheritance of between the groups and the state of the database: + +![BDD state by default](./images/BDD-doc-inheritance-default.svg) + +This inheritance can be changed through the Users management popup in the Contextual Menu for the Workspaces: + +![The drop-down list after "Inherit access:" in the workspaces Users Management popup](./images/ws-users-management-popup.png) + +If you change the inherit access to "View Only", here is what happens: + +![BDD state after inherit access has changed, the `group_groups.group_id` value has changed](./images/BDD-doc-inheritance-after-change.svg) + +The Org1 owners now belongs to the "WS1 Viewers" group, and the user despite being *Owner* of "Org1" can only view the workspace WS1 and its documents because s/he only gets the Viewer role for this workspace. Regarding the database, `group_groups` which holds the group inheritance has been updated, so the parent group for `id_org1_owner_grp` is now `id_ws1_viewers_grp`. + +### `users` table + +Stores `users` information. + +| Column name | Description | +|--------------- | --------------- | +| id | The primary key | +| name | The user's name | +| api_key | If generated, the [HTTP API Key](https://support.getgrist.com/rest-api/) used to authenticate the user | +| picture | The URL to the user's picture (must be provided by the SSO Identity Provider) | +| first_login_at | The date of the first login | +| is_first_time_user | Whether the user discovers Grist (used to trigger the Welcome Tour) | +| options | Serialized options as described in [UserOptions](https://github.com/gristlabs/grist-core/blob/513e13e6ab57c918c0e396b1d56686e45644ee1a/app/common/UserAPI.ts#L169-L179) interface | +| connect_id | Used by [GristConnect](https://github.com/gristlabs/grist-ee/blob/5ae19a7dfb436c8a3d67470b993076e51cf83f21/ext/app/server/lib/GristConnect.ts) in Enterprise Edition to identify user in external provider | +| ref | Used to identify a user in the automated tests | + +### `logins` table + +Stores information related to the identification. + +> [!NOTE] +> A user may have many `logins` records associated to him/her, like several emails used for identification. + + +| Column name | Description | +|--------------- | --------------- | +| id | The primary key | +| user_id | The user's id | +| email | The normalized email address used for equality and indexing (specifically converted to lower case) | +| display_email | The user's email address as displayed in the UI | + +### The migrations + +The database migrations are handled by TypeORM ([documentation](https://typeorm.io/migrations)). The migration files are located at `app/gen-server/migration` and are run at startup (so you don't have to worry about running them yourself). + diff --git a/documentation/develop.md b/documentation/develop.md index e95b5b01..4595b60c 100644 --- a/documentation/develop.md +++ b/documentation/develop.md @@ -130,6 +130,7 @@ Check out this repository: https://github.com/gristlabs/grist-widget#readme Some documentation to help you starting developing: - [Overview of Grist Components](./overview.md) + - [The database](./database.md) - [GrainJS & Grist Front-End Libraries](./grainjs.md) - [GrainJS Documentation](https://github.com/gristlabs/grainjs/) (The library used to build the DOM) - [The user support documentation](https://support.getgrist.com/) diff --git a/documentation/images/BDD-doc-inheritance-after-change.svg b/documentation/images/BDD-doc-inheritance-after-change.svg new file mode 100644 index 00000000..0899246a --- /dev/null +++ b/documentation/images/BDD-doc-inheritance-after-change.svg @@ -0,0 +1,4 @@ + + + +
Org1
Workspace1
Some user
group_users
group_id
user_id
id_org1_owner_grp
id_some_user
Org1 Owners
Ws1 Owners
NEW
Ws1 Viewers

group_groups
group_id
subgroup_id
id_ws1_owner_grp
id_ws1_viewers_grp
id_org1_owner_grp
 \ No newline at end of file diff --git a/documentation/images/BDD-doc-inheritance-default.svg b/documentation/images/BDD-doc-inheritance-default.svg new file mode 100644 index 00000000..1fc21857 --- /dev/null +++ b/documentation/images/BDD-doc-inheritance-default.svg @@ -0,0 +1,4 @@ + + + +
Org1
Org1
Workspace1
Workspace1
Some user
Some...group_users
group_id
group_id
user_id
user_id
id_org1_owner_grp
id_org1_owner_grp
id_some_user
id_some_usergroup_groups
group_id
group_id
subgroup_id
subgroup_id
id_ws1_owner_grp
id_ws1_owner_grp
id_org1_owner_grp
id_org1_owner_grp
Org1 Owners
Org1 Own...
Ws1 Owners
Ws1 Owne... \ No newline at end of file diff --git a/documentation/images/BDD.drawio b/documentation/images/BDD.drawio new file mode 100644 index 00000000..7e7fe9aa --- /dev/null +++ b/documentation/images/BDD.drawio @@ -0,0 +1,234 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/documentation/images/homedb-schema.svg b/documentation/images/homedb-schema.svg new file mode 100644 index 00000000..eed9fc31 --- /dev/null +++ b/documentation/images/homedb-schema.svg @@ -0,0 +1,609 @@ + + + + + + +SchemaCrawler_Diagram + +generated by +SchemaCrawler 16.21.2 +generated on +2024-04-15 14:21:22 + + + +acl_rules_53bd8961 + +acl_rules + +[table] +id + +INTEGER NOT NULL + +auto-incremented +permissions + +INTEGER NOT NULL +type + +VARCHAR NOT NULL +workspace_id + +INTEGER +org_id + +INTEGER +doc_id + +VARCHAR +group_id + +INTEGER + + + + +docs_2f969a + +docs + +[table] +id + +VARCHAR NOT NULL +name + +VARCHAR NOT NULL +created_at + +DATETIME NOT NULL +updated_at + +DATETIME NOT NULL +workspace_id + +INTEGER +is_pinned + +BOOLEAN NOT NULL +url_id + +VARCHAR +removed_at + +DATETIME +options + +VARCHAR +grace_period_start + +DATETIME +usage + +VARCHAR +created_by + +INTEGER +trunk_id + +TEXT +type + +TEXT + + + + +acl_rules_53bd8961:w->docs_2f969a:e + + + + + + + + + + +groups_b63e4e33 + +groups + +[table] +id + +INTEGER NOT NULL + +auto-incremented +name + +VARCHAR NOT NULL + + + + +acl_rules_53bd8961:w->groups_b63e4e33:e + + + + + + + + + + +orgs_34a26e + +orgs + +[table] +id + +INTEGER NOT NULL + +auto-incremented +name + +VARCHAR NOT NULL +domain + +VARCHAR +created_at + +DATETIME NOT NULL +updated_at + +DATETIME NOT NULL +owner_id + +INTEGER +billing_account_id + +INTEGER +host + +VARCHAR + + + + +acl_rules_53bd8961:w->orgs_34a26e:e + + + + + + + + + + +workspaces_e61add + +workspaces + +[table] +id + +INTEGER NOT NULL + +auto-incremented +name + +VARCHAR NOT NULL +created_at + +DATETIME NOT NULL +updated_at + +DATETIME NOT NULL +org_id + +INTEGER +removed_at + +DATETIME + + + + +acl_rules_53bd8961:w->workspaces_e61add:e + + + + + + + + + + +aliases_c97dc35d + +aliases + +[table] +url_id + +VARCHAR NOT NULL +org_id + +INTEGER NOT NULL +doc_id + +VARCHAR +created_at + +DATETIME NOT NULL + + + + +aliases_c97dc35d:w->docs_2f969a:e + + + + + + + + + + +aliases_c97dc35d:w->orgs_34a26e:e + + + + + + + + + + +docs_2f969a:w->docs_2f969a:e + + + + + + + + + + +docs_2f969a:w->workspaces_e61add:e + + + + + + + + + + +users_6a70267 + +users + +[table] +id + +INTEGER NOT NULL + +auto-incremented +name + +VARCHAR NOT NULL +api_key + +VARCHAR +picture + +VARCHAR +first_login_at + +DATETIME +is_first_time_user + +INTEGER NOT NULL +options + +VARCHAR +connect_id + +VARCHAR +"ref" + +VARCHAR NOT NULL + + + + +docs_2f969a:w->users_6a70267:e + + + + + + + + + + +secrets_756efc22 + +secrets + +[table] +id + +VARCHAR NOT NULL +"value" + +VARCHAR NOT NULL +doc_id + +VARCHAR NOT NULL + + + + +secrets_756efc22:w->docs_2f969a:e + + + + + + + + + + +shares_ca2520d3 + +shares + +[table] +id + +INTEGER NOT NULL + +auto-incremented +key + +VARCHAR NOT NULL +doc_id + +VARCHAR NOT NULL +link_id + +VARCHAR NOT NULL +options + +VARCHAR NOT NULL + + + + +shares_ca2520d3:w->docs_2f969a:e + + + + + + + + + + +group_groups_dfa1d7f3 + +group_groups + +[table] +group_id + +INTEGER NOT NULL +subgroup_id + +INTEGER NOT NULL + + + + +group_groups_dfa1d7f3:w->groups_b63e4e33:e + + + + + + + + + + +group_groups_dfa1d7f3:w->groups_b63e4e33:e + + + + + + + + + + +group_users_41cb40a7 + +group_users + +[table] +group_id + +INTEGER NOT NULL +user_id + +INTEGER NOT NULL + + + + +group_users_41cb40a7:w->groups_b63e4e33:e + + + + + + + + + + +group_users_41cb40a7:w->users_6a70267:e + + + + + + + + + + +logins_be987289 + +logins + +[table] +id + +INTEGER NOT NULL + +auto-incremented +user_id + +INTEGER NOT NULL +email + +VARCHAR NOT NULL +display_email + +VARCHAR NOT NULL + + + + +logins_be987289:w->users_6a70267:e + + + + + + + + + + +id_dc7c64b2 +billing_accounts.id + + + +orgs_34a26e:w->id_dc7c64b2:e + + + + + + + + + + +orgs_34a26e:w->users_6a70267:e + + + + + + + + + + + +prefs_660170f + +prefs + +[table] +org_id + +INTEGER +user_id + +INTEGER +prefs + +VARCHAR NOT NULL + + + + +prefs_660170f:w->orgs_34a26e:e + + + + + + + + + + +prefs_660170f:w->users_6a70267:e + + + + + + + + + + +workspaces_e61add:w->orgs_34a26e:e + + + + + + + + + + +user_id_2d5fdf94 +billing_account_managers.user_id + + + +user_id_2d5fdf94:w->users_6a70267:e + + + + + + + + + + diff --git a/documentation/images/ws-users-management-popup.png b/documentation/images/ws-users-management-popup.png new file mode 100644 index 0000000000000000000000000000000000000000..9b18aaa43bba1103fbcc549df1d929952c74d6d3 GIT binary patch literal 31918 zcmdqJbyU<}{607;As|XheF#CiTe^lW2?6QukZuqV7^F+OK^Q`mZjkN{Y3XL@j=g?& z_niG>&;Ip0d-m*{k->@g-21w(`-dURPI-W>Y*>DQ;L z#tqWn^6Q5tCv~k-W`9;Gw3=JPF{@83cn0N$QW(`HxD*GT(6Mw1X;qj~rFjdtiU=ol zYy|2;|57$(Mw59S)^BB=)^`k-Ty8lFOK&eVlZ#~-LZ2EKD%ezuc5?aSuy;Q)eWY)$ z8IT43iOHLQAborbtL% zAd5@ct+`GVGc0!97w6{oJPBn2*r433jWG zja9&s@o<<-2cmGJyTp`mu!f#*60xaEY_$A+Spj03S}M$IUUfN7JPS^B28i;LG7+m})fw z*5NMqc|J}&$0{?^GnHomKKD5%aiK*2*3StaFY(0(D^bH@fjQ^rh8*A}2gED4f!XAt1Y>|v`c^gWwLjHhaP9=)~Eeth7KltYRt40LZMvnJj?RkJJkWZ!?o zF$Sjd`FCP#idKCg<}zten|e=Gi<8(EI~b8kJ|8|herbsaR`LtU(QB~7vSV==w2B?D zl6R%3TR-32u7Rr-;VQR%!~r(=aK}AUD^Cr+eK#yLixM+E9ehq2z&Q7Hk7IH{565`9iK_EhCv{0}|HAgr&!K?SG$a1Pk}JOb=F82QS+Q5-4?Xh&mgD(5u5O(uhP^TDOG{!aD+DhV zu^^vmBictXA)^i#`?Ut%b~xCcUNs3CWWsmRzlqOGzeYB@-`^-o)INp$4g1oDqzrLz zP|o1CuD;3gS0c=3S7w1KKt5Yb7zS$pa@x3D_G|nG`^J1*=Z?r^)F|b5T3;RSZ; zTB6DN>gA!3)%e*&VaL_CLgi3TZ`6-EI>8}iD>f{8U+=EBBEcla$H&Xcm<8Nldfgsa z4W%^-mBJ+@B@gCYsVU{F~If73z0; zaM{~yF~&@^YqZ{%)tx0B39~i0?NZZyTR?|9LTYP^;Lq$V z64I4oGTYp8YfzQ{&Sj;~HSNon7Z?P7ugSB1dY;a?9n2*-49-?=(JH3utE;d7HEi|0 z^|IKafx4`Scm5k*R%>!XvZCMLGx|Cm8TDTalD>2(+z z)#$uM4%SDbM3ORYV1u6C>h_YH-|MV3lElC0NLL;zSD=c8)UD-q5#-SFvC?`fHO@TW zZn1%p<795SOoS0HwUz#K)3?H;hpdGuX~4t;aesH(ZPKG;JAYAGP(W?qzd2YxV~~}S zaWBdbRaaL~S05bC@CI(MRHj4QqFSJO9NZBa?R&YXy<|?w?{~L;eTv=acE7tjSB0`{ zPCZ?|{BNZ}QtAM1IgnJY+u~!kHQc;6xd?%Hg(bMJ?DgVu|fOCFyRZ$TgBjfGv6bZ1?+|Lzn zR8((D4vul3hq19=c~XjUii&HmSPfb@d~Zr0Z(B!hFMLDFXTdV=&tgDTDr@)mQNi}i z5GK7i?s@b+?ppCN^Yi=7Sl;BiImib$Qc+%$`ZNFi#DI1pFc^onJ!(MKT^fTzCRuDAGcA?e9<>BK$ROs`Yb*D zzX8Nun!~p;?Q>*DV;y1I9P$XUfxxxapmDT|af_*|cTR}|6K)?VM( z7)q&p&%ct`bBblMUzo+iqWkVLTBK$$?J`rBg*F!kV-#?^`^`JwcnJ}i=XN-B+aCP^ zgQ;N<3{&R{xaYRqIdL!3P*I(h)taAHak*@NUiQ2cDqjz$4UiNjjmy)7cR)tS~ z`H5(`-6=@Yzq`L20s*YHww5Zlw6wImMf?8ew8om<&2{xFwCnkqT2lY3j#mbuU+#pQ z*4Zf0F)+5QWLc70Zx7FWZ)?g79`)vHgrRt(q@3Ot()cwwt~Sbkfvq0L90tzkyXU~( zQc?_H(}E2JcG~LRH41t#B}H2jY{}a}SXtg~{^suPbl3ORFO7Ro@j=D^dSiEVwDRu5 zIKrYQN(e-|Ae3_w&P`+z5}OS3_4Re7vWnf@f9Wd~}XI7Ta%p_}lxanx|oxe&VBOrKeee@lyh4&*+ zA-l{-G(~!{vVE-&4dx4VDy+?1yQd=r$BDf53#%Bz z76un|CxUa{)7jdVmX$JvSq^+7y+h(L?i?i(YUnqu$fkHaUX#Wh8%lE@&J=q5DJ569 z)fe9rNpu=mTf6lIEw504Xhai4Azp(&KaCg-lKD;*-Q9WXb%o6bF-Qeau*MD-Z%9QA0BS~c7EPPw}~!$o|<1@c_5=+ zKHQxK`)tHg^%TVain4A}tk<$M5l8lTm}|W8J48q0-I= zg@h&`IU+WP=Al)eR?_vG8)TKcy1TJstE)e}fB!i+xW24x2*eVQ&aVoyG!!!hl}>k( ze0IKnrzz3!#m4$eg17#7e`#>iu4Qb@G2(N4jHWC!<$Lt^0hcD?<;%me_jD*Pw)Zxt zBVZL36`ofEBdmWKTnU!vL2?vuML#>Ut#{dx23eOOk>TySf}9-jhl9&!kn`71aVLNL z&=Zi;lhWC z<#AlN?sR>;<}U?JZ}_zGrMcM--(Ljs-ofYv?j*}Wz&rHd_QAn~ER(O{;n)2E&u+`~ z@2UO;*)Yd7sbiHv=wze&tBkQ}uVVt7F;sGn~&10;de!Ma;c)t4JTj)dq9rV zO|Jn7JN9g4J0d)e%-lkxcVJ+Gj9Rbnue%l7dygyRYHjAJ5twCP+%-stu~`P6ZZ8%Q zEsgR}r+OwjI>Y{iW8jr~79vBbiPte{T#lojYrGCi51@85GFs{DqYn<|Un?TSrlz4e zMQxI<7XNT}FSx$}G5iFokj4bL#0v>HIh4aP1~2)6gx5Y{lAPC6=Fysba(H;Uw^zo( z?3#N6P26he12Gb_nLt>0c>H9JhUEB?DaRs#wE>ydwWF*0t)0e_ct+?(D@W8Tlm7nx z1{eC1x$3l!A7>d7`)6u1Vq^Q4mRP8%&&La7$dc6=64h(qcUtNfj1;+YA>xd9=$LUL8{_sbGajX9C)OLgbLu%Up&=piCSxEhDB={Grl;3fgGAi+7c04~O;9lP_R2%A z*^7#aNsyN}36%zv&nJnH=KucN_vGzw@D~;VvKC$nuDbDc5qy|W03|9h5!{0q z7Oi}AV*R1zHw#Mx=H?aK_dMyxW{}_z7H6k6Jw1}h$k*h8SC=WATb{h}Sq9!M`l%lR zl1AT-TbP-cFzb;Q&V*nt3-I%wAw+VEiY%v!$x$$OdszL~(lgSUKr4Z0eRPwO+N^gb zxI{eKEVs16EN3eoN%)+S-DKpHl*X3I)U{S;=Snp1W1l-mGk;#t=!QRUwP5zIR zTM~YIIk3O`aG$WSAV>*ZvV8S_5>$lI(~dQXRtyXb{~Ie4U0p%!^Sv4AhTRq?WMt%V zj@Fmqu;Hv$x-tb>+2&7gDEaxnMRULxL>?2OgtjFp@S$d1T}iHA{L(o#}{ZB+|;{L@r<)5UYPC+UlP zfA4lpFh^w`*%@O+V|s-@eV38T3Q78$dy6LKYL zK_Q)n2A+&}jxVq`*4ONW)JWcMOoQJP=St!I3%R@ z5Ohb8_7Qwz(Q{nw+yMbIo>rnK%Gd1b=vX2oqOY%yIyaUo^tfcXqrF|^#&TyUt@d9v zYct&hDnID@>ZVy>DbE*=pYYH)Sb(dA>->gQX9x?x#zF~2^8gEQvPdeGub z`*kJ;B-dV%J5cF)c7!mGjj_LZW1;Wo>E-A5#6c?j_2H}e9IlA4LL_=sm;G&JD0tO_ zD>h{F>ZWFm71;4;x5Ob!#D51g?aRKGr>w2EZz+St+0FXDgp%$V>HGVlvvwUUddC=~ zCdI_O^E@E|p)gIr9aJ#2&d$!26%`=sPFCCS!g{;9WG#4xCnwKx+j6QtjG{+~RvsoiB+e{YRJ?9$uMca0^tM4Lo&_FvsJ*`1RloA{q ztoFT05^6Dgx3)QL`*1fK{@PbVOX~_;th(0!{=5&Q)baVa-$A#a-cvZ>7883=?IhxN zX#>65QsbqlxHygoUEzB=jZ&@lHCT1^RDWWYVwUjU@1S(Mc{jWH8u_`wr6srXUHrRZ zS38rQDBYUYp8n%>|{~ia>Ik|d)(CzrcKIUb=!Qo)Z%k(4ed-UDk2oFZR&I`BFiephG6NdFHY8?|l+k9`{j{)+!fzRHo; zD9G13TFC<&PSVn$U=0xq^M!taP!vcpFS z%oJ+$yIf52^E-%)j4Ul>%JOEps$HJ`@UFEc-^;>tv_Uj3WilPQb;I5mO|t&om$))lb6T z-{4{DlVa+-!-e`4U@z;LACW03a8&SAP%YXU=!0>_DCI`t>Gg%E-wbC^>j}=c}v^fCJ9e zoU?Ote}JnqYuB~j>~@Mg{Au5M_qX`u_Q~fPSwM7T<;;(cvQdgTmqm(p%1{_T#Wv|A zqzXWiqGS(1qWSu^_e+dg=otdfS`E}S9*%qavnH-?nyfo0o?t0+m9q+WH?t`|R+=w< z#b3r613=5;WowF8E$ZjFi2@x18jh5Rt3DM9A}X5aZ(~I7s`_AAs>ou7C=LC1_%xqY z`I8!X{{{sjWr;x4k^k=zPqAh0S3xZR8ZCbLKMxS%r$~Uy07xoU^1p{OQNw?<(de@P zH1Ht$>i>T);)U2l1drq5;{nk3Vi6tkS*m|-Zf zq}}y@nfX4Q>J{1K}~}&Q?r}ls895YX*<#H+!wM2gBG+^o#m`h)awB zkmcf_Au=N3*;9T&+uMW$bsHPTV1Sccb#$;++0M4l&BJ34w)qFMgxzdz->-lu>i`t|F_ zYWLWf5lNYd#GDqPq@8Q8yr*s+4J-i1C)pF1O)V2{WwKLL^w{08yib9GVEMjY^|;N zu{n8pZDuQi#dBnoS^!8(6OR@gED0j=)a**L_i+S!z3$=8j*+!>v2*9q5ytSaVnro6 zfKO7>(!d;PX=t`KHb7%vZMmWZ-PuV2rGa&IDoj@|jh~+%Ypg&%iIJXZu`wwoAz_eE zjSi2DY>1g@FpQ4x+RxUui6SO4lG`MenOv~9-gPfZyNu^wY8)b2&GpZ626MZl3UG}E+pFC+9O09=V>079( zkMXYtq1G=gWwx{&sH#nXVfy+s&DCDY%E&O#(cwwD-QQq>c-to0s!=9rzu2IouC9Bn z)7#%46&~&|^Fz@vI}6|r2lMX#8uuemBP}hJJ$>o}pdDu?r>pK-`$b0=m*+3eY{uG! zxVaJ(7QXf#U9_-sHC`5$y4iED% zFwg)>roX>pUn4Lh0~5P%!zod&&plV20UzBHz_78g#U?$F6a^`$hQ>FJl=tsr%GFaf zPg<4YZB0x}oSiu-E2^ti7!slCfT4(wACTrCA|d&xlT@?Z z-{0QbyKUqk23LQLj}HcDY-0mHGBjVRO0T9ip`fTZI5Z?E#Eu0x{{XbzC*+|7#>M zJjoVcF!2irQ;V){>9laJTmcgc%k(uCgAWFBV_PR{lv$KbG zsl~T8J9~6&j7-l70s)OVtGWP#(91-*e+9(wu!gr80P@j!c{o)0`1y}=WN=jQJm1In zoo$7koekF2UA-ioBPJqZ?-myy-u0DLP|#IUvIp4Ry3S-EeKNhyvivC+5aF6(Pb=A2yC4ff$x4M*!+e0fG51U*4+Vh0zHKtsO3I%jsKMSfs_pX}^Cj z3I$lxO!+dNqzX+uTwN|v?qj0OA+R|Bs)hU7>zivMAKp0g$NnxO32m(gkeBNG}Lq3%uRkQ z)5sDb7lSe+j(14Zp5+dWkGBsEfm(;ex|%K?4QzPJ%a#wp0AK>j0FNulVDY6Ycx6z~ zeI!ZkeDx`Oomw%Cf4RZ>9p3(Oh#Q+T6#6* z143NNX!9-Apxd(#zhOv}-CX{0qMhIo#xC^~Edpx%6ioq7HU{lY;Y*^1zA5*$ZcNs4 zX_D{Ffbo%T;O^IPP%N|G18jM)^<80|{?2$AD=yfNck6U95!kp$I5HG|bEcijaKKT- z+bjZe?P?b)1%RYka?@Qs`x+3$3}S|X4b%0`6o-Wv5Qy^Y7dI&XtEwRn-3WFG-Y1ak z<97cqdniwF1z+3P?B(aby>mqdLXK`NRn@ra>gpVl@uQW^#v`r&NJ-=4;~kcothPgd z6hd`+dO9j9D#Tv0BeV@EdSGk}+g}r0%?PA=FvS0tsO=m!muJ~xDdhEt%PaY(V?V#Q zkk=AfZf}ASOukT0&hCytyDtd!9iVDn;$PS+W2qVH2`=Mx`N!Q`qcAAE=iHP&Oq*15wTY(hTP?});*f;pX57>FZ>-R>1slQlPoIY2VT%;=19Qwb7sy`IBJo;7&^Pk1O z#Pe7`^;fgU9;=V|BcE~{JvUrDPfQ|wHF@ddspkS49%DSa2tLTt7g6_C1T~NZSjyBK z^IRDP@5tWd-aj2RzfiRx#^swG0&9z%rR(27ajUf|$X;e@MBI`N5=M3RK z$5f6c`a7wijhp(Ky9w@qZy>z3`jW9gR_=FDe&BxoT`B9F$ntQ1{bCL^s&~^^_jnlW zhXw7q(65`5%F~;N%OTAcR^9%HWlu!=O1=#**;`g?&QCfE^&e`Z2*Rvw3i{+)vCEiK zEfGH8$&5=Dk2C@OKBb60#oOHbpZ937?oO(Q1j1S*Y}50(eUr{QfyS#LG`{Qdd+ng@2O8i^!5Yvd+A z_)#514i-?+;G2#_{&A)j_$8wrZMpdvFjL7P<}s*D2vjZ4@o9>Pz*^SvZSF6983?=n z2=3mitOs9P>)I?t@eO|9t>5CXu-fsOS|n+9H@e>J-@K6zc3h?@D^P0IJ0{4o8SfT1 z>LhQOtTw4|G!+4ST1AdE}j_#GSlAYk- zewbypnobJEm+w-Ei+rBRv)&)y;lzg4Hz(ESHNu&(tGOzb2Su;*jJf^e);n#iCU!6K_ic4cIWZWn>++hlsV zZ^&Zzgn6Y*i8QI-7$Z5qp2*FsB}hXhl<(Wfi&HG~ILaTqTuQXVL3Z7Hm?1Nd!Mom1g7v!Rs*VjB|n2VS=w+lqQV`y?v`? zRc(hdt{to8lll2a?AYEvkBj^lU|UIBzXCCdw}|cc+8nO`j^X&!f!=q^au+rZ@~!FP zWA~-mX`yPm9$ov%;qi}K@HZ?61iII!K2rO0ZAqIohXOSFNt7yOarEX@yUeZ)AI1iT z8Wqr%1wpi#mYX#Ja!zei>Dr)gn#mg*EHOwywe+N_yO7ZpdWU=_9O$|FVPNaf8d= z0F)*kTZ9k&tw|?R01^%?i-+h~t(fBZ-MaQA2(3L8Ec~W{-dpHdaox<^v%I`kqlK=2 zz;Hejhp;OgY1s?al?(X*MOn6(crY3n2Gz;K-Wqr_|6kpRvfUaL*EdZgs3Gh(cYm@_BqW%e-uE?{?8_H8==+6%N)`#`K%2-g6)53K6is!Jloi7 zLbX5z&R@=r*PZC=|G-nGl-?I{7X<&gukQI)d=@Qx<#*N7qq>k+v562Tycg44j$UFod-|JTy5b81`orr2t1!k+UpyudJ}o~G-@Qm4gtT@ReZiI}6^k&YI#jMW&5=c==^jhmee%-rn%EcF@?{_H?AR8dtW zqo~;GFG9_C{g5m9xHn1v8I~Z|rD@=M+e3~D*vdks3@*RBaHz}i>PCUQW`3as&e&ke z1b`QlVVQnjM}K}%`Q5wDH+fb%IXTrjJl-$57qaR%HPzL50L2-PgMNu`9YD?RF6I%z z!N@f=JQ%MBkI(I-p+LF9taoDuBv=#QhXFcxIGSSz^h9yg1CI~4$*ORV!}`CkggvBb z;y-wtkqTUt>NSE!CPjhA^P~>Ih6Ufh4`npc{p+2(Kui0YHPgYuq7o=?WMyR;HT{Nh zu^nEpim`RCI!$4Uyk%Lr;N9gayZ-8YuWcKYNGSjnBKA__tj)PxUFEQ}$Zh0ENMG*H+FDuF+b?dGw?2H6PPdt{S4ic$05-`IB;vQ5YowBT!OX;z z&U3Jcj3NAQihuri1Id!j?0Cn-ghYXArjYl;(aLgUggS6B>Rcd6>WT1t!@^<&80e~K zR{(eaQ@WJ5y3Nkd`<@P^UY{o29rt{Th#2Hu@<7ZxXu9l-A73tCwjOtT_e34&G~e{p z)&2X8k%57X)4YGWOaS%ezUIR=Xe4~j#^Qod-2rQ%C?lg?wO#o}0;SZTwQG9X9MHDV zv-?YttapxHK=IKL`l^3~byQIvFy3Et#bfY`!Z|Tc{n35k@0kvLOlRSf0*kgfGRy=Z zoS{+s3TY!`D=SP>5Uqj1+E=^%Hp%!jJI}V>e9uSMY7mpHi=|Yua>79pVYlj z@x9r}1o|t>?g*4~S){p9yUyoGarv>X;2oB@ChgpIyHzwu9p z*a2RSCcP~O*xro3cM3T`Zo*;tYV=kp^{~{t4j3V(qc!cgC~(DBLS7B7HX;NvQ~EEVP?IYbQ`6DSdf4%kNLaBh1`yJeAau;G3?6=xCVm9uu2zqJnMecj zJj-wH>ag*&!F7+zVd)m|QyaOevWbCcxpbiQ?H*ibSSqJB$$u@mlQ-J*-qhy4=d8k^ z;6CcmeAyzmNTVc7rtGyW-jsE9k;Wd=bL{}DOwHw2EC+GpG14x;!jIYkmx_tl0L;H{2U)| za=K~neQD49sE$9vxa?E8d2^lyxL;NTx( zcGaJdz*XH)cQ@vF=;-dQQ+MPK#Uu8*sGeCu1F+XrzX@;$z>@+*1#FdY))uYnjihk+ zTjt{c;ik90p)`6bk`c-3=r}1w8sWJ`Q~rf;@tp|VICe3080iYzE%}Cqa{57_xXSFIk0=C`piU9HFS162$iD_{`mk2j(yE{?`FyHxA z`8&~6QV~`mPDw8&UQ1Sg&jrDvchWjD1BxSAT{OK?#1Y;n%S^`t9MpfI5lXqH6Wc4t zprCNcZGDba=qB%jG93Ablh=3zCo4cAeJ*iXiuIx8ZA7AtZU^;OiDd`kUrC5Fen&804D@Av*$oae0|(w@H}v|+<+Wl zm7#VEC7PE&^?0#;ya2>H{Trz;5wrff%ca|&{*Tx|F5|p8*yMJw8S}>ECE3C?PzthY z9qlxEX1x>Oz1~dQaH{v2tD@i8AyO9N9{uy@YSzL#nut@JCCQ4s*+{C-A?f1-4$qn!7fFnU zYN?qfF}2D~wE#5qg7yEGDwm5^JOCEkR{m+V>p6~$;aePB8N*zeK!xXguDynKdUY|c znHhZl&>^TVe?IQaq^gAV4@t^WQ=<-DZO7R&S$RFt|3T-g(x-ZzvG?C11pj$BJ|n;! z-v|w6@-cc(mo_*^*)fO+d>$6x@t`5gK?*PhQgk260Fk$pE!uM$j3!oylbmLU?Zjtv ze;(iva}3|XOr(`FBPr6 zFbHTj1;$Fa-qXl$M`+Q?X_mo31WO7>3XrD8k>rk6%$4CFLJM?R ztLJc~vGU+W@p{I^22LH^>?q2QSKuYeh1AJh%Qg;o$_>K{Zf8Cg$>Sq`Uj^eofd9;g zLVczo2Xm^j+Hq)s6!FJ9Nv08SPfuAID&cagf)q3eF%973^!PWZ4_;QESjp~wUX%Ee zVxIi7x4dN4rn+&rs!}B-K=GB81gT|F06h09cOF$*JCU0HU7snKDIVZmBYJ4MWoU3= z9&q^TpgKn-bxtqRD8(DLCkZMooKgKy^u?-tSH47-f<$w%VnOzy_p}Fn&s_vIt8i6G zvrI{>4Jpfr$zqkn8T8aR0(D}#nb>J?&^U-5HMoC;$#fI0y>j8e9WnAL*!Ycg@?lu zm1@4^BaMzyu!(()Qu+m5&}@Q(+~0!>cUMp)whv9~Y%d0=(QE3(QIHKU>lo#MU_7hUU+i>E;PE?=`q{I~s z3Qhs^=^4Obw<-hWaRX1^*lcuH#ky(Q2ETB6^A;i~tPY6Ovk78iRsy77>*g-veOicd zW7X^axMAWl20Vx$J61Ar?Y~YZ&Bed z#jyTi><@@>j6-OwY+h@%6vqc1Dt52^|EUclb$|}!bYIJ;7Ulx?pB-41TZ{ci8NsKT z45ajQOE=f@BvsT)rg$=$_ipS&NmuE^xDwyQE?X(#Ns7hDQ>9deE9Aq)Rt}vYm`G1? zMa}X*CiD+ez2}b#X8+DoAJ4*NnA_X9;^7+xRiSxKnPvZ3nXZjBspLqU4`K;n+a}32 zrWSH4cm=OAQIb;;tQfl!+P&-Zw&3%Koiu(bOG^vzZh}qQX2B>^&}Z@B=H6v<<3_92A!pEW0<5kR-># zDjf`8SzD>guT%ft3x$r4NLUcYpV3+?L6rIb?TLb|HYbAq#L{&O`MAU8@Cl29+V!ahnCfWD2hK!h?kA!hpWBd7 z+!&}%_L4DYFj!+_%0E&wW;9A=8>{pV=kK2)vv1)>F-Jf4>rAbX)}k$z&QBYX^lLsP z)8HE=-evseGHB@q&f*EZf0cOF6Gm+%>l~K;McGvLt;|58vH=(7!{fJp3T_}@%YTAdQ>O@(l!c@@AHu~Pme@466 zsX!z`&QDNA4uS~*{Gric{qX^;gwe*gpsw87Tq>xLls+I;rg^ zFv)bGUIaa2?6U~FD!*+%035Oqc$<7y1~jV@S{SFmy^yxD5v(2m}Fr_PO6 z*UGjyl1KDDCoy8cy=(VD9V`0@F&Sth)tcLB%~chK4msnEt@$`V_|(5+^k4cCBERcB zMckl1dxi@cZ3Fv#k;unSDzcE8CEl2<)!`7-We!cp`Xib5_jg_>sIT;zuENvPbsyAc z)u^(DaBABvbzO|vClPL834M#eNoTlnGCv9zR zDy4E|uwU$!;QmK?5KSiZ%l9_3sp&3SB(sON=%}d(aFQm~WV=FT9I7da{21EGMr+|&^I(!LxXkg+V|(6V#3RuQ>HVMC;f^t6=)Me$^EoUhU~cV`zcLQ{Q>0wAixH;z3z&hCYm1% zNI4$Uk!DlgWobH`-rl!Be3!w!*8xampeh%Byvxp}5IL}OVUR@+j)1kdw_6PRP`$f? z_gG!8Z7G{X(6v@6FZK z)qf&>O`OQ0U9pAaT*P0Co^SSPp z3wiU5Bp-Vj8=nB7GaVCCsih8$;@&@@Hz6kvPqDo>W1cD;2)pX7r;0(Hs*u5te{YGR zez;oKk1pT)0fPAo#aE)NQQrgp)m=Cit>Q_|Z(qAiCtjy&&AHUx2=XH5JPc!Hvy9oe zCV{+nmBpdnEe zYO1Q>fYk8d;14ik9HbnBRzDsd9_ZwE#WYYGH{9{$(NZ5S@Cbsl@9?yPr? zp}xasDO7L-aHjk?R1Q(BLr;}r?OHOzuYE-TL*62TruPZ6KIf1w(38e^d}(ec_2-q} z_02px^5q#qruPvw|)P!(R`DSw23r zrt-Sa*E^T%vds9cWD0>g_5>&|fe!alM!FOnzmsnPJn59R>oq37`{92$II1L}C=iLT zs3^14ur*|NcTEXiRM;prYW0E4+zx~Nb=(>TDf6Af=Hd zuURq$824uH%fA?RAB2UMd~XClsH^YIK!kBLHD_#Qeqe(X4fyZIoV1DT1c87RAC1$7 zKRoWd)r&;#D;t}7`H3VZ!%gecV^fnftFw>vUr?_6Z-4!|tSadRL^?kPkp4|o!=GrQ zK*90NYGxgUa${0XoeT*m5BlDTGBrU#lehOn9%+?h8rVp^u~gn?+eS7v^NsEZ0r%o~ ziYG5D1HB6)*^N{UzxFF)Du&;5`>Xrtn~#pM9%AYSMfn4n$^ZU$0dlcS=U0cz8eE%X z)O8pYHEtp;?Z)07^=>VrMjTqMJ!IFl-Ihla)DRt6haW;GPp>oqd-SKHWnDM(<6fdTn|4H&E#r5$E1%%W6Y(Lv& z)uy&k60A3>Jxszmg?7bC?&ofR?6cBG%=@PQ@87?5?-s52mOZyJ+?U{n!wS5-KwtEJ zXQlLGB@BqLWaDWRDRW)-rl&rIKe3+c{r)7poUAF?b7ZEN9@{R8Z@y=2zUvPIkLGEs z#2YIWa>+x1QIm$yl>3LyUIGb!;dzS-wU?QNstC6#N0AJ#nURLszDa@dn(a*0BMKhg z=Cq6+-rA_p?~;#;r_9d5V@(6z%Z*igJ#D|FIJ$Nw8%2OmbZ2H0Dfg@v7<=W)>D1bo4E0wIfF@&^sWl^71Ggtg?!) zwYx=LV<%yL!2d}Y(G*W;=5u+eU zw7RZZ_xv zD`)3QhfzA0JIKxb5;<^?;QjexfxdLCUDJS{*>UaHqKclQrOZg^pLu-dRR96=SlWIi40b@QQB5*G~BUMR55bkpSJ7gAt7p;zv zrI)+qa~v26(^(H}s+MImIIZz5^+wUUVzFZ%S#G*tO)f9?7~QR@Eq+ey6%`JSM zGYKRJrMe5L%w&;qBN-hvgtibJWRekgLBJtO$XRe>lW>M2qYy=)_L1rhB@1g1%-Ct7 z@QXt~J5mqk zYc^uQdiT%^Wy)` zVoA^;=OY-3_pkNtPl-@jrKvD73i;=GvgR8Q$v+LgLaXJzCyy1^rie>Il?6O}Jx{k8 znHz9aKD$<85IL%jdRCg1m*(CrJ^px0>7D3#y{qn-r}wP#>nSsSw~YM1@?fB&cg;sE zVrj@r+x4NTOIlX)(g5c3vDDI-L?@UV8~-c*(rj5^kg&DDlWZ~$O~OUbAA|2~G}Y4b z#j;K|e*F+L8TgRNKieQrQe^ry`AL?HGTiiQupJ7MEvKmWtr1I0hprE!RmbG(#gfH` zUF?4%94nF1H5AcctmJIB^Ir#E!Yj#3L&HL_Ufff`h((dhtL@W2ALu2m#?_=a@-)-+ z(JPJy@J}BGipPaSZ~nNIxdlCeyy%^qW1x|8e~JwRkwIK2RiN@XAV!S4d){e!InXBM z4g20sH$B=^SCuOwgr|jAH*{s06kf~xRMD>Gw6mk(9l}4|T=Rw#U5Ba&9P%r!p-3HCJ?HKI{ z2$Ir%^dQ~cAkr<}V2}!ebV_##hb{?`?oJ60-66dw=egs$ulsscfSo9Ua$5yzAloyTFX|*0X{WD4b2b({>V7>n8N%HZv0Qe`Gs4b5 zS7*^Id*-}#1Ne{+r!Z2BitKM@ou2jwokLSQ0QmD{pbxSl3?IVpcBZNks%g147C3ou zT<9Jzs8#uPeYBV`g`s_s-OY`k>J{?dJ)`^g?<1Q@s@-@r#-H)l*BSQmHOsuT9-Ty+b7fWD@M!wa+&*};_4y|kh z(F6v`DA3IE3gY$V_9n2|kl zp?W1Zl8U&zraMWx6n5btyz=}mm_eMMaMyG$A~M;j>VwB@YPZ6sPrC5&pBh*z`#DY0 zDOo$VKj`~zcniYEZ0leSF0Q9aZm`7fK!Mf=R^LR|u^rX%|1D{+$bAA@G=O3Z5<~t@ zg^MqrB;)}-n&02F5v)f{Pfv3gcMEtN+m{%1-DA}`jrPM6*^W@vseHRA0nF-nUb|PH zAEcN3_;`!>^z01a*n@UP#SG{r!yPxj1I@&L;;g5u9L%TS-$;R=?Hp1;p}*}bJ?yIU zXqGF8EKoKwQr7vFJjMs(7Yy$>>8Ya${AdBaHZi{G!z>~wx zs9~s89zZwx_o5=W&QIeck5@=+Y;4w=t#?pu+5OW6;Pgv*B4`hfs`KF5uN*5eo){b3 z=52>)i@9Ju|s3+QuO-)D8vr=~ZKKsIG zu>prs=V-N)H3(efo@`(sRu}=S{t?9SrA{h{24;I zIX_?GadH5AdUjTim^do=rC;6I!34y_fLbScop0~#z+DL|EZi(MXiaq6;7xcbus^7% zm?=Zf{zgnkXBv_yifor#_a4h-D>-dW108c@%x-hKHd8tdsIVy8`JZOB4hZk#ThQ;| zYP>R-T{H5@pWAYLu+GEH%gbwdtfHa<@`jqjX*YIA!aCQ6RCO?4gD@YyPnMueqi#(EPSWoc)8;$PSp~ETpg(UeBhE^r#<|%4u|_Gw<6($t(LYJ8p{FogxBmR}XcrR4?NNgeaslTe zcMecMAs|2BO}g;^1%(FJR&pm2-_ZE@(~_jKJPj{g1fK8>sppemv&q=>8p0VBk#BYu z+EPVB9H--=qUfp4j`us@i^G3I4<5`il7@%JsV$5a+Riq>-ow6t9pFCO;Pd`Eu8!lF zVRz;XsHVL1y92$V`(d<_Dg|1V)-!e4ikaMIgIVqz!4!fTOE#B9sb9aF{75-X^aQ`b zZ5Z0Uh48Lu`a*^m^7GUE-HDlV$6sF_L1I+9UN#Z$gfi)SfrO7Ty-wWG;DdF!x)b=F zbX*oA;BIIZzivqp2`Z@k^Pq|0>>}m)!>uE966}`~Q&UrDo?7Wme(83wb`+$0+ISS* zo}QVhNlbGu6c$#(K-?AY-RpPh9#UvKO*uek5www!b6cprefxd4U~g{^1M8Z=ZYKxT z>)1bEWrcWQ%i}LYtqHoZYi)ivo}Zo2)6l#zG_2k0m(-uPr3j(t=XZluMAZ)&5@@N^ zLN#XiP4>WGp>93AXNt3nkX}Zu)pqB|T?GRNVMc;Uh!-M2(E}YyP%@r`O&DJ9biB7r z%57mXQD%8^u&$b?_SAVx4_{nDVr8Srh@Zn0~$m%Zbv#_+*)qPh1ijYw7OhoI(DzL!3t56JtBl#D4{c#`dMrbLY5QGkXKRn(!t8=ek6H?w;OpGXWFV6cd8BjUK^Qn%SzFJXA z;}#+-;f9odOoH1%4fh7`Oy0h)*v_&b?U7ArP31}xk7_MX+Q6??N|T`)mwj%01Oi|G z4&m#?2x1+Ve6-h*QND0>=7~|h7rdz5X=GNOU;?!*Dz-=0=q7i2aYK4`7EgK>AJ(~F zz%R)HnCT8w2b7r2c~6!r1Q)Ih}MY z=j&#FQA&@!N!`~M=V#D9V>gtn z^rbIbcO!e;Aj7jVlg=;$*0@v*drOQA^jv-ilgz(S0fol^T<|r#6c<~+n^d)ITVP`e zpZ}eoZw&#CjvAu_mNmY|SRc3E{llW%*T7*j|CuK?0}8B^6K-^}iSCf^59ezho}X-b?X=O0yqSUa zfyuX$Dk>^QMt@R6gv?_9fEB!Uhs;FKb8WQvHYxX@M$j+*&6)v#L($t8=ZE!~85w{s z?#>0V%1BAU@67Kl50sRYP%Q6Q zAK%-g(3S~5(deqjMfl&kLWgW)X01{9NNu}#c@v{}XAdXsR6!I6X5Do`EYZI+QP3JR ztAx*%yVTV!a|-~Ue)LFx;aBKadf7573fSpWPBY|!RZ`fNAX5V2B8U;3Zd7mHd#tv# z)4_^M_H3(zwZ3#kA?O~9*-YIT&x|`Y6LZeXUt%nt2nBD|ly)O*3X zHd$i4$x)JfqI@94;f78u$uM?#_TW|ZCspGyK0l{DZp{~^^+gVh7jVclZD_lp5 zO7CQg%>xcJc#yyIX3x>u)blyg-;Y7Ar{_@Vb(nrEuidHXfK zdZ~%Ln%?nmKT39X_C}qj)YS8^@TgM4fng(kxG^O{1Fa6g41;BU(6mu^vH_%})T}Hq zq!G-7``;}l_YnkM5A0Omk)MK2!RY3MJGyljDBGTd{Q*!Gd8+rk-f8+s@APl|#*Ejj z&-HU=E-u3+->$={L$~xn-3vaerCwl~>m3N6Z@<1<#+w4}6+8{>3lStNQ8E>s_Kpt1 zP|vetLqPbAjDksdHXwka3X6-Ye$y7#5=0E9v|Khx2yP*CH8=ctf1R~@jU7D@$7%W< z22i9r34s;>Sb6I}E>b6@2oXhM`goreX%#@n5Znk5Q}L=O_x7g&!Y2e1O`-M0yA9h_0|0^89QQ7sc(hpW9dKs{QnJa{{r> z=rJS|znziOk5JSSx_v)#~@$5g9en#5kLTcusI|A=+Pr)=2eK4 znJC{=xNrS{_DzVbA$l$YIhTcfj@NDtsONeGr)E?%_U`b~6! zokyqiSFa1dmz3HUjqmRY&K`T6|H1VWs&Z+kR^E9Vv2{eSmPGaXw$l2HS8tWe*6gEn zr6%9odB2%*2j6rN7HUw0pr_q7A?VqFSiOCQ-{W`>Oj9X%e3)8T;v^94`P0zS0{3o= zvkRDU0b*d;qF6K||k8I_h`1pxyd2U|Ikymy7rrdrjYukCc4rNmYcOT`S zoF*?ciP-&NA>p)XP%o>o0>K8#ynd?865ZgVN=r9vI+XMAGHm6f zP6fist^89Z6rEHwn||XJbRsMs4N@>(Fnf*6BFP8D1|-Uo2hwB`xjuy!OkO= z2-jL2b4yJ8Vjg4~d?&DHyUVrM2xAD}w1;*1(v?<+Sq!Gg{N?mtIB1@X?F_i6 z{Rky2@!Eaok8|EyxH8DXfw?Ft{opj@1iA2a=A7f=*EW-T-#}ln!Ekec*S_;7QHrB^ z`Xu+`uSt{6GajiTH1y~c*k_P%S+Lu$%D<_R%lOdKTz_XI3fG!7%pZ1oZe4Y|@D`p{EObdlaon?tJsVoCUy3Q`G?}dMqjXz4%*d7=C_UI) zvULGth3WJBA>P&rgjx-;PdzqkfdpAUwRs5iDf`uf)Dq8@-CvNj)WZGsg59*dyj*N` z%j{#QZhf)f#n#sZKYMX=mrh+ayPnvI3y%E=%Be)Re=^m0@>kZ!QLQctD+lZRP22($ zvK^6K2EFY5H+-;%tVZtVT@l>G{mOo#<-V+4xhkwyX1UFTZ#s1{_oV5q?An?BG$oz# zK+xPCupcvvtuW0(Tl~0Lg-VZdnY|_i7^RU4HFdhE^*Blfio>bagca`fld+Px>z`%i z5@m6%YIcPci4V^9MfPLKp9nd$WqM7qZ55wO(gj-$n2-I=_Y0JHkV5BFn`-*HmVn&( zb4zPh7x2kXSa+2l8%j9Az7DWds0N)9=qFG?v!t{;R3UGV0WP=Z9V*lEF#w(2Kb1# zIpONOuBF{#i059(KN^zL2OhUBp3x4oVB%qYc4y2D`KYRLKuk^?`l@b_nY28q&fus> zCF<@KiMOmvd!tU2rhQ42(|p+uTbw;r(@66sIi_#Y_`DhlTbcVwr8)9sEUUjO0fnixaVxm zpU_VqZPJH_g>1ML&|G|q8hRo=7j!%Ru)t!{vwyg!98K9RWd&_g#)mnM*`GD(GBZ!Y zDAjhSjs5C2`@Vfvy>F@bz{7Frgz&sEXoV|x$@{+ezURpK3MEf%R_C;Ud`i3UXuG(I z(RXe-owvCtLKNZ4w^=$Zw^!m@N)GbJiN;6CP{dd9R9$(@+`6ukZ>kA7EaPhKV70WK zePp#%KkkoA_o`fS#TVZnHccA;>s9X2SKarKsy|gf&X|XFZRS~S7?#e=V>D`A_ue%L z*2;aDiLl6rU^&(`GTJscq6@VRS#Qps9!iW%=#GEi3$+#= z4NZzNajwoNKdxtfr4u4!{ z8xr4iLGnxzy{i51m0+~{H34a~;JRuduZeQMzrM>4C!$ApF_iqSELPTQUz|+rhd6Iy zsjCWoaY#o^mFUM|jhqeDt?r)J7nf5mv-OT|-JixDdr$uc*O6l3=O;<4&Wf}!?oVa| zt9j#|2T}v}Ivf)^gm;QX^j_?@FOPUEGV3BQL{d)!5puNs{VO0RQhnMT&3R1*f|J63 zu&zHg|J%Q;B~y^Iz>}w_OdN*g%^)e6D=QEvD|P$|CE3|k@PqX_BJ1`IsVqlGsOF`T zE|)~W&k@1CzkFWuwnREI$Z3zm_gv<6s4~5W#W{5l?>^ zcB*v68J}7eoy>Pj|J=M*Zsr*ob#idzPOKAM37xY8oaGi{)5$L*{TI;0G<4Sr3*<6` zWsv|r=j5Oe-n(GJ<=I#2==-#~mvA1u-6eP?o*B>+fW~xWXG2=z!2@>jf9KQ)E$wMe_yb1Yp`HBp;ANp%X zR<*w`+{&$?p|Tt=)hM@m?~t%%U9X)K+V>bDDPG>A=76um3U3#qBryK41^TY`^Tz>JGdqj}sJBww~cUP9Z$<^dRDd*m6YZK4N z7HMAHKUf($3uLZ}$+!=Ag^%~lrmDpL@<7w(;mO(g++5f_7Ip~<36eN0@7T{b3190q z=F0Ls;8`H+iDQ;I;D)nF(K(AunMDxj$$6svHfP1#7zz#fAo6-3#fZNQ366k zmLAROmyYE7K=~UDNjkV*6tNlZ&cypwWlEvWCEAZ z2moNtxHJ0qpT z(LSDikNZToPJo%&{7+{L&|v_Alob>6AL7UK-hJSMz5Tkk0Ru&kTiLI10a;*oH>i5L z9nAhnH}`~$-EOkN7Oq6K16jp!c4i`I{$?pK0g5IlsEzzyQj!D+^1t8zHqYdjhzMG$ z%eWE?SD*;GRdNfem|j`mKy+JQp?fGZ1PB6Pj2DZnUeHCu=Z5ydy8eL2%EA&BYVSBT z6?~-x+g zm8a4OFk#U!mrp5;PKjW!j7`DWA0pm;J++`gZ?TS8HQMqU)-WF!%rFf!85s0=-cZ?J zK0^uds?YOpX=!N{70sK6n#>;m2W*grhQ?Wd0${>@*BYI|*7oQeB+Tt^IEg9Y(j;`oI*;|s>Pn3NIr<`4VP zlg;y#|5o^D1T|cVFDQ~w7z@KXGx?lJb&n{U6%z$|?9U7&u3ix0rxOvkXVI3HUDuba zhX!|S0EhoMs$-iI(BzJNe(0iM`(8Hv% z3$7m(Ochfryg$i?bIvqm|FT~2L>1JMLX8r??!e}Nu@NwLIZsvDRj3^ zD##bp*+W8mN3K1;4FW+-ik>9hcO>DCgxg`54C*;bv43Kp@!4szdumDNy#iNxmls@^ z!r$_A{IyfO)ax9<_#_84Imh5pm90S&6v1;85XM7$teGwbVuHijUtn?i(jIrc;#5!i zzHh6Uot62p{^$1l*S^-73o)~*&)WvaNc~tM zD=WRycO%Q?uPVh2bbN@yKiO>z{7lAj0$JN@xZ_VLjFprEN|Okhu3=?qT%miO)=7nF z_){^j1v}r*-{2`lQ&F`nV9z0b^%7k1tp*=nEh;saEFzmV205MiOXm=`ZX>wfU&6t2 zu{RU3X;sAf$9pw!UYc7n7`h7h4v)|GX}G-`GCb3~ueDj?SQ&B%>TY$ptr&G+1!V%-N7Sr{tP#AR9Cu&mOC}(amQ*rf=eo%*L ztt!rXA{s(bZY~+zsbsWn%`ehYRgB2F`tt4b``zZNX8A3}HYNHb8TZ+6UaorIOr*^e zqzKvn1sMPOOug_W8gKOQ*Wfs(v}G*DX znEg|NZ+^IevTt4l=33SpB6F$abs?ZjkLRLs zlU3s@J{%>EC<&BG)*0^A2>Kvm>VCa=ZO!jkgaO&EyuNMW%EnB>+~}-F>Ku{rS2O!d-w1zS zTTAcXQJ@X=FTE0<3DvY`=}2?hln#~Tck}itZNGT!TDqkijZI_QkF!zwu^Q&gYylDR zY4(mve`S>@jl;1|Or=F`ie&UFC}xc>6le1A9%^E_9Q~2OsY4A{G-uyE^^qMLi4+hsYAM6{%kuiDMW5GVW z*d0gBp}n_opaJd*6aEy9fMU&HKEDZ&1gi@uGCi*XSqF<8uFW#K0=0BH zeC*G?SKZ{$jgkj;y!21X;^lwxVlzHIBYDM!b>DFK3a(Y8R}DvGXry;6kRvLJ3NrB- zIn>czrudc)*%{gSW?zTL*-Ev8Zff#-e~g;*F&LJQiCaX!lVlL!y(QT#sun^lV|~Sp z6Sgk@V%capvR!J}p4ObBG~9c1h)&s6`YyR^pmKO1TOaAu-((>rhvH*bf3)C7l-{c@ zq6wDl<4q*-T#(QqYH)$e`wP0OEE}}Hp(C%_D9|<|z&Ez&uiE1)Tx^|vkva7!vN2Ff zfm>wkP(xmv5nIz@`IDKX`((pWaKn`=B9FOvoqW4Ra9Qa;v}E))TUwHIcjSayDQW~# z;&;4A{-VSu=5#F2_?nH11%nH^-)-5UXBE~iX(gz}0d+}qvvi95`dq7HvnJ4m@7c6d4XvAVRt6AN_QH&(s?-FP08o$;OM$v9ktC4XVeZ8 zoEe_-f9}a@lw9V5yoV12n)h^6G^{sumZKq3>R$8^}e98RoRWl0k z*2#f%=A!POb_*JC!lbcrgiWu4$pU)u|#AY^IZ=uQa^U!_3i9qi@f_ zK;P=e^$x^~_U4%9D`%Wj%*lT0&myG$?Er#I<2Cy~+{u3)QDC5A@K>)PxG z8&c0ykB*Mg(s#lYB0kA?3sxL$3~Q&3CH}Q{S}m}{wF-7%Ml_K7VEbdRD43f|%J^oD z^M1VbuZ{g*vyuPcypa@k`tNa6b&+ILJP^@hGlbsKKxc+^-G%4seey?KT>HMH*XZev zjXM7x=9fHRPU6^HDM;hzDxhaM+8!|5~RGido&epSSuDvJ)k81W8mzo_2XtztQy zNTj@I$^ARSfF6Q=du}I|MwtL+hB?lk@W~r zE^6S2z;h>9wT~C89DX=MLG2J`6!J*1sjBR=lS3KF+(Ohe6r20gb&t-@a|<_gm6V`q zJUlEcJ}j)pq)(xV?f76lCRz<$Q0=*MenP2vHvq%GZvt-z#d)_)auqGDo$c1$urLB(yP5B= zpy*{21OHSDiRK1x2x(~9*!`sKPN*eCp}2n*cwEdKcg@t!O*ge<9zXUhQ%${fou`)J z9~YtV!}Z3xdKpQv*iwhFucYX%72e~`xO;1le`#{f9<~_G9<%BsmKhvLcd^#33J)Z9 zR_cqD#FHP17N{S;@EfFSqtJakO^awIDZ#@N1s;{6n%ctQNykh?czASZpFON$Bn{pT z_mlNwZc7bKr*!~{FU#`5WNm=%am|II?%|JB*xD^+0KL-BpNN>4n25+?qU_}*_8Aly zsHhN@d+MQ_TQhfhj4d9J_`(11eD(WpT&Idx$Op#?Po&L@_XqW%V4^+tjG5(;IC6Z% z@_Y4cmcM)H<^%{6{Nbp{p5~+6BlB?UC`h81j9%MUS56;pyM0ZkcloS#2D$keJtY$YfwT z=lo|jfdI28=%(YjoX(q_%_x*qXwaHBIhh+wDJ-w1R$<&zC&{}0m`bM*9+@PgS!NO9 z;5PpvjQ)4A%=`22`Wws>LNlt)ryuH<5~gxJE6rYYr0q4e&`a8Xvpd7VS9dqrEpI(c zxT)maIP1{GCp%RvAS@RTb;W~=jGpNW?afz~hs5N%&L&^|7p@0-?RIrq2d{sgCdKl0 z23@M{#R=;XSS06Q44|GGV;bvs=WGi$LY~VE$l9-r6pm;+ogtCHx<$QRj8)^|*1@r! zs?|>zBrbpK0)@vbi_2QV1`_4f@P^d!y>{*69^blf^CwH3bpxmncm7;$iFyC)E^Mpq z)Ge7+?#D`Dt^5_sBGejAhYa(dJ3J3Yt3oK%`6U@E>(ph?u3ZO2WS=(xbglp*Ui)VU zQnLpvDag`0=Zq3aX8e2+a~6s4dy1t5>C%ef$#uuCb@JleWptc>N2u{U@&pc0mj4N< z`wp6VMCifd&t`hhyNH4%Ub(n&w&oSG2ojA_g%o7Kkfm91l~Q{6P~|Jim!O!6cmmDp z|IzU|4g$zmIwR4~`oxY!N|DJ( z!7qWS_?R*M^%S6ruUXIek(i1^%l>f?l+onbeJV)|YalX^*aq^R8EQ9$SpYZISty7s zWWIju2I9Gt(xk}GiaDfSV6cSHpJ%zemTXzg3GTi?jx$gFT zg!gFg@Gr?M%|XL+|La#WRtO|o7KJVDx&V(KrB!72SXa82V0HBkUUZI#Gg*JSo03fe zhNUGNJJj$N!^?ioH$Mnb>}FRS(_#1Zpz~q88U7*TDP!v!>vSA^a$~!31j3(>mTKG< zTPHvKty1`0N+u1P$XCJ7jL(=dsS3=n5zj4CI^qQi=4>#(!ZiZ!`gTYe1adMNlSl*r zYhASdBLdO<{`AzH_BBb)+;&Ajw$#%+F8t^m$)k_clA??DOGt#Jf7s=tGroDiulm3l zkYQCG%BL`sg#=l)v<>7aS4VSyqqB3LZ9h(y43a(g8^666bz%A?ak$DM2)I*fTz3)P z3>`f^7fY#?J*Q_$DG??EPgvC@@A6?O3UnGN)VePI+!!*yn*To6`f8>#U`D9nl<;AV z0Dpad6U%W%iL2MQ!q2qOzh4NiEy|_tazh)9x1)tJk!ASzj%$v(4DERMv>C(0$W1vH zM(4TsEN3;jhQ@UH9Qo#3*c!RYOzHMEdNM(#OijH6Y|`em&I3&1f%h!W?C*7>Lp z60f>*f2niP(Q3qH5WEaGO=n2YU**>9LEX#fO?RNBElvcD+viBW@Gp-g7+;2ysNfOc z=dZQgh#*nX=pSa#TDD7bcVYbFLE)3_8X?_WWgm6tT6S+myh=(0Nqet`<}w5431f6T zve}>QxvD2L%E%LQ8>@c2mr`n{V3KW=AI>FUtjql*I`W+;0}J!BAf+oAu>}^P;_F>eu-AJM9Yf}$u{v9m-ancauAoB3dRz7f_0RJ+U>q95Wu<^4NTNd0 zpS)2hr7s>OvsCbqrRAlIIBdvojlve%W!*Fcfr=7&ifEef0Q;;IqSNmY*|O{;*Af2o zzk`-X%^g?!Pl;Cc-Wjv<_J@5)r^Ober|1vEi%w~K%BD)kv8*R3j-;vR^(F|_drNRa zN?b>jVUTtQ;jI?v{Ks)rizYqXAu^tWiIJsyAel_lmV5a_1JP~AP{!9rHxrPI-G!oT zya5~n;!6SgAXkQ%lg=VkJW#+)j#nD5HI*NK>Q0atIhR>O1DiGbA%}QTGtCct9&)Xn zT=$}aXLnnA%CQl0{31)KYj|nxID!5*wK-&>T*5tsw6!v5AHn|O;1FM?N$XX8G0}0| zpPE;E8QTH&27Q!}#28`pJM%?<4yJ%`Qs1ERQn&8oC_Usl;^FyH;4$;! gs2c@Qq{RiL`_HZP(tncK!C4{1MP!f#pat>Y01;`OF#rGn literal 0 HcmV?d00001 From 7cbb9decc00789f20360b67cfaf71f2a25c1b1ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?= Date: Thu, 20 Jun 2024 18:24:45 -0400 Subject: [PATCH 14/19] README: Rewrite boot page section to reflect new admin page We removed the boot page in 5dc4706dc7ff3e3fb1adb0ab81e4d8559a021b7c, but we forgot to update the README to reflect this. --- README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index fad5aa62..ee9099d9 100644 --- a/README.md +++ b/README.md @@ -117,22 +117,24 @@ You can find a lot more about configuring Grist, setting up authentication, and running it on a public server in our [Self-Managed Grist](https://support.getgrist.com/self-managed/) handbook. -## Activating the boot page for diagnosing problems +## The administrator panel -You can turn on a special "boot page" to inspect the status of your -installation. Just visit `/boot` on your Grist server for instructions. -Since it is useful for the boot page to be available even when authentication -isn't set up, you can give it a special access key by setting `GRIST_BOOT_KEY`. +You can turn on a special admininistrator panel to inspect the status +of your installation. Just visit `/admin` on your Grist server for +instructions. Since it is useful for the admin panel to be +available even when authentication isn't set up, you can give it a +special access key by setting `GRIST_BOOT_KEY`. ``` docker run -p 8484:8484 -e GRIST_BOOT_KEY=secret -it gristlabs/grist ``` -The boot page should then be available at `/boot/`. We are -starting to collect probes for common problems there. If you hit a problem that -isn't covered, it would be great if you could add a probe for it in +The boot page should then be available at +`/admin?boot-key=`. We are collecting probes for +common problems there. If you hit a problem that isn't covered, it +would be great if you could add a probe for it in [BootProbes](https://github.com/gristlabs/grist-core/blob/main/app/server/lib/BootProbes.ts). -Or file an issue so someone else can add it, we're just getting start with this. +You may instead file an issue so someone else can add it. ## Building from source From 6c2079166c5931c75e4e0456e4dbc79f729e694a Mon Sep 17 00:00:00 2001 From: Roman Holinec <3ko@pixeon.sk> Date: Sun, 23 Jun 2024 05:05:48 +0000 Subject: [PATCH 15/19] Translated using Weblate (Slovak) Currently translated at 27.5% (368 of 1334 strings) Translation: Grist/client Translate-URL: https://hosted.weblate.org/projects/grist/client/sk/ --- static/locales/sk.client.json | 220 +++++++++++++++++++++++++++++++++- 1 file changed, 216 insertions(+), 4 deletions(-) diff --git a/static/locales/sk.client.json b/static/locales/sk.client.json index 0ee86e76..ea46a243 100644 --- a/static/locales/sk.client.json +++ b/static/locales/sk.client.json @@ -41,7 +41,8 @@ "Allow everyone to copy the entire document, or view it in full in fiddle mode.\nUseful for examples and templates, but not for sensitive data.": "Umožnite každému skopírovať celý dokument alebo ho zobraziť celý vo fiddle móde.\n Užitočné pre príklady a šablóny, ale nie pre citlivé údaje.", "Saved": "Uložené", "Allow editors to edit structure (e.g. modify and delete tables, columns, layouts), and to write formulas, which give access to all data regardless of read restrictions.": "Umožniť editorom upravovať štruktúru (napr. upravovať a mazať tabuľky, stĺpce, rozloženia) a písať vzorce, ktoré umožňujú prístup ku všetkým údajom bez ohľadu na obmedzenia čítania.", - "Remove {{- name }} user attribute": "Odstrániť používateľský atribút {{- name }}" + "Remove {{- name }} user attribute": "Odstrániť používateľský atribút {{- name }}", + "Add Table-wide Rule": "Pridať Pravidlo pre celú tabuľku" }, "AccountPage": { "API": "API", @@ -150,7 +151,9 @@ "Create separate series for each value of the selected column.": "Vytvoriť samostatné série pre každú hodnotu vybratého stĺpca.", "Pick a column": "Vybrať stĺpec", "Toggle chart aggregation": "Prepnúť združovanie grafu", - "selected new group data columns": "vybrať nové stĺpce skupiny dát" + "selected new group data columns": "vybrať nové stĺpce skupiny dát", + "Each Y series is followed by a series for the length of error bars.": "Po každej sérii Y nasleduje séria dlhých chybových pruhov.", + "Each Y series is followed by two series, for top and bottom error bars.": "Po každej sérii Y nasledujú dve série pre horný a dolný chybový pruh." }, "ColumnFilterMenu": { "All Shown": "Všetko zobrazené", @@ -187,7 +190,9 @@ "Widget needs {{fullAccess}} to this document.": "Widget vyžaduje {{fullAccess}} k tomuto dokumentu.", "No document access": "Bez prístupu k dokumentu", "Clear selection": "Vyčistiť výber", - "No {{columnType}} columns in table.": "V tabuľke nie sú žiadne stĺpce {{columnType}}." + "No {{columnType}} columns in table.": "V tabuľke nie sú žiadne stĺpce {{columnType}}.", + "{{wrongTypeCount}} non-{{columnType}} columns are not shown_other": "stĺpce {{wrongTypeCount}} iné ako {{columnType}} sa nezobrazujú", + "{{wrongTypeCount}} non-{{columnType}} columns are not shown_one": "stĺpec {{wrongTypeCount}} iný ako {{columnType}} sa nezobrazuje" }, "AppModel": { "This team site is suspended. Documents can be read, but not modified.": "Táto tímová stránka je pozastavená. Dokumenty je možné čítať, ale nie upravovať." @@ -219,6 +224,213 @@ "Activity": "Aktivita", "Beta": "Beta", "Compare to Previous": "Porovnať s Predchádzajúcim", - "Compare to Current": "Porovnať s Aktuálnym" + "Compare to Current": "Porovnať s Aktuálnym", + "Open Snapshot": "Otvoriť Snímok", + "Snapshots": "Snímok", + "Snapshots are unavailable.": "Snímky nie sú k dispozícii.", + "Only owners have access to snapshots for documents with access rules.": "Prístup k snímkom dokumentov s pravidlami prístupu majú iba vlastníci." + }, + "DocMenu": { + "(The organization needs a paid plan)": "(Organizácia potrebuje platený plán)", + "Access Details": "Podrobnosti Prístupu", + "By Date Modified": "Podľa Dátumu Zmeny", + "Document will be moved to Trash.": "Dokument bude presunutý do Koša.", + "Edited {{at}}": "Upravené {{at}}", + "Examples and Templates": "Príklady a Šablóny", + "Examples & Templates": "Príklady & Šablóny", + "Manage Users": "Spravovať Používateľov", + "More Examples and Templates": "Ďalšie Príklady a Šablóny", + "Move": "Presunúť", + "Other Sites": "Iné Stránky", + "Permanently Delete \"{{name}}\"?": "Natrvalo Odstrániť „{{name}}“?", + "Pin Document": "Pripnúť Dokument", + "Pinned Documents": "Pripnuté Dokumenty", + "Remove": "Odstrániť", + "Rename": "Premenovať", + "Requires edit permissions": "Vyžaduje povolenia na úpravy", + "To restore this document, restore the workspace first.": "Ak chcete tento dokument obnoviť, najskôr obnovte pracovný priestor.", + "Trash": "Kôš", + "Trash is empty.": "Kôš je prázdny.", + "Unpin Document": "Odopnúť Dokument", + "Workspace not found": "Pracovný priestor sa nenašiel", + "You are on your personal site. You also have access to the following sites:": "Nachádzate sa na svojej osobnej stránke. Máte tiež prístup k nasledujúcim stránkam:", + "All Documents": "Všetky dokumenty", + "Current workspace": "Aktuálny pracovný priestor", + "Deleted {{at}}": "Odstránené {{at}}", + "By Name": "Podľa Názvu", + "Delete": "Odstrániť", + "Delete Forever": "Odstrániť Navždy", + "Discover More Templates": "Objaviť Ďalšie Šablóny", + "Document will be permanently deleted.": "Dokument bude natrvalo odstránený.", + "Documents stay in Trash for 30 days, after which they get deleted permanently.": "Dokumenty zostanú v koši 30 dní, potom sa natrvalo odstránia.", + "Featured": "Odporúčané", + "Move {{name}} to workspace": "Presunúť {{name}} do pracovného priestoru", + "This service is not available right now": "Táto služba nie je momentálne dostupná", + "Restore": "Obnoviť", + "You are on the {{siteName}} site. You also have access to the following sites:": "Nachádzate sa na stránke {{siteName}}. Máte tiež prístup k nasledujúcim stránkam:", + "You may delete a workspace forever once it has no documents in it.": "Keď pracovný priestor neobsahuje žiadne dokumenty, môžete ho natrvalo odstrániť.", + "Delete {{name}}": "Odstrániť {{name}}" + }, + "DocPageModel": { + "Enter recovery mode": "Spustiť režim obnovenia", + "Error accessing document": "Chyba pri prístupe k dokumentu", + "Reload": "Znovu načítať", + "Add Empty Table": "Pridať Prázdnu Tabuľku", + "Add Page": "Pridať Stránku", + "Add Widget to Page": "Pridať Miniaplikáciu na Stránku", + "Document owners can attempt to recover the document. [{{error}}]": "Vlastníci dokumentu sa môžu pokúsiť dokument obnoviť. [{{chyba}}]", + "Sorry, access to this document has been denied. [{{error}}]": "Ľutujeme, prístup k tomuto dokumentu bol odmietnutý. [{{error}}]", + "You can try reloading the document, or using recovery mode. Recovery mode opens the document to be fully accessible to owners, and inaccessible to others. It also disables formulas. [{{error}}]": "Môžete skúsiť znova načítať dokument alebo použiť režim obnovenia. Režim obnovenia otvorí dokument tak, aby bol plne prístupný pre vlastníkov a neprístupný pre ostatných. Zakáže tiež vzorce. [{{error}}]", + "You do not have edit access to this document": "Nemáte prístup k úpravám tohto dokumentu" + }, + "DocTour": { + "Cannot construct a document tour from the data in this document. Ensure there is a table named GristDocTour with columns Title, Body, Placement, and Location.": "Nie je možné vytvoriť prehliadku dokumentu z údajov v tomto dokumente. Uistite sa, že existuje tabuľka s názvom GristDocTour so stĺpcami Title, Body, Placement a Location.", + "No valid document tour": "Neplatná prehliadka dokumentov" + }, + "DocumentSettings": { + "Currency:": "Mena:", + "Document Settings": "Nastavenia Dokumentu", + "Save and Reload": "Uložiť a znova Načítať", + "This document's ID (for API use):": "ID tohto dokumentu (na použitie API):", + "Time Zone:": "Časové Pásmo:", + "Manage Webhooks": "Spravovať Webhooks", + "Webhooks": "Webhooks", + "API Console": "API Konzola", + "API URL copied to clipboard": "Adresa URL rozhrania API bola skopírovaná do schránky", + "API console": "API konzola", + "API documentation.": "API dokumentácia.", + "Base doc URL: {{docApiUrl}}": "Základná URL dokumentu: {{docApiUrl}}", + "Coming soon": "Už čoskoro", + "Copy to clipboard": "Skopírovať do schránky", + "Currency": "Mena", + "Data Engine": "Dátový Stroj", + "Default for DateTime columns": "Predvoľba pre stĺpce DateTime", + "Document ID": "ID Dokumentu", + "Find slow formulas": "Vyhľadať pomalé vzorce", + "For number and date formats": "Pre čísla a formáty dátumu", + "Formula times": "Vzorec časov", + "Hard reset of data engine": "Tvrdý reset dátového stroja", + "ID for API use": "ID pre použitie API", + "Locale": "Miestne", + "Manage webhooks": "Spravovať webhooks", + "Python version used": "Použitá verzia Pythonu", + "Reload": "Znovu načítať", + "Time Zone": "Časové Pásmo", + "Try API calls from the browser": "Skúsiť volania API z prehliadača", + "python2 (legacy)": "python2 (zastaralé)", + "python3 (recommended)": "python3 (odporúčané)", + "Cancel": "Zrušiť", + "Force reload the document while timing formulas, and show the result.": "Vynútiť opätovné načítanie dokumentu pri časovaní vzorcov a zobraziť výsledok.", + "Formula timer": "Časovač Vzorca", + "Reload data engine": "Znovu načítať dátový stroj", + "Reload data engine?": "Znovu načítať dátový stroj?", + "Start timing": "Spustiť časovanie", + "Stop timing...": "Zastaviť časovač...", + "Time reload": "Znova načítať čas", + "Timing is on": "Časovanie je zapnuté", + "You can make changes to the document, then stop timing to see the results.": "Môžete vykonať zmeny v dokumente a potom zastaviť časovanie, aby ste videli výsledky.", + "Local currency ({{currency}})": "Miestna mena ({{currency}})", + "Save": "Uložiť", + "Engine (experimental {{span}} change at own risk):": "Motor (experimentálna {{span}} zmena na vlastné riziko):", + "Locale:": "Miestne:", + "Ok": "OK", + "API": "API", + "Document ID copied to clipboard": "ID dokumentu bolo skopírované do schránky", + "Document ID to use whenever the REST API calls for {{docId}}. See {{apiURL}}": "ID dokumentu, ktoré sa má použiť vždy, keď REST API požaduje {{docId}}. Pozrieť {{apiURL}}", + "For currency columns": "Pre stĺpce meny", + "Python": "Python", + "Notify other services on doc changes": "Upozorniť ostatné služby na zmeny dokumentu" + }, + "DocumentUsage": { + "Attachments Size": "Veľkosť Príloh", + "Contact the site owner to upgrade the plan to raise limits.": "Kontaktujte vlastníka lokality, aby inovoval plán a zvýšil limity.", + "For higher limits, ": "Pre vyššie limity, ", + "Rows": "Riadky", + "Usage": "Použitie", + "Usage statistics are only available to users with full access to the document data.": "Štatistiky používania sú dostupné len pre používateľov s úplným prístupom k údajom dokumentu.", + "start your 30-day free trial of the Pro plan.": "začnite svoju 30-dňovú bezplatnú skúšobnú verziu plánu Pro.", + "Data Size": "Veľkosť Údajov" + }, + "DuplicateTable": { + "Copy all data in addition to the table structure.": "Skopírujte všetky údaje okrem štruktúry tabuľky.", + "Instead of duplicating tables, it's usually better to segment data using linked views. {{link}}": "Namiesto duplikovania tabuliek je zvyčajne lepšie segmentovať údaje pomocou prepojených zobrazení. {{link}}", + "Name for new table": "Názov novej tabuľky", + "Only the document default access rules will apply to the copy.": "Na kópiu sa budú vzťahovať iba predvolené pravidlá prístupu k dokumentu." + }, + "ExampleInfo": { + "Afterschool Program": "Mimoškolský Program", + "Check out our related tutorial for how to link data, and create high-productivity layouts.": "Pozrite si náš súvisiaci návod, ako prepojiť údaje a vytvoriť vysoko produktívne rozloženia.", + "Investment Research": "Investičný Výskum", + "Lightweight CRM": "Ľahké CRM", + "Tutorial: Analyze & Visualize": "Návod: Analyzujte a Vizualizujte", + "Tutorial: Create a CRM": "Návod: Vytvorte CRM", + "Tutorial: Manage Business Data": "Návod: Správa obchodných údajov", + "Welcome to the Afterschool Program template": "Vitajte v šablóne Mimoškolský Program", + "Welcome to the Investment Research template": "Vitajte v šablóne Investičný Prieskum", + "Welcome to the Lightweight CRM template": "Vitajte v šablóne Ľahké CRM", + "Check out our related tutorial for how to model business data, use formulas, and manage complexity.": "Pozrite si náš súvisiaci návod, ako modelovať obchodné údaje, používať vzorce a spravovať zložitosť.", + "Check out our related tutorial to learn how to create summary tables and charts, and to link charts dynamically.": "Pozrite si náš súvisiaci návod, v ktorom sa dozviete, ako vytvoriť súhrnné tabuľky a grafy a ako grafy dynamicky prepojiť." + }, + "FieldConfig": { + "COLUMN BEHAVIOR": "SPRÁVANIE STĹPCA", + "COLUMN LABEL AND ID": "ŠTÍTOK A ID STĹPCA", + "Clear and make into formula": "Vyčistiť a vytvoriť vzorec", + "DESCRIPTION": "POPIS", + "Clear and reset": "Vymazať a resetovať", + "Column options are limited in summary tables.": "Možnosti stĺpcov sú v súhrnných tabuľkách obmedzené.", + "Mixed Behavior": "Zmiešané Správanie", + "Empty Columns_other": "Prázdne Stĺpce", + "Convert column to data": "Previesť stĺpec na údaje", + "Convert to trigger formula": "Konvertovať na spúšťací vzorec", + "Data Columns_one": "Stĺpec Údajov", + "Data Columns_other": "Stĺpce Údajov", + "Empty Columns_one": "Prázdny Stĺpec", + "Enter formula": "Zadať vzorec", + "Formula Columns_one": "Stĺpec Vzorca", + "Formula Columns_other": "Stĺpce Vzorca", + "Make into data column": "Vložiť do stĺpca údajov", + "Set trigger formula": "Nastaviť spúšťací vzorec", + "TRIGGER FORMULA": "SPÚŠŤACÍ VZOREC", + "Set formula": "Nastaviť vzorec" + }, + "Drafts": { + "Restore last edit": "Obnoviť poslednú úpravu", + "Undo discard": "Zrušiť zahodenie" + }, + "FieldMenus": { + "Revert to common settings": "Vrátiť sa k bežným nastaveniam", + "Save as common settings": "Uložiť ako bežné nastavenia", + "Use separate settings": "Použiť samostatné nastavenia", + "Using separate settings": "Použitie samostatných nastavení", + "Using common settings": "Použitie bežných nastavení" + }, + "FilterBar": { + "SearchColumns": "Prehľadať stĺpce", + "Search Columns": "Prehľadať Stĺpce" + }, + "GridViewMenus": { + "Add to sort": "Pridať do triedenia", + "Clear values": "Vyčistiť hodnoty", + "Delete {{count}} columns_one": "Odstrániť stĺpec", + "Freeze {{count}} columns_other": "Zmraziť {{count}} stĺpcov", + "Freeze {{count}} more columns_other": "Zmraziť {{count}} ďalšie stĺpce", + "Add Column": "Pridať Stĺpec", + "Column Options": "Možnosti Stĺpca", + "Convert formula to data": "Previesť vzorec na údaje", + "Delete {{count}} columns_other": "Odstrániť {{count}} stĺpcov", + "Filter Data": "Filtrovať Údaje", + "Freeze {{count}} columns_one": "Zmraziť tento stĺpec", + "Freeze {{count}} more columns_one": "Zmraziť ešte jeden stĺpec", + "Hide {{count}} columns_one": "Skryť stĺpec", + "Hide {{count}} columns_other": "Skryť {{count}} stĺpce" + }, + "GridOptions": { + "Horizontal Gridlines": "Horizontálna línia Mriežky", + "Grid Options": "Možnosti Mriežky", + "Vertical Gridlines": "Vertikálna línia Mriežky", + "Zebra Stripes": "Zebra Pruhy" + }, + "FilterConfig": { + "Add Column": "Pridať Stĺpec" } } From 64dc9e13c9b457deea4658278b9918b390c6c3e5 Mon Sep 17 00:00:00 2001 From: Paul Janzen Date: Mon, 24 Jun 2024 22:39:16 +0000 Subject: [PATCH 16/19] Translated using Weblate (Portuguese (Brazil)) Currently translated at 100.0% (1336 of 1336 strings) Translation: Grist/client Translate-URL: https://hosted.weblate.org/projects/grist/client/pt_BR/ --- static/locales/pt_BR.client.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/static/locales/pt_BR.client.json b/static/locales/pt_BR.client.json index 950fd01c..06457ef5 100644 --- a/static/locales/pt_BR.client.json +++ b/static/locales/pt_BR.client.json @@ -347,7 +347,9 @@ "Reload data engine": "Recarregar o motor de dados", "Reload data engine?": "Recarregar o motor de dados?", "Start timing": "Iniciar cronometragem", - "Stop timing...": "Pare de cronometrar..." + "Stop timing...": "Pare de cronometrar...", + "Only available to document editors": "Disponível apenas para editores de documentos", + "Only available to document owners": "Disponível apenas para proprietários de documentos" }, "DocumentUsage": { "Attachments Size": "Tamanho dos Anexos", From fbdd896f04a30067bfb0cf9305f804b661d7181b Mon Sep 17 00:00:00 2001 From: Paul Janzen Date: Mon, 24 Jun 2024 22:39:37 +0000 Subject: [PATCH 17/19] Translated using Weblate (Spanish) Currently translated at 100.0% (1336 of 1336 strings) Translation: Grist/client Translate-URL: https://hosted.weblate.org/projects/grist/client/es/ --- static/locales/es.client.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/static/locales/es.client.json b/static/locales/es.client.json index c8163854..9a54b025 100644 --- a/static/locales/es.client.json +++ b/static/locales/es.client.json @@ -289,7 +289,9 @@ "Reload data engine": "Recargar el motor de datos", "Reload data engine?": "¿Recargar motor de datos?", "You can make changes to the document, then stop timing to see the results.": "Puede realizar cambios en el documento y luego detener el cronometraje para ver los resultados.", - "Stop timing...": "Dejando de cronometrar..." + "Stop timing...": "Dejando de cronometrar...", + "Only available to document editors": "Sólo disponible para editores de documentos", + "Only available to document owners": "Solo disponible para los propietarios de documentos" }, "DuplicateTable": { "Copy all data in addition to the table structure.": "Copiar todos los datos además de la estructura de la tabla.", From 3c7623b51b7852eec2d97e9a47855cf91332057c Mon Sep 17 00:00:00 2001 From: Paul Janzen Date: Mon, 24 Jun 2024 22:38:27 +0000 Subject: [PATCH 18/19] Translated using Weblate (German) Currently translated at 100.0% (1336 of 1336 strings) Translation: Grist/client Translate-URL: https://hosted.weblate.org/projects/grist/client/de/ --- static/locales/de.client.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/static/locales/de.client.json b/static/locales/de.client.json index af9e532d..f7ed1c6d 100644 --- a/static/locales/de.client.json +++ b/static/locales/de.client.json @@ -347,7 +347,9 @@ "Formula timer": "Formel Timer", "Cancel": "Abbrechen", "Timing is on": "Das Timing läuft", - "You can make changes to the document, then stop timing to see the results.": "Sie können Änderungen an dem Dokument vornehmen und dann die Zeitmessung stoppen, um die Ergebnisse zu sehen." + "You can make changes to the document, then stop timing to see the results.": "Sie können Änderungen an dem Dokument vornehmen und dann die Zeitmessung stoppen, um die Ergebnisse zu sehen.", + "Only available to document editors": "Nur für Redakteure von Dokumenten verfügbar", + "Only available to document owners": "Nur für Eigentümer von Dokumenten verfügbar" }, "DocumentUsage": { "Attachments Size": "Größe der Anhänge", From e007b381150e3448a2a80787f2364c5d8b306bdd Mon Sep 17 00:00:00 2001 From: Roman Holinec <3ko@pixeon.sk> Date: Mon, 24 Jun 2024 04:39:52 +0000 Subject: [PATCH 19/19] Translated using Weblate (Slovak) Currently translated at 29.7% (398 of 1336 strings) Translation: Grist/client Translate-URL: https://hosted.weblate.org/projects/grist/client/sk/ --- static/locales/sk.client.json | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/static/locales/sk.client.json b/static/locales/sk.client.json index ea46a243..abc89726 100644 --- a/static/locales/sk.client.json +++ b/static/locales/sk.client.json @@ -339,7 +339,9 @@ "Document ID to use whenever the REST API calls for {{docId}}. See {{apiURL}}": "ID dokumentu, ktoré sa má použiť vždy, keď REST API požaduje {{docId}}. Pozrieť {{apiURL}}", "For currency columns": "Pre stĺpce meny", "Python": "Python", - "Notify other services on doc changes": "Upozorniť ostatné služby na zmeny dokumentu" + "Notify other services on doc changes": "Upozorniť ostatné služby na zmeny dokumentu", + "Only available to document editors": "Dostupné iba pre editorov dokumentov", + "Only available to document owners": "Dostupné iba pre vlastníkov dokumentov" }, "DocumentUsage": { "Attachments Size": "Veľkosť Príloh", @@ -422,7 +424,35 @@ "Freeze {{count}} columns_one": "Zmraziť tento stĺpec", "Freeze {{count}} more columns_one": "Zmraziť ešte jeden stĺpec", "Hide {{count}} columns_one": "Skryť stĺpec", - "Hide {{count}} columns_other": "Skryť {{count}} stĺpce" + "Hide {{count}} columns_other": "Skryť {{count}} stĺpce", + "Reset {{count}} columns_one": "Resetovať stĺpec", + "Reset {{count}} columns_other": "Resetovať {{count}} stĺpcov", + "Reset {{count}} entire columns_one": "Resetovať celý stĺpec", + "Reset {{count}} entire columns_other": "Resetovať {{count}} celé stĺpce", + "Apply to new records": "Použiť na nové záznamy", + "Authorship": "Autorstvo", + "Lookups": "Vyhľadávania", + "Show column {{- label}}": "Zobraziť stĺpec {{- label}}", + "Sort": "Triediť", + "Sorted (#{{count}})_one": "Zoradené (#{{count}})", + "Sorted (#{{count}})_other": "Zoradené (#{{count}})", + "Unfreeze {{count}} columns_one": "Zrušiť zmrazenie tohto stĺpca", + "Unfreeze all columns": "Zrušiť zmrazenie všetkých stĺpcov", + "Show hidden columns": "Zobraziť skryté stĺpce", + "Timestamp": "Časové razítko", + "no reference column": "žiadny referenčný stĺpec", + "Unfreeze {{count}} columns_other": "Zrušiť zmrazenie {{count}} stĺpcov", + "Insert column to the left": "Vložiť stĺpec doľava", + "Insert column to the right": "Vložiť stĺpec doprava", + "Apply on record changes": "Použiť zmeny záznamu", + "Created By": "Vytvoril", + "Hidden Columns": "Skryté stĺpce", + "Last Updated At": "Naposledy aktualizované v", + "Last Updated By": "Naposledy aktualizované používateľom", + "Insert column to the {{to}}": "Vložiť stĺpec do {{to}}", + "More sort options ...": "Ďalšie možnosti zoradenia…", + "Rename column": "Premenovať stĺpec", + "Created At": "Vytvorené v" }, "GridOptions": { "Horizontal Gridlines": "Horizontálna línia Mriežky",