gristlabs_grist-core/app/gen-server/lib/HomeDBManager.ts
Jarosław Sadziński 59942a23b6 (core) Limiting doc remove permission to owners.
Summary:
Guest editors added to a document were able to remove it. This limits this permission
by allowing only owners of a doc to delete it.

Test Plan: Updated

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: dsagal, anaisconce

Differential Revision: https://phab.getgrist.com/D3708
2022-11-30 23:37:18 +01:00

4462 lines
195 KiB
TypeScript

import {ApiError} from 'app/common/ApiError';
import {mapGetOrSet, mapSetOrClear, MapWithTTL} from 'app/common/AsyncCreate';
import {getDataLimitStatus} from 'app/common/DocLimits';
import {createEmptyOrgUsageSummary, DocumentUsage, OrgUsageSummary} from 'app/common/DocUsage';
import {normalizeEmail} from 'app/common/emails';
import {canAddOrgMembers, Features} from 'app/common/Features';
import {buildUrlId, MIN_URLID_PREFIX_LENGTH, parseUrlId} from 'app/common/gristUrls';
import {FullUser, UserProfile} from 'app/common/LoginSessionAPI';
import {checkSubdomainValidity} from 'app/common/orgNameUtils';
import {UserOrgPrefs} from 'app/common/Prefs';
import * as roles from 'app/common/roles';
import {StringUnion} from 'app/common/StringUnion';
import {
ANONYMOUS_USER_EMAIL,
DocumentProperties,
EVERYONE_EMAIL,
getRealAccess,
ManagerDelta,
NEW_DOCUMENT_CODE,
OrganizationProperties,
Organization as OrgInfo,
PermissionData,
PermissionDelta,
UserAccessData,
UserOptions,
WorkspaceProperties
} from "app/common/UserAPI";
import {AclRule, AclRuleDoc, AclRuleOrg, AclRuleWs} from "app/gen-server/entity/AclRule";
import {Alias} from "app/gen-server/entity/Alias";
import {BillingAccount, ExternalBillingOptions} from "app/gen-server/entity/BillingAccount";
import {BillingAccountManager} from "app/gen-server/entity/BillingAccountManager";
import {Document} from "app/gen-server/entity/Document";
import {Group} from "app/gen-server/entity/Group";
import {Login} from "app/gen-server/entity/Login";
import {AccessOption, AccessOptionWithRole, Organization} from "app/gen-server/entity/Organization";
import {Pref} from "app/gen-server/entity/Pref";
import {getDefaultProductNames, personalFreeFeatures, Product} from "app/gen-server/entity/Product";
import {Secret} from "app/gen-server/entity/Secret";
import {User} from "app/gen-server/entity/User";
import {Workspace} from "app/gen-server/entity/Workspace";
import {Permissions} from 'app/gen-server/lib/Permissions';
import {scrubUserFromOrg} from "app/gen-server/lib/scrubUserFromOrg";
import {applyPatch} from 'app/gen-server/lib/TypeORMPatches';
import {
bitOr,
getRawAndEntities,
hasAtLeastOneOfTheseIds,
hasOnlyTheseIdsOrNull,
now,
readJson
} from 'app/gen-server/sqlUtils';
import {appSettings} from 'app/server/lib/AppSettings';
import {getOrCreateConnection} from 'app/server/lib/dbUtils';
import {makeId} from 'app/server/lib/idUtils';
import log from 'app/server/lib/log';
import {Permit} from 'app/server/lib/Permit';
import {getScope} from 'app/server/lib/requestUtils';
import {WebHookSecret} from "app/server/lib/Triggers";
import {EventEmitter} from 'events';
import {Request} from "express";
import {
Brackets,
Connection,
DatabaseType,
EntityManager,
SelectQueryBuilder,
WhereExpression
} from "typeorm";
import uuidv4 from "uuid/v4";
import flatten = require('lodash/flatten');
import pick = require('lodash/pick');
// Support transactions in Sqlite in async code. This is a monkey patch, affecting
// the prototypes of various TypeORM classes.
// TODO: remove this patch if the issue is ever accepted as a problem in TypeORM and
// fixed. See https://github.com/typeorm/typeorm/issues/1884#issuecomment-380767213
applyPatch();
export const NotifierEvents = StringUnion(
'addUser',
'userChange',
'firstLogin',
'addBillingManager',
'teamCreator',
'trialPeriodEndingSoon',
);
export type NotifierEvent = typeof NotifierEvents.type;
// Nominal email address of a user who can view anything (for thumbnails).
export const PREVIEWER_EMAIL = 'thumbnail@getgrist.com';
// A special user allowed to add/remove the EVERYONE_EMAIL to/from a resource.
export const SUPPORT_EMAIL = appSettings.section('access').flag('supportEmail').requireString({
envVar: 'GRIST_SUPPORT_EMAIL',
defaultValue: 'support@getgrist.com',
});
// A list of emails we don't expect to see logins for.
const NON_LOGIN_EMAILS = [PREVIEWER_EMAIL, EVERYONE_EMAIL, ANONYMOUS_USER_EMAIL];
// Name of a special workspace with examples in it.
export const EXAMPLE_WORKSPACE_NAME = 'Examples & Templates';
// Flag controlling whether sites that are publicly accessible should be listed
// to the anonymous user. Defaults to not listing such sites.
const listPublicSites = appSettings.section('access').flag('listPublicSites').readBool({
envVar: 'GRIST_LIST_PUBLIC_SITES',
defaultValue: false,
});
// A TTL in milliseconds for caching the result of looking up access level for a doc,
// which is a burden under heavy traffic.
const DOC_AUTH_CACHE_TTL = 5000;
type Resource = Organization|Workspace|Document;
export interface QueryResult<T> {
status: number;
data?: T;
errMessage?: string;
}
// Maps from userId to group name, or null to inherit.
export interface UserIdDelta {
[userId: string]: roles.NonGuestRole|null;
}
// A collection of fun facts derived from a PermissionDelta (used to describe
// a change of users) and a user.
export interface PermissionDeltaAnalysis {
userIdDelta: UserIdDelta | null; // New roles for users, indexed by user id.
permissionThreshold: Permissions; // The permissions needed to make the change.
// Usually Permissions.ACL_EDIT, but
// Permissions.ACL_VIEW is enough for a user
// to removed themselves.
affectsSelf: boolean; // Flags if the user making the change would
// be affected by the change.
}
// Options for certain create query helpers private to this file.
interface QueryOptions {
manager?: EntityManager;
markPermissions?: Permissions;
needRealOrg?: boolean; // Set if pseudo-org should be collapsed to user's personal org
allowSpecialPermit?: boolean; // Set if specialPermit in Scope object should be respected,
// potentially overriding markPermissions.
}
interface GroupDescriptor {
readonly name: roles.Role;
readonly permissions: number;
readonly nestParent: boolean;
readonly orgOnly?: boolean;
}
// Information about a change in billable users.
export interface UserChange {
userId: number; // who initiated the change
org: Organization; // organization changed
customerId: string|null; // stripe customer id
countBefore: number; // billable users before change
countAfter: number; // billable users after change
membersBefore: Map<roles.NonGuestRole, User[]>;
membersAfter: Map<roles.NonGuestRole, User[]>;
}
// A specification of the users available during a request. This can be a single
// user, identified by a user id, or a collection of profiles (typically drawn from
// the session).
type AvailableUsers = number | UserProfile[];
// A type guard to check for single-user case.
function isSingleUser(users: AvailableUsers): users is number {
return typeof users === 'number';
}
// The context in which a query is being made. Includes what we know
// about the user, and for requests made from pages, the active organization.
export interface Scope {
userId: number; // The ID of the user for authentication purposes.
org?: string; // Org identified in request.
urlId?: string; // Set when accessing a document. May be a docId.
users?: AvailableUsers; // Set if available identities.
includeSupport?: boolean; // When set, include sample resources shared by support to scope.
showRemoved?: boolean; // When set, query is scoped to removed workspaces/docs.
showOnlyPinned?: boolean; // When set, query is scoped only to pinned docs.
showAll?: boolean; // When set, return both removed and regular resources.
specialPermit?: Permit; // When set, extra rights are granted on a specific resource.
}
// Flag for whether we are listing resources or opening them. This makes a difference
// for public resources, which we allow users to open but not necessarily list.
type AccessStyle = 'list' | 'open';
// A Scope for documents, with mandatory urlId.
export interface DocScope extends Scope {
urlId: string;
}
type NonGuestGroup = Group & { name: roles.NonGuestRole };
// Returns whether the given group is a valid non-guest group.
function isNonGuestGroup(group: Group): group is NonGuestGroup {
return roles.isNonGuestRole(group.name);
}
export interface UserProfileChange {
name?: string;
isFirstTimeUser?: boolean;
}
// Identifies a request to access a document. This combination of values is also used for caching
// DocAuthResult for DOC_AUTH_CACHE_TTL. Other request scope information is passed along.
export interface DocAuthKey {
urlId: string; // May be docId. Must be unambiguous in the context of the org.
userId: number; // The user accessing this doc. (Could be the ID of Anonymous.)
org?: string; // Undefined if unknown (e.g. in API calls, but needs unique urlId).
}
// Document auth info. This is the minimum needed to resolve user access checks. For anything else
// (e.g. doc title), the uncached getDoc() call should be used.
export interface DocAuthResult {
docId: string|null; // The unique identifier of the document. Null on error.
access: roles.Role|null; // The access level for the requesting user. Null on error.
removed: boolean|null; // Set if the doc is soft-deleted. Users may still have access
// to removed documents for some purposes. Null on error.
error?: ApiError;
cachedDoc?: Document; // For cases where stale info is ok.
}
interface GetUserOptions {
manager?: EntityManager;
profile?: UserProfile;
userOptions?: UserOptions;
}
// Represent a DocAuthKey as a string. The format is "<urlId>:<org> <userId>".
// flushSingleDocAuthCache() depends on this format.
function stringifyDocAuthKey(key: DocAuthKey): string {
return stringifyUrlIdOrg(key.urlId, key.org) + ` ${key.userId}`;
}
function stringifyUrlIdOrg(urlId: string, org?: string): string {
return `${urlId}:${org}`;
}
export interface DocumentMetadata {
// ISO 8601 UTC date (e.g. the output of new Date().toISOString()).
updatedAt?: string;
usage?: DocumentUsage|null;
}
/**
* HomeDBManager handles interaction between the ApiServer and the Home database,
* encapsulating the typeorm logic.
*/
export class HomeDBManager extends EventEmitter {
private _connection: Connection;
private _dbType: DatabaseType;
private _specialUserIds: {[name: string]: number} = {}; // id for anonymous user, previewer, etc
private _exampleWorkspaceId: number;
private _exampleOrgId: number;
private _idPrefix: string = ""; // Place this before ids in subdomains, used in routing to
// deployments on same subdomain.
private _docAuthCache = new MapWithTTL<string, Promise<DocAuthResult>>(DOC_AUTH_CACHE_TTL);
// In restricted mode, documents should be read-only.
private _restrictedMode: boolean = false;
/**
* Five aclRules, each with one group (with the names 'owners', 'editors', 'viewers',
* 'guests', and 'members') are created by default on every new entity (Organization,
* Workspace, Document). These special groups are documented in the _defaultGroups
* constant below.
*
* When a child resource is created under a parent (i.e. when a new Workspace is created
* under an Organization), special groups with a truthy 'nestParent' property are set up
* to include in their memberGroups a single group on initialization - the parent's
* corresponding special group. Special groups with a falsy 'nextParent' property are
* empty on intialization.
*
* NOTE: The groups are ordered from most to least permissive, and should remain that way.
* TODO: app/common/roles already contains an ordering of the default roles. Usage should
* be consolidated.
*/
private readonly _defaultGroups: GroupDescriptor[] = [{
name: roles.OWNER,
permissions: Permissions.OWNER,
nestParent: true
}, {
name: roles.EDITOR,
permissions: Permissions.EDITOR,
nestParent: true
}, {
name: roles.VIEWER,
permissions: Permissions.VIEW,
nestParent: true
}, {
name: roles.GUEST,
permissions: Permissions.VIEW,
nestParent: false
}, {
name: roles.MEMBER,
permissions: Permissions.VIEW,
nestParent: false,
orgOnly: true
}];
public emit(event: NotifierEvent, ...args: any[]): boolean {
return super.emit(event, ...args);
}
// All groups.
public get defaultGroups(): GroupDescriptor[] {
return this._defaultGroups;
}
// Groups whose permissions are inherited from parent resource to child resources.
public get defaultBasicGroups(): GroupDescriptor[] {
return this._defaultGroups
.filter(_grpDesc => _grpDesc.nestParent);
}
// Groups that are common to all resources.
public get defaultCommonGroups(): GroupDescriptor[] {
return this._defaultGroups
.filter(_grpDesc => !_grpDesc.orgOnly);
}
public get defaultGroupNames(): roles.Role[] {
return this._defaultGroups.map(_grpDesc => _grpDesc.name);
}
public get defaultBasicGroupNames(): roles.BasicRole[] {
return this.defaultBasicGroups
.map(_grpDesc => _grpDesc.name) as roles.BasicRole[];
}
public get defaultNonGuestGroupNames(): roles.NonGuestRole[] {
return this._defaultGroups
.filter(_grpDesc => _grpDesc.name !== roles.GUEST)
.map(_grpDesc => _grpDesc.name) as roles.NonGuestRole[];
}
public get defaultCommonGroupNames(): roles.NonMemberRole[] {
return this.defaultCommonGroups
.map(_grpDesc => _grpDesc.name) as roles.NonMemberRole[];
}
public setPrefix(prefix: string) {
this._idPrefix = prefix;
}
public setRestrictedMode(restricted: boolean) {
this._restrictedMode = restricted;
}
public async connect(): Promise<void> {
this._connection = await getOrCreateConnection();
this._dbType = this._connection.driver.options.type;
}
// make sure special users and workspaces are available
public async initializeSpecialIds(options?: {
skipWorkspaces?: boolean // if set, skip setting example workspace.
}): Promise<void> {
await this._getSpecialUserId({
email: ANONYMOUS_USER_EMAIL,
name: "Anonymous"
});
await this._getSpecialUserId({
email: PREVIEWER_EMAIL,
name: "Preview"
});
await this._getSpecialUserId({
email: EVERYONE_EMAIL,
name: "Everyone"
});
await this._getSpecialUserId({
email: SUPPORT_EMAIL,
name: "Support"
});
if (!options?.skipWorkspaces) {
// Find the example workspace. If there isn't one named just right, take the first workspace
// belonging to the support user. This shouldn't happen in deployments but could happen
// in tests.
// TODO: it should now be possible to remove all this; the only remaining
// issue is what workspace to associate with documents created by
// anonymous users.
const supportWorkspaces = await this._workspaces()
.leftJoinAndSelect('workspaces.org', 'orgs')
.where('orgs.owner_id = :userId', { userId: this.getSupportUserId() })
.orderBy('workspaces.created_at')
.getMany();
const exampleWorkspace = supportWorkspaces.find(ws => ws.name === EXAMPLE_WORKSPACE_NAME) || supportWorkspaces[0];
if (!exampleWorkspace) { throw new Error('No example workspace available'); }
if (exampleWorkspace.name !== EXAMPLE_WORKSPACE_NAME) {
log.warn('did not find an appropriately named example workspace in deployment');
}
this._exampleWorkspaceId = exampleWorkspace.id;
this._exampleOrgId = exampleWorkspace.org.id;
}
}
public get connection() {
return this._connection;
}
public async testQuery(sql: string, args: any[]): Promise<any> {
return this._connection.query(sql, args);
}
/**
* Maps from the name of an entity to its id, for the purposes of
* unit tests only. It relies on test entities being named
* distinctly. It just runs through each model in turn by brute
* force, and returns the id of this first match it finds.
*/
public async testGetId(name: string): Promise<number|string> {
const org = await Organization.findOne({where: {name}});
if (org) { return org.id; }
const ws = await Workspace.findOne({where: {name}});
if (ws) { return ws.id; }
const doc = await Document.findOne({where: {name}});
if (doc) { return doc.id; }
const user = await User.findOne({where: {name}});
if (user) { return user.id; }
const product = await Product.findOne({where: {name}});
if (product) { return product.id; }
throw new Error(`Cannot testGetId(${name})`);
}
/**
* For tests only. Get user's unique reference by name.
*/
public async testGetRef(name: string): Promise<string> {
const user = await User.findOne({where: {name}});
if (user) { return user.ref; }
throw new Error(`Cannot testGetRef(${name})`);
}
/**
* Clear all user preferences associated with the given email addresses.
* For use in tests.
*/
public async testClearUserPrefs(emails: string[]) {
return await this._connection.transaction(async manager => {
for (const email of emails) {
const user = await this.getUserByLogin(email, {manager});
if (user) {
await manager.delete(Pref, {userId: user.id});
}
}
});
}
public async getUserByKey(apiKey: string): Promise<User|undefined> {
// Include logins relation for Authorization convenience.
return await User.findOne({where: {apiKey}, relations: ["logins"]}) || undefined;
}
public async getUser(userId: number): Promise<User|undefined> {
return await User.findOne({where: {id: userId}, relations: ["logins"]}) || undefined;
}
public async getFullUser(userId: number): Promise<FullUser> {
const user = await User.findOne({where: {id: userId}, relations: ["logins"]});
if (!user) { throw new ApiError("unable to find user", 400); }
return this.makeFullUser(user);
}
/**
* Convert a user record into the format specified in api.
*/
public makeFullUser(user: User): FullUser {
if (!user.logins?.[0]?.displayEmail) {
throw new ApiError("unable to find mandatory user email", 400);
}
const result: FullUser = {
id: user.id,
email: user.logins[0].displayEmail,
name: user.name,
picture: user.picture,
ref: user.ref,
};
if (this.getAnonymousUserId() === user.id) {
result.anonymous = true;
}
if (this.getSupportUserId() === user.id) {
result.isSupport = true;
}
return result;
}
/**
* Ensures that user with external id exists and updates its profile and email if necessary.
*
* @param profile External profile
*/
public async ensureExternalUser(profile: UserProfile) {
await this._connection.transaction(async manager => {
// First find user by the connectId from the profile
const existing = await manager.findOne(User, {
where: {connectId: profile.connectId || undefined},
relations: ["logins"],
});
// If a user does not exist, create it with data from the external profile.
if (!existing) {
const newUser = await this.getUserByLoginWithRetry(profile.email, {
profile,
manager
});
if (!newUser) {
throw new ApiError("Unable to create user", 500);
}
// No need to survey this user.
newUser.isFirstTimeUser = false;
await newUser.save();
} else {
// Else update profile and login information from external profile.
let updated = false;
let login: Login = existing.logins[0]!;
const properEmail = normalizeEmail(profile.email);
if (properEmail !== existing.loginEmail) {
login = login ?? new Login();
login.email = properEmail;
login.displayEmail = profile.email;
existing.logins.splice(0, 1, login);
login.user = existing;
updated = true;
}
if (profile?.name && profile?.name !== existing.name) {
existing.name = profile.name;
updated = true;
}
if (profile?.picture && profile?.picture !== existing.picture) {
existing.picture = profile.picture;
updated = true;
}
if (updated) {
await manager.save([existing, login]);
}
}
});
}
public async updateUser(userId: number, props: UserProfileChange): Promise<void> {
let isWelcomed: boolean = false;
let user: User|null = null;
await this._connection.transaction(async manager => {
user = await manager.findOne(User, {relations: ['logins'],
where: {id: userId}});
let needsSave = false;
if (!user) { throw new ApiError("unable to find user", 400); }
if (props.name && props.name !== user.name) {
user.name = props.name;
needsSave = true;
}
if (props.isFirstTimeUser !== undefined && props.isFirstTimeUser !== user.isFirstTimeUser) {
user.isFirstTimeUser = props.isFirstTimeUser;
needsSave = true;
// If we are turning off the isFirstTimeUser flag, then right
// after this transaction commits is a great time to trigger
// any automation for first logins
if (!props.isFirstTimeUser) { isWelcomed = true; }
}
if (needsSave) {
await user.save();
}
});
if (user && isWelcomed) {
this.emit('firstLogin', this.makeFullUser(user));
}
}
public async updateUserName(userId: number, name: string) {
const user = await User.findOne({where: {id: userId}});
if (!user) { throw new ApiError("unable to find user", 400); }
user.name = name;
await user.save();
}
public async updateUserOptions(userId: number, props: Partial<UserOptions>) {
const user = await User.findOne({where: {id: userId}});
if (!user) { throw new ApiError("unable to find user", 400); }
const newOptions = {...(user.options ?? {}), ...props};
user.options = newOptions;
await user.save();
}
// Fetch user from login, creating the user if previously unseen, allowing one retry
// for an email key conflict failure. This is in case our transaction conflicts with a peer
// doing the same thing. This is quite likely if the first page visited by a previously
// unseen user fires off multiple api calls.
public async getUserByLoginWithRetry(email: string, options: GetUserOptions = {}): Promise<User|undefined> {
try {
return await this.getUserByLogin(email, options);
} catch (e) {
if (e.name === 'QueryFailedError' && e.detail &&
e.detail.match(/Key \(email\)=[^ ]+ already exists/)) {
// This is a postgres-specific error message. This problem cannot arise in sqlite,
// because we have to serialize sqlite transactions in any case to get around a typeorm
// limitation.
return await this.getUserByLogin(email, options);
}
throw e;
}
}
/**
*
* Fetches a user record based on an email address. If a user record already
* exists linked to the email address supplied, that is the record returned.
* Otherwise a fresh record is created, linked to the supplied email address.
* The supplied `options` are used when creating a fresh record, or updating
* unset/outdated fields of an existing record.
*
*/
public async getUserByLogin(email: string, options: GetUserOptions = {}): Promise<User|undefined> {
const {manager: transaction, profile, userOptions} = options;
const normalizedEmail = normalizeEmail(email);
const userByLogin = await this._runInTransaction(transaction, async manager => {
let needUpdate = false;
const userQuery = manager.createQueryBuilder()
.select('user')
.from(User, 'user')
.leftJoinAndSelect('user.logins', 'logins')
.leftJoinAndSelect('user.personalOrg', 'personalOrg')
.where('email = :email', {email: normalizedEmail});
let user = await userQuery.getOne();
let login: Login;
if (!user) {
user = new User();
// Special users do not have first time user set so that they don't get redirected to the
// welcome page.
user.isFirstTimeUser = !NON_LOGIN_EMAILS.includes(normalizedEmail);
login = new Login();
login.email = normalizedEmail;
login.user = user;
needUpdate = true;
} else {
login = user.logins[0];
}
// Check that user and login records are up to date.
if (!user.name) {
// Set the user's name if our provider knows it. Otherwise use their username
// from email, for lack of something better. If we don't have a profile at this
// time, then leave the name blank in the hopes of learning it when the user logs in.
user.name = (profile && (profile.name || email.split('@')[0])) || '';
needUpdate = true;
}
if (profile && !user.firstLoginAt) {
// set first login time to now (remove milliseconds for compatibility with other
// timestamps in db set by typeorm, and since second level precision is fine)
const nowish = new Date();
nowish.setMilliseconds(0);
user.firstLoginAt = nowish;
needUpdate = true;
}
if (!user.picture && profile && profile.picture) {
// Set the user's profile picture if our provider knows it.
user.picture = profile.picture;
needUpdate = true;
}
if (profile && profile.email && profile.email !== login.displayEmail) {
// Use provider's version of email address for display.
login.displayEmail = profile.email;
needUpdate = true;
}
if (profile?.connectId && profile?.connectId !== user.connectId) {
user.connectId = profile.connectId;
needUpdate = true;
}
if (!login.displayEmail) {
// Save some kind of display email if we don't have anything at all for it yet.
// This could be coming from how someone wrote it in a UserManager dialog, for
// instance. It will get overwritten when the user logs in if the provider's
// version is different.
login.displayEmail = email;
needUpdate = true;
}
if (!user.options?.authSubject && userOptions?.authSubject) {
// Link subject from password-based authentication provider if not previously linked.
user.options = {...(user.options ?? {}), authSubject: userOptions.authSubject};
needUpdate = true;
}
if (needUpdate) {
login.user = user;
await manager.save([user, login]);
}
if (!user.personalOrg && !NON_LOGIN_EMAILS.includes(login.email)) {
// Add a personal organization for this user.
// We don't add a personal org for anonymous/everyone/previewer "users" as it could
// get a bit confusing.
const result = await this.addOrg(user, {name: "Personal"}, {
setUserAsOwner: true,
useNewPlan: true
}, manager);
if (result.status !== 200) {
throw new Error(result.errMessage);
}
needUpdate = true;
// We just created a personal org; set userOrgPrefs that should apply for new users only.
const userOrgPrefs: UserOrgPrefs = {showGristTour: true};
const orgId = result.data;
if (orgId) {
await this.updateOrg({userId: user.id}, orgId, {userOrgPrefs}, manager);
}
}
if (needUpdate) {
// We changed the db - reload user in order to give consistent results.
// In principle this could be optimized, but this is simpler to maintain.
user = await userQuery.getOne();
}
return user;
});
return userByLogin;
}
/**
* Find a user by email. Don't create the user if it doesn't already exist.
*/
public async getExistingUserByLogin(
email: string,
manager?: EntityManager
): Promise<User|undefined> {
const normalizedEmail = normalizeEmail(email);
return await (manager || this._connection).createQueryBuilder()
.select('user')
.from(User, 'user')
.leftJoinAndSelect('user.logins', 'logins')
.where('email = :email', {email: normalizedEmail})
.getOne() || undefined;
}
/**
* Returns true if the given domain string is available, and false if it is not available.
* NOTE that the endpoint only checks if the domain string is taken in the database, it does
* not check whether the string contains invalid characters.
*/
public async isDomainAvailable(domain: string): Promise<boolean> {
let qb = this._orgs();
qb = this._whereOrg(qb, domain);
const results = await qb.getRawAndEntities();
return results.entities.length === 0;
}
/**
* Returns the number of users in any non-guest role in the given org.
* Note that this does not require permissions and should not be exposed to the client.
*
* If an Organization is provided, all of orgs.acl_rules, orgs.acl_rules.group,
* and orgs.acl_rules.group.memberUsers should be included.
*/
public async getOrgMemberCount(org: string|number|Organization): Promise<number> {
if (!(org instanceof Organization)) {
const orgQuery = this._org(null, false, org, {
needRealOrg: true
})
// Join the org's ACL rules (with 1st level groups/users listed).
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_member_users');
const result = await orgQuery.getRawAndEntities();
if (result.entities.length === 0) {
// If the query for the doc failed, return the failure result.
throw new ApiError('org not found', 404);
}
org = result.entities[0];
}
return getResourceUsers(org, this.defaultNonGuestGroupNames).length;
}
/**
* Deletes a user from the database. For the moment, the only person with the right
* to delete a user is the user themselves.
* Users have logins, a personal org, and entries in the group_users table. All are
* removed together in a transaction. All material in the personal org will be lost.
*
* @param scope: request scope, including the id of the user initiating this action
* @param userIdToDelete: the id of the user to delete from the database
* @param name: optional cross-check, delete only if user name matches this
*/
public async deleteUser(scope: Scope, userIdToDelete: number,
name?: string): Promise<QueryResult<void>> {
const userIdDeleting = scope.userId;
if (userIdDeleting !== userIdToDelete) {
throw new ApiError('not permitted to delete this user', 403);
}
await this._connection.transaction(async manager => {
const user = await manager.findOne(User, {where: {id: userIdToDelete},
relations: ["logins", "personalOrg"]});
if (!user) { throw new ApiError('user not found', 404); }
if (name) {
if (user.name !== name) {
throw new ApiError(`user name did not match ('${name}' vs '${user.name}')`, 400);
}
}
if (user.personalOrg) { await this.deleteOrg(scope, user.personalOrg.id, manager); }
await manager.remove([...user.logins]);
// We don't have a GroupUser entity, and adding one tickles lots of TypeOrm quirkiness,
// so use a plain query to delete entries in the group_users table.
await manager.createQueryBuilder()
.delete()
.from('group_users')
.where('user_id = :userId', {userId: userIdToDelete})
.execute();
await manager.delete(User, userIdToDelete);
});
return {
status: 200
};
}
/**
* Returns a QueryResult for the given organization. The orgKey
* can be a string (the domain from url) or the id of an org. If it is
* null, the user's personal organization is returned.
*/
public async getOrg(scope: Scope, orgKey: string|number|null,
transaction?: EntityManager): Promise<QueryResult<Organization>> {
const {userId} = scope;
// Anonymous access to the merged org is a special case. We return an
// empty organization, not backed by the database, and which can contain
// nothing but the example documents always added to the merged org.
if (this.isMergedOrg(orgKey) && userId === this.getAnonymousUserId()) {
const anonOrg: OrgInfo = {
id: 0,
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
domain: this.mergedOrgDomain(),
name: 'Anonymous',
owner: this.makeFullUser(this.getAnonymousUser()),
access: 'viewers',
billingAccount: {
id: 0,
individual: true,
product: {
name: 'anonymous',
features: personalFreeFeatures,
},
isManager: false,
inGoodStanding: true,
},
host: null
};
return { status: 200, data: anonOrg as any };
}
let qb = this.org(scope, orgKey, {
manager: transaction,
needRealOrg: true
});
qb = this._addBillingAccount(qb, scope.userId);
let effectiveUserId = scope.userId;
if (scope.specialPermit && scope.specialPermit.org === orgKey) {
effectiveUserId = this.getPreviewerUserId();
}
qb = this._withAccess(qb, effectiveUserId, 'orgs');
qb = qb.leftJoinAndSelect('orgs.owner', 'owner');
// Add preference information that will be relevant for presentation of the org.
// That includes preference information specific to the site and the user,
// or specific just to the site, or specific just to the user.
qb = qb.leftJoinAndMapMany('orgs.prefs', Pref, 'prefs',
'(prefs.org_id = orgs.id or prefs.org_id IS NULL) AND ' +
'(prefs.user_id = :userId or prefs.user_id IS NULL)',
{userId});
// Apply a particular order (user+org first if present, then org, then user).
// Slightly round-about syntax because Sqlite and Postgres disagree about NULL
// ordering (Sqlite does support NULL LAST syntax now, but not on our fork yet).
qb = qb.addOrderBy('coalesce(prefs.org_id, 0)', 'DESC');
qb = qb.addOrderBy('coalesce(prefs.user_id, 0)', 'DESC');
const result = await this._verifyAclPermissions(qb);
if (result.status === 200) {
// Return the only org.
result.data = result.data[0];
if (this.isMergedOrg(orgKey)) {
// The merged psuedo-organization is almost, but not quite, the user's personal
// org. We give it a distinct domain and id.
result.data.id = 0;
result.data.domain = this.mergedOrgDomain();
}
}
return result;
}
/**
* Gets the billing account for the specified org. Will throw errors if the org
* is not found, or if the user does not have access to its billing account.
*
* The special previewer user is given access to billing account information.
*
* The billing account includes fields such as stripeCustomerId.
* To include `managers` and `orgs` fields listing all billing account managers
* and organizations linked to the account, set `includeOrgsAndManagers`.
*/
public async getBillingAccount(scope: Scope, orgKey: string|number,
includeOrgsAndManagers: boolean,
transaction?: EntityManager): Promise<BillingAccount> {
const org = this.unwrapQueryResult(await this.getOrg(scope, orgKey, transaction));
if (!org.billingAccount.isManager && scope.userId !== this.getPreviewerUserId() &&
// The special permit (used for the support user) allows access to the billing account.
scope.specialPermit?.org !== orgKey) {
throw new ApiError('User does not have access to billing account', 401);
}
if (!includeOrgsAndManagers) { return org.billingAccount; }
// For full billing account information including all managers
// (for team accounts) and orgs (for individual accounts), we need
// to make a different query since what we've got so far is
// filtered by org and by user for authorization purposes.
// Also, filling out user information linked to orgs and managers
// requires a few extra joins.
return this.getFullBillingAccount(org.billingAccount.id, transaction);
}
/**
* Gets all information about a billing account, without permission check.
*/
public getFullBillingAccount(billingAccountId: number, transaction?: EntityManager): Promise<BillingAccount> {
return this._runInTransaction(transaction, async tr => {
let qb = tr.createQueryBuilder()
.select('billing_accounts')
.from(BillingAccount, 'billing_accounts')
.leftJoinAndSelect('billing_accounts.product', 'products')
.leftJoinAndSelect('billing_accounts.managers', 'managers')
.leftJoinAndSelect('managers.user', 'manager_users')
.leftJoinAndSelect('manager_users.logins', 'manager_logins')
.leftJoinAndSelect('billing_accounts.orgs', 'orgs')
.leftJoinAndSelect('orgs.owner', 'org_users')
.leftJoinAndSelect('org_users.logins', 'org_logins')
.where('billing_accounts.id = :billingAccountId', {billingAccountId});
qb = this._addBillingAccountCalculatedFields(qb);
// TODO: should reconcile with isManager field that stripped down results have.
const results = await qb.getRawAndEntities();
const resources = this._normalizeQueryResults(results.entities);
if (!resources[0]) {
throw new ApiError('Cannot find billing account', 500);
}
return resources[0];
});
}
/**
* Look up an org by an external id. External IDs are used in integrations, and
* simply offer an alternate way to identify an org.
*/
public async getOrgByExternalId(externalId: string): Promise<Organization|undefined> {
const query = this._orgs()
.leftJoinAndSelect('orgs.billingAccount', 'billing_accounts')
.leftJoinAndSelect('billing_accounts.product', 'products')
.where('external_id = :externalId', {externalId});
return await query.getOne() || undefined;
}
/**
* Returns a QueryResult for an organization with nested workspaces.
*/
public async getOrgWorkspaces(scope: Scope, orgKey: string|number,
options: QueryOptions = {}): Promise<QueryResult<Workspace[]>> {
const query = this._orgWorkspaces(scope, orgKey, options);
// Allow an empty result for the merged org for the anonymous user. The anonymous user
// has no home org or workspace. For all other sitations, expect at least one workspace.
const emptyAllowed = this.isMergedOrg(orgKey) && scope.userId === this.getAnonymousUserId();
const result = await this._verifyAclPermissions(query, { scope, emptyAllowed });
// Return the workspaces, not the org(s).
if (result.status === 200) {
// Place ownership information in workspaces, available for the merged org.
for (const o of result.data) {
for (const ws of o.workspaces) {
ws.owner = o.owner;
// Include the org's domain so that the UI can build doc URLs that include the org.
ws.orgDomain = o.domain;
}
}
// For org-specific requests, we still have the org's workspaces, plus the Samples workspace
// from the support org.
result.data = [].concat(...result.data.map((o: Organization) => o.workspaces));
}
return result;
}
/**
* Returns a QueryResult for the workspace with the given workspace id. The workspace
* includes nested Docs.
*/
public async getWorkspace(scope: Scope, wsId: number): Promise<QueryResult<Workspace>> {
const {userId} = scope;
let queryBuilder = this._workspaces()
.where('workspaces.id = :wsId', {wsId})
// Nest the docs within the workspace object
.leftJoinAndSelect('workspaces.docs', 'docs', this._onDoc(scope))
.leftJoinAndSelect('workspaces.org', 'orgs')
.leftJoinAndSelect('orgs.owner', 'owner')
// Define some order (spec doesn't promise anything though)
.orderBy('workspaces.created_at')
.addOrderBy('docs.created_at');
queryBuilder = this._addIsSupportWorkspace(userId, queryBuilder, 'orgs', 'workspaces');
// Add access information and query limits
// TODO: allow generic org limit once sample/support workspace is done differently
queryBuilder = this._applyLimit(queryBuilder, {...scope, org: undefined}, ['workspaces', 'docs'], 'list');
const result = await this._verifyAclPermissions(queryBuilder, { scope });
// Return a single workspace.
if (result.status === 200) {
result.data = result.data[0];
}
return result;
}
/**
* Returns an organization's usage summary (e.g. count of documents that are approaching or exceeding
* limits).
*/
public async getOrgUsageSummary(scope: Scope, orgKey: string|number): Promise<OrgUsageSummary> {
// Check that an owner of the org is making the request.
const markPermissions = Permissions.OWNER;
let orgQuery = this.org(scope, orgKey, {
markPermissions,
needRealOrg: true
});
orgQuery = this._addFeatures(orgQuery);
const orgQueryResult = await verifyIsPermitted(orgQuery);
const org: Organization = this.unwrapQueryResult(orgQueryResult);
const productFeatures = org.billingAccount.product.features;
// Grab all the non-removed documents in the org.
let docsQuery = this._docs()
.innerJoin('docs.workspace', 'workspaces')
.innerJoin('workspaces.org', 'orgs')
.where('docs.workspace_id = workspaces.id')
.andWhere('workspaces.removed_at IS NULL AND docs.removed_at IS NULL');
docsQuery = this._whereOrg(docsQuery, orgKey);
if (this.isMergedOrg(orgKey)) {
docsQuery = docsQuery.andWhere('orgs.owner_id = :userId', {userId: scope.userId});
}
const docsQueryResult = await this._verifyAclPermissions(docsQuery, { scope, emptyAllowed: true });
const docs: Document[] = this.unwrapQueryResult(docsQueryResult);
// Return an aggregate count of documents, grouped by data limit status.
const summary = createEmptyOrgUsageSummary();
for (const {usage: docUsage, gracePeriodStart} of docs) {
const dataLimitStatus = getDataLimitStatus({docUsage, gracePeriodStart, productFeatures});
if (dataLimitStatus) { summary[dataLimitStatus] += 1; }
}
return summary;
}
/**
* Compute the best access option for an organization, from the
* users available to the client. If none of the options can access
* the organization, returns null. If there are equally good
* options, an arbitrary one is returned.
*
* Comparison is made between roles rather than fine-grained
* permissions, since otherwise the result would not be well defined
* (permissions could in general overlap without one being a
* superset of the other). For the acl rules we've used so far,
* this problem does not arise and reasoning at the level of a
* hierarchy of roles is adequate.
*/
public async getBestUserForOrg(users: AvailableUsers, org: number|string): Promise<AccessOptionWithRole|null> {
if (this.isMergedOrg(org)) {
// Don't try to pick a best user for the merged personal org.
// If this changes in future, be sure to call this._filterByOrgGroups on the query
// below, otherwise it will include every users' personal org which is wasteful
// and parsing/mapping the results in TypeORM is slow.
return null;
}
let qb = this._orgs();
qb = this._whereOrg(qb, org);
qb = this._withAccess(qb, users, 'orgs');
const result = await this._verifyAclPermissions(qb, {emptyAllowed: true});
if (!result.data) {
throw new ApiError(result.errMessage || 'failed to select user', result.status);
}
if (!result.data.length) { return null; }
const options: AccessOptionWithRole[] = result.data[0].accessOptions;
if (!options.length) { return null; }
const role = roles.getStrongestRole(...options.map(option => option.access));
return options.find(option => option.access === role) || null;
}
/**
* Returns a SelectQueryBuilder which gives an array of orgs already filtered by
* the given user' (or users') access.
* If a domain is specified, only an org matching that domain and accessible by
* the user or users is returned.
* The anonymous user is treated specially, to avoid advertising organizations
* with anonymous access.
*/
public async getOrgs(users: AvailableUsers, domain: string|null,
options?: {ignoreEveryoneShares?: boolean}): Promise<QueryResult<Organization[]>> {
let queryBuilder = this._orgs()
.leftJoinAndSelect('orgs.owner', 'users', 'orgs.owner_id = users.id');
if (isSingleUser(users)) {
// When querying with a single user in mind, we keep our api promise
// of returning their personal org first in the list.
queryBuilder = queryBuilder
.orderBy('(coalesce(users.id,0) = :userId)', 'DESC')
.setParameter('userId', users);
}
queryBuilder = queryBuilder
.addOrderBy('users.name')
.addOrderBy('orgs.name');
queryBuilder = this._withAccess(queryBuilder, users, 'orgs');
// Add a direct, efficient filter to remove irrelevant personal orgs from consideration.
queryBuilder = this._filterByOrgGroups(queryBuilder, users, domain, options);
if (this._isAnonymousUser(users) && !listPublicSites) {
// The anonymous user is a special case. It may have access to potentially
// many orgs, but listing them all would be kind of a misfeature. but reporting
// nothing would complicate the client. We compromise, and report at most
// the org of the site the user is on (or nothing when the api is accessed
// via a url that is unrelated to any particular org).
// This special processing is only needed for the isSingleUser case. Multiple
// users can only be presented when the user has proven login access to each.
if (domain && !this.isMergedOrg(domain)) {
queryBuilder = this._whereOrg(queryBuilder, domain);
} else {
return {status: 200, data: []};
}
}
return this._verifyAclPermissions(queryBuilder, {emptyAllowed: true});
}
// As for getOrgs, but all personal orgs are merged into a single entry.
public async getMergedOrgs(userId: number, users: AvailableUsers,
domain: string|null): Promise<QueryResult<Organization[]>> {
const result = await this.getOrgs(users, domain);
if (result.status === 200) {
return {status: 200, data: this._mergePersonalOrgs(userId, result.data!)};
}
return result;
}
// Returns the doc with access information for the calling user only.
// TODO: The return type of this function includes the workspace and org with the owner
// properties set, as documented in app/common/UserAPI. The return type of this function
// should reflect that.
public async getDocImpl(key: DocAuthKey): Promise<Document> {
const {userId} = key;
// Doc permissions of forks are based on the "trunk" document, so make sure
// we look up permissions of trunk if we are on a fork (we'll fix the permissions
// up for the fork immediately afterwards).
const {trunkId, forkId, forkUserId, snapshotId} = parseUrlId(key.urlId);
const urlId = trunkId;
if (forkId || snapshotId) { key = {...key, urlId}; }
let doc: Document;
if (urlId === NEW_DOCUMENT_CODE) {
if (!forkId) { throw new ApiError('invalid document identifier', 400); }
// We imagine current user owning trunk if there is no embedded userId, or
// the embedded userId matches the current user.
const access = (forkUserId === undefined || forkUserId === userId) ? 'owners' :
(userId === this.getPreviewerUserId() ? 'viewers' : null);
if (!access) { throw new ApiError("access denied", 403); }
doc = {
name: 'Untitled',
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
id: 'new',
isPinned: false,
urlId: null,
workspace: this.unwrapQueryResult<Workspace>(
await this.getWorkspace({userId: this.getSupportUserId()},
this._exampleWorkspaceId)),
aliases: [],
access
} as any;
} else {
// We can't delegate filtering of removed documents to the db, since we'll be
// caching authentication. But we also don't need to delegate filtering, since
// it is very simple at the single-document level. So we direct the db to include
// everything with showAll flag, and let the getDoc() wrapper deal with the remaining
// work.
let qb = this._doc({...key, showAll: true})
.leftJoinAndSelect('orgs.owner', 'org_users');
qb = this._addIsSupportWorkspace(userId, qb, 'orgs', 'workspaces');
qb = this._addFeatures(qb); // add features to determine whether we've gone readonly
const docs = this.unwrapQueryResult<Document[]>(await this._verifyAclPermissions(qb));
if (docs.length === 0) { throw new ApiError('document not found', 404); }
if (docs.length > 1) { throw new ApiError('ambiguous document request', 400); }
doc = docs[0];
const features = doc.workspace.org.billingAccount.product.features;
if (features.readOnlyDocs || this._restrictedMode) {
// Don't allow any access to docs that is stronger than "viewers".
doc.access = roles.getWeakestRole('viewers', doc.access);
}
// Place ownership information in the doc's workspace.
(doc.workspace as any).owner = doc.workspace.org.owner;
}
if (forkId || snapshotId) {
// Fix up our reply to be correct for the fork, rather than the trunk.
// The "id" and "urlId" fields need updating.
doc.id = buildUrlId({trunkId: doc.id, forkId, forkUserId, snapshotId});
if (doc.urlId) {
doc.urlId = buildUrlId({trunkId: doc.urlId, forkId, forkUserId, snapshotId});
}
// Set trunkAccess field.
doc.trunkAccess = doc.access;
// Update access for fork.
this._setForkAccess({userId, forkUserId, snapshotId}, doc);
}
return doc;
}
// Calls getDocImpl() and returns the Document from that, caching a fresh DocAuthResult along
// the way. Note that we only cache the access level, not Document itself.
public async getDoc(reqOrScope: Request | Scope): Promise<Document> {
const scope = "params" in reqOrScope ? getScope(reqOrScope) : reqOrScope;
const key = getDocAuthKeyFromScope(scope);
const promise = this.getDocImpl(key);
await mapSetOrClear(this._docAuthCache, stringifyDocAuthKey(key), makeDocAuthResult(promise));
const doc = await promise;
// Filter the result for removed / non-removed documents.
if (!scope.showAll && scope.showRemoved ?
(doc.removedAt === null && doc.workspace.removedAt === null) :
(doc.removedAt || doc.workspace.removedAt)) {
throw new ApiError('document not found', 404);
}
return doc;
}
public async getRawDocById(docId: string) {
return await this.getDoc({urlId: docId, userId: this.getPreviewerUserId(), showAll: true});
}
// Returns access info for the given doc and user, caching the results for DOC_AUTH_CACHE_TTL
// ms. This helps reduce database load created by liberal authorization requests.
public async getDocAuthCached(key: DocAuthKey): Promise<DocAuthResult> {
return mapGetOrSet(this._docAuthCache, stringifyDocAuthKey(key),
() => makeDocAuthResult(this.getDocImpl(key)));
}
// Used in tests, and to clear all timeouts when exiting.
public flushDocAuthCache() {
this._docAuthCache.clear();
}
// Flush cached access information about a specific document
// (identified specifically by a docId, not a urlId). Any cached
// information under an alias will also be flushed.
// TODO: make a more efficient implementation if needed.
public async flushSingleDocAuthCache(scope: DocScope, docId: string) {
// Get all aliases of this document.
const aliases = await this._connection.manager.find(Alias, {where: {docId}});
// Construct a set of possible prefixes for cache keys.
const names = new Set(aliases.map(a => stringifyUrlIdOrg(a.urlId, scope.org)));
names.add(stringifyUrlIdOrg(docId, scope.org));
// Remove any cache keys that start with any of the prefixes.
for (const key of this._docAuthCache.keys()) {
const name = key.split(' ', 1)[0];
if (names.has(name)) { this._docAuthCache.delete(key); }
}
}
// Find a document by name. Limit name search to a specific organization.
// It is possible to hit ambiguities, e.g. with the same name of a doc
// in multiple workspaces, so this is not a general-purpose method. It
// is here to facilitate V0 -> V1 migration, so existing links to docs continue
// to work.
public async getDocByName(userId: number, orgId: number, docName: string): Promise<QueryResult<Document>> {
let qb = this._docs()
.innerJoin('docs.workspace', 'workspace')
.innerJoin('workspace.org', 'org')
.where('docs.name = :docName', {docName})
.andWhere('org.id = :orgId', {orgId});
qb = this._withAccess(qb, userId, 'docs');
return this._single(await this._verifyAclPermissions(qb));
}
/**
*
* Adds an org with the given name. Returns a query result with the id of the added org.
*
* @param user: user doing the adding
* @param name: desired org name
* @param domain: desired org domain, or null not to set a domain
* @param setUserAsOwner: if this is the user's personal org (they will be made an
* owner in the ACL sense in any case)
* @param useNewPlan: by default, the individual billing account associated with the
* user's personal org will be used for all other orgs they create. Set useNewPlan
* to force a distinct non-individual billing account to be used for this org.
* NOTE: Currently it is always a true - billing account is one to one with org.
* @param planType: if set, controls the type of plan used for the org. Only
* meaningful for team sites currently.
*
*/
public async addOrg(user: User, props: Partial<OrganizationProperties>,
options: { setUserAsOwner: boolean,
useNewPlan: boolean,
planType?: string,
externalId?: string,
externalOptions?: ExternalBillingOptions },
transaction?: EntityManager): Promise<QueryResult<number>> {
const notifications: Array<() => void> = [];
const name = props.name;
const domain = props.domain;
if (!name) {
return {
status: 400,
errMessage: 'Bad request: name required'
};
}
const orgResult = await this._runInTransaction(transaction, async manager => {
if (domain) {
try {
checkSubdomainValidity(domain);
} catch (e) {
return {
status: 400,
errMessage: `Domain is not permitted: ${e.message}`
};
}
}
// Create or find a billing account to associate with this org.
const billingAccountEntities = [];
let billingAccount;
if (options.useNewPlan) { // use separate billing account (currently yes)
const productNames = getDefaultProductNames();
let productName = options.setUserAsOwner ? productNames.personal :
options.planType === productNames.teamFree ? productNames.teamFree : productNames.teamInitial;
// A bit fragile: this is called during creation of support@ user, before
// getSupportUserId() is available, but with setUserAsOwner of true.
if (!options.setUserAsOwner
&& user.id === this.getSupportUserId()
&& options.planType !== productNames.teamFree) {
// For teams created by support@getgrist.com, set the product to something
// good so payment not needed. This is useful for testing.
productName = productNames.team;
}
billingAccount = new BillingAccount();
billingAccount.individual = options.setUserAsOwner;
const dbProduct = await manager.findOne(Product, {where: {name: productName}});
if (!dbProduct) {
throw new Error('Cannot find product for new organization');
}
billingAccount.product = dbProduct;
billingAccountEntities.push(billingAccount);
const billingAccountManager = new BillingAccountManager();
billingAccountManager.user = user;
billingAccountManager.billingAccount = billingAccount;
billingAccountEntities.push(billingAccountManager);
if (options.externalId) {
// save will fail if externalId is a duplicate.
billingAccount.externalId = options.externalId;
}
if (options.externalOptions) {
billingAccount.externalOptions = options.externalOptions;
}
} else {
log.warn("Creating org with shared billing account");
// Use the billing account from the user's personal org to start with.
billingAccount = await manager.createQueryBuilder()
.select('billing_accounts')
.from(BillingAccount, 'billing_accounts')
.leftJoinAndSelect('billing_accounts.orgs', 'orgs')
.where('orgs.owner_id = :userId', {userId: user.id})
.getOne();
if (options.externalId && billingAccount?.externalId !== options.externalId) {
throw new ApiError('Conflicting external identifier', 400);
}
if (!billingAccount) {
throw new ApiError('Cannot find an initial plan for organization', 500);
}
}
// Create a new org.
const org = new Organization();
org.checkProperties(props);
org.updateFromProperties(props);
org.billingAccount = billingAccount;
if (domain) {
org.domain = domain;
}
if (options.setUserAsOwner) {
org.owner = user;
}
// Create the special initial permission groups for the new org.
const groupMap = this._createGroups();
org.aclRules = this.defaultGroups.map(_grpDesc => {
// Get the special group with the name needed for this ACL Rule
const group = groupMap[_grpDesc.name];
// Note that the user is added to the owners group of an org when it is created.
if (_grpDesc.name === roles.OWNER) {
group.memberUsers = [user];
}
// Add each of the special groups to the new workspace.
const aclRuleOrg = new AclRuleOrg();
aclRuleOrg.permissions = _grpDesc.permissions;
aclRuleOrg.group = group;
aclRuleOrg.organization = org;
return aclRuleOrg;
});
// Saves the workspace as well as its new ACL Rules and Group.
const groups = org.aclRules.map(rule => rule.group);
let savedOrg: Organization;
try {
const result = await manager.save([org, ...org.aclRules, ...groups, ...billingAccountEntities]);
savedOrg = result[0] as Organization;
} catch (e) {
if (e.name === 'QueryFailedError' && e.message &&
e.message.match(/unique constraint/i)) {
throw new ApiError('Domain already in use', 400);
}
throw e;
}
// Add a starter workspace to the org. Any limits on org workspace
// count are not checked, this will succeed unconditionally.
await this._doAddWorkspace(savedOrg, {name: 'Home'}, manager);
if (!options.setUserAsOwner) {
// This user just made a team site (once this transaction is applied).
// Emit a notification.
notifications.push(this._teamCreatorNotification(user.id));
}
return {
status: 200,
data: savedOrg.id
};
});
for (const notification of notifications) { notification(); }
return orgResult;
}
// If setting anything more than prefs:
// Checks that the user has UPDATE permissions to the given org. If not, throws an
// error. Otherwise updates the given org with the given name. Returns an empty
// query result with status 200 on success.
// For setting userPrefs or userOrgPrefs:
// These are user-specific setting, so are allowed with VIEW access (that includes
// guests). Prefs are replaced in their entirety, not merged.
// For setting orgPrefs:
// These are not user-specific, so require UPDATE permissions.
public async updateOrg(
scope: Scope,
orgKey: string|number,
props: Partial<OrganizationProperties>,
transaction?: EntityManager,
): Promise<QueryResult<number>> {
// Check the scope of the modifications.
let markPermissions: number = Permissions.VIEW;
let modifyOrg: boolean = false;
let modifyPrefs: boolean = false;
for (const key of Object.keys(props)) {
if (key === 'orgPrefs') {
// If setting orgPrefs, make sure we have UPDATE rights since this
// will affect other users.
markPermissions = Permissions.UPDATE;
modifyPrefs = true;
} else if (key === 'userPrefs' || key === 'userOrgPrefs') {
// These keys only affect the current user.
modifyPrefs = true;
} else {
markPermissions = Permissions.UPDATE;
modifyOrg = true;
}
}
// TODO: Unsetting a domain will likely have to be supported; also possibly prefs.
return await this._runInTransaction(transaction, async manager => {
const orgQuery = this.org(scope, orgKey, {
manager,
markPermissions,
needRealOrg: true
});
const queryResult = await verifyIsPermitted(orgQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
// Update the fields and save.
const org: Organization = queryResult.data;
org.checkProperties(props);
if (modifyOrg) {
if (props.domain) {
if (org.owner) {
throw new ApiError('Cannot set a domain for a personal organization', 400);
}
try {
checkSubdomainValidity(props.domain);
} catch (e) {
return {
status: 400,
errMessage: `Domain is not permitted: ${e.message}`
};
}
}
org.updateFromProperties(props);
await manager.save(org);
}
if (modifyPrefs) {
for (const flavor of ['orgPrefs', 'userOrgPrefs', 'userPrefs'] as const) {
const prefs = props[flavor];
if (prefs === undefined) { continue; }
const orgId = ['orgPrefs', 'userOrgPrefs'].includes(flavor) ? org.id : null;
const userId = ['userOrgPrefs', 'userPrefs'].includes(flavor) ? scope.userId : null;
await manager.createQueryBuilder()
.insert()
// if pref flavor has been set before, update it
.onConflict('(COALESCE(org_id,0), COALESCE(user_id,0)) DO UPDATE SET prefs = :prefs')
// TypeORM muddles JSON handling a bit here
.setParameters({prefs: JSON.stringify(prefs)})
.into(Pref)
.values({orgId, userId, prefs})
.execute();
}
}
return {status: 200};
});
}
// Checks that the user has REMOVE permissions to the given org. If not, throws an
// error. Otherwise deletes the given org. Returns an empty query result with
// status 200 on success.
public async deleteOrg(scope: Scope, orgKey: string|number,
transaction?: EntityManager): Promise<QueryResult<number>> {
return await this._runInTransaction(transaction, async manager => {
const orgQuery = this.org(scope, orgKey, {
manager,
markPermissions: Permissions.REMOVE,
allowSpecialPermit: true
})
// Join the org's workspaces (with ACLs and groups), docs (with ACLs and groups)
// and ACLs and groups so we can remove them.
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'groups')
.leftJoinAndSelect('orgs.workspaces', 'workspaces')
.leftJoinAndSelect('workspaces.aclRules', 'workspace_acl_rules')
.leftJoinAndSelect('workspace_acl_rules.group', 'workspace_group')
.leftJoinAndSelect('workspaces.docs', 'docs')
.leftJoinAndSelect('docs.aclRules', 'doc_acl_rules')
.leftJoinAndSelect('doc_acl_rules.group', 'doc_group')
.leftJoinAndSelect('orgs.billingAccount', 'billing_accounts');
const queryResult = await verifyIsPermitted(orgQuery);
if (queryResult.status !== 200) {
// If the query for the org failed, return the failure result.
return queryResult;
}
const org: Organization = queryResult.data;
// Delete the org, org ACLs/groups, workspaces, workspace ACLs/groups, workspace docs
// and doc ACLs/groups.
const orgGroups = org.aclRules.map(orgAcl => orgAcl.group);
const wsAcls = ([] as AclRule[]).concat(...org.workspaces.map(ws => ws.aclRules));
const wsGroups = wsAcls.map(wsAcl => wsAcl.group);
const docs = ([] as Document[]).concat(...org.workspaces.map(ws => ws.docs));
const docAcls = ([] as AclRule[]).concat(...docs.map(doc => doc.aclRules));
const docGroups = docAcls.map(docAcl => docAcl.group);
await manager.remove([org, ...org.aclRules, ...orgGroups, ...org.workspaces,
...wsAcls, ...wsGroups, ...docs, ...docAcls, ...docGroups]);
// Delete billing account if this was the last org using it.
const billingAccount = await manager.findOne(BillingAccount, {
where: {id: org.billingAccountId},
relations: ['orgs'],
});
if (billingAccount && billingAccount.orgs.length === 0) {
await manager.remove([billingAccount]);
}
return {status: 200};
});
}
// Checks that the user has ADD permissions to the given org. If not, throws an error.
// Otherwise adds a workspace with the given name. Returns a query result with the id
// of the added workspace.
public async addWorkspace(scope: Scope, orgKey: string|number,
props: Partial<WorkspaceProperties>): Promise<QueryResult<number>> {
const name = props.name;
if (!name) {
return {
status: 400,
errMessage: 'Bad request: name required'
};
}
return await this._connection.transaction(async manager => {
let orgQuery = this.org(scope, orgKey, {
manager,
markPermissions: Permissions.ADD,
needRealOrg: true
})
// Join the org's ACL rules (with 1st level groups listed) so we can include them in the
// workspace.
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'org_group')
.leftJoinAndSelect('orgs.workspaces', 'workspaces'); // we may want to count workspaces.
orgQuery = this._addFeatures(orgQuery); // add features to access optional workspace limit.
const queryResult = await verifyIsPermitted(orgQuery);
if (queryResult.status !== 200) {
// If the query for the organization failed, return the failure result.
return queryResult;
}
const org: Organization = queryResult.data;
const features = org.billingAccount.product.features;
if (features.maxWorkspacesPerOrg !== undefined) {
// we need to count how many workspaces are in the current org, and if we
// are already at or above the limit, then fail.
const count = org.workspaces.length;
if (count >= features.maxWorkspacesPerOrg) {
throw new ApiError('No more workspaces permitted', 403, {
limit: {
quantity: 'workspaces',
maximum: features.maxWorkspacesPerOrg,
value: count,
projectedValue: count + 1
}
});
}
}
const workspace = await this._doAddWorkspace(org, props, manager);
return {
status: 200,
data: workspace.id
};
});
}
// Checks that the user has UPDATE permissions to the given workspace. If not, throws an
// error. Otherwise updates the given workspace with the given name. Returns an empty
// query result with status 200 on success.
public async updateWorkspace(scope: Scope, wsId: number,
props: Partial<WorkspaceProperties>): Promise<QueryResult<number>> {
return await this._connection.transaction(async manager => {
const wsQuery = this._workspace(scope, wsId, {
manager,
markPermissions: Permissions.UPDATE
});
const queryResult = await verifyIsPermitted(wsQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
// Update the name and save.
const workspace: Workspace = queryResult.data;
workspace.checkProperties(props);
workspace.updateFromProperties(props);
await manager.save(workspace);
return {status: 200};
});
}
// Checks that the user has REMOVE permissions to the given workspace. If not, throws an
// error. Otherwise deletes the given workspace. Returns an empty query result with
// status 200 on success.
public async deleteWorkspace(scope: Scope, wsId: number): Promise<QueryResult<number>> {
return await this._connection.transaction(async manager => {
const wsQuery = this._workspace(scope, wsId, {
manager,
markPermissions: Permissions.REMOVE,
allowSpecialPermit: true
})
// Join the workspace's docs (with ACLs and groups) and ACLs and groups so we can
// remove them. Also join the org to get the orgId.
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'groups')
.leftJoinAndSelect('workspaces.docs', 'docs')
.leftJoinAndSelect('docs.aclRules', 'doc_acl_rules')
.leftJoinAndSelect('doc_acl_rules.group', 'doc_groups')
.leftJoinAndSelect('workspaces.org', 'orgs');
const queryResult = await verifyIsPermitted(wsQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
const workspace: Workspace = queryResult.data;
// Delete the workspace, workspace docs, doc ACLs/groups and workspace ACLs/groups.
const wsGroups = workspace.aclRules.map(wsAcl => wsAcl.group);
const docAcls = ([] as AclRule[]).concat(...workspace.docs.map(doc => doc.aclRules));
const docGroups = docAcls.map(docAcl => docAcl.group);
await manager.remove([workspace, ...wsGroups, ...docAcls, ...workspace.docs,
...workspace.aclRules, ...docGroups]);
// Update the guests in the org after removing this workspace.
await this._repairOrgGuests(scope, workspace.org.id, manager);
return {status: 200};
});
}
public softDeleteWorkspace(scope: Scope, wsId: number): Promise<void> {
return this._setWorkspaceRemovedAt(scope, wsId, new Date());
}
public async undeleteWorkspace(scope: Scope, wsId: number): Promise<void> {
return this._setWorkspaceRemovedAt(scope, wsId, null);
}
// Checks that the user has ADD permissions to the given workspace. If not, throws an
// error. Otherwise adds a doc with the given name. Returns a query result with the id
// of the added doc.
// The desired docId may be passed in. If passed in, it should have been generated
// by makeId(). The client should not be given control of the choice of docId.
// This option is used during imports, where it is convenient not to add a row to the
// document database until the document has actually been imported.
public async addDocument(scope: Scope, wsId: number, props: Partial<DocumentProperties>,
docId?: string): Promise<QueryResult<string>> {
const name = props.name;
if (!name) {
return {
status: 400,
errMessage: 'Bad request: name required'
};
}
return await this._connection.transaction(async manager => {
let wsQuery = this._workspace(scope, wsId, {
manager,
markPermissions: Permissions.ADD
})
.leftJoinAndSelect('workspaces.org', 'orgs')
// Join the workspaces's ACL rules (with 1st level groups listed) so we can include
// them in the doc.
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'workspace_group');
wsQuery = this._addFeatures(wsQuery);
const queryResult = await verifyIsPermitted(wsQuery);
if (queryResult.status !== 200) {
// If the query for the organization failed, return the failure result.
return queryResult;
}
const workspace: Workspace = queryResult.data;
await this._checkRoomForAnotherDoc(workspace, manager);
// Create a new document.
const doc = new Document();
doc.id = docId || makeId();
doc.checkProperties(props);
doc.updateFromProperties(props);
// For some reason, isPinned defaulting to null, not false,
// for some typeorm/postgres combination? That causes a
// constraint violation.
if (!doc.isPinned) {
doc.isPinned = false;
}
// By default, assign a urlId that is a prefix of the docId.
// The urlId should be unique across all existing documents.
if (!doc.urlId) {
for (let i = MIN_URLID_PREFIX_LENGTH; i <= doc.id.length; i++) {
const candidate = doc.id.substr(0, i);
if (!await manager.findOne(Alias, {where: {urlId: candidate}})) {
doc.urlId = candidate;
break;
}
}
if (!doc.urlId) {
// This should happen only if UUIDs collide.
throw new Error('Could not find a free identifier for document');
}
}
if (doc.urlId) {
await this._checkForUrlIdConflict(manager, workspace.org, doc.urlId);
const alias = new Alias();
doc.aliases = [alias];
alias.urlId = doc.urlId;
alias.orgId = workspace.org.id;
} else {
doc.aliases = [];
}
doc.workspace = workspace;
// Create the special initial permission groups for the new workspace.
const groupMap = this._createGroups(workspace);
doc.aclRules = this.defaultCommonGroups.map(_grpDesc => {
// Get the special group with the name needed for this ACL Rule
const group = groupMap[_grpDesc.name];
// Add each of the special groups to the new doc.
const aclRuleDoc = new AclRuleDoc();
aclRuleDoc.permissions = _grpDesc.permissions;
aclRuleDoc.group = group;
aclRuleDoc.document = doc;
return aclRuleDoc;
});
// Saves the document as well as its new ACL Rules and Group.
const groups = doc.aclRules.map(rule => rule.group);
const result = await manager.save([doc, ...doc.aclRules, ...doc.aliases, ...groups]);
return {
status: 200,
data: (result[0] as Document).id
};
});
}
public addSecret(value: string, docId: string): Promise<Secret> {
return this._connection.transaction(async manager => {
const secret = new Secret();
secret.id = uuidv4();
secret.value = value;
secret.doc = {id: docId} as any;
await manager.save([secret]);
return secret;
});
}
public async getSecret(id: string, docId: string, manager?: EntityManager): Promise<string | undefined> {
const secret = await (manager || this._connection).createQueryBuilder()
.select('secrets')
.from(Secret, 'secrets')
.where('id = :id AND doc_id = :docId', {id, docId})
.getOne();
return secret?.value;
}
public async removeWebhook(id: string, docId: string, unsubscribeKey: string): Promise<void> {
if (!(id && unsubscribeKey)) {
throw new ApiError('Bad request: id and unsubscribeKey both required', 400);
}
return await this._connection.transaction(async manager => {
const secret = await this.getSecret(id, docId, manager);
if (!secret) {
throw new ApiError('Webhook with given id not found', 404);
}
const webhook = JSON.parse(secret) as WebHookSecret;
if (webhook.unsubscribeKey !== unsubscribeKey) {
throw new ApiError('Wrong unsubscribeKey', 401);
}
await manager.createQueryBuilder()
.delete()
.from(Secret)
.where('id = :id', {id})
.execute();
});
}
// Checks that the user has UPDATE permissions to the given doc. If not, throws an
// error. Otherwise updates the given doc with the given name. Returns an empty
// query result with status 200 on success.
// NOTE: This does not update the updateAt date indicating the last modified time of the doc.
// We may want to make it do so.
public async updateDocument(scope: DocScope,
props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
return await this._connection.transaction(async manager => {
const docQuery = this._doc(scope, {
manager,
markPermissions: Permissions.UPDATE
});
const queryResult = await verifyIsPermitted(docQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
// Update the name and save.
const doc: Document = queryResult.data;
doc.checkProperties(props);
doc.updateFromProperties(props);
// Forcibly remove the aliases relation from the document object, so that TypeORM
// doesn't try to save it. It isn't safe to do that because it was filtered by
// a where clause.
// TODO: refactor to avoid using TypeORM's save method.
doc.aliases = undefined as any;
// TODO: if pinning does anything special in future, like triggering thumbnail
// processing, then we should probably call pinDoc.
await manager.save(doc);
if (props.urlId) {
// We accumulate old urlIds in order to correctly redirect them, so we need
// to do some extra bookwork when a doc's urlId is changed. First, throw
// an error if urlId is already in use by this org.
await this._checkForUrlIdConflict(manager, doc.workspace.org, props.urlId, doc.id);
// Otherwise, add an alias entry for this document.
await manager.createQueryBuilder()
.insert()
// if urlId has been used before, update it
.onConflict(`(org_id, url_id) DO UPDATE SET doc_id = :docId, created_at = ${now(this._dbType)}`)
.setParameter('docId', doc.id)
.into(Alias)
.values({orgId: doc.workspace.org.id, urlId: props.urlId, doc})
.execute();
// TODO: we could limit the max number of aliases stored per document.
}
return {status: 200};
});
}
// Checks that the user has REMOVE permissions to the given document. If not, throws an
// error. Otherwise deletes the given document. Returns an empty query result with
// status 200 on success.
public async deleteDocument(scope: DocScope): Promise<QueryResult<number>> {
return await this._connection.transaction(async manager => {
const docQuery = this._doc(scope, {
manager,
markPermissions: Permissions.REMOVE | Permissions.SCHEMA_EDIT,
allowSpecialPermit: true
})
// Join the docs's ACLs and groups so we can remove them.
// Join the workspace and org to get their ids.
.leftJoinAndSelect('docs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'groups');
const queryResult = await verifyIsPermitted(docQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
const doc: Document = queryResult.data;
// Delete the doc and doc ACLs/groups.
const docGroups = doc.aclRules.map(docAcl => docAcl.group);
await manager.remove([doc, ...docGroups, ...doc.aclRules]);
// Update guests of the workspace and org after removing this doc.
await this._repairWorkspaceGuests(scope, doc.workspace.id, manager);
await this._repairOrgGuests(scope, doc.workspace.org.id, manager);
return {status: 200};
});
}
public softDeleteDocument(scope: DocScope): Promise<void> {
return this._setDocumentRemovedAt(scope, new Date());
}
public async undeleteDocument(scope: DocScope): Promise<void> {
return this._setDocumentRemovedAt(scope, null);
}
// Fetches and provides a callback with the billingAccount so it may be updated within
// a transaction. The billingAccount is saved after any changes applied in the callback.
// Will throw an error if the user does not have access to the org's billingAccount.
//
// Only certain properties of the billingAccount may be changed:
// 'inGoodStanding', 'status', 'stripeCustomerId','stripeSubscriptionId', 'stripePlanId'
//
// Returns an empty query result with status 200 on success.
public async updateBillingAccount(
userId: number,
orgKey: string|number,
callback: (billingAccount: BillingAccount, transaction: EntityManager) => void|Promise<void>
): Promise<QueryResult<void>> {
return await this._connection.transaction(async transaction => {
const billingAccount = await this.getBillingAccount({userId}, orgKey, false, transaction);
const billingAccountCopy = Object.assign({}, billingAccount);
await callback(billingAccountCopy, transaction);
// Pick out properties that are allowed to be changed, to prevent accidental updating
// of other information.
const updated = pick(billingAccountCopy, 'inGoodStanding', 'status', 'stripeCustomerId',
'stripeSubscriptionId', 'stripePlanId', 'product', 'externalId',
'externalOptions');
billingAccount.paid = undefined; // workaround for a typeorm bug fixed upstream in
// https://github.com/typeorm/typeorm/pull/4035
await transaction.save(Object.assign(billingAccount, updated));
return { status: 200 };
});
}
// Updates the managers of a billing account. Returns an empty query result with
// status 200 on success.
public async updateBillingAccountManagers(userId: number, orgKey: string|number,
delta: ManagerDelta): Promise<QueryResult<void>> {
const notifications: Array<() => void> = [];
// Translate our ManagerDelta to a PermissionDelta so that we can reuse existing
// methods for normalizing/merging emails and finding the user ids.
const permissionDelta: PermissionDelta = {users: {}};
for (const key of Object.keys(delta.users)) {
const target = delta.users[key];
if (target !== null && target !== 'managers') {
throw new ApiError("Only valid settings for billing account managers are 'managers' or null", 400);
}
permissionDelta.users![key] = delta.users[key] ? 'owners' : null;
}
return await this._connection.transaction(async transaction => {
const billingAccount = await this.getBillingAccount({userId}, orgKey, true, transaction);
// At this point, we'll have thrown an error if userId is not a billing account manager.
// Now check if the billing account has mutable managers (individual account does not).
if (billingAccount.individual) {
throw new ApiError('billing account managers cannot be added/removed for individual billing accounts', 400);
}
// Get the ids of users to update.
const billingAccountId = billingAccount.id;
const analysis = await this._verifyAndLookupDeltaEmails(userId, permissionDelta, true, transaction);
this._failIfPowerfulAndChangingSelf(analysis);
const {userIdDelta} = analysis;
if (!userIdDelta) { throw new ApiError('No userIdDelta', 500); }
// Any duplicated emails have been merged, and userIdDelta is now keyed by user ids.
// Now we iterate over users and add/remove them as managers.
for (const memberUserIdStr of Object.keys(userIdDelta)) {
const memberUserId = parseInt(memberUserIdStr, 10);
const add = Boolean(userIdDelta[memberUserIdStr]);
const manager = await transaction.findOne(BillingAccountManager, {where: {userId: memberUserId,
billingAccountId}});
if (add) {
// Skip adding user if they are already a manager.
if (!manager) {
const newManager = new BillingAccountManager();
newManager.userId = memberUserId;
newManager.billingAccountId = billingAccountId;
await transaction.save(newManager);
notifications.push(this._billingManagerNotification(userId, memberUserId,
billingAccount.orgs));
}
} else {
if (manager) {
// Don't allow a user to remove themselves as a manager, to be consistent
// with ACL behavior.
if (memberUserId === userId) {
throw new ApiError('Users cannot remove themselves as billing managers', 400);
}
await transaction.remove(manager);
}
}
}
for (const notification of notifications) { notification(); }
return { status: 200 };
});
}
// Updates the permissions of users on the given org according to the PermissionDelta.
public async updateOrgPermissions(
scope: Scope,
orgKey: string|number,
delta: PermissionDelta
): Promise<QueryResult<void>> {
const {userId} = scope;
const notifications: Array<() => void> = [];
const result = await this._connection.transaction(async manager => {
const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, true, manager);
const {userIdDelta} = analysis;
let orgQuery = this.org(scope, orgKey, {
manager,
markPermissions: analysis.permissionThreshold,
needRealOrg: true
})
// Join the org's ACL rules (with 1st level groups/users listed) so we can edit them.
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_member_users');
orgQuery = this._addFeatures(orgQuery);
orgQuery = this._withAccess(orgQuery, userId, 'orgs');
const queryResult = await verifyIsPermitted(orgQuery);
if (queryResult.status !== 200) {
// If the query for the organization failed, return the failure result.
return queryResult;
}
this._failIfPowerfulAndChangingSelf(analysis, queryResult);
const org: Organization = queryResult.data;
const groups = getNonGuestGroups(org);
if (userIdDelta) {
const membersBefore = getUsersWithRole(groups, this.getExcludedUserIds());
const countBefore = removeRole(membersBefore).length;
await this._updateUserPermissions(groups, userIdDelta, manager);
this._checkUserChangeAllowed(userId, groups);
await manager.save(groups);
// Fully remove any users being removed from the org.
for (const deltaUser in userIdDelta) {
// Any users removed from the org should be removed from everything in the org.
if (userIdDelta[deltaUser] === null) {
await scrubUserFromOrg(org.id, parseInt(deltaUser, 10), userId, manager);
}
}
// Emit an event if the number of org users is changing.
const membersAfter = getUsersWithRole(groups, this.getExcludedUserIds());
const countAfter = removeRole(membersAfter).length;
notifications.push(this._userChangeNotification(userId, org, countBefore, countAfter,
membersBefore, membersAfter));
// Notify any added users that they've been added to this resource.
notifications.push(this._inviteNotification(userId, org, userIdDelta, membersBefore));
}
return {status: 200};
});
for (const notification of notifications) { notification(); }
return result;
}
// Updates the permissions of users on the given workspace according to the PermissionDelta.
public async updateWorkspacePermissions(
scope: Scope,
wsId: number,
delta: PermissionDelta
): Promise<QueryResult<void>> {
const {userId} = scope;
const notifications: Array<() => void> = [];
const result = await this._connection.transaction(async manager => {
const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, false, manager);
let {userIdDelta} = analysis;
let wsQuery = this._workspace(scope, wsId, {
manager,
markPermissions: analysis.permissionThreshold,
})
// Join the workspace's ACL rules and groups/users so we can edit them.
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'workspace_groups')
.leftJoinAndSelect('workspace_groups.memberUsers', 'workspace_users')
// Join the workspace's org and org member groups so we know what should be inherited.
.leftJoinAndSelect('workspaces.org', 'org')
.leftJoinAndSelect('org.aclRules', 'org_acl_rules')
.leftJoinAndSelect('org_acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_users');
wsQuery = this._addFeatures(wsQuery, 'org');
wsQuery = this._withAccess(wsQuery, userId, 'workspaces');
const queryResult = await verifyIsPermitted(wsQuery);
if (queryResult.status !== 200) {
// If the query for the workspace failed, return the failure result.
return queryResult;
}
this._failIfPowerfulAndChangingSelf(analysis, queryResult);
const ws: Workspace = queryResult.data;
// Get all the non-guest groups on the org.
const orgGroups = getNonGuestGroups(ws.org);
// Get all the non-guest groups to be updated by the delta.
const groups = getNonGuestGroups(ws);
if ('maxInheritedRole' in delta) {
// Honor the maxInheritedGroups delta setting.
this._moveInheritedGroups(groups, orgGroups, delta.maxInheritedRole);
if (delta.maxInheritedRole !== roles.OWNER) {
// If the maxInheritedRole was lowered from 'owners', add the calling user
// back as an owner so that their acl edit access is not revoked.
userIdDelta = userIdDelta || {};
userIdDelta[userId] = roles.OWNER;
}
}
const membersBefore = this._withoutExcludedUsers(new Map(groups.map(grp => [grp.name, grp.memberUsers])));
if (userIdDelta) {
// To check limits on shares, we track group members before and after call
// to _updateUserPermissions. Careful, that method mutates groups.
const nonOrgMembersBefore = this._getUserDifference(groups, orgGroups);
await this._updateUserPermissions(groups, userIdDelta, manager);
this._checkUserChangeAllowed(userId, groups);
const nonOrgMembersAfter = this._getUserDifference(groups, orgGroups);
const features = ws.org.billingAccount.product.features;
const limit = features.maxSharesPerWorkspace;
if (limit !== undefined) {
this._restrictShares(null, limit, removeRole(nonOrgMembersBefore),
removeRole(nonOrgMembersAfter), true, 'workspace', features);
}
}
await manager.save(groups);
// If the users in workspace were changed, make a call to repair the guests in the org.
if (userIdDelta) {
await this._repairOrgGuests(scope, ws.org.id, manager);
notifications.push(this._inviteNotification(userId, ws, userIdDelta, membersBefore));
}
return {status: 200};
});
for (const notification of notifications) { notification(); }
return result;
}
// Updates the permissions of users on the given doc according to the PermissionDelta.
public async updateDocPermissions(
scope: DocScope,
delta: PermissionDelta
): Promise<QueryResult<void>> {
const notifications: Array<() => void> = [];
const result = await this._connection.transaction(async manager => {
const {userId} = scope;
const analysis = await this._verifyAndLookupDeltaEmails(userId, delta, false, manager);
let {userIdDelta} = analysis;
const doc = await this._loadDocAccess(scope, analysis.permissionThreshold, manager);
this._failIfPowerfulAndChangingSelf(analysis, {data: doc, status: 200});
// Get all the non-guest doc groups to be updated by the delta.
const groups = getNonGuestGroups(doc);
if ('maxInheritedRole' in delta) {
const wsGroups = getNonGuestGroups(doc.workspace);
// Honor the maxInheritedGroups delta setting.
this._moveInheritedGroups(groups, wsGroups, delta.maxInheritedRole);
if (delta.maxInheritedRole !== roles.OWNER) {
// If the maxInheritedRole was lowered from 'owners', add the calling user
// back as an owner so that their acl edit access is not revoked.
userIdDelta = userIdDelta || {};
userIdDelta[userId] = roles.OWNER;
}
}
const membersBefore = new Map(groups.map(grp => [grp.name, grp.memberUsers]));
if (userIdDelta) {
// To check limits on shares, we track group members before and after call
// to _updateUserPermissions. Careful, that method mutates groups.
const org = doc.workspace.org;
const orgGroups = getNonGuestGroups(org);
const nonOrgMembersBefore = this._getUserDifference(groups, orgGroups);
await this._updateUserPermissions(groups, userIdDelta, manager);
this._checkUserChangeAllowed(userId, groups);
const nonOrgMembersAfter = this._getUserDifference(groups, orgGroups);
const features = org.billingAccount.product.features;
this._restrictAllDocShares(features, nonOrgMembersBefore, nonOrgMembersAfter);
}
await manager.save(groups);
if (userIdDelta) {
// If the users in the doc were changed, make calls to repair workspace then org guests.
await this._repairWorkspaceGuests(scope, doc.workspace.id, manager);
await this._repairOrgGuests(scope, doc.workspace.org.id, manager);
notifications.push(this._inviteNotification(userId, doc, userIdDelta, membersBefore));
}
return {status: 200};
});
for (const notification of notifications) { notification(); }
return result;
}
// Returns UserAccessData for all users with any permissions on the org.
public async getOrgAccess(scope: Scope, orgKey: string|number): Promise<QueryResult<PermissionData>> {
const orgQuery = this.org(scope, orgKey, {
markPermissions: Permissions.VIEW,
needRealOrg: true,
allowSpecialPermit: true
})
// Join the org's ACL rules (with 1st level groups/users listed).
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_member_users')
.leftJoinAndSelect('org_member_users.logins', 'user_logins');
const queryResult = await verifyIsPermitted(orgQuery);
if (queryResult.status !== 200) {
// If the query for the doc failed, return the failure result.
return queryResult;
}
const org: Organization = queryResult.data;
const userRoleMap = getMemberUserRoles(org, this.defaultGroupNames);
const users = getResourceUsers(org).filter(u => userRoleMap[u.id]).map(u => {
const access = userRoleMap[u.id];
return {
...this.makeFullUser(u),
access,
isMember: access !== 'guests',
};
});
const personal = this._filterAccessData(scope, users, null);
return {
status: 200,
data: {
...personal,
users
}
};
}
// Returns UserAccessData for all users with any permissions on the ORG, as well as the
// maxInheritedRole set on the workspace. Note that information for all users in the org
// is given to indicate which users have access to the org but not to this particular workspace.
public async getWorkspaceAccess(scope: Scope, wsId: number): Promise<QueryResult<PermissionData>> {
const wsQuery = this._workspace(scope, wsId, {
markPermissions: Permissions.VIEW
})
// Join the workspace's ACL rules (with 1st level groups/users listed).
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'workspace_groups')
.leftJoinAndSelect('workspace_groups.memberUsers', 'workspace_group_users')
.leftJoinAndSelect('workspace_groups.memberGroups', 'workspace_group_groups')
.leftJoinAndSelect('workspace_group_users.logins', 'workspace_user_logins')
// Join the org and groups/users.
.leftJoinAndSelect('workspaces.org', 'org')
.leftJoinAndSelect('org.aclRules', 'org_acl_rules')
.leftJoinAndSelect('org_acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_group_users')
.leftJoinAndSelect('org_group_users.logins', 'org_user_logins');
const queryResult = await verifyIsPermitted(wsQuery);
if (queryResult.status !== 200) {
// If the query for the doc failed, return the failure result.
return queryResult;
}
const workspace: Workspace = queryResult.data;
const wsMap = getMemberUserRoles(workspace, this.defaultCommonGroupNames);
// The orgMap gives the org access inherited by each user.
const orgMap = getMemberUserRoles(workspace.org, this.defaultBasicGroupNames);
const orgMapWithMembership = getMemberUserRoles(workspace.org, this.defaultGroupNames);
// Iterate through the org since all users will be in the org.
const users: UserAccessData[] = getResourceUsers([workspace, workspace.org]).map(u => {
const orgAccess = orgMapWithMembership[u.id] || null;
return {
...this.makeFullUser(u),
access: wsMap[u.id] || null,
parentAccess: roles.getEffectiveRole(orgMap[u.id] || null),
isMember: orgAccess && orgAccess !== 'guests',
};
});
const maxInheritedRole = this._getMaxInheritedRole(workspace);
const personal = this._filterAccessData(scope, users, maxInheritedRole);
return {
status: 200,
data: {
...personal,
maxInheritedRole,
users
}
};
}
// Returns UserAccessData for all users with any permissions on the ORG, as well as the
// maxInheritedRole set on the doc. Note that information for all users in the org is given
// to indicate which users have access to the org but not to this particular doc.
// TODO: Consider updating to traverse through the doc groups and their nested groups for
// a more straightforward way of determining inheritance. The difficulty here is that all users
// in the org and their logins are needed for inclusion in the result, which would require an
// extra lookup step when traversing from the doc.
//
// If the user is not an owner of the document, only that user (at most) will be mentioned
// in the result.
//
// Optionally, the results can be flattened, removing all information about inheritance and
// parents, and just giving the effective access level of each user (frankly, the default
// output of this method is quite confusing).
//
// Optionally, users without access to the document can be removed from the results
// (I believe they are included in order to one day facilitate auto-completion in the client?).
public async getDocAccess(scope: DocScope, options?: {
flatten?: boolean,
excludeUsersWithoutAccess?: boolean,
}): Promise<QueryResult<PermissionData>> {
// Doc permissions of forks are based on the "trunk" document, so make sure
// we look up permissions of trunk if we are on a fork (we'll fix the permissions
// up for the fork immediately afterwards).
const {trunkId, forkId, forkUserId, snapshotId} = parseUrlId(scope.urlId);
const doc = await this._loadDocAccess({...scope, urlId: trunkId}, Permissions.VIEW);
const docMap = getMemberUserRoles(doc, this.defaultCommonGroupNames);
// The wsMap gives the ws access inherited by each user.
const wsMap = getMemberUserRoles(doc.workspace, this.defaultBasicGroupNames);
// The orgMap gives the org access inherited by each user.
const orgMap = getMemberUserRoles(doc.workspace.org, this.defaultBasicGroupNames);
// The orgMapWithMembership gives the full access to the org for each user, including
// the "members" level, which grants no default inheritable access but allows the user
// to be added freely to workspaces and documents.
const orgMapWithMembership = getMemberUserRoles(doc.workspace.org, this.defaultGroupNames);
const wsMaxInheritedRole = this._getMaxInheritedRole(doc.workspace);
// Iterate through the org since all users will be in the org.
let users: UserAccessData[] = getResourceUsers([doc, doc.workspace, doc.workspace.org]).map(u => {
// Merge the strongest roles from the resource and parent resources. Note that the parent
// resource access levels must be tempered by the maxInheritedRole values of their children.
const inheritFromOrg = roles.getWeakestRole(orgMap[u.id] || null, wsMaxInheritedRole);
const orgAccess = orgMapWithMembership[u.id] || null;
return {
...this.makeFullUser(u),
access: docMap[u.id] || null,
parentAccess: roles.getEffectiveRole(
roles.getStrongestRole(wsMap[u.id] || null, inheritFromOrg)
),
isMember: orgAccess && orgAccess !== 'guests',
isSupport: u.id === this.getSupportUserId() ? true : undefined,
};
});
let maxInheritedRole = this._getMaxInheritedRole(doc);
if (options?.excludeUsersWithoutAccess) {
users = users.filter(user => {
const access = getRealAccess(user, { maxInheritedRole, users });
return roles.canView(access);
});
}
if (forkId || snapshotId || options?.flatten) {
for (const user of users) {
const access = getRealAccess(user, { maxInheritedRole, users });
user.access = access;
user.parentAccess = undefined;
}
maxInheritedRole = null;
}
const personal = this._filterAccessData(scope, users, maxInheritedRole, doc.id);
// If we are on a fork, make any access changes needed. Assumes results
// have been flattened.
if (forkId || snapshotId) {
for (const user of users) {
this._setForkAccess({userId: user.id, forkUserId, snapshotId}, user);
}
}
return {
status: 200,
data: {
...personal,
maxInheritedRole,
users
}
};
}
public async moveDoc(
scope: DocScope,
wsId: number
): Promise<QueryResult<void>> {
return await this._connection.transaction(async manager => {
// Get the doc
const docQuery = this._doc(scope, {
manager,
markPermissions: Permissions.OWNER
})
.leftJoinAndSelect('docs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'doc_groups')
.leftJoinAndSelect('doc_groups.memberUsers', 'doc_users')
.leftJoinAndSelect('workspaces.aclRules', 'workspace_acl_rules')
.leftJoinAndSelect('workspace_acl_rules.group', 'workspace_groups')
.leftJoinAndSelect('workspace_groups.memberUsers', 'workspace_users')
.leftJoinAndSelect('orgs.aclRules', 'org_acl_rules')
.leftJoinAndSelect('org_acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_users');
const docQueryResult = await verifyIsPermitted(docQuery);
if (docQueryResult.status !== 200) {
// If the query for the doc failed, return the failure result.
return docQueryResult;
}
const doc: Document = docQueryResult.data;
if (doc.workspace.id === wsId) {
return {
status: 400,
errMessage: `Bad request: doc is already in destination workspace`
};
}
// Get the destination workspace
let wsQuery = this._workspace(scope, wsId, {
manager,
markPermissions: Permissions.ADD
})
// Join the workspaces's ACL rules (with 1st level groups listed) so we can include
// them in the doc.
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'workspace_groups')
.leftJoinAndSelect('workspace_groups.memberUsers', 'workspace_users')
.leftJoinAndSelect('workspaces.org', 'orgs')
.leftJoinAndSelect('orgs.aclRules', 'org_acl_rules')
.leftJoinAndSelect('org_acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_users');
wsQuery = this._addFeatures(wsQuery);
const wsQueryResult = await verifyIsPermitted(wsQuery);
if (wsQueryResult.status !== 200) {
// If the query for the organization failed, return the failure result.
return wsQueryResult;
}
const workspace: Workspace = wsQueryResult.data;
// Collect all first-level users of the doc being moved.
const firstLevelUsers = getResourceUsers(doc);
const docGroups = doc.aclRules.map(rule => rule.group);
if (doc.workspace.org.id !== workspace.org.id) {
// Doc is going to a new org. Check that there is room for it there.
await this._checkRoomForAnotherDoc(workspace, manager);
// Check also that doc doesn't have too many shares.
if (firstLevelUsers.length > 0) {
const sourceOrg = doc.workspace.org;
const sourceOrgGroups = getNonGuestGroups(sourceOrg);
const destOrg = workspace.org;
const destOrgGroups = getNonGuestGroups(destOrg);
const nonOrgMembersBefore = this._getUserDifference(docGroups, sourceOrgGroups);
const nonOrgMembersAfter = this._getUserDifference(docGroups, destOrgGroups);
const features = destOrg.billingAccount.product.features;
this._restrictAllDocShares(features, nonOrgMembersBefore, nonOrgMembersAfter, false);
}
}
// Update the doc workspace.
const oldWs = doc.workspace;
doc.workspace = workspace;
// The doc should have groups which properly inherit the permissions of the
// new workspace after it is moved.
// Update the doc groups to inherit the groups in the new workspace/org.
// Any previously custom added members remain in the doc groups.
doc.aclRules.forEach(aclRule => {
this._setInheritance(aclRule.group, workspace);
});
// If the org is changing, remove all urlIds for this doc, since there could be
// conflicts in the new org.
// TODO: could try recreating/keeping the urlIds in the new org if there is in fact
// no conflict. Be careful about the merged personal org.
if (oldWs.org.id !== doc.workspace.org.id) {
doc.urlId = null;
await manager.delete(Alias, { doc: doc.id });
}
// Forcibly remove the aliases relation from the document object, so that TypeORM
// doesn't try to save it. It isn't safe to do that because it was filtered by
// a where clause.
doc.aliases = undefined as any;
// Saves the document as well as its new ACL Rules and Groups and the
// updated guest group in the workspace.
await manager.save([doc, ...doc.aclRules, ...docGroups]);
if (firstLevelUsers.length > 0) {
// If the doc has first-level users, update the source and destination workspaces.
await this._repairWorkspaceGuests(scope, oldWs.id, manager);
await this._repairWorkspaceGuests(scope, doc.workspace.id, manager);
if (oldWs.org.id !== doc.workspace.org.id) {
// Also if the org changed, update the source and destination org guest groups.
await this._repairOrgGuests(scope, oldWs.org.id, manager);
await this._repairOrgGuests(scope, doc.workspace.org.id, manager);
}
}
return {
status: 200
};
});
}
// Pin or unpin a doc.
public async pinDoc(
scope: DocScope,
setPinned: boolean
): Promise<QueryResult<void>> {
return await this._connection.transaction(async manager => {
// Find the doc to assert that it exists. Assert that the user has edit access to the
// parent org.
const permissions = Permissions.EDITOR;
const docQuery = this._doc(scope, {
manager
})
.addSelect(this._markIsPermitted('orgs', scope.userId, 'open', permissions), 'is_permitted');
const docQueryResult = await verifyIsPermitted(docQuery);
if (docQueryResult.status !== 200) {
// If the query for the doc failed, return the failure result.
return docQueryResult;
}
const doc: Document = docQueryResult.data;
if (doc.isPinned !== setPinned) {
doc.isPinned = setPinned;
// Forcibly remove the aliases relation from the document object, so that TypeORM
// doesn't try to save it. It isn't safe to do that because it was filtered by
// a where clause.
doc.aliases = undefined as any;
// Save and return success status.
await manager.save(doc);
}
return { status: 200 };
});
}
/**
* Updates the updatedAt and usage values for several docs. Takes a map where each entry maps
* a docId to a metadata object containing the updatedAt and/or usage values. This is not a part
* of the API, it should be called only by the HostedMetadataManager when a change is made to a
* doc.
*/
public async setDocsMetadata(
docUpdateMap: {[docId: string]: DocumentMetadata}
): Promise<QueryResult<void>> {
if (!docUpdateMap || Object.keys(docUpdateMap).length === 0) {
return {
status: 400,
errMessage: `Bad request: missing argument`
};
}
const docIds = Object.keys(docUpdateMap);
return this._connection.transaction(async manager => {
const updateTasks = docIds.map(docId => {
return manager.createQueryBuilder()
.update(Document)
.set(docUpdateMap[docId])
.where("id = :docId", {docId})
.execute();
});
await Promise.all(updateTasks);
return { status: 200 };
});
}
public async setDocGracePeriodStart(docId: string, gracePeriodStart: Date | null) {
return await this._connection.createQueryBuilder()
.update(Document)
.set({gracePeriodStart})
.where({id: docId})
.execute();
}
public async getDocProduct(docId: string): Promise<Product | undefined> {
return await this._connection.createQueryBuilder()
.select('product')
.from(Product, 'product')
.leftJoinAndSelect('product.accounts', 'account')
.leftJoinAndSelect('account.orgs', 'org')
.leftJoinAndSelect('org.workspaces', 'workspace')
.leftJoinAndSelect('workspace.docs', 'doc')
.where('doc.id = :docId', {docId})
.getOne() || undefined;
}
/**
* Get the anonymous user, as a constructed object rather than a database lookup.
*/
public getAnonymousUser(): User {
const user = new User();
user.id = this.getAnonymousUserId();
user.name = "Anonymous";
user.isFirstTimeUser = false;
const login = new Login();
login.displayEmail = login.email = ANONYMOUS_USER_EMAIL;
user.logins = [login];
user.ref = '';
return user;
}
/**
*
* Get the id of the anonymous user.
*
*/
public getAnonymousUserId(): number {
const id = this._specialUserIds[ANONYMOUS_USER_EMAIL];
if (!id) { throw new Error("Anonymous user not available"); }
return id;
}
/**
* Get the id of the thumbnail user.
*/
public getPreviewerUserId(): number {
const id = this._specialUserIds[PREVIEWER_EMAIL];
if (!id) { throw new Error("Previewer user not available"); }
return id;
}
/**
* Get the id of the 'everyone' user.
*/
public getEveryoneUserId(): number {
const id = this._specialUserIds[EVERYONE_EMAIL];
if (!id) { throw new Error("'everyone' user not available"); }
return id;
}
/**
* Get the id of the 'support' user.
*/
public getSupportUserId(): number {
const id = this._specialUserIds[SUPPORT_EMAIL];
if (!id) { throw new Error("'support' user not available"); }
return id;
}
/**
* Get ids of users to be excluded from member counts and emails.
*/
public getExcludedUserIds(): number[] {
return [this.getSupportUserId(), this.getAnonymousUserId(), this.getEveryoneUserId()];
}
/**
*
* Take a list of user profiles coming from the client's session, correlate
* them with Users and Logins in the database, and construct full profiles
* with user ids, standardized display emails, pictures, and anonymous flags.
*
*/
public async completeProfiles(profiles: UserProfile[]): Promise<FullUser[]> {
if (profiles.length === 0) { return []; }
const qb = this._connection.createQueryBuilder()
.select('logins')
.from(Login, 'logins')
.leftJoinAndSelect('logins.user', 'user')
.where('logins.email in (:...emails)', {emails: profiles.map(profile => normalizeEmail(profile.email))});
const completedProfiles: {[email: string]: FullUser} = {};
for (const login of await qb.getMany()) {
completedProfiles[login.email] = {
id: login.user.id,
email: login.displayEmail,
name: login.user.name,
picture: login.user.picture,
anonymous: login.user.id === this.getAnonymousUserId()
};
}
return profiles.map(profile => completedProfiles[normalizeEmail(profile.email)])
.filter(profile => profile);
}
/**
* Calculate the public-facing subdomain for an org.
*
* If the domain is a personal org, the public-facing subdomain will
* be docs/docs-s (if `mergePersonalOrgs` is set), or docs-[s]NNN where NNN
* is the user id (if `mergePersonalOrgs` is not set).
*
* If a domain is set in the database, and `suppressDomain` is not
* set, we report that domain verbatim. The `suppressDomain` may
* be set in some key endpoints in order to enforce a `vanityDomain`
* feature flag.
*
* Otherwise, we report o-NNN (or o-sNNN in staging) where NNN is
* the org id.
*/
public normalizeOrgDomain(orgId: number, domain: string|null,
ownerId: number|undefined, mergePersonalOrgs: boolean = true,
suppressDomain: boolean = false): string {
if (ownerId) {
// An org with an ownerId set is a personal org. Historically, those orgs
// have a subdomain like docs-NN where NN is the user ID.
const personalDomain = `docs-${this._idPrefix}${ownerId}`;
// In most cases now we pool all personal orgs as a single virtual org.
// So when mergePersonalOrgs is on, and the subdomain is either not set
// (as it is in the database for personal orgs) or set to something
// like docs-NN (as it is in the API), normalization should just return the
// single merged org ("docs" or "docs-s").
if (mergePersonalOrgs && (!domain || domain === personalDomain)) {
domain = this.mergedOrgDomain();
}
if (!domain) {
domain = personalDomain;
}
} else if (suppressDomain || !domain) {
// If no subdomain is set, or custom subdomains or forbidden, return something
// uninspiring but unique, like o-NN where NN is the org ID.
domain = `o-${this._idPrefix}${orgId}`;
}
return domain;
}
// Throw an error for query results that represent errors or have no data; otherwise unwrap
// the valid result it contains.
public unwrapQueryResult<T>(qr: QueryResult<T>): T {
if (qr.data) { return qr.data; }
throw new ApiError(qr.errMessage || 'an error occurred', qr.status);
}
// Throw an error for query results that represent errors
public checkQueryResult<T>(qr: QueryResult<T>) {
if (qr.status !== 200) {
throw new ApiError(qr.errMessage || 'an error occurred', qr.status);
}
}
// Get the domain name for the merged organization. In production, this is 'docs',
// in staging, it is 'docs-s'.
public mergedOrgDomain() {
if (this._idPrefix) {
return `docs-${this._idPrefix}`;
}
return 'docs';
}
// The merged organization is a special pseudo-organization
// patched together from all the material a given user has access
// to. The result is approximately, but not exactly, an organization,
// and so it treated a bit differently.
public isMergedOrg(orgKey: string|number|null) {
return orgKey === this.mergedOrgDomain() || orgKey === 0;
}
/**
* Construct a QueryBuilder for a select query on a specific org given by orgId.
* Provides options for running in a transaction and adding permission info.
* See QueryOptions documentation above.
*/
public org(scope: Scope, org: string|number|null,
options: QueryOptions = {}): SelectQueryBuilder<Organization> {
return this._org(scope, scope.includeSupport || false, org, options);
}
private _org(scope: Scope|null, includeSupport: boolean, org: string|number|null,
options: QueryOptions = {}): SelectQueryBuilder<Organization> {
let query = this._orgs(options.manager);
// merged pseudo-org must become personal org.
if (org === null || (options.needRealOrg && this.isMergedOrg(org))) {
if (!scope || !scope.userId) { throw new Error('_org: requires userId'); }
query = query.where('orgs.owner_id = :userId', {userId: scope.userId});
} else {
query = this._whereOrg(query, org, includeSupport);
}
if (options.markPermissions) {
if (!scope || !scope.userId) {
throw new Error(`_orgQuery error: userId must be set to mark permissions`);
}
let effectiveUserId = scope.userId;
let threshold = options.markPermissions;
// TODO If the specialPermit is used across the network, requests could refer to orgs in
// different ways (number vs string), causing this comparison to fail.
if (options.allowSpecialPermit && scope.specialPermit && scope.specialPermit.org === org) {
effectiveUserId = this.getPreviewerUserId();
threshold = Permissions.VIEW;
}
// Compute whether we have access to the doc
query = query.addSelect(
this._markIsPermitted('orgs', effectiveUserId, 'open', threshold),
'is_permitted'
);
}
return query;
}
/**
* Construct a QueryBuilder for a select query on a specific org's workspaces given by orgId.
* Provides options for running in a transaction and adding permission info.
* See QueryOptions documentation above.
*/
private _orgWorkspaces(scope: Scope, org: string|number|null,
options: QueryOptions = {}): SelectQueryBuilder<Organization> {
const {userId} = scope;
const supportId = this._specialUserIds[SUPPORT_EMAIL];
let query = this.org(scope, org, options)
.leftJoinAndSelect('orgs.workspaces', 'workspaces')
.leftJoinAndSelect('workspaces.docs', 'docs', this._onDoc(scope))
.leftJoin('orgs.billingAccount', 'account')
.leftJoin('account.product', 'product')
.addSelect('product.features')
.addSelect('product.id')
.addSelect('account.id')
// order the support org (aka Samples/Examples) after other ones.
.orderBy('coalesce(orgs.owner_id = :supportId, false)')
.setParameter('supportId', supportId)
.addOrderBy('(orgs.owner_id = :userId)', 'DESC')
.setParameter('userId', userId)
// For consistency of results, particularly in tests, order workspaces by name.
.addOrderBy('workspaces.name')
.addOrderBy('docs.created_at')
.leftJoinAndSelect('orgs.owner', 'org_users');
// If merged org, we need to take some special steps.
if (this.isMergedOrg(org)) {
// Add information about owners of personal orgs.
query = query.leftJoinAndSelect('org_users.logins', 'org_logins');
// Add a direct, efficient filter to remove irrelevant personal orgs from consideration.
query = this._filterByOrgGroups(query, userId, null);
// The anonymous user is a special case; include only examples from support user.
if (userId === this.getAnonymousUserId()) {
query = query.andWhere('orgs.owner_id = :supportId', { supportId });
}
}
query = this._addIsSupportWorkspace(userId, query, 'orgs', 'workspaces');
// Add access information and query limits
// TODO: allow generic org limit once sample/support workspace is done differently
query = this._applyLimit(query, {...scope, org: undefined}, ['orgs', 'workspaces', 'docs'], 'list');
return query;
}
/**
* Check if urlId is already in use in the given org, and throw an error if so.
* If the org is a personal org, we check for use of the urlId in any personal org.
* If docId is set, we permit the urlId to be in use by that doc.
*/
private async _checkForUrlIdConflict(manager: EntityManager, org: Organization, urlId: string, docId?: string) {
// Prepare a query to see if there is an existing conflicting urlId.
let aliasQuery = this._docs(manager)
.leftJoinAndSelect('docs.aliases', 'aliases')
.leftJoinAndSelect('aliases.org', 'orgs')
.where('docs.urlId = :urlId', {urlId}); // Place restriction on active urlIds only.
// Older urlIds are best-effort, and subject to
// reuse (currently).
if (org.ownerId === this.getSupportUserId()) {
// This is the support user. Some of their documents end up as examples on team sites.
// so urlIds need to be checked globally, which corresponds to placing no extra where
// clause here.
} else if (org.ownerId) {
// This is a personal org, so look for conflicts in any personal org
// (needed to ensure consistency in merged personal org).
// We don't need to do anything special about examples since they are stored in a personal
// org.
aliasQuery = aliasQuery.andWhere('orgs.owner_id is not null');
} else {
// For team sites, just check within the team site.
// We also need to check within the support@ org for conflict with examples, which
// currently have an existence within team sites.
aliasQuery = aliasQuery.andWhere('(aliases.orgId = :orgId OR aliases.orgId = :exampleOrgId)',
{orgId: org.id, exampleOrgId: this._exampleOrgId});
}
if (docId) {
aliasQuery = aliasQuery.andWhere('docs.id <> :docId', {docId});
}
if (await aliasQuery.getOne()) {
throw new ApiError('urlId already in use', 400);
}
// Also forbid any urlId that would match an existing docId, that is a recipe for confusion
// and mischief.
if (await this._docs(manager).where('docs.id = :urlId', {urlId}).getOne()) {
throw new ApiError('urlId already in use as document id', 400);
}
}
/**
* Updates the workspace guests with any first-level users of docs inside the workspace.
*/
private async _repairWorkspaceGuests(scope: Scope, wsId: number, transaction?: EntityManager): Promise<void> {
return await this._runInTransaction(transaction, async manager => {
// Get guest group for workspace.
const wsQuery = this._workspace(scope, wsId, {manager})
.leftJoinAndSelect('workspaces.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'groups')
.leftJoinAndSelect('groups.memberUsers', 'users');
const workspace: Workspace = (await wsQuery.getOne())!;
const wsGuestGroup = workspace.aclRules.map(aclRule => aclRule.group)
.find(_grp => _grp.name === roles.GUEST);
if (!wsGuestGroup) {
throw new Error(`_repairWorkspaceGuests error: could not find ${roles.GUEST} ACL group`);
}
// Get explicitly added users of docs inside the workspace, as a separate query
// to avoid multiplying rows and to allow filtering the result in sql.
const wsWithDocsQuery = this._workspace(scope, wsId, {manager})
.leftJoinAndSelect('workspaces.docs', 'docs')
.leftJoinAndSelect('docs.aclRules', 'doc_acl_rules')
.leftJoinAndSelect('doc_acl_rules.group', 'doc_groups')
.leftJoinAndSelect('doc_groups.memberUsers', 'doc_users')
.andWhere('doc_users.id is not null');
const wsWithDocs = await wsWithDocsQuery.getOne();
await this._setGroupUsers(manager, wsGuestGroup.id, wsGuestGroup.memberUsers,
this._filterEveryone(getResourceUsers(wsWithDocs?.docs || [])));
});
}
/**
* Updates the org guests with any first-level users of workspaces inside the org.
* NOTE: If repairing both workspace and org guests, this should always be called AFTER
* _repairWorkspaceGuests.
*/
private async _repairOrgGuests(scope: Scope, orgKey: string|number, transaction?: EntityManager): Promise<void> {
return await this._runInTransaction(transaction, async manager => {
const orgQuery = this.org(scope, orgKey, {manager})
.leftJoinAndSelect('orgs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'groups')
.leftJoinAndSelect('groups.memberUsers', 'users')
.andWhere('groups.name = :role', {role: roles.GUEST});
const org = await orgQuery.getOne();
if (!org) { throw new Error('cannot find org'); }
const workspaceQuery = this._workspaces(manager)
.where('workspaces.org_id = :orgId', {orgId: org.id})
.leftJoinAndSelect('workspaces.aclRules', 'workspace_acl_rules')
.leftJoinAndSelect('workspace_acl_rules.group', 'workspace_group')
.leftJoinAndSelect('workspace_group.memberUsers', 'workspace_users')
.leftJoinAndSelect('workspaces.org', 'org');
org.workspaces = await workspaceQuery.getMany();
const orgGroups = org.aclRules.map(aclRule => aclRule.group);
if (orgGroups.length !== 1) {
throw new Error(`_repairOrgGuests error: found ${orgGroups.length} ${roles.GUEST} ACL group(s)`);
}
const orgGuestGroup = orgGroups[0]!;
await this._setGroupUsers(manager, orgGuestGroup.id, orgGuestGroup.memberUsers,
this._filterEveryone(getResourceUsers(org.workspaces)));
});
}
/**
* Update the set of users in a group. TypeORM's .save() method appears to be
* unreliable for a ManyToMany relation with a table with a multi-column primary
* key, so we make the update using explicit deletes and inserts.
*/
private async _setGroupUsers(manager: EntityManager, groupId: number, usersBefore: User[],
usersAfter: User[]) {
const userIdsBefore = new Set(usersBefore.map(u => u.id));
const userIdsAfter = new Set(usersAfter.map(u => u.id));
const toDelete = [...userIdsBefore].filter(id => !userIdsAfter.has(id));
const toAdd = [...userIdsAfter].filter(id => !userIdsBefore.has(id));
if (toDelete.length > 0) {
await manager.createQueryBuilder()
.delete()
.from('group_users')
.whereInIds(toDelete.map(id => ({user_id: id, group_id: groupId})))
.execute();
}
if (toAdd.length > 0) {
await manager.createQueryBuilder()
.insert()
.into('group_users')
.values(toAdd.map(id => ({user_id: id, group_id: groupId})))
.execute();
}
}
/**
* Don't add everyone@ as a guest, unless also sharing with anon@.
* This means that material shared with everyone@ doesn't become
* listable/discoverable by default.
*
* This is a HACK to allow existing example doc setup to continue to
* work. It could be removed if we are willing to share the entire
* support org with users. E.g. move any material we don't want to
* share into a workspace that doesn't inherit ACLs. TODO: remove
* this hack, or enhance it up as a way to support discoverability /
* listing. It has the advantage of cloning well.
*/
private _filterEveryone(users: User[]): User[] {
const everyone = this.getEveryoneUserId();
const anon = this.getAnonymousUserId();
if (users.find(u => u.id === anon)) { return users; }
return users.filter(u => u.id !== everyone);
}
/**
* Creates, initializes and saves a workspace in the given org with the given properties.
* Product limits on number of workspaces allowed in org are not checked.
*/
private async _doAddWorkspace(org: Organization, props: Partial<WorkspaceProperties>,
transaction?: EntityManager): Promise<Workspace> {
if (!props.name) { throw new ApiError('Bad request: name required', 400); }
return await this._runInTransaction(transaction, async manager => {
// Create a new workspace.
const workspace = new Workspace();
workspace.checkProperties(props);
workspace.updateFromProperties(props);
workspace.org = org;
// Create the special initial permission groups for the new workspace.
const groupMap = this._createGroups(org);
workspace.aclRules = this.defaultCommonGroups.map(_grpDesc => {
// Get the special group with the name needed for this ACL Rule
const group = groupMap[_grpDesc.name];
// Add each of the special groups to the new workspace.
const aclRuleWs = new AclRuleWs();
aclRuleWs.permissions = _grpDesc.permissions;
aclRuleWs.group = group;
aclRuleWs.workspace = workspace;
return aclRuleWs;
});
// Saves the workspace as well as its new ACL Rules and Group.
const groups = workspace.aclRules.map(rule => rule.group);
const result = await manager.save([workspace, ...workspace.aclRules, ...groups]);
return result[0];
});
}
/**
* If the user is a manager of the billing account associated with
* the domain, an extra `billingAccount` field is returned,
* containing a `inGoodStanding` flag, a `status` json field, and a
* `product.paid` flag which is true if on a paid plan or false
* otherwise. Other `billingAccount` fields are included (stripe ids in
* particular) but these will not be reported across the API.
*/
private _addBillingAccount(qb: SelectQueryBuilder<Organization>, userId: number) {
qb = qb.leftJoinAndSelect('orgs.billingAccount', 'billing_accounts');
qb = qb.leftJoinAndSelect('billing_accounts.product', 'products');
qb = qb.leftJoinAndSelect('billing_accounts.managers', 'managers',
'managers.billing_account_id = billing_accounts.id and ' +
'managers.user_id = :userId');
qb = qb.setParameter('userId', userId);
qb = this._addBillingAccountCalculatedFields(qb);
return qb;
}
/**
* Adds any calculated fields related to billing accounts - currently just
* products.paid.
*/
private _addBillingAccountCalculatedFields<T>(qb: SelectQueryBuilder<T>) {
// We need to sum up whether the account is paid or not, so that UI can provide
// a "billing" vs "upgrade" link. For the moment, we just check if there is
// a subscription id. TODO: make sure this is correct in case of free plans.
qb = qb.addSelect(`(billing_accounts.stripe_subscription_id is not null)`, 'billing_accounts_paid');
return qb;
}
/**
* Makes sure that product features for orgs are available in query result.
*/
private _addFeatures<T>(qb: SelectQueryBuilder<T>, orgAlias: string = 'orgs') {
qb = qb.leftJoinAndSelect(`${orgAlias}.billingAccount`, 'billing_accounts');
qb = qb.leftJoinAndSelect('billing_accounts.product', 'products');
// orgAlias.billingAccount.product.features should now be available
return qb;
}
private _addIsSupportWorkspace<T>(users: AvailableUsers, qb: SelectQueryBuilder<T>,
orgAlias: string, workspaceAlias: string) {
const supportId = this._specialUserIds[SUPPORT_EMAIL];
// We'll be selecting a boolean and naming it as *_support. This matches the
// SQL name `support` of a column in the Workspace entity whose javascript
// name is `isSupportWorkspace`.
const alias = `${workspaceAlias}_support`;
// If we happen to be the support user, don't treat our workspaces as anything
// special, so we can work with them in the ordinary way.
if (isSingleUser(users) && users === supportId) { return qb.addSelect('false', alias); }
// Otherwise, treat workspaces owned by support as special.
return qb.addSelect(`coalesce(${orgAlias}.owner_id = ${supportId}, false)`, alias);
}
/**
*
* Get the id of a special user, creating that user if it is not already present.
*
*/
private async _getSpecialUserId(profile: UserProfile) {
let id = this._specialUserIds[profile.email];
if (!id) {
// get or create user - with retry, since there'll be a race to create the
// user if a bunch of servers start simultaneously and the user doesn't exist
// yet.
const user = await this.getUserByLoginWithRetry(profile.email, {profile});
if (user) { id = this._specialUserIds[profile.email] = user.id; }
}
if (!id) { throw new Error(`Could not find or create user ${profile.email}`); }
return id;
}
/**
* Modify an access level when the document is a fork. Here are the rules, as they
* have evolved (the main constraint is that currently forks have no access info of
* their own in the db).
* - If fork is a snapshot, all users are at most viewers. Else:
* - If there is no ~USERID in fork id, then all viewers of trunk are owners of the fork.
* - If there is a ~USERID in fork id, that user is owner, all others are at most viewers.
*/
private _setForkAccess(ids: {userId: number, forkUserId?: number, snapshotId?: string},
res: {access: roles.Role|null}) {
// Forks without a user id are editable by anyone with view access to the trunk.
if (ids.forkUserId === undefined && roles.canView(res.access)) { res.access = 'owners'; }
if (ids.forkUserId !== undefined) {
// A fork user id is known, so only that user should get to edit the fork.
if (ids.userId === ids.forkUserId) {
if (roles.canView(res.access)) { res.access = 'owners'; }
} else {
// reduce to viewer if not already viewer
res.access = roles.getWeakestRole('viewers', res.access);
}
}
// Finally, if we are viewing a snapshot, we can't edit it.
if (ids.snapshotId) {
res.access = roles.getWeakestRole('viewers', res.access);
}
}
// This deals with the problem posed by receiving a PermissionDelta specifying a
// role for both alice@x and Alice@x. We do not distinguish between such emails.
// If there are multiple indistinguishabe emails, we preserve just one of them,
// assigning it the most powerful permission specified. The email variant perserved
// is the earliest alphabetically.
private _mergeIndistinguishableEmails(delta: PermissionDelta) {
if (!delta.users) { return; }
// We normalize emails for comparison, but track how they were capitalized
// in order to preserve it. This is worth doing since for the common case
// of a user being added to a resource prior to ever logging in, their
// displayEmail will be seeded from this value.
const displayEmails: {[email: string]: string} = {};
// This will be our output.
const users: {[email: string]: roles.NonGuestRole|null} = {};
for (const displayEmail of Object.keys(delta.users).sort()) {
const email = normalizeEmail(displayEmail);
const role = delta.users[displayEmail];
const key = displayEmails[email] = displayEmails[email] || displayEmail;
users[key] = users[key] ? roles.getStrongestRole(users[key], role) : role;
}
delta.users = users;
}
// Looks up the emails in the permission delta and adds them to the users map in
// the delta object.
// Returns a QueryResult based on the validity of the passed in PermissionDelta object.
private async _verifyAndLookupDeltaEmails(
userId: number,
delta: PermissionDelta,
isOrg: boolean = false,
transaction?: EntityManager
): Promise<PermissionDeltaAnalysis> {
if (!delta) {
throw new ApiError('Bad request: missing permission delta', 400);
}
this._mergeIndistinguishableEmails(delta);
const hasInherit = 'maxInheritedRole' in delta;
const hasUsers = delta.users; // allow zero actual changes; useful to reduce special
// cases in scripts
if ((isOrg && (hasInherit || !hasUsers)) || (!isOrg && !hasInherit && !hasUsers)) {
throw new ApiError('Bad request: invalid permission delta', 400);
}
// Lookup the email access changes and move them to the users object.
const userIdMap: {[userId: string]: roles.NonGuestRole|null} = {};
if (hasInherit) {
// Verify maxInheritedRole
const role = delta.maxInheritedRole;
const validRoles = new Set(this.defaultBasicGroupNames);
if (role && !validRoles.has(role)) {
throw new ApiError(`Invalid maxInheritedRole ${role}`, 400);
}
}
if (delta.users) {
// Verify roles
const deltaRoles = Object.keys(delta.users).map(_userId => delta.users![_userId]);
// Cannot set role "members" on workspace/doc.
const validRoles = new Set(isOrg ? this.defaultNonGuestGroupNames : this.defaultBasicGroupNames);
for (const role of deltaRoles) {
if (role && !validRoles.has(role)) {
throw new ApiError(`Invalid user role ${role}`, 400);
}
}
// Lookup emails
const emailMap = delta.users;
const emails = Object.keys(emailMap);
const emailUsers = await Promise.all(
emails.map(async email => await this.getUserByLogin(email, {manager: transaction}))
);
emails.forEach((email, i) => {
const userIdAffected = emailUsers[i]!.id;
// Org-level sharing with everyone would allow serious spamming - forbid it.
if (emailMap[email] !== null && // allow removing anything
userId !== this.getSupportUserId() && // allow support user latitude
userIdAffected === this.getEveryoneUserId() &&
isOrg) {
throw new ApiError('This user cannot share with everyone at top level', 403);
}
userIdMap[userIdAffected] = emailMap[email];
});
}
const userIdDelta = delta.users ? userIdMap : null;
const userIds = Object.keys(userIdDelta || {});
const removingSelf = userIds.length === 1 && userIds[0] === String(userId) &&
delta.maxInheritedRole === undefined && userIdDelta?.[userId] === null;
const permissionThreshold = removingSelf ? Permissions.VIEW : Permissions.ACL_EDIT;
return {
userIdDelta,
permissionThreshold,
affectsSelf: userId in userIdMap,
};
}
/**
* A helper to throw an error if a user with ACL_EDIT permission attempts
* to change their own access rights. The user permissions are expected to
* be in the supplied QueryResult, or if none is supplied are assumed to be
* ACL_EDIT.
*/
private _failIfPowerfulAndChangingSelf(analysis: PermissionDeltaAnalysis, result?: QueryResult<any>) {
const permissions: Permissions = result ? result.data.permissions : Permissions.ACL_EDIT;
if (permissions === undefined) {
throw new Error('Query malformed');
}
if ((permissions & Permissions.ACL_EDIT) && analysis.affectsSelf) {
// editors don't get to remove themselves.
// TODO: Consider when to allow updating own permissions - allowing updating own
// permissions indiscriminately could lead to orphaned resources.
throw new ApiError('Bad request: cannot update own permissions', 400);
}
}
/**
* Helper for adjusting acl rules. Given an array of top-level groups from the resource
* of interest, returns the updated groups. The returned groups should be saved to
* update the group inheritance in the database. Updates the passed in groups.
*
* NOTE that all group memberUsers must be populated.
*/
private async _updateUserPermissions(
groups: NonGuestGroup[],
userDelta: UserIdDelta,
manager: EntityManager
): Promise<void> {
// Get the user objects which map to non-null values in the userDelta.
const userIds = Object.keys(userDelta).filter(userId => userDelta[userId])
.map(userIdStr => parseInt(userIdStr, 10));
const users = await this._getUsers(userIds, manager);
// Add unaffected users to the delta so that we have a record of where they are.
groups.forEach(grp => {
grp.memberUsers.forEach(usr => {
if (!(usr.id in userDelta)) {
userDelta[usr.id] = grp.name;
users.push(usr);
}
});
});
// Create mapping from group names to top-level groups (contain the inherited groups)
const topGroups: {[groupName: string]: NonGuestGroup} = {};
groups.forEach(grp => {
// Note that this has a side effect of resetting the memberUsers arrays.
grp.memberUsers = [];
topGroups[grp.name] = grp;
});
// Add users to groups (this has a side-effect of updating the group memberUsers)
users.forEach(user => {
const groupName = userDelta[user.id]!;
// NOTE that the special names constant is ordered from least to most permissive.
// The destination must be a reserved inheritance group or null.
if (groupName && !this.defaultNonGuestGroupNames.includes(groupName)) {
throw new Error(`_updateUserPermissions userDelta contains invalid group`);
}
topGroups[groupName].memberUsers.push(user);
});
}
/**
* Run an operation in an existing transaction if available, otherwise create
* a new transaction for it.
*
* @param transaction: the manager of an existing transaction, or undefined.
* @param op: the operation to run in a transaction.
*/
private _runInTransaction(transaction: EntityManager|undefined,
op: (manager: EntityManager) => Promise<any>): Promise<any> {
if (transaction) { return op(transaction); }
return this._connection.transaction(op);
}
/**
* Returns a Promise for an array of User entites for the given userIds.
*/
private async _getUsers(userIds: number[], optManager?: EntityManager): Promise<User[]> {
if (userIds.length === 0) {
return [];
}
const manager = optManager || new EntityManager(this._connection);
const queryBuilder = manager.createQueryBuilder()
.select('users')
.from(User, 'users')
.where('users.id IN (:...userIds)', {userIds});
return await queryBuilder.getMany();
}
/**
* Aggregate the given columns as a json object. The keys should be simple
* alphanumeric strings, and the values should be the names of sql columns -
* this method is not set up to quote concrete values.
*/
private _aggJsonObject(content: {[key: string]: string}): string {
const args = [...Object.keys(content).map(key => [`'${key}'`, content[key]])];
if (this._dbType === 'postgres') {
return `json_agg(json_build_object(${args.join(',')}))`;
} else {
return `json_group_array(json_object(${args.join(',')}))`;
}
}
private _docs(manager?: EntityManager) {
return (manager || this._connection).createQueryBuilder()
.select('docs')
.from(Document, 'docs');
}
/**
* Construct a QueryBuilder for a select query on a specific doc given by urlId.
* Provides options for running in a transaction and adding permission info.
* See QueryOptions documentation above.
*
* In order to accept urlIds, the aliases, workspaces, and orgs tables are joined.
*/
private _doc(scope: DocScope, options: QueryOptions = {}): SelectQueryBuilder<Document> {
const {urlId, userId} = scope;
// Check if doc is being accessed with a merged org url. If so,
// we will only filter urlId matches, and will allow docId matches
// for team site documents. This is for backwards compatibility,
// to support https://docs.getgrist.com/api/docs/<docid> for team
// site documents.
const mergedOrg = this.isMergedOrg(scope.org || null);
let query = this._docs(options.manager)
.leftJoinAndSelect('docs.workspace', 'workspaces')
.leftJoinAndSelect('workspaces.org', 'orgs')
.leftJoinAndSelect('docs.aliases', 'aliases')
.where(new Brackets(cond => {
return cond
.where('docs.id = :urlId', {urlId})
.orWhere(new Brackets(urlIdCond => {
let urlIdQuery = urlIdCond
.where('aliases.url_id = :urlId', {urlId})
.andWhere('aliases.org_id = orgs.id');
if (mergedOrg) {
// Filter specifically for merged org documents.
urlIdQuery = urlIdQuery.andWhere('orgs.owner_id is not null');
}
return urlIdQuery;
}));
}));
// TODO includeSupport should really be false, and the support for it should be removed.
// (For this, example doc URLs should be under docs.getgrist.com rather than team domains.)
// Add access information and query limits
query = this._applyLimit(query, {...scope, includeSupport: true}, ['docs', 'workspaces', 'orgs'], 'open');
if (options.markPermissions) {
let effectiveUserId = userId;
let threshold = options.markPermissions;
if (options.allowSpecialPermit && scope.specialPermit && scope.specialPermit.docId) {
query = query.andWhere('docs.id = :docId', {docId: scope.specialPermit.docId});
effectiveUserId = this.getPreviewerUserId();
threshold = Permissions.VIEW;
}
// Compute whether we have access to the doc
query = query.addSelect(
this._markIsPermitted('docs', effectiveUserId, 'open', threshold),
'is_permitted'
);
}
return query;
}
private _workspaces(manager?: EntityManager) {
return (manager || this._connection).createQueryBuilder()
.select('workspaces')
.from(Workspace, 'workspaces');
}
/**
* Construct "ON" clause for joining docs. This clause takes care of filtering
* out any docs that are not to be listed due to soft deletion. This filtering
* is done in the "ON" clause rather than in a "WHERE" clause since we still
* want to list workspaces even if there are no docs within them. A "WHERE" clause
* would entirely remove information about a workspace with no docs. The "ON"
* clause, in combination with a "LEFT JOIN", preserves the workspace information
* and just sets doc information to NULL.
*/
private _onDoc(scope: Scope) {
const onDefault = 'docs.workspace_id = workspaces.id';
if (scope.showAll) {
return onDefault;
} else if (scope.showOnlyPinned) {
return `${onDefault} AND docs.is_pinned = TRUE AND (workspaces.removed_at IS NULL AND docs.removed_at IS NULL)`;
} else if (scope.showRemoved) {
return `${onDefault} AND (workspaces.removed_at IS NOT NULL OR docs.removed_at IS NOT NULL)`;
} else {
return `${onDefault} AND (workspaces.removed_at IS NULL AND docs.removed_at IS NULL)`;
}
}
/**
* Construct a QueryBuilder for a select query on a specific workspace given by
* wsId. Provides options for running in a transaction and adding permission info.
* See QueryOptions documentation above.
*/
private _workspace(scope: Scope, wsId: number, options: QueryOptions = {}): SelectQueryBuilder<Workspace> {
let query = this._workspaces(options.manager)
.where('workspaces.id = :wsId', {wsId});
if (options.markPermissions) {
let effectiveUserId = scope.userId;
let threshold = options.markPermissions;
if (options.allowSpecialPermit && scope.specialPermit &&
scope.specialPermit.workspaceId === wsId) {
effectiveUserId = this.getPreviewerUserId();
threshold = Permissions.VIEW;
}
// Compute whether we have access to the ws
query = query.addSelect(
this._markIsPermitted('workspaces', effectiveUserId, 'open', threshold),
'is_permitted'
);
}
return query;
}
private _orgs(manager?: EntityManager) {
return (manager || this._connection).createQueryBuilder()
.select('orgs')
.from(Organization, 'orgs');
}
// Adds a where clause to filter orgs by domain or id.
// If org is null, filter for user's personal org.
// if includeSupport is true, include the org of the support@ user (for the Samples workspace)
private _whereOrg<T extends WhereExpression>(qb: T, org: string|number, includeSupport = false): T {
if (this.isMergedOrg(org)) {
// Select from universe of personal orgs.
// Don't panic though! While this means that SQL can't use an organization id
// to narrow down queries, it will still be filtering via joins against the user and
// groups the user belongs to.
qb = qb.andWhere('orgs.owner_id is not null');
return qb;
}
// Always include the org of the support@ user, which contains the Samples workspace,
// which we always show. (For isMergedOrg case, it's already included.)
if (includeSupport) {
const supportId = this._specialUserIds[SUPPORT_EMAIL];
return qb.andWhere(new Brackets((q) =>
this._wherePlainOrg(q, org).orWhere('orgs.owner_id = :supportId', {supportId})));
} else {
return this._wherePlainOrg(qb, org);
}
}
private _wherePlainOrg<T extends WhereExpression>(qb: T, org: string|number): T {
if (typeof org === 'number') {
return qb.andWhere('orgs.id = :org', {org});
}
if (org.startsWith(`docs-${this._idPrefix}`)) {
// this is someone's personal org
const ownerId = org.split(`docs-${this._idPrefix}`)[1];
qb = qb.andWhere('orgs.owner_id = :ownerId', {ownerId});
} else if (org.startsWith(`o-${this._idPrefix}`)) {
// this is an org identified by org id
const orgId = org.split(`o-${this._idPrefix}`)[1];
qb = qb.andWhere('orgs.id = :orgId', {orgId});
} else {
// this is a regular domain
qb = qb.andWhere('orgs.domain = :org', {org});
}
return qb;
}
private _withAccess(qb: SelectQueryBuilder<any>, users: AvailableUsers,
table: 'orgs'|'workspaces'|'docs',
accessStyle: AccessStyle = 'open') {
return qb
.addSelect(this._markIsPermitted(table, users, accessStyle, null), `${table}_permissions`);
}
/**
* Filter for orgs for which the user is a member of a group (or which are shared
* with "everyone@"). For access to workspaces and docs, we rely on the fact that
* the user will be added to a guest group at the organization level.
*
* If AvailableUsers is a profile list, we do NOT include orgs accessible
* via "everyone@" (this affects the "api/session/access/all" endpoint).
*
* Otherwise, orgs shared with "everyone@" are candidates for inclusion.
* If an orgKey is supplied, it is the only org which will be considered
* for inclusion on the basis of sharing with "everyone@". TODO: consider
* whether this wrinkle is needed anymore, or can be safely removed.
*/
private _filterByOrgGroups(qb: SelectQueryBuilder<Organization>, users: AvailableUsers,
orgKey: string|number|null,
options?: {ignoreEveryoneShares?: boolean}) {
qb = qb
.leftJoin('orgs.aclRules', 'acl_rules')
.leftJoin('acl_rules.group', 'groups')
.leftJoin('groups.memberUsers', 'members');
if (isSingleUser(users)) {
// Add an exception for the previewer user, if present.
const previewerId = this._specialUserIds[PREVIEWER_EMAIL];
if (users === previewerId) { return qb; }
const everyoneId = this._specialUserIds[EVERYONE_EMAIL];
if (options?.ignoreEveryoneShares) {
return qb.where('members.id = :userId', {userId: users});
}
return qb.andWhere(new Brackets(cond => {
// Accept direct membership, or via a share with "everyone@".
return cond
.where('members.id = :userId', {userId: users})
.orWhere(new Brackets(everyoneCond => {
const everyoneQuery = everyoneCond.where('members.id = :everyoneId', {everyoneId});
return (orgKey !== null) ? this._whereOrg(everyoneQuery, orgKey) : everyoneQuery;
}));
}));
}
// The user hasn't been narrowed down to one choice, so join against logins and
// check normalized email.
const emails = new Set(users.map(profile => normalizeEmail(profile.email)));
// Empty list needs to be special-cased since "in ()" isn't supported in postgres.
if (emails.size === 0) { return qb.andWhere('1 = 0'); }
return qb
.leftJoin('members.logins', 'memberLogins')
.andWhere('memberLogins.email in (:...emails)', {emails: [...emails]});
}
private _single(result: QueryResult<any>) {
if (result.status === 200) {
// TODO: assert result is really singular.
result.data = result.data[0];
}
return result;
}
/**
* Helper for adjusting acl inheritance rules. Given an array of top-level groups from the
* resource of interest, and an array of inherited groups belonging to the parent resource,
* moves the inherited groups to the group with the destination name or lower, if their
* permission level is lower. If the destination group name is omitted, the groups are
* moved to their original inheritance locations. If the destination group name is null,
* the groups are all removed and there is no access inheritance to this resource.
* Returns the updated array of top-level groups. These returned groups should be saved
* to update the group inheritance in the database.
*
* For all passed-in groups, their .memberGroups will be reset. For
* the basic roles (owner | editor | viewer), these will get updated
* to include inheritedGroups, with roles reduced to dest when dest
* is given. All of the basic roles must be present among
* groups. Any non-basic roles present among inheritedGroups will be
* ignored.
*
* Does not modify inheritedGroups.
*/
private _moveInheritedGroups(
groups: NonGuestGroup[], inheritedGroups: Group[], dest?: roles.BasicRole|null
): void {
// Limit scope to those inheritedGroups that have basic roles (viewers, editors, owners).
inheritedGroups = inheritedGroups.filter(group => roles.isBasicRole(group.name));
// NOTE that the special names constant is ordered from least to most permissive.
const reverseDefaultNames = this.defaultBasicGroupNames.reverse();
// The destination must be a reserved inheritance group or null.
if (dest && !reverseDefaultNames.includes(dest)) {
throw new Error('moveInheritedGroups called with invalid destination name');
}
// Mapping from group names to top-level groups
const topGroups: {[groupName: string]: NonGuestGroup} = {};
groups.forEach(grp => {
// Note that this has a side effect of initializing the memberGroups arrays.
grp.memberGroups = [];
topGroups[grp.name] = grp;
});
// The destFunc maps from an inherited group to its required top-level group name.
const destFunc = (inherited: Group) =>
dest === null ? null : reverseDefaultNames.find(sp => sp === inherited.name || sp === dest);
// Place inherited groups (this has the side-effect of updating member groups)
inheritedGroups.forEach(grp => {
if (!roles.isBasicRole(grp.name)) {
// We filtered out such groups at the start of this method, but just in case...
throw new Error(`${grp.name} is not an inheritable group`);
}
const moveTo = destFunc(grp);
if (moveTo) {
topGroups[moveTo].memberGroups.push(grp);
}
});
}
/**
* Returns a name to group mapping for the standard groups. Useful when adding a new child
* entity. Finds and includes the correct parent groups as member groups.
*/
private _createGroups(inherit?: Organization|Workspace): {[name: string]: Group} {
const groupMap: {[name: string]: Group} = {};
this.defaultGroups.forEach(groupProps => {
if (!groupProps.orgOnly || !inherit) {
// Skip this group if it's an org only group and the resource inherits from a parent.
const group = new Group();
group.name = groupProps.name;
if (inherit) {
this._setInheritance(group, inherit);
}
groupMap[groupProps.name] = group;
}
});
return groupMap;
}
// Sets the given group to inherit the groups in the given parent resource.
private _setInheritance(group: Group, parent: Organization|Workspace) {
// Add the parent groups to the group
const groupProps = this.defaultGroups.find(special => special.name === group.name);
if (!groupProps) {
throw new Error(`Non-standard group passed to _addInheritance: ${group.name}`);
}
if (groupProps.nestParent) {
const parentGroups = (parent.aclRules as AclRule[]).map((_aclRule: AclRule) => _aclRule.group);
const inheritGroup = parentGroups.find((_parentGroup: Group) => _parentGroup.name === group.name);
if (!inheritGroup) {
throw new Error(`Special group ${group.name} not found in ${parent.name} for inheritance`);
}
group.memberGroups = [inheritGroup];
}
}
// Return a QueryResult reflecting the output of a query builder.
// If a rawQueryBuilder is supplied, it is used to make the query,
// but then the original queryBuilder is used to interpret the results
// as entities (make sure the two queries give results in the same format!)
// Checks on all "permissions" fields which select queries set on
// resources to indicate whether the user has access.
// If the output is empty, and `emptyAllowed` is not set, we signal that the desired
// resource does not exist (404).
// If the overall permissions do not allow viewing, we signal that the resource is forbidden.
// Access fields are added to all entities giving the group name corresponding
// with the access level of the user.
// Returns the resource fetched by the queryBuilder.
private async _verifyAclPermissions<T extends Resource>(
queryBuilder: SelectQueryBuilder<T>,
options: {
rawQueryBuilder?: SelectQueryBuilder<any>,
emptyAllowed?: boolean,
scope?: Scope,
} = {}
): Promise<QueryResult<any>> {
const results = await (options.rawQueryBuilder ?
getRawAndEntities(options.rawQueryBuilder, queryBuilder) :
queryBuilder.getRawAndEntities());
if (results.entities.length === 0 ||
(results.entities.length === 1 && results.entities[0].filteredOut)) {
if (options.emptyAllowed) { return {status: 200, data: []}; }
return {errMessage: `${getFrom(queryBuilder)} not found`, status: 404};
}
const resources = this._normalizeQueryResults(results.entities, {
scope: options.scope,
});
if (resources.length === 0 && !options.emptyAllowed) {
return {errMessage: "access denied", status: 403};
} else {
return {
status: 200,
data: resources
};
}
}
// Normalize query results in the following ways:
// * Convert `permissions` fields to summary `access` fields.
// * Set appropriate `domain` fields for personal organizations.
// * Include `billingAccount` field only for a billing account manager.
// * Replace `user.logins` objects with user.email and user.anonymous.
// * Collapse fields from nested `manager.user` objects into the surrounding
// `manager` objects.
//
// Find any nested entities with a "permissions" field, and add to them an
// "access" field (if the permission is a simple number) or an "accessOptions"
// field (if the permission is json). Entities in a list that the user doesn't
// have the right to access may be removed.
// * They are removed for workspaces in orgs.
// * They are not removed for docs in workspaces, if user has right to delete
// the workspace.
//
// When returning organizations, set the domain to docs-${userId} for personal orgs.
// We could also have simply stored that domain in the database, but have kept
// them out for now, for the flexibility to change how we want these kinds of orgs
// to be presented without having to do awkward migrations.
//
// The suppressDomain option ensures that any organization domains are given
// in ugly o-NNNN form.
private _normalizeQueryResults(value: any,
options: {
suppressDomain?: boolean,
scope?: Scope,
parentPermissions?: number,
} = {}): any {
// We only need to examine objects, excluding null.
if (typeof value !== 'object' || value === null) { return value; }
// For arrays, add access information and remove anything user should not see.
if (Array.isArray(value)) {
const items = value.map(v => this._normalizeQueryResults(v, options));
// If the items are not workspaces, and the user can delete their parent, then
// ignore the user's access level when deciding whether to filter them out or
// to keep them.
const ignoreAccess = options.parentPermissions &&
(options.parentPermissions & Permissions.REMOVE) && // tslint:disable-line:no-bitwise
items.length > 0 && !items[0].docs;
return items.filter(v => !this._isForbidden(v, Boolean(ignoreAccess), options.scope));
}
// For hashes, iterate through key/values, adding access info if 'permissions' field is found.
if (value.billingAccount) {
// This is an organization with billing account information available. Check limits.
const org = value as Organization;
const features = org.billingAccount.product.features;
if (!features.vanityDomain) {
// Vanity domain not allowed for this org.
options = {...options, suppressDomain: true};
}
}
const permissions = (typeof value.permissions === 'number') ? value.permissions : undefined;
const childOptions = { ...options, parentPermissions: permissions };
for (const key of Object.keys(value)) {
const subValue = value[key];
// When returning organizations, set the domain to docs-${userId} for personal orgs.
// We could also have simply stored that domain in the database. I'd prefer to keep
// them out for now, for the flexibility to change how we want these kinds of orgs
// to be presented without having to do awkward migrations.
if (key === 'domain') {
value[key] = this.normalizeOrgDomain(value.id, subValue, value.owner && value.owner.id,
false, options.suppressDomain);
continue;
}
if (key === 'billingAccount') {
if (value[key].managers) {
value[key].isManager = Boolean(value[key].managers.length);
delete value[key].managers;
}
continue;
}
if (key === 'logins') {
const logins = subValue;
delete value[key];
if (logins.length !== 1) {
throw new ApiError('Cannot find unique login for user', 500);
}
value.email = logins[0].displayEmail;
value.anonymous = (logins[0].userId === this.getAnonymousUserId());
continue;
}
if (key === 'managers') {
const managers = this._normalizeQueryResults(subValue, childOptions);
for (const manager of managers) {
if (manager.user) {
Object.assign(manager, manager.user);
delete manager.user;
}
}
value[key] = managers;
continue;
}
if (key === 'prefs' && Array.isArray(subValue)) {
delete value[key];
const prefs = this._normalizeQueryResults(subValue, childOptions);
for (const pref of prefs) {
if (pref.orgId && pref.userId) {
value.userOrgPrefs = pref.prefs;
} else if (pref.orgId) {
value.orgPrefs = pref.prefs;
} else if (pref.userId) {
value.userPrefs = pref.prefs;
}
}
continue;
}
if (key !== 'permissions') {
value[key] = this._normalizeQueryResults(subValue, childOptions);
continue;
}
if (typeof subValue === 'number' || !subValue) {
// Find the first special group for which the user has all permissions.
value.access = this._getRoleFromPermissions(subValue || 0);
if (subValue & Permissions.PUBLIC) { // tslint:disable-line:no-bitwise
value.public = true;
}
} else {
// Resource may be accessed by multiple users, encoded in JSON.
const accessOptions: AccessOption[] = readJson(this._dbType, subValue);
value.accessOptions = accessOptions.map(option => ({
access: this._getRoleFromPermissions(option.perms), ...option
}));
}
delete value.permissions; // permissions is not specified in the api, so we drop it.
}
return value;
}
// entity is forbidden if it contains an access field set to null, or an accessOptions field
// that is the empty list.
private _isForbidden(entity: any, ignoreAccess: boolean, scope?: Scope): boolean {
if (!entity) { return false; }
if (entity.filteredOut) { return true; }
// Specifically for workspaces (as determined by having a "docs" field):
// if showing trash, and the workspace looks empty, and the workspace is itself
// not marked as trash, then filter it out. This situation can arise when there is
// a trash doc in a workspace that the user does not have access to, and also a
// doc that the user does have access to.
if (entity.docs && scope?.showRemoved && entity.docs.length === 0 &&
!entity.removedAt) { return true; }
if (ignoreAccess) { return false; }
if (entity.access === null) { return true; }
if (!entity.accessOptions) { return false; }
return entity.accessOptions.length === 0;
}
// Returns the most permissive default role that does not have more permissions than the passed
// in argument.
private _getRoleFromPermissions(permissions: number): roles.Role|null {
permissions &= ~Permissions.PUBLIC; // tslint:disable-line:no-bitwise
const group = this.defaultBasicGroups.find(grp =>
(permissions & grp.permissions) === grp.permissions); // tslint:disable-line:no-bitwise
return group ? group.name : null;
}
// Returns the maxInheritedRole group name set on a resource.
// The resource's aclRules, groups, and memberGroups must be populated.
private _getMaxInheritedRole(res: Workspace|Document): roles.BasicRole|null {
const groups = (res.aclRules as AclRule[]).map((_aclRule: AclRule) => _aclRule.group);
let maxInheritedRole: roles.NonGuestRole|null = null;
for (const name of this.defaultBasicGroupNames) {
const group = groups.find(_grp => _grp.name === name);
if (!group) {
throw new Error(`Error in _getMaxInheritedRole: group ${name} not found in ${res.name}`);
}
if (group.memberGroups.length > 0) {
maxInheritedRole = name;
break;
}
}
return roles.getEffectiveRole(maxInheritedRole);
}
/**
* Return a query builder to check if we have access to the given resource.
* Tests the given permission-level access, defaulting to view permission.
* @param resType: type of resource (table name)
* @param userId: id of user accessing the resource
* @param permissions: permission to test for - if null, we return the permissions
*/
private _markIsPermitted(
resType: 'orgs'|'workspaces'|'docs',
users: AvailableUsers,
accessStyle: AccessStyle,
permissions: Permissions|null = Permissions.VIEW
): (qb: SelectQueryBuilder<any>) => SelectQueryBuilder<any> {
const idColumn = resType.slice(0, -1) + "_id";
return qb => {
const getBasicPermissions = (q: SelectQueryBuilder<any>) => {
if (permissions !== null) {
q = q.select('acl_rules.permissions');
} else {
const everyoneId = this._specialUserIds[EVERYONE_EMAIL];
const anonId = this._specialUserIds[ANONYMOUS_USER_EMAIL];
// Overall permissions are the bitwise-or of all individual
// permissions from ACL rules. We also include
// Permissions.PUBLIC if any of the ACL rules are for the
// public (shared with everyone@ or anon@). This could be
// optimized if we eliminate one of those users. The guN
// aliases are joining in _getUsersAcls, and refer to the
// group_users table at different levels of nesting.
// When listing, everyone@ shares do not contribute to access permissions,
// only to the public flag. So resources available to the user only because
// they are publically available will not be listed. Shares with anon@,
// on the other hand, *are* listed.
// At this point, we have user ids available for a group associated with the acl
// rule, or a subgroup of that group, of a subgroup of that group, or a subgroup
// of that group (this is enough nesting to support docs in workspaces in orgs,
// with one level of nesting held for future use).
const userIdCols = ['gu0.user_id', 'gu1.user_id', 'gu2.user_id', 'gu3.user_id'];
// If any of the user ids is public (everyone@, anon@), we set the PUBLIC flag.
// This is only advisory, for display in the client - it plays no role in access
// control.
const publicFlagSql = `case when ` +
hasAtLeastOneOfTheseIds(this._dbType, [everyoneId, anonId], userIdCols) +
` then ${Permissions.PUBLIC} else 0 end`;
// The contribution made by the acl rule to overall user permission is contained
// in acl_rules.permissions. BUT if we are listing resources, we discount the
// permission contribution if it is only made with everyone@, and not anon@
// or any of the ids associated with the user. The resource may end up being
// accessible but unlisted for this user.
const contributionSql = accessStyle !== 'list' ? 'acl_rules.permissions' :
`case when ` +
hasOnlyTheseIdsOrNull(this._dbType, [everyoneId], userIdCols) +
` then 0 else acl_rules.permissions end`;
// Finally, if all users are null, the resource is being viewed by the special
// previewer user.
const previewerSql = `case when coalesce(${userIdCols.join(',')}) is null` +
` then acl_rules.permissions else 0 end`;
q = q.select(
bitOr(this._dbType, `(${publicFlagSql} | ${contributionSql} | ${previewerSql})`, 8),
'permissions'
);
}
q = q.from('acl_rules', 'acl_rules');
q = this._getUsersAcls(q, users, accessStyle);
q = q.andWhere(`acl_rules.${idColumn} = ${resType}.id`);
if (permissions !== null) {
q = q.andWhere(`(acl_rules.permissions & ${permissions}) = ${permissions}`).limit(1);
} else if (!isSingleUser(users)) {
q = q.addSelect('profiles.id');
q = q.addSelect('profiles.display_email');
q = q.addSelect('profiles.name');
// anything we select without aggregating, we must also group by (postgres is fussy
// about this)
q = q.groupBy('profiles.id');
q = q.addGroupBy('profiles.display_email');
q = q.addGroupBy('profiles.name');
}
return q;
};
if (isSingleUser(users)) {
return getBasicPermissions(qb.subQuery());
} else {
return qb.subQuery()
.from(subQb => getBasicPermissions(subQb.subQuery()), 'options')
.select(this._aggJsonObject({id: 'options.id',
email: 'options.display_email',
perms: 'options.permissions',
name: 'options.name'}));
}
};
}
// Takes a query that includes acl_rules, and filters for just those acl_rules that apply
// to the user, either directly or via up to three layers of nested groups. Two layers are
// sufficient for our current ACL setup. A third is added as a low-cost preparation
// for implementing something like teams in the future. It has no measurable effect on
// speed.
private _getUsersAcls(qb: SelectQueryBuilder<any>, users: AvailableUsers,
accessStyle: AccessStyle) {
// Every acl_rule is associated with a single group. A user may
// be a direct member of that group, via the group_users table.
// Or they may be a member of a group that is a member of that
// group, via group_groups. Or they may be even more steps
// removed. We unroll to a fixed number of steps, and use joins
// rather than a recursive query, since we need this step to be as
// fast as possible.
qb = qb
// filter for the specified user being a direct or indirect member of the acl_rule's group
.where(new Brackets(cond => {
if (isSingleUser(users)) {
// Users is an integer, so ok to insert into sql. It we
// didn't, we'd need to use distinct parameter names, since
// we may include this code with different user ids in the
// same query
cond = cond.where(`gu0.user_id = ${users}`);
cond = cond.orWhere(`gu1.user_id = ${users}`);
cond = cond.orWhere(`gu2.user_id = ${users}`);
cond = cond.orWhere(`gu3.user_id = ${users}`);
// Support the special "everyone" user.
const everyoneId = this._specialUserIds[EVERYONE_EMAIL];
if (everyoneId === undefined) {
throw new Error("Special user id for EVERYONE_EMAIL not found");
}
cond = cond.orWhere(`gu0.user_id = ${everyoneId}`);
cond = cond.orWhere(`gu1.user_id = ${everyoneId}`);
cond = cond.orWhere(`gu2.user_id = ${everyoneId}`);
cond = cond.orWhere(`gu3.user_id = ${everyoneId}`);
if (accessStyle === 'list') {
// Support also the special anonymous user. Currently, by convention, sharing a
// resource with anonymous should make it listable.
const anonId = this._specialUserIds[ANONYMOUS_USER_EMAIL];
if (anonId === undefined) {
throw new Error("Special user id for ANONYMOUS_USER_EMAIL not found");
}
cond = cond.orWhere(`gu0.user_id = ${anonId}`);
cond = cond.orWhere(`gu1.user_id = ${anonId}`);
cond = cond.orWhere(`gu2.user_id = ${anonId}`);
cond = cond.orWhere(`gu3.user_id = ${anonId}`);
}
// Add an exception for the previewer user, if present.
const previewerId = this._specialUserIds[PREVIEWER_EMAIL];
if (users === previewerId) {
// All acl_rules granting view access are available to previewer user.
cond = cond.orWhere('acl_rules.permissions = :permission',
{permission: Permissions.VIEW});
}
} else {
cond = cond.where('gu0.user_id = profiles.id');
cond = cond.orWhere('gu1.user_id = profiles.id');
cond = cond.orWhere('gu2.user_id = profiles.id');
cond = cond.orWhere('gu3.user_id = profiles.id');
}
return cond;
}));
if (!isSingleUser(users)) {
// We need to join against a list of users.
const emails = new Set(users.map(profile => normalizeEmail(profile.email)));
if (emails.size > 0) {
// the 1 = 1 on clause seems the shortest portable way to do a cross join in postgres
// and sqlite via typeorm.
qb = qb.leftJoin('(select users.id, display_email, email, name from users inner join logins ' +
'on users.id = logins.user_id where logins.email in (:...emails))',
'profiles', '1 = 1');
qb = qb.setParameter('emails', [...emails]);
} else {
// Add a dummy user with id 0, for simplicity. This user will
// not match any group. The casts are needed for a postgres 9.5 issue
// where type inference fails (we use 9.5 on jenkins).
qb = qb.leftJoin(`(select 0 as id, cast('none' as text) as display_email, ` +
`cast('none' as text) as email, cast('none' as text) as name)`,
'profiles', '1 = 1');
}
}
// join the relevant groups and subgroups
return qb
.leftJoin('group_groups', 'gg1', 'gg1.group_id = acl_rules.group_id')
.leftJoin('group_groups', 'gg2', 'gg2.group_id = gg1.subgroup_id')
.leftJoin('group_groups', 'gg3', 'gg3.group_id = gg2.subgroup_id')
// join the users in the relevant groups and subgroups.
.leftJoin('group_users', 'gu3', 'gg3.subgroup_id = gu3.group_id')
.leftJoin('group_users', 'gu2', 'gg2.subgroup_id = gu2.group_id')
.leftJoin('group_users', 'gu1', 'gg1.subgroup_id = gu1.group_id')
.leftJoin('group_users', 'gu0', 'acl_rules.group_id = gu0.group_id');
}
// Apply limits to the query. Results should be limited to a specific org
// if request is from a branded webpage; results should be limited to a
// specific user or set of users.
private _applyLimit<T>(qb: SelectQueryBuilder<T>, limit: Scope,
resources: Array<'docs'|'workspaces'|'orgs'>,
accessStyle: AccessStyle): SelectQueryBuilder<T> {
if (limit.org) {
// Filtering on merged org is a special case, see urlIdQuery
const mergedOrg = this.isMergedOrg(limit.org || null);
if (!mergedOrg) {
qb = this._whereOrg(qb, limit.org, limit.includeSupport || false);
}
}
if (limit.users || limit.userId) {
for (const res of resources) {
qb = this._withAccess(qb, limit.users || limit.userId, res, accessStyle);
}
}
if (resources.includes('docs') && resources.includes('workspaces') && !limit.showAll) {
// Add Workspace.filteredOut column that is set for workspaces that should be filtered out.
// We don't use a WHERE clause directly since this would leave us unable to distinguish
// an empty result from insufficient access; and there's no straightforward way to do
// what we want in an ON clause.
// Filter out workspaces only if there are no docs in them (The "ON" clause from
// _onDocs will have taken care of including the right docs). If there are docs,
// then include the workspace regardless of whether it itself has been soft-deleted
// or not.
// TODO: if getOrgWorkspaces and getWorkspace were restructured to make two queries
// rather than a single query, this trickiness could be eliminated.
if (limit.showRemoved) {
qb = qb.addSelect('docs.id IS NULL AND workspaces.removed_at IS NULL',
'workspaces_filtered_out');
} else {
qb = qb.addSelect('docs.id IS NULL AND workspaces.removed_at IS NOT NULL',
'workspaces_filtered_out');
}
}
return qb;
}
// Filter out all personal orgs, and add back in a single merged org.
private _mergePersonalOrgs(userId: number, orgs: Organization[]): Organization[] {
const regularOrgs = orgs.filter(org => org.owner === null);
const personalOrg = orgs.find(org => org.owner && org.owner.id === userId);
if (!personalOrg) { return regularOrgs; }
personalOrg.id = 0;
personalOrg.domain = this.mergedOrgDomain();
return [personalOrg].concat(regularOrgs);
}
// Check if shares are about to exceed a limit, and emit a meaningful
// ApiError if so.
// If checkChange is set, issue an error only if a new share is being
// made.
private _restrictShares(role: roles.NonGuestRole|null, limit: number,
before: User[], after: User[], checkChange: boolean, kind: string,
features: Features) {
const existingUserIds = new Set(before.map(user => user.id));
// Do not emit error if users are not added, even if the number is past the limit.
if (after.length > limit &&
(!checkChange || after.some(user => !existingUserIds.has(user.id)))) {
const more = limit > 0 ? ' more' : '';
throw new ApiError(
checkChange ? `No${more} external ${kind} ${role || 'shares'} permitted` :
`Too many external ${kind} ${role || 'shares'}`,
403, {
limit: {
quantity: 'collaborators',
subquantity: role || undefined,
maximum: limit,
value: before.length,
projectedValue: after.length
},
tips: canAddOrgMembers(features) ? [{
action: 'add-members',
message: 'add users as team members to the site first'
}] : [{
action: 'upgrade',
message: 'pay for more team members'
}]
});
}
}
// Check if document shares exceed any of the share limits, and emit a meaningful
// ApiError if so. If both membersBefore and membersAfter are specified, fail
// only if a new share is being added, but otherwise don't complain even if limits
// are exceeded. If only membersBefore is specified, fail strictly if limits are
// exceeded.
private _restrictAllDocShares(features: Features,
nonOrgMembersBefore: Map<roles.NonGuestRole, User[]>,
nonOrgMembersAfter: Map<roles.NonGuestRole, User[]>,
checkChange: boolean = true) {
// Apply a limit to document shares that is not specific to a particular role.
if (features.maxSharesPerDoc !== undefined) {
this._restrictShares(null, features.maxSharesPerDoc, removeRole(nonOrgMembersBefore),
removeRole(nonOrgMembersAfter), checkChange, 'document', features);
}
if (features.maxSharesPerDocPerRole) {
for (const role of this.defaultBasicGroupNames) {
const limit = features.maxSharesPerDocPerRole[role];
if (limit === undefined) { continue; }
// Apply a per-role limit to document shares.
this._restrictShares(role, limit, nonOrgMembersBefore.get(role) || [],
nonOrgMembersAfter.get(role) || [], checkChange, 'document', features);
}
}
}
// Throw an error if there's no room for adding another document.
private async _checkRoomForAnotherDoc(workspace: Workspace, manager: EntityManager) {
const features = workspace.org.billingAccount.product.features;
if (features.maxDocsPerOrg !== undefined) {
// we need to count how many docs are in the current org, and if we
// are already at or above the limit, then fail.
const wss = this.unwrapQueryResult(await this.getOrgWorkspaces({userId: this.getPreviewerUserId()},
workspace.org.id,
{manager}));
const count = wss.map(ws => ws.docs.length).reduce((a, b) => a + b, 0);
if (count >= features.maxDocsPerOrg) {
throw new ApiError('No more documents permitted', 403, {
limit: {
quantity: 'docs',
maximum: features.maxDocsPerOrg,
value: count,
projectedValue: count + 1
}
});
}
}
}
// For the moment only the support user can add both everyone@ and anon@ to a
// resource, since that allows spam. TODO: enhance or remove.
private _checkUserChangeAllowed(userId: number, groups: Group[]) {
if (userId === this.getSupportUserId()) { return; }
const ids = new Set(flatten(groups.map(g => g.memberUsers)).map(u => u.id));
if (ids.has(this.getEveryoneUserId()) && ids.has(this.getAnonymousUserId())) {
throw new Error('this user cannot share with everyone and anonymous');
}
}
// Fetch a Document with all access information loaded. Make sure the user has the
// specified permissions on the doc. The Document's organization will have product
// feature information loaded also.
private async _loadDocAccess(scope: DocScope, markPermissions: Permissions,
transaction?: EntityManager): Promise<Document> {
return await this._runInTransaction(transaction, async manager => {
const docQuery = this._doc(scope, {manager, markPermissions})
// Join the doc's ACL rules and groups/users so we can edit them.
.leftJoinAndSelect('docs.aclRules', 'acl_rules')
.leftJoinAndSelect('acl_rules.group', 'doc_groups')
.leftJoinAndSelect('doc_groups.memberUsers', 'doc_group_users')
.leftJoinAndSelect('doc_groups.memberGroups', 'doc_group_groups')
.leftJoinAndSelect('doc_group_users.logins', 'doc_user_logins')
// Join the workspace so we know what should be inherited. We will join
// the workspace member groups/users as a separate query, since
// SQL results are flattened, and multiplying the number of rows we have already
// by the number of workspace users could get excessive.
.leftJoinAndSelect('docs.workspace', 'workspace');
const queryResult = await verifyIsPermitted(docQuery);
const doc: Document = this.unwrapQueryResult(queryResult);
// Load the workspace's member groups/users.
const workspaceQuery = this._workspace(scope, doc.workspace.id, {manager})
.leftJoinAndSelect('workspaces.aclRules', 'workspace_acl_rules')
.leftJoinAndSelect('workspace_acl_rules.group', 'workspace_groups')
.leftJoinAndSelect('workspace_groups.memberUsers', 'workspace_group_users')
.leftJoinAndSelect('workspace_groups.memberGroups', 'workspace_group_groups')
.leftJoinAndSelect('workspace_group_users.logins', 'workspace_user_logins')
// We'll need the org as well. We will join its members as a separate query, since
// SQL results are flattened, and multiplying the number of rows we have already
// by the number of org users could get excessive.
.leftJoinAndSelect('workspaces.org', 'org');
doc.workspace = (await workspaceQuery.getOne())!;
// Load the org's member groups/users.
let orgQuery = this.org(scope, doc.workspace.org.id, {manager})
.leftJoinAndSelect('orgs.aclRules', 'org_acl_rules')
.leftJoinAndSelect('org_acl_rules.group', 'org_groups')
.leftJoinAndSelect('org_groups.memberUsers', 'org_group_users')
.leftJoinAndSelect('org_group_users.logins', 'org_user_logins');
orgQuery = this._addFeatures(orgQuery);
doc.workspace.org = (await orgQuery.getOne())!;
return doc;
});
}
// Emit an event indicating that the count of users with access to the org has changed, with
// the customerId and the updated number of users.
// The org argument must include the billingAccount.
private _userChangeNotification(
userId: number,
org: Organization, // Must include billingAccount
countBefore: number,
countAfter: number,
membersBefore: Map<roles.NonGuestRole, User[]>,
membersAfter: Map<roles.NonGuestRole, User[]>
) {
return () => {
const customerId = org.billingAccount.stripeCustomerId;
const change: UserChange = {userId, org, customerId,
countBefore, countAfter,
membersBefore, membersAfter};
this.emit('userChange', change);
};
}
// Create a notification function that emits an event when users may have been added to a resource.
private _inviteNotification(userId: number, resource: Organization|Workspace|Document,
userIdDelta: UserIdDelta, membersBefore: Map<roles.NonGuestRole, User[]>): () => void {
return () => this.emit('addUser', userId, resource, userIdDelta, membersBefore);
}
// Given two arrays of groups, returns a map of users present in the first array but
// not the second, where the map is broken down by user role.
// This method is used for checking limits on shares.
// Excluded users are removed from the results.
private _getUserDifference(groupsA: Group[], groupsB: Group[]): Map<roles.NonGuestRole, User[]> {
const subtractSet: Set<number> =
new Set(flatten(groupsB.map(grp => grp.memberUsers)).map(usr => usr.id));
const result = new Map<roles.NonGuestRole, User[]>();
for (const group of groupsA) {
const name = group.name;
if (!roles.isNonGuestRole(name)) { continue; }
result.set(name, group.memberUsers.filter(user => !subtractSet.has(user.id)));
}
return this._withoutExcludedUsers(result);
}
private _withoutExcludedUsers(members: Map<roles.NonGuestRole, User[]>): Map<roles.NonGuestRole, User[]> {
const excludedUsers = this.getExcludedUserIds();
for (const [role, users] of members.entries()) {
members.set(role, users.filter((user) => !excludedUsers.includes(user.id)));
}
return members;
}
private _billingManagerNotification(userId: number, addUserId: number, orgs: Organization[]) {
return () => {
this.emit('addBillingManager', userId, addUserId, orgs);
};
}
private _teamCreatorNotification(userId: number) {
return () => {
this.emit('teamCreator', userId);
};
}
/**
* Check for anonymous user, either encoded directly as an id, or as a singular
* profile (this case arises during processing of the session/access/all endpoint
* whether we are checking for available orgs without committing yet to a particular
* choice of user).
*/
private _isAnonymousUser(users: AvailableUsers): boolean {
return isSingleUser(users) ? users === this.getAnonymousUserId() :
users.length === 1 && normalizeEmail(users[0].email) === ANONYMOUS_USER_EMAIL;
}
// Set Workspace.removedAt to null (undeletion) or to a datetime (soft deletion)
private _setWorkspaceRemovedAt(scope: Scope, wsId: number, removedAt: Date|null) {
return this._connection.transaction(async manager => {
const wsQuery = this._workspace({...scope, showAll: true}, wsId, {
manager,
markPermissions: Permissions.REMOVE
});
const workspace: Workspace = this.unwrapQueryResult(await verifyIsPermitted(wsQuery));
await manager.createQueryBuilder()
.update(Workspace).set({removedAt}).where({id: workspace.id})
.execute();
});
}
// Set Document.removedAt to null (undeletion) or to a datetime (soft deletion)
private _setDocumentRemovedAt(scope: DocScope, removedAt: Date|null) {
return this._connection.transaction(async manager => {
let docQuery = this._doc({...scope, showAll: true}, {
manager,
markPermissions: Permissions.SCHEMA_EDIT | Permissions.REMOVE,
allowSpecialPermit: true
});
if (!removedAt) {
docQuery = this._addFeatures(docQuery); // pull in billing information for doc count limits
}
const doc: Document = this.unwrapQueryResult(await verifyIsPermitted(docQuery));
if (!removedAt) {
await this._checkRoomForAnotherDoc(doc.workspace, manager);
}
await manager.createQueryBuilder()
.update(Document).set({removedAt}).where({id: doc.id})
.execute();
});
}
private _filterAccessData(
scope: Scope,
users: UserAccessData[],
maxInheritedRole: roles.BasicRole|null,
docId?: string
): {personal: true, public: boolean}|undefined {
if (scope.userId === this.getPreviewerUserId()) { return; }
// If we have special access to the resource, don't filter user information.
if (scope.specialPermit?.docId === docId && docId) { return; }
const thisUser = this.getAnonymousUserId() === scope.userId
? null
: users.find(user => user.id === scope.userId);
const realAccess = thisUser ? getRealAccess(thisUser, { maxInheritedRole, users }) : null;
// If we are an owner, don't filter user information.
if (thisUser && realAccess === 'owners') { return; }
// Limit user information returned to being about the current user.
users.length = 0;
if (thisUser) { users.push(thisUser); }
return { personal: true, public: !realAccess };
}
}
// Return a QueryResult reflecting the output of a query builder.
// Checks on the "is_permitted" field which select queries set on resources to
// indicate whether the user has access.
// If the output is empty, we signal that the desired resource does not exist.
// If the "is_permitted" field is falsy, we signal that the resource is forbidden.
// Returns the resource fetched by the queryBuilder.
async function verifyIsPermitted(
queryBuilder: SelectQueryBuilder<any>
): Promise<QueryResult<any>> {
const results = await queryBuilder.getRawAndEntities();
if (results.entities.length === 0) {
return {
status: 404,
errMessage: `${getFrom(queryBuilder)} not found`
};
} else if (results.entities.length > 1) {
return {
status: 400,
errMessage: `ambiguous ${getFrom(queryBuilder)} request`
};
} else if (!results.raw[0].is_permitted) {
return {
status: 403,
errMessage: "access denied"
};
}
return {
status: 200,
data: results.entities[0]
};
}
// Returns all first-level memberUsers in the resources. Requires all resources' aclRules, groups
// and memberUsers to be populated.
// If optRoles is provided, only checks membership in resource groups with the given roles.
function getResourceUsers(res: Resource|Resource[], optRoles?: string[]): User[] {
res = Array.isArray(res) ? res : [res];
const users: {[uid: string]: User} = {};
let resAcls: AclRule[] = flatten(res.map(_res => _res.aclRules as AclRule[]));
if (optRoles) {
resAcls = resAcls.filter(_acl => optRoles.includes(_acl.group.name));
}
resAcls.forEach((aclRule: AclRule) => {
aclRule.group.memberUsers.forEach((u: User) => users[u.id] = u);
});
const userList = Object.keys(users).map(uid => users[uid]);
userList.sort((a, b) => a.id - b.id);
return userList;
}
// Returns a map of userIds to the user's strongest default role on the given resource.
// The resource's aclRules, groups, and memberUsers must be populated.
function getMemberUserRoles<T extends roles.Role>(res: Resource, allowRoles: T[]): {[userId: string]: T} {
// Add the users to a map to ensure uniqueness. (A user may be present in
// more than one group)
const userMap: {[userId: string]: T} = {};
(res.aclRules as AclRule[]).forEach((aclRule: AclRule) => {
const role = aclRule.group.name as T;
if (allowRoles.includes(role)) {
// Map the users to remove sensitive information from the result and
// to add the group names.
aclRule.group.memberUsers.forEach((u: User) => {
// If the user is already present in another group, use the more
// powerful role name.
userMap[u.id] = userMap[u.id] ? roles.getStrongestRole(userMap[u.id], role) : role;
});
}
});
return userMap;
}
// Extract a human-readable name for the type of entity being selected.
function getFrom(queryBuilder: SelectQueryBuilder<any>): string {
const alias = queryBuilder.expressionMap.mainAlias;
return (alias && alias.metadata && alias.metadata.name.toLowerCase()) || 'resource';
}
// Flatten a map of users per role into a simple list of users.
export function removeRole(usersWithRoles: Map<roles.NonGuestRole, User[]>) {
return flatten([...usersWithRoles.values()]);
}
function getNonGuestGroups(entity: Organization|Workspace|Document): NonGuestGroup[] {
return (entity.aclRules as AclRule[]).map(aclRule => aclRule.group).filter(isNonGuestGroup);
}
// Returns a map of users indexed by their roles. Optionally excludes users whose ids are in
// excludeUsers.
function getUsersWithRole(groups: NonGuestGroup[], excludeUsers?: number[]): Map<roles.NonGuestRole, User[]> {
const members = new Map<roles.NonGuestRole, User[]>();
for (const group of groups) {
let users = group.memberUsers;
if (excludeUsers) {
users = users.filter((user) => !excludeUsers.includes(user.id));
}
members.set(group.name, users);
}
return members;
}
export async function makeDocAuthResult(docPromise: Promise<Document>): Promise<DocAuthResult> {
try {
const doc = await docPromise;
const removed = Boolean(doc.removedAt || doc.workspace.removedAt);
return {docId: doc.id, access: doc.access, removed, cachedDoc: doc};
} catch (error) {
return {docId: null, access: null, removed: null, error};
}
}
/**
* Extracts DocAuthKey information from scope. This includes everything needed to
* identify the document to access. Throws if information is not present.
*/
export function getDocAuthKeyFromScope(scope: Scope): DocAuthKey {
const {urlId, userId, org} = scope;
if (!urlId) { throw new Error('document required'); }
return {urlId, userId, org};
}