WIP 4

2026-05-19 07:54:05 +08:00 · 2025-12-29 22:13:58 +00:00
parent c2e722ee5c
commit 0c3901abf5
15 changed files with 612 additions and 228 deletions
@@ -0,0 +1,71 @@
+import { ForbiddenException, Injectable } from '@nestjs/common';
+import { Page, User } from '@docmost/db/types/entity.types';
+import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
+import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
+import {
+  SpaceCaslAction,
+  SpaceCaslSubject,
+} from '../casl/interfaces/space-ability.type';
+
+@Injectable()
+export class PageAccessService {
+  constructor(
+    private readonly pagePermissionRepo: PagePermissionRepo,
+    private readonly spaceAbility: SpaceAbilityFactory,
+  ) {}
+
+  /**
+   * Validate user can view page, throws ForbiddenException if not.
+   * If page has restrictions: page-level permission determines access.
+   * If no restrictions: space-level permission determines access.
+   */
+  async validateCanView(page: Page, user: User): Promise<void> {
+    // TODO: cache by pageId and userId.
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
+
+    // User must be at least a space member
+    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
+      throw new ForbiddenException();
+    }
+
+    const { hasRestriction, canAccess } =
+      await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
+
+    if (hasRestriction) {
+      // Page has restrictions - use page-level permission
+      if (!canAccess) {
+        throw new ForbiddenException();
+      }
+    }
+    // No restriction - space membership (checked above) is sufficient for view
+  }
+
+  /**
+   * Validate user can edit page, throws ForbiddenException if not.
+   * If page has restrictions: page-level writer permission determines access.
+   * If no restrictions: space-level edit permission determines access.
+   */
+  async validateCanEdit(page: Page, user: User): Promise<void> {
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
+
+    // User must be at least a space member
+    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
+      throw new ForbiddenException();
+    }
+
+    const { hasRestriction, canEdit } =
+      await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
+
+    if (hasRestriction) {
+      // Page has restrictions - use page-level permission
+      if (!canEdit) {
+        throw new ForbiddenException();
+      }
+    } else {
+      // No restrictions - use space-level permission
+      if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
+        throw new ForbiddenException();
+      }
+    }
+  }
+}