feat(ee): public sharing controls (#1910)

* feat(ee): public sharing controls * lint
2026-05-07 06:23:06 +08:00 · 2026-02-06 10:35:36 -08:00
parent 2f97a3debc
commit 1ad53c2581
25 changed files with 525 additions and 38 deletions
@@ -92,9 +92,9 @@
    "pdfjs-dist": "^5.4.394",
    "pg-tsquery": "^8.4.2",
    "pgvector": "^0.2.1",
-    "postgres": "^3.4.8",
    "pino-http": "^11.0.0",
    "pino-pretty": "^13.1.3",
+    "postgres": "^3.4.8",
    "postmark": "^4.0.5",
    "react": "^18.3.1",
    "reflect-metadata": "^0.2.2",
@@ -64,8 +64,18 @@ export class ShareController {
      throw new BadRequestException();
    }

+    const shareData = await this.shareService.getSharedPage(dto, workspace.id);
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      shareData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Shared page not found');
+    }
+
    return {
-      ...(await this.shareService.getSharedPage(dto, workspace.id)),
+      ...shareData,
      hasLicenseKey: hasLicenseOrEE({
        licenseKey: workspace.licenseKey,
        isCloud: this.environmentService.isCloud(),
@@ -86,6 +96,14 @@ export class ShareController {
      throw new NotFoundException('Share not found');
    }

+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      share.workspaceId,
+      share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
    return share;
  }

@@ -127,6 +145,14 @@ export class ShareController {
      throw new ForbiddenException();
    }

+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      page.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new ForbiddenException('Public sharing is disabled');
+    }
+
    return this.shareService.createShare({
      page,
      authUserId: user.id,
@@ -176,8 +202,21 @@ export class ShareController {
    @Body() dto: ShareIdDto,
    @AuthWorkspace() workspace: Workspace,
  ) {
+    const treeData = await this.shareService.getShareTree(
+      dto.shareId,
+      workspace.id,
+    );
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      treeData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
    return {
-      ...(await this.shareService.getShareTree(dto.shareId, workspace.id)),
+      ...treeData,
      hasLicenseKey: hasLicenseOrEE({
        licenseKey: workspace.licenseKey,
        isCloud: this.environmentService.isCloud(),
@@ -264,6 +264,31 @@ export class ShareService {
    return ancestor;
  }

+  async isSharingAllowed(
+    workspaceId: string,
+    spaceId: string,
+  ): Promise<boolean> {
+    const result = await this.db
+      .selectFrom('workspaces')
+      .innerJoin('spaces', 'spaces.workspaceId', 'workspaces.id')
+      .select([
+        'workspaces.settings as workspaceSettings',
+        'spaces.settings as spaceSettings',
+      ])
+      .where('workspaces.id', '=', workspaceId)
+      .where('spaces.id', '=', spaceId)
+      .executeTakeFirst();
+
+    if (!result) return false;
+
+    const workspaceDisabled =
+      (result.workspaceSettings as any)?.sharing?.disabled === true;
+    const spaceDisabled =
+      (result.spaceSettings as any)?.sharing?.disabled === true;
+
+    return !workspaceDisabled && !spaceDisabled;
+  }
+
  async updatePublicAttachments(page: Page): Promise<any> {
    const prosemirrorJson = getProsemirrorContent(page.content);
    const attachmentIds = getAttachmentIds(prosemirrorJson);
@@ -1,10 +1,14 @@
 import { PartialType } from '@nestjs/mapped-types';
 import { CreateSpaceDto } from './create-space.dto';
-import { IsNotEmpty, IsString, IsUUID } from 'class-validator';
+import { IsBoolean, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';

 export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
  @IsString()
  @IsNotEmpty()
  @IsUUID()
  spaceId: string;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }
@@ -1,5 +1,6 @@
 import {
  BadRequestException,
+  ForbiddenException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
@@ -17,12 +18,18 @@ import { QueueJob, QueueName } from 'src/integrations/queue/constants';
 import { Queue } from 'bullmq';
 import { InjectQueue } from '@nestjs/bullmq';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';
+import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';

@Injectable()
 export class SpaceService {
  constructor(
    private spaceRepo: SpaceRepo,
    private spaceMemberService: SpaceMemberService,
+    private shareRepo: ShareRepo,
+    private workspaceRepo: WorkspaceRepo,
+    private licenseCheckService: LicenseCheckService,
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
  ) {}
@@ -105,6 +112,31 @@ export class SpaceService {
      }
    }

+    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+      const workspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(workspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.spaceRepo.updateSharingSettings(
+        updateSpaceDto.spaceId,
+        workspaceId,
+        'disabled',
+        updateSpaceDto.disablePublicSharing,
+      );
+
+      if (updateSpaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteBySpaceId(updateSpaceDto.spaceId);
+      }
+    }
+
    return await this.spaceRepo.updateSpace(
      {
        name: updateSpaceDto.name,
@@ -30,4 +30,8 @@ export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
  @IsOptional()
  @IsBoolean()
  generativeAi: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }
@@ -5,6 +5,7 @@ import {
  Logger,
  NotFoundException,
 } from '@nestjs/common';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
 import { CreateWorkspaceDto } from '../dto/create-workspace.dto';
 import { UpdateWorkspaceDto } from '../dto/update-workspace.dto';
 import { SpaceService } from '../../space/services/space.service';
@@ -33,6 +34,7 @@ import { Queue } from 'bullmq';
 import { generateRandomSuffixNumbers } from '../../../common/helpers';
 import { isPageEmbeddingsTableExists } from '@docmost/db/helpers/helpers';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';

@Injectable()
 export class WorkspaceService {
@@ -47,6 +49,8 @@ export class WorkspaceService {
    private userRepo: UserRepo,
    private environmentService: EnvironmentService,
    private domainService: DomainService,
+    private licenseCheckService: LicenseCheckService,
+    private shareRepo: ShareRepo,
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
@@ -358,6 +362,32 @@ export class WorkspaceService {
      delete updateWorkspaceDto.generativeAi;
    }

+    if (typeof updateWorkspaceDto.disablePublicSharing !== 'undefined') {
+      const currentWorkspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(currentWorkspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.workspaceRepo.updateSharingSettings(
+        workspaceId,
+        'disabled',
+        updateWorkspaceDto.disablePublicSharing,
+      );
+
+      if (updateWorkspaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteByWorkspaceId(workspaceId);
+      }
+
+      delete updateWorkspaceDto.disablePublicSharing;
+    }
+
    await this.workspaceRepo.updateWorkspace(updateWorkspaceDto, workspaceId);

    const workspace = await this.workspaceRepo.findById(workspaceId, {
@@ -0,0 +1,9 @@
+import { Kysely } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema.alterTable('spaces').addColumn('settings', 'jsonb').execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.alterTable('spaces').dropColumn('settings').execute();
+}
@@ -136,6 +136,20 @@ export class ShareRepo {
    await query.execute();
  }

+  async deleteBySpaceId(spaceId: string): Promise<void> {
+    await this.db
+      .deleteFrom('shares')
+      .where('spaceId', '=', spaceId)
+      .execute();
+  }
+
+  async deleteByWorkspaceId(workspaceId: string): Promise<void> {
+    await this.db
+      .deleteFrom('shares')
+      .where('workspaceId', '=', workspaceId)
+      .execute();
+  }
+
  async getShares(userId: string, pagination: PaginationOptions) {
    const query = this.db
      .selectFrom('shares')
@@ -89,6 +89,26 @@ export class SpaceRepo {
      .executeTakeFirst();
  }

+  async updateSharingSettings(
+    spaceId: string,
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+  ) {
+    return this.db
+      .updateTable('spaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+          || jsonb_build_object('sharing', COALESCE(settings->'sharing', '{}'::jsonb)
+          || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', spaceId)
+      .where('workspaceId', '=', workspaceId)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
  async insertSpace(
    insertableSpace: InsertableSpace,
    trx?: KyselyTransaction,
@@ -167,7 +167,7 @@ export class WorkspaceRepo {
      .updateTable('workspaces')
      .set({
        settings: sql`COALESCE(settings, '{}'::jsonb)
-                || jsonb_build_object('api', COALESCE(settings->'api', '{}'::jsonb) 
+                || jsonb_build_object('api', COALESCE(settings->'api', '{}'::jsonb)
                || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
        updatedAt: new Date(),
      })
@@ -185,7 +185,25 @@ export class WorkspaceRepo {
      .updateTable('workspaces')
      .set({
        settings: sql`COALESCE(settings, '{}'::jsonb)
-                || jsonb_build_object('ai', COALESCE(settings->'ai', '{}'::jsonb) 
+                || jsonb_build_object('ai', COALESCE(settings->'ai', '{}'::jsonb)
+                || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', workspaceId)
+      .returning(this.baseFields)
+      .executeTakeFirst();
+  }
+
+  async updateSharingSettings(
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+  ) {
+    return this.db
+      .updateTable('workspaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+                || jsonb_build_object('sharing', COALESCE(settings->'sharing', '{}'::jsonb)
                || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
        updatedAt: new Date(),
      })
@@ -273,6 +273,7 @@ export interface Spaces {
  id: Generated<string>;
  logo: string | null;
  name: string | null;
+  settings: Json | null;
  slug: string;
  updatedAt: Generated<Timestamp>;
  visibility: Generated<string>;
@@ -4,6 +4,7 @@ import { ConfigModule } from '@nestjs/config';
 import { validate } from './environment.validation';
 import { envPath } from '../../common/helpers';
 import { DomainService } from './domain.service';
+import { LicenseCheckService } from './license-check.service';

@Global()
@Module({
@@ -15,7 +16,7 @@ import { DomainService } from './domain.service';
      validate,
    }),
  ],
-  providers: [EnvironmentService, DomainService],
-  exports: [EnvironmentService, DomainService],
+  providers: [EnvironmentService, DomainService, LicenseCheckService],
+  exports: [EnvironmentService, DomainService, LicenseCheckService],
 })
 export class EnvironmentModule {}
@@ -0,0 +1,28 @@
+import { Injectable } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { EnvironmentService } from './environment.service';
+
+@Injectable()
+export class LicenseCheckService {
+  constructor(
+    private moduleRef: ModuleRef,
+    private environmentService: EnvironmentService,
+  ) {}
+
+  isValidEELicense(licenseKey: string): boolean {
+    if (this.environmentService.isCloud()) {
+      return true;
+    }
+
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      const LicenseModule = require('../../ee/licence/license.service');
+      const licenseService = this.moduleRef.get(LicenseModule.LicenseService, {
+        strict: false,
+      });
+      return licenseService.isValidEELicense(licenseKey);
+    } catch {
+      return false;
+    }
+  }
+}