feat(ee): viewer comments (#2060)

2026-06-11 02:36:56 +08:00 · 2026-03-28 19:32:52 +00:00
parent 17da762984
commit 3829b6cbef
29 changed files with 608 additions and 42 deletions
@@ -58,13 +58,13 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    const comment = await this.commentService.create(
      {
-        userId: user.id,
        page,
        workspaceId: workspace.id,
+        user,
      },
      createCommentDto,
    );
@@ -120,7 +120,7 @@ export class CommentController {

  @HttpCode(HttpStatus.OK)
  @Post('update')
-  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User) {
+  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
    const comment = await this.commentRepo.findById(dto.commentId, {
      includeCreator: true,
      includeResolvedBy: true,
@@ -134,14 +134,14 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    return this.commentService.update(comment, dto, user);
  }

  @HttpCode(HttpStatus.OK)
  @Post('delete')
-  async delete(@Body() input: CommentIdDto, @AuthUser() user: User) {
+  async delete(@Body() input: CommentIdDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
    const comment = await this.commentRepo.findById(input.commentId);
    if (!comment) {
      throw new NotFoundException('Comment not found');
@@ -152,8 +152,7 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    // Check page-level edit permission first
-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    // Check if user is the comment owner
    const isOwner = comment.creatorId === user.id;
@@ -169,7 +168,7 @@ export class CommentController {
      // Space admin can delete any comment
      if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Settings)) {
        throw new ForbiddenException(
-          'You can only delete your own comments or must be a space admin',
+          'You can only delete your own comments',
        );
      }
      await this.commentRepo.deleteComment(comment.id);
@@ -1,8 +1,10 @@
 import { Module } from '@nestjs/common';
 import { CommentService } from './comment.service';
 import { CommentController } from './comment.controller';
+import { CollaborationModule } from '../../collaboration/collaboration.module';

@Module({
+  imports: [CollaborationModule],
  controllers: [CommentController],
  providers: [CommentService],
  exports: [CommentService],
@@ -7,7 +7,8 @@ import {
 } from '@nestjs/common';
 import { InjectQueue } from '@nestjs/bullmq';
 import { Queue } from 'bullmq';
-import { CreateCommentDto } from './dto/create-comment.dto';
+import { CreateCommentDto, yjsSelectionSchema } from './dto/create-comment.dto';
+import { CollaborationGateway } from '../../collaboration/collaboration.gateway';
 import { UpdateCommentDto } from './dto/update-comment.dto';
 import { CommentRepo } from '@docmost/db/repos/comment/comment.repo';
 import { Comment, Page, User } from '@docmost/db/types/entity.types';
@@ -27,6 +28,7 @@ export class CommentService {
    private commentRepo: CommentRepo,
    private pageRepo: PageRepo,
    private wsService: WsService,
+    private collaborationGateway: CollaborationGateway,
    @InjectQueue(QueueName.GENERAL_QUEUE)
    private generalQueue: Queue,
    @InjectQueue(QueueName.NOTIFICATION_QUEUE)
@@ -45,10 +47,10 @@ export class CommentService {
  }

  async create(
-    opts: { userId: string; page: Page; workspaceId: string },
+    opts: { page: Page; workspaceId: string; user: User },
    createCommentDto: CreateCommentDto,
  ) {
-    const { userId, page, workspaceId } = opts;
+    const { page, workspaceId, user } = opts;
    const commentContent = JSON.parse(createCommentDto.content);

    if (createCommentDto.parentCommentId) {
@@ -71,11 +73,39 @@ export class CommentService {
      selection: createCommentDto?.selection?.substring(0, 250) ?? null,
      type: createCommentDto.type ?? 'page',
      parentCommentId: createCommentDto?.parentCommentId,
-      creatorId: userId,
+      creatorId: user.id,
      workspaceId: workspaceId,
      spaceId: page.spaceId,
    });

+    if (createCommentDto.yjsSelection) {
+      const parsed = yjsSelectionSchema.safeParse(createCommentDto.yjsSelection);
+      if (!parsed.success) {
+        this.logger.warn(
+          `Invalid yjsSelection for comment ${inserted.id}: ${parsed.error.message}`,
+        );
+      } else {
+        const documentName = `page.${page.id}`;
+        try {
+          await this.collaborationGateway.handleYjsEvent(
+            'setCommentMark',
+            documentName,
+            {
+              yjsSelection: parsed.data,
+              commentId: inserted.id,
+              resolved: false,
+              user,
+            },
+          );
+        } catch (error) {
+          this.logger.warn(
+            `Failed to apply comment mark for comment ${inserted.id}, comment saved without inline highlight`,
+            error,
+          );
+        }
+      }
+    }
+
    const comment = await this.commentRepo.findById(inserted.id, {
      includeCreator: true,
      includeResolvedBy: true,
@@ -83,7 +113,7 @@ export class CommentService {

    this.generalQueue
      .add(QueueJob.ADD_PAGE_WATCHERS, {
-        userIds: [userId],
+        userIds: [user.id],
        pageId: page.id,
        spaceId: page.spaceId,
        workspaceId,
@@ -101,7 +131,7 @@ export class CommentService {
      page.id,
      page.spaceId,
      workspaceId,
-      userId,
+      user.id,
      !isReply,
      createCommentDto.parentCommentId,
    );
@@ -1,4 +1,22 @@
-import { IsIn, IsJSON, IsOptional, IsString, IsUUID } from 'class-validator';
+import { IsIn, IsJSON, IsObject, IsOptional, IsString, IsUUID } from 'class-validator';
+import { z } from 'zod';
+
+const yjsIdSchema = z.object({
+  client: z.number().int().nonnegative(),
+  clock: z.number().int().nonnegative(),
+});
+
+const yjsRelativePositionSchema = z.object({
+  type: yjsIdSchema,
+  tname: z.string().nullable(),
+  item: yjsIdSchema.nullable(),
+  assoc: z.number().int(),
+});
+
+export const yjsSelectionSchema = z.object({
+  anchor: yjsRelativePositionSchema,
+  head: yjsRelativePositionSchema,
+});

 export class CreateCommentDto {
  @IsString()
@@ -18,4 +36,11 @@ export class CreateCommentDto {
  @IsOptional()
  @IsUUID()
  parentCommentId: string;
+
+  @IsOptional()
+  @IsObject()
+  yjsSelection?: {
+    anchor: any;
+    head: any;
+  };
 }
@@ -6,12 +6,14 @@ import {
  SpaceCaslAction,
  SpaceCaslSubject,
 } from '../../casl/interfaces/space-ability.type';
+import { SpaceRepo } from '@docmost/db/repos/space/space.repo';

@Injectable()
 export class PageAccessService {
  constructor(
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly spaceAbility: SpaceAbilityFactory,
+    private readonly spaceRepo: SpaceRepo,
  ) {}

  /**
@@ -99,4 +101,25 @@ export class PageAccessService {

    return { hasRestriction: hasAnyRestriction };
  }
+
+  async validateCanComment(
+    page: Page,
+    user: User,
+    workspaceId: string,
+  ): Promise<void> {
+    try {
+      await this.validateCanEdit(page, user);
+      return;
+    } catch {
+      // User cannot edit — check if reader commenting is enabled
+    }
+
+    await this.validateCanView(page, user);
+
+    const space = await this.spaceRepo.findById(page.spaceId, workspaceId);
+    const settings = space?.settings as Record<string, any> | null;
+    if (!settings?.comments?.allowViewerComments) {
+      throw new ForbiddenException();
+    }
+  }
 }
@@ -11,4 +11,8 @@ export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
  @IsOptional()
  @IsBoolean()
  disablePublicSharing: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  allowViewerComments: boolean;
 }
@@ -13,6 +13,7 @@ import { Space, User } from '@docmost/db/types/entity.types';
 import { UpdateSpaceDto } from '../dto/update-space.dto';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { SpaceMemberService } from './space-member.service';
 import { SpaceRole } from '../../../common/helpers/types/permission';
 import { QueueJob, QueueName } from 'src/integrations/queue/constants';
@@ -133,17 +134,34 @@ export class SpaceService {
      }
    }

-    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+    if (
+      typeof updateSpaceDto.disablePublicSharing !== 'undefined' ||
+      typeof updateSpaceDto.allowViewerComments !== 'undefined'
+    ) {
      const workspace = await this.workspaceRepo.findById(workspaceId, {
        withLicenseKey: true,
      });

      if (
-        !this.licenseCheckService.hasFeature(workspace.licenseKey, 'security:settings', workspace.plan)
+        typeof updateSpaceDto.disablePublicSharing !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.SECURITY_SETTINGS,
+          workspace.plan,
+        )
      ) {
-        throw new ForbiddenException(
-          'This feature requires a valid license',
-        );
+        throw new ForbiddenException('This feature requires a valid license');
+      }
+
+      if (
+        typeof updateSpaceDto.allowViewerComments !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.VIEWER_COMMENTS,
+          workspace.plan,
+        )
+      ) {
+        throw new ForbiddenException('This feature requires a valid license');
      }
    }

@@ -179,6 +197,22 @@ export class SpaceService {
        }
      }

+      if (typeof updateSpaceDto.allowViewerComments !== 'undefined') {
+        const prev = settingsBefore?.comments?.allowViewerComments ?? false;
+        if (prev !== updateSpaceDto.allowViewerComments) {
+          before.allowViewerComments = prev;
+          after.allowViewerComments = updateSpaceDto.allowViewerComments;
+        }
+
+        await this.spaceRepo.updateCommentSettings(
+          updateSpaceDto.spaceId,
+          workspaceId,
+          'allowViewerComments',
+          updateSpaceDto.allowViewerComments,
+          trx,
+        );
+      }
+
      updatedSpace = await this.spaceRepo.updateSpace(
        {
          name: updateSpaceDto.name,
@@ -18,6 +18,7 @@ import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { User } from '@docmost/db/types/entity.types';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
@@ -352,7 +353,7 @@ export class WorkspaceService {
        typeof updateWorkspaceDto.trashRetentionDays !== 'undefined' ||
        typeof updateWorkspaceDto.restrictApiToAdmins !== 'undefined'
      ) {
-        if (!this.licenseCheckService.hasFeature(ws.licenseKey, 'security:settings', ws.plan)) {
+        if (!this.licenseCheckService.hasFeature(ws.licenseKey, Feature.SECURITY_SETTINGS, ws.plan)) {
          throw new ForbiddenException(
            'This feature requires a valid license',
          );