feat(ee): page-level access/permissions (#1971)

* Add page_hierarchy table * feat(ee): page-level permissions * pagination * rename migration fixes * fix * tabs * fix theme * cleanup * sync * page permissions notification * other fixes * sharing disbled * fix column nodes * toggle error handling
2026-05-17 06:44:05 +08:00 · 2026-02-26 19:49:10 +00:00
parent 22f33bab7c
commit 59e945562d
75 changed files with 4235 additions and 363 deletions
@@ -175,4 +175,14 @@ export class GroupUserRepo {
      .where('groupId', '=', groupId)
      .execute();
  }
+
+  async getUserGroupIds(userId: string): Promise<string[]> {
+    const results = await this.db
+      .selectFrom('groupUsers')
+      .select('groupId')
+      .where('userId', '=', userId)
+      .execute();
+
+    return results.map((r) => r.groupId);
+  }
 }
@@ -175,11 +175,13 @@ export class PageRepo {
          .selectFrom('pages')
          .select(['id'])
          .where('id', '=', pageId)
+          .where('deletedAt', 'is', null)
          .unionAll((exp) =>
            exp
              .selectFrom('pages as p')
              .select(['p.id'])
-              .innerJoin('page_descendants as pd', 'pd.id', 'p.parentPageId'),
+              .innerJoin('page_descendants as pd', 'pd.id', 'p.parentPageId')
+              .where('p.deletedAt', 'is', null),
          ),
      )
      .selectFrom('page_descendants')
@@ -197,6 +199,7 @@ export class PageRepo {
            deletedAt: currentDate,
          })
          .where('id', 'in', pageIds)
+          .where('deletedAt', 'is', null)
          .execute();

        await trx.deleteFrom('shares').where('pageId', 'in', pageIds).execute();
@@ -472,4 +475,75 @@ export class PageRepo {
      .selectAll()
      .execute();
  }
+
+  /**
+   * Get page and all descendants, excluding restricted pages and their subtrees.
+   * More efficient than getPageAndDescendants + filtering because:
+   * 1. Single DB query (no separate restricted IDs query)
+   * 2. Stops traversing at restricted pages (doesn't fetch data to discard)
+   * 3. No in-memory filtering needed
+   */
+  async getPageAndDescendantsExcludingRestricted(
+    parentPageId: string,
+    opts: { includeContent: boolean },
+  ) {
+    return (
+      this.db
+        .withRecursive('page_hierarchy', (db) =>
+          db
+            .selectFrom('pages')
+            .leftJoin('pageAccess', 'pageAccess.pageId', 'pages.id')
+            .select([
+              'pages.id',
+              'pages.slugId',
+              'pages.title',
+              'pages.icon',
+              'pages.position',
+              'pages.parentPageId',
+              'pages.spaceId',
+              'pages.workspaceId',
+              sql<boolean>`page_access.id IS NOT NULL`.as('isRestricted'),
+            ])
+            .$if(opts?.includeContent, (qb) => qb.select('pages.content'))
+            .where('pages.id', '=', parentPageId)
+            .where('pages.deletedAt', 'is', null)
+            .unionAll((exp) =>
+              exp
+                .selectFrom('pages as p')
+                .innerJoin('page_hierarchy as ph', 'p.parentPageId', 'ph.id')
+                .leftJoin('pageAccess', 'pageAccess.pageId', 'p.id')
+                .select([
+                  'p.id',
+                  'p.slugId',
+                  'p.title',
+                  'p.icon',
+                  'p.position',
+                  'p.parentPageId',
+                  'p.spaceId',
+                  'p.workspaceId',
+                  sql<boolean>`page_access.id IS NOT NULL`.as('isRestricted'),
+                ])
+                .$if(opts?.includeContent, (qb) => qb.select('p.content'))
+                .where('p.deletedAt', 'is', null)
+                // Only recurse into children of non-restricted pages
+                .where('ph.isRestricted', '=', false),
+            ),
+        )
+        .selectFrom('page_hierarchy')
+        .select([
+          'id',
+          'slugId',
+          'title',
+          'icon',
+          'position',
+          'parentPageId',
+          'spaceId',
+          'workspaceId',
+        ])
+        .$if(opts?.includeContent, (qb) => qb.select('content'))
+        // Filter out restricted pages from the result
+        .where('isRestricted', '=', false)
+        .execute()
+    );
+  }
 }
@@ -0,0 +1,23 @@
+type PagePermissionUserMember = {
+  id: string;
+  name: string;
+  email: string;
+  avatarUrl: string | null;
+  type: 'user';
+  role: string;
+  createdAt: Date;
+};
+
+type PagePermissionGroupMember = {
+  id: string;
+  name: string;
+  memberCount: number;
+  isDefault: boolean;
+  type: 'group';
+  role: string;
+  createdAt: Date;
+};
+
+export type PagePermissionMember =
+  | PagePermissionUserMember
+  | PagePermissionGroupMember;