feat(ee): viewers comment settings

2026-05-14 20:54:07 +08:00 · 2026-03-27 21:43:12 +00:00
parent a3559b7c33
commit dc75fddd9c
27 changed files with 606 additions and 40 deletions
@@ -5,6 +5,7 @@ import {
  prosemirrorNodeToYElement,
  tiptapExtensions,
 } from './collaboration.util';
+import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
 import * as Y from 'yjs';
 import { User } from '@docmost/db/types/entity.types';

@@ -27,6 +28,53 @@ export class CollaborationHandler {
        //   const fragment = doc.getXmlFragment('default');
        //});
      },
+      setCommentMark: async (
+        documentName: string,
+        payload: {
+          yjsSelection: YjsSelection;
+          commentId: string;
+          resolved: boolean;
+          user: User;
+        },
+      ) => {
+        const { yjsSelection, commentId, resolved, user } = payload;
+        await this.withYdocConnection(
+          hocuspocus,
+          documentName,
+          { user },
+          (doc) => {
+            const fragment = doc.getXmlFragment('default');
+            setYjsMark(doc, fragment, yjsSelection, 'comment', {
+              commentId,
+              resolved,
+            });
+          },
+        );
+      },
+      resolveCommentMark: async (
+        documentName: string,
+        payload: {
+          commentId: string;
+          resolved: boolean;
+          user: User;
+        },
+      ) => {
+        const { commentId, resolved, user } = payload;
+        await this.withYdocConnection(
+          hocuspocus,
+          documentName,
+          { user },
+          (doc) => {
+            const fragment = doc.getXmlFragment('default');
+            updateYjsMarkAttribute(
+              fragment,
+              'comment',
+              { name: 'commentId', value: commentId },
+              { resolved },
+            );
+          },
+        );
+      },
      updatePageContent: async (
        documentName: string,
        payload: {
@@ -58,8 +106,7 @@ export class CollaborationHandler {
            } else {
              const newContent = prosemirrorJson.content || [];
              const yElements = newContent.map(prosemirrorNodeToYElement);
-              const position =
-                operation === 'prepend' ? 0 : fragment.length;
+              const position = operation === 'prepend' ? 0 : fragment.length;
              fragment.insert(position, yElements);
            }
          },
@@ -1,7 +1,7 @@
 import {
  initProseMirrorDoc,
  relativePositionToAbsolutePosition,
-} from 'y-prosemirror';
+} from '@tiptap/y-tiptap';
 import * as Y from 'yjs';
 import { Document } from '@hocuspocus/server';
 import { getSchema } from '@tiptap/core';
@@ -0,0 +1,22 @@
+export const Feature = {
+  SSO_CUSTOM: 'sso:custom',
+  SSO_GOOGLE: 'sso:google',
+  MFA: 'mfa',
+  API_KEYS: 'api:keys',
+  COMMENT_RESOLUTION: 'comment:resolution',
+  PAGE_PERMISSIONS: 'page:permissions',
+  AI: 'ai',
+  CONFLUENCE_IMPORT: 'import:confluence',
+  DOCX_IMPORT: 'import:docx',
+  ATTACHMENT_INDEXING: 'attachment:indexing',
+  SECURITY_SETTINGS: 'security:settings',
+  MCP: 'mcp',
+  SCIM: 'scim',
+  PAGE_VERIFICATION: 'page:verification',
+  AUDIT_LOGS: 'audit:logs',
+  RETENTION: 'retention',
+  SHARING_CONTROLS: 'sharing:controls',
+  VIEWER_COMMENTS: 'comment:viewer',
+} as const;
+
+export type FeatureKey = (typeof Feature)[keyof typeof Feature];
@@ -58,13 +58,13 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    const comment = await this.commentService.create(
      {
-        userId: user.id,
        page,
        workspaceId: workspace.id,
+        user,
      },
      createCommentDto,
    );
@@ -120,7 +120,7 @@ export class CommentController {

  @HttpCode(HttpStatus.OK)
  @Post('update')
-  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User) {
+  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
    const comment = await this.commentRepo.findById(dto.commentId, {
      includeCreator: true,
      includeResolvedBy: true,
@@ -134,14 +134,14 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    return this.commentService.update(comment, dto, user);
  }

  @HttpCode(HttpStatus.OK)
  @Post('delete')
-  async delete(@Body() input: CommentIdDto, @AuthUser() user: User) {
+  async delete(@Body() input: CommentIdDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
    const comment = await this.commentRepo.findById(input.commentId);
    if (!comment) {
      throw new NotFoundException('Comment not found');
@@ -152,8 +152,7 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }

-    // Check page-level edit permission first
-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);

    // Check if user is the comment owner
    const isOwner = comment.creatorId === user.id;
@@ -169,7 +168,7 @@ export class CommentController {
      // Space admin can delete any comment
      if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Settings)) {
        throw new ForbiddenException(
-          'You can only delete your own comments or must be a space admin',
+          'You can only delete your own comments',
        );
      }
      await this.commentRepo.deleteComment(comment.id);
@@ -1,8 +1,10 @@
 import { Module } from '@nestjs/common';
 import { CommentService } from './comment.service';
 import { CommentController } from './comment.controller';
+import { CollaborationModule } from '../../collaboration/collaboration.module';

@Module({
+  imports: [CollaborationModule],
  controllers: [CommentController],
  providers: [CommentService],
  exports: [CommentService],
@@ -7,7 +7,8 @@ import {
 } from '@nestjs/common';
 import { InjectQueue } from '@nestjs/bullmq';
 import { Queue } from 'bullmq';
-import { CreateCommentDto } from './dto/create-comment.dto';
+import { CreateCommentDto, yjsSelectionSchema } from './dto/create-comment.dto';
+import { CollaborationGateway } from '../../collaboration/collaboration.gateway';
 import { UpdateCommentDto } from './dto/update-comment.dto';
 import { CommentRepo } from '@docmost/db/repos/comment/comment.repo';
 import { Comment, Page, User } from '@docmost/db/types/entity.types';
@@ -27,6 +28,7 @@ export class CommentService {
    private commentRepo: CommentRepo,
    private pageRepo: PageRepo,
    private wsService: WsService,
+    private collaborationGateway: CollaborationGateway,
    @InjectQueue(QueueName.GENERAL_QUEUE)
    private generalQueue: Queue,
    @InjectQueue(QueueName.NOTIFICATION_QUEUE)
@@ -45,10 +47,10 @@ export class CommentService {
  }

  async create(
-    opts: { userId: string; page: Page; workspaceId: string },
+    opts: { page: Page; workspaceId: string; user: User },
    createCommentDto: CreateCommentDto,
  ) {
-    const { userId, page, workspaceId } = opts;
+    const { page, workspaceId, user } = opts;
    const commentContent = JSON.parse(createCommentDto.content);

    if (createCommentDto.parentCommentId) {
@@ -71,11 +73,39 @@ export class CommentService {
      selection: createCommentDto?.selection?.substring(0, 250) ?? null,
      type: createCommentDto.type ?? 'page',
      parentCommentId: createCommentDto?.parentCommentId,
-      creatorId: userId,
+      creatorId: user.id,
      workspaceId: workspaceId,
      spaceId: page.spaceId,
    });

+    if (createCommentDto.yjsSelection) {
+      const parsed = yjsSelectionSchema.safeParse(createCommentDto.yjsSelection);
+      if (!parsed.success) {
+        this.logger.warn(
+          `Invalid yjsSelection for comment ${inserted.id}: ${parsed.error.message}`,
+        );
+      } else {
+        const documentName = `page.${page.id}`;
+        try {
+          await this.collaborationGateway.handleYjsEvent(
+            'setCommentMark',
+            documentName,
+            {
+              yjsSelection: parsed.data,
+              commentId: inserted.id,
+              resolved: false,
+              user,
+            },
+          );
+        } catch (error) {
+          this.logger.warn(
+            `Failed to apply comment mark for comment ${inserted.id}, comment saved without inline highlight`,
+            error,
+          );
+        }
+      }
+    }
+
    const comment = await this.commentRepo.findById(inserted.id, {
      includeCreator: true,
      includeResolvedBy: true,
@@ -83,7 +113,7 @@ export class CommentService {

    this.generalQueue
      .add(QueueJob.ADD_PAGE_WATCHERS, {
-        userIds: [userId],
+        userIds: [user.id],
        pageId: page.id,
        spaceId: page.spaceId,
        workspaceId,
@@ -101,7 +131,7 @@ export class CommentService {
      page.id,
      page.spaceId,
      workspaceId,
-      userId,
+      user.id,
      !isReply,
      createCommentDto.parentCommentId,
    );
@@ -1,4 +1,22 @@
-import { IsIn, IsJSON, IsOptional, IsString, IsUUID } from 'class-validator';
+import { IsIn, IsJSON, IsObject, IsOptional, IsString, IsUUID } from 'class-validator';
+import { z } from 'zod';
+
+const yjsIdSchema = z.object({
+  client: z.number().int().nonnegative(),
+  clock: z.number().int().nonnegative(),
+});
+
+const yjsRelativePositionSchema = z.object({
+  type: yjsIdSchema,
+  tname: z.string().nullable(),
+  item: yjsIdSchema.nullable(),
+  assoc: z.number().int(),
+});
+
+export const yjsSelectionSchema = z.object({
+  anchor: yjsRelativePositionSchema,
+  head: yjsRelativePositionSchema,
+});

 export class CreateCommentDto {
  @IsString()
@@ -18,4 +36,11 @@ export class CreateCommentDto {
  @IsOptional()
  @IsUUID()
  parentCommentId: string;
+
+  @IsOptional()
+  @IsObject()
+  yjsSelection?: {
+    anchor: any;
+    head: any;
+  };
 }
@@ -6,12 +6,14 @@ import {
  SpaceCaslAction,
  SpaceCaslSubject,
 } from '../../casl/interfaces/space-ability.type';
+import { SpaceRepo } from '@docmost/db/repos/space/space.repo';

@Injectable()
 export class PageAccessService {
  constructor(
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly spaceAbility: SpaceAbilityFactory,
+    private readonly spaceRepo: SpaceRepo,
  ) {}

  /**
@@ -99,4 +101,25 @@ export class PageAccessService {

    return { hasRestriction: hasAnyRestriction };
  }
+
+  async validateCanComment(
+    page: Page,
+    user: User,
+    workspaceId: string,
+  ): Promise<void> {
+    try {
+      await this.validateCanEdit(page, user);
+      return;
+    } catch {
+      // User cannot edit — check if reader commenting is enabled
+    }
+
+    await this.validateCanView(page, user);
+
+    const space = await this.spaceRepo.findById(page.spaceId, workspaceId);
+    const settings = space?.settings as Record<string, any> | null;
+    if (!settings?.comments?.allowViewerComments) {
+      throw new ForbiddenException();
+    }
+  }
 }
@@ -11,4 +11,8 @@ export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
  @IsOptional()
  @IsBoolean()
  disablePublicSharing: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  allowViewerComments: boolean;
 }
@@ -13,6 +13,7 @@ import { Space, User } from '@docmost/db/types/entity.types';
 import { UpdateSpaceDto } from '../dto/update-space.dto';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { SpaceMemberService } from './space-member.service';
 import { SpaceRole } from '../../../common/helpers/types/permission';
 import { QueueJob, QueueName } from 'src/integrations/queue/constants';
@@ -133,17 +134,34 @@ export class SpaceService {
      }
    }

-    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+    if (
+      typeof updateSpaceDto.disablePublicSharing !== 'undefined' ||
+      typeof updateSpaceDto.allowViewerComments !== 'undefined'
+    ) {
      const workspace = await this.workspaceRepo.findById(workspaceId, {
        withLicenseKey: true,
      });

      if (
-        !this.licenseCheckService.hasFeature(workspace.licenseKey, 'security:settings', workspace.plan)
+        typeof updateSpaceDto.disablePublicSharing !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.SECURITY_SETTINGS,
+          workspace.plan,
+        )
      ) {
-        throw new ForbiddenException(
-          'This feature requires a valid license',
-        );
+        throw new ForbiddenException('This feature requires a valid license');
+      }
+
+      if (
+        typeof updateSpaceDto.allowViewerComments !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.VIEWER_COMMENTS,
+          workspace.plan,
+        )
+      ) {
+        throw new ForbiddenException('This feature requires a valid license');
      }
    }

@@ -179,6 +197,22 @@ export class SpaceService {
        }
      }

+      if (typeof updateSpaceDto.allowViewerComments !== 'undefined') {
+        const prev = settingsBefore?.comments?.allowViewerComments ?? false;
+        if (prev !== updateSpaceDto.allowViewerComments) {
+          before.allowViewerComments = prev;
+          after.allowViewerComments = updateSpaceDto.allowViewerComments;
+        }
+
+        await this.spaceRepo.updateCommentSettings(
+          updateSpaceDto.spaceId,
+          workspaceId,
+          'allowViewerComments',
+          updateSpaceDto.allowViewerComments,
+          trx,
+        );
+      }
+
      updatedSpace = await this.spaceRepo.updateSpace(
        {
          name: updateSpaceDto.name,
@@ -18,6 +18,7 @@ import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { User } from '@docmost/db/types/entity.types';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
@@ -352,7 +353,7 @@ export class WorkspaceService {
        typeof updateWorkspaceDto.trashRetentionDays !== 'undefined' ||
        typeof updateWorkspaceDto.restrictApiToAdmins !== 'undefined'
      ) {
-        if (!this.licenseCheckService.hasFeature(ws.licenseKey, 'security:settings', ws.plan)) {
+        if (!this.licenseCheckService.hasFeature(ws.licenseKey, Feature.SECURITY_SETTINGS, ws.plan)) {
          throw new ForbiddenException(
            'This feature requires a valid license',
          );
@@ -111,6 +111,28 @@ export class SpaceRepo {
      .executeTakeFirst();
  }

+  async updateCommentSettings(
+    spaceId: string,
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .updateTable('spaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+          || jsonb_build_object('comments', COALESCE(settings->'comments', '{}'::jsonb)
+          || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', spaceId)
+      .where('workspaceId', '=', workspaceId)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
  async insertSpace(
    insertableSpace: InsertableSpace,
    trx?: KyselyTransaction,