Merge branch 'main' into perm-x

2026-06-11 02:36:56 +08:00 · 2026-02-09 19:13:52 -08:00
parent 0225764c2c 7861b5b186
commit f6e250958a
111 changed files with 4539 additions and 2292 deletions
@@ -17,13 +17,13 @@ import {
  UseInterceptors,
 } from '@nestjs/common';
 import { AttachmentService } from './services/attachment.service';
-import { FastifyReply } from 'fastify';
+import { FastifyReply, FastifyRequest } from 'fastify';
 import { FileInterceptor } from '../../common/interceptors/file.interceptor';
 import * as bytes from 'bytes';
 import { AuthUser } from '../../common/decorators/auth-user.decorator';
 import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
-import { User, Workspace } from '@docmost/db/types/entity.types';
+import { Attachment, User, Workspace } from '@docmost/db/types/entity.types';
 import { StorageService } from '../../integrations/storage/storage.service';
 import {
  getAttachmentFolderPath,
@@ -147,6 +147,7 @@ export class AttachmentController {
  @UseGuards(JwtAuthGuard)
  @Get('/files/:fileId/:fileName')
  async getFile(
+    @Req() req: FastifyRequest,
    @Res() res: FastifyReply,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
@@ -175,22 +176,7 @@ export class AttachmentController {
    await this.pageAccessService.validateCanView(page, user);

    try {
-      const fileStream = await this.storageService.readStream(
-        attachment.filePath,
-      );
-      res.headers({
-        'Content-Type': attachment.mimeType,
-        'Cache-Control': 'private, max-age=3600',
-      });
-
-      if (!inlineFileExtensions.includes(attachment.fileExt)) {
-        res.header(
-          'Content-Disposition',
-          `attachment; filename="${encodeURIComponent(attachment.fileName)}"`,
-        );
-      }
-
-      return res.send(fileStream);
+      return await this.sendFileResponse(req, res, attachment, 'private');
    } catch (err) {
      this.logger.error(err);
      throw new NotFoundException('File not found');
@@ -199,6 +185,7 @@ export class AttachmentController {

  @Get('/files/public/:fileId/:fileName')
  async getPublicFile(
+    @Req() req: FastifyRequest,
    @Res() res: FastifyReply,
    @AuthWorkspace() workspace: Workspace,
    @Param('fileId') fileId: string,
@@ -237,22 +224,7 @@ export class AttachmentController {
    }

    try {
-      const fileStream = await this.storageService.readStream(
-        attachment.filePath,
-      );
-      res.headers({
-        'Content-Type': attachment.mimeType,
-        'Cache-Control': 'public, max-age=3600',
-      });
-
-      if (!inlineFileExtensions.includes(attachment.fileExt)) {
-        res.header(
-          'Content-Disposition',
-          `attachment; filename="${encodeURIComponent(attachment.fileName)}"`,
-        );
-      }
-
-      return res.send(fileStream);
+      return await this.sendFileResponse(req, res, attachment, 'public');
    } catch (err) {
      this.logger.error(err);
      throw new NotFoundException('File not found');
@@ -427,4 +399,70 @@ export class AttachmentController {
      return;
    }
  }
+
+  private async sendFileResponse(
+    req: FastifyRequest,
+    res: FastifyReply,
+    attachment: Attachment,
+    cacheScope: 'private' | 'public',
+  ) {
+    const fileSize = Number(attachment.fileSize);
+    const rangeHeader = req.headers.range;
+
+    res.header('Accept-Ranges', 'bytes');
+
+    if (!inlineFileExtensions.includes(attachment.fileExt)) {
+      res.header(
+        'Content-Disposition',
+        `attachment; filename="${encodeURIComponent(attachment.fileName)}"`,
+      );
+    }
+
+    if (rangeHeader && fileSize) {
+      const match = rangeHeader.match(/bytes=(\d+)-(\d*)/);
+      if (match) {
+        const start = parseInt(match[1], 10);
+        const end = match[2]
+          ? Math.min(parseInt(match[2], 10), fileSize - 1)
+          : fileSize - 1;
+
+        if (start >= fileSize || start > end) {
+          res.status(416);
+          res.header('Content-Range', `bytes */${fileSize}`);
+          return res.send();
+        }
+
+        const fileStream = await this.storageService.readRangeStream(
+          attachment.filePath,
+          { start, end },
+        );
+
+        res.status(206);
+        res.headers({
+          'Content-Type': attachment.mimeType,
+          'Content-Range': `bytes ${start}-${end}/${fileSize}`,
+          'Content-Length': end - start + 1,
+          'Cache-Control': `${cacheScope}, max-age=3600`,
+        });
+
+        return res.send(fileStream);
+      }
+    }
+
+    const fileStream = await this.storageService.readStream(
+      attachment.filePath,
+    );
+
+    res.headers({
+      'Content-Type': attachment.mimeType,
+      'Cache-Control': `${cacheScope}, max-age=3600`,
+    });
+
+    const isSvg = attachment.fileExt === '.svg';
+    if (fileSize && !isSvg) {
+      res.header('Content-Length', fileSize);
+    }
+
+    return res.send(fileStream);
+  }
 }
@@ -99,6 +99,7 @@ export class AttachmentService {
      if (isUpdate) {
        attachment = await this.attachmentRepo.updateAttachment(
          {
+            fileSize: preparedFile.fileSize,
            updatedAt: new Date(),
          },
          attachmentId,
@@ -9,7 +9,9 @@ export class PageHistoryService {
  constructor(private pageHistoryRepo: PageHistoryRepo) {}

  async findById(historyId: string): Promise<PageHistory> {
-    return await this.pageHistoryRepo.findById(historyId);
+    return await this.pageHistoryRepo.findById(historyId, {
+      includeContent: true,
+    });
  }

  async findHistoryByPageId(
@@ -61,8 +61,18 @@ export class ShareController {
      throw new BadRequestException();
    }

+    const shareData = await this.shareService.getSharedPage(dto, workspace.id);
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      shareData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Shared page not found');
+    }
+
    return {
-      ...(await this.shareService.getSharedPage(dto, workspace.id)),
+      ...shareData,
      hasLicenseKey: hasLicenseOrEE({
        licenseKey: workspace.licenseKey,
        isCloud: this.environmentService.isCloud(),
@@ -83,6 +93,14 @@ export class ShareController {
      throw new NotFoundException('Share not found');
    }

+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      share.workspaceId,
+      share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
    return share;
  }

@@ -129,6 +147,14 @@ export class ShareController {
      throw new BadRequestException('Cannot share a restricted page');
    }

+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      page.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new ForbiddenException('Public sharing is disabled');
+    }
+
    return this.shareService.createShare({
      page,
      authUserId: user.id,
@@ -184,8 +210,21 @@ export class ShareController {
    @Body() dto: ShareIdDto,
    @AuthWorkspace() workspace: Workspace,
  ) {
+    const treeData = await this.shareService.getShareTree(
+      dto.shareId,
+      workspace.id,
+    );
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      treeData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
    return {
-      ...(await this.shareService.getShareTree(dto.shareId, workspace.id)),
+      ...treeData,
      hasLicenseKey: hasLicenseOrEE({
        licenseKey: workspace.licenseKey,
        isCloud: this.environmentService.isCloud(),
@@ -281,6 +281,31 @@ export class ShareService {
    return ancestor;
  }

+  async isSharingAllowed(
+    workspaceId: string,
+    spaceId: string,
+  ): Promise<boolean> {
+    const result = await this.db
+      .selectFrom('workspaces')
+      .innerJoin('spaces', 'spaces.workspaceId', 'workspaces.id')
+      .select([
+        'workspaces.settings as workspaceSettings',
+        'spaces.settings as spaceSettings',
+      ])
+      .where('workspaces.id', '=', workspaceId)
+      .where('spaces.id', '=', spaceId)
+      .executeTakeFirst();
+
+    if (!result) return false;
+
+    const workspaceDisabled =
+      (result.workspaceSettings as any)?.sharing?.disabled === true;
+    const spaceDisabled =
+      (result.spaceSettings as any)?.sharing?.disabled === true;
+
+    return !workspaceDisabled && !spaceDisabled;
+  }
+
  async updatePublicAttachments(page: Page): Promise<any> {
    const prosemirrorJson = getProsemirrorContent(page.content);
    const attachmentIds = getAttachmentIds(prosemirrorJson);
@@ -1,10 +1,14 @@
 import { PartialType } from '@nestjs/mapped-types';
 import { CreateSpaceDto } from './create-space.dto';
-import { IsNotEmpty, IsString, IsUUID } from 'class-validator';
+import { IsBoolean, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';

 export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
  @IsString()
  @IsNotEmpty()
  @IsUUID()
  spaceId: string;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }
@@ -1,5 +1,6 @@
 import {
  BadRequestException,
+  ForbiddenException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
@@ -17,12 +18,18 @@ import { QueueJob, QueueName } from 'src/integrations/queue/constants';
 import { Queue } from 'bullmq';
 import { InjectQueue } from '@nestjs/bullmq';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';
+import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';

@Injectable()
 export class SpaceService {
  constructor(
    private spaceRepo: SpaceRepo,
    private spaceMemberService: SpaceMemberService,
+    private shareRepo: ShareRepo,
+    private workspaceRepo: WorkspaceRepo,
+    private licenseCheckService: LicenseCheckService,
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
  ) {}
@@ -105,6 +112,31 @@ export class SpaceService {
      }
    }

+    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+      const workspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(workspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.spaceRepo.updateSharingSettings(
+        updateSpaceDto.spaceId,
+        workspaceId,
+        'disabled',
+        updateSpaceDto.disablePublicSharing,
+      );
+
+      if (updateSpaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteBySpaceId(updateSpaceDto.spaceId);
+      }
+    }
+
    return await this.spaceRepo.updateSpace(
      {
        name: updateSpaceDto.name,
@@ -30,4 +30,8 @@ export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
  @IsOptional()
  @IsBoolean()
  generativeAi: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }
@@ -5,6 +5,7 @@ import {
  Logger,
  NotFoundException,
 } from '@nestjs/common';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
 import { CreateWorkspaceDto } from '../dto/create-workspace.dto';
 import { UpdateWorkspaceDto } from '../dto/update-workspace.dto';
 import { SpaceService } from '../../space/services/space.service';
@@ -33,6 +34,7 @@ import { Queue } from 'bullmq';
 import { generateRandomSuffixNumbers } from '../../../common/helpers';
 import { isPageEmbeddingsTableExists } from '@docmost/db/helpers/helpers';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';

@Injectable()
 export class WorkspaceService {
@@ -47,6 +49,8 @@ export class WorkspaceService {
    private userRepo: UserRepo,
    private environmentService: EnvironmentService,
    private domainService: DomainService,
+    private licenseCheckService: LicenseCheckService,
+    private shareRepo: ShareRepo,
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
@@ -358,6 +362,32 @@ export class WorkspaceService {
      delete updateWorkspaceDto.generativeAi;
    }

+    if (typeof updateWorkspaceDto.disablePublicSharing !== 'undefined') {
+      const currentWorkspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(currentWorkspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.workspaceRepo.updateSharingSettings(
+        workspaceId,
+        'disabled',
+        updateWorkspaceDto.disablePublicSharing,
+      );
+
+      if (updateWorkspaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteByWorkspaceId(workspaceId);
+      }
+
+      delete updateWorkspaceDto.disablePublicSharing;
+    }
+
    await this.workspaceRepo.updateWorkspace(updateWorkspaceDto, workspaceId);

    const workspace = await this.workspaceRepo.findById(workspaceId, {