sinvo/docmost
1
0
Fork 0
mirror of https://github.com/docmost/docmost.git synced 2026-05-08 07:13:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sinvo/docmost:feat/audit-log
Branches Tags
sinvo/docmost:main sinvo/docmost:transclusion sinvo/docmost:i10n_main sinvo/docmost:react-email sinvo/docmost:a11y-1 sinvo/docmost:include sinvo/docmost:v0.80.2 sinvo/docmost:fire-pdf sinvo/docmost:feat/scim sinvo/docmost:table-width sinvo/docmost:fix-831 sinvo/docmost:proxy sinvo/docmost:base-duck sinvo/docmost:base sinvo/docmost:security-471 sinvo/docmost:pdf-export sinvo/docmost:fix/favorites sinvo/docmost:bug-352873 sinvo/docmost:fix-6121 sinvo/docmost:verify sinvo/docmost:templates-favorites sinvo/docmost:chat sinvo/docmost:space-watch sinvo/docmost:bugs-231 sinvo/docmost:mrl sinvo/docmost:watchers-notify sinvo/docmost:ratelimits sinvo/docmost:bug-fix-23 sinvo/docmost:indexes sinvo/docmost:editor-972 sinvo/docmost:editor-279 sinvo/docmost:viewers-comment sinvo/docmost:sessions sinvo/docmost:updates-x sinvo/docmost:fix-245 sinvo/docmost:fix-notion sinvo/docmost:feature-flag sinvo/docmost:fix/conf-anchor sinvo/docmost:fix-123 sinvo/docmost:fix-email sinvo/docmost:diagrams-save sinvo/docmost:fix-share sinvo/docmost:docker-build sinvo/docmost:media-dry sinvo/docmost:fix/deps1 sinvo/docmost:fix/editor-refresh sinvo/docmost:perm-x sinvo/docmost:feat/integrations sinvo/docmost:feat/labels sinvo/docmost:feat/content-update sinvo/docmost:feat/content sinvo/docmost:fix/diagrams sinvo/docmost:fix/clipboard sinvo/docmost:fix/history sinvo/docmost:feat/ai-menu sinvo/docmost:feat/docx-import sinvo/docmost:feat/sharing-controls sinvo/docmost:fix/bugs sinvo/docmost:fix/safari-print sinvo/docmost:update-packages sinvo/docmost:feat/diff sinvo/docmost:feat/history-diff sinvo/docmost:fix/search sinvo/docmost:feat/cursor-pagination sinvo/docmost:fix/server sinvo/docmost:feat/collab-redis sinvo/docmost:feat/export-metadata sinvo/docmost:tiptap3-migration sinvo/docmost:react19 sinvo/docmost:feat/excalidraw-sync sinvo/docmost:feat/comment-yjs sinvo/docmost:fix/indexes sinvo/docmost:feat/audit-log sinvo/docmost:perm-share sinvo/docmost:permissions-2 sinvo/docmost:column-poc sinvo/docmost:feat/pagebreak sinvo/docmost:feat/toc-node sinvo/docmost:editor-toc sinvo/docmost:anchor-link sinvo/docmost:feat/spaces-admin sinvo/docmost:fix/member-search-filtering sinvo/docmost:ai sinvo/docmost:permissions-init-poc sinvo/docmost:feat/mfa-reset sinvo/docmost:resize-embed sinvo/docmost:redis-vectordb-poc sinvo/docmost:feat/custom-domain sinvo/docmost:custom_domain sinvo/docmost:commenteditor-emoji-picker sinvo/docmost:exception sinvo/docmost:vite-rolldown sinvo/docmost:esm-packages sinvo/docmost:feat/stream-files sinvo/docmost:sentry
sinvo/docmost:v0.80.2 sinvo/docmost:v0.80.1 sinvo/docmost:v0.80.0 sinvo/docmost:v0.71.1 sinvo/docmost:v0.71.0 sinvo/docmost:v0.70.3 sinvo/docmost:v0.70.2 sinvo/docmost:v0.70.1 sinvo/docmost:v0.70.0 sinvo/docmost:v0.25.3 sinvo/docmost:v0.25.2 sinvo/docmost:v0.25.1 sinvo/docmost:v0.25.0 sinvo/docmost:v0.25.0-beta.1 sinvo/docmost:v0.24.1 sinvo/docmost:v0.24.0 sinvo/docmost:v0.23.2 sinvo/docmost:v0.23.1 sinvo/docmost:v0.23.0 sinvo/docmost:v0.22.2 sinvo/docmost:v0.22.1 sinvo/docmost:v0.22.0 sinvo/docmost:v0.21.0 sinvo/docmost:v0.20.4 sinvo/docmost:v0.20.3 sinvo/docmost:v0.20.2 sinvo/docmost:v0.20.1 sinvo/docmost:v0.20.0 sinvo/docmost:v0.10.2 sinvo/docmost:v0.10.1 sinvo/docmost:v0.10.0 sinvo/docmost:v0.9.0 sinvo/docmost:v0.8.4 sinvo/docmost:v0.8.3 sinvo/docmost:v0.8.2 sinvo/docmost:v0.8.1 sinvo/docmost:v0.8.0 sinvo/docmost:v0.7.0 sinvo/docmost:v0.6.2 sinvo/docmost:v0.6.1 sinvo/docmost:v0.6.0 sinvo/docmost:v0.5.0 sinvo/docmost:v0.4.1 sinvo/docmost:v0.4.0 sinvo/docmost:v0.3.1 sinvo/docmost:v0.3.0 sinvo/docmost:v0.2.10 sinvo/docmost:v0.2.9 sinvo/docmost:v0.2.8 sinvo/docmost:v0.2.7 sinvo/docmost:v0.2.5 sinvo/docmost:v0.2.4 sinvo/docmost:0.2.3 sinvo/docmost:v0.2.2 sinvo/docmost:v0.2.1 sinvo/docmost:v0.2.0
..
compare: sinvo/docmost:permissions-2
Branches Tags
sinvo/docmost:transclusion sinvo/docmost:main sinvo/docmost:i10n_main sinvo/docmost:react-email sinvo/docmost:a11y-1 sinvo/docmost:include sinvo/docmost:v0.80.2 sinvo/docmost:fire-pdf sinvo/docmost:feat/scim sinvo/docmost:table-width sinvo/docmost:fix-831 sinvo/docmost:proxy sinvo/docmost:base-duck sinvo/docmost:base sinvo/docmost:security-471 sinvo/docmost:pdf-export sinvo/docmost:fix/favorites sinvo/docmost:bug-352873 sinvo/docmost:fix-6121 sinvo/docmost:verify sinvo/docmost:templates-favorites sinvo/docmost:chat sinvo/docmost:space-watch sinvo/docmost:bugs-231 sinvo/docmost:mrl sinvo/docmost:watchers-notify sinvo/docmost:ratelimits sinvo/docmost:bug-fix-23 sinvo/docmost:indexes sinvo/docmost:editor-972 sinvo/docmost:editor-279 sinvo/docmost:viewers-comment sinvo/docmost:sessions sinvo/docmost:updates-x sinvo/docmost:fix-245 sinvo/docmost:fix-notion sinvo/docmost:feature-flag sinvo/docmost:fix/conf-anchor sinvo/docmost:fix-123 sinvo/docmost:fix-email sinvo/docmost:diagrams-save sinvo/docmost:fix-share sinvo/docmost:docker-build sinvo/docmost:media-dry sinvo/docmost:fix/deps1 sinvo/docmost:fix/editor-refresh sinvo/docmost:perm-x sinvo/docmost:feat/integrations sinvo/docmost:feat/labels sinvo/docmost:feat/content-update sinvo/docmost:feat/content sinvo/docmost:fix/diagrams sinvo/docmost:fix/clipboard sinvo/docmost:fix/history sinvo/docmost:feat/ai-menu sinvo/docmost:feat/docx-import sinvo/docmost:feat/sharing-controls sinvo/docmost:fix/bugs sinvo/docmost:fix/safari-print sinvo/docmost:update-packages sinvo/docmost:feat/diff sinvo/docmost:feat/history-diff sinvo/docmost:fix/search sinvo/docmost:feat/cursor-pagination sinvo/docmost:fix/server sinvo/docmost:feat/collab-redis sinvo/docmost:feat/export-metadata sinvo/docmost:tiptap3-migration sinvo/docmost:react19 sinvo/docmost:feat/excalidraw-sync sinvo/docmost:feat/comment-yjs sinvo/docmost:fix/indexes sinvo/docmost:feat/audit-log sinvo/docmost:perm-share sinvo/docmost:permissions-2 sinvo/docmost:column-poc sinvo/docmost:feat/pagebreak sinvo/docmost:feat/toc-node sinvo/docmost:editor-toc sinvo/docmost:anchor-link sinvo/docmost:feat/spaces-admin sinvo/docmost:fix/member-search-filtering sinvo/docmost:ai sinvo/docmost:permissions-init-poc sinvo/docmost:feat/mfa-reset sinvo/docmost:resize-embed sinvo/docmost:redis-vectordb-poc sinvo/docmost:feat/custom-domain sinvo/docmost:custom_domain sinvo/docmost:commenteditor-emoji-picker sinvo/docmost:exception sinvo/docmost:vite-rolldown sinvo/docmost:esm-packages sinvo/docmost:feat/stream-files sinvo/docmost:sentry
sinvo/docmost:v0.80.2 sinvo/docmost:v0.80.1 sinvo/docmost:v0.80.0 sinvo/docmost:v0.71.1 sinvo/docmost:v0.71.0 sinvo/docmost:v0.70.3 sinvo/docmost:v0.70.2 sinvo/docmost:v0.70.1 sinvo/docmost:v0.70.0 sinvo/docmost:v0.25.3 sinvo/docmost:v0.25.2 sinvo/docmost:v0.25.1 sinvo/docmost:v0.25.0 sinvo/docmost:v0.25.0-beta.1 sinvo/docmost:v0.24.1 sinvo/docmost:v0.24.0 sinvo/docmost:v0.23.2 sinvo/docmost:v0.23.1 sinvo/docmost:v0.23.0 sinvo/docmost:v0.22.2 sinvo/docmost:v0.22.1 sinvo/docmost:v0.22.0 sinvo/docmost:v0.21.0 sinvo/docmost:v0.20.4 sinvo/docmost:v0.20.3 sinvo/docmost:v0.20.2 sinvo/docmost:v0.20.1 sinvo/docmost:v0.20.0 sinvo/docmost:v0.10.2 sinvo/docmost:v0.10.1 sinvo/docmost:v0.10.0 sinvo/docmost:v0.9.0 sinvo/docmost:v0.8.4 sinvo/docmost:v0.8.3 sinvo/docmost:v0.8.2 sinvo/docmost:v0.8.1 sinvo/docmost:v0.8.0 sinvo/docmost:v0.7.0 sinvo/docmost:v0.6.2 sinvo/docmost:v0.6.1 sinvo/docmost:v0.6.0 sinvo/docmost:v0.5.0 sinvo/docmost:v0.4.1 sinvo/docmost:v0.4.0 sinvo/docmost:v0.3.1 sinvo/docmost:v0.3.0 sinvo/docmost:v0.2.10 sinvo/docmost:v0.2.9 sinvo/docmost:v0.2.8 sinvo/docmost:v0.2.7 sinvo/docmost:v0.2.5 sinvo/docmost:v0.2.4 sinvo/docmost:0.2.3 sinvo/docmost:v0.2.2 sinvo/docmost:v0.2.1 sinvo/docmost:v0.2.0

3 Commits
feat/audit-log .. permissions-2

Author SHA1 Message Date
Philipinho 404e6c0b2f fix 2025-12-18 18:32:24 +00:00
Philipinho 900e367677 Merge branch 'main' into permissions-2 2025-12-18 18:30:48 +00:00
Philipinho ace00a0b0a WIP 2025-08-14 08:58:23 -07:00
55 changed files with 2543 additions and 561 deletions
Expand all files Collapse all files
apps/server/package.json
-1
View File
@@ -44,7 +44,6 @@
"@nestjs-labs/nestjs-ioredis": "^11.0.4",
"@nestjs/bullmq": "^11.0.4",
"@nestjs/common": "^11.1.9",
"nestjs-cls": "^4.5.0",
"@nestjs/config": "^4.0.2",
"@nestjs/core": "^11.1.9",
"@nestjs/event-emitter": "^3.0.1",
apps/server/src/app.module.ts
+1 -14
View File
@@ -1,8 +1,6 @@
import { Module } from '@nestjs/common';
import { APP_INTERCEPTOR } from '@nestjs/core';
import { AppController } from './app.controller';
import { AppService } from './app.service';
import { AuditActorInterceptor } from './common/interceptors/audit-actor.interceptor';
import { CoreModule } from './core/core.module';
import { EnvironmentModule } from './integrations/environment/environment.module';
import { CollaborationModule } from './collaboration/collaboration.module';
@@ -20,7 +18,6 @@ import { SecurityModule } from './integrations/security/security.module';
import { TelemetryModule } from './integrations/telemetry/telemetry.module';
import { RedisModule } from '@nestjs-labs/nestjs-ioredis';
import { RedisConfigService } from './integrations/redis/redis-config.service';
import { ClsModule } from 'nestjs-cls';
const enterpriseModules = [];
try {
@@ -38,10 +35,6 @@ try {
@Module({
imports: [
ClsModule.forRoot({
global: true,
middleware: { mount: true },
}),
CoreModule,
DatabaseModule,
EnvironmentModule,
@@ -67,12 +60,6 @@ try {
...enterpriseModules,
],
controllers: [AppController],
providers: [
AppService,
{
provide: APP_INTERCEPTOR,
useClass: AuditActorInterceptor,
},
],
providers: [AppService],
})
export class AppModule {}
apps/server/src/common/events/audit-events.ts
-101
View File
@@ -1,101 +0,0 @@
export const AuditEvent = {
// Workspace Invitations
WORKSPACE_CREATED: 'workspace.created',
WORKSPACE_INVITE_CREATED: 'workspace.invite_created',
WORKSPACE_INVITE_REVOKED: 'workspace.invite_revoked',
WORKSPACE_INVITE_ACCEPTED: 'workspace.invite_accepted',
WORKSPACE_USER_CREATED: 'workspace.user_created',
WORKSPACE_USER_DEACTIVATED: 'workspace.user_deactivated',
WORKSPACE_ALLOWED_DOMAIN_UPDATED: 'workspace.allowed_domain_updated',
WORKSPACE_ICON_CHANGED: 'workspace.icon_changed',
WORKSPACE_NAME_CHANGED: 'workspace.name_changed',
WORKSPACE_AI_TOGGLED: 'workspace.ai_toggled',
USER_CREATED: 'user.created',
USER_DELETED: 'user.deleted',
USER_LOGIN: 'user.login',
USER_LOGOUT: 'user.logout',
USER_ROLE_CHANGED: 'user.user_role_changed',
USER_PASSWORD_CHANGED: 'user.password_changed',
USER_PASSWORD_RESET: 'user.reset_password',
USER_PHOTO_CHANGED: 'user.reset_password',
USER_NAME_CHANGED: 'user.name_changed',
USER_EMAIL_CHANGED: 'user.email_changed',
USER_MFA_SETUP: 'user.mfa_setup',
USER_MFA_BACKUP_CODE_GENERATED: 'user.mfa_backup_code_generated',
// API Keys
API_KEY_CREATED: 'api_key.created',
API_KEY_UPDATED: 'api_key.updated',
API_KEY_DELETED: 'api_key.deleted',
// Space
SPACE_CREATED: 'space.created',
SPACE_UPDATED: 'space.updated',
SPACE_DELETED: 'space.deleted',
SPACE_MEMBER_ADDED: 'space.member_added',
SPACE_MEMBER_REMOVED: 'space.member_removed',
SPACE_MEMBER_ROLE_CHANGED: 'space.member_role_changed',
// OR SPACE_USER_ADDED: 'space.user_added',
// SPACE_GROUP_ADDED: 'space.group_added',
// GROUP
GROUP_CREATED: 'group.created',
GROUP_UPDATED: 'group.updated',
GROUP_DELETED: 'group.deleted',
GROUP_MEMBER_ADDED: 'group.member_added',
GROUP_MEMBER_REMOVED: 'group.member_removed',
// Comments
COMMENT_CREATED: 'comment.created',
COMMENT_UPDATED: 'comment.updated',
COMMENT_DELETED: 'comment.deleted',
COMMENT_RESOLVED: 'comment.resolved',
COMMENT_REOPENED: 'comment.reopened',
// PAGE
PAGE_CREATED: 'page.created',
PAGE_UPDATED: 'page.updated',
PAGE_TRASHED: 'page.trash',
PAGE_DELETED: 'page.deleted',
PAGE_SHARED: 'page.shared',
ATTACHMENT_UPLOADED: 'attachment.uploaded',
PAGE_IMPORTED: 'page.imported',
PAGE_RESTORED: 'page.restored',
PAGE_EXPORTED: 'page.exported',
SPACE_EXPORTED: 'space.imported',
// SSO EVENTS
} as const;
export type AuditEventType = (typeof AuditEvent)[keyof typeof AuditEvent];
export type ActorType = 'user' | 'system' | 'api_key';
export interface AuditLogPayload {
event: AuditEventType;
resourceType: string;
resourceId?: string;
changes?: {
before?: Record<string, any>;
after?: Record<string, any>;
};
metadata?: Record<string, any>;
}
export interface AuditLogData extends AuditLogPayload {
workspaceId: string;
actorId?: string;
actorType: ActorType;
ipAddress?: string;
userAgent?: string;
}
apps/server/src/common/events/event.contants.ts
+1
View File
@@ -1,5 +1,6 @@
export enum EventName {
COLLAB_PAGE_UPDATED = 'collab.page.updated',
PAGE_CREATED = 'page.created',
PAGE_UPDATED = 'page.updated',
PAGE_CONTENT_UPDATED = 'page-content-updated',
apps/server/src/common/helpers/nanoid.utils.ts
+1 -1
View File
@@ -5,4 +5,4 @@ export const nanoIdGen = customAlphabet(alphabet, 10);
const slugIdAlphabet =
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
apps/server/src/common/helpers/types/permission.ts
+6
View File
@@ -10,6 +10,12 @@ export enum SpaceRole {
READER = 'reader', // can only read pages in space
}
export enum PageRole {
WRITER = 'writer', // can read and write pages in space
READER = 'reader', // can only read pages in space
RESTRICTED = 'restricted', // cannot access page
}
export enum SpaceVisibility {
OPEN = 'open', // any workspace member can see that it exists and join.
PRIVATE = 'private', // only added space users can see
apps/server/src/common/interceptors/audit-actor.interceptor.ts
-29
View File
@@ -1,29 +0,0 @@
import {
CallHandler,
ExecutionContext,
Injectable,
NestInterceptor,
} from '@nestjs/common';
import { Observable } from 'rxjs';
import { ClsService } from 'nestjs-cls';
import { AuditContext, AUDIT_CONTEXT_KEY } from '../middlewares/audit-context.middleware';
@Injectable()
export class AuditActorInterceptor implements NestInterceptor {
constructor(private readonly cls: ClsService) {}
intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
const request = context.switchToHttp().getRequest();
const user = request.user?.user;
if (user?.id) {
const auditContext = this.cls.get<AuditContext>(AUDIT_CONTEXT_KEY);
if (auditContext) {
auditContext.actorId = user.id;
this.cls.set(AUDIT_CONTEXT_KEY, auditContext);
}
}
return next.handle();
}
}
apps/server/src/common/logger/internal-log-filter.ts
+9 -2
View File
@@ -14,11 +14,18 @@ export class InternalLogFilter extends ConsoleLogger {
super();
const isProduction = process.env.NODE_ENV === 'production';
const isDebugMode = process.env.DEBUG_MODE === 'true';
if (isProduction && !isDebugMode) {
this.allowedLogLevels = ['log', 'error', 'fatal'];
} else {
this.allowedLogLevels = ['log', 'debug', 'verbose', 'warn', 'error', 'fatal'];
this.allowedLogLevels = [
'log',
'debug',
'verbose',
'warn',
'error',
'fatal',
];
}
}
apps/server/src/common/middlewares/audit-context.middleware.ts
-50
View File
@@ -1,50 +0,0 @@
import { Injectable, NestMiddleware } from '@nestjs/common';
import { FastifyRequest, FastifyReply } from 'fastify';
import { ClsService } from 'nestjs-cls';
export interface AuditContext {
workspaceId: string | null;
actorId: string | null;
actorType: 'user' | 'system' | 'api_key';
ipAddress: string | null;
}
export const AUDIT_CONTEXT_KEY = 'auditContext';
@Injectable()
export class AuditContextMiddleware implements NestMiddleware {
constructor(private readonly cls: ClsService) {}
use(req: FastifyRequest['raw'], res: FastifyReply['raw'], next: () => void) {
const workspaceId = (req as any).workspaceId ?? null;
const ipAddress = this.extractIpAddress(req);
const auditContext: AuditContext = {
workspaceId,
actorId: null,
actorType: 'user',
ipAddress,
};
this.cls.set(AUDIT_CONTEXT_KEY, auditContext);
next();
}
private extractIpAddress(req: FastifyRequest['raw']): string | null {
const xForwardedFor = req.headers['x-forwarded-for'];
if (xForwardedFor) {
const ips = Array.isArray(xForwardedFor)
? xForwardedFor[0]
: xForwardedFor.split(',')[0];
return ips?.trim() ?? null;
}
const xRealIp = req.headers['x-real-ip'];
if (xRealIp) {
return Array.isArray(xRealIp) ? xRealIp[0] : xRealIp;
}
return (req as any).socket?.remoteAddress ?? null;
}
}
apps/server/src/core/casl/abilities/page-ability.factory.ts
+168
View File
@@ -0,0 +1,168 @@
import { Injectable, Logger, NotFoundException } from '@nestjs/common';
import {
AbilityBuilder,
createMongoAbility,
MongoAbility,
} from '@casl/ability';
import { PageRole, SpaceRole } from '../../../common/helpers/types/permission';
import { User } from '@docmost/db/types/entity.types';
import {
PagePermissionRepo,
PageMemberRole,
} from '@docmost/db/repos/page/page-permission-repo.service';
import { PageRepo } from '@docmost/db/repos/page/page.repo';
import {
PageCaslAction,
IPageAbility,
PageCaslSubject,
} from '../interfaces/page-ability.type';
import { findHighestUserSpaceRole } from '@docmost/db/repos/Space/utils';
import { UserSpaceRole } from '@docmost/db/repos/space/types';
import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
@Injectable()
export default class PageAbilityFactory {
private readonly logger = new Logger(PageAbilityFactory.name);
constructor(
private readonly pagePermissionRepo: PagePermissionRepo,
private readonly pageRepo: PageRepo,
private readonly spaceMemberRepo: SpaceMemberRepo,
) {}
async createForUser(user: User, pageId: string) {
//user.id = '0197750c-a70c-73a6-83ad-65a193433f5c';
// This opens the possibility to share pages with individual users from other Spaces
/*
//TODO: we might account for space permission here too.
// we could just do it all here. no need to call two abilities.
const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
user.id,
spaceId,
);
*/
// const userPageRole = findHighestUserPageRole(userPageRoles);
// if no role abort
// Check page-level permissions first if pageId provided
const permission = await this.pagePermissionRepo.getUserPagePermission({
pageId: pageId,
userId: user.id,
});
// does it pick one? what if the user has permissions via groups? what roles takes precedence?
if (!permission) {
//TODO: it means we should use the space level permission
// need deeper understanding here though
// call the space factory?
}
this.logger.log('permissions', permission);
if (permission) {
// make sure the permission is for this page
// or cascaded/inherited from a parent page
/*this.logger.debug('role', permission.role, 'cascade', permission.cascade);
if (permission.pageId !== pageId && !permission.cascade) {
this.logger.debug('no permission');
// No explicit access and not inheriting - deny
return new AbilityBuilder<MongoAbility<IPageAbility>>(
createMongoAbility,
).build();
}*/
}
// if no permission should we use space permission here?
// if non, skip for default to take precedence
switch (permission.role) {
case PageRole.WRITER:
return buildPageWriterAbility();
case PageRole.READER:
return buildPageReaderAbility();
case PageRole.RESTRICTED:
return buildPageRestrictedAbility();
default:
throw new NotFoundException('Page permissions not found');
}
}
private buildAbilityForRole(role: string) {
switch (role) {
case PageRole.WRITER:
return buildPageWriterAbility();
case PageRole.READER:
return buildPageReaderAbility();
case PageRole.RESTRICTED:
return buildPageRestrictedAbility();
default:
return new AbilityBuilder<MongoAbility<IPageAbility>>(
createMongoAbility,
).build();
}
}
}
function buildPageWriterAbility() {
const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
createMongoAbility,
);
can(PageCaslAction.Read, PageCaslSubject.Settings);
can(PageCaslAction.Read, PageCaslSubject.Member);
can(PageCaslAction.Manage, PageCaslSubject.Page);
can(PageCaslAction.Manage, PageCaslSubject.Share);
return build();
}
function buildPageReaderAbility() {
const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
createMongoAbility,
);
can(PageCaslAction.Read, PageCaslSubject.Settings);
can(PageCaslAction.Read, PageCaslSubject.Member);
can(PageCaslAction.Read, PageCaslSubject.Page);
can(PageCaslAction.Read, PageCaslSubject.Share);
return build();
}
function buildPageRestrictedAbility() {
const { cannot, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
createMongoAbility,
);
cannot(PageCaslAction.Read, PageCaslSubject.Settings);
cannot(PageCaslAction.Read, PageCaslSubject.Member);
cannot(PageCaslAction.Read, PageCaslSubject.Page);
cannot(PageCaslAction.Read, PageCaslSubject.Share);
return build();
}
export interface UserPageRole {
userId: string;
role: string;
}
export function findHighestUserPageRole(userPageRoles: UserPageRole[]) {
//TODO: perhaps, we want the lowest here?
if (!userPageRoles) {
return undefined;
}
const roleOrder: { [key in PageRole]: number } = {
[PageRole.WRITER]: 3,
[PageRole.READER]: 2,
[PageRole.RESTRICTED]: 1,
};
let highestRole: string;
for (const userPageRole of userPageRoles) {
const currentRole = userPageRole.role;
if (!highestRole || roleOrder[currentRole] > roleOrder[highestRole]) {
highestRole = currentRole;
}
}
return highestRole;
}
apps/server/src/core/casl/casl.module.ts
+3 -2
View File
@@ -1,10 +1,11 @@
import { Global, Module } from '@nestjs/common';
import SpaceAbilityFactory from './abilities/space-ability.factory';
import WorkspaceAbilityFactory from './abilities/workspace-ability.factory';
import PageAbilityFactory from './abilities/page-ability.factory';
@Global()
@Module({
providers: [WorkspaceAbilityFactory, SpaceAbilityFactory],
exports: [WorkspaceAbilityFactory, SpaceAbilityFactory],
providers: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
exports: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
})
export class CaslModule {}
apps/server/src/core/casl/interfaces/page-ability.type.ts
+19
View File
@@ -0,0 +1,19 @@
export enum PageCaslAction {
Manage = 'manage',
Create = 'create',
Read = 'read',
Edit = 'edit',
Delete = 'delete',
}
export enum PageCaslSubject {
Settings = 'settings',
Member = 'member',
Page = 'page',
Share = 'share',
}
export type IPageAbility =
| [PageCaslAction, PageCaslSubject.Settings]
| [PageCaslAction, PageCaslSubject.Member]
| [PageCaslAction, PageCaslSubject.Page]
| [PageCaslAction, PageCaslSubject.Share];
apps/server/src/core/core.module.ts
+6 -26
View File
@@ -15,13 +15,7 @@ import { SpaceModule } from './space/space.module';
import { GroupModule } from './group/group.module';
import { CaslModule } from './casl/casl.module';
import { DomainMiddleware } from '../common/middlewares/domain.middleware';
import { AuditContextMiddleware } from '../common/middlewares/audit-context.middleware';
import { ShareModule } from './share/share.module';
import {
AUDIT_SERVICE,
NoopAuditService,
} from '../integrations/audit/audit.service';
import { ClsMiddleware } from 'nestjs-cls';
@Module({
imports: [
@@ -37,31 +31,17 @@ import { ClsMiddleware } from 'nestjs-cls';
CaslModule,
ShareModule,
],
providers: [
{
provide: AUDIT_SERVICE,
useClass: NoopAuditService,
},
],
exports: [AUDIT_SERVICE],
})
export class CoreModule implements NestModule {
configure(consumer: MiddlewareConsumer) {
const excludedRoutes = [
{ path: 'auth/setup', method: RequestMethod.POST },
{ path: 'health', method: RequestMethod.GET },
{ path: 'health/live', method: RequestMethod.GET },
{ path: 'billing/stripe/webhook', method: RequestMethod.POST },
];
consumer
.apply(DomainMiddleware)
.exclude(...excludedRoutes)
.forRoutes('*');
consumer
.apply(AuditContextMiddleware)
.exclude(...excludedRoutes)
.exclude(
{ path: 'auth/setup', method: RequestMethod.POST },
{ path: 'health', method: RequestMethod.GET },
{ path: 'health/live', method: RequestMethod.GET },
{ path: 'billing/stripe/webhook', method: RequestMethod.POST },
)
.forRoutes('*');
}
}
apps/server/src/core/group/dto/create-group.dto.ts
+1 -1
View File
@@ -7,7 +7,7 @@ import {
MaxLength,
MinLength,
} from 'class-validator';
import {Transform, TransformFnParams} from "class-transformer";
import { Transform, TransformFnParams } from 'class-transformer';
export class CreateGroupDto {
@MinLength(2)
apps/server/src/core/page/dto/add-page-members.dto.ts
+34
View File
@@ -0,0 +1,34 @@
import {
ArrayMaxSize,
IsArray,
IsBoolean,
IsEnum,
IsOptional,
IsUUID,
} from 'class-validator';
import { PageIdDto } from './page.dto';
import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
export class AddPageMembersDto extends PageIdDto {
@IsEnum(PageMemberRole)
role: string;
// optional
@IsArray()
@ArrayMaxSize(25, {
message: 'userIds must be an array with no more than 25 elements',
})
@IsUUID('all', { each: true })
userIds: string[];
@IsOptional()
@IsArray()
@ArrayMaxSize(25, {
message: 'groupIds must be an array with no more than 25 elements',
})
@IsUUID('all', { each: true })
groupIds: string[];
@IsBoolean()
@IsOptional()
cascade?: boolean; // Apply to all child pages
}
apps/server/src/core/page/dto/deleted-page.dto.ts
+1 -1
View File
@@ -4,4 +4,4 @@ export class DeletedPageDto {
@IsNotEmpty()
@IsString()
spaceId: string;
}
}
apps/server/src/core/page/dto/duplicate-page.dto.ts
+4 -4
View File
@@ -17,8 +17,8 @@ export type CopyPageMapEntry = {
};
export type ICopyPageAttachment = {
newPageId: string,
oldPageId: string,
oldAttachmentId: string,
newAttachmentId: string,
newPageId: string;
oldPageId: string;
oldAttachmentId: string;
newAttachmentId: string;
};
apps/server/src/core/page/dto/get-page-members.dto.ts
+22
View File
@@ -0,0 +1,22 @@
import { IsOptional, IsNumber, IsString, Min, Max } from 'class-validator';
import { PageIdDto } from './page.dto';
import { Type } from 'class-transformer';
export class GetPageMembersDto extends PageIdDto {
@IsOptional()
@Type(() => Number)
@IsNumber()
@Min(1)
page?: number = 1;
@IsOptional()
@Type(() => Number)
@IsNumber()
@Min(1)
@Max(100)
limit?: number = 20;
@IsOptional()
@IsString()
query?: string;
}
apps/server/src/core/page/dto/remove-page-member.dto.ts
+7
View File
@@ -0,0 +1,7 @@
import { IsUUID } from 'class-validator';
import { PageIdDto } from './page.dto';
export class RemovePageMemberDto extends PageIdDto {
@IsUUID()
memberId: string;
}
apps/server/src/core/page/dto/update-page-member-role.dto.ts
+11
View File
@@ -0,0 +1,11 @@
import { IsEnum, IsUUID } from 'class-validator';
import { PageIdDto } from './page.dto';
import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
export class UpdatePageMemberRoleDto extends PageIdDto {
@IsUUID()
memberId: string;
@IsEnum(PageMemberRole)
role: string;
}
apps/server/src/core/page/dto/update-page-permission.dto.ts
+21
View File
@@ -0,0 +1,21 @@
import { IsBoolean, IsEnum, IsOptional, IsUUID } from 'class-validator';
import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
export class UpdatePagePermissionDto {
@IsUUID()
pageId: string;
@IsUUID()
@IsOptional()
userId?: string;
@IsUUID()
@IsOptional()
groupId?: string;
@IsEnum(PageMemberRole)
role: string;
@IsBoolean()
cascade: boolean; // Apply to all child pages
}
apps/server/src/core/page/page.controller.ts
+188 -2
View File
@@ -32,9 +32,24 @@ import {
} from '../casl/interfaces/space-ability.type';
import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
import { PageRepo } from '@docmost/db/repos/page/page.repo';
import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
import { RecentPageDto } from './dto/recent-page.dto';
import { DuplicatePageDto } from './dto/duplicate-page.dto';
import { DeletedPageDto } from './dto/deleted-page.dto';
import { AddPageMembersDto } from './dto/add-page-members.dto';
import { RemovePageMemberDto } from './dto/remove-page-member.dto';
import { UpdatePageMemberRoleDto } from './dto/update-page-member-role.dto';
import { UpdatePagePermissionDto } from './dto/update-page-permission.dto';
import { GetPageMembersDto } from './dto/get-page-members.dto';
import {
PagePermissionService,
PagePermissionsResponse,
} from './services/page-member.service';
import PageAbilityFactory from '../casl/abilities/page-ability.factory';
import {
PageCaslAction,
PageCaslSubject,
} from '../casl/interfaces/page-ability.type';
@UseGuards(JwtAuthGuard)
@Controller('pages')
@@ -44,6 +59,9 @@ export class PageController {
private readonly pageRepo: PageRepo,
private readonly pageHistoryService: PageHistoryService,
private readonly spaceAbility: SpaceAbilityFactory,
private readonly pageAbility: PageAbilityFactory,
private readonly pagePermissionService: PagePermissionService,
private readonly sharedPagesRepo: SharedPagesRepo,
) {}
@HttpCode(HttpStatus.OK)
@@ -61,11 +79,21 @@ export class PageController {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
const pageAbility = await this.pageAbility.createForUser(user, page.id);
if (pageAbility.cannot(PageCaslAction.Read, PageCaslSubject.Page)) {
throw new ForbiddenException();
}
/*const ability = await this.spaceAbility.createForUser(
user,
page.spaceId,
);
if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}*/
return page;
}
@@ -389,4 +417,162 @@ export class PageController {
}
return this.pageService.getPageBreadCrumbs(page.id);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/restrict')
async restrictPage(@Body() dto: PageIdDto, @AuthUser() user: User) {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
// TODO: make sure they have access to the page, and can restrict
// And the page is not already restricted
// They can add and remove page restriction
// When a page restriction is removed, we remove the entries in page permissions table.
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.restrictPage(user, page.id);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/add')
async addPageMembers(
@Body() dto: AddPageMembersDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
) {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.addMembersToPageBatch(
dto,
user,
workspace.id,
);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/remove')
async removePageMember(
@Body() dto: RemovePageMemberDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
) {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.removePageMember(dto, workspace.id);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/update-role')
async updatePageMemberRole(
@Body() dto: UpdatePageMemberRoleDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
) {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.updatePageMemberRole(dto, workspace.id);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/update')
async updatePagePermissions(
@Body() dto: UpdatePagePermissionDto,
@AuthUser() user: User,
): Promise<PagePermissionsResponse> {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.updatePagePermission(dto);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/info')
async getPagePermissions(
@Body() dto: PageIdDto,
@AuthUser() user: User,
): Promise<PagePermissionsResponse> {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
return this.pagePermissionService.getPagePermissions(dto.pageId);
}
@HttpCode(HttpStatus.OK)
@Post('permissions/list')
async getPageMembers(
@Body() dto: GetPageMembersDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
) {
const page = await this.pageRepo.findById(dto.pageId);
if (!page) {
throw new NotFoundException('Page not found');
}
const ability = await this.spaceAbility.createForUser(user, page.spaceId);
if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
throw new ForbiddenException();
}
const pagination: PaginationOptions = {
page: dto.page || 1,
limit: dto.limit || 20,
query: dto.query,
};
return this.pagePermissionService.getPageMembers(
dto.pageId,
workspace.id,
pagination,
);
}
@HttpCode(HttpStatus.OK)
@Post('shared')
async getUserSharedPages(@AuthUser() user: User) {
return this.sharedPagesRepo.getUserSharedPages(user.id);
}
}
apps/server/src/core/page/page.module.ts
+10 -2
View File
@@ -3,12 +3,20 @@ import { PageService } from './services/page.service';
import { PageController } from './page.controller';
import { PageHistoryService } from './services/page-history.service';
import { TrashCleanupService } from './services/trash-cleanup.service';
import { PagePermissionService } from './services/page-member.service';
import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
import { StorageModule } from '../../integrations/storage/storage.module';
@Module({
controllers: [PageController],
providers: [PageService, PageHistoryService, TrashCleanupService],
exports: [PageService, PageHistoryService],
providers: [
PageService,
PageHistoryService,
TrashCleanupService,
PagePermissionService,
SharedPagesRepo,
],
exports: [PageService, PageHistoryService, PagePermissionService],
imports: [StorageModule],
})
export class PageModule {}
apps/server/src/core/page/services/page-member.service.ts
+648
View File
@@ -0,0 +1,648 @@
import {
BadRequestException,
Injectable,
NotFoundException,
} from '@nestjs/common';
import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
import {
PagePermissionRepo,
PageMemberRole,
} from '@docmost/db/repos/page/page-permission-repo.service';
import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
import { AddPageMembersDto } from '../dto/add-page-members.dto';
import { InjectKysely } from 'nestjs-kysely';
import { Page, PagePermission, User } from '@docmost/db/types/entity.types';
import { PageRepo } from '@docmost/db/repos/page/page.repo';
import { RemovePageMemberDto } from '../dto/remove-page-member.dto';
import { UpdatePageMemberRoleDto } from '../dto/update-page-member-role.dto';
import { UpdatePagePermissionDto } from '../dto/update-page-permission.dto';
import { UserRepo } from '@docmost/db/repos/user/user.repo';
import { GroupRepo } from '@docmost/db/repos/group/group.repo';
import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
import { executeTx } from '@docmost/db/utils';
export interface IPagePermission {
id: string;
cascade: boolean;
member: {
id: string;
type: 'user' | 'group' | 'public';
email?: string;
displayName?: string;
avatarUrl?: string;
workspaceRole?: string;
name?: string;
memberCount?: number;
};
membershipRole: {
id: string;
level: string;
source: 'direct' | 'inherited';
};
grantedBy: {
id: string;
type: 'page' | 'space';
title?: string;
name?: string;
parentId?: string;
};
}
export interface PagePermissionsResponse {
page: {
id: string;
title: string;
hasCustomPermissions: boolean;
inheritPermissions: boolean;
permissions: IPagePermission[];
};
}
@Injectable()
export class PagePermissionService {
constructor(
private pageMemberRepo: PagePermissionRepo,
private pageRepo: PageRepo,
private sharedPagesRepo: SharedPagesRepo,
private userRepo: UserRepo,
private groupRepo: GroupRepo,
private spaceMemberRepo: SpaceMemberRepo,
@InjectKysely() private readonly db: KyselyDB,
) {}
async addUserToPage(
userId: string,
pageId: string,
role: string,
workspaceId: string,
trx?: KyselyTransaction,
): Promise<void> {
await this.pageMemberRepo.insertPageMember(
{
userId: userId,
pageId: pageId,
role: role,
},
trx,
);
}
async addGroupToPage(
groupId: string,
pageId: string,
role: string,
workspaceId: string,
trx?: KyselyTransaction,
): Promise<void> {
await this.pageMemberRepo.insertPageMember(
{
groupId: groupId,
pageId: pageId,
role: role,
},
trx,
);
}
async getPageMembers(
pageId: string,
workspaceId: string,
pagination: PaginationOptions,
) {
const page = await this.pageRepo.findById(pageId);
// const page = await this.pageRepo.findById(pageId, { workspaceId });
if (!page) {
throw new NotFoundException('Page not found');
}
const members = await this.pageMemberRepo.getPageMembersPaginated(
pageId,
pagination,
);
return members;
}
async restrictPage(authUser: User, pageId: string) {
// to add custom permissions to a page,
// we have to restrict the page first.
// the user is here because they can restrict this page
// TODO: make sure page is not in trash
// Not sure if normal users can see restricted pages in trash.
await this.db
.updateTable('pages')
.set({
isRestricted: true,
restrictedById: authUser.id,
})
.where('id', '=', pageId)
.execute();
}
async addMembersToPageBatch(
dto: AddPageMembersDto,
authUser: User,
workspaceId: string,
): Promise<void> {
try {
const page = await this.pageRepo.findById(dto.pageId);
//const page = await this.pageRepo.findById(dto.pageId, { workspaceId });
if (!page) {
throw new NotFoundException('Page not found');
}
// Validate role
if (!Object.values(PageMemberRole).includes(dto.role as PageMemberRole)) {
throw new BadRequestException(`Invalid role: ${dto.role}`);
}
// Enable custom permissions if adding first member
/*if (!page.hasCustomPermissions) {
await this.pageRepo.update(dto.pageId, {
hasCustomPermissions: true,
inheritPermissions: false,
});
}*/
// Make sure we have valid workspace users
const validUsersQuery = this.db
.selectFrom('users')
.select(['id', 'name'])
.where('users.id', 'in', dto.userIds)
.where('users.workspaceId', '=', workspaceId)
.where(({ not, exists, selectFrom }) =>
not(
exists(
selectFrom('pagePermissions')
.select('id')
.whereRef('pagePermissions.userId', '=', 'users.id')
.where('pagePermissions.pageId', '=', dto.pageId),
),
),
);
const validGroupsQuery = this.db
.selectFrom('groups')
.select(['id', 'name'])
.where('groups.id', 'in', dto.groupIds)
.where('groups.workspaceId', '=', workspaceId)
.where(({ not, exists, selectFrom }) =>
not(
exists(
selectFrom('pagePermissions')
.select('id')
.whereRef('pagePermissions.groupId', '=', 'groups.id')
.where('pagePermissions.pageId', '=', dto.pageId),
),
),
);
let validUsers = [],
validGroups = [];
if (dto.userIds && dto.userIds.length > 0) {
validUsers = await validUsersQuery.execute();
}
if (dto.groupIds && dto.groupIds.length > 0) {
validGroups = await validGroupsQuery.execute();
}
const usersToAdd = [];
for (const user of validUsers) {
usersToAdd.push({
pageId: dto.pageId,
userId: user.id,
role: dto.role,
addedById: authUser.id,
});
// Track orphaned page access if user doesn't have parent access
if (page.parentPageId && dto.role !== PageMemberRole.NONE) {
const hasParentAccess = await this.checkParentAccess(
user.id,
page.parentPageId,
);
if (!hasParentAccess) {
await this.sharedPagesRepo.addSharedPage(user.id, dto.pageId);
}
}
}
const groupsToAdd = [];
for (const group of validGroups) {
groupsToAdd.push({
pageId: dto.pageId,
groupId: group.id,
role: dto.role,
addedById: authUser.id,
});
}
const membersToAdd = [...usersToAdd, ...groupsToAdd];
if (membersToAdd.length > 0) {
await this.db
.insertInto('pagePermissions')
.values(membersToAdd)
.execute();
}
// Apply to child pages if requested
if (dto.cascade) {
await this.cascadeToChildren(dto.pageId, membersToAdd);
}
} catch (error) {
if (
error instanceof NotFoundException ||
error instanceof BadRequestException
) {
throw error;
}
throw new BadRequestException(
'Failed to add members to page. Please try again.',
);
}
}
async removePageMember(
dto: RemovePageMemberDto,
workspaceId: string,
): Promise<void> {
const member = await this.db
.selectFrom('pagePermissions')
.innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
.select(['pagePermissions.id', 'pagePermissions.userId'])
.where('pagePermissions.id', '=', dto.memberId)
.where('pagePermissions.pageId', '=', dto.pageId)
.where('pages.workspaceId', '=', workspaceId)
.executeTakeFirst();
if (!member) {
throw new NotFoundException('Page member not found');
}
// Check if this is the last admin
const adminCount = await this.pageMemberRepo.roleCountByPageId(
PageMemberRole.ADMIN,
dto.pageId,
);
if (adminCount === 1) {
const memberToRemove = await this.pageMemberRepo.getPageMemberByTypeId(
dto.pageId,
{ userId: member.userId },
);
if (memberToRemove?.role === PageMemberRole.ADMIN) {
throw new BadRequestException('Cannot remove the last admin from page');
}
}
await this.pageMemberRepo.removePageMemberById(dto.memberId, dto.pageId);
// Remove from shared pages if it was tracked
if (member.userId) {
await this.sharedPagesRepo.removeSharedPage(member.userId, dto.pageId);
}
}
async updatePageMemberRole(
dto: UpdatePageMemberRoleDto,
workspaceId: string,
): Promise<void> {
const member = await this.db
.selectFrom('pagePermissions')
.innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
.select(['pagePermissions.id', 'pagePermissions.role'])
.where('pagePermissions.id', '=', dto.memberId)
.where('pagePermissions.pageId', '=', dto.pageId)
.where('pages.workspaceId', '=', workspaceId)
.executeTakeFirst();
if (!member) {
throw new NotFoundException('Page member not found');
}
if (
member.role === PageMemberRole.ADMIN &&
dto.role !== PageMemberRole.ADMIN
) {
const adminCount = await this.pageMemberRepo.roleCountByPageId(
PageMemberRole.ADMIN,
dto.pageId,
);
if (adminCount === 1) {
throw new BadRequestException('Cannot change role of the last admin');
}
}
await this.pageMemberRepo.updatePageMember(
{ role: dto.role },
dto.memberId,
dto.pageId,
);
}
async updatePagePermission(
dto: UpdatePagePermissionDto,
): Promise<PagePermissionsResponse> {
const { pageId, userId, groupId, role, cascade } = dto;
try {
// Validate inputs
if (!userId && !groupId) {
throw new BadRequestException(
'Either userId or groupId must be provided',
);
}
if (userId && groupId) {
throw new BadRequestException('Cannot provide both userId and groupId');
}
if (!Object.values(PageMemberRole).includes(role as PageMemberRole)) {
throw new BadRequestException(`Invalid role: ${role}`);
}
await executeTx(this.db, async (trx) => {
// Update the role
if (userId) {
await this.pageMemberRepo.upsertPageMember(
{
pageId,
userId,
role,
},
trx,
);
} else if (groupId) {
await this.pageMemberRepo.upsertPageMember(
{
pageId,
groupId,
role,
},
trx,
);
}
// Mark page as having custom permissions
/* await this.pageRepo.update(
pageId,
{
hasCustomPermissions: true,
inheritPermissions: false,
},
trx,
);*/
// Cascade to children if requested
if (cascade) {
const descendants = await this.pageRepo.getAllDescendants(
pageId,
trx,
);
for (const childId of descendants) {
if (userId) {
await this.pageMemberRepo.upsertPageMember(
{
pageId: childId,
userId,
role,
},
trx,
);
} else if (groupId) {
await this.pageMemberRepo.upsertPageMember(
{
pageId: childId,
groupId,
role,
},
trx,
);
}
}
}
});
// Return comprehensive permission data
return this.getPagePermissions(pageId);
} catch (error) {
if (error instanceof BadRequestException) {
throw error;
}
throw new BadRequestException(
'Failed to update page permissions. Please try again.',
);
}
}
async getPagePermissions(pageId: string): Promise<PagePermissionsResponse> {
const page = await this.pageRepo.findById(pageId, { includeSpace: true });
if (!page) {
throw new NotFoundException('Page not found');
}
const permissions: IPagePermission[] = [];
// 1. Get direct page members
const directMembers = await this.pageMemberRepo.getPageMembers(pageId);
// Batch fetch all users and groups
const userIds = directMembers.filter((m) => m.userId).map((m) => m.userId);
const groupIds = directMembers
.filter((m) => m.groupId)
.map((m) => m.groupId);
const [users, groups] = await Promise.all([
userIds.length > 0
? this.db
.selectFrom('users')
.selectAll()
.where('id', 'in', userIds)
.execute()
: Promise.resolve([]),
groupIds.length > 0
? this.db
.selectFrom('groups')
.selectAll()
.where('id', 'in', groupIds)
.execute()
: Promise.resolve([]),
]);
const userMap = new Map(users.map((u) => [u.id, u] as const));
const groupMap = new Map(groups.map((g) => [g.id, g] as const));
// Build permissions with batch-fetched data
for (const member of directMembers) {
let memberData: any = null;
if (member.userId) {
const user = userMap.get(member.userId);
if (user) {
memberData = {
id: user.id,
type: 'user' as const,
email: user.email,
displayName: user.name,
avatarUrl: user.avatarUrl,
workspaceRole: user.role,
};
}
} else if (member.groupId) {
const group = groupMap.get(member.groupId);
if (group) {
memberData = {
id: group.id,
type: 'group' as const,
name: group.name,
memberCount: await this.db
.selectFrom('groupUsers')
.select((eb) => eb.fn.count('userId').as('count'))
.where('groupId', '=', group.id)
.executeTakeFirst()
.then((result) => Number(result?.count || 0)),
};
}
}
if (memberData) {
permissions.push({
id: member.id,
cascade: true, // Page permissions cascade by default
member: memberData,
membershipRole: {
id: member.id,
level: member.role,
source: 'direct',
},
grantedBy: {
id: pageId,
type: 'page',
title: page.title,
},
});
}
}
// 2. Get inherited space members (if page inherits)
if (page) {
//if (page.inheritPermissions || !page.hasCustomPermissions) {
const spaceMembers = await this.spaceMemberRepo.getSpaceMembersPaginated(
page.spaceId,
{ page: 1, limit: 100 },
);
for (const spaceMember of spaceMembers.items as any[]) {
// Skip if user has direct page permission
const hasDirect = directMembers.some(
(dm) =>
(dm.userId === spaceMember.id && spaceMember.type === 'user') ||
(dm.groupId === spaceMember.id && spaceMember.type === 'group'),
);
if (!hasDirect) {
permissions.push({
id: `space-${spaceMember.id}`,
cascade: false, // Space permissions don't cascade to page children
member: {
id: spaceMember.id,
type: spaceMember.type as 'user' | 'group',
email: spaceMember.email,
displayName: spaceMember.name,
avatarUrl: spaceMember.avatarUrl,
name: spaceMember.name,
memberCount: Number(spaceMember.memberCount || 0),
},
membershipRole: {
id: `space-role-${spaceMember.id}`,
level: spaceMember.role,
source: 'inherited',
},
grantedBy: {
id: page.spaceId,
type: 'space',
name: (page as any).space?.name,
},
});
}
}
}
return {
page: {
id: page.id,
title: page.title,
hasCustomPermissions: true,
inheritPermissions: false,
permissions,
},
};
}
private async checkParentAccess(
userId: string,
parentPageId: string | null,
): Promise<boolean> {
if (!parentPageId) return true; // Root pages always accessible
const parentAccess = await this.pageMemberRepo.resolveUserPageAccess(
userId,
parentPageId,
);
return parentAccess !== null && parentAccess !== PageMemberRole.NONE;
}
private async cascadeToChildren(
pageId: string,
membersToAdd: any[],
): Promise<void> {
const descendants = await this.pageRepo.getAllDescendants(pageId);
if (descendants.length === 0) return;
// Separate user and group members for proper conflict handling
const userMembers = membersToAdd.filter((m) => m.userId);
const groupMembers = membersToAdd.filter((m) => m.groupId);
for (const childId of descendants) {
// Handle user members with proper conflict resolution
if (userMembers.length > 0) {
const childUserMembers = userMembers.map((m) => ({
...m,
pageId: childId,
}));
await this.db
.insertInto('pagePermissions')
.values(childUserMembers)
.onConflict((oc) =>
oc.columns(['pageId', 'userId']).doUpdateSet({
role: (eb) => eb.ref('excluded.role'),
updatedAt: new Date(),
}),
)
.execute();
}
// Handle group members separately
if (groupMembers.length > 0) {
const childGroupMembers = groupMembers.map((m) => ({
...m,
pageId: childId,
}));
await this.db
.insertInto('pagePermissions')
.values(childGroupMembers)
.onConflict((oc) =>
oc.columns(['pageId', 'groupId']).doUpdateSet({
role: (eb) => eb.ref('excluded.role'),
updatedAt: new Date(),
}),
)
.execute();
}
}
}
}
apps/server/src/core/space/dto/create-space.dto.ts
+1 -1
View File
@@ -5,7 +5,7 @@ import {
MaxLength,
MinLength,
} from 'class-validator';
import {Transform, TransformFnParams} from "class-transformer";
import { Transform, TransformFnParams } from 'class-transformer';
export class CreateSpaceDto {
@MinLength(2)
apps/server/src/core/space/services/space-member.service.ts
+2 -77
View File
@@ -1,6 +1,5 @@
import {
BadRequestException,
Inject,
Injectable,
NotFoundException,
} from '@nestjs/common';
@@ -15,11 +14,6 @@ import { RemoveSpaceMemberDto } from '../dto/remove-space-member.dto';
import { UpdateSpaceMemberRoleDto } from '../dto/update-space-member-role.dto';
import { SpaceRole } from '../../../common/helpers/types/permission';
import { PaginationResult } from '@docmost/db/pagination/pagination';
import { AuditEvent } from '../../../common/events/audit-events';
import {
AUDIT_SERVICE,
IAuditService,
} from '../../../integrations/audit/audit.service';
@Injectable()
export class SpaceMemberService {
@@ -27,7 +21,6 @@ export class SpaceMemberService {
private spaceMemberRepo: SpaceMemberRepo,
private spaceRepo: SpaceRepo,
@InjectKysely() private readonly db: KyselyDB,
@Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
) {}
async addUserToSpace(
@@ -168,43 +161,8 @@ export class SpaceMemberService {
if (membersToAdd.length > 0) {
await this.spaceMemberRepo.insertSpaceMember(membersToAdd);
// Audit log for each member added
for (const user of validUsers) {
this.auditService.log({
event: AuditEvent.SPACE_MEMBER_ADDED,
resourceType: 'space_members',
resourceId: dto.spaceId,
changes: {
after: { role: dto.role },
},
metadata: {
spaceId: dto.spaceId,
spaceName: space.name,
userId: user.id,
userName: user.name,
memberType: 'user',
},
});
}
for (const group of validGroups) {
this.auditService.log({
event: AuditEvent.SPACE_MEMBER_ADDED,
resourceType: 'space_members',
resourceId: dto.spaceId,
changes: {
after: { role: dto.role },
},
metadata: {
spaceId: dto.spaceId,
spaceName: space.name,
groupId: group.id,
groupName: group.name,
memberType: 'group',
},
});
}
} else {
// either they are already members or do not exist on the workspace
}
}
@@ -251,22 +209,6 @@ export class SpaceMemberService {
spaceMember.id,
dto.spaceId,
);
this.auditService.log({
event: AuditEvent.SPACE_MEMBER_REMOVED,
resourceType: 'space_member',
resourceId: dto.spaceId,
changes: {
before: { role: spaceMember.role },
},
metadata: {
spaceId: dto.spaceId,
spaceName: space.name,
userId: spaceMember.userId,
groupId: spaceMember.groupId,
memberType: spaceMember.userId ? 'user' : 'group',
},
});
}
async updateSpaceMemberRole(
@@ -317,23 +259,6 @@ export class SpaceMemberService {
spaceMember.id,
dto.spaceId,
);
this.auditService.log({
event: AuditEvent.SPACE_MEMBER_ROLE_CHANGED,
resourceType: 'space_members',
resourceId: dto.spaceId,
changes: {
before: { role: spaceMember.role },
after: { role: dto.role },
},
metadata: {
spaceId: dto.spaceId,
spaceName: space.name,
userId: spaceMember.userId,
groupId: spaceMember.groupId,
memberType: spaceMember.userId ? 'user' : 'group',
},
});
}
async validateLastAdmin(spaceId: string): Promise<void> {
apps/server/src/core/user/user.service.ts
+3 -1
View File
@@ -70,7 +70,9 @@ export class UserService {
);
if (!isPasswordMatch) {
throw new BadRequestException('You must provide the correct password to change your email');
throw new BadRequestException(
'You must provide the correct password to change your email',
);
}
if (await this.userRepo.findByEmail(updateUserDto.email, workspace.id)) {
apps/server/src/core/workspace/services/workspace-invitation.service.ts
-46
View File
@@ -1,6 +1,5 @@
import {
BadRequestException,
Inject,
Injectable,
Logger,
NotFoundException,
@@ -34,11 +33,6 @@ import {
validateAllowedEmail,
validateSsoEnforcement,
} from '../../auth/auth.util';
import { AuditEvent } from '../../../common/events/audit-events';
import {
AUDIT_SERVICE,
IAuditService,
} from '../../../integrations/audit/audit.service';
@Injectable()
export class WorkspaceInvitationService {
@@ -52,7 +46,6 @@ export class WorkspaceInvitationService {
@InjectKysely() private readonly db: KyselyDB,
@InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
private readonly environmentService: EnvironmentService,
@Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
) {}
async getInvitations(workspaceId: string, pagination: PaginationOptions) {
@@ -186,24 +179,6 @@ export class WorkspaceInvitationService {
workspace.hostname,
);
});
// Audit log for each invitation created
for (const invitation of invites) {
this.auditService.log({
event: AuditEvent.WORKSPACE_INVITE_CREATED,
resourceType: 'workspace_invitation',
resourceId: invitation.id,
changes: {
after: {
email: invitation.email,
role: invitation.role,
},
},
metadata: {
groupIds: invitation.groupIds,
},
});
}
}
}
@@ -369,32 +344,11 @@ export class WorkspaceInvitationService {
invitationId: string,
workspaceId: string,
): Promise<void> {
const invitation = await this.db
.selectFrom('workspaceInvitations')
.select(['id', 'email', 'role'])
.where('id', '=', invitationId)
.where('workspaceId', '=', workspaceId)
.executeTakeFirst();
await this.db
.deleteFrom('workspaceInvitations')
.where('id', '=', invitationId)
.where('workspaceId', '=', workspaceId)
.execute();
if (invitation) {
this.auditService.log({
event: AuditEvent.WORKSPACE_INVITE_REVOKED,
resourceType: 'workspace_invitation',
resourceId: invitation.id,
changes: {
before: {
email: invitation.email,
role: invitation.role,
},
},
});
}
}
async getInvitationLinkById(
apps/server/src/core/workspace/services/workspace.service.ts
-34
View File
@@ -1,7 +1,6 @@
import {
BadRequestException,
ForbiddenException,
Inject,
Injectable,
Logger,
NotFoundException,
@@ -35,11 +34,6 @@ import { QueueJob, QueueName } from '../../../integrations/queue/constants';
import { Queue } from 'bullmq';
import { generateRandomSuffixNumbers } from '../../../common/helpers';
import { isPageEmbeddingsTableExists } from '@docmost/db/helpers/helpers';
import { AuditEvent } from '../../../common/events/audit-events';
import {
AUDIT_SERVICE,
IAuditService,
} from '../../../integrations/audit/audit.service';
@Injectable()
export class WorkspaceService {
@@ -58,7 +52,6 @@ export class WorkspaceService {
@InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
@InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
@InjectQueue(QueueName.AI_QUEUE) private aiQueue: Queue,
@Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
) {}
async findById(workspaceId: string) {
@@ -435,20 +428,6 @@ export class WorkspaceService {
user.id,
workspaceId,
);
this.auditService.log({
event: AuditEvent.USER_ROLE_CHANGED,
resourceType: 'users',
resourceId: user.id,
changes: {
before: { role: user.role },
after: { role: newRole },
},
metadata: {
userName: user.name,
userEmail: user.email,
},
});
}
async generateHostname(
@@ -552,19 +531,6 @@ export class WorkspaceService {
.execute();
});
this.auditService.log({
event: AuditEvent.USER_DELETED,
resourceType: 'users',
resourceId: user.id,
changes: {
before: {
name: user.name,
email: user.email,
role: user.role,
},
},
});
try {
await this.attachmentQueue.add(QueueJob.DELETE_USER_AVATARS, user);
} catch (err) {
apps/server/src/database/database.module.ts
+3
View File
@@ -26,6 +26,7 @@ import { UserTokenRepo } from './repos/user-token/user-token.repo';
import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
import { ShareRepo } from '@docmost/db/repos/share/share.repo';
import { PageListener } from '@docmost/db/listeners/page.listener';
import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission-repo.service';
// https://github.com/brianc/node-postgres/issues/811
types.setTypeParser(types.builtins.INT8, (val) => Number(val));
@@ -78,6 +79,7 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
BacklinkRepo,
ShareRepo,
PageListener,
PagePermissionRepo,
],
exports: [
WorkspaceRepo,
@@ -93,6 +95,7 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
UserTokenRepo,
BacklinkRepo,
ShareRepo,
PagePermissionRepo,
],
})
export class DatabaseModule
apps/server/src/database/migrations/20250327T145832-add-contributorIds-to-pages.ts
+1 -1
View File
@@ -3,7 +3,7 @@ import { type Kysely, sql } from 'kysely';
export async function up(db: Kysely<any>): Promise<void> {
await db.schema
.alterTable('pages')
.addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo("{}"))
.addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo('{}'))
.execute();
}
apps/server/src/database/migrations/20250812T000805-add-page-permissions.ts
+102
View File
@@ -0,0 +1,102 @@
import { Kysely, sql } from 'kysely';
export async function up(db: Kysely<any>): Promise<void> {
await db.schema
.createTable('page_permissions')
.addColumn('id', 'uuid', (col) =>
col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
)
.addColumn('user_id', 'uuid', (col) =>
col.references('users.id').onDelete('cascade'),
)
.addColumn('group_id', 'uuid', (col) =>
col.references('groups.id').onDelete('cascade'),
)
.addColumn('page_id', 'uuid', (col) =>
col.notNull().references('pages.id').onDelete('cascade'),
)
.addColumn('role', 'varchar', (col) => col.notNull())
.addColumn('cascade', 'boolean', (col) => col.defaultTo(true).notNull()) // children can inherit
.addColumn('added_by_id', 'uuid', (col) =>
col.references('users.id').onDelete('set null'),
)
.addColumn('created_at', 'timestamptz', (col) =>
col.notNull().defaultTo(sql`now()`),
)
.addColumn('updated_at', 'timestamptz', (col) =>
col.notNull().defaultTo(sql`now()`),
)
.addColumn('deleted_at', 'timestamptz')
.addUniqueConstraint('unique_page_user', ['page_id', 'user_id'])
.addUniqueConstraint('unique_page_group', ['page_id', 'group_id'])
.addCheckConstraint(
'allow_either_user_id_or_group_id_check',
sql`(user_id IS NOT NULL AND group_id IS NULL) OR (user_id IS NULL AND group_id IS NOT NULL)`,
)
.execute();
await db.schema
.alterTable('pages')
.addColumn('is_restricted', 'boolean', (col) =>
col.defaultTo(false).notNull(),
)
.addColumn('restricted_by_id', 'uuid', (col) =>
col.references('users.id').onDelete('set null'),
)
.execute();
// Add indexes for performance
await db.schema
.createIndex('idx_page_permissions_page_id')
.on('page_permissions')
.column('page_id')
.execute();
await db.schema
.createIndex('idx_page_permissions_user_id')
.on('page_permissions')
.column('user_id')
.execute();
await db.schema
.createIndex('idx_page_permissions_group_id')
.on('page_permissions')
.column('group_id')
.execute();
// Create user_shared_pages table for tracking orphaned page access
await db.schema
.createTable('user_shared_pages')
.addColumn('user_id', 'uuid', (col) =>
col.notNull().references('users.id').onDelete('cascade'),
)
.addColumn('page_id', 'uuid', (col) =>
col.notNull().references('pages.id').onDelete('cascade'),
)
.addColumn('shared_at', 'timestamptz', (col) =>
col.notNull().defaultTo(sql`now()`),
)
.addPrimaryKeyConstraint('user_shared_pages_pkey', ['user_id', 'page_id'])
.execute();
await db.schema
.createIndex('idx_user_shared_pages_user_id')
.on('user_shared_pages')
.column('user_id')
.execute();
await db.schema
.createIndex('idx_user_shared_pages_shared_at')
.on('user_shared_pages')
.column('shared_at')
.execute();
}
export async function down(db: Kysely<any>): Promise<void> {
await db.schema.alterTable('pages').dropColumn('is_restricted').execute();
await db.schema.alterTable('pages').dropColumn('restricted_by_id').execute();
await db.schema.dropTable('user_shared_pages').execute();
await db.schema.dropTable('page_permissions').execute();
}
apps/server/src/database/migrations/20260109T120000-audit-logs.ts
-32
View File
@@ -1,32 +0,0 @@
import { Kysely, sql } from 'kysely';
export async function up(db: Kysely<any>): Promise<void> {
await db.schema
.createTable('audit_logs')
.addColumn('id', 'uuid', (col) =>
col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
)
.addColumn('workspace_id', 'uuid', (col) =>
col.notNull().references('workspaces.id').onDelete('cascade'),
)
.addColumn('actor_id', 'uuid', (col) =>
col.references('users.id').onDelete('set null'),
)
.addColumn('actor_type', 'varchar', (col) =>
col.notNull().defaultTo('user'),
)
.addColumn('event', 'varchar', (col) => col.notNull())
.addColumn('resource_type', 'varchar', (col) => col.notNull())
.addColumn('resource_id', 'uuid')
.addColumn('changes', 'jsonb')
.addColumn('metadata', 'jsonb')
.addColumn('ip_address', sql `inet`)
.addColumn('created_at', 'timestamptz', (col) =>
col.notNull().defaultTo(sql`now()`),
)
.execute();
}
export async function down(db: Kysely<any>): Promise<void> {
await db.schema.dropTable('audit_logs').execute();
}
apps/server/src/database/pagination/pagination-options.ts
+2 -2
View File
@@ -23,9 +23,9 @@ export class PaginationOptions {
@IsOptional()
@IsString()
query: string;
query?: string;
@IsOptional()
@IsBoolean()
adminView: boolean;
adminView?: boolean;
}
apps/server/src/database/repos/comment/comment.repo.ts
+4 -1
View File
@@ -105,7 +105,10 @@ export class CommentRepo {
return Number(result?.count) > 0;
}
async hasChildrenFromOtherUsers(commentId: string, userId: string): Promise<boolean> {
async hasChildrenFromOtherUsers(
commentId: string,
userId: string,
): Promise<boolean> {
const result = await this.db
.selectFrom('comments')
.select((eb) => eb.fn.count('id').as('count'))
apps/server/src/database/repos/group/group-user.repo.ts
+5 -1
View File
@@ -57,7 +57,11 @@ export class GroupUserRepo {
if (pagination.query) {
query = query.where((eb) =>
eb(sql`f_unaccent(users.name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`),
eb(
sql`f_unaccent(users.name)`,
'ilike',
sql`f_unaccent(${'%' + pagination.query + '%'})`,
),
);
}
apps/server/src/database/repos/group/group.repo.ts
+5 -1
View File
@@ -114,7 +114,11 @@ export class GroupRepo {
if (pagination.query) {
query = query.where((eb) =>
eb(sql`f_unaccent(name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`).or(
eb(
sql`f_unaccent(name)`,
'ilike',
sql`f_unaccent(${'%' + pagination.query + '%'})`,
).or(
sql`f_unaccent(description)`,
'ilike',
sql`f_unaccent(${'%' + pagination.query + '%'})`,
apps/server/src/database/repos/page/page-permission-repo.service.ts
+1041
View File
File diff suppressed because it is too large Load Diff
apps/server/src/database/repos/page/page.repo.ts
+42
View File
@@ -454,4 +454,46 @@ export class PageRepo {
.selectAll()
.execute();
}
async update(
pageId: string,
updatablePage: UpdatablePage,
trx?: KyselyTransaction,
): Promise<void> {
const db = dbOrTx(this.db, trx);
await db
.updateTable('pages')
.set({ ...updatablePage, updatedAt: new Date() })
.where('id', '=', pageId)
.execute();
}
async getAllDescendants(
pageId: string,
trx?: KyselyTransaction,
): Promise<string[]> {
const db = dbOrTx(this.db, trx);
// Recursive CTE to get all descendants
const descendants = await db
.withRecursive('page_tree', (qb) =>
qb
.selectFrom('pages')
.select(['id', 'parentPageId'])
.where('parentPageId', '=', pageId)
.where('deletedAt', 'is', null)
.unionAll((eb) =>
eb
.selectFrom('pages as p')
.innerJoin('page_tree as pt', 'p.parentPageId', 'pt.id')
.select(['p.id', 'p.parentPageId'])
.where('p.deletedAt', 'is', null),
),
)
.selectFrom('page_tree')
.select('id')
.execute();
return descendants.map((d) => d.id);
}
}
apps/server/src/database/repos/page/shared-pages.repo.ts
+58
View File
@@ -0,0 +1,58 @@
import { Injectable } from '@nestjs/common';
import { InjectKysely } from 'nestjs-kysely';
import { KyselyDB } from '../../types/kysely.types';
import { Page } from '../../types/entity.types';
import { PageMemberRole } from './page-permission-repo.service';
@Injectable()
export class SharedPagesRepo {
constructor(@InjectKysely() private readonly db: KyselyDB) {}
async addSharedPage(userId: string, pageId: string): Promise<void> {
await this.db
.insertInto('userSharedPages')
.values({
userId,
pageId,
sharedAt: new Date(),
})
.onConflict((oc) => oc.columns(['userId', 'pageId']).doNothing())
.execute();
}
async removeSharedPage(userId: string, pageId: string): Promise<void> {
await this.db
.deleteFrom('userSharedPages')
.where('userId', '=', userId)
.where('pageId', '=', pageId)
.execute();
}
async getUserSharedPages(userId: string): Promise<Page[]> {
return await this.db
.selectFrom('userSharedPages as usp')
.innerJoin('pages as p', 'p.id', 'usp.pageId')
.innerJoin('pagePermissions as pm', (join) =>
join
.onRef('pm.pageId', '=', 'p.id')
.on('pm.userId', '=', userId)
.on('pm.role', '!=', PageMemberRole.NONE),
)
.selectAll('p')
.where('usp.userId', '=', userId)
.where('p.deletedAt', 'is', null)
.orderBy('usp.sharedAt', 'desc')
.execute();
}
async isPageSharedWithUser(userId: string, pageId: string): Promise<boolean> {
const result = await this.db
.selectFrom('userSharedPages')
.select('userId')
.where('userId', '=', userId)
.where('pageId', '=', pageId)
.executeTakeFirst();
return !!result;
}
}
apps/server/src/database/types/db.d.ts
Vendored
+36 -26
View File
@@ -3,13 +3,18 @@
* Please do not edit it manually.
*/
import type { ColumnType } from "kysely";
import type { ColumnType } from 'kysely';
export type Generated<T> = T extends ColumnType<infer S, infer I, infer U>
? ColumnType<S, I | undefined, U>
: ColumnType<T, T | undefined, T>;
export type Generated<T> =
T extends ColumnType<infer S, infer I, infer U>
? ColumnType<S, I | undefined, U>
: ColumnType<T, T | undefined, T>;
export type Int8 = ColumnType<string, bigint | number | string, bigint | number | string>;
export type Int8 = ColumnType<
string,
bigint | number | string,
bigint | number | string
>;
export type Json = JsonValue;
@@ -27,13 +32,13 @@ export type Timestamp = ColumnType<Date, Date | string, Date | string>;
export interface ApiKeys {
createdAt: Generated<Timestamp>;
creatorId: string;
deletedAt: Timestamp | null;
expiresAt: Timestamp | null;
id: Generated<string>;
lastUsedAt: Timestamp | null;
name: string | null;
updatedAt: Generated<Timestamp>;
creatorId: string;
workspaceId: string;
}
@@ -56,20 +61,6 @@ export interface Attachments {
workspaceId: string;
}
export interface AuditLogs {
actorId: string | null;
actorType: Generated<string>;
changes: Json | null;
createdAt: Generated<Timestamp>;
event: string;
id: Generated<string>;
ipAddress: string | null;
metadata: Json | null;
resourceId: string | null;
resourceType: string;
workspaceId: string;
}
export interface AuthAccounts {
authProviderId: string | null;
createdAt: Generated<Timestamp>;
@@ -86,25 +77,25 @@ export interface AuthProviders {
createdAt: Generated<Timestamp>;
creatorId: string | null;
deletedAt: Timestamp | null;
groupSync: Generated<boolean>;
id: Generated<string>;
isEnabled: Generated<boolean>;
groupSync: Generated<boolean>;
ldapBaseDn: string | null;
ldapBindDn: string | null;
ldapBindPassword: string | null;
ldapConfig: Json | null;
ldapTlsCaCert: string | null;
ldapTlsEnabled: Generated<boolean | null>;
ldapUrl: string | null;
ldapUserAttributes: Json | null;
ldapUserSearchFilter: string | null;
ldapConfig: Json | null;
settings: Json | null;
name: string;
oidcClientId: string | null;
oidcClientSecret: string | null;
oidcIssuer: string | null;
samlCertificate: string | null;
samlUrl: string | null;
settings: Json | null;
type: string;
updatedAt: Generated<Timestamp>;
workspaceId: string;
@@ -223,6 +214,19 @@ export interface PageHistory {
workspaceId: string;
}
export interface PagePermissions {
addedById: string | null;
cascade: Generated<boolean>;
createdAt: Generated<Timestamp>;
deletedAt: Timestamp | null;
groupId: string | null;
id: Generated<string>;
pageId: string;
role: string;
updatedAt: Generated<Timestamp>;
userId: string | null;
}
export interface Pages {
content: Json | null;
contributorIds: Generated<string[] | null>;
@@ -309,12 +313,12 @@ export interface Users {
deletedAt: Timestamp | null;
email: string;
emailVerifiedAt: Timestamp | null;
hasGeneratedPassword: Generated<boolean | null>;
id: Generated<string>;
invitedById: string | null;
lastActiveAt: Timestamp | null;
lastLoginAt: Timestamp | null;
locale: string | null;
hasGeneratedPassword: Generated<boolean | null>;
name: string | null;
password: string | null;
role: string | null;
@@ -324,6 +328,12 @@ export interface Users {
workspaceId: string | null;
}
export interface UserSharedPages {
pageId: string;
sharedAt: Generated<Timestamp>;
userId: string;
}
export interface UserTokens {
createdAt: Generated<Timestamp>;
expiresAt: Timestamp | null;
@@ -374,7 +384,6 @@ export interface Workspaces {
export interface DB {
apiKeys: ApiKeys;
attachments: Attachments;
auditLogs: AuditLogs;
authAccounts: AuthAccounts;
authProviders: AuthProviders;
backlinks: Backlinks;
@@ -384,13 +393,14 @@ export interface DB {
groups: Groups;
groupUsers: GroupUsers;
pageHistory: PageHistory;
AuditLog: PagePermissions;
pagePermissions: PagePermissions;
pages: Pages;
shares: Shares;
spaceMembers: SpaceMembers;
spaces: Spaces;
userMfa: UserMfa;
users: Users;
userSharedPages: UserSharedPages;
userTokens: UserTokens;
workspaceInvitations: WorkspaceInvitations;
workspaces: Workspaces;
apps/server/src/database/types/db.interface.ts
+47 -2
View File
@@ -1,6 +1,51 @@
import { DB } from '@docmost/db/types/db';
import {
ApiKeys,
Attachments,
AuthAccounts,
AuthProviders,
Backlinks,
Billing,
Comments,
FileTasks,
Groups,
GroupUsers,
PageHistory,
PagePermissions,
Pages,
Shares,
SpaceMembers,
Spaces,
UserMfa,
Users,
UserSharedPages,
UserTokens,
WorkspaceInvitations,
Workspaces,
} from '@docmost/db/types/db';
import { PageEmbeddings } from '@docmost/db/types/embeddings.types';
export interface DbInterface extends DB {
export interface DbInterface {
attachments: Attachments;
authAccounts: AuthAccounts;
authProviders: AuthProviders;
backlinks: Backlinks;
billing: Billing;
comments: Comments;
fileTasks: FileTasks;
groups: Groups;
groupUsers: GroupUsers;
pageEmbeddings: PageEmbeddings;
pagePermissions: PagePermissions;
pageHistory: PageHistory;
pages: Pages;
shares: Shares;
spaceMembers: SpaceMembers;
spaces: Spaces;
userMfa: UserMfa;
users: Users;
userSharedPages: UserSharedPages;
userTokens: UserTokens;
workspaceInvitations: WorkspaceInvitations;
workspaces: Workspaces;
apiKeys: ApiKeys;
}
apps/server/src/database/types/entity.types.ts
+11 -6
View File
@@ -4,8 +4,10 @@ import {
Comments,
Groups,
Pages,
PagePermissions,
Spaces,
Users,
UserSharedPages,
Workspaces,
PageHistory as History,
GroupUsers,
@@ -20,7 +22,6 @@ import {
FileTasks,
UserMfa as _UserMFA,
ApiKeys,
AuditLogs,
} from './db';
import { PageEmbeddings } from '@docmost/db/types/embeddings.types';
@@ -51,6 +52,15 @@ export type SpaceMember = Selectable<SpaceMembers>;
export type InsertableSpaceMember = Insertable<SpaceMembers>;
export type UpdatableSpaceMember = Updateable<Omit<SpaceMembers, 'id'>>;
// PageMember
export type PagePermission = Selectable<PagePermissions>;
export type InsertablePagePermission = Insertable<PagePermissions>;
export type UpdatablePagePermission = Updateable<Omit<PagePermissions, 'id'>>;
// UserSharedPage
export type UserSharedPage = Selectable<UserSharedPages>;
export type InsertableUserSharedPage = Insertable<UserSharedPages>;
// Group
export type ExtendedGroup = Groups & { memberCount: number };
@@ -132,8 +142,3 @@ export type UpdatableApiKey = Updateable<Omit<ApiKeys, 'id'>>;
export type PageEmbedding = Selectable<PageEmbeddings>;
export type InsertablePageEmbedding = Insertable<PageEmbeddings>;
export type UpdatablePageEmbedding = Updateable<Omit<PageEmbeddings, 'id'>>;
// Audit Log
export type AuditLog = Selectable<AuditLogs>;
export type InsertableAuditLog = Insertable<AuditLogs>;
export type UpdatableAuditLog = Updateable<Omit<AuditLogs, 'id'>>;
apps/server/src/ee
+1 -1
Submodule apps/server/src/ee updated: 741c15eba3...075761c2d9
apps/server/src/integrations/audit/audit.service.ts
-48
View File
@@ -1,48 +0,0 @@
import { Injectable } from '@nestjs/common';
import { AuditLogPayload, ActorType } from '../../common/events/audit-events';
export type IAuditService = {
log(payload: AuditLogPayload): void | Promise<void>;
logWithContext(
payload: AuditLogPayload,
context: {
workspaceId: string;
actorId?: string;
actorType?: ActorType;
ipAddress?: string;
userAgent?: string;
},
): void | Promise<void>;
setActorId(actorId: string): void;
setActorType(actorType: ActorType): void;
};
export const AUDIT_SERVICE = Symbol('AUDIT_SERVICE');
@Injectable()
export class NoopAuditService implements IAuditService {
log(_payload: AuditLogPayload): void {
// No-op: swallow the log when EE module is not available
}
logWithContext(
_payload: AuditLogPayload,
_context: {
workspaceId: string;
actorId?: string;
actorType?: ActorType;
ipAddress?: string;
userAgent?: string;
},
): void {
// No-op: swallow the log when EE module is not available
}
setActorId(_actorId: string): void {
// No-op
}
setActorType(_actorType: ActorType): void {
// No-op
}
}
apps/server/src/integrations/export/dto/export-dto.ts
+1 -1
View File
@@ -41,4 +41,4 @@ export class ExportSpaceDto {
@IsOptional()
@IsBoolean()
includeAttachments?: boolean;
}
}
apps/server/src/integrations/export/export.service.ts
+1 -1
View File
@@ -107,7 +107,7 @@ export class ExportService {
const page = await this.pageRepo.findById(pageId, {
includeContent: true,
});
if (page){
if (page) {
pages = [page];
}
}
apps/server/src/integrations/export/turndown-utils.ts
+8 -4
View File
@@ -69,17 +69,21 @@ function taskList(turndownService: TurndownService) {
'input[type="checkbox"]',
) as HTMLInputElement;
const isChecked = checkbox.checked;
// Process content like regular list items
content = content
.replace(/^\n+/, '') // remove leading newlines
.replace(/\n+$/, '\n') // replace trailing newlines with just a single one
.replace(/\n/gm, '\n '); // indent nested content with 2 spaces
// Create the checkbox prefix
const prefix = `- ${isChecked ? '[x]' : '[ ]'} `;
return prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '');
return (
prefix +
content +
(node.nextSibling && !/\n$/.test(content) ? '\n' : '')
);
},
});
}
apps/server/src/integrations/import/dto/file-task-dto.ts
+1 -1
View File
@@ -15,4 +15,4 @@ export type ImportPageNode = {
parentPageId: string | null;
fileExtension: string;
filePath: string;
};
};
apps/server/src/integrations/queue/constants/queue.constants.ts
-4
View File
@@ -6,7 +6,6 @@ export enum QueueName {
FILE_TASK_QUEUE = '{file-task-queue}',
SEARCH_QUEUE = '{search-queue}',
AI_QUEUE = '{ai-queue}',
AUDIT_QUEUE = '{audit-queue}',
}
export enum QueueJob {
@@ -59,7 +58,4 @@ export enum QueueJob {
GENERATE_PAGE_EMBEDDINGS = 'generate-page-embeddings',
DELETE_PAGE_EMBEDDINGS = 'delete-page-embeddings',
AUDIT_LOG = 'audit-log',
AUDIT_CLEANUP = 'audit-cleanup',
}
apps/server/src/integrations/queue/constants/queue.interface.ts
+2 -3
View File
@@ -1,5 +1,4 @@
import { MentionNode } from "../../../common/helpers/prosemirror/utils";
import { MentionNode } from '../../../common/helpers/prosemirror/utils';
export interface IPageBacklinkJob {
pageId: string;
@@ -9,4 +8,4 @@ export interface IPageBacklinkJob {
export interface IStripeSeatsSyncJob {
workspaceId: string;
}
}
apps/server/src/integrations/queue/queue.module.ts
-8
View File
@@ -73,14 +73,6 @@ import { BacklinksProcessor } from './processors/backlinks.processor';
attempts: 1,
},
}),
BullModule.registerQueue({
name: QueueName.AUDIT_QUEUE,
defaultJobOptions: {
removeOnComplete: true,
removeOnFail: true,
attempts: 3,
},
}),
],
exports: [BullModule],
providers: [BacklinksProcessor],
apps/server/src/integrations/storage/drivers/local.driver.ts
+1 -1
View File
@@ -42,7 +42,7 @@ export class LocalDriver implements StorageDriver {
try {
const fromFullPath = this._fullPath(fromFilePath);
const toFullPath = this._fullPath(toFilePath);
if (await this.exists(fromFilePath)) {
await fs.copy(fromFullPath, toFullPath);
}
apps/server/src/integrations/storage/providers/storage.provider.ts
+4 -3
View File
@@ -40,8 +40,8 @@ export const storageDriverConfigProvider = {
},
};
case StorageOption.S3:
{ const s3Config = {
case StorageOption.S3: {
const s3Config = {
driver,
config: {
region: environmentService.getAwsS3Region(),
@@ -68,7 +68,8 @@ export const storageDriverConfigProvider = {
};
}
return s3Config; }
return s3Config;
}
default:
throw new Error(`Unknown storage driver: ${driver}`);
pnpm-lock.yaml
Generated
-19
View File
@@ -578,9 +578,6 @@ importers:
nanoid:
specifier: 3.3.11
version: 3.3.11
nestjs-cls:
specifier: ^4.5.0
version: 4.5.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2)
nestjs-kysely:
specifier: ^1.2.0
version: 1.2.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(kysely@0.28.2)(reflect-metadata@0.2.2)
@@ -7985,15 +7982,6 @@ packages:
neo-async@2.6.2:
resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
nestjs-cls@4.5.0:
resolution: {integrity: sha512-oi3GNCc5pnsnVI5WJKMDwmg4NP+JyEw+edlwgepyUba5+RGGtJzpbVaaxXGW1iPbDuQde3/fA8Jdjq9j88BVcQ==}
engines: {node: '>=16'}
peerDependencies:
'@nestjs/common': '> 7.0.0 < 11'
'@nestjs/core': '> 7.0.0 < 11'
reflect-metadata: '*'
rxjs: '>= 7'
nestjs-kysely@1.2.0:
resolution: {integrity: sha512-KseCGb0SXCzIYC+Hx3Z3d+kPAfSZCSK6j9UoqUV/gcBCPad9utC7itmoUw0/w5sV+Jf9pc1DKpgClP1IkflA4w==}
peerDependencies:
@@ -19143,13 +19131,6 @@ snapshots:
neo-async@2.6.2: {}
nestjs-cls@4.5.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2):
dependencies:
'@nestjs/common': 11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2)
'@nestjs/core': 11.1.9(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/websockets@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2)
reflect-metadata: 0.2.2
rxjs: 7.8.2
nestjs-kysely@1.2.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(kysely@0.28.2)(reflect-metadata@0.2.2):
dependencies:
'@nestjs/common': 11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2)