fix

Merge branch 'main' into permissions-2
WIP
2026-05-15 13:14:11 +08:00 · 2025-12-18 18:32:24 +00:00 · 2025-12-18 18:30:48 +00:00 · 2025-08-14 08:58:23 -07:00
56 changed files with 2609 additions and 2303 deletions
@@ -9,7 +9,6 @@ import { TokenService } from '../../core/auth/services/token.service';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { findHighestUserSpaceRole } from '@docmost/db/repos/space/utils';
 import { SpaceRole } from '../../common/helpers/types/permission';
 import { getPageId } from '../collaboration.util';
@@ -24,7 +23,6 @@ export class AuthenticationExtension implements Extension {
    private userRepo: UserRepo,
    private pageRepo: PageRepo,
    private readonly spaceMemberRepo: SpaceMemberRepo,
    private readonly pagePermissionRepo: PagePermissionRepo,
  ) {}
  async onAuthenticate(data: onAuthenticatePayload) {
@@ -70,31 +68,9 @@ export class AuthenticationExtension implements Extension {
      throw new UnauthorizedException();
    }
-    // Check page-level permissions
+    if (userSpaceRole === SpaceRole.READER) {
-    const { hasRestriction, canAccess, canEdit } =
+      data.connection.readOnly = true;
-      await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
+      this.logger.debug(`User granted readonly access to page: ${pageId}`);
    if (hasRestriction) {
      // Page has restrictions - use page-level permissions
      if (!canAccess) {
        this.logger.warn(
          `User ${user.id} denied page-level access to page: ${pageId}`,
        );
        throw new UnauthorizedException();
      }
      if (!canEdit) {
        data.connection.readOnly = true;
        this.logger.debug(
          `User ${user.id} granted readonly access to restricted page: ${pageId}`,
        );
      }
    } else {
      // No restrictions - use space-level permissions
      if (userSpaceRole === SpaceRole.READER) {
        data.connection.readOnly = true;
        this.logger.debug(`User granted readonly access to page: ${pageId}`);
      }
    }
    this.logger.debug(`Authenticated user ${user.id} on page ${pageId}`);
@@ -1,5 +1,6 @@
 export enum EventName {
  COLLAB_PAGE_UPDATED = 'collab.page.updated',
  PAGE_CREATED = 'page.created',
  PAGE_UPDATED = 'page.updated',
  PAGE_CONTENT_UPDATED = 'page-content-updated',
@@ -5,4 +5,4 @@ export const nanoIdGen = customAlphabet(alphabet, 10);
 const slugIdAlphabet =
  '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
-export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
+export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
@@ -10,16 +10,13 @@ export enum SpaceRole {
  READER = 'reader', // can only read pages in space
 }
 export enum PageRole {
  WRITER = 'writer', // can read and write pages in space
  READER = 'reader', // can only read pages in space
  RESTRICTED = 'restricted', // cannot access page
 }
 export enum SpaceVisibility {
  OPEN = 'open', // any workspace member can see that it exists and join.
  PRIVATE = 'private', // only added space users can see
 }
 export enum PageAccessLevel {
  RESTRICTED = 'restricted', // only specific users/groups can view or edit
 }
 export enum PagePermissionRole {
  READER = 'reader', // can only view content and descendants
  WRITER = 'writer', // can edit content, descendants, and add new users to permission
 }
@@ -14,11 +14,18 @@ export class InternalLogFilter extends ConsoleLogger {
    super();
    const isProduction = process.env.NODE_ENV === 'production';
    const isDebugMode = process.env.DEBUG_MODE === 'true';
-    
+
    if (isProduction && !isDebugMode) {
      this.allowedLogLevels = ['log', 'error', 'fatal'];
    } else {
-      this.allowedLogLevels = ['log', 'debug', 'verbose', 'warn', 'error', 'fatal'];
+      this.allowedLogLevels = [
        'log',
        'debug',
        'verbose',
        'warn',
        'error',
        'fatal',
      ];
    }
  }
@@ -53,7 +53,6 @@ import { TokenService } from '../auth/services/token.service';
 import { JwtAttachmentPayload, JwtType } from '../auth/dto/jwt-payload';
 import * as path from 'path';
 import { RemoveIconDto } from './dto/attachment.dto';
 import { PageAccessService } from '../page-access/page-access.service';
@Controller()
 export class AttachmentController {
@@ -68,7 +67,6 @@ export class AttachmentController {
    private readonly attachmentRepo: AttachmentRepo,
    private readonly environmentService: EnvironmentService,
    private readonly tokenService: TokenService,
    private readonly pageAccessService: PageAccessService,
  ) {}
  @UseGuards(JwtAuthGuard)
@@ -113,8 +111,13 @@ export class AttachmentController {
      throw new NotFoundException('Page not found');
    }
-    // Checks both space-level and page-level edit permissions
+    const spaceAbility = await this.spaceAbility.createForUser(
-    await this.pageAccessService.validateCanEdit(page, user);
+      user,
      page.spaceId,
    );
    if (spaceAbility.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const spaceId = page.spaceId;
@@ -168,13 +171,14 @@ export class AttachmentController {
      throw new NotFoundException();
    }
-    const page = await this.pageRepo.findById(attachment.pageId);
+    const spaceAbility = await this.spaceAbility.createForUser(
-    if (!page) {
+      user,
-      throw new NotFoundException();
+      attachment.spaceId,
-    }
+    );
-    // Checks both space-level and page-level view permissions
+    if (spaceAbility.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
-    await this.pageAccessService.validateCanView(page, user);
+      throw new ForbiddenException();
    }
    try {
      const fileStream = await this.storageService.read(attachment.filePath);
@@ -0,0 +1,168 @@
 import { Injectable, Logger, NotFoundException } from '@nestjs/common';
 import {
  AbilityBuilder,
  createMongoAbility,
  MongoAbility,
 } from '@casl/ability';
 import { PageRole, SpaceRole } from '../../../common/helpers/types/permission';
 import { User } from '@docmost/db/types/entity.types';
 import {
  PagePermissionRepo,
  PageMemberRole,
 } from '@docmost/db/repos/page/page-permission-repo.service';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import {
  PageCaslAction,
  IPageAbility,
  PageCaslSubject,
 } from '../interfaces/page-ability.type';
 import { findHighestUserSpaceRole } from '@docmost/db/repos/Space/utils';
 import { UserSpaceRole } from '@docmost/db/repos/space/types';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
@Injectable()
 export default class PageAbilityFactory {
  private readonly logger = new Logger(PageAbilityFactory.name);
  constructor(
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly pageRepo: PageRepo,
    private readonly spaceMemberRepo: SpaceMemberRepo,
  ) {}
  async createForUser(user: User, pageId: string) {
    //user.id = '0197750c-a70c-73a6-83ad-65a193433f5c';
    // This opens the possibility to share pages with individual users from other Spaces
    /*     
    //TODO: we might account for space permission here too.
    // we could just do it all here. no need to call two abilities.
    const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
      user.id,
      spaceId,
    );
    */
    // const userPageRole = findHighestUserPageRole(userPageRoles);
    // if no role abort
    // Check page-level permissions first if pageId provided
    const permission = await this.pagePermissionRepo.getUserPagePermission({
      pageId: pageId,
      userId: user.id,
    });
    // does it pick one? what if the user has permissions via groups? what roles takes precedence?
    if (!permission) {
      //TODO: it means we should use the space level permission
      // need deeper understanding here though
      // call the space factory?
    }
    this.logger.log('permissions', permission);
    if (permission) {
      // make sure the permission is for this page
      // or cascaded/inherited from a parent page
      /*this.logger.debug('role', permission.role, 'cascade', permission.cascade);
      if (permission.pageId !== pageId && !permission.cascade) {
        this.logger.debug('no permission');
        // No explicit access and not inheriting - deny
        return new AbilityBuilder<MongoAbility<IPageAbility>>(
          createMongoAbility,
        ).build();
      }*/
    }
    // if no permission should we use space permission here?
    // if non, skip for default to take precedence
    switch (permission.role) {
      case PageRole.WRITER:
        return buildPageWriterAbility();
      case PageRole.READER:
        return buildPageReaderAbility();
      case PageRole.RESTRICTED:
        return buildPageRestrictedAbility();
      default:
        throw new NotFoundException('Page permissions not found');
    }
  }
  private buildAbilityForRole(role: string) {
    switch (role) {
      case PageRole.WRITER:
        return buildPageWriterAbility();
      case PageRole.READER:
        return buildPageReaderAbility();
      case PageRole.RESTRICTED:
        return buildPageRestrictedAbility();
      default:
        return new AbilityBuilder<MongoAbility<IPageAbility>>(
          createMongoAbility,
        ).build();
    }
  }
 }
 function buildPageWriterAbility() {
  const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  can(PageCaslAction.Read, PageCaslSubject.Settings);
  can(PageCaslAction.Read, PageCaslSubject.Member);
  can(PageCaslAction.Manage, PageCaslSubject.Page);
  can(PageCaslAction.Manage, PageCaslSubject.Share);
  return build();
 }
 function buildPageReaderAbility() {
  const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  can(PageCaslAction.Read, PageCaslSubject.Settings);
  can(PageCaslAction.Read, PageCaslSubject.Member);
  can(PageCaslAction.Read, PageCaslSubject.Page);
  can(PageCaslAction.Read, PageCaslSubject.Share);
  return build();
 }
 function buildPageRestrictedAbility() {
  const { cannot, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  cannot(PageCaslAction.Read, PageCaslSubject.Settings);
  cannot(PageCaslAction.Read, PageCaslSubject.Member);
  cannot(PageCaslAction.Read, PageCaslSubject.Page);
  cannot(PageCaslAction.Read, PageCaslSubject.Share);
  return build();
 }
 export interface UserPageRole {
  userId: string;
  role: string;
 }
 export function findHighestUserPageRole(userPageRoles: UserPageRole[]) {
  //TODO: perhaps, we want the lowest here?
  if (!userPageRoles) {
    return undefined;
  }
  const roleOrder: { [key in PageRole]: number } = {
    [PageRole.WRITER]: 3,
    [PageRole.READER]: 2,
    [PageRole.RESTRICTED]: 1,
  };
  let highestRole: string;
  for (const userPageRole of userPageRoles) {
    const currentRole = userPageRole.role;
    if (!highestRole || roleOrder[currentRole] > roleOrder[highestRole]) {
      highestRole = currentRole;
    }
  }
  return highestRole;
 }
@@ -1,10 +1,11 @@
 import { Global, Module } from '@nestjs/common';
 import SpaceAbilityFactory from './abilities/space-ability.factory';
 import WorkspaceAbilityFactory from './abilities/workspace-ability.factory';
 import PageAbilityFactory from './abilities/page-ability.factory';
@Global()
@Module({
-  providers: [WorkspaceAbilityFactory, SpaceAbilityFactory],
+  providers: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
-  exports: [WorkspaceAbilityFactory, SpaceAbilityFactory],
+  exports: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
 })
 export class CaslModule {}
@@ -0,0 +1,19 @@
 export enum PageCaslAction {
  Manage = 'manage',
  Create = 'create',
  Read = 'read',
  Edit = 'edit',
  Delete = 'delete',
 }
 export enum PageCaslSubject {
  Settings = 'settings',
  Member = 'member',
  Page = 'page',
  Share = 'share',
 }
 export type IPageAbility =
  | [PageCaslAction, PageCaslSubject.Settings]
  | [PageCaslAction, PageCaslSubject.Member]
  | [PageCaslAction, PageCaslSubject.Page]
  | [PageCaslAction, PageCaslSubject.Share];
@@ -24,7 +24,6 @@ import {
  SpaceCaslSubject,
 } from '../casl/interfaces/space-ability.type';
 import { CommentRepo } from '@docmost/db/repos/comment/comment.repo';
 import { PageAccessService } from '../page-access/page-access.service';
@UseGuards(JwtAuthGuard)
@Controller('comments')
@@ -34,7 +33,6 @@ export class CommentController {
    private readonly commentRepo: CommentRepo,
    private readonly pageRepo: PageRepo,
    private readonly spaceAbility: SpaceAbilityFactory,
    private readonly pageAccessService: PageAccessService,
  ) {}
  @HttpCode(HttpStatus.OK)
@@ -49,7 +47,10 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanEdit(page, user);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Create, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.commentService.create(
      {
@@ -74,8 +75,10 @@ export class CommentController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanView(page, user);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
-
+    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.commentService.findByPageId(page.id, pagination);
  }
@@ -87,13 +90,13 @@ export class CommentController {
      throw new NotFoundException('Comment not found');
    }
-    const page = await this.pageRepo.findById(comment.pageId);
+    const ability = await this.spaceAbility.createForUser(
-    if (!page) {
+      user,
-      throw new NotFoundException('Page not found');
+      comment.spaceId,
    );
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    await this.pageAccessService.validateCanView(page, user);
    return comment;
  }
@@ -105,12 +108,17 @@ export class CommentController {
      throw new NotFoundException('Comment not found');
    }
-    const page = await this.pageRepo.findById(comment.pageId);
+    const ability = await this.spaceAbility.createForUser(
-    if (!page) {
+      user,
-      throw new NotFoundException('Page not found');
+      comment.spaceId,
-    }
+    );
-    await this.pageAccessService.validateCanEdit(page, user);
+    // must be a space member with edit permission
    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
      throw new ForbiddenException(
        'You must have space edit permission to edit comments',
      );
    }
    return this.commentService.update(comment, dto, user);
  }
@@ -123,27 +131,41 @@ export class CommentController {
      throw new NotFoundException('Comment not found');
    }
-    const page = await this.pageRepo.findById(comment.pageId);
+    const ability = await this.spaceAbility.createForUser(
-    if (!page) {
+      user,
-      throw new NotFoundException('Page not found');
+      comment.spaceId,
-    }
+    );
-    // Check page-level edit permission first
+    // must be a space member with edit permission
-    await this.pageAccessService.validateCanEdit(page, user);
+    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    // Check if user is the comment owner
    const isOwner = comment.creatorId === user.id;
    if (isOwner) {
      /*
      // Check if comment has children from other users
      const hasChildrenFromOthers =
        await this.commentRepo.hasChildrenFromOtherUsers(comment.id, user.id);
      // Owner can delete if no children from other users
      if (!hasChildrenFromOthers) {
        await this.commentRepo.deleteComment(comment.id);
        return;
      }
      // If has children from others, only space admin can delete
      if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Settings)) {
        throw new ForbiddenException(
          'Only space admins can delete comments with replies from other users',
        );
      }*/
      await this.commentRepo.deleteComment(comment.id);
      return;
    }
    const ability = await this.spaceAbility.createForUser(
      user,
      comment.spaceId,
    );
    // Space admin can delete any comment
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Settings)) {
      throw new ForbiddenException(
@@ -14,7 +14,6 @@ import { SearchModule } from './search/search.module';
 import { SpaceModule } from './space/space.module';
 import { GroupModule } from './group/group.module';
 import { CaslModule } from './casl/casl.module';
 import { PageAccessModule } from './page-access/page-access.module';
 import { DomainMiddleware } from '../common/middlewares/domain.middleware';
 import { ShareModule } from './share/share.module';
@@ -30,7 +29,6 @@ import { ShareModule } from './share/share.module';
    SpaceModule,
    GroupModule,
    CaslModule,
    PageAccessModule,
    ShareModule,
  ],
 })
@@ -7,7 +7,7 @@ import {
  MaxLength,
  MinLength,
 } from 'class-validator';
-import {Transform, TransformFnParams} from "class-transformer";
+import { Transform, TransformFnParams } from 'class-transformer';
 export class CreateGroupDto {
  @MinLength(2)
@@ -1,9 +0,0 @@
 import { Global, Module } from '@nestjs/common';
 import { PageAccessService } from './page-access.service';
@Global()
@Module({
  providers: [PageAccessService],
  exports: [PageAccessService],
 })
 export class PageAccessModule {}
@@ -1,71 +0,0 @@
 import { ForbiddenException, Injectable } from '@nestjs/common';
 import { Page, User } from '@docmost/db/types/entity.types';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
 import {
  SpaceCaslAction,
  SpaceCaslSubject,
 } from '../casl/interfaces/space-ability.type';
@Injectable()
 export class PageAccessService {
  constructor(
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly spaceAbility: SpaceAbilityFactory,
  ) {}
  /**
   * Validate user can view page, throws ForbiddenException if not.
   * If page has restrictions: page-level permission determines access.
   * If no restrictions: space-level permission determines access.
   */
  async validateCanView(page: Page, user: User): Promise<void> {
    // TODO: cache by pageId and userId.
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    // User must be at least a space member
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const { hasRestriction, canAccess } =
      await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
    if (hasRestriction) {
      // Page has restrictions - use page-level permission
      if (!canAccess) {
        throw new ForbiddenException();
      }
    }
    // No restriction - space membership (checked above) is sufficient for view
  }
  /**
   * Validate user can edit page, throws ForbiddenException if not.
   * If page has restrictions: page-level writer permission determines access.
   * If no restrictions: space-level edit permission determines access.
   */
  async validateCanEdit(page: Page, user: User): Promise<void> {
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    // User must be at least a space member
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const { hasRestriction, canEdit } =
      await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
    if (hasRestriction) {
      // Page has restrictions - use page-level permission
      if (!canEdit) {
        throw new ForbiddenException();
      }
    } else {
      // No restrictions - use space-level permission
      if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
        throw new ForbiddenException();
      }
    }
  }
 }
@@ -0,0 +1,34 @@
 import {
  ArrayMaxSize,
  IsArray,
  IsBoolean,
  IsEnum,
  IsOptional,
  IsUUID,
 } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class AddPageMembersDto extends PageIdDto {
  @IsEnum(PageMemberRole)
  role: string;
  // optional
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'userIds must be an array with no more than 25 elements',
  })
  @IsUUID('all', { each: true })
  userIds: string[];
  @IsOptional()
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'groupIds must be an array with no more than 25 elements',
  })
  @IsUUID('all', { each: true })
  groupIds: string[];
  @IsBoolean()
  @IsOptional()
  cascade?: boolean; // Apply to all child pages
 }
@@ -4,4 +4,4 @@ export class DeletedPageDto {
  @IsNotEmpty()
  @IsString()
  spaceId: string;
-}
+}
@@ -17,8 +17,8 @@ export type CopyPageMapEntry = {
 };
 export type ICopyPageAttachment = {
-  newPageId: string,
+  newPageId: string;
-  oldPageId: string,
+  oldPageId: string;
-  oldAttachmentId: string,
+  oldAttachmentId: string;
-  newAttachmentId: string,
+  newAttachmentId: string;
 };
@@ -0,0 +1,22 @@
 import { IsOptional, IsNumber, IsString, Min, Max } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { Type } from 'class-transformer';
 export class GetPageMembersDto extends PageIdDto {
  @IsOptional()
  @Type(() => Number)
  @IsNumber()
  @Min(1)
  page?: number = 1;
  @IsOptional()
  @Type(() => Number)
  @IsNumber()
  @Min(1)
  @Max(100)
  limit?: number = 20;
  @IsOptional()
  @IsString()
  query?: string;
 }
@@ -1,67 +0,0 @@
 import {
  ArrayMaxSize,
  ArrayMinSize,
  IsArray,
  IsEnum,
  IsNotEmpty,
  IsOptional,
  IsString,
  IsUUID,
 } from 'class-validator';
 import { PagePermissionRole } from '../../../common/helpers/types/permission';
 export class PageIdDto {
  @IsString()
  @IsNotEmpty()
  pageId: string;
 }
 export class RestrictPageDto extends PageIdDto {}
 export class AddPagePermissionDto extends PageIdDto {
  @IsEnum(PagePermissionRole)
  role: string;
  @IsOptional()
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'userIds must be an array with no more than 25 elements',
  })
  @ArrayMinSize(1)
  @IsUUID('all', { each: true })
  userIds?: string[];
  @IsOptional()
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'groupIds must be an array with no more than 25 elements',
  })
  @ArrayMinSize(1)
  @IsUUID('all', { each: true })
  groupIds?: string[];
 }
 export class RemovePagePermissionDto extends PageIdDto {
  @IsOptional()
  @IsUUID()
  userId?: string;
  @IsOptional()
  @IsUUID()
  groupId?: string;
 }
 export class UpdatePagePermissionRoleDto extends PageIdDto {
  @IsEnum(PagePermissionRole)
  role: string;
  @IsOptional()
  @IsUUID()
  userId?: string;
  @IsOptional()
  @IsUUID()
  groupId?: string;
 }
 export class RemovePageRestrictionDto extends PageIdDto {}
@@ -0,0 +1,7 @@
 import { IsUUID } from 'class-validator';
 import { PageIdDto } from './page.dto';
 export class RemovePageMemberDto extends PageIdDto {
  @IsUUID()
  memberId: string;
 }
@@ -0,0 +1,11 @@
 import { IsEnum, IsUUID } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class UpdatePageMemberRoleDto extends PageIdDto {
  @IsUUID()
  memberId: string;
  @IsEnum(PageMemberRole)
  role: string;
 }
@@ -0,0 +1,21 @@
 import { IsBoolean, IsEnum, IsOptional, IsUUID } from 'class-validator';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class UpdatePagePermissionDto {
  @IsUUID()
  pageId: string;
  @IsUUID()
  @IsOptional()
  userId?: string;
  @IsUUID()
  @IsOptional()
  groupId?: string;
  @IsEnum(PageMemberRole)
  role: string;
  @IsBoolean()
  cascade: boolean; // Apply to all child pages
 }
@@ -1,107 +0,0 @@
 import {
  BadRequestException,
  Body,
  Controller,
  HttpCode,
  HttpStatus,
  Post,
  UseGuards,
 } from '@nestjs/common';
 import { PagePermissionService } from './services/page-permission.service';
 import {
  AddPagePermissionDto,
  PageIdDto,
  RemovePagePermissionDto,
  RemovePageRestrictionDto,
  RestrictPageDto,
  UpdatePagePermissionRoleDto,
 } from './dto/page-permission.dto';
 import { AuthUser } from '../../common/decorators/auth-user.decorator';
 import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { User, Workspace } from '@docmost/db/types/entity.types';
@UseGuards(JwtAuthGuard)
@Controller('pages/permissions')
 export class PagePermissionController {
  constructor(
    private readonly pagePermissionService: PagePermissionService,
  ) {}
  @HttpCode(HttpStatus.OK)
  @Post('restrict')
  async restrictPage(
    @Body() dto: RestrictPageDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    await this.pagePermissionService.restrictPage(dto.pageId, user, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('add')
  async addPagePermission(
    @Body() dto: AddPagePermissionDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    if (
      (!dto.userIds || dto.userIds.length === 0) &&
      (!dto.groupIds || dto.groupIds.length === 0)
    ) {
      throw new BadRequestException('userIds or groupIds is required');
    }
    await this.pagePermissionService.addPagePermissions(dto, user, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('remove')
  async removePagePermission(
    @Body() dto: RemovePagePermissionDto,
    @AuthUser() user: User,
  ) {
    if (!dto.userId && !dto.groupId) {
      throw new BadRequestException('userId or groupId is required');
    }
    await this.pagePermissionService.removePagePermission(dto, user);
  }
  @HttpCode(HttpStatus.OK)
  @Post('update-role')
  async updatePagePermissionRole(
    @Body() dto: UpdatePagePermissionRoleDto,
    @AuthUser() user: User,
  ) {
    if (!dto.userId && !dto.groupId) {
      throw new BadRequestException('userId or groupId is required');
    }
    await this.pagePermissionService.updatePagePermissionRole(dto, user);
  }
  @HttpCode(HttpStatus.OK)
  @Post('unrestrict')
  async removePageRestriction(
    @Body() dto: RemovePageRestrictionDto,
    @AuthUser() user: User,
  ) {
    await this.pagePermissionService.removePageRestriction(dto.pageId, user);
  }
  @HttpCode(HttpStatus.OK)
  @Post('list')
  async getPagePermissions(
    @Body() dto: PageIdDto,
    @Body() pagination: PaginationOptions,
    @AuthUser() user: User,
  ) {
    return this.pagePermissionService.getPagePermissions(
      dto.pageId,
      user,
      pagination,
    );
  }
 }
@@ -10,7 +10,6 @@ import {
  UseGuards,
 } from '@nestjs/common';
 import { PageService } from './services/page.service';
 import { PageAccessService } from '../page-access/page-access.service';
 import { CreatePageDto } from './dto/create-page.dto';
 import { UpdatePageDto } from './dto/update-page.dto';
 import { MovePageDto, MovePageToSpaceDto } from './dto/move-page.dto';
@@ -33,9 +32,24 @@ import {
 } from '../casl/interfaces/space-ability.type';
 import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { RecentPageDto } from './dto/recent-page.dto';
 import { DuplicatePageDto } from './dto/duplicate-page.dto';
 import { DeletedPageDto } from './dto/deleted-page.dto';
 import { AddPageMembersDto } from './dto/add-page-members.dto';
 import { RemovePageMemberDto } from './dto/remove-page-member.dto';
 import { UpdatePageMemberRoleDto } from './dto/update-page-member-role.dto';
 import { UpdatePagePermissionDto } from './dto/update-page-permission.dto';
 import { GetPageMembersDto } from './dto/get-page-members.dto';
 import {
  PagePermissionService,
  PagePermissionsResponse,
 } from './services/page-member.service';
 import PageAbilityFactory from '../casl/abilities/page-ability.factory';
 import {
  PageCaslAction,
  PageCaslSubject,
 } from '../casl/interfaces/page-ability.type';
@UseGuards(JwtAuthGuard)
@Controller('pages')
@@ -45,7 +59,9 @@ export class PageController {
    private readonly pageRepo: PageRepo,
    private readonly pageHistoryService: PageHistoryService,
    private readonly spaceAbility: SpaceAbilityFactory,
-    private readonly pageAccessService: PageAccessService,
+    private readonly pageAbility: PageAbilityFactory,
    private readonly pagePermissionService: PagePermissionService,
    private readonly sharedPagesRepo: SharedPagesRepo,
  ) {}
  @HttpCode(HttpStatus.OK)
@@ -63,7 +79,20 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanView(page, user);
+    const pageAbility = await this.pageAbility.createForUser(user, page.id);
    if (pageAbility.cannot(PageCaslAction.Read, PageCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    /*const ability = await this.spaceAbility.createForUser(
      user,
      page.spaceId,
    );
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }*/
    return page;
  }
@@ -75,24 +104,12 @@ export class PageController {
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
-    if (createPageDto.parentPageId) {
+    const ability = await this.spaceAbility.createForUser(
-      // Creating under a parent page - check edit permission on parent
+      user,
-      const parentPage = await this.pageRepo.findById(
+      createPageDto.spaceId,
-        createPageDto.parentPageId,
+    );
-      );
+    if (ability.cannot(SpaceCaslAction.Create, SpaceCaslSubject.Page)) {
-      if (!parentPage || parentPage.spaceId !== createPageDto.spaceId) {
+      throw new ForbiddenException();
        throw new NotFoundException('Parent page not found');
      }
      await this.pageAccessService.validateCanEdit(parentPage, user);
    } else {
      // Creating at root level - require space-level permission
      const ability = await this.spaceAbility.createForUser(
        user,
        createPageDto.spaceId,
      );
      if (ability.cannot(SpaceCaslAction.Create, SpaceCaslSubject.Page)) {
        throw new ForbiddenException();
      }
    }
    return this.pageService.create(user.id, workspace.id, createPageDto);
@@ -107,7 +124,10 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanEdit(page, user);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pageService.update(page, updatePageDto, user.id);
  }
@@ -136,9 +156,10 @@ export class PageController {
      }
      await this.pageService.forceDelete(deletePageDto.pageId, workspace.id);
    } else {
-      // User with edit permission can delete
+      // Soft delete requires page manage permissions
-      await this.pageAccessService.validateCanEdit(page, user);
+      if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
-
+        throw new ForbiddenException();
      }
      await this.pageService.removePage(
        deletePageDto.pageId,
        user.id,
@@ -160,18 +181,11 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
    //Todo: currently, this means if they are not admins, they need to add a space admin to the page, which is not possible as it was soft-deleted
    // so page is virtually lost. Fix.
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    //TODO: can users with page level edit, but no space level edit restore pages they can edit?
    // Check page-level edit permission (if restoring to a restricted ancestor)
    await this.pageAccessService.validateCanEdit(page, user);
    await this.pageRepo.restorePage(pageIdDto.pageId, workspace.id);
    return this.pageRepo.findById(pageIdDto.pageId, {
@@ -198,7 +212,6 @@ export class PageController {
      return this.pageService.getRecentSpacePages(
        recentPageDto.spaceId,
        user.id,
        pagination,
      );
    }
@@ -213,7 +226,6 @@ export class PageController {
    @Body() pagination: PaginationOptions,
    @AuthUser() user: User,
  ) {
    //TODO: should space admin see deleted pages they dont have access to?
    if (deletedPageDto.spaceId) {
      const ability = await this.spaceAbility.createForUser(
        user,
@@ -231,6 +243,7 @@ export class PageController {
    }
  }
  // TODO: scope to workspaces
  @HttpCode(HttpStatus.OK)
  @Post('/history')
  async getPageHistory(
@@ -243,7 +256,10 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanView(page, user);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pageHistoryService.findHistoryByPageId(page.id, pagination);
  }
@@ -259,14 +275,13 @@ export class PageController {
      throw new NotFoundException('Page history not found');
    }
-    // Get the page to check permissions
+    const ability = await this.spaceAbility.createForUser(
-    const page = await this.pageRepo.findById(history.pageId);
+      user,
-    if (!page) {
+      history.spaceId,
-      throw new NotFoundException('Page not found');
+    );
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    await this.pageAccessService.validateCanView(page, user);
    return history;
  }
@@ -298,12 +313,7 @@ export class PageController {
      throw new ForbiddenException();
    }
-    return this.pageService.getSidebarPages(
+    return this.pageService.getSidebarPages(spaceId, pagination, dto.pageId);
      spaceId,
      pagination,
      dto.pageId,
      user.id,
    );
  }
  @HttpCode(HttpStatus.OK)
@@ -333,11 +343,7 @@ export class PageController {
      throw new ForbiddenException();
    }
-    // Check page-level edit permission on the source page
+    return this.pageService.movePageToSpace(movedPage, dto.spaceId);
    await this.pageAccessService.validateCanEdit(movedPage, user);
    // Moves only accessible pages; inaccessible child pages become root pages in original space
    return this.pageService.movePageToSpace(movedPage, dto.spaceId, user.id);
  }
  @HttpCode(HttpStatus.OK)
@@ -348,10 +354,6 @@ export class PageController {
      throw new NotFoundException('Page to copy not found');
    }
    // Check page-level view permission on the source page (need to read to copy)
    // Inaccessible child branches are automatically skipped during duplication
    await this.pageAccessService.validateCanView(copiedPage, user);
    // If spaceId is provided, it's a copy to different space
    if (dto.spaceId) {
      const abilities = await Promise.all([
@@ -394,22 +396,10 @@ export class PageController {
      user,
      movedPage.spaceId,
    );
    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    // Check page-level edit permission
    await this.pageAccessService.validateCanEdit(movedPage, user);
    // If moving to a new parent, check permission on the target parent
    if (dto.parentPageId && dto.parentPageId !== movedPage.parentPageId) {
      const targetParent = await this.pageRepo.findById(dto.parentPageId);
      if (targetParent) {
        await this.pageAccessService.validateCanEdit(targetParent, user);
      }
    }
    return this.pageService.movePage(dto, movedPage);
  }
@@ -421,8 +411,168 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
-    await this.pageAccessService.validateCanView(page, user);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
-
+    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pageService.getPageBreadCrumbs(page.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/restrict')
  async restrictPage(@Body() dto: PageIdDto, @AuthUser() user: User) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    // TODO: make sure they have access to the page, and can restrict
    // And the page is not already restricted
    // They can add and remove page restriction
    // When a page restriction is removed, we remove the entries in page permissions table.
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.restrictPage(user, page.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/add')
  async addPageMembers(
    @Body() dto: AddPageMembersDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.addMembersToPageBatch(
      dto,
      user,
      workspace.id,
    );
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/remove')
  async removePageMember(
    @Body() dto: RemovePageMemberDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.removePageMember(dto, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/update-role')
  async updatePageMemberRole(
    @Body() dto: UpdatePageMemberRoleDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.updatePageMemberRole(dto, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/update')
  async updatePagePermissions(
    @Body() dto: UpdatePagePermissionDto,
    @AuthUser() user: User,
  ): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.updatePagePermission(dto);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/info')
  async getPagePermissions(
    @Body() dto: PageIdDto,
    @AuthUser() user: User,
  ): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.getPagePermissions(dto.pageId);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/list')
  async getPageMembers(
    @Body() dto: GetPageMembersDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const pagination: PaginationOptions = {
      page: dto.page || 1,
      limit: dto.limit || 20,
      query: dto.query,
    };
    return this.pagePermissionService.getPageMembers(
      dto.pageId,
      workspace.id,
      pagination,
    );
  }
  @HttpCode(HttpStatus.OK)
  @Post('shared')
  async getUserSharedPages(@AuthUser() user: User) {
    return this.sharedPagesRepo.getUserSharedPages(user.id);
  }
 }
@@ -3,13 +3,19 @@ import { PageService } from './services/page.service';
 import { PageController } from './page.controller';
 import { PageHistoryService } from './services/page-history.service';
 import { TrashCleanupService } from './services/trash-cleanup.service';
-import { PagePermissionService } from './services/page-permission.service';
+import { PagePermissionService } from './services/page-member.service';
-import { PagePermissionController } from './page-permission.controller';
+import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { StorageModule } from '../../integrations/storage/storage.module';
@Module({
-  controllers: [PageController, PagePermissionController],
+  controllers: [PageController],
-  providers: [PageService, PageHistoryService, TrashCleanupService, PagePermissionService],
+  providers: [
    PageService,
    PageHistoryService,
    TrashCleanupService,
    PagePermissionService,
    SharedPagesRepo,
  ],
  exports: [PageService, PageHistoryService, PagePermissionService],
  imports: [StorageModule],
 })
@@ -0,0 +1,648 @@
 import {
  BadRequestException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import {
  PagePermissionRepo,
  PageMemberRole,
 } from '@docmost/db/repos/page/page-permission-repo.service';
 import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { AddPageMembersDto } from '../dto/add-page-members.dto';
 import { InjectKysely } from 'nestjs-kysely';
 import { Page, PagePermission, User } from '@docmost/db/types/entity.types';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { RemovePageMemberDto } from '../dto/remove-page-member.dto';
 import { UpdatePageMemberRoleDto } from '../dto/update-page-member-role.dto';
 import { UpdatePagePermissionDto } from '../dto/update-page-permission.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
 import { executeTx } from '@docmost/db/utils';
 export interface IPagePermission {
  id: string;
  cascade: boolean;
  member: {
    id: string;
    type: 'user' | 'group' | 'public';
    email?: string;
    displayName?: string;
    avatarUrl?: string;
    workspaceRole?: string;
    name?: string;
    memberCount?: number;
  };
  membershipRole: {
    id: string;
    level: string;
    source: 'direct' | 'inherited';
  };
  grantedBy: {
    id: string;
    type: 'page' | 'space';
    title?: string;
    name?: string;
    parentId?: string;
  };
 }
 export interface PagePermissionsResponse {
  page: {
    id: string;
    title: string;
    hasCustomPermissions: boolean;
    inheritPermissions: boolean;
    permissions: IPagePermission[];
  };
 }
@Injectable()
 export class PagePermissionService {
  constructor(
    private pageMemberRepo: PagePermissionRepo,
    private pageRepo: PageRepo,
    private sharedPagesRepo: SharedPagesRepo,
    private userRepo: UserRepo,
    private groupRepo: GroupRepo,
    private spaceMemberRepo: SpaceMemberRepo,
    @InjectKysely() private readonly db: KyselyDB,
  ) {}
  async addUserToPage(
    userId: string,
    pageId: string,
    role: string,
    workspaceId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    await this.pageMemberRepo.insertPageMember(
      {
        userId: userId,
        pageId: pageId,
        role: role,
      },
      trx,
    );
  }
  async addGroupToPage(
    groupId: string,
    pageId: string,
    role: string,
    workspaceId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    await this.pageMemberRepo.insertPageMember(
      {
        groupId: groupId,
        pageId: pageId,
        role: role,
      },
      trx,
    );
  }
  async getPageMembers(
    pageId: string,
    workspaceId: string,
    pagination: PaginationOptions,
  ) {
    const page = await this.pageRepo.findById(pageId);
    // const page = await this.pageRepo.findById(pageId, { workspaceId });
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const members = await this.pageMemberRepo.getPageMembersPaginated(
      pageId,
      pagination,
    );
    return members;
  }
  async restrictPage(authUser: User, pageId: string) {
    // to add custom permissions to a page,
    // we have to restrict the page first.
    // the user is here because they can restrict this page
    // TODO: make sure page is not in trash
    // Not sure if normal users can see restricted pages in trash.
    await this.db
      .updateTable('pages')
      .set({
        isRestricted: true,
        restrictedById: authUser.id,
      })
      .where('id', '=', pageId)
      .execute();
  }
  async addMembersToPageBatch(
    dto: AddPageMembersDto,
    authUser: User,
    workspaceId: string,
  ): Promise<void> {
    try {
      const page = await this.pageRepo.findById(dto.pageId);
      //const page = await this.pageRepo.findById(dto.pageId, { workspaceId });
      if (!page) {
        throw new NotFoundException('Page not found');
      }
      // Validate role
      if (!Object.values(PageMemberRole).includes(dto.role as PageMemberRole)) {
        throw new BadRequestException(`Invalid role: ${dto.role}`);
      }
      // Enable custom permissions if adding first member
      /*if (!page.hasCustomPermissions) {
        await this.pageRepo.update(dto.pageId, {
          hasCustomPermissions: true,
          inheritPermissions: false,
        });
      }*/
      // Make sure we have valid workspace users
      const validUsersQuery = this.db
        .selectFrom('users')
        .select(['id', 'name'])
        .where('users.id', 'in', dto.userIds)
        .where('users.workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.userId', '=', 'users.id')
                .where('pagePermissions.pageId', '=', dto.pageId),
            ),
          ),
        );
      const validGroupsQuery = this.db
        .selectFrom('groups')
        .select(['id', 'name'])
        .where('groups.id', 'in', dto.groupIds)
        .where('groups.workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.groupId', '=', 'groups.id')
                .where('pagePermissions.pageId', '=', dto.pageId),
            ),
          ),
        );
      let validUsers = [],
        validGroups = [];
      if (dto.userIds && dto.userIds.length > 0) {
        validUsers = await validUsersQuery.execute();
      }
      if (dto.groupIds && dto.groupIds.length > 0) {
        validGroups = await validGroupsQuery.execute();
      }
      const usersToAdd = [];
      for (const user of validUsers) {
        usersToAdd.push({
          pageId: dto.pageId,
          userId: user.id,
          role: dto.role,
          addedById: authUser.id,
        });
        // Track orphaned page access if user doesn't have parent access
        if (page.parentPageId && dto.role !== PageMemberRole.NONE) {
          const hasParentAccess = await this.checkParentAccess(
            user.id,
            page.parentPageId,
          );
          if (!hasParentAccess) {
            await this.sharedPagesRepo.addSharedPage(user.id, dto.pageId);
          }
        }
      }
      const groupsToAdd = [];
      for (const group of validGroups) {
        groupsToAdd.push({
          pageId: dto.pageId,
          groupId: group.id,
          role: dto.role,
          addedById: authUser.id,
        });
      }
      const membersToAdd = [...usersToAdd, ...groupsToAdd];
      if (membersToAdd.length > 0) {
        await this.db
          .insertInto('pagePermissions')
          .values(membersToAdd)
          .execute();
      }
      // Apply to child pages if requested
      if (dto.cascade) {
        await this.cascadeToChildren(dto.pageId, membersToAdd);
      }
    } catch (error) {
      if (
        error instanceof NotFoundException ||
        error instanceof BadRequestException
      ) {
        throw error;
      }
      throw new BadRequestException(
        'Failed to add members to page. Please try again.',
      );
    }
  }
  async removePageMember(
    dto: RemovePageMemberDto,
    workspaceId: string,
  ): Promise<void> {
    const member = await this.db
      .selectFrom('pagePermissions')
      .innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
      .select(['pagePermissions.id', 'pagePermissions.userId'])
      .where('pagePermissions.id', '=', dto.memberId)
      .where('pagePermissions.pageId', '=', dto.pageId)
      .where('pages.workspaceId', '=', workspaceId)
      .executeTakeFirst();
    if (!member) {
      throw new NotFoundException('Page member not found');
    }
    // Check if this is the last admin
    const adminCount = await this.pageMemberRepo.roleCountByPageId(
      PageMemberRole.ADMIN,
      dto.pageId,
    );
    if (adminCount === 1) {
      const memberToRemove = await this.pageMemberRepo.getPageMemberByTypeId(
        dto.pageId,
        { userId: member.userId },
      );
      if (memberToRemove?.role === PageMemberRole.ADMIN) {
        throw new BadRequestException('Cannot remove the last admin from page');
      }
    }
    await this.pageMemberRepo.removePageMemberById(dto.memberId, dto.pageId);
    // Remove from shared pages if it was tracked
    if (member.userId) {
      await this.sharedPagesRepo.removeSharedPage(member.userId, dto.pageId);
    }
  }
  async updatePageMemberRole(
    dto: UpdatePageMemberRoleDto,
    workspaceId: string,
  ): Promise<void> {
    const member = await this.db
      .selectFrom('pagePermissions')
      .innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
      .select(['pagePermissions.id', 'pagePermissions.role'])
      .where('pagePermissions.id', '=', dto.memberId)
      .where('pagePermissions.pageId', '=', dto.pageId)
      .where('pages.workspaceId', '=', workspaceId)
      .executeTakeFirst();
    if (!member) {
      throw new NotFoundException('Page member not found');
    }
    if (
      member.role === PageMemberRole.ADMIN &&
      dto.role !== PageMemberRole.ADMIN
    ) {
      const adminCount = await this.pageMemberRepo.roleCountByPageId(
        PageMemberRole.ADMIN,
        dto.pageId,
      );
      if (adminCount === 1) {
        throw new BadRequestException('Cannot change role of the last admin');
      }
    }
    await this.pageMemberRepo.updatePageMember(
      { role: dto.role },
      dto.memberId,
      dto.pageId,
    );
  }
  async updatePagePermission(
    dto: UpdatePagePermissionDto,
  ): Promise<PagePermissionsResponse> {
    const { pageId, userId, groupId, role, cascade } = dto;
    try {
      // Validate inputs
      if (!userId && !groupId) {
        throw new BadRequestException(
          'Either userId or groupId must be provided',
        );
      }
      if (userId && groupId) {
        throw new BadRequestException('Cannot provide both userId and groupId');
      }
      if (!Object.values(PageMemberRole).includes(role as PageMemberRole)) {
        throw new BadRequestException(`Invalid role: ${role}`);
      }
      await executeTx(this.db, async (trx) => {
        // Update the role
        if (userId) {
          await this.pageMemberRepo.upsertPageMember(
            {
              pageId,
              userId,
              role,
            },
            trx,
          );
        } else if (groupId) {
          await this.pageMemberRepo.upsertPageMember(
            {
              pageId,
              groupId,
              role,
            },
            trx,
          );
        }
        // Mark page as having custom permissions
        /* await this.pageRepo.update(
          pageId,
          {
            hasCustomPermissions: true,
            inheritPermissions: false,
          },
          trx,
        );*/
        // Cascade to children if requested
        if (cascade) {
          const descendants = await this.pageRepo.getAllDescendants(
            pageId,
            trx,
          );
          for (const childId of descendants) {
            if (userId) {
              await this.pageMemberRepo.upsertPageMember(
                {
                  pageId: childId,
                  userId,
                  role,
                },
                trx,
              );
            } else if (groupId) {
              await this.pageMemberRepo.upsertPageMember(
                {
                  pageId: childId,
                  groupId,
                  role,
                },
                trx,
              );
            }
          }
        }
      });
      // Return comprehensive permission data
      return this.getPagePermissions(pageId);
    } catch (error) {
      if (error instanceof BadRequestException) {
        throw error;
      }
      throw new BadRequestException(
        'Failed to update page permissions. Please try again.',
      );
    }
  }
  async getPagePermissions(pageId: string): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(pageId, { includeSpace: true });
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const permissions: IPagePermission[] = [];
    // 1. Get direct page members
    const directMembers = await this.pageMemberRepo.getPageMembers(pageId);
    // Batch fetch all users and groups
    const userIds = directMembers.filter((m) => m.userId).map((m) => m.userId);
    const groupIds = directMembers
      .filter((m) => m.groupId)
      .map((m) => m.groupId);
    const [users, groups] = await Promise.all([
      userIds.length > 0
        ? this.db
            .selectFrom('users')
            .selectAll()
            .where('id', 'in', userIds)
            .execute()
        : Promise.resolve([]),
      groupIds.length > 0
        ? this.db
            .selectFrom('groups')
            .selectAll()
            .where('id', 'in', groupIds)
            .execute()
        : Promise.resolve([]),
    ]);
    const userMap = new Map(users.map((u) => [u.id, u] as const));
    const groupMap = new Map(groups.map((g) => [g.id, g] as const));
    // Build permissions with batch-fetched data
    for (const member of directMembers) {
      let memberData: any = null;
      if (member.userId) {
        const user = userMap.get(member.userId);
        if (user) {
          memberData = {
            id: user.id,
            type: 'user' as const,
            email: user.email,
            displayName: user.name,
            avatarUrl: user.avatarUrl,
            workspaceRole: user.role,
          };
        }
      } else if (member.groupId) {
        const group = groupMap.get(member.groupId);
        if (group) {
          memberData = {
            id: group.id,
            type: 'group' as const,
            name: group.name,
            memberCount: await this.db
              .selectFrom('groupUsers')
              .select((eb) => eb.fn.count('userId').as('count'))
              .where('groupId', '=', group.id)
              .executeTakeFirst()
              .then((result) => Number(result?.count || 0)),
          };
        }
      }
      if (memberData) {
        permissions.push({
          id: member.id,
          cascade: true, // Page permissions cascade by default
          member: memberData,
          membershipRole: {
            id: member.id,
            level: member.role,
            source: 'direct',
          },
          grantedBy: {
            id: pageId,
            type: 'page',
            title: page.title,
          },
        });
      }
    }
    // 2. Get inherited space members (if page inherits)
    if (page) {
      //if (page.inheritPermissions || !page.hasCustomPermissions) {
      const spaceMembers = await this.spaceMemberRepo.getSpaceMembersPaginated(
        page.spaceId,
        { page: 1, limit: 100 },
      );
      for (const spaceMember of spaceMembers.items as any[]) {
        // Skip if user has direct page permission
        const hasDirect = directMembers.some(
          (dm) =>
            (dm.userId === spaceMember.id && spaceMember.type === 'user') ||
            (dm.groupId === spaceMember.id && spaceMember.type === 'group'),
        );
        if (!hasDirect) {
          permissions.push({
            id: `space-${spaceMember.id}`,
            cascade: false, // Space permissions don't cascade to page children
            member: {
              id: spaceMember.id,
              type: spaceMember.type as 'user' | 'group',
              email: spaceMember.email,
              displayName: spaceMember.name,
              avatarUrl: spaceMember.avatarUrl,
              name: spaceMember.name,
              memberCount: Number(spaceMember.memberCount || 0),
            },
            membershipRole: {
              id: `space-role-${spaceMember.id}`,
              level: spaceMember.role,
              source: 'inherited',
            },
            grantedBy: {
              id: page.spaceId,
              type: 'space',
              name: (page as any).space?.name,
            },
          });
        }
      }
    }
    return {
      page: {
        id: page.id,
        title: page.title,
        hasCustomPermissions: true,
        inheritPermissions: false,
        permissions,
      },
    };
  }
  private async checkParentAccess(
    userId: string,
    parentPageId: string | null,
  ): Promise<boolean> {
    if (!parentPageId) return true; // Root pages always accessible
    const parentAccess = await this.pageMemberRepo.resolveUserPageAccess(
      userId,
      parentPageId,
    );
    return parentAccess !== null && parentAccess !== PageMemberRole.NONE;
  }
  private async cascadeToChildren(
    pageId: string,
    membersToAdd: any[],
  ): Promise<void> {
    const descendants = await this.pageRepo.getAllDescendants(pageId);
    if (descendants.length === 0) return;
    // Separate user and group members for proper conflict handling
    const userMembers = membersToAdd.filter((m) => m.userId);
    const groupMembers = membersToAdd.filter((m) => m.groupId);
    for (const childId of descendants) {
      // Handle user members with proper conflict resolution
      if (userMembers.length > 0) {
        const childUserMembers = userMembers.map((m) => ({
          ...m,
          pageId: childId,
        }));
        await this.db
          .insertInto('pagePermissions')
          .values(childUserMembers)
          .onConflict((oc) =>
            oc.columns(['pageId', 'userId']).doUpdateSet({
              role: (eb) => eb.ref('excluded.role'),
              updatedAt: new Date(),
            }),
          )
          .execute();
      }
      // Handle group members separately
      if (groupMembers.length > 0) {
        const childGroupMembers = groupMembers.map((m) => ({
          ...m,
          pageId: childId,
        }));
        await this.db
          .insertInto('pagePermissions')
          .values(childGroupMembers)
          .onConflict((oc) =>
            oc.columns(['pageId', 'groupId']).doUpdateSet({
              role: (eb) => eb.ref('excluded.role'),
              updatedAt: new Date(),
            }),
          )
          .execute();
      }
    }
  }
 }
@@ -1,438 +0,0 @@
 import {
  BadRequestException,
  ForbiddenException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB } from '@docmost/db/types/kysely.types';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import {
  AddPagePermissionDto,
  RemovePagePermissionDto,
  UpdatePagePermissionRoleDto,
 } from '../dto/page-permission.dto';
 import { Page, User } from '@docmost/db/types/entity.types';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import {
  PageAccessLevel,
  PagePermissionRole,
 } from '../../../common/helpers/types/permission';
 import { executeTx } from '@docmost/db/utils';
 import SpaceAbilityFactory from '../../casl/abilities/space-ability.factory';
 import {
  SpaceCaslAction,
  SpaceCaslSubject,
 } from '../../casl/interfaces/space-ability.type';
@Injectable()
 export class PagePermissionService {
  constructor(
    private pagePermissionRepo: PagePermissionRepo,
    private pageRepo: PageRepo,
    private spaceAbility: SpaceAbilityFactory,
    @InjectKysely() private readonly db: KyselyDB,
  ) {}
  async restrictPage(
    pageId: string,
    authUser: User,
    workspaceId: string,
  ): Promise<void> {
    const page = await this.pageRepo.findById(pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(authUser, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    // TODO: does this check if any of the page's ancestor's is restricted and the user don't have access to it?
    // to have access to this page, they must already have access to the page if any of it's ancestor's is restricted
    const existingAccess =
      await this.pagePermissionRepo.findPageAccessByPageId(pageId);
    if (existingAccess) {
      throw new BadRequestException('Page is already restricted');
    }
    await executeTx(this.db, async (trx) => {
      const pageAccess = await this.pagePermissionRepo.insertPageAccess(
        {
          pageId: pageId,
          workspaceId: workspaceId,
          accessLevel: PageAccessLevel.RESTRICTED,
          creatorId: authUser.id,
        },
        trx,
      );
      await this.pagePermissionRepo.insertPagePermissions(
        [
          {
            pageAccessId: pageAccess.id,
            userId: authUser.id,
            role: PagePermissionRole.WRITER,
            addedById: authUser.id,
          },
        ],
        trx,
      );
    });
  }
  async addPagePermissions(
    dto: AddPagePermissionDto,
    authUser: User,
    workspaceId: string,
  ): Promise<void> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    await this.validateWriteAccess(page, authUser);
    const pageAccess = await this.pagePermissionRepo.findPageAccessByPageId(
      dto.pageId,
    );
    if (!pageAccess) {
      throw new BadRequestException(
        'Page is not restricted. Restrict the page first.',
      );
    }
    let validUsers = [];
    let validGroups = [];
    if (dto.userIds && dto.userIds.length > 0) {
      validUsers = await this.db
        .selectFrom('users')
        .select(['id'])
        .where('id', 'in', dto.userIds)
        .where('workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.userId', '=', 'users.id')
                .where('pagePermissions.pageAccessId', '=', pageAccess.id),
            ),
          ),
        )
        .execute();
    }
    if (dto.groupIds && dto.groupIds.length > 0) {
      validGroups = await this.db
        .selectFrom('groups')
        .select(['id'])
        .where('id', 'in', dto.groupIds)
        .where('workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.groupId', '=', 'groups.id')
                .where('pagePermissions.pageAccessId', '=', pageAccess.id),
            ),
          ),
        )
        .execute();
    }
    const permissionsToAdd = [];
    for (const user of validUsers) {
      permissionsToAdd.push({
        pageAccessId: pageAccess.id,
        userId: user.id,
        role: dto.role,
        addedById: authUser.id,
      });
    }
    for (const group of validGroups) {
      permissionsToAdd.push({
        pageAccessId: pageAccess.id,
        groupId: group.id,
        role: dto.role,
        addedById: authUser.id,
      });
    }
    if (permissionsToAdd.length > 0) {
      await this.pagePermissionRepo.insertPagePermissions(permissionsToAdd);
    }
  }
  async removePagePermission(
    dto: RemovePagePermissionDto,
    authUser: User,
  ): Promise<void> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    await this.validateWriteAccess(page, authUser);
    const pageAccess = await this.pagePermissionRepo.findPageAccessByPageId(
      dto.pageId,
    );
    if (!pageAccess) {
      throw new BadRequestException('Page is not restricted');
    }
    if (!dto.userId && !dto.groupId) {
      throw new BadRequestException('Please provide a userId or groupId');
    }
    if (dto.userId) {
      const permission = await this.pagePermissionRepo.findPagePermissionByUserId(
        pageAccess.id,
        dto.userId,
      );
      if (!permission) {
        throw new NotFoundException('Permission not found');
      }
      if (permission.role === PagePermissionRole.WRITER) {
        await this.validateLastWriter(pageAccess.id);
      }
      await this.pagePermissionRepo.deletePagePermissionByUserId(
        pageAccess.id,
        dto.userId,
      );
    } else if (dto.groupId) {
      const permission =
        await this.pagePermissionRepo.findPagePermissionByGroupId(
          pageAccess.id,
          dto.groupId,
        );
      if (!permission) {
        throw new NotFoundException('Permission not found');
      }
      if (permission.role === PagePermissionRole.WRITER) {
        await this.validateLastWriter(pageAccess.id);
      }
      await this.pagePermissionRepo.deletePagePermissionByGroupId(
        pageAccess.id,
        dto.groupId,
      );
    }
  }
  async updatePagePermissionRole(
    dto: UpdatePagePermissionRoleDto,
    authUser: User,
  ): Promise<void> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    await this.validateWriteAccess(page, authUser);
    const pageAccess = await this.pagePermissionRepo.findPageAccessByPageId(
      dto.pageId,
    );
    if (!pageAccess) {
      throw new BadRequestException('Page is not restricted');
    }
    if (!dto.userId && !dto.groupId) {
      throw new BadRequestException('Please provide a userId or groupId');
    }
    if (dto.userId) {
      const permission =
        await this.pagePermissionRepo.findPagePermissionByUserId(
          pageAccess.id,
          dto.userId,
        );
      if (!permission) {
        throw new NotFoundException('Permission not found');
      }
      if (permission.role === dto.role) {
        return;
      }
      if (permission.role === PagePermissionRole.WRITER) {
        await this.validateLastWriter(pageAccess.id);
      }
      await this.pagePermissionRepo.updatePagePermissionRole(
        pageAccess.id,
        dto.role,
        { userId: dto.userId },
      );
    } else if (dto.groupId) {
      const permission =
        await this.pagePermissionRepo.findPagePermissionByGroupId(
          pageAccess.id,
          dto.groupId,
        );
      if (!permission) {
        throw new NotFoundException('Permission not found');
      }
      if (permission.role === dto.role) {
        return;
      }
      if (permission.role === PagePermissionRole.WRITER) {
        await this.validateLastWriter(pageAccess.id);
      }
      await this.pagePermissionRepo.updatePagePermissionRole(
        pageAccess.id,
        dto.role,
        { groupId: dto.groupId },
      );
    }
  }
  async removePageRestriction(pageId: string, authUser: User): Promise<void> {
    const page = await this.pageRepo.findById(pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    await this.validateWriteAccess(page, authUser);
    const pageAccess =
      await this.pagePermissionRepo.findPageAccessByPageId(pageId);
    if (!pageAccess) {
      throw new BadRequestException('Page is not restricted');
    }
    await this.pagePermissionRepo.deletePageAccess(pageId);
  }
  async getPagePermissions(
    pageId: string,
    authUser: User,
    pagination: PaginationOptions,
  ) {
    const page = await this.pageRepo.findById(pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(authUser, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const pageAccess =
      await this.pagePermissionRepo.findPageAccessByPageId(pageId);
    if (!pageAccess) {
      return {
        items: [],
        pagination: {
          page: 1,
          perPage: pagination.limit,
          totalItems: 0,
          totalPages: 0,
          hasNextPage: false,
          hasPrevPage: false,
        },
      };
    }
    return this.pagePermissionRepo.getPagePermissionsPaginated(
      pageAccess.id,
      pagination,
    );
  }
  async validateLastWriter(pageAccessId: string): Promise<void> {
    const writerCount =
      await this.pagePermissionRepo.countWritersByPageAccessId(pageAccessId);
    if (writerCount <= 1) {
      throw new BadRequestException(
        'There must be at least one user with "Can edit" permission',
      );
    }
  }
  /**
   * Check if user has writer permission on ALL restricted ancestors of a page.
   * Used for permission management operations.
   */
  async hasWritePermission(userId: string, pageId: string): Promise<boolean> {
    const hasRestriction =
      await this.pagePermissionRepo.hasRestrictedAncestor(pageId);
    if (!hasRestriction) {
      return false; // no restrictions, defer to space permissions
    }
    return this.pagePermissionRepo.canUserEditPage(userId, pageId);
  }
  async hasPageAccess(pageId: string): Promise<boolean> {
    const pageAccess =
      await this.pagePermissionRepo.findPageAccessByPageId(pageId);
    return !!pageAccess;
  }
  async validateWriteAccess(page: Page, user: User): Promise<void> {
    const hasWritePermission = await this.hasWritePermission(user.id, page.id);
    if (hasWritePermission) {
      return;
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
  }
  /**
   * Check if user can view a page.
   * User must have permission (reader or writer) on EVERY restricted ancestor.
   * Returns true if:
   * - No ancestors are restricted (defer to space permission)
   * - User has permission on all restricted ancestors
   */
  async canViewPage(userId: string, pageId: string): Promise<boolean> {
    return this.pagePermissionRepo.canUserAccessPage(userId, pageId);
  }
  /**
   * Check if user can edit a page.
   * User must have WRITER permission on EVERY restricted ancestor.
   * Returns true if:
   * - No ancestors are restricted (defer to space permission)
   * - User has writer permission on all restricted ancestors
   */
  async canEditPage(userId: string, pageId: string): Promise<boolean> {
    return this.pagePermissionRepo.canUserEditPage(userId, pageId);
  }
  /**
   * Filter page IDs to only those the user can access.
   */
  async filterAccessiblePages(
    pageIds: string[],
    userId: string,
  ): Promise<string[]> {
    const results =
      await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
        pageIds,
        userId,
      );
    return results.map((r) => r.id);
  }
 }
@@ -7,7 +7,6 @@ import {
 import { CreatePageDto } from '../dto/create-page.dto';
 import { UpdatePageDto } from '../dto/update-page.dto';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { InsertablePage, Page, User } from '@docmost/db/types/entity.types';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import {
@@ -48,7 +47,6 @@ export class PageService {
  constructor(
    private pageRepo: PageRepo,
    private pagePermissionRepo: PagePermissionRepo,
    private attachmentRepo: AttachmentRepo,
    @InjectKysely() private readonly db: KyselyDB,
    private readonly storageService: StorageService,
@@ -57,61 +55,6 @@ export class PageService {
    private eventEmitter: EventEmitter2,
  ) {}
  /**
   * Filters a list of pages to only those accessible to the user while maintaining tree integrity.
   * A page is included only if:
   * 1. The user has access to it
   * 2. Its parent is also included (or it's the root page)
   * This ensures that if a middle page is inaccessible, its entire subtree is excluded.
   */
  private async filterAccessibleTreePages<T extends { id: string; parentPageId: string | null }>(
    pages: T[],
    rootPageId: string,
    userId: string,
  ): Promise<T[]> {
    if (pages.length === 0) return [];
    const pageIds = pages.map((p) => p.id);
    const accessiblePages =
      await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
        pageIds,
        userId,
      );
    const accessibleSet = new Set(accessiblePages.map((p) => p.id));
    // Build a map for quick lookup
    const pageMap = new Map(pages.map((p) => [p.id, p]));
    // Prune: include a page only if it's accessible AND its parent chain to root is included
    const includedIds = new Set<string>();
    // Process pages in a way that ensures parents are processed before children
    // We do this by iterating until no more pages can be added
    let changed = true;
    while (changed) {
      changed = false;
      for (const page of pages) {
        if (includedIds.has(page.id)) continue;
        if (!accessibleSet.has(page.id)) continue;
        // Root page: include if accessible
        if (page.id === rootPageId) {
          includedIds.add(page.id);
          changed = true;
          continue;
        }
        // Non-root: include if parent is already included
        if (page.parentPageId && includedIds.has(page.parentPageId)) {
          includedIds.add(page.id);
          changed = true;
        }
      }
    }
    return pages.filter((p) => includedIds.has(p.id));
  }
  async findById(
    pageId: string,
    includeContent?: boolean,
@@ -224,7 +167,7 @@ export class PageService {
      page.id,
    );
-    return this.pageRepo.findById(page.id, {
+    return await this.pageRepo.findById(page.id, {
      includeSpace: true,
      includeContent: true,
      includeCreator: true,
@@ -237,7 +180,6 @@ export class PageService {
    spaceId: string,
    pagination: PaginationOptions,
    pageId?: string,
    userId?: string,
  ): Promise<any> {
    let query = this.db
      .selectFrom('pages')
@@ -263,83 +205,16 @@ export class PageService {
      query = query.where('parentPageId', 'is', null);
    }
-    const result = await executeWithPagination(query, {
+    const result = executeWithPagination(query, {
      page: pagination.page,
      perPage: 250,
    });
    if (userId && result.items.length > 0) {
      const pageIds = result.items.map((p: any) => p.id);
      // Single query to get accessible pages with their edit permissions
      const accessiblePages =
        await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
          pageIds,
          userId,
        );
      const permissionMap = new Map(
        accessiblePages.map((p) => [p.id, p.canEdit]),
      );
      // Filter and add canEdit flag in one pass
      result.items = result.items
        .filter((p: any) => permissionMap.has(p.id))
        .map((p: any) => ({
          ...p,
          canEdit: permissionMap.get(p.id),
        }));
      // For pages with hasChildren: true, verify they have accessible children
      const pagesWithChildren = result.items.filter((p: any) => p.hasChildren);
      if (pagesWithChildren.length > 0) {
        const parentIds = pagesWithChildren.map((p: any) => p.id);
        const parentsWithAccessibleChildren =
          await this.pagePermissionRepo.getParentIdsWithAccessibleChildren(
            parentIds,
            userId,
          );
        const hasAccessibleChildrenSet = new Set(parentsWithAccessibleChildren);
        result.items = result.items.map((p: any) => ({
          ...p,
          hasChildren: p.hasChildren && hasAccessibleChildrenSet.has(p.id),
        }));
      }
    }
    return result;
  }
-  async movePageToSpace(rootPage: Page, spaceId: string, userId: string) {
+  async movePageToSpace(rootPage: Page, spaceId: string) {
    const allPages = await this.pageRepo.getPageAndDescendants(rootPage.id, {
      includeContent: false,
    });
    // Filter to only accessible pages while maintaining tree integrity
    const accessiblePages = await this.filterAccessibleTreePages(
      allPages,
      rootPage.id,
      userId,
    );
    const accessibleIds = new Set(accessiblePages.map((p) => p.id));
    // Find inaccessible pages whose parent is being moved - these need to be orphaned
    const pagesToOrphan = allPages.filter(
      (p) => !accessibleIds.has(p.id) && p.parentPageId && accessibleIds.has(p.parentPageId),
    );
    await executeTx(this.db, async (trx) => {
      // Orphan inaccessible child pages (make them root pages in original space)
      for (const page of pagesToOrphan) {
        const orphanPosition = await this.nextPagePosition(rootPage.spaceId, null);
        await this.pageRepo.updatePage(
          { parentPageId: null, position: orphanPosition },
          page.id,
          trx,
        );
      }
      // Update root page
      const nextPosition = await this.nextPagePosition(spaceId);
      await this.pageRepo.updatePage(
@@ -347,50 +222,44 @@ export class PageService {
        rootPage.id,
        trx,
      );
-
+      const pageIds = await this.pageRepo
-      const pageIdsToMove = accessiblePages.map((p) => p.id);
+        .getPageAndDescendants(rootPage.id, { includeContent: false })
-
+        .then((pages) => pages.map((page) => page.id));
-      if (pageIdsToMove.length > 1) {
+      // The first id is the root page id
-        // Update sub pages (all accessible pages except root)
+      if (pageIds.length > 1) {
        // Update sub pages
        await this.pageRepo.updatePages(
          { spaceId },
-          pageIdsToMove.filter((id) => id !== rootPage.id),
+          pageIds.filter((id) => id !== rootPage.id),
          trx,
        );
      }
-      if (pageIdsToMove.length > 0) {
+      if (pageIds.length > 0) {
        // Clear page-level permissions - moved pages inherit destination space permissions
        // (page_permissions cascade deletes via foreign key)
        await trx
          .deleteFrom('pageAccess')
          .where('pageId', 'in', pageIdsToMove)
          .execute();
        // update spaceId in shares
        await trx
          .updateTable('shares')
          .set({ spaceId: spaceId })
-          .where('pageId', 'in', pageIdsToMove)
+          .where('pageId', 'in', pageIds)
          .execute();
        // Update comments
        await trx
          .updateTable('comments')
          .set({ spaceId: spaceId })
-          .where('pageId', 'in', pageIdsToMove)
+          .where('pageId', 'in', pageIds)
          .execute();
        // Update attachments
        await this.attachmentRepo.updateAttachmentsByPageId(
          { spaceId },
-          pageIdsToMove,
+          pageIds,
          trx,
        );
        await this.aiQueue.add(QueueJob.PAGE_MOVED_TO_SPACE, {
-          pageId: pageIdsToMove,
+          pageId: pageIds,
-          workspaceId: rootPage.workspaceId,
+          workspaceId: rootPage.workspaceId
        });
      }
    });
@@ -415,17 +284,10 @@ export class PageService {
      nextPosition = await this.nextPagePosition(spaceId);
    }
-    const allPages = await this.pageRepo.getPageAndDescendants(rootPage.id, {
+    const pages = await this.pageRepo.getPageAndDescendants(rootPage.id, {
      includeContent: true,
    });
    // Filter to only accessible pages while maintaining tree integrity
    const pages = await this.filterAccessibleTreePages(
      allPages,
      rootPage.id,
      authUser.id,
    );
    const pageMap = new Map<string, CopyPageMapEntry>();
    pages.forEach((page) => {
      pageMap.set(page.id, {
@@ -525,14 +387,9 @@ export class PageService {
          workspaceId: page.workspaceId,
          creatorId: authUser.id,
          lastUpdatedById: authUser.id,
-          parentPageId:
+          parentPageId: page.id === rootPage.id
-            page.id === rootPage.id
+            ? (isDuplicateInSameSpace ? rootPage.parentPageId : null)
-              ? isDuplicateInSameSpace
+            : (page.parentPageId ? pageMap.get(page.parentPageId)?.newPageId : null),
                ? rootPage.parentPageId
                : null
              : page.parentPageId
                ? pageMap.get(page.parentPageId)?.newPageId
                : null,
        };
      }),
    );
@@ -711,43 +568,16 @@ export class PageService {
  async getRecentSpacePages(
    spaceId: string,
    userId: string,
    pagination: PaginationOptions,
  ): Promise<PaginationResult<Page>> {
-    const result = await this.pageRepo.getRecentPagesInSpace(spaceId, pagination);
+    return await this.pageRepo.getRecentPagesInSpace(spaceId, pagination);
    if (result.items.length > 0) {
      const pageIds = result.items.map((p) => p.id);
      const accessiblePages =
        await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
          pageIds,
          userId,
        );
      const accessibleSet = new Set(accessiblePages.map((p) => p.id));
      result.items = result.items.filter((p) => accessibleSet.has(p.id));
    }
    return result;
  }
  async getRecentPages(
    userId: string,
    pagination: PaginationOptions,
  ): Promise<PaginationResult<Page>> {
-    const result = await this.pageRepo.getRecentPages(userId, pagination);
+    return await this.pageRepo.getRecentPages(userId, pagination);
    if (result.items.length > 0) {
      const pageIds = result.items.map((p) => p.id);
      const accessiblePages =
        await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
          pageIds,
          userId,
        );
      const accessibleSet = new Set(accessiblePages.map((p) => p.id));
      result.items = result.items.filter((p) => accessibleSet.has(p.id));
    }
    return result;
  }
  async getDeletedSpacePages(
@@ -7,7 +7,6 @@ import { sql } from 'kysely';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const tsquery = require('pg-tsquery')();
@@ -19,7 +18,6 @@ export class SearchService {
    private pageRepo: PageRepo,
    private shareRepo: ShareRepo,
    private spaceMemberRepo: SpaceMemberRepo,
    private pagePermissionRepo: PagePermissionRepo,
  ) {}
  async searchPage(
@@ -120,22 +118,10 @@ export class SearchService {
    }
    //@ts-ignore
-    let results: any[] = await queryResults.execute();
+    queryResults = await queryResults.execute();
    // Filter results by page-level permissions (if user is authenticated)
    if (opts.userId && results.length > 0) {
      const pageIds = results.map((r: any) => r.id);
      const accessiblePages =
        await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
          pageIds,
          opts.userId,
        );
      const accessibleSet = new Set(accessiblePages.map((p) => p.id));
      results = results.filter((r: any) => accessibleSet.has(r.id));
    }
    //@ts-ignore
-    const searchResults = results.map((result: SearchResponseDto) => {
+    const searchResults = queryResults.map((result: SearchResponseDto) => {
      if (result.highlight) {
        result.highlight = result.highlight
          .replace(/\r\n|\r|\n/g, ' ')
@@ -224,18 +210,6 @@ export class SearchService {
        pageSearch = pageSearch.where('spaceId', 'in', userSpaceIds);
        pages = await pageSearch.execute();
      }
      // Filter by page-level permissions
      if (pages.length > 0) {
        const pageIds = pages.map((p) => p.id);
        const accessiblePages =
          await this.pagePermissionRepo.filterAccessiblePageIdsWithPermissions(
            pageIds,
            userId,
          );
        const accessibleSet = new Set(accessiblePages.map((p) => p.id));
        pages = pages.filter((p) => accessibleSet.has(p.id));
      }
    }
    return { users, groups, pages };
@@ -26,8 +26,6 @@ import {
  UpdateShareDto,
 } from './dto/share.dto';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { PageAccessService } from '../page-access/page-access.service';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { Public } from '../../common/decorators/public.decorator';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
@@ -43,8 +41,6 @@ export class ShareController {
    private readonly spaceAbility: SpaceAbilityFactory,
    private readonly shareRepo: ShareRepo,
    private readonly pageRepo: PageRepo,
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly pageAccessService: PageAccessService,
    private readonly environmentService: EnvironmentService,
  ) {}
@@ -100,7 +96,6 @@ export class ShareController {
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    // TODO: look into permission
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Shared page not found');
@@ -127,21 +122,9 @@ export class ShareController {
      throw new NotFoundException('Page not found');
    }
-    // User must be able to edit the page to create a share
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
-    await this.pageAccessService.validateCanEdit(page, user);
+    if (ability.cannot(SpaceCaslAction.Create, SpaceCaslSubject.Share)) {
-
+      throw new ForbiddenException();
    // Block includeSubPages if user cannot access all descendants
    if (createShareDto.includeSubPages) {
      const hasInaccessible =
        await this.pagePermissionRepo.hasInaccessibleDescendants(
          page.id,
          user.id,
        );
      if (hasInaccessible) {
        throw new BadRequestException(
          'Cannot share subpages: restricted pages found',
        );
      }
    }
    return this.shareService.createShare({
@@ -161,26 +144,9 @@ export class ShareController {
      throw new NotFoundException('Share not found');
    }
-    const page = await this.pageRepo.findById(share.pageId);
+    const ability = await this.spaceAbility.createForUser(user, share.spaceId);
-    if (!page) {
+    if (ability.cannot(SpaceCaslAction.Edit, SpaceCaslSubject.Share)) {
-      throw new NotFoundException('Page not found');
+      throw new ForbiddenException();
    }
    // User must be able to edit the page to update its share
    await this.pageAccessService.validateCanEdit(page, user);
    // Block includeSubPages if user cannot access all descendants
    if (updateShareDto.includeSubPages) {
      const hasInaccessible =
        await this.pagePermissionRepo.hasInaccessibleDescendants(
          page.id,
          user.id,
        );
      if (hasInaccessible) {
        throw new BadRequestException(
          'Cannot share subpages: restricted pages found',
        );
      }
    }
    return this.shareService.updateShare(share.id, updateShareDto);
@@ -195,14 +161,11 @@ export class ShareController {
      throw new NotFoundException('Share not found');
    }
-    const page = await this.pageRepo.findById(share.pageId);
+    const ability = await this.spaceAbility.createForUser(user, share.spaceId);
-    if (!page) {
+    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Share)) {
-      throw new NotFoundException('Page not found');
+      throw new ForbiddenException();
    }
    // User must be able to edit the page to delete its share
    await this.pageAccessService.validateCanEdit(page, user);
    await this.shareRepo.deleteShare(share.id);
  }
@@ -19,7 +19,6 @@ import {
 } from '../../common/helpers/prosemirror/utils';
 import { Node } from '@tiptap/pm/model';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { updateAttachmentAttr } from './share.util';
 import { Page } from '@docmost/db/types/entity.types';
 import { validate as isValidUUID } from 'uuid';
@@ -32,7 +31,6 @@ export class ShareService {
  constructor(
    private readonly shareRepo: ShareRepo,
    private readonly pageRepo: PageRepo,
    private readonly pagePermissionRepo: PagePermissionRepo,
    @InjectKysely() private readonly db: KyselyDB,
    private readonly tokenService: TokenService,
  ) {}
@@ -44,114 +42,16 @@ export class ShareService {
    }
    if (share.includeSubPages) {
-      const allPages = await this.pageRepo.getPageAndDescendants(share.pageId, {
+      const pageList = await this.pageRepo.getPageAndDescendants(share.pageId, {
        includeContent: false,
      });
-      // Filter out restricted pages and maintain tree integrity
+      return { share, pageTree: pageList };
      const filteredPages = await this.filterPublicPages(allPages, share.pageId);
      return { share, pageTree: filteredPages };
    } else {
      return { share, pageTree: [] };
    }
  }
  /**
   * Filter pages for public share - exclude restricted pages.
   * A page is included only if:
   * 1. It has no page_access restriction AND
   * 2. Its parent is also included (or it's the root)
   */
  private async filterPublicPages<
    T extends { id: string; parentPageId: string | null },
  >(pages: T[], rootPageId: string): Promise<T[]> {
    if (pages.length === 0) return [];
    // Get all restricted page IDs
    const restrictedIds =
      await this.pagePermissionRepo.getRestrictedDescendantIds(rootPageId);
    const restrictedSet = new Set(restrictedIds);
    // Include pages that are NOT restricted and have valid parent chain
    const includedIds = new Set<string>();
    let changed = true;
    while (changed) {
      changed = false;
      for (const page of pages) {
        if (includedIds.has(page.id)) continue;
        if (restrictedSet.has(page.id)) continue;
        // Root page: include if not restricted
        if (page.id === rootPageId) {
          includedIds.add(page.id);
          changed = true;
          continue;
        }
        // Non-root: include if parent is included
        if (page.parentPageId && includedIds.has(page.parentPageId)) {
          includedIds.add(page.id);
          changed = true;
        }
      }
    }
    return pages.filter((p) => includedIds.has(p.id));
  }
  /**
   * Check if a specific page is accessible within a public share.
   * A page is accessible if no page in its ancestor chain
   * (from the page up to and including the share root) has a page_access restriction.
   */
  private async isPagePubliclyAccessible(
    pageId: string,
    shareRootPageId: string,
  ): Promise<boolean> {
    if (pageId === shareRootPageId) {
      const hasRestriction = await this.db
        .selectFrom('pageAccess')
        .select('id')
        .where('pageId', '=', pageId)
        .executeTakeFirst();
      return !hasRestriction;
    }
    // Get the depth from share root to the requested page
    const shareToPage = await this.db
      .selectFrom('pageHierarchy')
      .select('depth')
      .where('ancestorId', '=', shareRootPageId)
      .where('descendantId', '=', pageId)
      .executeTakeFirst();
    if (!shareToPage) {
      return false;
    }
    // Get all ancestor IDs in the chain from pageId to shareRootPageId
    const chainPageIds = await this.db
      .selectFrom('pageHierarchy')
      .select('ancestorId')
      .where('descendantId', '=', pageId)
      .where('depth', '<=', shareToPage.depth)
      .where('depth', '>', 0)
      .execute();
    const idsToCheck = [pageId, ...chainPageIds.map((c) => c.ancestorId)];
    // Check if any page in the chain has a restriction
    const hasRestricted = await this.db
      .selectFrom('pageAccess')
      .select('pageId')
      .where('pageId', 'in', idsToCheck)
      .executeTakeFirst();
    return !hasRestricted;
  }
  async createShare(opts: {
    authUserId: string;
    workspaceId: string;
@@ -203,17 +103,6 @@ export class ShareService {
      throw new NotFoundException('Shared page not found');
    }
    // For descendant pages, verify the ancestor chain has no restrictions
    if (share.level > 0) {
      const isAccessible = await this.isPagePubliclyAccessible(
        dto.pageId,
        share.pageId,
      );
      if (!isAccessible) {
        throw new NotFoundException('Shared page not found');
      }
    }
    const page = await this.pageRepo.findById(dto.pageId, {
      includeContent: true,
      includeCreator: true,
@@ -5,7 +5,7 @@ import {
  MaxLength,
  MinLength,
 } from 'class-validator';
-import {Transform, TransformFnParams} from "class-transformer";
+import { Transform, TransformFnParams } from 'class-transformer';
 export class CreateSpaceDto {
  @MinLength(2)
@@ -70,7 +70,9 @@ export class UserService {
      );
      if (!isPasswordMatch) {
-        throw new BadRequestException('You must provide the correct password to change your email');
+        throw new BadRequestException(
          'You must provide the correct password to change your email',
        );
      }
      if (await this.userRepo.findByEmail(updateUserDto.email, workspace.id)) {
@@ -16,7 +16,6 @@ import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import { SpaceRepo } from '@docmost/db/repos/space/space.repo';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
 import { PageRepo } from './repos/page/page.repo';
 import { PagePermissionRepo } from './repos/page/page-permission.repo';
 import { CommentRepo } from './repos/comment/comment.repo';
 import { PageHistoryRepo } from './repos/page/page-history.repo';
 import { AttachmentRepo } from './repos/attachment/attachment.repo';
@@ -27,6 +26,7 @@ import { UserTokenRepo } from './repos/user-token/user-token.repo';
 import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { PageListener } from '@docmost/db/listeners/page.listener';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission-repo.service';
 // https://github.com/brianc/node-postgres/issues/811
 types.setTypeParser(types.builtins.INT8, (val) => Number(val));
@@ -72,7 +72,6 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
    SpaceRepo,
    SpaceMemberRepo,
    PageRepo,
    PagePermissionRepo,
    PageHistoryRepo,
    CommentRepo,
    AttachmentRepo,
@@ -80,6 +79,7 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
    BacklinkRepo,
    ShareRepo,
    PageListener,
    PagePermissionRepo,
  ],
  exports: [
    WorkspaceRepo,
@@ -89,13 +89,13 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
    SpaceRepo,
    SpaceMemberRepo,
    PageRepo,
    PagePermissionRepo,
    PageHistoryRepo,
    CommentRepo,
    AttachmentRepo,
    UserTokenRepo,
    BacklinkRepo,
    ShareRepo,
    PagePermissionRepo,
  ],
 })
 export class DatabaseModule
@@ -3,7 +3,7 @@ import { type Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .alterTable('pages')
-    .addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo("{}"))
+    .addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo('{}'))
    .execute();
 }
@@ -0,0 +1,102 @@
 import { Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .createTable('page_permissions')
    .addColumn('id', 'uuid', (col) =>
      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
    )
    .addColumn('user_id', 'uuid', (col) =>
      col.references('users.id').onDelete('cascade'),
    )
    .addColumn('group_id', 'uuid', (col) =>
      col.references('groups.id').onDelete('cascade'),
    )
    .addColumn('page_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('role', 'varchar', (col) => col.notNull())
    .addColumn('cascade', 'boolean', (col) => col.defaultTo(true).notNull()) // children can inherit
    .addColumn('added_by_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .addColumn('created_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('updated_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('deleted_at', 'timestamptz')
    .addUniqueConstraint('unique_page_user', ['page_id', 'user_id'])
    .addUniqueConstraint('unique_page_group', ['page_id', 'group_id'])
    .addCheckConstraint(
      'allow_either_user_id_or_group_id_check',
      sql`(user_id IS NOT NULL AND group_id IS NULL) OR (user_id IS NULL AND group_id IS NOT NULL)`,
    )
    .execute();
  await db.schema
    .alterTable('pages')
    .addColumn('is_restricted', 'boolean', (col) =>
      col.defaultTo(false).notNull(),
    )
    .addColumn('restricted_by_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .execute();
  // Add indexes for performance
  await db.schema
    .createIndex('idx_page_permissions_page_id')
    .on('page_permissions')
    .column('page_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_user_id')
    .on('page_permissions')
    .column('user_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_group_id')
    .on('page_permissions')
    .column('group_id')
    .execute();
  // Create user_shared_pages table for tracking orphaned page access
  await db.schema
    .createTable('user_shared_pages')
    .addColumn('user_id', 'uuid', (col) =>
      col.notNull().references('users.id').onDelete('cascade'),
    )
    .addColumn('page_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('shared_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addPrimaryKeyConstraint('user_shared_pages_pkey', ['user_id', 'page_id'])
    .execute();
  await db.schema
    .createIndex('idx_user_shared_pages_user_id')
    .on('user_shared_pages')
    .column('user_id')
    .execute();
  await db.schema
    .createIndex('idx_user_shared_pages_shared_at')
    .on('user_shared_pages')
    .column('shared_at')
    .execute();
 }
 export async function down(db: Kysely<any>): Promise<void> {
  await db.schema.alterTable('pages').dropColumn('is_restricted').execute();
  await db.schema.alterTable('pages').dropColumn('restricted_by_id').execute();
  await db.schema.dropTable('user_shared_pages').execute();
  await db.schema.dropTable('page_permissions').execute();
 }
@@ -1,200 +0,0 @@
 import { Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .createTable('page_hierarchy')
    .ifNotExists()
    .addColumn('ancestor_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('descendant_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('depth', 'integer', (col) => col.notNull().defaultTo(0))
    .addPrimaryKeyConstraint('page_hierarchy_pkey', [
      'ancestor_id',
      'descendant_id',
    ])
    .execute();
  // indexes
  await db.schema
    .createIndex('idx_page_hierarchy_descendant')
    .ifNotExists()
    .on('page_hierarchy')
    .column('descendant_id')
    .execute();
  await db.schema
    .createIndex('idx_page_hierarchy_ancestor_depth')
    .ifNotExists()
    .on('page_hierarchy')
    .columns(['ancestor_id', 'depth'])
    .execute();
  await db.schema
    .createIndex('idx_page_hierarchy_descendant_depth')
    .ifNotExists()
    .on('page_hierarchy')
    .columns(['descendant_id', 'depth'])
    .execute();
  // rebuild function
  await sql`
    CREATE OR REPLACE FUNCTION rebuild_page_hierarchy()
    RETURNS void
    LANGUAGE plpgsql
    AS $$
    BEGIN
      TRUNCATE page_hierarchy;
      WITH RECURSIVE page_tree AS (
        SELECT id AS ancestor_id, id AS descendant_id, 0 AS depth
        FROM pages WHERE deleted_at IS NULL
        UNION ALL
        SELECT pt.ancestor_id, p.id AS descendant_id, pt.depth + 1
        FROM page_tree pt
        JOIN pages p ON p.parent_page_id = pt.descendant_id
        WHERE p.deleted_at IS NULL
      )
      INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
      SELECT ancestor_id, descendant_id, depth FROM page_tree;
    END;
    $$;
  `.execute(db);
  // Create insert trigger function
  await sql`
    CREATE OR REPLACE FUNCTION page_hierarchy_after_insert()
    RETURNS TRIGGER
    LANGUAGE plpgsql
    AS $$
    BEGIN
      IF NEW.deleted_at IS NOT NULL THEN
        RETURN NEW;
      END IF;
      IF NEW.parent_page_id IS NULL THEN
        INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
        VALUES (NEW.id, NEW.id, 0);
      ELSE
        INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
        SELECT ancestor_id, NEW.id, depth + 1
        FROM page_hierarchy
        WHERE descendant_id = NEW.parent_page_id
        UNION ALL
        SELECT NEW.id, NEW.id, 0;
      END IF;
      RETURN NEW;
    END;
    $$;
  `.execute(db);
  await sql`
    CREATE OR REPLACE TRIGGER page_hierarchy_after_insert_trigger
    AFTER INSERT ON pages
    FOR EACH ROW
    EXECUTE FUNCTION page_hierarchy_after_insert();
  `.execute(db);
  // Create update trigger function
  await sql`
    CREATE OR REPLACE FUNCTION page_hierarchy_after_update()
    RETURNS TRIGGER
    LANGUAGE plpgsql
    AS $$
    DECLARE
      subtree_ids UUID[];
    BEGIN
      -- Only process if parent_page_id or deleted_at changed
      IF OLD.parent_page_id IS NOT DISTINCT FROM NEW.parent_page_id
         AND OLD.deleted_at IS NOT DISTINCT FROM NEW.deleted_at THEN
        RETURN NEW;
      END IF;
      -- Handle soft-delete: remove from closure when deleted_at is set
      IF OLD.deleted_at IS NULL AND NEW.deleted_at IS NOT NULL THEN
        SELECT array_agg(descendant_id) INTO subtree_ids
        FROM page_hierarchy
        WHERE ancestor_id = NEW.id;
        DELETE FROM page_hierarchy
        WHERE descendant_id = ANY(subtree_ids);
        RETURN NEW;
      END IF;
      -- Handle restore: rebuild closure when deleted_at is cleared
      IF OLD.deleted_at IS NOT NULL AND NEW.deleted_at IS NULL THEN
        IF NEW.parent_page_id IS NULL THEN
          INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
          VALUES (NEW.id, NEW.id, 0);
        ELSE
          INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
          SELECT ancestor_id, NEW.id, depth + 1
          FROM page_hierarchy
          WHERE descendant_id = NEW.parent_page_id
          UNION ALL
          SELECT NEW.id, NEW.id, 0;
        END IF;
        RETURN NEW;
      END IF;
      -- Skip if page is soft-deleted
      IF NEW.deleted_at IS NOT NULL THEN
        RETURN NEW;
      END IF;
      -- Move operation: parent changed
      -- Get all descendants of the moved page (including itself)
      SELECT array_agg(descendant_id) INTO subtree_ids
      FROM page_hierarchy
      WHERE ancestor_id = NEW.id;
      -- Delete old ancestor relationships (keep internal subtree links)
      DELETE FROM page_hierarchy
      WHERE descendant_id = ANY(subtree_ids)
        AND NOT (ancestor_id = ANY(subtree_ids));
      -- Insert new ancestor relationships (if new parent exists)
      IF NEW.parent_page_id IS NOT NULL THEN
        INSERT INTO page_hierarchy (ancestor_id, descendant_id, depth)
        SELECT
          new_anc.ancestor_id,
          sub.descendant_id,
          new_anc.depth + sub.depth + 1
        FROM page_hierarchy new_anc
        CROSS JOIN page_hierarchy sub
        WHERE new_anc.descendant_id = NEW.parent_page_id
          AND sub.ancestor_id = NEW.id
          AND sub.descendant_id = ANY(subtree_ids);
      END IF;
      RETURN NEW;
    END;
    $$;
  `.execute(db);
  await sql`
    CREATE OR REPLACE TRIGGER page_hierarchy_after_update_trigger
    AFTER UPDATE ON pages
    FOR EACH ROW
    EXECUTE FUNCTION page_hierarchy_after_update();
  `.execute(db);
  await sql`SELECT rebuild_page_hierarchy()`.execute(db);
 }
 export async function down(db: Kysely<any>): Promise<void> {
  await sql`DROP TRIGGER IF EXISTS page_hierarchy_after_update_trigger ON pages`.execute(
    db,
  );
  await sql`DROP TRIGGER IF EXISTS page_hierarchy_after_insert_trigger ON pages`.execute(
    db,
  );
  await sql`DROP FUNCTION IF EXISTS page_hierarchy_after_update()`.execute(db);
  await sql`DROP FUNCTION IF EXISTS page_hierarchy_after_insert()`.execute(db);
  await sql`DROP FUNCTION IF EXISTS rebuild_page_hierarchy()`.execute(db);
  await db.schema.dropTable('page_hierarchy').ifExists().execute();
 }
@@ -1,93 +0,0 @@
 import { Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .createTable('page_access')
    .addColumn('id', 'uuid', (col) =>
      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
    )
    .addColumn('page_id', 'uuid', (col) =>
      col.notNull().unique().references('pages.id').onDelete('cascade'),
    )
    .addColumn('workspace_id', 'uuid', (col) =>
      col.notNull().references('workspaces.id').onDelete('cascade'),
    )
    .addColumn('access_level', 'varchar', (col) => col.notNull())
    .addColumn('creator_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .addColumn('created_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('updated_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .execute();
  await db.schema
    .createTable('page_permissions')
    .addColumn('id', 'uuid', (col) =>
      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
    )
    .addColumn('page_access_id', 'uuid', (col) =>
      col.notNull().references('page_access.id').onDelete('cascade'),
    )
    .addColumn('user_id', 'uuid', (col) =>
      col.references('users.id').onDelete('cascade'),
    )
    .addColumn('group_id', 'uuid', (col) =>
      col.references('groups.id').onDelete('cascade'),
    )
    .addColumn('role', 'varchar', (col) => col.notNull())
    .addColumn('added_by_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .addColumn('created_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('updated_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addUniqueConstraint('page_access_user_unique', [
      'page_access_id',
      'user_id',
    ])
    .addUniqueConstraint('page_access_group_unique', [
      'page_access_id',
      'group_id',
    ])
    .addCheckConstraint(
      'allow_either_user_id_or_group_id_check',
      sql`((user_id IS NOT NULL AND group_id IS NULL) OR (user_id IS NULL AND group_id IS NOT NULL))`,
    )
    .execute();
  await db.schema
    .createIndex('idx_page_access_workspace')
    .on('page_access')
    .column('workspace_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_page_access')
    .on('page_permissions')
    .column('page_access_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_user')
    .on('page_permissions')
    .column('user_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_group')
    .on('page_permissions')
    .column('group_id')
    .execute();
 }
 export async function down(db: Kysely<any>): Promise<void> {
  await db.schema.dropTable('page_permissions').ifExists().execute();
  await db.schema.dropTable('page_access').ifExists().execute();
 }
@@ -23,9 +23,9 @@ export class PaginationOptions {
  @IsOptional()
  @IsString()
-  query: string;
+  query?: string;
  @IsOptional()
  @IsBoolean()
-  adminView: boolean;
+  adminView?: boolean;
 }
@@ -105,7 +105,10 @@ export class CommentRepo {
    return Number(result?.count) > 0;
  }
-  async hasChildrenFromOtherUsers(commentId: string, userId: string): Promise<boolean> {
+  async hasChildrenFromOtherUsers(
    commentId: string,
    userId: string,
  ): Promise<boolean> {
    const result = await this.db
      .selectFrom('comments')
      .select((eb) => eb.fn.count('id').as('count'))
@@ -57,7 +57,11 @@ export class GroupUserRepo {
    if (pagination.query) {
      query = query.where((eb) =>
-        eb(sql`f_unaccent(users.name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`),
+        eb(
          sql`f_unaccent(users.name)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
        ),
      );
    }
@@ -152,14 +156,4 @@ export class GroupUserRepo {
      .where('groupId', '=', groupId)
      .execute();
  }
  async getUserGroupIds(userId: string): Promise<string[]> {
    const results = await this.db
      .selectFrom('groupUsers')
      .select('groupId')
      .where('userId', '=', userId)
      .execute();
    return results.map((r) => r.groupId);
  }
 }
@@ -114,7 +114,11 @@ export class GroupRepo {
    if (pagination.query) {
      query = query.where((eb) =>
-        eb(sql`f_unaccent(name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`).or(
+        eb(
          sql`f_unaccent(name)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
        ).or(
          sql`f_unaccent(description)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
@@ -1,692 +0,0 @@
 import { Injectable } from '@nestjs/common';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { dbOrTx } from '@docmost/db/utils';
 import {
  InsertablePageAccess,
  InsertablePagePermission,
  PageAccess,
  PagePermission,
 } from '@docmost/db/types/entity.types';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { executeWithPagination } from '@docmost/db/pagination/pagination';
 import { sql } from 'kysely';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
@Injectable()
 export class PagePermissionRepo {
  constructor(
    @InjectKysely() private readonly db: KyselyDB,
    private readonly groupRepo: GroupRepo,
    private readonly groupUserRepo: GroupUserRepo,
  ) {}
  async findPageAccessByPageId(
    pageId: string,
    trx?: KyselyTransaction,
  ): Promise<PageAccess | undefined> {
    const db = dbOrTx(this.db, trx);
    return db
      .selectFrom('pageAccess')
      .selectAll()
      .where('pageId', '=', pageId)
      .executeTakeFirst();
  }
  async insertPageAccess(
    data: InsertablePageAccess,
    trx?: KyselyTransaction,
  ): Promise<PageAccess> {
    const db = dbOrTx(this.db, trx);
    return db
      .insertInto('pageAccess')
      .values(data)
      .returningAll()
      .executeTakeFirst();
  }
  async deletePageAccess(pageId: string, trx?: KyselyTransaction): Promise<void> {
    const db = dbOrTx(this.db, trx);
    await db.deleteFrom('pageAccess').where('pageId', '=', pageId).execute();
  }
  async insertPagePermissions(
    permissions: InsertablePagePermission[],
    trx?: KyselyTransaction,
  ): Promise<void> {
    if (permissions.length === 0) return;
    const db = dbOrTx(this.db, trx);
    await db
      .insertInto('pagePermissions')
      .values(permissions)
      .execute();
  }
  async findPagePermissionByUserId(
    pageAccessId: string,
    userId: string,
    trx?: KyselyTransaction,
  ): Promise<PagePermission | undefined> {
    const db = dbOrTx(this.db, trx);
    return db
      .selectFrom('pagePermissions')
      .selectAll()
      .where('pageAccessId', '=', pageAccessId)
      .where('userId', '=', userId)
      .executeTakeFirst();
  }
  async findPagePermissionByGroupId(
    pageAccessId: string,
    groupId: string,
    trx?: KyselyTransaction,
  ): Promise<PagePermission | undefined> {
    const db = dbOrTx(this.db, trx);
    return db
      .selectFrom('pagePermissions')
      .selectAll()
      .where('pageAccessId', '=', pageAccessId)
      .where('groupId', '=', groupId)
      .executeTakeFirst();
  }
  async deletePagePermissionByUserId(
    pageAccessId: string,
    userId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    const db = dbOrTx(this.db, trx);
    await db
      .deleteFrom('pagePermissions')
      .where('pageAccessId', '=', pageAccessId)
      .where('userId', '=', userId)
      .execute();
  }
  async deletePagePermissionByGroupId(
    pageAccessId: string,
    groupId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    const db = dbOrTx(this.db, trx);
    await db
      .deleteFrom('pagePermissions')
      .where('pageAccessId', '=', pageAccessId)
      .where('groupId', '=', groupId)
      .execute();
  }
  async updatePagePermissionRole(
    pageAccessId: string,
    role: string,
    opts: { userId?: string; groupId?: string },
    trx?: KyselyTransaction,
  ): Promise<void> {
    const db = dbOrTx(this.db, trx);
    let query = db
      .updateTable('pagePermissions')
      .set({ role, updatedAt: new Date() })
      .where('pageAccessId', '=', pageAccessId);
    if (opts.userId) {
      query = query.where('userId', '=', opts.userId);
    } else if (opts.groupId) {
      query = query.where('groupId', '=', opts.groupId);
    }
    await query.execute();
  }
  async countWritersByPageAccessId(
    pageAccessId: string,
    trx?: KyselyTransaction,
  ): Promise<number> {
    const db = dbOrTx(this.db, trx);
    const result = await db
      .selectFrom('pagePermissions')
      .select((eb) => eb.fn.count('id').as('count'))
      .where('pageAccessId', '=', pageAccessId)
      .where('role', '=', 'writer')
      .executeTakeFirst();
    return Number(result?.count ?? 0);
  }
  async getPagePermissionsPaginated(
    pageAccessId: string,
    pagination: PaginationOptions,
  ) {
    let query = this.db
      .selectFrom('pagePermissions')
      .leftJoin('users', 'users.id', 'pagePermissions.userId')
      .leftJoin('groups', 'groups.id', 'pagePermissions.groupId')
      .select([
        'pagePermissions.id',
        'pagePermissions.role',
        'pagePermissions.createdAt',
        'users.id as userId',
        'users.name as userName',
        'users.avatarUrl as userAvatarUrl',
        'users.email as userEmail',
        'groups.id as groupId',
        'groups.name as groupName',
        'groups.isDefault as groupIsDefault',
      ])
      .select((eb) => this.groupRepo.withMemberCount(eb))
      .where('pageAccessId', '=', pageAccessId)
      .orderBy((eb) => eb('groups.id', 'is not', null), 'desc')
      .orderBy('pagePermissions.createdAt', 'asc');
    if (pagination.query) {
      query = query.where((eb) =>
        eb(
          sql`f_unaccent(users.name)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
        )
          .or(
            sql`users.email`,
            'ilike',
            sql`f_unaccent(${'%' + pagination.query + '%'})`,
          )
          .or(
            sql`f_unaccent(groups.name)`,
            'ilike',
            sql`f_unaccent(${'%' + pagination.query + '%'})`,
          ),
      );
    }
    const result = await executeWithPagination(query, {
      page: pagination.page,
      perPage: pagination.limit,
    });
    const members = result.items.map((member) => {
      if (member.userId) {
        return {
          id: member.userId,
          name: member.userName,
          email: member.userEmail,
          avatarUrl: member.userAvatarUrl,
          type: 'user' as const,
          role: member.role,
          createdAt: member.createdAt,
        };
      } else {
        return {
          id: member.groupId,
          name: member.groupName,
          memberCount: member.memberCount as number,
          isDefault: member.groupIsDefault,
          type: 'group' as const,
          role: member.role,
          createdAt: member.createdAt,
        };
      }
    });
    result.items = members as any;
    return result;
  }
  async getUserPagePermission(
    userId: string,
    pageId: string,
  ): Promise<{ role: string } | undefined> {
    const result = await this.db
      .selectFrom('pageAccess')
      .innerJoin('pagePermissions', 'pagePermissions.pageAccessId', 'pageAccess.id')
      .select(['pagePermissions.role'])
      .where('pageAccess.pageId', '=', pageId)
      .where('pagePermissions.userId', '=', userId)
      .unionAll(
        this.db
          .selectFrom('pageAccess')
          .innerJoin('pagePermissions', 'pagePermissions.pageAccessId', 'pageAccess.id')
          .innerJoin('groupUsers', 'groupUsers.groupId', 'pagePermissions.groupId')
          .select(['pagePermissions.role'])
          .where('pageAccess.pageId', '=', pageId)
          .where('groupUsers.userId', '=', userId),
      )
      .executeTakeFirst();
    return result;
  }
  async findRestrictedAncestor(
    pageId: string,
  ): Promise<{ pageId: string; accessLevel: string; depth: number } | undefined> {
    return this.db
      .selectFrom('pageHierarchy')
      .innerJoin('pageAccess', 'pageAccess.pageId', 'pageHierarchy.ancestorId')
      .select([
        'pageAccess.pageId',
        'pageAccess.accessLevel',
        'pageHierarchy.depth',
      ])
      .where('pageHierarchy.descendantId', '=', pageId)
      .orderBy('pageHierarchy.depth', 'asc')
      .executeTakeFirst();
  }
  /**
   * Check if user can access a page by verifying they have permission on ALL restricted ancestors.
   */
  async canUserAccessPage(userId: string, pageId: string): Promise<boolean> {
    const deniedAncestor = await this.db
      .selectFrom('pageHierarchy')
      .innerJoin('pageAccess', 'pageAccess.pageId', 'pageHierarchy.ancestorId')
      .leftJoin('pagePermissions', (join) =>
        join
          .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
          .on((eb) =>
            eb.or([
              eb('pagePermissions.userId', '=', userId),
              eb(
                'pagePermissions.groupId',
                'in',
                eb
                  .selectFrom('groupUsers')
                  .select('groupUsers.groupId')
                  .where('groupUsers.userId', '=', userId),
              ),
            ]),
          ),
      )
      .select('pageAccess.pageId')
      .where('pageHierarchy.descendantId', '=', pageId)
      .where('pagePermissions.id', 'is', null)
      .executeTakeFirst();
    return !deniedAncestor;
  }
  /**
   * Check if user can edit a page by verifying they have WRITER permission on ALL restricted ancestors.
   */
  async canUserEditPage(userId: string, pageId: string): Promise<boolean> {
    const deniedAncestor = await this.db
      .selectFrom('pageHierarchy')
      .innerJoin('pageAccess', 'pageAccess.pageId', 'pageHierarchy.ancestorId')
      .leftJoin('pagePermissions', (join) =>
        join
          .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
          .on('pagePermissions.role', '=', 'writer')
          .on((eb) =>
            eb.or([
              eb('pagePermissions.userId', '=', userId),
              eb(
                'pagePermissions.groupId',
                'in',
                eb
                  .selectFrom('groupUsers')
                  .select('groupUsers.groupId')
                  .where('groupUsers.userId', '=', userId),
              ),
            ]),
          ),
      )
      .select('pageAccess.pageId')
      .where('pageHierarchy.descendantId', '=', pageId)
      .where('pagePermissions.id', 'is', null)
      .executeTakeFirst();
    return !deniedAncestor;
  }
  /**
   * Get user's access level for a page, checking ALL restricted ancestors.
   * Returns:
   * - hasRestriction: whether page or any ancestor has restrictions
   * - canAccess: user has permission on all restricted ancestors (always true if no restrictions)
   * - canEdit: user has writer permission on all restricted ancestors (always true if no restrictions)
   */
  async getUserPageAccessLevel(
    userId: string,
    pageId: string,
  ): Promise<{ hasRestriction: boolean; canAccess: boolean; canEdit: boolean }> {
    const result = await this.db
      .selectFrom('pages')
      .select((eb) => [
        // hasRestriction: any ancestor has page_access entry
        eb
          .case()
          .when(
            eb.exists(
              eb
                .selectFrom('pageHierarchy')
                .innerJoin(
                  'pageAccess',
                  'pageAccess.pageId',
                  'pageHierarchy.ancestorId',
                )
                .select('pageAccess.id')
                .whereRef('pageHierarchy.descendantId', '=', 'pages.id'),
            ),
          )
          .then(true)
          .else(false)
          .end()
          .as('hasRestriction'),
        // canAccess: no restricted ancestor without ANY permission
        eb
          .case()
          .when(
            eb.not(
              eb.exists(
                eb
                  .selectFrom('pageHierarchy')
                  .innerJoin(
                    'pageAccess',
                    'pageAccess.pageId',
                    'pageHierarchy.ancestorId',
                  )
                  .leftJoin('pagePermissions', (join) =>
                    join
                      .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
                      .on((eb2) =>
                        eb2.or([
                          eb2('pagePermissions.userId', '=', userId),
                          eb2(
                            'pagePermissions.groupId',
                            'in',
                            eb2
                              .selectFrom('groupUsers')
                              .select('groupUsers.groupId')
                              .where('groupUsers.userId', '=', userId),
                          ),
                        ]),
                      ),
                  )
                  .select('pageAccess.pageId')
                  .whereRef('pageHierarchy.descendantId', '=', 'pages.id')
                  .where('pagePermissions.id', 'is', null),
              ),
            ),
          )
          .then(true)
          .else(false)
          .end()
          .as('canAccess'),
        // canEdit: no restricted ancestor without WRITER permission
        eb
          .case()
          .when(
            eb.not(
              eb.exists(
                eb
                  .selectFrom('pageHierarchy')
                  .innerJoin(
                    'pageAccess',
                    'pageAccess.pageId',
                    'pageHierarchy.ancestorId',
                  )
                  .leftJoin('pagePermissions', (join) =>
                    join
                      .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
                      .on('pagePermissions.role', '=', 'writer')
                      .on((eb2) =>
                        eb2.or([
                          eb2('pagePermissions.userId', '=', userId),
                          eb2(
                            'pagePermissions.groupId',
                            'in',
                            eb2
                              .selectFrom('groupUsers')
                              .select('groupUsers.groupId')
                              .where('groupUsers.userId', '=', userId),
                          ),
                        ]),
                      ),
                  )
                  .select('pageAccess.pageId')
                  .whereRef('pageHierarchy.descendantId', '=', 'pages.id')
                  .where('pagePermissions.id', 'is', null),
              ),
            ),
          )
          .then(true)
          .else(false)
          .end()
          .as('canEdit'),
      ])
      .where('pages.id', '=', pageId)
      .executeTakeFirst();
    return {
      hasRestriction: Boolean(result?.hasRestriction),
      canAccess: Boolean(result?.canAccess),
      canEdit: Boolean(result?.canEdit),
    };
  }
  /**
   * Filter a list of page IDs to only those the user can access.
   * Returns page IDs with their permission level (canEdit).
   * Single query implementation for efficiency.
   */
  async filterAccessiblePageIdsWithPermissions(
    pageIds: string[],
    userId: string,
  ): Promise<Array<{ id: string; canEdit: boolean }>> {
    if (pageIds.length === 0) return [];
    const results = await this.db
      .selectFrom('pages')
      .select('pages.id')
      // Check if user lacks writer permission on any restricted ancestor
      .select((eb) =>
        eb
          .case()
          .when(
            eb.not(
              eb.exists(
                eb
                  .selectFrom('pageHierarchy')
                  .innerJoin(
                    'pageAccess',
                    'pageAccess.pageId',
                    'pageHierarchy.ancestorId',
                  )
                  .leftJoin('pagePermissions', (join) =>
                    join
                      .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
                      .on('pagePermissions.role', '=', 'writer')
                      .on((eb2) =>
                        eb2.or([
                          eb2('pagePermissions.userId', '=', userId),
                          eb2(
                            'pagePermissions.groupId',
                            'in',
                            eb2
                              .selectFrom('groupUsers')
                              .select('groupUsers.groupId')
                              .where('groupUsers.userId', '=', userId),
                          ),
                        ]),
                      ),
                  )
                  .select('pageAccess.pageId')
                  .whereRef('pageHierarchy.descendantId', '=', 'pages.id')
                  .where('pagePermissions.id', 'is', null),
              ),
            ),
          )
          .then(true)
          .else(false)
          .end()
          .as('canEdit'),
      )
      .where('pages.id', 'in', pageIds)
      // Filter: user must have access (any permission on all restricted ancestors)
      .where(({ not, exists, selectFrom }) =>
        not(
          exists(
            selectFrom('pageHierarchy')
              .innerJoin(
                'pageAccess',
                'pageAccess.pageId',
                'pageHierarchy.ancestorId',
              )
              .leftJoin('pagePermissions', (join) =>
                join
                  .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
                  .on((eb) =>
                    eb.or([
                      eb('pagePermissions.userId', '=', userId),
                      eb(
                        'pagePermissions.groupId',
                        'in',
                        eb
                          .selectFrom('groupUsers')
                          .select('groupUsers.groupId')
                          .where('groupUsers.userId', '=', userId),
                      ),
                    ]),
                  ),
              )
              .select('pageAccess.pageId')
              .whereRef('pageHierarchy.descendantId', '=', 'pages.id')
              .where('pagePermissions.id', 'is', null),
          ),
        ),
      )
      .execute();
    return results.map((r) => ({ id: r.id, canEdit: Boolean(r.canEdit) }));
  }
  /**
   * Check if a page or any of its ancestors has restrictions.
   * Used to determine if page-level permission checks are needed.
   */
  async hasRestrictedAncestor(pageId: string): Promise<boolean> {
    const result = await this.db
      .selectFrom('pageHierarchy')
      .innerJoin('pageAccess', 'pageAccess.pageId', 'pageHierarchy.ancestorId')
      .select('pageAccess.id')
      .where('pageHierarchy.descendantId', '=', pageId)
      .executeTakeFirst();
    return !!result;
  }
  /**
   * Given a list of parent page IDs, return which ones have at least one accessible child.
   * Efficient batch query for sidebar hasChildren calculation.
   */
  async getParentIdsWithAccessibleChildren(
    parentIds: string[],
    userId: string,
  ): Promise<string[]> {
    if (parentIds.length === 0) return [];
    const results = await this.db
      .selectFrom('pages as child')
      .select('child.parentPageId')
      .distinct()
      .where('child.parentPageId', 'in', parentIds)
      .where('child.deletedAt', 'is', null)
      .where(({ not, exists, selectFrom }) =>
        not(
          exists(
            selectFrom('pageHierarchy')
              .innerJoin(
                'pageAccess',
                'pageAccess.pageId',
                'pageHierarchy.ancestorId',
              )
              .leftJoin('pagePermissions', (join) =>
                join
                  .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
                  .on((eb) =>
                    eb.or([
                      eb('pagePermissions.userId', '=', userId),
                      eb(
                        'pagePermissions.groupId',
                        'in',
                        eb
                          .selectFrom('groupUsers')
                          .select('groupUsers.groupId')
                          .where('groupUsers.userId', '=', userId),
                      ),
                    ]),
                  ),
              )
              .select('pageAccess.pageId')
              .whereRef('pageHierarchy.descendantId', '=', 'child.id')
              .where('pagePermissions.id', 'is', null),
          ),
        ),
      )
      .execute();
    return results.map((r) => r.parentPageId);
  }
  /**
   * Check if any descendant of a page has restrictions that the user cannot access.
   * Used to determine if includeSubPages can be enabled for sharing.
   */
  async hasInaccessibleDescendants(
    pageId: string,
    userId: string,
  ): Promise<boolean> {
    // Get all descendant page IDs (excluding the root page itself)
    const descendants = await this.db
      .selectFrom('pageHierarchy')
      .select('descendantId')
      .where('ancestorId', '=', pageId)
      .where('depth', '>', 0)
      .execute();
    if (descendants.length === 0) {
      return false;
    }
    const descendantIds = descendants.map((d) => d.descendantId);
    // Check if any descendant has a restriction the user cannot access
    const inaccessible = await this.db
      .selectFrom('pageAccess')
      .leftJoin('pagePermissions', (join) =>
        join
          .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
          .on((eb) =>
            eb.or([
              eb('pagePermissions.userId', '=', userId),
              eb(
                'pagePermissions.groupId',
                'in',
                eb
                  .selectFrom('groupUsers')
                  .select('groupUsers.groupId')
                  .where('groupUsers.userId', '=', userId),
              ),
            ]),
          ),
      )
      .select('pageAccess.pageId')
      .where('pageAccess.pageId', 'in', descendantIds)
      .where('pagePermissions.id', 'is', null)
      .executeTakeFirst();
    return !!inaccessible;
  }
  /**
   * Get all descendant page IDs that have restrictions (page_access entries).
   * Used to filter restricted pages from public share trees.
   */
  async getRestrictedDescendantIds(pageId: string): Promise<string[]> {
    const results = await this.db
      .selectFrom('pageHierarchy')
      .innerJoin('pageAccess', 'pageAccess.pageId', 'pageHierarchy.descendantId')
      .select('pageHierarchy.descendantId')
      .where('pageHierarchy.ancestorId', '=', pageId)
      .execute();
    return results.map((r) => r.descendantId);
  }
 }
@@ -454,4 +454,46 @@ export class PageRepo {
      .selectAll()
      .execute();
  }
  async update(
    pageId: string,
    updatablePage: UpdatablePage,
    trx?: KyselyTransaction,
  ): Promise<void> {
    const db = dbOrTx(this.db, trx);
    await db
      .updateTable('pages')
      .set({ ...updatablePage, updatedAt: new Date() })
      .where('id', '=', pageId)
      .execute();
  }
  async getAllDescendants(
    pageId: string,
    trx?: KyselyTransaction,
  ): Promise<string[]> {
    const db = dbOrTx(this.db, trx);
    // Recursive CTE to get all descendants
    const descendants = await db
      .withRecursive('page_tree', (qb) =>
        qb
          .selectFrom('pages')
          .select(['id', 'parentPageId'])
          .where('parentPageId', '=', pageId)
          .where('deletedAt', 'is', null)
          .unionAll((eb) =>
            eb
              .selectFrom('pages as p')
              .innerJoin('page_tree as pt', 'p.parentPageId', 'pt.id')
              .select(['p.id', 'p.parentPageId'])
              .where('p.deletedAt', 'is', null),
          ),
      )
      .selectFrom('page_tree')
      .select('id')
      .execute();
    return descendants.map((d) => d.id);
  }
 }
@@ -0,0 +1,58 @@
 import { Injectable } from '@nestjs/common';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB } from '../../types/kysely.types';
 import { Page } from '../../types/entity.types';
 import { PageMemberRole } from './page-permission-repo.service';
@Injectable()
 export class SharedPagesRepo {
  constructor(@InjectKysely() private readonly db: KyselyDB) {}
  async addSharedPage(userId: string, pageId: string): Promise<void> {
    await this.db
      .insertInto('userSharedPages')
      .values({
        userId,
        pageId,
        sharedAt: new Date(),
      })
      .onConflict((oc) => oc.columns(['userId', 'pageId']).doNothing())
      .execute();
  }
  async removeSharedPage(userId: string, pageId: string): Promise<void> {
    await this.db
      .deleteFrom('userSharedPages')
      .where('userId', '=', userId)
      .where('pageId', '=', pageId)
      .execute();
  }
  async getUserSharedPages(userId: string): Promise<Page[]> {
    return await this.db
      .selectFrom('userSharedPages as usp')
      .innerJoin('pages as p', 'p.id', 'usp.pageId')
      .innerJoin('pagePermissions as pm', (join) =>
        join
          .onRef('pm.pageId', '=', 'p.id')
          .on('pm.userId', '=', userId)
          .on('pm.role', '!=', PageMemberRole.NONE),
      )
      .selectAll('p')
      .where('usp.userId', '=', userId)
      .where('p.deletedAt', 'is', null)
      .orderBy('usp.sharedAt', 'desc')
      .execute();
  }
  async isPageSharedWithUser(userId: string, pageId: string): Promise<boolean> {
    const result = await this.db
      .selectFrom('userSharedPages')
      .select('userId')
      .where('userId', '=', userId)
      .where('pageId', '=', pageId)
      .executeTakeFirst();
    return !!result;
  }
 }
@@ -197,12 +197,6 @@ export interface GroupUsers {
  userId: string;
 }
 export interface PageHierarchy {
  ancestorId: string;
  descendantId: string;
  depth: Generated<number>;
 }
 export interface PageHistory {
  content: Json | null;
  coverPhoto: string | null;
@@ -220,6 +214,19 @@ export interface PageHistory {
  workspaceId: string;
 }
 export interface PagePermissions {
  addedById: string | null;
  cascade: Generated<boolean>;
  createdAt: Generated<Timestamp>;
  deletedAt: Timestamp | null;
  groupId: string | null;
  id: Generated<string>;
  pageId: string;
  role: string;
  updatedAt: Generated<Timestamp>;
  userId: string | null;
 }
 export interface Pages {
  content: Json | null;
  contributorIds: Generated<string[] | null>;
@@ -231,9 +238,11 @@ export interface Pages {
  icon: string | null;
  id: Generated<string>;
  isLocked: Generated<boolean>;
  isRestricted: Generated<boolean>;
  lastUpdatedById: string | null;
  parentPageId: string | null;
  position: string | null;
  restrictedById: string | null;
  slugId: string;
  spaceId: string;
  textContent: string | null;
@@ -319,6 +328,12 @@ export interface Users {
  workspaceId: string | null;
 }
 export interface UserSharedPages {
  pageId: string;
  sharedAt: Generated<Timestamp>;
  userId: string;
 }
 export interface UserTokens {
  createdAt: Generated<Timestamp>;
  expiresAt: Timestamp | null;
@@ -366,27 +381,6 @@ export interface Workspaces {
  updatedAt: Generated<Timestamp>;
 }
 export interface PageAccess {
  id: Generated<string>;
  pageId: string;
  workspaceId: string;
  accessLevel: string;
  creatorId: string | null;
  createdAt: Generated<Timestamp>;
  updatedAt: Generated<Timestamp>;
 }
 export interface PagePermissions {
  id: Generated<string>;
  pageAccessId: string;
  userId: string | null;
  groupId: string | null;
  role: string;
  addedById: string | null;
  createdAt: Generated<Timestamp>;
  updatedAt: Generated<Timestamp>;
 }
 export interface DB {
  apiKeys: ApiKeys;
  attachments: Attachments;
@@ -398,8 +392,6 @@ export interface DB {
  fileTasks: FileTasks;
  groups: Groups;
  groupUsers: GroupUsers;
  pageAccess: PageAccess;
  pageHierarchy: PageHierarchy;
  pageHistory: PageHistory;
  pagePermissions: PagePermissions;
  pages: Pages;
@@ -408,6 +400,7 @@ export interface DB {
  spaces: Spaces;
  userMfa: UserMfa;
  users: Users;
  userSharedPages: UserSharedPages;
  userTokens: UserTokens;
  workspaceInvitations: WorkspaceInvitations;
  workspaces: Workspaces;
@@ -9,8 +9,6 @@ import {
  FileTasks,
  Groups,
  GroupUsers,
  PageAccess,
  PageHierarchy,
  PageHistory,
  PagePermissions,
  Pages,
@@ -19,6 +17,7 @@ import {
  Spaces,
  UserMfa,
  Users,
  UserSharedPages,
  UserTokens,
  WorkspaceInvitations,
  Workspaces,
@@ -35,17 +34,16 @@ export interface DbInterface {
  fileTasks: FileTasks;
  groups: Groups;
  groupUsers: GroupUsers;
  pageAccess: PageAccess;
  pageHierarchy: PageHierarchy;
  pageEmbeddings: PageEmbeddings;
  pageHistory: PageHistory;
  pagePermissions: PagePermissions;
  pageHistory: PageHistory;
  pages: Pages;
  shares: Shares;
  spaceMembers: SpaceMembers;
  spaces: Spaces;
  userMfa: UserMfa;
  users: Users;
  userSharedPages: UserSharedPages;
  userTokens: UserTokens;
  workspaceInvitations: WorkspaceInvitations;
  workspaces: Workspaces;
@@ -3,12 +3,11 @@ import {
  Attachments,
  Comments,
  Groups,
  PageAccess as _PageAccess,
  PageHierarchy as _PageHierarchy,
  PagePermissions as _PagePermissions,
  Pages,
  PagePermissions,
  Spaces,
  Users,
  UserSharedPages,
  Workspaces,
  PageHistory as History,
  GroupUsers,
@@ -53,6 +52,15 @@ export type SpaceMember = Selectable<SpaceMembers>;
 export type InsertableSpaceMember = Insertable<SpaceMembers>;
 export type UpdatableSpaceMember = Updateable<Omit<SpaceMembers, 'id'>>;
 // PageMember
 export type PagePermission = Selectable<PagePermissions>;
 export type InsertablePagePermission = Insertable<PagePermissions>;
 export type UpdatablePagePermission = Updateable<Omit<PagePermissions, 'id'>>;
 // UserSharedPage
 export type UserSharedPage = Selectable<UserSharedPages>;
 export type InsertableUserSharedPage = Insertable<UserSharedPages>;
 // Group
 export type ExtendedGroup = Groups & { memberCount: number };
@@ -134,17 +142,3 @@ export type UpdatableApiKey = Updateable<Omit<ApiKeys, 'id'>>;
 export type PageEmbedding = Selectable<PageEmbeddings>;
 export type InsertablePageEmbedding = Insertable<PageEmbeddings>;
 export type UpdatablePageEmbedding = Updateable<Omit<PageEmbeddings, 'id'>>;
 // Page Hierarchy (closure table - composite primary key)
 export type PageHierarchy = Selectable<_PageHierarchy>;
 export type InsertablePageHierarchy = Insertable<_PageHierarchy>;
 // Page Access
 export type PageAccess = Selectable<_PageAccess>;
 export type InsertablePageAccess = Insertable<_PageAccess>;
 export type UpdatablePageAccess = Updateable<Omit<_PageAccess, 'id'>>;
 // Page Permission
 export type PagePermission = Selectable<_PagePermissions>;
 export type InsertablePagePermission = Insertable<_PagePermissions>;
 export type UpdatablePagePermission = Updateable<Omit<_PagePermissions, 'id'>>;
@@ -41,4 +41,4 @@ export class ExportSpaceDto {
  @IsOptional()
  @IsBoolean()
  includeAttachments?: boolean;
-}
+}
@@ -107,7 +107,7 @@ export class ExportService {
      const page = await this.pageRepo.findById(pageId, {
        includeContent: true,
      });
-      if (page){
+      if (page) {
        pages = [page];
      }
    }
@@ -69,17 +69,21 @@ function taskList(turndownService: TurndownService) {
        'input[type="checkbox"]',
      ) as HTMLInputElement;
      const isChecked = checkbox.checked;
-      
+
      // Process content like regular list items
      content = content
        .replace(/^\n+/, '') // remove leading newlines
        .replace(/\n+$/, '\n') // replace trailing newlines with just a single one
        .replace(/\n/gm, '\n  '); // indent nested content with 2 spaces
-      
+
      // Create the checkbox prefix
      const prefix = `- ${isChecked ? '[x]' : '[ ]'} `;
-      
+
-      return prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '');
+      return (
        prefix +
        content +
        (node.nextSibling && !/\n$/.test(content) ? '\n' : '')
      );
    },
  });
 }
@@ -15,4 +15,4 @@ export type ImportPageNode = {
  parentPageId: string | null;
  fileExtension: string;
  filePath: string;
-};
+};
@@ -1,5 +1,4 @@
-import { MentionNode } from "../../../common/helpers/prosemirror/utils";
+import { MentionNode } from '../../../common/helpers/prosemirror/utils';
 export interface IPageBacklinkJob {
  pageId: string;
@@ -9,4 +8,4 @@ export interface IPageBacklinkJob {
 export interface IStripeSeatsSyncJob {
  workspaceId: string;
-}
+}
@@ -42,7 +42,7 @@ export class LocalDriver implements StorageDriver {
    try {
      const fromFullPath = this._fullPath(fromFilePath);
      const toFullPath = this._fullPath(toFilePath);
-      
+
      if (await this.exists(fromFilePath)) {
        await fs.copy(fromFullPath, toFullPath);
      }
@@ -40,8 +40,8 @@ export const storageDriverConfigProvider = {
          },
        };
-      case StorageOption.S3:
+      case StorageOption.S3: {
-        { const s3Config = {
+        const s3Config = {
          driver,
          config: {
            region: environmentService.getAwsS3Region(),
@@ -68,7 +68,8 @@ export const storageDriverConfigProvider = {
          };
        }
-        return s3Config; }
+        return s3Config;
      }
      default:
        throw new Error(`Unknown storage driver: ${driver}`);
Author	SHA1	Message	Date
Philipinho	404e6c0b2f	fix	2025-12-18 18:32:24 +00:00
Philipinho	900e367677	Merge branch 'main' into permissions-2	2025-12-18 18:30:48 +00:00
Philipinho	ace00a0b0a	WIP	2025-08-14 08:58:23 -07:00