full implementation

apps/server/src/common/helpers/cache-keys.ts

@@ -1,11 +1,3 @@
 export const CacheKey = {
   LICENSE_VALID: (workspaceId: string) => `license:valid:${workspaceId}`,
-  SPACE_ROLES: (userId: string, spaceId: string) =>
-    `perm:space-roles:${userId}:${spaceId}`,
-  PAGE_CAN_EDIT: (userId: string, pageId: string) =>
-    `perm:can-edit:${userId}:${pageId}`,
 };
-
-// Permission caches dedupe repeated checks within and across short request bursts.
-// 5s keeps staleness on revocations bounded.
-export const PERMISSION_CACHE_TTL_MS = 5_000;

apps/server/src/common/helpers/with-cache.ts

@@ -1,27 +0,0 @@
-import { Cache } from 'cache-manager';
-
-export async function withCache<T>(
-  cacheManager: Cache,
-  key: string,
-  ttlMs: number,
-  fn: () => Promise<T>,
-): Promise<T> {
-  try {
-    const cached = await cacheManager.get<{ v: T }>(key);
-    if (cached !== undefined && cached !== null) {
-      return cached.v;
-    }
-  } catch (err) {
-    console.warn(`[withCache] get failed for "${key}", falling back to source`, err);
-  }
-
-  const value = await fn();
-
-  try {
-    await cacheManager.set(key, { v: value }, ttlMs);
-  } catch (err) {
-    console.warn(`[withCache] set failed for "${key}"`, err);
-  }
-
-  return value;
-}

apps/server/src/database/repos/page/page-permission.repo.ts

@@ -1,6 +1,4 @@
-import { Inject, Injectable } from '@nestjs/common';
+import { Injectable } from '@nestjs/common';
-import { CACHE_MANAGER } from '@nestjs/cache-manager';
-import { Cache } from 'cache-manager';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { dbOrTx } from '@docmost/db/utils';
@@ -19,11 +17,6 @@ import {
   executeWithCursorPagination,
 } from '@docmost/db/pagination/cursor-pagination';
 import { PagePermissionMember } from './types/page-permission.types';
-import { withCache } from '../../../common/helpers/with-cache';
-import {
-  CacheKey,
-  PERMISSION_CACHE_TTL_MS,
-} from '../../../common/helpers/cache-keys';
 
 export { PagePermissionMember } from './types/page-permission.types';
 
@@ -32,7 +25,6 @@ export class PagePermissionRepo {
   constructor(
     @InjectKysely() private readonly db: KyselyDB,
     private readonly groupRepo: GroupRepo,
-    @Inject(CACHE_MANAGER) private readonly cacheManager: Cache,
   ) {}
 
   async findPageAccessByPageId(
@@ -369,8 +361,40 @@ export class PagePermissionRepo {
    * Check if user can access a page by verifying they have permission on ALL restricted ancestors.
    */
   async canUserAccessPage(userId: string, pageId: string): Promise<boolean> {
-    const { canAccess } = await this.canUserEditPage(userId, pageId);
+    const deniedAncestor = await this.db
-    return canAccess;
+      .withRecursive('ancestors', (qb) =>
+        qb
+          .selectFrom('pages')
+          .select(['pages.id as ancestorId', 'pages.parentPageId'])
+          .where('pages.id', '=', pageId)
+          .unionAll((eb) =>
+            eb
+              .selectFrom('pages')
+              .innerJoin('ancestors', 'ancestors.parentPageId', 'pages.id')
+              .select(['pages.id as ancestorId', 'pages.parentPageId']),
+          ),
+      )
+      .selectFrom('ancestors')
+      .innerJoin('pageAccess', 'pageAccess.pageId', 'ancestors.ancestorId')
+      .leftJoin('pagePermissions', (join) =>
+        join
+          .onRef('pagePermissions.pageAccessId', '=', 'pageAccess.id')
+          .on((eb) =>
+            eb.or([
+              eb('pagePermissions.userId', '=', userId),
+              eb(
+                'pagePermissions.groupId',
+                'in',
+                this.userGroupIdsSubquery(eb, userId),
+              ),
+            ]),
+          ),
+      )
+      .select('pageAccess.pageId')
+      .where('pagePermissions.id', 'is', null)
+      .executeTakeFirst();
+
+    return !deniedAncestor;
   }
 
   /**
@@ -388,11 +412,6 @@ export class PagePermissionRepo {
     canAccess: boolean;
     canEdit: boolean;
   }> {
-    return withCache(
-      this.cacheManager,
-      CacheKey.PAGE_CAN_EDIT(userId, pageId),
-      PERMISSION_CACHE_TTL_MS,
-      async () => {
     const result = await sql<{
       canAccess: boolean | null;
       canEdit: boolean | null;
@@ -430,8 +449,6 @@ export class PagePermissionRepo {
       canAccess: row.canAccess,
       canEdit: row.canAccess && (row.canEdit ?? false),
     };
-      },
-    );
   }
 
   /**

apps/server/src/database/repos/space/space-member.repo.ts

@@ -1,6 +1,4 @@
-import { BadRequestException, Inject, Injectable } from '@nestjs/common';
+import { BadRequestException, Injectable } from '@nestjs/common';
-import { CACHE_MANAGER } from '@nestjs/cache-manager';
-import { Cache } from 'cache-manager';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { dbOrTx } from '@docmost/db/utils';
@@ -15,11 +13,6 @@ import { MemberInfo, UserSpaceRole } from './types';
 import { executeWithCursorPagination } from '@docmost/db/pagination/cursor-pagination';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
 import { SpaceRepo } from '@docmost/db/repos/space/space.repo';
-import { withCache } from '../../../common/helpers/with-cache';
-import {
-  CacheKey,
-  PERMISSION_CACHE_TTL_MS,
-} from '../../../common/helpers/cache-keys';
 
 @Injectable()
 export class SpaceMemberRepo {
@@ -27,7 +20,6 @@ export class SpaceMemberRepo {
     @InjectKysely() private readonly db: KyselyDB,
     private readonly groupRepo: GroupRepo,
     private readonly spaceRepo: SpaceRepo,
-    @Inject(CACHE_MANAGER) private readonly cacheManager: Cache,
   ) {}
 
   async insertSpaceMember(
@@ -222,11 +214,6 @@ export class SpaceMemberRepo {
     userId: string,
     spaceId: string,
   ): Promise<UserSpaceRole[]> {
-    return withCache(
-      this.cacheManager,
-      CacheKey.SPACE_ROLES(userId, spaceId),
-      PERMISSION_CACHE_TTL_MS,
-      async () => {
     const roles = await this.db
       .selectFrom('spaceMembers')
       .select(['userId', 'role'])
@@ -235,11 +222,7 @@ export class SpaceMemberRepo {
       .unionAll(
         this.db
           .selectFrom('spaceMembers')
-              .innerJoin(
+          .innerJoin('groupUsers', 'groupUsers.groupId', 'spaceMembers.groupId')
-                'groupUsers',
-                'groupUsers.groupId',
-                'spaceMembers.groupId',
-              )
           .select(['groupUsers.userId', 'spaceMembers.role'])
           .where('groupUsers.userId', '=', userId)
           .where('spaceMembers.spaceId', '=', spaceId),
@@ -250,8 +233,6 @@ export class SpaceMemberRepo {
       return undefined;
     }
     return roles;
-      },
-    );
   }
 
   async getUserIdsWithSpaceAccess(