import { match } from 'ts-pattern';
import { prisma } from '@documenso/prisma';
import type { Prisma } from '@documenso/prisma/client';
import { TeamMemberRole } from '@documenso/prisma/client';
import { AppError, AppErrorCode } from '../../errors/app-error';
import { DocumentVisibility } from '../../types/document-visibility';
import { getTeamById } from '../team/get-team';
/**
 * Arguments accepted by `getDocumentById`.
 */
export type GetDocumentByIdOptions = {
  /** Identifier of the document to load. */
  id: number;

  /** Identifier of the user the lookup is performed for; forwarded to the access filter. */
  userId: number;

  /** Optional team identifier; when present it is forwarded to the access filter as well. */
  teamId?: number;
};
/**
 * Load one document together with its data, meta, owner, recipients and team.
 *
 * The lookup is restricted by the filter produced by `getDocumentWhereInput`, so the
 * document id and the access rules are evaluated in a single query. A document that
 * exists but is filtered out yields the same NOT_FOUND error as a document that does
 * not exist, which keeps the response from revealing whether an id is in use.
 *
 * @param options.id Identifier of the document to load.
 * @param options.userId Identifier of the user the access filter is built for.
 * @param options.teamId Optional team identifier passed on to the access filter.
 * @returns The matching document with the related records listed in `include`.
 * @throws AppError with `AppErrorCode.NOT_FOUND` when no document matches the filter.
 */
export const getDocumentById = async ({ id, userId, teamId }: GetDocumentByIdOptions) => {
  const where = await getDocumentWhereInput({ documentId: id, userId, teamId });

  const found = await prisma.document.findFirst({
    where,
    include: {
      documentData: true,
      documentMeta: true,
      // Related people are narrowed with `select`, so only these columns are returned.
      User: {
        select: { id: true, name: true, email: true },
      },
      Recipient: {
        select: { email: true },
      },
      team: {
        select: { id: true, url: true },
      },
    },
  });

  if (found) {
    return found;
  }

  throw new AppError(AppErrorCode.NOT_FOUND, {
    message: 'Document could not be found',
  });
};
/**
 * Arguments accepted by `getDocumentWhereInput`.
 */
export type GetDocumentWhereInputOptions = {
  /** Identifier of the document the filter is built for. */
  documentId: number;

  /** Identifier of the user whose access is being evaluated. */
  userId: number;

  /** Optional team identifier; when omitted the filter is built without any team lookup. */
  teamId?: number;

  /**
   * Whether to return a filter that allows access to both the user and team documents.
   * This only applies if `teamId` is passed in.
   *
   * If true, and `teamId` is passed in, the filter will allow both team and user documents.
   * If false, and `teamId` is passed in, the filter will only allow team documents.
   *
   * Defaults to false.
   */
  overlapUserTeamScope?: boolean;
};
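/**
 * Generate the where input for a given Prisma document query.
 *
 * This will return a query that allows a user to get a document if they have valid access to it.
 *
 * Without `teamId`, only a document owned by `userId` matches.
 *
 * With `teamId`, a document has to pass two independent checks:
 *  1. Scope: it belongs to the team, was sent to or from the team email, or (only when
 *     `overlapUserTeamScope` is true) is owned by `userId`.
 *  2. Visibility: its visibility level is allowed for the caller's team role, or the caller
 *     is the document owner or one of its recipients.
 *
 * NOTE(review): the team branch trusts `getTeamById({ teamId, userId })` to reject callers
 * who are not members of the team; its implementation is not in this file, so confirm.
 *
 * @param options.documentId Identifier of the document the filter is built for.
 * @param options.userId Identifier of the user whose access is evaluated.
 * @param options.teamId Optional team identifier; switches the filter to team scope.
 * @param options.overlapUserTeamScope When true, team scope also admits the user's own documents.
 * @returns A Prisma where input combining the document id with the access rules above.
 * @throws Whatever `getTeamById` or `prisma.user.findFirstOrThrow` throw when their lookup fails.
 */
export const getDocumentWhereInput = async ({
  documentId,
  userId,
  teamId,
  overlapUserTeamScope = false,
}: GetDocumentWhereInputOptions) => {
  const documentWhereInput: Prisma.DocumentWhereUniqueInput = {
    id: documentId,
    OR: [{ userId }],
  };

  // Personal scope: ownership is the only way in.
  if (teamId === undefined) {
    return documentWhereInput;
  }

  const team = await getTeamById({ teamId, userId });

  // Scope: team documents, plus the caller's own documents when the scopes overlap.
  const scopeFilters: Prisma.DocumentWhereInput[] = overlapUserTeamScope
    ? [{ userId }, { teamId: team.id }]
    : [{ teamId: team.id }];

  // Allow access to documents sent to or from the team email.
  if (team.teamEmail) {
    scopeFilters.push(
      {
        Recipient: {
          some: {
            email: team.teamEmail.email,
          },
        },
      },
      {
        User: {
          email: team.teamEmail.email,
        },
      },
    );
  }

  const user = await prisma.user.findFirstOrThrow({
    where: {
      id: userId,
    },
  });

  // Visibility: levels permitted for the caller's role. The document owner and its
  // recipients pass this check irrespective of their role.
  const visibilityFilters = [
    ...match(team.currentTeamMember?.role)
      .with(TeamMemberRole.ADMIN, () => [
        { visibility: DocumentVisibility.EVERYONE },
        { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
        { visibility: DocumentVisibility.ADMIN },
      ])
      .with(TeamMemberRole.MANAGER, () => [
        { visibility: DocumentVisibility.EVERYONE },
        { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
      ])
      .otherwise(() => [{ visibility: DocumentVisibility.EVERYONE }]),
    {
      OR: [
        {
          Recipient: {
            some: {
              email: user.email,
            },
          },
        },
        {
          userId: user.id,
        },
      ],
    },
  ];

  // Scope and visibility must BOTH hold, so visibility goes under `AND` instead of
  // replacing `OR`. Assigning the visibility list to `OR` after the spread discarded the
  // scope clauses, leaving the query constrained only by document id and visibility.
  return {
    ...documentWhereInput,
    OR: scopeFilters,
    AND: [{ OR: visibilityFilters }],
  };
};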