Merge branch "main"

2024-11-08 22:56:22 +11:00
parent 3ca5e47ed4
commit 80c0468df2
121 changed files with 5668 additions and 1393 deletions
--- a/packages/lib/server-only/document/update-document-settings.ts
+++ b/packages/lib/server-only/document/update-document-settings.ts
@@ -1,13 +1,15 @@
 'use server';

+import { match } from 'ts-pattern';
+
 import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import type { CreateDocumentAuditLogDataResponse } from '@documenso/lib/utils/document-audit-logs';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
-import type { DocumentVisibility } from '@documenso/prisma/client';
-import { DocumentStatus } from '@documenso/prisma/client';
+import { DocumentVisibility } from '@documenso/prisma/client';
+import { DocumentStatus, TeamMemberRole } from '@documenso/prisma/client';

 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
@@ -20,7 +22,7 @@ export type UpdateDocumentSettingsOptions = {
  data: {
    title?: string;
    externalId?: string | null;
-    visibility?: string | null;
+    visibility?: DocumentVisibility | null;
    globalAccessAuth?: TDocumentAccessAuthTypes | null;
    globalActionAuth?: TDocumentActionAuthTypes | null;
  };
@@ -63,8 +65,62 @@ export const updateDocumentSettings = async ({
            teamId: null,
          }),
    },
+    include: {
+      team: {
+        select: {
+          members: {
+            where: {
+              userId,
+            },
+            select: {
+              role: true,
+            },
+          },
+        },
+      },
+    },
  });

+  if (teamId) {
+    const currentUserRole = document.team?.members[0]?.role;
+
+    match(currentUserRole)
+      .with(TeamMemberRole.ADMIN, () => true)
+      .with(TeamMemberRole.MANAGER, () => {
+        const allowedVisibilities: DocumentVisibility[] = [
+          DocumentVisibility.EVERYONE,
+          DocumentVisibility.MANAGER_AND_ABOVE,
+        ];
+
+        if (
+          !allowedVisibilities.includes(document.visibility) ||
+          (data.visibility && !allowedVisibilities.includes(data.visibility))
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .with(TeamMemberRole.MEMBER, () => {
+        if (
+          document.visibility !== DocumentVisibility.EVERYONE ||
+          (data.visibility && data.visibility !== DocumentVisibility.EVERYONE)
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .otherwise(() => {
+        throw new AppError(
+          AppErrorCode.UNAUTHORIZED,
+          'You do not have permission to update the document',
+        );
+      });
+  }
+
  const { documentAuthOption } = extractDocumentAuthMethods({
    documentAuth: document.authOptions,
  });