@speckle/shared/dist/commonjs/authz/fragments/savedViews.js

Shared code between various Speckle JS packages

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ensureCanAccessSavedViewGroupFragment = exports.ensureCanAccessSavedViewFragment = exports.WriteTypes = void 0;
const result_1 = require("true-myth/result");
const authErrors_js_1 = require("../domain/authErrors.js");
const types_js_1 = require("../domain/savedViews/types.js");
const projects_js_1 = require("./projects.js");
const constants_js_1 = require("../../core/constants.js");
const index_js_1 = require("../../workspaces/index.js");
const index_js_2 = require("../../saved-views/index.js");
const index_js_3 = require("../../core/index.js");
exports.WriteTypes = (0, index_js_3.StringEnum)([
    'UpdateGeneral',
    'MoveView',
    'EditTitle',
    'EditDescription',
    'SetHomeView'
]);
/**
 * Ensure the user can access the view
 */
const ensureCanAccessSavedViewFragment = (loaders) => async ({ userId, projectId, savedViewId, access, allowNonExistent }) => {
    const canUseSavedViews = await (0, projects_js_1.ensureCanUseProjectWorkspacePlanFeatureFragment)(loaders)({
        projectId,
        feature: index_js_1.WorkspacePlanFeatures.SavedViews
    });
    if (canUseSavedViews.isErr)
        return (0, result_1.err)(canUseSavedViews.error);
    const savedView = await loaders.getSavedView({ projectId, savedViewId });
    if (!savedView) {
        if (allowNonExistent)
            return (0, result_1.ok)();
        return (0, result_1.err)(new authErrors_js_1.SavedViewNotFoundError());
    }
    const isPublic = savedView.visibility === types_js_1.SavedViewVisibility.public;
    const isAuthor = savedView.authorId === userId;
    // Validate read access
    if (access === 'read') {
        if (isAuthor || isPublic) {
            return (0, result_1.ok)();
        }
        else {
            return (0, result_1.err)(new authErrors_js_1.SavedViewNoAccessError({
                message: 'You do not have permission to read this saved view.'
            }));
        }
    }
    // Validate write access
    // Check for write access to project first
    const ensuredWriteAccess = await (0, projects_js_1.ensureImplicitProjectMemberWithWriteAccessFragment)(loaders)({
        userId,
        projectId
    });
    if (ensuredWriteAccess.isErr) {
        if (ensuredWriteAccess.error.code === authErrors_js_1.ProjectNotEnoughPermissionsError.code)
            return (0, result_1.err)(new authErrors_js_1.ProjectNotEnoughPermissionsError({
                message: "Your role on this project doesn't give you permission to update views."
            }));
        return (0, result_1.err)(ensuredWriteAccess.error);
    }
    if (isAuthor) {
        // authors can write whatever
        return (0, result_1.ok)();
    }
    // Non-author project writers can make specific changes
    switch (access) {
        case exports.WriteTypes.MoveView:
        case exports.WriteTypes.EditTitle:
        case exports.WriteTypes.EditDescription:
        case exports.WriteTypes.SetHomeView:
            return (0, result_1.ok)();
        case exports.WriteTypes.UpdateGeneral:
            return (0, result_1.err)(new authErrors_js_1.SavedViewNoAccessError({
                message: 'You do not have permission to edit the view in this way'
            }));
        default:
            (0, index_js_3.throwUncoveredError)(access);
    }
};
exports.ensureCanAccessSavedViewFragment = ensureCanAccessSavedViewFragment;
/**
 * Ensure the user can access the view group
 */
const ensureCanAccessSavedViewGroupFragment = (loaders) => async ({ userId, projectId, savedViewGroupId, access }) => {
    const canUseSavedViews = await (0, projects_js_1.ensureCanUseProjectWorkspacePlanFeatureFragment)(loaders)({
        projectId,
        feature: index_js_1.WorkspacePlanFeatures.SavedViews
    });
    if (canUseSavedViews.isErr)
        return (0, result_1.err)(canUseSavedViews.error);
    const savedViewGroup = await loaders.getSavedViewGroup({
        projectId,
        groupId: savedViewGroupId
    });
    if (!savedViewGroup)
        return (0, result_1.err)(new authErrors_js_1.SavedViewGroupNotFoundError());
    if (access === 'read') {
        return (0, result_1.ok)(); // read access available to everyone who has access to project
    }
    // Prevent default group updates (as it doesnt exist)
    if ((0, index_js_2.isUngroupedGroup)(savedViewGroup.id)) {
        return (0, result_1.err)(new authErrors_js_1.UngroupedSavedViewGroupLockError());
    }
    // groups have no visibility (yet), so authors AND project owners can mutate
    const isAuthor = savedViewGroup.authorId === userId;
    const expectedProjectRole = isAuthor ? constants_js_1.Roles.Stream.Contributor : constants_js_1.Roles.Stream.Owner;
    const ensuredWriteAccess = await (0, projects_js_1.ensureImplicitProjectMemberWithWriteAccessFragment)(loaders)({
        userId,
        projectId,
        role: expectedProjectRole
    });
    if (ensuredWriteAccess.isErr) {
        if (ensuredWriteAccess.error.code === authErrors_js_1.ProjectNotEnoughPermissionsError.code)
            return (0, result_1.err)(new authErrors_js_1.ProjectNotEnoughPermissionsError({
                message: "Your role on this project doesn't give you permission to update view groups."
            }));
        return (0, result_1.err)(ensuredWriteAccess.error);
    }
    return (0, result_1.ok)();
};
exports.ensureCanAccessSavedViewGroupFragment = ensureCanAccessSavedViewGroupFragment;
//# sourceMappingURL=savedViews.js.map