@speckle/shared/dist/commonjs/authz/policies/workspace/canReceiveProjectsUpdatedMessage.js

Shared code between various Speckle JS packages

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.canReceiveWorkspaceProjectsUpdatedMessagePolicy = void 0;
const result_1 = require("true-myth/result");
const authErrors_js_1 = require("../../domain/authErrors.js");
const server_js_1 = require("../../fragments/server.js");
const canRead_js_1 = require("../project/canRead.js");
const workspaces_js_1 = require("../../fragments/workspaces.js");
const constants_js_1 = require("../../../core/constants.js");
/**
 * Whether the user can receive "workspace's projects updated" subscription messages about this project
 */
const canReceiveWorkspaceProjectsUpdatedMessagePolicy = (loaders) => async ({ userId, projectId, workspaceId }) => {
    // User must be logged in
    const ensuredLoggedIn = await (0, server_js_1.ensureMinimumServerRoleFragment)(loaders)({
        userId
    });
    if (ensuredLoggedIn.isErr) {
        return (0, result_1.err)(ensuredLoggedIn.error);
    }
    // User must be a workspace member
    const ensureWorkspaceAccess = await (0, workspaces_js_1.ensureWorkspaceRoleAndSessionFragment)(loaders)({
        userId: userId,
        workspaceId
    });
    if (ensureWorkspaceAccess.isErr) {
        return (0, result_1.err)(ensureWorkspaceAccess.error);
    }
    // Check if project still exists (may have just been deleted)
    const project = await loaders.getProject({ projectId });
    if (!project) {
        // If it no longer exists, let's just allow the update as it can't really leak anything
        // besides that the project no longer exists, cause there is no way to properly check permissions anymore.
        return (0, result_1.ok)();
    }
    // Implicit canRead check
    const canRead = await (0, canRead_js_1.canReadProjectPolicy)(loaders)({
        userId,
        projectId
    });
    if (canRead.isErr) {
        return (0, result_1.err)(canRead.error);
    }
    // If guest - user must be an explicit project member, regardless if they can read the project or not
    const [workspaceRole, projectRole] = await Promise.all([
        loaders.getWorkspaceRole({
            userId: userId,
            workspaceId
        }),
        loaders.getProjectRole({
            userId: userId,
            projectId
        })
    ]);
    if (workspaceRole === constants_js_1.Roles.Workspace.Guest && !projectRole) {
        return (0, result_1.err)(new authErrors_js_1.ProjectNotEnoughPermissionsError('You must be a project member to receive "projects updated" messages about this project'));
    }
    return (0, result_1.ok)();
};
exports.canReceiveWorkspaceProjectsUpdatedMessagePolicy = canReceiveWorkspaceProjectsUpdatedMessagePolicy;
//# sourceMappingURL=canReceiveProjectsUpdatedMessage.js.map