refactor: enhance authorization checks and update meeting room collaboration logic

- Updated error messages in DocumentSchema to use 'Unauthorized' for better clarity on access issues. - Removed the deprecated testUpdateDocument field from DocumentSchema to streamline the schema. - Introduced a new updateMeetingRoomCollaborators field in MeetingRoomSchema to manage collaborator additions and removals, ensuring proper authorization checks are in place. - Improved overall error handling for unauthorized access in both DocumentSchema and MeetingRoomSchema.
2024-12-02 21:25:07 +07:00
parent 542312b7d8
commit 02bc5fe691
2 changed files with 45 additions and 29 deletions
--- a/src/Document/document.schema.ts
+++ b/src/Document/document.schema.ts
@@ -199,7 +199,7 @@ export class DocumentSchema extends PothosSchema {
        resolve: async (query, _parent, args, ctx: SchemaContext) => {
          if (ctx.isSubscription) throw new Error('Not allowed')
          const userId = ctx.http?.me?.id
-          if (!userId) throw new Error('User not found')
+          if (!userId) throw new Error('Unauthorized')
          return await this.prisma.document.create({
            ...query,
            data: {
@@ -216,26 +216,6 @@ export class DocumentSchema extends PothosSchema {
        },
      }),

-      testUpdateDocument: t.field({
-        type: this.documentDelta(),
-        args: {
-          documentId: t.arg({ type: 'String', required: true }),
-          pageIndex: t.arg({ type: 'Int', required: true }),
-        },
-        resolve: async (_root, args, ctx: SchemaContext) => {
-          if (ctx.isSubscription) throw new Error('Not allowed')
-          const delta = new Delta().insert('test')
-          const documentDelta = {
-            documentId: args.documentId,
-            pageIndex: args.pageIndex,
-            delta,
-            senderId: ctx.http?.me?.id,
-          }
-          ctx.http.pubSub.publish(`${DocumentEvent.CHANGED}.${args.documentId}`, documentDelta)
-          return documentDelta
-        },
-      }),
-
      eventDocumentChanged: t.field({
        type: this.documentDelta(),
        args: {
@@ -304,7 +284,7 @@ export class DocumentSchema extends PothosSchema {
        },
        resolve: async (query, _parent, args, ctx: SchemaContext) => {
          if (ctx.isSubscription) throw new Error('Not allowed')
-          if (!ctx.http?.me?.id) throw new Error('User not found')
+          if (!ctx.http?.me?.id) throw new Error('Unauthorized')
          // check if user is owner or collaborator
          const document = await this.prisma.document.findUnique({
            where: { id: args.documentId },
@@ -313,7 +293,11 @@ export class DocumentSchema extends PothosSchema {
            },
          })
          if (!document) throw new Error('Document not found')
-          if (!document.isPublic && !document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable))
+          if (
+            !document.isPublic ||
+            !document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable) ||
+            document.ownerId !== ctx.http?.me?.id
+          )
            throw new Error('User is not owner or collaborator of document')
          return await this.prisma.document.update({
            ...query,
--- a/src/MeetingRoom/meetingroom.schema.ts
+++ b/src/MeetingRoom/meetingroom.schema.ts
@@ -75,23 +75,55 @@ export class MeetingRoomSchema extends PothosSchema {
        type: this.meetingRoom(),
        args: {
          input: t.arg({
-            type: this.builder.generator.getCreateInput('MeetingRoom', [
-              'id',
-              'createdAt',
-              'updatedAt',
-              'collaborators',
-            ]),
+            type: this.builder.generator.getCreateInput('MeetingRoom', ['id', 'createdAt', 'updatedAt']),
            required: true,
          }),
        },
        resolve: async (query, _parent, args, ctx: SchemaContext) => {
          if (ctx.isSubscription) throw new Error('Not allowed')
+          if (!ctx.http.me) throw new Error('Unauthorized')
          return await this.prisma.meetingRoom.create({
            ...query,
            data: args.input,
          })
        },
      }),
+      updateMeetingRoomCollaborators: t.prismaField({
+        type: this.meetingRoom(),
+        args: {
+          meetingRoomId: t.arg.string({
+            required: true,
+          }),
+          addCollaborators: t.arg.stringList({
+            required: false,
+          }),
+          removeCollaborators: t.arg.stringList({
+            required: false,
+          }),
+        },
+        resolve: async (query, _parent, args, ctx: SchemaContext) => {
+          if (ctx.isSubscription) throw new Error('Not allowed')
+          if (!ctx.http.me) throw new Error('Unauthorized')
+          return await this.prisma.meetingRoom.update({
+            ...query,
+            where: {
+              id: args.meetingRoomId,
+            },
+            data: {
+              collaborators: {
+                createMany: {
+                  data: args.addCollaborators ? args.addCollaborators.map((id) => ({ userId: id })) : [],
+                },
+                deleteMany: {
+                  userId: {
+                    in: args.removeCollaborators || [],
+                  },
+                },
+              },
+            },
+          })
+        },
+      }),
    }))
  }
 }