refactor: enhance authorization checks and update meeting room collaboration logic

- Updated error messages in DocumentSchema to use 'Unauthorized' for better clarity on access issues. - Removed the deprecated testUpdateDocument field from DocumentSchema to streamline the schema. - Introduced a new updateMeetingRoomCollaborators field in MeetingRoomSchema to manage collaborator additions and removals, ensuring proper authorization checks are in place. - Improved overall error handling for unauthorized access in both DocumentSchema and MeetingRoomSchema.
2024-12-02 21:25:07 +07:00
parent 542312b7d8
commit 02bc5fe691
2 changed files with 45 additions and 29 deletions
--- a/src/Document/document.schema.ts
+++ b/src/Document/document.schema.ts
@@ -199,7 +199,7 @@ export class DocumentSchema extends PothosSchema {
        resolve: async (query, _parent, args, ctx: SchemaContext) => {
          if (ctx.isSubscription) throw new Error('Not allowed')
          const userId = ctx.http?.me?.id
-          if (!userId) throw new Error('User not found')
+          if (!userId) throw new Error('Unauthorized')
          return await this.prisma.document.create({
            ...query,
            data: {
@@ -216,26 +216,6 @@ export class DocumentSchema extends PothosSchema {
        },
      }),

-      testUpdateDocument: t.field({
-        type: this.documentDelta(),
-        args: {
-          documentId: t.arg({ type: 'String', required: true }),
-          pageIndex: t.arg({ type: 'Int', required: true }),
-        },
-        resolve: async (_root, args, ctx: SchemaContext) => {
-          if (ctx.isSubscription) throw new Error('Not allowed')
-          const delta = new Delta().insert('test')
-          const documentDelta = {
-            documentId: args.documentId,
-            pageIndex: args.pageIndex,
-            delta,
-            senderId: ctx.http?.me?.id,
-          }
-          ctx.http.pubSub.publish(`${DocumentEvent.CHANGED}.${args.documentId}`, documentDelta)
-          return documentDelta
-        },
-      }),
-
      eventDocumentChanged: t.field({
        type: this.documentDelta(),
        args: {
@@ -304,7 +284,7 @@ export class DocumentSchema extends PothosSchema {
        },
        resolve: async (query, _parent, args, ctx: SchemaContext) => {
          if (ctx.isSubscription) throw new Error('Not allowed')
-          if (!ctx.http?.me?.id) throw new Error('User not found')
+          if (!ctx.http?.me?.id) throw new Error('Unauthorized')
          // check if user is owner or collaborator
          const document = await this.prisma.document.findUnique({
            where: { id: args.documentId },
@@ -313,7 +293,11 @@ export class DocumentSchema extends PothosSchema {
            },
          })
          if (!document) throw new Error('Document not found')
-          if (!document.isPublic && !document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable))
+          if (
+            !document.isPublic ||
+            !document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable) ||
+            document.ownerId !== ctx.http?.me?.id
+          )
            throw new Error('User is not owner or collaborator of document')
          return await this.prisma.document.update({
            ...query,