EPESS/epess-web-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: enhance authorization checks and update meeting room collaboration logic

Browse Source 
- Updated error messages in DocumentSchema to use 'Unauthorized' for better clarity on access issues.
- Removed the deprecated testUpdateDocument field from DocumentSchema to streamline the schema.
- Introduced a new updateMeetingRoomCollaborators field in MeetingRoomSchema to manage collaborator additions and removals, ensuring proper authorization checks are in place.
- Improved overall error handling for unauthorized access in both DocumentSchema and MeetingRoomSchema.
This commit is contained in:
Ly Tuan Kiet
2024-12-02 21:25:07 +07:00
parent 542312b7d8
commit 02bc5fe691
2 changed files with 45 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/Document/document.schema.ts
View File

@@ -199,7 +199,7 @@ export class DocumentSchema extends PothosSchema {
resolve: async (query, _parent, args, ctx: SchemaContext) => { resolve: async (query, _parent, args, ctx: SchemaContext) => {
if (ctx.isSubscription) throw new Error('Not allowed') if (ctx.isSubscription) throw new Error('Not allowed')
const userId = ctx.http?.me?.id const userId = ctx.http?.me?.id
if (!userId) throw new Error('User not found') if (!userId) throw new Error('Unauthorized')
return await this.prisma.document.create({ return await this.prisma.document.create({
...query, ...query,
data: { data: {
@@ -216,26 +216,6 @@ export class DocumentSchema extends PothosSchema {
}, },
}), }),
testUpdateDocument: t.field({
type: this.documentDelta(),
args: {
documentId: t.arg({ type: 'String', required: true }),
pageIndex: t.arg({ type: 'Int', required: true }),
},
resolve: async (_root, args, ctx: SchemaContext) => {
if (ctx.isSubscription) throw new Error('Not allowed')
const delta = new Delta().insert('test')
const documentDelta = {
documentId: args.documentId,
pageIndex: args.pageIndex,
delta,
senderId: ctx.http?.me?.id,
}
ctx.http.pubSub.publish(`${DocumentEvent.CHANGED}.${args.documentId}`, documentDelta)
return documentDelta
},
}),
eventDocumentChanged: t.field({ eventDocumentChanged: t.field({
type: this.documentDelta(), type: this.documentDelta(),
args: { args: {
@@ -304,7 +284,7 @@ export class DocumentSchema extends PothosSchema {
}, },
resolve: async (query, _parent, args, ctx: SchemaContext) => { resolve: async (query, _parent, args, ctx: SchemaContext) => {
if (ctx.isSubscription) throw new Error('Not allowed') if (ctx.isSubscription) throw new Error('Not allowed')
if (!ctx.http?.me?.id) throw new Error('User not found') if (!ctx.http?.me?.id) throw new Error('Unauthorized')
// check if user is owner or collaborator // check if user is owner or collaborator
const document = await this.prisma.document.findUnique({ const document = await this.prisma.document.findUnique({
where: { id: args.documentId }, where: { id: args.documentId },
@@ -313,7 +293,11 @@ export class DocumentSchema extends PothosSchema {
}, },
}) })
if (!document) throw new Error('Document not found') if (!document) throw new Error('Document not found')
if (!document.isPublic && !document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable)) if (
!document.isPublic ||
!document.collaborators.some((c) => c.userId === ctx.http?.me?.id && c.writable) ||
document.ownerId !== ctx.http?.me?.id
)
throw new Error('User is not owner or collaborator of document') throw new Error('User is not owner or collaborator of document')
return await this.prisma.document.update({ return await this.prisma.document.update({
...query, ...query,

44
src/MeetingRoom/meetingroom.schema.ts
View File

@@ -75,23 +75,55 @@ export class MeetingRoomSchema extends PothosSchema {
type: this.meetingRoom(), type: this.meetingRoom(),
args: { args: {
input: t.arg({ input: t.arg({
type: this.builder.generator.getCreateInput('MeetingRoom', [ type: this.builder.generator.getCreateInput('MeetingRoom', ['id', 'createdAt', 'updatedAt']),
'id',
'createdAt',
'updatedAt',
'collaborators',
]),
required: true, required: true,
}), }),
}, },
resolve: async (query, _parent, args, ctx: SchemaContext) => { resolve: async (query, _parent, args, ctx: SchemaContext) => {
if (ctx.isSubscription) throw new Error('Not allowed') if (ctx.isSubscription) throw new Error('Not allowed')
if (!ctx.http.me) throw new Error('Unauthorized')
return await this.prisma.meetingRoom.create({ return await this.prisma.meetingRoom.create({
...query, ...query,
data: args.input, data: args.input,
}) })
}, },
}), }),
updateMeetingRoomCollaborators: t.prismaField({
type: this.meetingRoom(),
args: {
meetingRoomId: t.arg.string({
required: true,
}),
addCollaborators: t.arg.stringList({
required: false,
}),
removeCollaborators: t.arg.stringList({
required: false,
}),
},
resolve: async (query, _parent, args, ctx: SchemaContext) => {
if (ctx.isSubscription) throw new Error('Not allowed')
if (!ctx.http.me) throw new Error('Unauthorized')
return await this.prisma.meetingRoom.update({
...query,
where: {
id: args.meetingRoomId,
},
data: {
collaborators: {
createMany: {
data: args.addCollaborators ? args.addCollaborators.map((id) => ({ userId: id })) : [],
},
deleteMany: {
userId: {
in: args.removeCollaborators || [],
},
},
},
},
})
},
}),
})) }))
} }
} }