Merge pull request #233 from developmentseed/feature/private-teams

Feature/private teams

Author: kamicut

app/db/migrations/20211208161927_org_visibility.js

@@ -0,0 +1,14 @@
+
+exports.up = async (knex) => {
+  return knex.schema.alterTable('organization', table => {
+    table.enum('privacy', ['public', 'private', 'unlisted']).defaultTo('public')
+    table.boolean('teams_can_be_public').defaultTo(true)
+  })
+}
+
+exports.down = async (knex) => {
+  return knex.schema.alterTable('organization', table => {
+    table.dropColumn('privacy')
+    table.dropColumn('teams_can_be_public')
+  })
+}

app/lib/organization.js

@@ -8,6 +8,8 @@ const orgAttributes = [
   'id',
   'name',
   'description',
+  'privacy',
+  'teams_can_be_public',
   'created_at',
   'updated_at'
 ]
@@ -233,7 +235,7 @@ async function getMembers (organizationId, page) {
 }
 
 /**
- * Checks if an osmId is part of an organization
+ * Checks if an osmId is part of an organization members
  * @param {int} organizationId - organization id
  * @param {int} osmId - id of member we are testing
  */
@@ -244,6 +246,23 @@ async function isMember (organizationId, osmId) {
   return includes(Number(osmId), map(Number, memberIds))
 }
 
+/**
+ * Checks if an osmId is part of an organization members or staff
+ * @param {int} organizationId - organization id
+ * @param {int} osmId - id of member we are testing
+ */
+async function isMemberOrStaff (organizationId, osmId) {
+  if (!organizationId) throw new PropertyRequiredError('organization id')
+  if (!osmId) throw new PropertyRequiredError('osm id')
+  const conn = await db()
+  const subquery = conn('organization_team').select('team_id').where('organization_id', organizationId)
+  const memberQuery = conn('member').select('osm_id').where('team_id', 'in', subquery).andWhere('osm_id', osmId)
+  const ownerQuery = conn('organization_owner').select('osm_id').where({ organization_id: organizationId, osm_id: osmId })
+  const managerQuery = conn('organization_manager').select('osm_id').where({ organization_id: organizationId, osm_id: osmId })
+  const result = await memberQuery.union(ownerQuery).union(managerQuery)
+  return result.length > 0
+}
+
 /**
  * Checks if the osm user is an owner of a team
  * @param {int} organizationId - organization id
@@ -290,15 +309,29 @@ async function getOrgStaff (options) {
 
   if (options.organizationId) {
     ownerQuery = ownerQuery.where('organization.id', options.organizationId)
-    managerQuery = ownerQuery.where('organization.id', options.organizationId)
+    managerQuery = managerQuery.where('organization.id', options.organizationId)
   }
   if (options.osmId) {
     ownerQuery = ownerQuery.where('organization_owner.osm_id', options.osmId)
-    managerQuery = ownerQuery.where('organization_manager.osm_id', options.osmId)
+    managerQuery = managerQuery.where('organization_manager.osm_id', options.osmId)
   }
   return ownerQuery.unionAll(managerQuery)
 }
 
+/**
+ * isPublic
+ * Checks if org privacy is public
+ *
+ * @param orgId - ord id
+ * @returns {Boolean} is the org public?
+ */
+async function isPublic (orgId) {
+  if (!orgId) throw new PropertyRequiredError('organization id')
+  const conn = await db()
+  const { privacy } = await unpack(conn('organization').where({ id: orgId }))
+  return (privacy === 'public')
+}
+
 module.exports = {
   get,
   create,
@@ -311,10 +344,12 @@ module.exports = {
   getOwners,
   getManagers,
   getMembers,
+  isMemberOrStaff,
   isOwner,
   isManager,
   isMember,
   createOrgTeam,
   listMyOrganizations,
-  getOrgStaff
+  getOrgStaff,
+  isPublic
 }

app/lib/team.js

@@ -379,7 +379,19 @@ async function isMember (teamId, osmId) {
 async function isPublic (teamId) {
   if (!teamId) throw new Error('team id is required as first argument')
   const conn = await db()
-  const { privacy } = await unpack(conn('team').where({ id: teamId }))
+  const { privacy } = await unpack(
+    conn('team')
+      .select('id', conn.raw(`
+    case
+    when (
+      select teams_can_be_public from organization join organization_team on organization.id = organization_id where team_id = team.id
+    ) = false then 'private'
+    when privacy = 'private' then 'private'
+    when privacy = 'public' then 'public'
+    end privacy
+    `))
+      .where({ id: teamId })
+  )
   return (privacy === 'public')
 }
 

app/manage/index.js

@@ -1,5 +1,6 @@
 const router = require('express-promise-router')()
 const expressPino = require('express-pino-logger')
+const { path } = require('ramda')
 
 const { getClients, createClient, deleteClient } = require('./client')
 const { login, loginAccept, logout } = require('./login')
@@ -12,6 +13,7 @@ const {
   createTeam,
   destroyTeam,
   getTeam,
+  getTeamMembers,
   joinTeam,
   listTeams,
   listMyTeams,
@@ -33,7 +35,8 @@ const {
   createOrgTeam,
   getOrgTeams,
   getOrgMembers,
-  listMyOrgs
+  listMyOrgs,
+  getOrgStaff
 } = require('./organizations')
 
 const {
@@ -49,8 +52,8 @@ const {
   getTeamProfile
 } = require('./profiles')
 
-const { getOrgStaff } = require('../lib/organization')
 const { getUserManageToken } = require('../lib/profile')
+const organization = require('../lib/organization')
 
 /**
  * The manageRouter handles all routes related to the first party
@@ -71,7 +74,7 @@ function manageRouter (nextApp) {
    * Home page
    */
   router.get('/', (req, res) => {
-    return nextApp.render(req, res, '/', { user: req.session.user })
+    return nextApp.render(req, res, '/', { user: path(['session', 'user'], req) })
   })
 
   /**
@@ -95,6 +98,7 @@ function manageRouter (nextApp) {
   router.get('/api/my/teams', can('public:authenticated'), listMyTeams)
   router.post('/api/teams', can('public:authenticated'), createTeam)
   router.get('/api/teams/:id', can('team:view'), getTeam)
+  router.get('/api/teams/:id/members', can('team:view-members'), getTeamMembers)
   router.put('/api/teams/:id', can('team:edit'), updateTeam)
   router.delete('/api/teams/:id', can('team:edit'), destroyTeam)
   router.put('/api/teams/add/:id/:osmId', can('team:edit'), addMember)
@@ -109,10 +113,11 @@ function manageRouter (nextApp) {
    */
   router.get('/api/my/organizations', can('public:authenticated'), listMyOrgs)
   router.post('/api/organizations', can('public:authenticated'), createOrg)
-  router.get('/api/organizations/:id', can('public:authenticated'), getOrg) // TODO handle private organizations
+  router.get('/api/organizations/:id', can('public:authenticated'), getOrg)
   router.put('/api/organizations/:id', can('organization:edit'), updateOrg)
   router.delete('/api/organizations/:id', can('organization:edit'), destroyOrg)
-  router.get('/api/organizations/:id/members', can('public:authenticated'), getOrgMembers)
+  router.get('/api/organizations/:id/staff', can('organization:view-members'), getOrgStaff)
+  router.get('/api/organizations/:id/members', can('organization:view-members'), getOrgMembers)
 
   router.put('/api/organizations/:id/addOwner/:osmId', can('organization:edit'), addOwner)
   router.put('/api/organizations/:id/removeOwner/:osmId', can('organization:edit'), removeOwner)
@@ -166,7 +171,7 @@ function manageRouter (nextApp) {
   })
 
   router.get('/teams/create', can('public:authenticated'), async (req, res) => {
-    const staff = await getOrgStaff(res.locals.user_id)
+    const staff = await organization.getOrgStaff({ osmId: Number(res.locals.user_id) })
     return nextApp.render(req, res, '/team-create', { staff })
   })
 

app/manage/organizations.js

@@ -36,7 +36,7 @@ async function createOrg (req, reply) {
 }
 
 /**
- * Get an organization
+ * Get an organization's metadata
  * Requires id of organization
  */
 async function getOrg (req, reply) {
@@ -48,12 +48,33 @@ async function getOrg (req, reply) {
   }
 
   try {
-    let [data, owners, managers, isMemberOfOrg] = await Promise.all([
+    let [data, isMemberOfOrg] = await Promise.all([
       organization.get(id),
-      organization.getOwners(id),
-      organization.getManagers(id),
       organization.isMember(id, user_id)
     ])
+    reply.send({ ...data, isMemberOfOrg })
+  } catch (err) {
+    console.log(err)
+    return reply.boom.badRequest(err.message)
+  }
+}
+
+/**
+ * Get an organization's staff
+ * Requires id of organization
+ */
+async function getOrgStaff (req, reply) {
+  const { id } = req.params
+
+  if (!id) {
+    return reply.boom.badRequest('organization id is required')
+  }
+
+  try {
+    let [owners, managers] = await Promise.all([
+      organization.getOwners(id),
+      organization.getManagers(id)
+    ])
     const ownerIds = map(prop('osm_id'), owners)
     const managerIds = map(prop('osm_id'), managers)
     if (ownerIds.length > 0) {
@@ -63,7 +84,7 @@ async function getOrg (req, reply) {
       managers = await team.resolveMemberNames(managerIds)
     }
 
-    reply.send({ ...data, owners, managers, isMemberOfOrg })
+    reply.send({ owners, managers })
   } catch (err) {
     console.log(err)
     return reply.boom.badRequest(err.message)
@@ -269,5 +290,6 @@ module.exports = {
   createOrgTeam,
   getOrgTeams,
   listMyOrgs,
+  getOrgStaff,
   getOrgMembers
 }

app/manage/permissions/edit-key.js

@@ -32,7 +32,6 @@ async function editKey (uid, { id }) {
     owners = await organization.getOwners(key.owner_org)
   }
   let osmIds = owners.map(owner => (R.prop('osm_id', owner)).toString())
-  console.log(osmIds, uid, osmIds.includes(uid))
   return osmIds.includes(uid.toString())
 }
 

app/manage/permissions/index.js

@@ -17,14 +17,16 @@ const keyPermissions = {
 const teamPermissions = {
   'team:edit': require('./edit-team'),
   'team:view': require('./view-team'),
+  'team:view-members': require('./view-team-members'),
   'team:join': require('./join-team'),
   'team:member': require('./member-team')
 }
 
 const organizationPermissions = {
   'organization:edit': require('./edit-org'),
   'organization:create-team': require('./create-org-team'),
-  'organization:member': require('./member-org')
+  'organization:member': require('./member-org'),
+  'organization:view-members': require('./view-org-members')
 }
 
 const clientPermissions = {

app/manage/permissions/member-org.js

@@ -1,4 +1,4 @@
-const { isMember, isOwner, isManager } = require('../../lib/organization')
+const { isMemberOrStaff } = require('../../lib/organization')
 
 /**
  * org:member
@@ -11,12 +11,7 @@ const { isMember, isOwner, isManager } = require('../../lib/organization')
  */
 async function memberOrg (uid, { id }) {
   try {
-    const [member, owner, manager] = await Promise.all([
-      isMember(id, uid),
-      isOwner(id, uid),
-      isManager(id, uid)
-    ])
-    return member || owner || manager
+    return await isMemberOrStaff(id, uid)
   } catch (e) {
     return false
   }

app/manage/permissions/view-org-members.js

@@ -0,0 +1,24 @@
+const { isPublic, isMemberOrStaff } = require('../../lib/organization')
+
+/**
+ * org:view-members
+ *
+ * To view an org's members, the org needs to be either public
+ * or the user should be a member of the org
+ *
+ * @param {string} uid user id
+ * @param {Object} params request parameters
+ * @returns {boolean} can the request go through?
+ */
+async function viewOrgMembers (uid, { id }) {
+  try {
+    const publicOrg = await isPublic(id)
+    if (publicOrg) return publicOrg
+    return await isMemberOrStaff(id, uid)
+  } catch (e) {
+    console.error(e)
+    return false
+  }
+}
+
+module.exports = viewOrgMembers

app/manage/permissions/view-team-members.js

@@ -0,0 +1,24 @@
+const { isPublic, isMember } = require('../../lib/team')
+
+/**
+ * team:view-members
+ *
+ * To view a team's members, the team needs to be either public
+ * or the user should be a member of the team
+ *
+ * @param {string} uid user id
+ * @param {Object} params request parameters
+ * @returns {boolean} can the request go through?
+ */
+async function viewTeamMembers (uid, { id }) {
+  const publicTeam = await isPublic(id)
+  if (publicTeam) return publicTeam
+
+  try {
+    return await isMember(id, uid)
+  } catch (e) {
+    return false
+  }
+}
+
+module.exports = viewTeamMembers