Only show leader of group if unauthenticated (#3055)

Author: madsab

apps/rpc/src/modules/authorization-service.ts

@@ -3,6 +3,8 @@ import type { GroupId, GroupRoleType, UserId } from "@dotkomonline/types"
 import { minutesToMilliseconds } from "date-fns"
 import { LRUCache } from "lru-cache"
 
+export const HOVEDSTYRET_GROUP_SLUG = "hs"
+
 export const COMMITTEE_AFFILIATIONS = [
   "appkom",
   "arrkom",
@@ -13,7 +15,7 @@ export const COMMITTEE_AFFILIATIONS = [
   "dotkom",
   "fagkom",
   "feminit",
-  "hs",
+  HOVEDSTYRET_GROUP_SLUG,
   "online-il",
   "fond",
   "prokom",
@@ -24,7 +26,7 @@ export const COMMITTEE_AFFILIATIONS = [
   "velkom",
 ] as const satisfies GroupId[]
 
-export const ADMIN_AFFILIATIONS = ["dotkom", "hs"] as const satisfies GroupId[]
+export const ADMIN_AFFILIATIONS = ["dotkom", HOVEDSTYRET_GROUP_SLUG] as const satisfies GroupId[]
 
 export interface AuthorizationService {
   /**

apps/rpc/src/modules/group/__test__/group-repository.spec.ts

@@ -0,0 +1,56 @@
+import type { DBHandle } from "@dotkomonline/db"
+import { getGroupRepository } from "../group-repository"
+
+describe("GroupRepository.findManyGroupMemberships", () => {
+  const groupRepository = getGroupRepository()
+
+  const createHandle = () => {
+    const findMany = vi.fn().mockResolvedValue([])
+    const handle = {
+      groupMembership: {
+        findMany,
+      },
+    } as unknown as DBHandle
+
+    return { handle, findMany }
+  }
+
+  it("queries all memberships for a group when userId is not provided", async () => {
+    const { handle, findMany } = createHandle()
+
+    await groupRepository.findManyGroupMemberships(handle, "dotkom")
+
+    expect(findMany).toHaveBeenCalledWith({
+      where: {
+        groupId: "dotkom",
+      },
+      include: {
+        roles: {
+          include: {
+            role: true,
+          },
+        },
+      },
+    })
+  })
+
+  it("filters memberships by user when userId is provided", async () => {
+    const { handle, findMany } = createHandle()
+
+    await groupRepository.findManyGroupMemberships(handle, "dotkom", "user-1")
+
+    expect(findMany).toHaveBeenCalledWith({
+      where: {
+        groupId: "dotkom",
+        userId: "user-1",
+      },
+      include: {
+        roles: {
+          include: {
+            role: true,
+          },
+        },
+      },
+    })
+  })
+})

apps/rpc/src/modules/group/__test__/group-router.spec.ts

@@ -0,0 +1,81 @@
+import type { DBHandle } from "@dotkomonline/db"
+import type { TRPCContext } from "../../../trpc"
+import { groupRouter } from "../group-router"
+
+describe("group router service forwarding", () => {
+  it("routes anonymous non-Hovedstyret getMembers to getLeaders", async () => {
+    const txHandle = {} as DBHandle
+    const groupService = {
+      getLeaders: vi.fn().mockResolvedValue([]),
+      getMembers: vi.fn(),
+      getMember: vi.fn(),
+    }
+
+    const ctx = {
+      principal: null,
+      prisma: {
+        $transaction: vi.fn(async (fn: (handle: DBHandle) => Promise<unknown>) => await fn(txHandle)),
+      },
+      groupService,
+      addAuthorizationGuard: vi.fn(),
+    } as unknown as TRPCContext
+
+    const caller = groupRouter.createCaller(ctx)
+
+    await caller.getMembers("dotkom")
+
+    expect(groupService.getLeaders).toHaveBeenCalledWith(txHandle, "dotkom")
+    expect(groupService.getMembers).not.toHaveBeenCalled()
+  })
+
+  it("routes anonymous Hovedstyret getMembers to getMembers", async () => {
+    const txHandle = {} as DBHandle
+    const groupService = {
+      getLeaders: vi.fn(),
+      getMembers: vi.fn().mockResolvedValue(new Map()),
+      getMember: vi.fn(),
+    }
+
+    const ctx = {
+      principal: null,
+      prisma: {
+        $transaction: vi.fn(async (fn: (handle: DBHandle) => Promise<unknown>) => await fn(txHandle)),
+      },
+      groupService,
+      addAuthorizationGuard: vi.fn(),
+    } as unknown as TRPCContext
+
+    const caller = groupRouter.createCaller(ctx)
+
+    await caller.getMembers("hs")
+
+    expect(groupService.getMembers).toHaveBeenCalledWith(txHandle, "hs")
+    expect(groupService.getLeaders).not.toHaveBeenCalled()
+  })
+
+  it("passes through group and user ids to getMember", async () => {
+    const txHandle = {} as DBHandle
+    const groupService = {
+      getMembers: vi.fn(),
+      getMember: vi.fn().mockResolvedValue({}),
+    }
+
+    const ctx = {
+      principal: {
+        subject: "user-1",
+        affiliations: new Map(),
+      },
+      prisma: {
+        $transaction: vi.fn(async (fn: (handle: DBHandle) => Promise<unknown>) => await fn(txHandle)),
+      },
+      groupService,
+      addAuthorizationGuard: vi.fn(),
+    } as unknown as TRPCContext
+
+    const caller = groupRouter.createCaller(ctx)
+
+    await caller.getMember({ groupId: "dotkom", userId: "user-1" })
+
+    expect(groupService.getMember).toHaveBeenCalledWith(txHandle, "dotkom", "user-1")
+  })
+})

apps/rpc/src/modules/group/__test__/group-service.spec.ts

@@ -1,14 +1,13 @@
-import { randomUUID } from "node:crypto"
 import type { S3Client } from "@aws-sdk/client-s3"
 import type { Group } from "@dotkomonline/types"
 import { PrismaClient } from "@prisma/client"
 import type { ManagementClient } from "auth0"
+import { randomUUID } from "node:crypto"
 import { getFeideGroupsRepository } from "src/modules/feide/feide-groups-repository"
 import { getMembershipService } from "src/modules/user/membership-service"
 import { getUserRepository } from "src/modules/user/user-repository"
 import { getUserService } from "src/modules/user/user-service"
 import { mockDeep } from "vitest-mock-extended"
-import { NotFoundError } from "../../../error"
 import { getGroupRepository } from "../group-repository"
 import { getGroupService } from "../group-service"
 
@@ -52,16 +51,20 @@ describe("GroupService", () => {
       showLeaderAsContact: false,
       recruitmentMethod: "AUTUMN_APPLICATION",
     }
-    const id = randomUUID()
+    vi.spyOn(groupRepository, "findBySlug")
+      .mockResolvedValueOnce(null)
+      .mockResolvedValueOnce({ ...group })
     vi.spyOn(groupRepository, "create").mockResolvedValueOnce({ ...group })
+    vi.spyOn(groupRepository, "createGroupRoles").mockResolvedValueOnce([])
+
     const created = await groupService.create(db, group)
-    expect(created).toEqual({ id, ...group })
-    expect(groupRepository.create).toHaveBeenCalledWith(db, group)
+    expect(created).toEqual(group)
+    expect(groupRepository.create).toHaveBeenCalledWith(db, "dotkom", group)
   })
 
   it("does not find non-existent committees", async () => {
     const id = randomUUID()
     vi.spyOn(groupRepository, "findBySlug").mockResolvedValueOnce(null)
-    await expect(async () => groupService.findBySlug(db, id)).rejects.toThrowError(NotFoundError)
+    await expect(groupService.findBySlug(db, id)).resolves.toBeNull()
   })
 })

apps/rpc/src/modules/group/group-repository.ts

@@ -2,13 +2,16 @@ import type { DBHandle } from "@dotkomonline/db"
 import {
   type Group,
   type GroupId,
+  type GroupMember,
+  GroupMemberSchema,
   type GroupMembership,
   type GroupMembershipId,
   GroupMembershipSchema,
   type GroupMembershipWrite,
   type GroupRole,
   type GroupRoleId,
   GroupRoleSchema,
+  type GroupRoleType,
   type GroupRoleWrite,
   GroupSchema,
   type GroupWrite,
@@ -42,6 +45,7 @@ export interface GroupRepository {
     groupRoleIds: Set<GroupRoleId>
   ): Promise<GroupMembership>
   findGroupMembershipById(handle: DBHandle, groupMembershipId: GroupMembershipId): Promise<GroupMembership | null>
+  findGroupMembersByRoleType(handle: DBHandle, groupSlug: GroupId, roleType: GroupRoleType): Promise<GroupMember[]>
   findManyGroupMemberships(handle: DBHandle, groupSlug: GroupId, userId?: UserId): Promise<GroupMembership[]>
 
   createGroupRoles(handle: DBHandle, groupRolesData: GroupRoleWrite[]): Promise<GroupRole[]>
@@ -257,9 +261,63 @@ export function getGroupRepository(): GroupRepository {
         : null
     },
 
+    async findGroupMembersByRoleType(handle, groupSlug, roleType) {
+      const users = await handle.user.findMany({
+        where: {
+          groupMemberships: {
+            some: {
+              groupId: groupSlug,
+              roles: {
+                some: {
+                  role: {
+                    type: roleType,
+                  },
+                },
+              },
+            },
+          },
+        },
+        include: {
+          memberships: true,
+          groupMemberships: {
+            where: {
+              groupId: groupSlug,
+              roles: {
+                some: {
+                  role: {
+                    type: roleType,
+                  },
+                },
+              },
+            },
+            include: {
+              roles: {
+                include: {
+                  role: true,
+                },
+              },
+            },
+          },
+        },
+      })
+
+      const groupMembers = users.map(({ groupMemberships, ...user }) => ({
+        ...user,
+        groupMembership: groupMemberships.map(({ roles, ...membership }) => ({
+          ...membership,
+          roles: roles.map((role) => role.role),
+        })),
+      }))
+
+      return parseOrReport(GroupMemberSchema.array(), groupMembers)
+    },
+
     async findManyGroupMemberships(handle, groupSlug, userId) {
       const memberships = await handle.groupMembership.findMany({
-        where: { groupId: groupSlug, ...(userId ? { userId } : {}) },
+        where: {
+          groupId: groupSlug,
+          ...(userId ? { userId } : {}),
+        },
         include: {
           roles: {
             include: {

apps/rpc/src/modules/group/group-router.ts

@@ -12,6 +12,7 @@ import { z } from "zod"
 import { hasGroupRole, isAdministrator, isCommitteeMember, isGroupMember, or } from "../../authorization"
 import { withAuditLogEntry, withAuthentication, withAuthorization, withDatabaseTransaction } from "../../middlewares"
 import { procedure, t } from "../../trpc"
+import { HOVEDSTYRET_GROUP_SLUG } from "../authorization-service"
 
 export type CreateGroupInput = inferProcedureInput<typeof createGroupProcedure>
 export type CreateGroupOutput = inferProcedureOutput<typeof createGroupProcedure>
@@ -133,7 +134,13 @@ export type GetMembersOutput = inferProcedureOutput<typeof getMembersProcedure>
 const getMembersProcedure = procedure
   .input(GroupSchema.shape.slug)
   .use(withDatabaseTransaction())
-  .query(async ({ input, ctx }) => ctx.groupService.getMembers(ctx.handle, input))
+  .query(async ({ input, ctx }) => {
+    // We only show leaders of groups to unathenticated users, except for Hovedstyret who is public
+    if (!ctx.principal && input !== HOVEDSTYRET_GROUP_SLUG) {
+      return ctx.groupService.getLeaders(ctx.handle, input)
+    }
+    return ctx.groupService.getMembers(ctx.handle, input)
+  })
 
 export type GetMemberInput = inferProcedureInput<typeof getMemberProcedure>
 export type GetMemberOutput = inferProcedureOutput<typeof getMemberProcedure>

apps/rpc/src/modules/group/group-service.ts

@@ -51,6 +51,7 @@ export interface GroupService {
 
   getMember(handle: DBHandle, groupSlug: GroupId, userId: UserId): Promise<GroupMember>
   getMembers(handle: DBHandle, groupSlug: GroupId): Promise<Map<UserId, GroupMember>>
+  getLeaders(handle: DBHandle, groupSlug: GroupId): Promise<Map<UserId, GroupMember>>
 
   startMembership(
     handle: DBHandle,
@@ -154,6 +155,19 @@ export function getGroupService(
       return group
     },
 
+    async getLeaders(handle, groupSlug) {
+      const leaders = await groupRepository.findGroupMembersByRoleType(handle, groupSlug, "LEADER")
+
+      if (leaders.length === 0) {
+        throw new NotFoundError(`Leaders for Group(ID=${groupSlug}) not found`)
+      }
+
+      return leaders.reduce((map, leader) => {
+        map.set(leader.id, leader)
+        return map
+      }, new Map<UserId, GroupMember>())
+    },
+
     async findMany(handle) {
       return groupRepository.findMany(handle)
     },