Enable collaborators

filiptronicek · filiptronicek · commit 6c5616c692ff · 2024-11-08T10:32:13.000Z
diff --git a/components/server/src/projects/projects-service.ts b/components/server/src/projects/projects-service.ts
@@ -62,8 +62,14 @@ export class ProjectsService {
         @inject(InstallationService) private readonly installationService: InstallationService,
     ) {}
 
-    async getProject(userId: string, projectId: string): Promise<Project> {
-        await this.auth.checkPermissionOnProject(userId, "read_info", projectId);
+    /**
+     * Returns a project by its ID.
+     * @param skipPermissionCheck useful either when the caller already checked permissions or when we need to do something purely server-side (e.g. looking up a project when starting a workspace by a collaborator)
+     */
+    async getProject(userId: string, projectId: string, skipPermissionCheck?: boolean): Promise<Project> {
+        if (!skipPermissionCheck) {
+            await this.auth.checkPermissionOnProject(userId, "read_info", projectId);
+        }
         const project = await this.projectDB.findProjectById(projectId);
         if (!project) {
             throw new ApplicationError(ErrorCodes.NOT_FOUND, `Project ${projectId} not found.`);
@@ -132,11 +138,18 @@ export class ProjectsService {
         return filteredProjects;
     }
 
-    async findProjectsByCloneUrl(userId: string, cloneUrl: string, organizationId?: string): Promise<Project[]> {
+    async findProjectsByCloneUrl(
+        userId: string,
+        cloneUrl: string,
+        organizationId?: string,
+        skipPermissionCheck?: boolean,
+    ): Promise<Project[]> {
         const projects = await this.projectDB.findProjectsByCloneUrl(cloneUrl, organizationId);
         const result: Project[] = [];
         for (const project of projects) {
-            if (await this.auth.hasPermissionOnProject(userId, "read_info", project.id)) {
+            const hasPermission =
+                skipPermissionCheck || (await this.auth.hasPermissionOnProject(userId, "read_info", project.id));
+            if (hasPermission) {
                 result.push(project);
             }
         }
diff --git a/components/server/src/workspace/context-service.ts b/components/server/src/workspace/context-service.ts
@@ -158,7 +158,9 @@ export class ContextService {
                 user.id,
                 context.repository.cloneUrl,
                 options?.organizationId,
+                true,
             );
+            // todo(ft): solve for this case with collaborators who can't select projects directly
             if (projects.length > 1) {
                 throw new ApplicationError(ErrorCodes.BAD_REQUEST, "Multiple projects found for clone URL.");
             }
diff --git a/components/server/src/workspace/suggested-repos-sorter.ts b/components/server/src/workspace/suggested-repos-sorter.ts
@@ -20,7 +20,7 @@ export const sortSuggestedRepositories = (repos: SuggestedRepositoryWithSorting[
     // This allows us to consider the lastUse of a recently used project when sorting
     // as it will may have an entry for the project (no lastUse), and another for recent workspaces (w/ lastUse)
 
-    const projectURLs: string[] = [];
+    let projectURLs: string[] = [];
     let uniqueRepositories: SuggestedRepositoryWithSorting[] = [];
 
     for (const repo of repos) {
@@ -88,7 +88,7 @@ export const sortSuggestedRepositories = (repos: SuggestedRepositoryWithSorting[
     uniqueRepositories = uniqueRepositories.map((repo) => {
         if (repo.projectId && !repo.projectName) {
             delete repo.projectId;
-            delete projectURLs[projectURLs.indexOf(repo.url)];
+            projectURLs = projectURLs.filter((url) => url !== repo.url);
         }
 
         return repo;
diff --git a/components/server/src/workspace/workspace-service.ts b/components/server/src/workspace/workspace-service.ts
@@ -819,7 +819,7 @@ export class WorkspaceService {
         }
 
         const projectPromise = workspace.projectId
-            ? ApplicationError.notFoundToUndefined(this.projectsService.getProject(user.id, workspace.projectId))
+            ? ApplicationError.notFoundToUndefined(this.projectsService.getProject(user.id, workspace.projectId, true))
             : Promise.resolve(undefined);
 
         await mayStartPromise;
diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
@@ -566,8 +566,8 @@ export class WorkspaceStarter {
             return;
         }
 
-        // implicit project (existing on the same clone URL)
-        const projects = await this.projectService.findProjectsByCloneUrl(user.id, contextURL, organizationId);
+        // implicit project (existing on the same clone URL). We skip the permission check so that collaborators are not stuck
+        const projects = await this.projectService.findProjectsByCloneUrl(user.id, contextURL, organizationId, true);
         if (projects.length === 0) {
             throw new ApplicationError(
                 ErrorCodes.PRECONDITION_FAILED,
@@ -1951,10 +1951,12 @@ export class WorkspaceStarter {
                 {},
             );
             if (isEnabledPrebuildFullClone) {
-                const project = await this.projectService.getProject(user.id, workspace.projectId).catch((err) => {
-                    log.error("failed to get project", err);
-                    return undefined;
-                });
+                const project = await this.projectService
+                    .getProject(user.id, workspace.projectId, true)
+                    .catch((err) => {
+                        log.error("failed to get project", err);
+                        return undefined;
+                    });
                 if (project && project.settings?.prebuilds?.cloneSettings?.fullClone) {
                     result.setFullClone(true);
                 }
diff --git a/components/spicedb/schema/schema.yaml b/components/spicedb/schema/schema.yaml
@@ -92,7 +92,7 @@ schema: |-
       permission read_billing = member + owner + installation->admin
       permission write_billing = owner + installation->admin
 
-      permission read_prebuild = member + owner + installation->admin
+      permission read_prebuild = collaborator + member + owner + installation->admin
 
       permission create_workspace = member + collaborator
 
@@ -118,7 +118,7 @@ schema: |-
       permission write_info = editor + org->owner + org->installation_admin
       permission delete = editor + org->owner + org->installation_admin
 
-      permission read_env_var = viewer + editor + org->owner + org->installation_admin
+      permission read_env_var = viewer + editor + org->collaborator + org->owner + org->installation_admin
       permission write_env_var = editor + org->owner + org->installation_admin
 
       permission read_prebuild = viewer + editor + org->owner + org->installation_admin

Original file line number	Diff line number	Diff line change
`@@ -819,7 +819,7 @@ export class WorkspaceService {`
`819`	`819`	`}`
`820`	`820`
`821`	`821`	`const projectPromise = workspace.projectId`
`822`		`- ? ApplicationError.notFoundToUndefined(this.projectsService.getProject(user.id, workspace.projectId))`
	`822`	`+ ? ApplicationError.notFoundToUndefined(this.projectsService.getProject(user.id, workspace.projectId, true))`
`823`	`823`	`: Promise.resolve(undefined);`
`824`	`824`
`825`	`825`	`await mayStartPromise;`