Account Management API: Updated the /api/v2/projects/update API route to use userQuery instead of a constructed SQL query.

Author: schrodingersket

src/packages/next/lib/api/schema/projects/update.ts

@@ -3,11 +3,16 @@ import { z } from "../../framework";
 import { FailedAPIOperationSchema, OkAPIOperationSchema } from "../common";
 
 import { ProjectIdSchema } from "./common";
+import { AccountIdSchema } from "../accounts/common";
 
 // OpenAPI spec
 //
 export const UpdateProjectInputSchema = z
   .object({
+    account_id: AccountIdSchema.describe(
+      `**Administrators only**. If provided, this operation will be executed on behalf of 
+       the account corresponding to this id.`,
+    ).optional(),
     project_id: ProjectIdSchema,
     title: z
       .string()
@@ -35,7 +40,7 @@ export const UpdateProjectInputSchema = z
   .describe(
     `Update an existing project's title, name, and/or description. If the API client is an 
      admin, they may act on any project. Otherwise, the client may only update projects 
-     for which they are listed as owners.`,
+     for which they are listed as collaborators.`,
   );
 
 export const UpdateProjectOutputSchema = z.union([

src/packages/next/pages/api/v2/accounts/set-name.ts

@@ -36,7 +36,9 @@ async function get(req) {
 
   // This user MUST be an admin:
   if (account_id && !(await userIsInGroup(client_account_id, "admin"))) {
-    throw Error("Only admins are authorized to specify an account id.");
+    throw Error(
+      "The `account_id` field may only be specified by account administrators.",
+    );
   }
 
   return userQuery({

src/packages/next/pages/api/v2/projects/update.ts

@@ -32,17 +32,20 @@ async function get(req) {
     throw Error("Must be signed in to update project.");
   }
 
-  const { title, description, name, project_id } = getParams(req);
+  const { account_id, project_id, title, description, name } = getParams(req);
 
-  // If the API client is an admin, they may act on any project. Otherwise, the client may
-  // only update projects for which they are listed as owners.
+  // If the API client is an admin, they may act on any project on behalf of any account.
+  // Otherwise, the client may only update projects for which they are listed as
+  // collaborators.
   //
-  const acting_account_id = (await userIsInGroup(client_account_id, "admin"))
-    ? undefined
-    : client_account_id;
+  if (account_id && !(await userIsInGroup(client_account_id, "admin"))) {
+    throw Error(
+      "The `account_id` field may only be specified by account administrators.",
+    );
+  }
 
   return setProject({
-    acting_account_id,
+    acting_account_id: account_id || client_account_id,
     project_id,
     project_update: {
       title,

src/packages/server/projects/set-one.ts

@@ -1,75 +1,38 @@
 /* Updates an existing project's name, title, and/or description. May be
    restricted such that the query is executed as though by a specific account_id.
-*/
 
-import getPool from "@cocalc/database/pool";
-import { isValidUUID } from "@cocalc/util/misc";
+   This function is simply a wrapper around the userQuery function.
+*/
+import userQuery from "@cocalc/database/user-query";
 
 import { DBProject } from "./get";
 
 export default async function setProject({
+  acting_account_id,
   project_id,
   project_update,
-  acting_account_id,
 }: {
+  // This function executes as though the account id below made the request; this has the
+  // effect of enforcing an authorization check that the acting account is allowed to
+  // modify the desired project.
+  //
+  acting_account_id: string;
   project_id: string;
   project_update: Omit<DBProject, "project_id">;
-
-  // If this parameter is NOT provided, the specified project will be updated
-  // with NO authorization checks.
-  //
-  // If this parameter IS provided, this function will execute the project update query as
-  // though the account id below had made the request; this has the effect of enforcing an
-  // authorization check that the acting account is allowed to modify the desired project.
-  //
-  acting_account_id?: string;
 }): Promise<DBProject | undefined> {
-  // Filter out any provided fields which are null or undefined (but allow empty strings)
-  // and convert parameter map to an ordered array.
-  //
-  const updateFields = Object.entries(project_update).filter(
-    ([_, v]) => v ?? false,
-  );
-
-  if (!updateFields.length) {
-    return;
-  }
-
-  // Create query param array and append project_id
-  //
-  const queryParams = updateFields.map(([k, v]) => v);
-  queryParams.push(project_id);
-
-  const updateSubQuery = updateFields
-    .map(([k, v], i) => `${k}=$${i + 1}`)
-    .join(",");
-
-  let query = `UPDATE projects SET ${updateSubQuery} WHERE project_id=$${queryParams.length} AND deleted IS NOT TRUE`;
-
-  // If acting_account_id is provided, we restrict the projects which may be updated
-  // to those for which the corresponding account is listed as an owner.
-  //
-  if (acting_account_id) {
-    if (!isValidUUID(acting_account_id)) {
-      throw Error("acting_account_id must be a UUIDv4");
-    }
-
-    queryParams.push(acting_account_id);
-
-    // TODO: Update this to execute only on owned projects.
-    //
-    query += ` AND users ? $${queryParams.length} AND (users#>>'{${acting_account_id},hide}')::BOOLEAN IS NOT TRUE`;
-  }
-
-  // Return updated fields
-  //
-  query += `RETURNING project_id, title, description, name`;
-
-  // Execute query
-  //
-  const pool = getPool();
-  const queryResult = await pool.query(query, queryParams);
-  console.log(queryResult);
-  const { rows } = queryResult;
-  return rows?.[0];
+  const { description, title, name } = project_update;
+  return userQuery({
+    account_id: acting_account_id,
+    query: {
+      projects: {
+        // Any provided values must be non-empty in order for userQuery to SET values
+        // instead of fetching them.
+        //
+        project_id,
+        ...(name && { name }),
+        ...(title && { title }),
+        ...(description && { description }),
+      },
+    },
+  });
 }