Account Management API: Added new /api/v2/projects/update API route to edit project title, name, and/or description on behalf of a particular account. Updated /api/v2/projects/get to return project name field.

Author: schrodingersket

src/packages/next/lib/api/schema/projects/update.ts

@@ -0,0 +1,47 @@
+import { z } from "../../framework";
+
+import { FailedAPIOperationSchema, OkAPIOperationSchema } from "../common";
+
+import { ProjectIdSchema } from "./common";
+
+// OpenAPI spec
+//
+export const UpdateProjectInputSchema = z
+  .object({
+    project_id: ProjectIdSchema,
+    title: z
+      .string()
+      .describe(
+        `The short title of the project. Should use no special formatting, except 
+         hashtags.`,
+      )
+      .optional(),
+    description: z
+      .string()
+      .describe(
+        `A longer textual description of the project. This can include hashtags and should 
+         be formatted using markdown.`,
+      )
+      .optional(),
+    name: z
+      .string()
+      .describe(
+        `The optional name of this project. Must be globally unique (up to case) across 
+         all projects with a given *owner*. It can be between 1 and 100 characters from 
+         a-z A-Z 0-9 period and dash.`,
+      )
+      .optional(),
+  })
+  .describe(
+    `Update an existing project's title, name, and/or description. If the API client is an 
+     admin, they may act on any project. Otherwise, the client may only update projects 
+     for which they are listed as owners.`,
+  );
+
+export const UpdateProjectOutputSchema = z.union([
+  FailedAPIOperationSchema,
+  OkAPIOperationSchema,
+]);
+
+export type UpdateProjectInput = z.infer<typeof UpdateProjectInputSchema>;
+export type UpdateProjectOutput = z.infer<typeof UpdateProjectOutputSchema>;

src/packages/next/pages/api/v2/accounts/set-name.ts

@@ -9,14 +9,16 @@ import getAccountId from "lib/account/get-account";
 import getParams from "lib/api/get-params";
 
 import { apiRoute, apiRouteOperation } from "lib/api";
+import { SuccessStatus } from "lib/api/status";
 import {
   SetAccountNameInputSchema,
   SetAccountNameOutputSchema,
 } from "lib/api/schema/accounts/set-name";
 
 async function handle(req, res) {
   try {
-    res.json(await get(req));
+    await get(req);
+    res.json(SuccessStatus);
   } catch (err) {
     res.json({ error: `${err.message ? err.message : err}` });
     return;

src/packages/next/pages/api/v2/projects/update.ts

@@ -0,0 +1,74 @@
+/*
+Set project title, description, etc.
+*/
+
+import userIsInGroup from "@cocalc/server/accounts/is-in-group";
+import setProject from "@cocalc/server/projects/set-one";
+
+import getAccountId from "lib/account/get-account";
+import getParams from "lib/api/get-params";
+
+import { OkStatus } from "lib/api/status";
+import { apiRoute, apiRouteOperation } from "lib/api";
+import {
+  UpdateProjectInputSchema,
+  UpdateProjectOutputSchema,
+} from "lib/api/schema/projects/update";
+
+async function handle(req, res) {
+  try {
+    await get(req);
+    res.json(OkStatus);
+  } catch (err) {
+    res.json({ error: `${err.message ? err.message : err}` });
+    return;
+  }
+}
+
+async function get(req) {
+  const client_account_id = await getAccountId(req);
+
+  if (client_account_id == null) {
+    throw Error("Must be signed in to update project.");
+  }
+
+  const { title, description, name, project_id } = getParams(req);
+
+  // If the API client is an admin, they may act on any project. Otherwise, the client may
+  // only update projects for which they are listed as owners.
+  //
+  const acting_account_id = (await userIsInGroup(client_account_id, "admin"))
+    ? undefined
+    : client_account_id;
+
+  return setProject({
+    acting_account_id,
+    project_id,
+    project_update: {
+      title,
+      description,
+      name,
+    },
+  });
+}
+
+export default apiRoute({
+  update: apiRouteOperation({
+    method: "POST",
+    openApiOperation: {
+      tags: ["Projects", "Admin"],
+    },
+  })
+    .input({
+      contentType: "application/json",
+      body: UpdateProjectInputSchema,
+    })
+    .outputs([
+      {
+        status: 200,
+        contentType: "application/json",
+        body: UpdateProjectOutputSchema,
+      },
+    ])
+    .handler(handle),
+});

src/packages/server/projects/get.ts

@@ -7,14 +7,21 @@
 import getPool from "@cocalc/database/pool";
 import { isValidUUID } from "@cocalc/util/misc";
 
+export interface DBProject {
+  project_id: string;
+  title?: string;
+  description?: string;
+  name?: string;
+}
+
 // I may add more fields and more options later...
 export default async function getProjects({
   account_id,
   limit = 50,
 }: {
   account_id: string;
   limit?: number;
-}): Promise<{ project_id: string; title?: string; description?: string }[]> {
+}): Promise<DBProject[]> {
   if (!isValidUUID(account_id)) {
     throw Error("account_id must be a UUIDv4");
   }
@@ -23,8 +30,8 @@ export default async function getProjects({
   }
   const pool = getPool();
   const { rows } = await pool.query(
-    `SELECT project_id, title, description FROM projects WHERE DELETED IS NOT true AND users ? $1 AND (users#>>'{${account_id},hide}')::BOOLEAN IS NOT TRUE ORDER BY last_edited DESC LIMIT $2`,
-    [account_id, limit]
+    `SELECT project_id, title, description, name FROM projects WHERE DELETED IS NOT true AND users ? $1 AND (users#>>'{${account_id},hide}')::BOOLEAN IS NOT TRUE ORDER BY last_edited DESC LIMIT $2`,
+    [account_id, limit],
   );
   return rows;
 }

src/packages/server/projects/set-one.ts

@@ -0,0 +1,75 @@
+/* Updates an existing project's name, title, and/or description. May be
+   restricted such that the query is executed as though by a specific account_id.
+*/
+
+import getPool from "@cocalc/database/pool";
+import { isValidUUID } from "@cocalc/util/misc";
+
+import { DBProject } from "./get";
+
+export default async function setProject({
+  project_id,
+  project_update,
+  acting_account_id,
+}: {
+  project_id: string;
+  project_update: Omit<DBProject, "project_id">;
+
+  // If this parameter is NOT provided, the specified project will be updated
+  // with NO authorization checks.
+  //
+  // If this parameter IS provided, this function will execute the project update query as
+  // though the account id below had made the request; this has the effect of enforcing an
+  // authorization check that the acting account is allowed to modify the desired project.
+  //
+  acting_account_id?: string;
+}): Promise<DBProject | undefined> {
+  // Filter out any provided fields which are null or undefined (but allow empty strings)
+  // and convert parameter map to an ordered array.
+  //
+  const updateFields = Object.entries(project_update).filter(
+    ([_, v]) => v ?? false,
+  );
+
+  if (!updateFields.length) {
+    return;
+  }
+
+  // Create query param array and append project_id
+  //
+  const queryParams = updateFields.map(([k, v]) => v);
+  queryParams.push(project_id);
+
+  const updateSubQuery = updateFields
+    .map(([k, v], i) => `${k}=$${i + 1}`)
+    .join(",");
+
+  let query = `UPDATE projects SET ${updateSubQuery} WHERE project_id=$${queryParams.length} AND deleted IS NOT TRUE`;
+
+  // If acting_account_id is provided, we restrict the projects which may be updated
+  // to those for which the corresponding account is listed as an owner.
+  //
+  if (acting_account_id) {
+    if (!isValidUUID(acting_account_id)) {
+      throw Error("acting_account_id must be a UUIDv4");
+    }
+
+    queryParams.push(acting_account_id);
+
+    // TODO: Update this to execute only on owned projects.
+    //
+    query += ` AND users ? $${queryParams.length} AND (users#>>'{${acting_account_id},hide}')::BOOLEAN IS NOT TRUE`;
+  }
+
+  // Return updated fields
+  //
+  query += `RETURNING project_id, title, description, name`;
+
+  // Execute query
+  //
+  const pool = getPool();
+  const queryResult = await pool.query(query, queryParams);
+  console.log(queryResult);
+  const { rows } = queryResult;
+  return rows?.[0];
+}