Minor guests fixes (#8945)

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
2025-05-19 22:07:32 +00:00 · 2025-05-15 20:13:01 +05:00 · 2025-05-15 20:13:01 +05:00 · afca633175
commit afca633175
parent 259b3ff921
11 changed files with 51 additions and 21 deletions
--- a/models/time/src/index.ts
+++ b/models/time/src/index.ts
@ -27,7 +27,8 @@ import {
  type Timestamp,
  type Type,
  DateRangeMode,
-  IndexKind
+  IndexKind,
+  AccountRole
 } from '@hcengineering/core'
 import lead from '@hcengineering/lead'
 import {
@ -194,6 +195,7 @@ export function createModel (builder: Builder): void {
    {
      label: time.string.Planner,
      icon: calendarPlugin.icon.Calendar,
+      accessLevel: AccountRole.User,
      alias: timeId,
      hidden: false,
      position: 'top',
@ -208,6 +210,7 @@ export function createModel (builder: Builder): void {
    {
      label: time.string.Team,
      icon: time.icon.Team,
+      accessLevel: AccountRole.User,
      alias: 'team',
      hidden: false,
      component: time.component.Team
--- a/plugins/contact-resources/src/components/AccountArrayEditor.svelte
+++ b/plugins/contact-resources/src/components/AccountArrayEditor.svelte
@ -132,7 +132,7 @@
 </script>

 <UserBoxList
-  _class={!allowGuests ? contact.mixin.Employee : contact.class.Person}
+  _class={contact.mixin.Employee}
  items={employees}
  {label}
  {emptyLabel}
--- a/plugins/contact-resources/src/components/PersonIdArrayEditor.svelte
+++ b/plugins/contact-resources/src/components/PersonIdArrayEditor.svelte
@ -133,7 +133,7 @@
 </script>

 <UserBoxList
-  _class={!allowGuests ? contact.mixin.Employee : contact.class.Person}
+  _class={contact.mixin.Employee}
  items={employees}
  {label}
  {emptyLabel}
--- a/plugins/login-resources/src/components/Join.svelte
+++ b/plugins/login-resources/src/components/Join.svelte
@ -115,7 +115,7 @@
    if (location.query?.inviteId === undefined || location.query?.inviteId === null) return
    status = new Status(Severity.INFO, login.status.ConnectingToServer, {})

-    const [, result] = await checkJoined(location.query.inviteId)
+    const result = await checkJoined(location.query.inviteId)
    status = OK
    if (result != null) {
      setLoginInfo(result)
--- a/plugins/login-resources/src/utils.ts
+++ b/plugins/login-resources/src/utils.ts
@ -491,26 +491,18 @@ export function navigateToWorkspace (
  }
 }

-export async function checkJoined (inviteId: string): Promise<[Status, WorkspaceLoginInfo | null]> {
+export async function checkJoined (inviteId: string): Promise<WorkspaceLoginInfo | undefined> {
  const token = getMetadata(presentation.metadata.Token)

-  if (token == null) {
-    const loginInfo = await getAccountClient().getLoginInfoByToken()
-    if (loginInfo.token == null) {
-      return [unknownStatus('Please login'), null]
-    }
-  }
+  if (token == null) return

  try {
    const workspaceLoginInfo = await getAccountClient(token).checkJoin(inviteId)

-    return [OK, workspaceLoginInfo]
+    return workspaceLoginInfo
  } catch (err: any) {
-    if (err instanceof PlatformError) {
-      return [err.status, null]
-    } else {
+    if (!(err instanceof PlatformError)) {
      Analytics.handleError(err)
-      return [unknownError(err), null]
    }
  }
 }
--- a/server-plugins/calendar-resources/src/index.ts
+++ b/server-plugins/calendar-resources/src/index.ts
@ -110,6 +110,9 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise<
      )
    )[0]
    if (employee?.personUuid === undefined) continue
+    if (employee.role === 'GUEST') {
+      continue
+    }

    result.push(...(await createCalendar(control, employee.personUuid, socialId, socialId)))
  }
--- a/server-plugins/contact-resources/src/index.ts
+++ b/server-plugins/contact-resources/src/index.ts
@ -102,11 +102,13 @@ export async function OnEmployeeCreate (_txes: Tx[], control: TriggerControl): P
    const account = person?.personUuid as AccountUuid
    if (account === undefined) continue

-    const spaces = await control.findAll(control.ctx, core.class.Space, { autoJoin: true })
-
    const txes = await createPersonSpace(account, mixinTx.objectId, control)
    result.push(...txes)

+    const emp = control.hierarchy.as(person, contact.mixin.Employee)
+    if (emp.role === 'GUEST') continue
+
+    const spaces = await control.findAll(control.ctx, core.class.Space, { autoJoin: true })
    for (const space of spaces) {
      if (space.members.includes(account)) continue

--- a/server-plugins/hr-resources/src/index.ts
+++ b/server-plugins/hr-resources/src/index.ts
@ -218,6 +218,8 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise<
      continue
    }

+    if (employee.role === 'GUEST') continue
+
    result.push(
      control.txFactory.createTxMixin(ctx.objectId, ctx.objectClass, ctx.objectSpace, hr.mixin.Staff, {
        department: hr.ids.Head
--- a/server-plugins/love-resources/src/index.ts
+++ b/server-plugins/love-resources/src/index.ts
@ -70,6 +70,15 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise<
    if (val === undefined) {
      continue
    }
+    const user = (
+      await control.findAll(control.ctx, contact.mixin.Employee, { _id: actualTx.objectId as Ref<Employee> })
+    )[0]
+    if (user === undefined) {
+      continue
+    }
+    if (user.role === 'GUEST') {
+      continue
+    }
    if (val) {
      const freeRoom = (await control.findAll(control.ctx, love.class.Office, { person: null }))[0]
      if (freeRoom !== undefined) {
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@ -371,6 +371,23 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
    }
  }

+  private isForbiddenGuestTx (tx: TxCUD<Space>): boolean {
+    if (tx._class === core.class.TxRemoveDoc) return true
+    if (tx._class === core.class.TxCreateDoc) return false
+    if (tx._class === core.class.TxUpdateDoc) {
+      const updateTx = tx as TxUpdateDoc<Space>
+      const ops = updateTx.operations
+      const keys = ['members', 'private', 'archived', 'owners', 'autoJoin']
+      if (keys.some((key) => (ops as any)[key] !== undefined)) {
+        return true
+      }
+      if (ops.$push !== undefined || ops.$pull !== undefined) {
+        return true
+      }
+    }
+    return false
+  }
+
  private async processTx (ctx: MeasureContext<SessionData>, tx: Tx): Promise<void> {
    const h = this.context.hierarchy
    if (TxProcessor.isExtendsCUD(tx._class)) {
@ -379,7 +396,9 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
      if (isSpace) {
        const account = ctx.contextData.account
        if (account.role === AccountRole.Guest) {
-          throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+          if (this.isForbiddenGuestTx(cudTx as TxCUD<Space>)) {
+            throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+          }
        }
        await this.handleTx(ctx, cudTx as TxCUD<Space>)
      }
--- a/services/calendar/pod-calendar/src/main.ts
+++ b/services/calendar/pod-calendar/src/main.ts
@ -54,12 +54,12 @@ export const main = async (): Promise<void> => {
      )
  })

-  const accountClient = getAccountClient(getServiceToken())
-
  setMetadata(serverClient.metadata.Endpoint, config.AccountsURL)
  setMetadata(serverClient.metadata.UserAgent, config.ServiceID)
  setMetadata(serverToken.metadata.Secret, config.Secret)

+  const accountClient = getAccountClient(getServiceToken())
+
  const pushHandler = new PushHandler(ctx, accountClient)
  const calendarController = CalendarController.getCalendarController(ctx, accountClient)
  await calendarController.startAll()