diff --git a/README.md b/README.md index ff3f429..2b8f14b 100644 --- a/README.md +++ b/README.md @@ -96,8 +96,22 @@ npx prisma generate # TODO - add role to membership and have methods for changing role, making sure one owner etc (done) - remove @unique so users can have multiple accounts (done) -- add concept of 'current' account for user.. maybe put account on context or session. maybe just on DB...'current' boolean on membership? (done but app state is messy) +- add concept of 'current' account for user.. (done) - add max_notes property to plan and account as an example of a 'limit' property (done) - add spinup script somehow to create plans???.... should I use some sort of generator like sidebase? -- team invitation thingy -- integration with stripe including web hooks. \ No newline at end of file +- team invitation thingy (not required, admins can add new members to team) +- actions which mutate the current user account should update the context... service methods should maybe return whole user so it can be placed on context. +- integration with stripe including web hooks. + +# Admin Functions Scenario (shitty test) +Pre-condition +User 3 (encumbent id=3) - Owner of own single user account. Admin of Team account +User 4 (noob id = 4) - Owner of own single user account. + +User 3... +- joins user 4 to team account (expect user is a read only member of team account) +- upgrades user 4 to owner (should fail) +- upgrades user 4 to admin +- claims ownership of team account + + diff --git a/lib/services/user.account.service.ts b/lib/services/user.account.service.ts index 5d70778..fafb2ad 100644 --- a/lib/services/user.account.service.ts +++ b/lib/services/user.account.service.ts @@ -75,7 +75,8 @@ export default class UserAccountService { return this.prisma.membership.create({ data: { user_id: user_id, - account_id: account_id + account_id: account_id, + access: ACCOUNT_ACCESS.READ_ONLY }, include: { account: true diff --git a/pages/dashboard.vue b/pages/dashboard.vue index 5d95a11..4079731 100644 --- a/pages/dashboard.vue +++ b/pages/dashboard.vue @@ -17,9 +17,10 @@

Notes Dashboard

{{ note.note_text }}

- - - - + + + + + diff --git a/server/trpc/routers/user.account.router.ts b/server/trpc/routers/user.account.router.ts index 0952131..835a90e 100644 --- a/server/trpc/routers/user.account.router.ts +++ b/server/trpc/routers/user.account.router.ts @@ -1,5 +1,5 @@ import UserAccountService from '~~/lib/services/user.account.service'; -import { protectedProcedure, router } from '../trpc' +import { protectedProcedure, router, adminProcedure } from '../trpc' import { ACCOUNT_ACCESS } from '@prisma/client'; import { z } from 'zod'; @@ -10,7 +10,7 @@ export const userAccountRouter = router({ dbUser: ctx.dbUser, } }), - changeAccountPlan: protectedProcedure + changeAccountPlan: adminProcedure .input(z.object({ account_id: z.number(), plan_id: z.number() })) .query(async ({ ctx, input }) => { const uaService = new UserAccountService(ctx.prisma); @@ -19,16 +19,16 @@ export const userAccountRouter = router({ account, } }), - joinUserToAccount: protectedProcedure - .input(z.object({ account_id: z.number() })) + joinUserToAccount: adminProcedure + .input(z.object({ account_id: z.number(), user_id: z.number() })) .query(async ({ ctx, input }) => { const uaService = new UserAccountService(ctx.prisma); - const membership = (ctx.dbUser?.id)?await uaService.joinUserToAccount(ctx.dbUser?.id, input.account_id):null; + const membership = (ctx.dbUser?.id)?await uaService.joinUserToAccount(input.user_id, input.account_id):null; return { membership, } }), - changeUserAccessWithinAccount: protectedProcedure // TODO - should be protectedAdmin (i.e. ctx.dbUser.id should be admin within the session account) + changeUserAccessWithinAccount: adminProcedure .input(z.object({ user_id: z.number(), account_id: z.number(), access: z.enum([ACCOUNT_ACCESS.ADMIN, ACCOUNT_ACCESS.OWNER, ACCOUNT_ACCESS.READ_ONLY, ACCOUNT_ACCESS.READ_WRITE]) })) .query(async ({ ctx, input }) => { const uaService = new UserAccountService(ctx.prisma); @@ -37,7 +37,7 @@ export const userAccountRouter = router({ membership, } }), - claimOwnershipOfAccount: protectedProcedure // TODO - should be protectedAdmin (i.e. ctx.dbUser.id should be admin within the session account) + claimOwnershipOfAccount: adminProcedure .input(z.object({ account_id: z.number() })) .query(async ({ ctx, input }) => { const uaService = new UserAccountService(ctx.prisma); @@ -46,4 +46,4 @@ export const userAccountRouter = router({ membership, } }), -}) \ No newline at end of file +}) diff --git a/server/trpc/trpc.ts b/server/trpc/trpc.ts index 833ca92..6457352 100644 --- a/server/trpc/trpc.ts +++ b/server/trpc/trpc.ts @@ -9,6 +9,8 @@ */ import { initTRPC, TRPCError } from '@trpc/server' import { Context } from './context'; +import { z } from 'zod'; +import { ACCOUNT_ACCESS } from '@prisma/client'; const t = initTRPC.context().create() @@ -26,10 +28,27 @@ const isAuthed = t.middleware(({ next, ctx }) => { }); }); +const isAdminForInputAccountId = t.middleware(({ next, rawInput, ctx }) => { + if (!ctx.dbUser) { + throw new TRPCError({ code: 'UNAUTHORIZED' }); + } + const result = z.object({ account_id: z.number() }).safeParse(rawInput); + if (!result.success) throw new TRPCError({ code: 'BAD_REQUEST' }); + const { account_id } = result.data; + const test_membership = ctx.dbUser.memberships.find(membership => membership.account_id == account_id); + console.log(`isAdminForInputAccountId test_membership?.access:${test_membership?.access}`); + if(!test_membership || (test_membership?.access !== ACCOUNT_ACCESS.ADMIN && test_membership?.access !== ACCOUNT_ACCESS.OWNER)) { + throw new TRPCError({ code: 'UNAUTHORIZED' }); + } + + return next({ ctx }); +}); + /** * Unprotected procedure **/ export const publicProcedure = t.procedure; export const protectedProcedure = t.procedure.use(isAuthed); +export const adminProcedure = protectedProcedure.use(isAdminForInputAccountId); export const router = t.router; export const middleware = t.middleware; diff --git a/stores/app.store.ts b/stores/app.store.ts index 9ff96c3..b9b9f22 100644 --- a/stores/app.store.ts +++ b/stores/app.store.ts @@ -50,26 +50,26 @@ export const useAppStore = defineStore('app', { this.activeMembership.account = account.value.account; } }, - async joinUserToAccount(account_id: number){ + async joinUserToAccount(user_id: number){ if(!this.activeMembership) { return; } const { $client } = useNuxtApp(); - const { data: membership } = await $client.userAccount.joinUserToAccount.useQuery({account_id}); + const { data: membership } = await $client.userAccount.joinUserToAccount.useQuery({account_id: this.activeMembership.account_id, user_id}); if(membership.value?.membership){ this.activeMembership = membership.value.membership; } }, - async changeUserAccessWithinAccount(user_id: number,account_id: number, access: ACCOUNT_ACCESS){ + async changeUserAccessWithinAccount(user_id: number, access: ACCOUNT_ACCESS){ if(!this.activeMembership) { return; } const { $client } = useNuxtApp(); - const { data: membership } = await $client.userAccount.changeUserAccessWithinAccount.useQuery({user_id, account_id, access}); + const { data: membership } = await $client.userAccount.changeUserAccessWithinAccount.useQuery({account_id: this.activeMembership.account_id, user_id, access}); if(membership.value?.membership){ this.activeMembership = membership.value.membership; } }, - async claimOwnershipOfAccount(account_id: number){ + async claimOwnershipOfAccount(){ if(!this.activeMembership) { return; } const { $client } = useNuxtApp(); - const { data: membership } = await $client.userAccount.claimOwnershipOfAccount.useQuery({account_id}); + const { data: membership } = await $client.userAccount.claimOwnershipOfAccount.useQuery({account_id: this.activeMembership.account_id}); if(membership.value?.membership){ this.activeMembership = membership.value.membership; }