refactor admin functions in store to use active account - introduce admin middleware

2023-02-24 21:09:49 +11:00
parent f2b3a2617d
commit a341a641e8
6 changed files with 57 additions and 22 deletions
--- a/README.md
+++ b/README.md
@@ -96,8 +96,22 @@ npx prisma generate
 # TODO
 - add role to membership and have methods for changing role, making sure one owner etc (done)
 - remove @unique so users can have multiple accounts (done)
- add concept of 'current' account for user.. maybe put account on context or session. maybe just on DB...'current' boolean on membership? (done but app state is messy)
+- add concept of 'current' account for user.. (done)
 - add max_notes property to plan and account as an example of a 'limit' property (done)
 - add spinup script somehow to create plans???.... should I use some sort of generator like sidebase?
- team invitation thingy
+- team invitation thingy (not required, admins can add new members to team)
+- actions which mutate the current user account should update the context... service methods should maybe return whole user so it can be placed on context.
 - integration with stripe including web hooks.
+
+# Admin Functions Scenario (shitty test)
+Pre-condition
+User 3 (encumbent id=3) - Owner of own single user account.  Admin of Team account
+User 4 (noob id = 4) - Owner of own single user account.  
+
+User 3...
+- joins user 4 to team account (expect user is a read only member of team account)
+- upgrades user 4 to owner (should fail)
+- upgrades user 4 to admin
+- claims ownership of team account
+
+
--- a/lib/services/user.account.service.ts
+++ b/lib/services/user.account.service.ts
@@ -75,7 +75,8 @@ export default class UserAccountService {
    return this.prisma.membership.create({
      data: {
        user_id: user_id,
-        account_id: account_id
+        account_id: account_id,
+        access: ACCOUNT_ACCESS.READ_ONLY
      },
      include: {
        account: true
--- a/pages/dashboard.vue
+++ b/pages/dashboard.vue
@@ -17,9 +17,10 @@
    <h3>Notes Dashboard</h3>
    <p v-for="note in notes">{{ note.note_text }}</p>

-    <button @click.prevent="store.changeAccountPlan(2)">Change Account Plan to 2</button>
-    <button @click.prevent="store.joinUserToAccount(5)">Join user to account 5</button>
-    <button @click.prevent="store.changeUserAccessWithinAccount(4, 5, 'ADMIN')">Change user 4 access within account 5 to ADMIN</button>
-    <button @click.prevent="store.claimOwnershipOfAccount(5)">Claim Account 5 Ownership for current user</button>
+    <button @click.prevent="store.changeAccountPlan(2)">Change active Account Plan to 2</button>
+    <button @click.prevent="store.joinUserToAccount(4)">Join user 4 to active account</button>
+    <button @click.prevent="store.changeUserAccessWithinAccount(4, 'OWNER')">Change user 4 access within account 5 to OWNER (SHOULD FAIL)</button>
+    <button @click.prevent="store.changeUserAccessWithinAccount(4, 'ADMIN')">Change user 4 access within account 5 to ADMIN</button>
+    <button @click.prevent="store.claimOwnershipOfAccount()">Claim Account 5 Ownership for current user</button>
  </div>
 </template>
--- a/server/trpc/routers/user.account.router.ts
+++ b/server/trpc/routers/user.account.router.ts
@@ -1,5 +1,5 @@
 import UserAccountService from '~~/lib/services/user.account.service';
-import { protectedProcedure, router } from '../trpc'
+import { protectedProcedure, router, adminProcedure } from '../trpc'
 import { ACCOUNT_ACCESS } from '@prisma/client';
 import { z } from 'zod';

@@ -10,7 +10,7 @@ export const userAccountRouter = router({
        dbUser: ctx.dbUser,
      }
    }),  
-  changeAccountPlan: protectedProcedure
+  changeAccountPlan: adminProcedure
    .input(z.object({ account_id: z.number(), plan_id: z.number() }))
    .query(async ({ ctx, input }) => {
      const uaService = new UserAccountService(ctx.prisma);
@@ -19,16 +19,16 @@ export const userAccountRouter = router({
        account,
      }
    }),
-  joinUserToAccount: protectedProcedure
-    .input(z.object({ account_id: z.number() }))
+  joinUserToAccount: adminProcedure
+    .input(z.object({ account_id: z.number(), user_id: z.number() }))
    .query(async ({ ctx, input }) => {
      const uaService = new UserAccountService(ctx.prisma);
-      const membership = (ctx.dbUser?.id)?await uaService.joinUserToAccount(ctx.dbUser?.id, input.account_id):null;
+      const membership = (ctx.dbUser?.id)?await uaService.joinUserToAccount(input.user_id, input.account_id):null;
      return {
        membership,
      }
    }),
-  changeUserAccessWithinAccount: protectedProcedure // TODO - should be protectedAdmin (i.e. ctx.dbUser.id should be admin within the session account)
+  changeUserAccessWithinAccount: adminProcedure
    .input(z.object({ user_id: z.number(), account_id: z.number(), access: z.enum([ACCOUNT_ACCESS.ADMIN, ACCOUNT_ACCESS.OWNER, ACCOUNT_ACCESS.READ_ONLY, ACCOUNT_ACCESS.READ_WRITE]) }))
    .query(async ({ ctx, input }) => {
      const uaService = new UserAccountService(ctx.prisma);
@@ -37,7 +37,7 @@ export const userAccountRouter = router({
        membership,
      }
    }),
-  claimOwnershipOfAccount: protectedProcedure // TODO - should be protectedAdmin (i.e. ctx.dbUser.id should be admin within the session account)
+  claimOwnershipOfAccount: adminProcedure
    .input(z.object({ account_id: z.number() }))
    .query(async ({ ctx, input }) => {
      const uaService = new UserAccountService(ctx.prisma);
--- a/server/trpc/trpc.ts
+++ b/server/trpc/trpc.ts
@@ -9,6 +9,8 @@
 */
 import { initTRPC, TRPCError } from '@trpc/server'
 import { Context } from './context';
+import { z } from 'zod';
+import { ACCOUNT_ACCESS } from '@prisma/client';

 const t = initTRPC.context<Context>().create()

@@ -26,10 +28,27 @@ const isAuthed = t.middleware(({ next, ctx }) => {
  });
 });

+const isAdminForInputAccountId = t.middleware(({ next, rawInput, ctx }) => {
+  if (!ctx.dbUser) {
+    throw new TRPCError({ code: 'UNAUTHORIZED' });
+  }
+  const result = z.object({ account_id: z.number() }).safeParse(rawInput);
+  if (!result.success) throw new TRPCError({ code: 'BAD_REQUEST' });
+  const { account_id } = result.data;
+  const test_membership = ctx.dbUser.memberships.find(membership => membership.account_id == account_id);
+  console.log(`isAdminForInputAccountId  test_membership?.access:${test_membership?.access}`);
+  if(!test_membership || (test_membership?.access !== ACCOUNT_ACCESS.ADMIN && test_membership?.access !== ACCOUNT_ACCESS.OWNER)) {
+    throw new TRPCError({ code: 'UNAUTHORIZED' });
+  }
+  
+  return next({ ctx });
+});
+
 /**
 * Unprotected procedure
 **/
 export const publicProcedure = t.procedure;
 export const protectedProcedure = t.procedure.use(isAuthed);
+export const adminProcedure = protectedProcedure.use(isAdminForInputAccountId);
 export const router = t.router;
 export const middleware = t.middleware;
--- a/stores/app.store.ts
+++ b/stores/app.store.ts
@@ -50,26 +50,26 @@ export const useAppStore = defineStore('app', {
        this.activeMembership.account = account.value.account;
      }
    },
-    async joinUserToAccount(account_id: number){
+    async joinUserToAccount(user_id: number){
      if(!this.activeMembership) { return; }
      const { $client } = useNuxtApp();
-      const { data: membership } = await $client.userAccount.joinUserToAccount.useQuery({account_id});
+      const { data: membership } = await $client.userAccount.joinUserToAccount.useQuery({account_id: this.activeMembership.account_id, user_id});
      if(membership.value?.membership){
        this.activeMembership = membership.value.membership;
      }
    },
-    async changeUserAccessWithinAccount(user_id: number,account_id: number, access: ACCOUNT_ACCESS){
+    async changeUserAccessWithinAccount(user_id: number, access: ACCOUNT_ACCESS){
      if(!this.activeMembership) { return; }
      const { $client } = useNuxtApp();
-      const { data: membership } = await $client.userAccount.changeUserAccessWithinAccount.useQuery({user_id, account_id, access});
+      const { data: membership } = await $client.userAccount.changeUserAccessWithinAccount.useQuery({account_id: this.activeMembership.account_id, user_id, access});
      if(membership.value?.membership){
        this.activeMembership = membership.value.membership;
      }
    },
-    async claimOwnershipOfAccount(account_id: number){
+    async claimOwnershipOfAccount(){
      if(!this.activeMembership) { return; }
      const { $client } = useNuxtApp();
-      const { data: membership } = await $client.userAccount.claimOwnershipOfAccount.useQuery({account_id});
+      const { data: membership } = await $client.userAccount.claimOwnershipOfAccount.useQuery({account_id: this.activeMembership.account_id});
      if(membership.value?.membership){
        this.activeMembership = membership.value.membership;
      }