Sign upLogin

NodeBB/NodeBB

View on GitHub
Star
src/api/groups.js

Summary

Maintainability
A
2 hrs
Test Coverage
'use strict';

const validator = require('validator');

const privileges = require('../privileges');
const events = require('../events');
const groups = require('../groups');
const user = require('../user');
const meta = require('../meta');
const notifications = require('../notifications');
const slugify = require('../slugify');

const groupsAPI = module.exports;

groupsAPI.list = async (caller, data) => {
    const groupsPerPage = 10;
    const start = parseInt(data.after || 0, 10);
    const stop = start + groupsPerPage - 1;
    const groupData = await groups.getGroupsBySort(data.sort, start, stop);

    return { groups: groupData, nextStart: stop + 1 };
};

groupsAPI.create = async function (caller, data) {
    if (!caller.uid) {
        throw new Error('[[error:no-privileges]]');
    } else if (!data) {
        throw new Error('[[error:invalid-data]]');
    } else if (typeof data.name !== 'string' || groups.isPrivilegeGroup(data.name)) {
        throw new Error('[[error:invalid-group-name]]');
    }

    const canCreate = await privileges.global.can('group:create', caller.uid);
    if (!canCreate) {
        throw new Error('[[error:no-privileges]]');
    }
    data.ownerUid = caller.uid;
    data.system = false;
    const groupData = await groups.create(data);
    logGroupEvent(caller, 'group-create', {
        groupName: data.name,
    });

    return groupData;
};

groupsAPI.update = async function (caller, data) {
    if (!data) {
        throw new Error('[[error:invalid-data]]');
    }
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    await isOwner(caller, groupName);

    delete data.slug;
    await groups.update(groupName, data);

    return await groups.getGroupData(data.name || groupName);
};

groupsAPI.delete = async function (caller, data) {
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    await isOwner(caller, groupName);
    if (
        groups.systemGroups.includes(groupName) ||
        groups.ephemeralGroups.includes(groupName)
    ) {
        throw new Error('[[error:not-allowed]]');
    }

    await groups.destroy(groupName);
    logGroupEvent(caller, 'group-delete', {
        groupName: groupName,
    });
};

groupsAPI.listMembers = async (caller, data) => {
    // v4 wishlist — search should paginate (with lru caching I guess) to match index listing behaviour
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);

    await canSearchMembers(caller.uid, groupName);
    if (!await privileges.global.can('search:users', caller.uid)) {
        throw new Error('[[error:no-privileges]]');
    }

    const { query } = data;
    const after = parseInt(data.after || 0, 10);
    let response;
    if (query && query.length) {
        response = await groups.searchMembers({
            uid: caller.uid,
            query,
            groupName,
        });
        response.nextStart = null;
    } else {
        response = {
            users: await groups.getOwnersAndMembers(groupName, caller.uid, after, after + 19),
            nextStart: after + 20,
            matchCount: null,
            timing: null,
        };
    }

    return response;
};

async function canSearchMembers(uid, groupName) {
    const [isHidden, isMember, hasAdminPrivilege, isGlobalMod, viewGroups] = await Promise.all([
        groups.isHidden(groupName),
        groups.isMember(uid, groupName),
        privileges.admin.can('admin:groups', uid),
        user.isGlobalModerator(uid),
        privileges.global.can('view:groups', uid),
    ]);

    if (!viewGroups || (isHidden && !isMember && !hasAdminPrivilege && !isGlobalMod)) {
        throw new Error('[[error:no-privileges]]');
    }
}

groupsAPI.join = async function (caller, data) {
    if (!data) {
        throw new Error('[[error:invalid-data]]');
    }
    if (caller.uid <= 0 || !data.uid) {
        throw new Error('[[error:invalid-uid]]');
    }

    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    if (!groupName) {
        throw new Error('[[error:no-group]]');
    }

    const isCallerAdmin = await privileges.admin.can('admin:groups', caller.uid);
    if (!isCallerAdmin && (
        groups.systemGroups.includes(groupName) ||
        groups.isPrivilegeGroup(groupName)
    )) {
        throw new Error('[[error:not-allowed]]');
    }

    const [groupData, userExists] = await Promise.all([
        groups.getGroupData(groupName),
        user.exists(data.uid),
    ]);

    if (!userExists) {
        throw new Error('[[error:invalid-uid]]');
    }

    const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10);
    if (!meta.config.allowPrivateGroups && isSelf) {
        // all groups are public!
        await groups.join(groupName, data.uid);
        logGroupEvent(caller, 'group-join', {
            groupName: groupName,
            targetUid: data.uid,
        });
        return;
    }

    if (!isCallerAdmin && isSelf && groupData.private && groupData.disableJoinRequests) {
        throw new Error('[[error:group-join-disabled]]');
    }

    if ((!groupData.private && isSelf) || isCallerAdmin) {
        await groups.join(groupName, data.uid);
        logGroupEvent(caller, `group-${isSelf ? 'join' : 'add-member'}`, {
            groupName: groupName,
            targetUid: data.uid,
        });
    } else if (isSelf) {
        await groups.requestMembership(groupName, caller.uid);
        logGroupEvent(caller, 'group-request-membership', {
            groupName: groupName,
            targetUid: data.uid,
        });
    } else {
        throw new Error('[[error:not-allowed]]');
    }
};

groupsAPI.leave = async function (caller, data) {
    if (!data) {
        throw new Error('[[error:invalid-data]]');
    }
    if (caller.uid <= 0) {
        throw new Error('[[error:invalid-uid]]');
    }
    const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10);
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    if (!groupName) {
        throw new Error('[[error:no-group]]');
    }

    if (typeof groupName !== 'string') {
        throw new Error('[[error:invalid-group-name]]');
    }

    if (groupName === 'administrators' && isSelf) {
        throw new Error('[[error:cant-remove-self-as-admin]]');
    }

    const [groupData, isCallerOwner, userExists, isMember] = await Promise.all([
        groups.getGroupData(groupName),
        isOwner(caller, groupName, false),
        user.exists(data.uid),
        groups.isMember(data.uid, groupName),
    ]);

    if (!isMember) {
        throw new Error('[[error:group-not-member]]');
    }

    if (!userExists) {
        throw new Error('[[error:invalid-uid]]');
    }

    if (groupData.disableLeave && isSelf) {
        throw new Error('[[error:group-leave-disabled]]');
    }

    if (isSelf || isCallerOwner) {
        await groups.leave(groupName, data.uid);
    } else {
        throw new Error('[[error:no-privileges]]');
    }

    const { displayname } = await user.getUserFields(data.uid, ['username']);

    const notification = await notifications.create({
        type: 'group-leave',
        bodyShort: `[[groups:membership.leave.notification-title, ${displayname}, ${groupName}]]`,
        nid: `group:${validator.escape(groupName)}:uid:${data.uid}:group-leave`,
        path: `/groups/${slugify(groupName)}`,
        from: data.uid,
    });
    const uids = await groups.getOwners(groupName);
    await notifications.push(notification, uids);

    logGroupEvent(caller, `group-${isSelf ? 'leave' : 'kick'}`, {
        groupName: groupName,
        targetUid: data.uid,
    });
};

groupsAPI.grant = async (caller, data) => {
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    await isOwner(caller, groupName);

    await groups.ownership.grant(data.uid, groupName);
    logGroupEvent(caller, 'group-owner-grant', {
        groupName: groupName,
        targetUid: data.uid,
    });
};

groupsAPI.rescind = async (caller, data) => {
    const groupName = await groups.getGroupNameByGroupSlug(data.slug);
    await isOwner(caller, groupName);

    await groups.ownership.rescind(data.uid, groupName);
    logGroupEvent(caller, 'group-owner-rescind', {
        groupName,
        targetUid: data.uid,
    });
};

groupsAPI.getPending = async (caller, { slug }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);
    await isOwner(caller, groupName);

    return await groups.getPending(groupName);
};

groupsAPI.accept = async (caller, { slug, uid }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);

    await isOwner(caller, groupName);
    const isPending = await groups.isPending(uid, groupName);
    if (!isPending) {
        throw new Error('[[error:group-user-not-pending]]');
    }

    await groups.acceptMembership(groupName, uid);
    logGroupEvent(caller, 'group-accept-membership', {
        groupName,
        targetUid: uid,
    });
};

groupsAPI.reject = async (caller, { slug, uid }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);

    await isOwner(caller, groupName);
    const isPending = await groups.isPending(uid, groupName);
    if (!isPending) {
        throw new Error('[[error:group-user-not-pending]]');
    }

    await groups.rejectMembership(groupName, uid);
    logGroupEvent(caller, 'group-reject-membership', {
        groupName,
        targetUid: uid,
    });
};

groupsAPI.getInvites = async (caller, { slug }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);
    await isOwner(caller, groupName);

    return await groups.getInvites(groupName);
};

groupsAPI.issueInvite = async (caller, { slug, uid }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);
    await isOwner(caller, groupName);

    await groups.invite(groupName, uid);
    logGroupEvent(caller, 'group-invite', {
        groupName,
        targetUid: uid,
    });
};

groupsAPI.acceptInvite = async (caller, { slug, uid }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);

    // Can only be called by the invited user
    const invited = await groups.isInvited(uid, groupName);
    if (caller.uid !== parseInt(uid, 10)) {
        throw new Error('[[error:not-allowed]]');
    }
    if (!invited) {
        throw new Error('[[error:not-invited]]');
    }

    await groups.acceptMembership(groupName, uid);
    logGroupEvent(caller, 'group-invite-accept', { groupName });
};

groupsAPI.rejectInvite = async (caller, { slug, uid }) => {
    const groupName = await groups.getGroupNameByGroupSlug(slug);

    // Can be called either by invited user, or group owner
    const owner = await isOwner(caller, groupName, false);
    const invited = await groups.isInvited(uid, groupName);

    if (!owner && caller.uid !== parseInt(uid, 10)) {
        throw new Error('[[error:not-allowed]]');
    }
    if (!invited) {
        throw new Error('[[error:not-invited]]');
    }

    await groups.rejectMembership(groupName, uid);
    if (!owner) {
        logGroupEvent(caller, 'group-invite-reject', { groupName });
    }
};

async function isOwner(caller, groupName, throwOnFalse = true) {
    if (typeof groupName !== 'string') {
        throw new Error('[[error:invalid-group-name]]');
    }
    const [hasAdminPrivilege, isGlobalModerator, isOwner, group] = await Promise.all([
        privileges.admin.can('admin:groups', caller.uid),
        user.isGlobalModerator(caller.uid),
        groups.ownership.isOwner(caller.uid, groupName),
        groups.getGroupData(groupName),
    ]);

    const check = isOwner || hasAdminPrivilege || (isGlobalModerator && !group.system);
    if (!check && throwOnFalse) {
        throw new Error('[[error:no-privileges]]');
    }

    return check;
}

function logGroupEvent(caller, event, additional) {
    events.log({
        type: event,
        uid: caller.uid,
        ip: caller.ip,
        ...additional,
    });
}