Feature: create invites that (optionally) cascade perms to children

Author: norrisng-bc

app/src/controllers/bucketPermission.js

@@ -1,4 +1,3 @@
-const { Permissions } = require('../components/constants');
 const errorToProblem = require('../components/errorToProblem');
 const utils = require('../db/models/utils');
 const {
@@ -18,26 +17,6 @@ const SERVICE = 'BucketPermissionService';
  */
 const controller = {
 
-  /**
-   * Gets all child bucket records for a given bucket, where the specified user
-   * has MANAGE permission on said child buckets.
-   * @param {string} parentBucketId bucket id of the parent bucket
-   * @param {string} userId user id
-   * @returns {Promise<object[]>} An array of bucket records that are children of the parent,
-   *                              where the user has MANAGE permissions.
-   */
-  async _getChildrenWithManagePerms(parentBucketId, userId) {
-
-    const parentBucket = await bucketService.read(parentBucketId);
-    const allChildren = await bucketService.searchChildBuckets(parentBucket, true, userId);
-
-    const filteredChildren = allChildren.filter(bucket =>
-      bucket.bucketPermission?.some(perm => perm.userId === userId && perm.permCode === Permissions.MANAGE)
-    );
-
-    return filteredChildren;
-  },
-
   /**
    * @function searchPermissions
    * Searches for bucket permissions
@@ -123,7 +102,7 @@ const controller = {
         // Only apply permissions to child buckets that currentUser can MANAGE
         // If the current user is SYSTEM_USER, apply permissions to all child buckets
         const childBuckets = currUserId !== SYSTEM_USER ?
-          await this._getChildrenWithManagePerms(currBucketId, currUserId) :
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
           await bucketService.searchChildBuckets(parentBucket, true, currUserId);
 
         const allBuckets = [parentBucket, ...childBuckets];
@@ -171,7 +150,7 @@ const controller = {
         // Only apply permissions to child buckets that currentUser can MANAGE
         // If the current user is SYSTEM_USER, apply permissions to all child buckets
         const childBuckets = currUserId !== SYSTEM_USER ?
-          await this._getChildrenWithManagePerms(currBucketId, currUserId) :
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
           await bucketService.searchChildBuckets(parentBucket, true, currUserId);
 
         const allBuckets = [parentBucket, ...childBuckets];

app/src/controllers/invite.js

@@ -3,7 +3,8 @@ const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 
 const { AuthType, Permissions, ResourceType } = require('../components/constants');
 const errorToProblem = require('../components/errorToProblem');
-const { addDashesToUuid, getCurrentIdentity } = require('../components/utils');
+const { addDashesToUuid, getCurrentIdentity, isTruthy } = require('../components/utils');
+const utils = require('../db/models/utils');
 const {
   bucketPermissionService,
   bucketService,
@@ -29,7 +30,6 @@ const controller = {
    */
   async createInvite(req, res, next) {
     let resource, type;
-
     try {
       // Reject if expiresAt is more than 30 days away
       const maxExpiresAt = Math.floor(Date.now() / 1000) + 2592000;
@@ -120,12 +120,13 @@ const controller = {
         type: type,
         expiresAt: req.body.expiresAt ? new Date(req.body.expiresAt * 1000).toISOString() : undefined,
         userId: userId,
-        permCodes: req.body.permCodes
+        permCodes: req.body.permCodes,
+        recursive: (req.body.bucketId && isTruthy(req.body.recursive)) ?? false
       });
       res.status(201).json(response.token);
     } catch (e) {
       if (e.statusCode === 404) {
-        next(errorToProblem(SERVICE, new Problem(409, {
+        next(errorToProblem(SERVICE, new Problem(404, {
           detail: `Resource type '${type}' not found`,
           instance: req.originalUrl,
           resource: resource
@@ -186,7 +187,7 @@ const controller = {
         await objectPermissionService.addPermissions(invite.resource,
           permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
       } else if (invite.type === ResourceType.BUCKET) {
-        // Check for object existence
+        // Check for bucket existence
         await bucketService.read(invite.resource).catch(() => {
           inviteService.delete(token);
           throw new Problem(409, {
@@ -196,14 +197,37 @@ const controller = {
           });
         });
 
-        // Grant invitation permission and cleanup
-        await bucketPermissionService.addPermissions(invite.resource,
-          permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
+        // Grant invitation permission
+        // if invite was for specified folder AND all subfolders
+        if (invite.recursive) {
+          const parentBucket = await bucketService.read(invite.resource);
+          // Only apply permissions to child buckets that inviter can MANAGE
+          // If the invite was created via basic auth, apply permissions to all child buckets
+          const childBuckets = invite.createdBy !== SYSTEM_USER ?
+            await bucketService.getChildrenWithManagePermissions(invite.resource, invite.createdBy) :
+            await bucketService.searchChildBuckets(parentBucket, true, invite.createdBy);
+
+          const allBuckets = [parentBucket, ...childBuckets];
+
+          await utils.trxWrapper(async (trx) => {
+            return await Promise.all(
+              allBuckets.map(b =>
+                bucketPermissionService.addPermissions(b.bucketId, permCodes.map(
+                  permCode => ({ userId, permCode })), invite.createdBy, trx)
+              )
+            );
+          });
+        }
+        // else not recursive
+        else {
+          await bucketPermissionService.addPermissions(invite.resource,
+            permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
+        }
       }
 
       // Cleanup invite on success
       inviteService.delete(token);
-      res.status(200).json({ resource: invite.resource, type: invite.type });
+      res.status(200).json({ resource: invite.resource, type: invite.type, recursive: invite.recursive });
     } catch (e) {
       if (e.statusCode === 404) {
         next(errorToProblem(SERVICE, new Problem(404, {

app/src/db/migrations/20250625000000_016-invite-cascade-child-buckets.js

@@ -0,0 +1,23 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return Promise.resolve()
+    // add recursive column to invite table
+    .then(() => knex.schema.alterTable('invite', table => {
+      table.boolean('recursive').notNullable().defaultTo(false);
+    }));
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return Promise.resolve()
+    // drop recursive column from invite table
+    .then(() => knex.schema.alterTable('invite', table => {
+      table.dropColumn('recursive');
+    }));
+};

app/src/db/models/tables/invite.js

@@ -23,6 +23,7 @@ class ObjectModel extends Timestamps(Model) {
         type: { type: 'string', enum: ['bucketId', 'objectId'] },
         expiresAt: { type: 'string', format: 'date-time' },
         permCodes: { type: 'array', items: { type: 'string' } },
+        recursive: { type: 'boolean' },
         ...stamps
       },
       additionalProperties: false

app/src/services/bucket.js

@@ -2,6 +2,7 @@ const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 
 const bucketPermissionService = require('./bucketPermission');
 const { Bucket } = require('../db/models');
+const { Permissions } = require('../components/constants');
 
 /**
  * The Bucket DB Service
@@ -173,6 +174,25 @@ const service = {
     }
   },
 
+  /**
+   * Gets all child bucket records for a given bucket, where the specified user
+   * has MANAGE permission on said child buckets.
+   * @param {string} parentBucketId bucket id of the parent bucket
+   * @param {string} userId user id
+   * @param {object} [etrx=undefined] An optional Objection Transaction object
+   * @returns {Promise<object[]>} An array of bucket records that are children of the parent,
+   *                              where the user has MANAGE permissions.
+   */
+  getChildrenWithManagePermissions: async (parentBucketId, userId, etrx = undefined) => {
+    const parentBucket = await service.read(parentBucketId);
+    const allChildren = await service.searchChildBuckets(parentBucket, true, userId, etrx);
+
+    const filteredChildren = allChildren.filter(bucket =>
+      bucket.bucketPermission?.some(perm => perm.userId === userId && perm.permCode === Permissions.MANAGE)
+    );
+    return filteredChildren;
+  },
+
   /**
    * @function searchBuckets
    * Search and filter for specific bucket records

app/src/services/invite.js

@@ -33,7 +33,8 @@ const service = {
         // if permCodes provided set as unique permCodes otherwise just ['READ']
         permCodes: data.permCodes ? Array.from(new Set(data.permCodes)) : ['READ'],
         expiresAt: data.expiresAt,
-        createdBy: data.userId ?? SYSTEM_USER
+        createdBy: data.userId ?? SYSTEM_USER,
+        recursive: data.recursive ?? false
       });
 
       if (!etrx) await trx.commit();

app/src/validators/invite.js

@@ -17,7 +17,7 @@ const schema = {
           then: Joi.array().items(...Object.values(InviteBucketAllowedPermissions)).min(1),
           otherwise: Joi.array().items(...Object.values(InviteObjectAllowedPermissions)).min(1)
         }),
-
+      recursive: type.truthy.optional() // TODO: make forbidden if body.objectId exists
     }).xor('bucketId', 'objectId'),
     query: Joi.object({
     })