Fix permissions for mixins/tags (#10294)

* Fix permissions for mixins/tags

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>

* Fix

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>

---------

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>

Author: BykhovDenis

foundations/server/packages/middleware/src/spacePermissions.ts

@@ -174,10 +174,10 @@ export class SpacePermissionsMiddleware extends BaseMiddleware implements Middle
     const permissions = this.permissionsBySpace[space]?.[account.uuid] ?? []
     let withoutMatch: Permission | undefined
     for (const permission of permissions) {
-      if (permission.txClass === undefined || permission.txClass !== tx._class) continue
+      if (!isTxClassMatched(tx, permission)) continue
       if (
         permission.objectClass !== undefined &&
-        !this.context.hierarchy.isDerived(tx.objectClass, permission.objectClass)
+        !this.context.hierarchy.isDerived(getTxObjectClass(tx), permission.objectClass)
       ) {
         continue
       }
@@ -203,12 +203,13 @@ export class SpacePermissionsMiddleware extends BaseMiddleware implements Middle
 
     if (this.restrictedSpaces.has(space)) {
       const attachedDocAncestors = this.context.hierarchy.getAncestors(core.class.AttachedDoc)
-      const ancestors = this.context.hierarchy.getAncestors(tx.objectClass)
+      const ancestors = this.context.hierarchy.getAncestors(getTxObjectClass(tx))
       const targetAncestors = ancestors.filter((a) => !attachedDocAncestors.includes(a))
+      const txClass = getTxClass(tx)
 
       const permissions = this.context.modelDb.findAllSync(core.class.Permission, {
         objectClass: { $in: targetAncestors },
-        txClass: tx._class
+        txClass
       })
       const matched = permissions.filter((p) => {
         if (p.txMatch === undefined) return false
@@ -460,3 +461,20 @@ export class SpacePermissionsMiddleware extends BaseMiddleware implements Middle
     }
   }
 }
+
+function getTxClass (tx: Tx): Ref<Class<Tx>> {
+  let _class = tx._class
+  if (tx._class === core.class.TxMixin && Object.keys((tx as TxMixin<Doc, Doc>).attributes).length > 0) {
+    _class = core.class.TxUpdateDoc
+  }
+  return _class
+}
+
+function isTxClassMatched (tx: Tx, permission: Permission): boolean {
+  const txClass = getTxClass(tx)
+  return permission.txClass === txClass
+}
+
+function getTxObjectClass (tx: TxCUD<Doc>): Ref<Class<Doc>> {
+  return tx._class === core.class.TxMixin ? (tx as TxMixin<Doc, Doc>).mixin : tx.objectClass
+}

plugins/card-resources/src/components/CreateCardPopup.svelte

@@ -217,7 +217,16 @@
       <Component is={extension.component} props={{ collaborators, data, space: _space }} on:change={handleChange} />
     {/if}
   </div>
+
+  <div slot="afterContent" class="error p-4 flex-row-reverse">
+    {#if !allowed}
+      <Label label={view.string.NoCreatePermissionTitle} />
+    {/if}
+  </div>
 </Modal>
 
 <style lang="scss">
+  .error {
+    color: var(--theme-error-color);
+  }
 </style>

plugins/contact-resources/src/utils.ts

@@ -751,33 +751,18 @@ export const permissionsStore = derived(
   }
 )
 
-const spaceTypesQuery = createQuery(true)
 const permissionsQuery = createQuery(true)
-type TargetClassesProjection = Record<Ref<Class<Space>>, number>
 
-spaceTypesQuery.query(core.class.SpaceType, {}, (types) => {
-  const targetClasses = types.reduce<TargetClassesProjection>((acc, st) => {
-    acc[st.targetClass] = 1
-    return acc
-  }, {})
-
-  permissionsQuery.query(
-    core.class.Space,
-    {},
-    (res) => {
-      spacesStore.set(res)
-    },
-    {
-      showArchived: true,
-      projection: {
-        _id: 1,
-        type: 1,
-        members: 1,
-        ...targetClasses
-      } as any
-    }
-  )
-})
+permissionsQuery.query(
+  core.class.Space,
+  {},
+  (res) => {
+    spacesStore.set(res)
+  },
+  {
+    showArchived: true
+  }
+)
 
 export function getAccountClient (): AccountClient {
   const accountsUrl = getMetadata(login.metadata.AccountsUrl)

plugins/view-assets/lang/cs.json

@@ -15,6 +15,7 @@
     "Role": "Role",
     "DeleteObject": "Smazat objekt",
     "DeleteObjectConfirm": "Chcete smazat {count, plural, =1 {tento objekt} other {těchto # objektů}}?",
+    "NoCreatePermissionTitle": "Nemáte dostatečná oprávnění pro vytvoření",
     "DeletePopupNoPermissionTitle": "Nemáte dostatečná oprávnění pro smazání.",
     "DeletePopupNoPermissionLabel": "Kontaktujte prosím osoby ze seznamu níže, aby to mohly provést.",
     "DeletePopupCreatorLabel": "Tvůrci (mohou mazat pouze objekty, které vytvořili):",

plugins/view-assets/lang/de.json

@@ -15,6 +15,7 @@
     "Role": "Rolle",
     "DeleteObject": "Objekt löschen",
     "DeleteObjectConfirm": "Möchten Sie {count, plural, =1 {dieses Objekt} other {diese # Objekte}} löschen?",
+    "NoCreatePermissionTitle": "Keine ausreichenden Berechtigungen zum Erstellen",
     "DeletePopupNoPermissionTitle": "Keine ausreichenden Berechtigungen zum Löschen.",
     "DeletePopupNoPermissionLabel": "Bitte kontaktieren Sie Personen aus der folgenden Liste.",
     "DeletePopupCreatorLabel": "Ersteller (können nur von ihnen erstellte Objekte löschen):",

plugins/view-assets/lang/en.json

@@ -15,6 +15,7 @@
     "Role": "Role",
     "DeleteObject": "Delete object",
     "DeleteObjectConfirm": "Do you want to delete {count, plural, =1 {this object} other {these # objects}}?",
+    "NoCreatePermissionTitle": "Not enough permissions to create",
     "DeletePopupNoPermissionTitle": "Not enough permissions to delete.",
     "DeletePopupNoPermissionLabel": "Please contact people from the list below for them to do so.",
     "DeletePopupCreatorLabel": "Creators (can delete only ones that were created by them):",

plugins/view-assets/lang/es.json

@@ -15,6 +15,7 @@
     "Role": "Rol",
     "DeleteObject": "Eliminar objeto",
     "DeleteObjectConfirm": "¿Desea eliminar {count, plural, =1 {este objeto} other {estos # objetos}}?",
+    "NoCreatePermissionTitle": "Permisos insuficientes para crear",
     "DeletePopupNoPermissionTitle": "Permisos insuficientes para eliminar.",
     "DeletePopupNoPermissionLabel": "Por favor, contacte con las personas de la siguiente lista para que puedan eliminarlo.",
     "DeletePopupCreatorLabel": "Creadores (pueden eliminar solo los que ellos crearon):",

plugins/view-assets/lang/fr.json

@@ -15,6 +15,7 @@
     "Role": "Rôle",
     "DeleteObject": "Supprimer l'objet",
     "DeleteObjectConfirm": "Voulez-vous supprimer {count, plural, =1 {cet objet} other {ces # objets}} ?",
+    "NoCreatePermissionTitle": "Permissions insuffisantes pour créer",
     "DeletePopupNoPermissionTitle": "Permissions insuffisantes pour supprimer.",
     "DeletePopupNoPermissionLabel": "Veuillez contacter les personnes de la liste ci-dessous pour qu'elles le fassent.",
     "DeletePopupCreatorLabel": "Créateurs (peuvent supprimer uniquement ceux qu'ils ont créés) :",

plugins/view-assets/lang/it.json

@@ -15,6 +15,7 @@
     "Role": "Ruolo",
     "DeleteObject": "Elimina oggetto",
     "DeleteObjectConfirm": "Vuoi eliminare {count, plural, =1 {questo oggetto} other {questi # oggetti}}?",
+    "NoCreatePermissionTitle": "Permessi insufficienti per creare",
     "DeletePopupNoPermissionTitle": "Permessi insufficienti per eliminare.",
     "DeletePopupNoPermissionLabel": "Contatta le persone della lista qui sotto affinché possano farlo.",
     "DeletePopupCreatorLabel": "Creatori (possono eliminare solo quelli creati da loro):",

plugins/view-assets/lang/ja.json

@@ -15,6 +15,7 @@
     "Role": "役割",
     "DeleteObject": "オブジェクトを削除",
     "DeleteObjectConfirm": "{count, plural, =1 {このオブジェクト} other {これらの # 個のオブジェクト}}を削除しますか？",
+    "NoCreatePermissionTitle": "作成する権限がありません",
     "DeletePopupNoPermissionTitle": "削除する権限がありません。",
     "DeletePopupNoPermissionLabel": "削除するには、以下のリストの担当者にご連絡ください。",
     "DeletePopupCreatorLabel": "作成者 (自分で作成したもののみ削除できます):",