wiki/server/graph/resolvers/group.js

const graphHelper = require('../../helpers/graph')
const safeRegex = require('safe-regex')
const _ = require('lodash')
const gql = require('graphql')

/* global WIKI */

module.exports = {
  Query: {
    async groups () { return {} }
  },
  Mutation: {
    async groups () { return {} }
  },
  GroupQuery: {
    /**
     * FETCH ALL GROUPS
     */
    async list () {
      return WIKI.models.groups.query().select(
        'groups.*',
        WIKI.models.groups.relatedQuery('users').count().as('userCount')
      )
    },
    /**
     * FETCH A SINGLE GROUP
     */
    async single(obj, args) {
      return WIKI.models.groups.query().findById(args.id)
    }
  },
  GroupMutation: {
    /**
     * ASSIGN USER TO GROUP
     */
    async assignUser (obj, args, { req }) {
      // Check for guest user
      if (args.userId === 2) {
        throw new gql.GraphQLError('Cannot assign the Guest user to a group.')
      }

      // Check for valid group
      const grp = await WIKI.models.groups.query().findById(args.groupId)
      if (!grp) {
        throw new gql.GraphQLError('Invalid Group ID')
      }

      // Check assigned permissions for write:groups
      if (
        WIKI.auth.checkExclusiveAccess(req.user, ['write:groups'], ['manage:groups', 'manage:system']) &&
        grp.permissions.some(p => {
          const resType = _.last(p.split(':'))
          return ['users', 'groups', 'navigation', 'theme', 'api', 'system'].includes(resType)
        })
      ) {
        throw new gql.GraphQLError('You are not authorized to assign a user to this elevated group.')
      }

      // Check for valid user
      const usr = await WIKI.models.users.query().findById(args.userId)
      if (!usr) {
        throw new gql.GraphQLError('Invalid User ID')
      }

      // Check for existing relation
      const relExist = await WIKI.models.knex('userGroups').where({
        userId: args.userId,
        groupId: args.groupId
      }).first()
      if (relExist) {
        throw new gql.GraphQLError('User is already assigned to group.')
      }

      // Assign user to group
      await grp.$relatedQuery('users').relate(usr.id)

      // Revoke tokens for this user
      WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })
      WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })

      return {
        responseResult: graphHelper.generateSuccess('User has been assigned to group.')
      }
    },
    /**
     * CREATE NEW GROUP
     */
    async create (obj, args, { req }) {
      const group = await WIKI.models.groups.query().insertAndFetch({
        name: args.name,
        permissions: JSON.stringify(WIKI.data.groups.defaultPermissions),
        pageRules: JSON.stringify(WIKI.data.groups.defaultPageRules),
        isSystem: false
      })
      await WIKI.auth.reloadGroups()
      WIKI.events.outbound.emit('reloadGroups')
      return {
        responseResult: graphHelper.generateSuccess('Group created successfully.'),
        group
      }
    },
    /**
     * DELETE GROUP
     */
    async delete (obj, args) {
      if (args.id === 1 || args.id === 2) {
        throw new gql.GraphQLError('Cannot delete this group.')
      }

      await WIKI.models.groups.query().deleteById(args.id)

      WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })
      WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })

      await WIKI.auth.reloadGroups()
      WIKI.events.outbound.emit('reloadGroups')

      return {
        responseResult: graphHelper.generateSuccess('Group has been deleted.')
      }
    },
    /**
     * UNASSIGN USER FROM GROUP
     */
    async unassignUser (obj, args) {
      if (args.userId === 2) {
        throw new gql.GraphQLError('Cannot unassign Guest user')
      }
      if (args.userId === 1 && args.groupId === 1) {
        throw new gql.GraphQLError('Cannot unassign Administrator user from Administrators group.')
      }
      const grp = await WIKI.models.groups.query().findById(args.groupId)
      if (!grp) {
        throw new gql.GraphQLError('Invalid Group ID')
      }
      const usr = await WIKI.models.users.query().findById(args.userId)
      if (!usr) {
        throw new gql.GraphQLError('Invalid User ID')
      }
      await grp.$relatedQuery('users').unrelate().where('userId', usr.id)

      WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })
      WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })

      return {
        responseResult: graphHelper.generateSuccess('User has been unassigned from group.')
      }
    },
    /**
     * UPDATE GROUP
     */
    async update (obj, args, { req }) {
      // Check for unsafe regex page rules
      if (_.some(args.pageRules, pr => {
        return pr.match === 'REGEX' && !safeRegex(pr.path)
      })) {
        throw new gql.GraphQLError('Some Page Rules contains unsafe or exponential time regex.')
      }

      // Set default redirect on login value
      if (_.isEmpty(args.redirectOnLogin)) {
        args.redirectOnLogin = '/'
      }

      // Check assigned permissions for write:groups
      if (
        WIKI.auth.checkExclusiveAccess(req.user, ['write:groups'], ['manage:groups', 'manage:system']) &&
        args.permissions.some(p => {
          const resType = _.last(p.split(':'))
          return ['users', 'groups', 'navigation', 'theme', 'api', 'system'].includes(resType)
        })
      ) {
        throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')
      }

      // Update group
      await WIKI.models.groups.query().patch({
        name: args.name,
        redirectOnLogin: args.redirectOnLogin,
        permissions: JSON.stringify(args.permissions),
        pageRules: JSON.stringify(args.pageRules)
      }).where('id', args.id)

      // Revoke tokens for this group
      WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })
      WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })

      // Reload group permissions
      await WIKI.auth.reloadGroups()
      WIKI.events.outbound.emit('reloadGroups')

      return {
        responseResult: graphHelper.generateSuccess('Group has been updated.')
      }
    }
  },
  Group: {
    users (grp) {
      return grp.$relatedQuery('users')
    }
  }
}
feat: admin groups - list + create, gql refactoring 7 years ago			`const graphHelper = require('../../helpers/graph')`
feat: page Rules access check 6 years ago			`const safeRegex = require('safe-regex')`
fix: graphql error notifications 6 years ago			`const _ = require('lodash')`
fix: prevent write:groups from self-promoting 4 years ago			`const gql = require('graphql')`
feat: GraphQL schema 7 years ago
refactor: global namespace + admin pages UI 7 years ago			`/* global WIKI */`
feat: GraphQL schema 7 years ago
			`module.exports = {`
feat: GraphQL mutations for User + Group 7 years ago			`Query: {`
fix: prevent write:groups from self-promoting 4 years ago			`async groups () { return {} }`
feat: navigation, editor improvements + graphql refactor 7 years ago			`},`
			`Mutation: {`
fix: prevent write:groups from self-promoting 4 years ago			`async groups () { return {} }`
feat: navigation, editor improvements + graphql refactor 7 years ago			`},`
			`GroupQuery: {`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* FETCH ALL GROUPS`
			`*/`
			`async list () {`
feat: core improvements + local fs provider + UI fixes 6 years ago			`return WIKI.models.groups.query().select(`
refactor: migrate to objection.js + knex 7 years ago			`'groups.*',`
feat: core improvements + local fs provider + UI fixes 6 years ago			`WIKI.models.groups.relatedQuery('users').count().as('userCount')`
refactor: migrate to objection.js + knex 7 years ago			`)`
feat: admin - groups single view 7 years ago			`},`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* FETCH A SINGLE GROUP`
			`*/`
			`async single(obj, args) {`
feat: core improvements + local fs provider + UI fixes 6 years ago			`return WIKI.models.groups.query().findById(args.id)`
feat: GraphQL mutations for User + Group 7 years ago			`}`
			`},`
feat: navigation, editor improvements + graphql refactor 7 years ago			`GroupMutation: {`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* ASSIGN USER TO GROUP`
			`*/`
			`async assignUser (obj, args, { req }) {`
			`// Check for guest user`
			`if (args.userId === 2) {`
			`throw new gql.GraphQLError('Cannot assign the Guest user to a group.')`
			`}`

			`// Check for valid group`
feat: core improvements + local fs provider + UI fixes 6 years ago			`const grp = await WIKI.models.groups.query().findById(args.groupId)`
feat: admin group edit / assign / unassign 7 years ago			`if (!grp) {`
			`throw new gql.GraphQLError('Invalid Group ID')`
			`}`
fix: prevent write:groups from self-promoting 4 years ago
			`// Check assigned permissions for write:groups`
			`if (`
			`WIKI.auth.checkExclusiveAccess(req.user, ['write:groups'], ['manage:groups', 'manage:system']) &&`
			`grp.permissions.some(p => {`
			`const resType = _.last(p.split(':'))`
			`return ['users', 'groups', 'navigation', 'theme', 'api', 'system'].includes(resType)`
			`})`
			`) {`
			`throw new gql.GraphQLError('You are not authorized to assign a user to this elevated group.')`
			`}`

			`// Check for valid user`
feat: core improvements + local fs provider + UI fixes 6 years ago			`const usr = await WIKI.models.users.query().findById(args.userId)`
feat: admin group edit / assign / unassign 7 years ago			`if (!usr) {`
			`throw new gql.GraphQLError('Invalid User ID')`
			`}`
fix: prevent write:groups from self-promoting 4 years ago
			`// Check for existing relation`
fix: prevent duplicate group assignment (#1081) 5 years ago			`const relExist = await WIKI.models.knex('userGroups').where({`
			`userId: args.userId,`
			`groupId: args.groupId`
			`}).first()`
			`if (relExist) {`
			`throw new gql.GraphQLError('User is already assigned to group.')`
			`}`
fix: prevent write:groups from self-promoting 4 years ago
			`// Assign user to group`
refactor: migrate to objection.js + knex 7 years ago			`await grp.$relatedQuery('users').relate(usr.id)`
fix: revocation token list for users + groups 4 years ago
fix: prevent write:groups from self-promoting 4 years ago			`// Revoke tokens for this user`
fix: revocation token list for users + groups 4 years ago			`WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })`
			`WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })`

feat: admin group edit / assign / unassign 7 years ago			`return {`
			`responseResult: graphHelper.generateSuccess('User has been assigned to group.')`
			`}`
feat: GraphQL mutations for folder, group, tag, user 7 years ago			`},`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* CREATE NEW GROUP`
			`*/`
			`async create (obj, args, { req }) {`
feat: core improvements + local fs provider + UI fixes 6 years ago			`const group = await WIKI.models.groups.query().insertAndFetch({`
feat: group permissions 6 years ago			`name: args.name,`
			`permissions: JSON.stringify(WIKI.data.groups.defaultPermissions),`
feat: markdown editor toolbar + default group rules fix 6 years ago			`pageRules: JSON.stringify(WIKI.data.groups.defaultPageRules),`
feat: group permissions 6 years ago			`isSystem: false`
feat: admin groups - list + create, gql refactoring 7 years ago			`})`
feat: page Rules access check 6 years ago			`await WIKI.auth.reloadGroups()`
feat: HA event handling + emitting 5 years ago			`WIKI.events.outbound.emit('reloadGroups')`
feat: admin groups - list + create, gql refactoring 7 years ago			`return {`
			`responseResult: graphHelper.generateSuccess('Group created successfully.'),`
			`group`
			`}`
feat: GraphQL mutations for folder, group, tag, user 7 years ago			`},`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* DELETE GROUP`
			`*/`
			`async delete (obj, args) {`
			`if (args.id === 1 \|\| args.id === 2) {`
			`throw new gql.GraphQLError('Cannot delete this group.')`
			`}`

feat: core improvements + local fs provider + UI fixes 6 years ago			`await WIKI.models.groups.query().deleteById(args.id)`
fix: revocation token list for users + groups 4 years ago
			`WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })`
			`WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })`

feat: page Rules access check 6 years ago			`await WIKI.auth.reloadGroups()`
feat: HA event handling + emitting 5 years ago			`WIKI.events.outbound.emit('reloadGroups')`
fix: revocation token list for users + groups 4 years ago
feat: admin - groups edit UI 7 years ago			`return {`
			`responseResult: graphHelper.generateSuccess('Group has been deleted.')`
			`}`
feat: GraphQL mutations for folder, group, tag, user 7 years ago			`},`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* UNASSIGN USER FROM GROUP`
			`*/`
			`async unassignUser (obj, args) {`
			`if (args.userId === 2) {`
			`throw new gql.GraphQLError('Cannot unassign Guest user')`
			`}`
			`if (args.userId === 1 && args.groupId === 1) {`
			`throw new gql.GraphQLError('Cannot unassign Administrator user from Administrators group.')`
			`}`
feat: core improvements + local fs provider + UI fixes 6 years ago			`const grp = await WIKI.models.groups.query().findById(args.groupId)`
feat: admin group edit / assign / unassign 7 years ago			`if (!grp) {`
			`throw new gql.GraphQLError('Invalid Group ID')`
			`}`
feat: core improvements + local fs provider + UI fixes 6 years ago			`const usr = await WIKI.models.users.query().findById(args.userId)`
feat: admin group edit / assign / unassign 7 years ago			`if (!usr) {`
			`throw new gql.GraphQLError('Invalid User ID')`
			`}`
refactor: migrate to objection.js + knex 7 years ago			`await grp.$relatedQuery('users').unrelate().where('userId', usr.id)`
fix: revocation token list for users + groups 4 years ago
			`WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })`
			`WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })`

feat: admin group edit / assign / unassign 7 years ago			`return {`
			`responseResult: graphHelper.generateSuccess('User has been unassigned from group.')`
			`}`
feat: GraphQL setting, right, folder resolvers 7 years ago			`},`
fix: prevent write:groups from self-promoting 4 years ago			`/**`
			`* UPDATE GROUP`
			`*/`
			`async update (obj, args, { req }) {`
			`// Check for unsafe regex page rules`
fix: Switch converted to Object Literal (#940) * updating a switch into object literal and fixed a couple linter errors * added a comment about weird formatting * style: use lodash get * fix: pass eslint + puglint + jest 5 years ago			`if (_.some(args.pageRules, pr => {`
feat: check for updates 6 years ago			`return pr.match === 'REGEX' && !safeRegex(pr.path)`
feat: page Rules access check 6 years ago			`})) {`
			`throw new gql.GraphQLError('Some Page Rules contains unsafe or exponential time regex.')`
			`}`

fix: prevent write:groups from self-promoting 4 years ago			`// Set default redirect on login value`
feat: new login experience (#2139) * feat: multiple auth instances * fix: auth setup + strategy initialization * feat: admin auth - add strategy * feat: redirect on login - group setting * feat: oauth2 generic - props definitions * feat: new login UI (wip) * feat: new login UI (wip) * feat: admin security login settings * feat: tabset editor indicators + print view improvements * fix: code styling 4 years ago			`if (_.isEmpty(args.redirectOnLogin)) {`
			`args.redirectOnLogin = '/'`
			`}`

fix: prevent write:groups from self-promoting 4 years ago			`// Check assigned permissions for write:groups`
			`if (`
			`WIKI.auth.checkExclusiveAccess(req.user, ['write:groups'], ['manage:groups', 'manage:system']) &&`
			`args.permissions.some(p => {`
			`const resType = _.last(p.split(':'))`
			`return ['users', 'groups', 'navigation', 'theme', 'api', 'system'].includes(resType)`
			`})`
			`) {`
			`throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')`
			`}`

			`// Update group`
feat: admin - manage groups + permissions + page rules 6 years ago			`await WIKI.models.groups.query().patch({`
			`name: args.name,`
feat: new login experience (#2139) * feat: multiple auth instances * fix: auth setup + strategy initialization * feat: admin auth - add strategy * feat: redirect on login - group setting * feat: oauth2 generic - props definitions * feat: new login UI (wip) * feat: new login UI (wip) * feat: admin security login settings * feat: tabset editor indicators + print view improvements * fix: code styling 4 years ago			`redirectOnLogin: args.redirectOnLogin,`
feat: admin - manage groups + permissions + page rules 6 years ago			`permissions: JSON.stringify(args.permissions),`
			`pageRules: JSON.stringify(args.pageRules)`
			`}).where('id', args.id)`
feat: page Rules access check 6 years ago
fix: prevent write:groups from self-promoting 4 years ago			`// Revoke tokens for this group`
fix: revocation token list for users + groups 4 years ago			`WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })`
			`WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })`

fix: prevent write:groups from self-promoting 4 years ago			`// Reload group permissions`
feat: page Rules access check 6 years ago			`await WIKI.auth.reloadGroups()`
feat: HA event handling + emitting 5 years ago			`WIKI.events.outbound.emit('reloadGroups')`
feat: page Rules access check 6 years ago
feat: admin group edit / assign / unassign 7 years ago			`return {`
			`responseResult: graphHelper.generateSuccess('Group has been updated.')`
			`}`
feat: GraphQL mutations for User + Group 7 years ago			`}`
feat: GraphQL schema 7 years ago			`},`
feat: GraphQL mutations for User + Group 7 years ago			`Group: {`
fix: prevent write:groups from self-promoting 4 years ago			`users (grp) {`
refactor: migrate to objection.js + knex 7 years ago			`return grp.$relatedQuery('users')`
feat: GraphQL schema 7 years ago			`}`
			`}`
			`}`