Merge pull request #2932 from withspectrum/private-channel-mod-fixes

Private channel mod fixes

Author: brianlovin

api/mutations/channel/disableChannelTokenJoin.js

@@ -22,12 +22,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/enableChannelTokenJoin.js

@@ -22,12 +22,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/resetChannelJoinToken.js

@@ -23,12 +23,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/togglePendingUser.js

@@ -12,6 +12,7 @@ import {
   getUserPermissionsInCommunity,
   createMemberInCommunity,
 } from '../../models/usersCommunities';
+import { sendPrivateChannelRequestApprovedQueue } from 'shared/bull/queues';
 
 type TogglePendingUserInput = {
   input: {
@@ -74,7 +75,9 @@ export default async (
   // user is neither a community or channel owner, they don't have permission
   if (
     currentUserChannelPermissions.isOwner ||
-    currentUserCommunityPermissions.isOwner
+    currentUserCommunityPermissions.isOwner ||
+    currentUserChannelPermissions.isModerator ||
+    currentUserCommunityPermissions.isModerator
   ) {
     // all checks passed
     // determine whether to approve or block them
@@ -91,6 +94,13 @@ export default async (
         input.userId
       );
 
+      sendPrivateChannelRequestApprovedQueue.add({
+        userId: input.userId,
+        channelId: input.channelId,
+        communityId: channelToEvaluate.communityId,
+        moderatorId: currentUser.id,
+      });
+
       // if the user is a member of the parent community, we can return
       if (evaluatedUserCommunityPermissions.isMember) {
         return Promise.all([channelToEvaluate, approveUser]).then(
@@ -113,6 +123,6 @@ export default async (
   }
 
   return new UserError(
-    "You don't have permission to make changes to this channel."
+    "You don't have permission to manage users in this channel."
   );
 };

api/mutations/channel/unblockUser.js

@@ -59,7 +59,9 @@ export default async (
   // if a user owns the community or owns the channel, they can make this change
   if (
     currentUserChannelPermissions.isOwner ||
-    currentUserCommunityPermissions.isOwner
+    currentUserCommunityPermissions.isOwner ||
+    currentUserChannelPermissions.isModerator ||
+    currentUserCommunityPermissions.isModerator
   ) {
     return unblockMemberInChannel(input.channelId, input.userId).then(
       () => channelToEvaluate

api/mutations/community/disableBrandedLogin.js

@@ -27,7 +27,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/community/enableBrandedLogin.js

@@ -27,7 +27,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/community/saveBrandedLoginSettings.js

@@ -34,7 +34,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/queries/community/billingSettings.js

@@ -29,6 +29,8 @@ export default async (
     loaders.stripeCustomers.load(stripeCustomerId),
   ]);
 
+  if (!permissions) return defaultResult;
+
   const { isOwner, isModerator } = permissions;
   const customer =
     stripeCustomer && stripeCustomer.reduction.length > 0
@@ -49,8 +51,9 @@ export default async (
       : subscriptions;
 
   return {
-    pendingAdministratorEmail: isOwner ? pendingAdministratorEmail : null,
-    administratorEmail: isOwner ? administratorEmail : null,
+    pendingAdministratorEmail:
+      isOwner || isModerator ? pendingAdministratorEmail : null,
+    administratorEmail: isOwner || isModerator ? administratorEmail : null,
     sources: sources,
     invoices: cleanInvoices,
     subscriptions: subscriptions,

api/queries/community/hasChargeableSource.js

@@ -9,10 +9,14 @@ export default async (
 ) => {
   if (!stripeCustomerId || !user) return false;
 
-  const {
-    isOwner,
-    isModerator,
-  } = await loaders.userPermissionsInCommunity.load([user.id, id]);
+  const permissions = await loaders.userPermissionsInCommunity.load([
+    user.id,
+    id,
+  ]);
+
+  if (!permissions) return null;
+
+  const { isOwner, isModerator } = permissions;
 
   if (!isOwner && !isModerator) return null;
   return loaders.stripeCustomers.load(stripeCustomerId).then(results => {

athena/models/usersChannels.js

@@ -48,3 +48,14 @@ export const getOwnersInChannel = (
     .map(user => user('userId'))
     .run();
 };
+
+export const getModeratorsInChannel = (
+  channelId: string
+): Promise<Array<string>> => {
+  return db
+    .table('usersChannels')
+    .getAll(channelId, { index: 'channelId' })
+    .filter({ isModerator: true })
+    .map(user => user('userId'))
+    .run();
+};

athena/models/usersCommunities.js

@@ -23,6 +23,17 @@ export const getOwnersInCommunity = (
     .then(users => users.map(user => user.userId));
 };
 
+export const getModeratorsInCommunity = (
+  communityId: string
+): Promise<Array<string>> => {
+  return db
+    .table('usersCommunities')
+    .getAll(communityId, { index: 'communityId' })
+    .filter({ isModerator: true })
+    .run()
+    .then(users => users.map(user => user.userId));
+};
+
 export const getUserPermissionsInCommunity = (
   communityId: string,
   userId: string

athena/queues/private-channel-request-approved.js

@@ -10,16 +10,12 @@ import { getUsers } from '../models/user';
 import { fetchPayload } from '../utils/payloads';
 import isEmail from 'validator/lib/isEmail';
 import { sendPrivateChannelRequestApprovedEmailQueue } from 'shared/bull/queues';
+import type {
+  Job,
+  PrivateChannelRequestApprovedJobData,
+} from 'shared/bull/types';
 
-type JobData = {
-  data: {
-    userId: string,
-    channelId: string,
-    communityId: string,
-    moderatorId: string,
-  },
-};
-export default async (job: JobData) => {
+export default async (job: Job<PrivateChannelRequestApprovedJobData>) => {
   const { userId, channelId, communityId, moderatorId } = job.data;
   debug(`user request to join channel ${channelId} approved`);
 

athena/queues/private-channel-request-sent.js

@@ -6,12 +6,18 @@ import Raven from 'shared/raven';
 import { getCommunityById } from '../models/community';
 import { storeNotification } from '../models/notification';
 import { storeUsersNotifications } from '../models/usersNotifications';
-import { getOwnersInChannel } from '../models/usersChannels';
+import {
+  getOwnersInChannel,
+  getModeratorsInChannel,
+} from '../models/usersChannels';
+import {
+  getOwnersInCommunity,
+  getModeratorsInCommunity,
+} from '../models/usersCommunities';
 import { getUsers } from '../models/user';
 import { fetchPayload, createPayload } from '../utils/payloads';
 import isEmail from 'validator/lib/isEmail';
 import { sendPrivateChannelRequestEmailQueue } from 'shared/bull/queues';
-import type { DBChannel } from 'shared/types';
 import type { Job, PrivateChannelRequestJobData } from 'shared/bull/types';
 
 export default async (job: Job<PrivateChannelRequestJobData>) => {
@@ -45,12 +51,29 @@ export default async (job: Job<PrivateChannelRequestJobData>) => {
   const updatedNotification = await storeNotification(nextNotificationRecord);
 
   // get the owners of the channel
-  const recipients = await getOwnersInChannel(channel.id);
+  const [
+    ownersInCommunity,
+    moderatorsInCommunity,
+    ownersInChannel,
+    moderatorsInChannel,
+  ] = await Promise.all([
+    getOwnersInCommunity(channel.communityId),
+    getModeratorsInCommunity(channel.communityId),
+    getOwnersInChannel(channel.id),
+    getModeratorsInChannel(channel.id),
+  ]);
+
+  const uniqueRecipientIds = [
+    ...ownersInCommunity,
+    ...moderatorsInCommunity,
+    ...ownersInChannel,
+    ...moderatorsInChannel,
+  ].filter((item, i, ar) => ar.indexOf(item) === i);
 
   // get all the user data for the owners
-  const recipientsWithUserData = await getUsers([...recipients]);
+  const recipientsWithUserData = await getUsers([...uniqueRecipientIds]);
 
-  // only get owners with emails
+  // only get owners + moderators with emails
   const filteredRecipients = recipientsWithUserData.filter(
     owner => owner.email && isEmail(owner.email)
   );

cypress/integration/community_settings_overview_spec.js

@@ -48,6 +48,7 @@ describe('Community settings overview tab', () => {
       .type(website);
     // Submit changes
     cy.get('button[type="submit"]').click();
+    cy.visit(`/${community.slug}`);
     cy.location('pathname').should('eq', `/${community.slug}`);
     // Make sure changes were applied
     cy.contains(description);
@@ -68,13 +69,13 @@ describe('Community settings overview tab', () => {
       .clear()
       .type(community.website);
     cy.get('button[type="submit"]').click();
+    cy.visit(`/${community.slug}`);
     cy.location('pathname').should('eq', `/${community.slug}`);
     cy.contains(community.name);
     cy.contains(community.description);
     cy.contains(community.website);
   });
 
-  // TODO: FIXME
   it.skip('should allow managing branded login settings', () => {
     const brandedLoginString = 'Testing branded login custom message';
 

shared/bull/queues.js

@@ -63,6 +63,7 @@ import {
   COMMUNITY_INVOICE_PAID_NOTIFICATION,
   REACTION_NOTIFICATION,
   PRIVATE_CHANNEL_REQUEST_SENT,
+  PRIVATE_CHANNEL_REQUEST_APPROVED,
   COMMUNITY_INVITE_NOTIFICATION,
   CHANNEL_NOTIFICATION,
   DIRECT_MESSAGE_NOTIFICATION,
@@ -83,6 +84,7 @@ exports.QUEUE_NAMES = {
   sendCommunityInvoicePaidNotificationQueue: COMMUNITY_INVOICE_PAID_NOTIFICATION,
   sendReactionNotificationQueue: REACTION_NOTIFICATION,
   sendPrivateChannelRequestQueue: PRIVATE_CHANNEL_REQUEST_SENT,
+  sendPrivateChannelRequestApprovedQueue: PRIVATE_CHANNEL_REQUEST_APPROVED,
   sendPrivateChannelInviteNotificationQueue:
     'private channel invite notification',
   sendCommunityInviteNotificationQueue: COMMUNITY_INVITE_NOTIFICATION,