server: page permissions

apps/server/src/collaboration/extensions/authentication.extension.ts

@@ -2,12 +2,18 @@ import { Extension, onAuthenticatePayload } from '@hocuspocus/server';
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { TokenService } from '../../core/auth/services/token.service';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { PageRepo } from '@docmost/db/repos/page/page.repo';
+import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
+import { findHighestUserSpaceRole } from '@docmost/db/repos/space/utils';
+import { SpaceRole } from '../../helpers/types/permission';
 
 @Injectable()
 export class AuthenticationExtension implements Extension {
   constructor(
     private tokenService: TokenService,
     private userRepo: UserRepo,
+    private pageRepo: PageRepo,
+    private readonly spaceMemberRepo: SpaceMemberRepo,
   ) {}
 
   async onAuthenticate(data: onAuthenticatePayload) {
@@ -30,8 +36,25 @@ export class AuthenticationExtension implements Extension {
       throw new UnauthorizedException();
     }
 
-    //TODO: Check if the page exists and verify user permissions for page.
-    // if all fails, abort connection
+    const page = await this.pageRepo.findById(documentName);
+    if (!page) {
+      throw new UnauthorizedException('Page not found');
+    }
+
+    const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
+      user.id,
+      page.spaceId,
+    );
+
+    const userSpaceRole = findHighestUserSpaceRole(userSpaceRoles);
+
+    if (!userSpaceRole) {
+      throw new UnauthorizedException();
+    }
+
+    if (userSpaceRole === SpaceRole.READER) {
+      data.connection.readOnly = true;
+    }
 
     return {
       user,