feat: add global settings for teams (#1391)

## Description This PR introduces global settings for teams. At the moment, it allows team admins to configure the following: * The default visibility of the documents uploaded to the team account * Whether to include the document owner (sender) details when sending emails to the recipients. ### Include Sender Details If the Sender Details setting is enabled, the emails sent by the team will include the sender's name: > "Example User" on behalf of "Example Team" has invited you to sign "document.pdf" Otherwise, the email will say: > "Example Team" has invited you to sign "document.pdf" ### Default Document Visibility This new option allows users to set the default visibility for the documents uploaded to the team account. It can have the following values: * Everyone * Manager and above * Admins only If the default document visibility isn't set, the document will be set to the role of the user who created the document: * If a user with the "User" role creates a document, the document's visibility is set to "Everyone". * Manager role -> "Manager and above" * Admin role -> "Admins only" Otherwise, if there is a default document visibility value, it uses that value. #### Gotcha To avoid issues, the `document owner` and the `recipient` can access the document irrespective of their role. For example: * If a team member with the role "Member" uploads a document and the default document visibility is "Admins", only the document owner and admins can access the document. * Similar to the other scenarios. * If an admin uploads a document and the default document visibility is "Admins", the recipient can access the document. * The admins have access to all the documents. * Managers have access to documents with the visibility set to "Everyone" and "Manager and above" * Members have access only to the documents with the visibility set to "Everyone". ## Testing Performed Tested it locally.
2025-11-13 16:23:06 +10:00 · 2024-11-08 13:50:49 +02:00
parent f6bcf921d5
commit 23a0537648
99 changed files with 4372 additions and 1037 deletions
--- a/packages/lib/server-only/document/create-document.ts
+++ b/packages/lib/server-only/document/create-document.ts
@ -5,7 +5,9 @@ import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-log
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
-import { DocumentSource, WebhookTriggerEvents } from '@documenso/prisma/client';
+import { DocumentSource, DocumentVisibility, WebhookTriggerEvents } from '@documenso/prisma/client';
+import type { Team, TeamGlobalSettings } from '@documenso/prisma/client';
+import { TeamMemberRole } from '@documenso/prisma/client';

 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';

@ -48,6 +50,51 @@ export const createDocument = async ({
    throw new AppError(AppErrorCode.NOT_FOUND, 'Team not found');
  }

+  let team: (Team & { teamGlobalSettings: TeamGlobalSettings | null }) | null = null;
+  let userTeamRole: TeamMemberRole | undefined;
+
+  if (teamId) {
+    const teamWithUserRole = await prisma.team.findFirstOrThrow({
+      where: {
+        id: teamId,
+      },
+      include: {
+        teamGlobalSettings: true,
+        members: {
+          where: {
+            userId: userId,
+          },
+          select: {
+            role: true,
+          },
+        },
+      },
+    });
+
+    team = teamWithUserRole;
+    userTeamRole = teamWithUserRole.members[0]?.role;
+  }
+
+  const determineVisibility = (
+    globalVisibility: DocumentVisibility | null | undefined,
+    userRole: TeamMemberRole,
+  ): DocumentVisibility => {
+    const defaultVisibility = globalVisibility ?? DocumentVisibility.EVERYONE;
+
+    if (userRole === TeamMemberRole.ADMIN) {
+      return defaultVisibility;
+    }
+
+    if (userRole === TeamMemberRole.MANAGER) {
+      if (defaultVisibility === DocumentVisibility.ADMIN) {
+        return DocumentVisibility.MANAGER_AND_ABOVE;
+      }
+      return defaultVisibility;
+    }
+
+    return DocumentVisibility.EVERYONE;
+  };
+
  return await prisma.$transaction(async (tx) => {
    const document = await tx.document.create({
      data: {
@ -56,8 +103,17 @@ export const createDocument = async ({
        documentDataId,
        userId,
        teamId,
+        visibility: determineVisibility(
+          team?.teamGlobalSettings?.documentVisibility,
+          userTeamRole ?? TeamMemberRole.MEMBER,
+        ),
        formValues,
        source: DocumentSource.DOCUMENT,
+        documentMeta: {
+          create: {
+            language: team?.teamGlobalSettings?.documentLanguage,
+          },
+        },
      },
    });

--- a/packages/lib/server-only/document/delete-document.ts
+++ b/packages/lib/server-only/document/delete-document.ts
@ -7,7 +7,14 @@ import { msg } from '@lingui/macro';
 import { mailer } from '@documenso/email/mailer';
 import DocumentCancelTemplate from '@documenso/email/templates/document-cancel';
 import { prisma } from '@documenso/prisma';
-import type { Document, DocumentMeta, Recipient, User } from '@documenso/prisma/client';
+import type {
+  Document,
+  DocumentMeta,
+  Recipient,
+  Team,
+  TeamGlobalSettings,
+  User,
+} from '@documenso/prisma/client';
 import { DocumentStatus, SendStatus } from '@documenso/prisma/client';

 import { getI18nInstance } from '../../client-only/providers/i18n.server';
@ -18,6 +25,7 @@ import { extractDerivedDocumentEmailSettings } from '../../types/document-email'
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';

 export type DeleteDocumentOptions = {
  id: number;
@ -50,8 +58,9 @@ export const deleteDocument = async ({
      Recipient: true,
      documentMeta: true,
      team: {
-        select: {
+        include: {
          members: true,
+          teamGlobalSettings: true,
        },
      },
    },
@ -74,6 +83,7 @@ export const deleteDocument = async ({
    await handleDocumentOwnerDelete({
      document,
      user,
+      team: document.team,
      requestMetadata,
    });
  }
@ -114,6 +124,11 @@ type HandleDocumentOwnerDeleteOptions = {
    Recipient: Recipient[];
    documentMeta: DocumentMeta | null;
  };
+  team?:
+    | (Team & {
+        teamGlobalSettings?: TeamGlobalSettings | null;
+      })
+    | null;
  user: User;
  requestMetadata?: RequestMetadata;
 };
@ -121,6 +136,7 @@ type HandleDocumentOwnerDeleteOptions = {
 const handleDocumentOwnerDelete = async ({
  document,
  user,
+  team,
  requestMetadata,
 }: HandleDocumentOwnerDeleteOptions) => {
  if (document.deletedAt) {
@ -203,9 +219,17 @@ const handleDocumentOwnerDelete = async ({
        assetBaseUrl,
      });

+      const branding = team?.teamGlobalSettings
+        ? teamGlobalSettingsToBranding(team.teamGlobalSettings)
+        : undefined;
+
      const [html, text] = await Promise.all([
-        renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-        renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+        renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+        renderEmailWithI18N(template, {
+          lang: document.documentMeta?.language,
+          branding,
+          plainText: true,
+        }),
      ]);

      const i18n = await getI18nInstance(document.documentMeta?.language);
--- a/packages/lib/server-only/document/find-documents.ts
+++ b/packages/lib/server-only/document/find-documents.ts
@ -124,11 +124,18 @@ export const findDocuments = async ({
      }))
      .otherwise(() => ({ visibility: DocumentVisibility.EVERYONE })),
    {
-      Recipient: {
-        some: {
-          email: user.email,
+      OR: [
+        {
+          Recipient: {
+            some: {
+              email: user.email,
+            },
+          },
        },
-      },
+        {
+          userId: user.id,
+        },
+      ],
    },
  ];

--- a/packages/lib/server-only/document/get-document-by-id.ts
+++ b/packages/lib/server-only/document/get-document-by-id.ts
@ -143,11 +143,18 @@ export const getDocumentWhereInput = async ({
      ])
      .otherwise(() => [{ visibility: DocumentVisibility.EVERYONE }]),
    {
-      Recipient: {
-        some: {
-          email: user.email,
+      OR: [
+        {
+          Recipient: {
+            some: {
+              email: user.email,
+            },
+          },
        },
-      },
+        {
+          userId: user.id,
+        },
+      ],
    },
  ];

--- a/packages/lib/server-only/document/get-stats.ts
+++ b/packages/lib/server-only/document/get-stats.ts
@ -6,11 +6,10 @@ import { prisma } from '@documenso/prisma';
 import { TeamMemberRole } from '@documenso/prisma/client';
 import type { Prisma, User } from '@documenso/prisma/client';
 import { SigningStatus } from '@documenso/prisma/client';
+import { DocumentVisibility } from '@documenso/prisma/client';
 import { isExtendedDocumentStatus } from '@documenso/prisma/guards/is-extended-document-status';
 import { ExtendedDocumentStatus } from '@documenso/prisma/types/extended-document-status';

-import { DocumentVisibility } from '../../types/document-visibility';
-
 export type GetStatsInput = {
  user: User;
  team?: Omit<GetTeamCountsOption, 'createdAt'>;
@ -207,47 +206,45 @@ const getTeamCounts = async (options: GetTeamCountsOption) => {
  let notSignedCountsGroupByArgs = null;
  let hasSignedCountsGroupByArgs = null;

-  const visibilityFilters = [
-    ...match(options.currentTeamMemberRole)
-      .with(TeamMemberRole.ADMIN, () => [
-        { visibility: DocumentVisibility.EVERYONE },
-        { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
-        { visibility: DocumentVisibility.ADMIN },
-      ])
-      .with(TeamMemberRole.MANAGER, () => [
-        { visibility: DocumentVisibility.EVERYONE },
-        { visibility: DocumentVisibility.MANAGER_AND_ABOVE },
-      ])
-      .otherwise(() => [{ visibility: DocumentVisibility.EVERYONE }]),
-  ];
-
-  ownerCountsWhereInput = {
-    ...ownerCountsWhereInput,
-    OR: [
+  const visibilityFiltersWhereInput: Prisma.DocumentWhereInput = {
+    AND: [
+      { deletedAt: null },
      {
-        AND: [
-          {
-            visibility: {
-              in: visibilityFilters.map((filter) => filter.visibility),
-            },
-          },
-          {
-            Recipient: {
-              none: {
-                email: options.currentUserEmail,
+        OR: [
+          match(options.currentTeamMemberRole)
+            .with(TeamMemberRole.ADMIN, () => ({
+              visibility: {
+                in: [
+                  DocumentVisibility.EVERYONE,
+                  DocumentVisibility.MANAGER_AND_ABOVE,
+                  DocumentVisibility.ADMIN,
+                ],
              },
-            },
+            }))
+            .with(TeamMemberRole.MANAGER, () => ({
+              visibility: {
+                in: [DocumentVisibility.EVERYONE, DocumentVisibility.MANAGER_AND_ABOVE],
+              },
+            }))
+            .otherwise(() => ({
+              visibility: {
+                equals: DocumentVisibility.EVERYONE,
+              },
+            })),
+          {
+            OR: [
+              { userId: options.userId },
+              { Recipient: { some: { email: options.currentUserEmail } } },
+            ],
          },
        ],
      },
-      {
-        Recipient: {
-          some: {
-            email: options.currentUserEmail,
-          },
-        },
-      },
    ],
+  };
+
+  ownerCountsWhereInput = {
+    ...ownerCountsWhereInput,
+    ...visibilityFiltersWhereInput,
    ...searchFilter,
  };

--- a/packages/lib/server-only/document/resend-document.tsx
+++ b/packages/lib/server-only/document/resend-document.tsx
@ -21,6 +21,7 @@ import { getI18nInstance } from '../../client-only/providers/i18n.server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { extractDerivedDocumentEmailSettings } from '../../types/document-email';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';
 import { getDocumentWhereInput } from './get-document-by-id';

 export type ResendDocumentOptions = {
@ -66,6 +67,7 @@ export const resendDocument = async ({
        select: {
          teamEmail: true,
          name: true,
+          teamGlobalSettings: true,
        },
      },
    },
@ -158,12 +160,20 @@ export const resendDocument = async ({
        teamName: document.team?.name,
      });

+      const branding = document.team?.teamGlobalSettings
+        ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+        : undefined;
+
      await prisma.$transaction(
        async (tx) => {
          const [html, text] = await Promise.all([
-            renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
            renderEmailWithI18N(template, {
              lang: document.documentMeta?.language,
+              branding,
+            }),
+            renderEmailWithI18N(template, {
+              lang: document.documentMeta?.language,
+              branding,
              plainText: true,
            }),
          ]);
--- a/packages/lib/server-only/document/send-completed-email.ts
+++ b/packages/lib/server-only/document/send-completed-email.ts
@ -16,6 +16,7 @@ import { getFile } from '../../universal/upload/get-file';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '../../utils/render-custom-email-template';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';

 export interface SendDocumentOptions {
  documentId: number;
@ -36,6 +37,7 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
        select: {
          id: true,
          url: true,
+          teamGlobalSettings: true,
        },
      },
    },
@ -82,9 +84,17 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
      downloadLink: documentOwnerDownloadLink,
    });

+    const branding = document.team?.teamGlobalSettings
+      ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+      : undefined;
+
    const [html, text] = await Promise.all([
-      renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-      renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+      renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+      renderEmailWithI18N(template, {
+        lang: document.documentMeta?.language,
+        branding,
+        plainText: true,
+      }),
    ]);

    await mailer.sendMail({
@ -151,9 +161,17 @@ export const sendCompletedEmail = async ({ documentId, requestMetadata }: SendDo
            : undefined,
      });

+      const branding = document.team?.teamGlobalSettings
+        ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+        : undefined;
+
      const [html, text] = await Promise.all([
-        renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-        renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+        renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+        renderEmailWithI18N(template, {
+          lang: document.documentMeta?.language,
+          branding,
+          plainText: true,
+        }),
      ]);

      await mailer.sendMail({
--- a/packages/lib/server-only/document/send-delete-email.ts
+++ b/packages/lib/server-only/document/send-delete-email.ts
@ -10,6 +10,7 @@ import { getI18nInstance } from '../../client-only/providers/i18n.server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { extractDerivedDocumentEmailSettings } from '../../types/document-email';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';

 export interface SendDeleteEmailOptions {
  documentId: number;
@ -24,6 +25,11 @@ export const sendDeleteEmail = async ({ documentId, reason }: SendDeleteEmailOpt
    include: {
      User: true,
      documentMeta: true,
+      team: {
+        include: {
+          teamGlobalSettings: true,
+        },
+      },
    },
  });

@ -49,9 +55,17 @@ export const sendDeleteEmail = async ({ documentId, reason }: SendDeleteEmailOpt
    assetBaseUrl,
  });

+  const branding = document.team?.teamGlobalSettings
+    ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+    : undefined;
+
  const [html, text] = await Promise.all([
-    renderEmailWithI18N(template),
-    renderEmailWithI18N(template, { plainText: true }),
+    renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+    renderEmailWithI18N(template, {
+      lang: document.documentMeta?.language,
+      branding,
+      plainText: true,
+    }),
  ]);

  const i18n = await getI18nInstance();
--- a/packages/lib/server-only/document/send-pending-email.ts
+++ b/packages/lib/server-only/document/send-pending-email.ts
@ -10,6 +10,7 @@ import { getI18nInstance } from '../../client-only/providers/i18n.server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { extractDerivedDocumentEmailSettings } from '../../types/document-email';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';

 export interface SendPendingEmailOptions {
  documentId: number;
@ -33,6 +34,11 @@ export const sendPendingEmail = async ({ documentId, recipientId }: SendPendingE
        },
      },
      documentMeta: true,
+      team: {
+        include: {
+          teamGlobalSettings: true,
+        },
+      },
    },
  });

@ -63,12 +69,20 @@ export const sendPendingEmail = async ({ documentId, recipientId }: SendPendingE
    assetBaseUrl,
  });

+  const branding = document.team?.teamGlobalSettings
+    ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+    : undefined;
+
  const [html, text] = await Promise.all([
-    renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-    renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+    renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+    renderEmailWithI18N(template, {
+      lang: document.documentMeta?.language,
+      branding,
+      plainText: true,
+    }),
  ]);

-  const i18n = await getI18nInstance();
+  const i18n = await getI18nInstance(document.documentMeta?.language);

  await mailer.sendMail({
    to: {
--- a/packages/lib/server-only/document/super-delete-document.ts
+++ b/packages/lib/server-only/document/super-delete-document.ts
@ -17,6 +17,7 @@ import { extractDerivedDocumentEmailSettings } from '../../types/document-email'
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';

 export type SuperDeleteDocumentOptions = {
  id: number;
@ -32,6 +33,11 @@ export const superDeleteDocument = async ({ id, requestMetadata }: SuperDeleteDo
      Recipient: true,
      documentMeta: true,
      User: true,
+      team: {
+        include: {
+          teamGlobalSettings: true,
+        },
+      },
    },
  });

@ -65,9 +71,17 @@ export const superDeleteDocument = async ({ id, requestMetadata }: SuperDeleteDo
          assetBaseUrl,
        });

+        const branding = document.team?.teamGlobalSettings
+          ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+          : undefined;
+
        const [html, text] = await Promise.all([
-          renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-          renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+          renderEmailWithI18N(template, { lang: document.documentMeta?.language, branding }),
+          renderEmailWithI18N(template, {
+            lang: document.documentMeta?.language,
+            branding,
+            plainText: true,
+          }),
        ]);

        const i18n = await getI18nInstance(document.documentMeta?.language);
--- a/packages/lib/server-only/document/update-document-settings.ts
+++ b/packages/lib/server-only/document/update-document-settings.ts
@ -1,13 +1,15 @@
 'use server';

+import { match } from 'ts-pattern';
+
 import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import type { CreateDocumentAuditLogDataResponse } from '@documenso/lib/utils/document-audit-logs';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
-import type { DocumentVisibility } from '@documenso/prisma/client';
-import { DocumentStatus } from '@documenso/prisma/client';
+import { DocumentVisibility } from '@documenso/prisma/client';
+import { DocumentStatus, TeamMemberRole } from '@documenso/prisma/client';

 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
@ -20,7 +22,7 @@ export type UpdateDocumentSettingsOptions = {
  data: {
    title?: string;
    externalId?: string | null;
-    visibility?: string | null;
+    visibility?: DocumentVisibility | null;
    globalAccessAuth?: TDocumentAccessAuthTypes | null;
    globalActionAuth?: TDocumentActionAuthTypes | null;
  };
@ -63,8 +65,62 @@ export const updateDocumentSettings = async ({
            teamId: null,
          }),
    },
+    include: {
+      team: {
+        select: {
+          members: {
+            where: {
+              userId,
+            },
+            select: {
+              role: true,
+            },
+          },
+        },
+      },
+    },
  });

+  if (teamId) {
+    const currentUserRole = document.team?.members[0]?.role;
+
+    match(currentUserRole)
+      .with(TeamMemberRole.ADMIN, () => true)
+      .with(TeamMemberRole.MANAGER, () => {
+        const allowedVisibilities: DocumentVisibility[] = [
+          DocumentVisibility.EVERYONE,
+          DocumentVisibility.MANAGER_AND_ABOVE,
+        ];
+
+        if (
+          !allowedVisibilities.includes(document.visibility) ||
+          (data.visibility && !allowedVisibilities.includes(data.visibility))
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .with(TeamMemberRole.MEMBER, () => {
+        if (
+          document.visibility !== DocumentVisibility.EVERYONE ||
+          (data.visibility && data.visibility !== DocumentVisibility.EVERYONE)
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .otherwise(() => {
+        throw new AppError(
+          AppErrorCode.UNAUTHORIZED,
+          'You do not have permission to update the document',
+        );
+      });
+  }
+
  const { documentAuthOption } = extractDocumentAuthMethods({
    documentAuth: document.authOptions,
  });