feat: add global settings for teams (#1391)

## Description This PR introduces global settings for teams. At the moment, it allows team admins to configure the following: * The default visibility of the documents uploaded to the team account * Whether to include the document owner (sender) details when sending emails to the recipients. ### Include Sender Details If the Sender Details setting is enabled, the emails sent by the team will include the sender's name: > "Example User" on behalf of "Example Team" has invited you to sign "document.pdf" Otherwise, the email will say: > "Example Team" has invited you to sign "document.pdf" ### Default Document Visibility This new option allows users to set the default visibility for the documents uploaded to the team account. It can have the following values: * Everyone * Manager and above * Admins only If the default document visibility isn't set, the document will be set to the role of the user who created the document: * If a user with the "User" role creates a document, the document's visibility is set to "Everyone". * Manager role -> "Manager and above" * Admin role -> "Admins only" Otherwise, if there is a default document visibility value, it uses that value. #### Gotcha To avoid issues, the `document owner` and the `recipient` can access the document irrespective of their role. For example: * If a team member with the role "Member" uploads a document and the default document visibility is "Admins", only the document owner and admins can access the document. * Similar to the other scenarios. * If an admin uploads a document and the default document visibility is "Admins", the recipient can access the document. * The admins have access to all the documents. * Managers have access to documents with the visibility set to "Everyone" and "Manager and above" * Members have access only to the documents with the visibility set to "Everyone". ## Testing Performed Tested it locally.
2025-11-13 00:03:33 +10:00 · 2024-11-08 13:50:49 +02:00
parent f6bcf921d5
commit 23a0537648
99 changed files with 4372 additions and 1037 deletions
--- a/packages/lib/server-only/document/update-document-settings.ts
+++ b/packages/lib/server-only/document/update-document-settings.ts
@ -1,13 +1,15 @@
 'use server';

+import { match } from 'ts-pattern';
+
 import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import type { CreateDocumentAuditLogDataResponse } from '@documenso/lib/utils/document-audit-logs';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { prisma } from '@documenso/prisma';
-import type { DocumentVisibility } from '@documenso/prisma/client';
-import { DocumentStatus } from '@documenso/prisma/client';
+import { DocumentVisibility } from '@documenso/prisma/client';
+import { DocumentStatus, TeamMemberRole } from '@documenso/prisma/client';

 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
@ -20,7 +22,7 @@ export type UpdateDocumentSettingsOptions = {
  data: {
    title?: string;
    externalId?: string | null;
-    visibility?: string | null;
+    visibility?: DocumentVisibility | null;
    globalAccessAuth?: TDocumentAccessAuthTypes | null;
    globalActionAuth?: TDocumentActionAuthTypes | null;
  };
@ -63,8 +65,62 @@ export const updateDocumentSettings = async ({
            teamId: null,
          }),
    },
+    include: {
+      team: {
+        select: {
+          members: {
+            where: {
+              userId,
+            },
+            select: {
+              role: true,
+            },
+          },
+        },
+      },
+    },
  });

+  if (teamId) {
+    const currentUserRole = document.team?.members[0]?.role;
+
+    match(currentUserRole)
+      .with(TeamMemberRole.ADMIN, () => true)
+      .with(TeamMemberRole.MANAGER, () => {
+        const allowedVisibilities: DocumentVisibility[] = [
+          DocumentVisibility.EVERYONE,
+          DocumentVisibility.MANAGER_AND_ABOVE,
+        ];
+
+        if (
+          !allowedVisibilities.includes(document.visibility) ||
+          (data.visibility && !allowedVisibilities.includes(data.visibility))
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .with(TeamMemberRole.MEMBER, () => {
+        if (
+          document.visibility !== DocumentVisibility.EVERYONE ||
+          (data.visibility && data.visibility !== DocumentVisibility.EVERYONE)
+        ) {
+          throw new AppError(
+            AppErrorCode.UNAUTHORIZED,
+            'You do not have permission to update the document visibility',
+          );
+        }
+      })
+      .otherwise(() => {
+        throw new AppError(
+          AppErrorCode.UNAUTHORIZED,
+          'You do not have permission to update the document',
+        );
+      });
+  }
+
  const { documentAuthOption } = extractDocumentAuthMethods({
    documentAuth: document.authOptions,
  });