Ryan/documenso
1
0
Fork 1
mirror of https://github.com/documenso/documenso.git synced 2026-06-22 04:12:06 +10:00
Code Issues Packages Projects Releases Wiki Activity

fix: allow users to download templates (#2746)

Browse Source
This commit is contained in:
David Nguyen
2026-04-30 16:50:07 +10:00
committed by GitHub
parent 84fc866cfb
commit c428170b5c
4 changed files with 265 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/remix/app/components/tables/templates-table-action-dropdown.tsx
+86 -82
View File
@@ -1,14 +1,10 @@
import { useState } from 'react';
import { Trans } from '@lingui/react/macro';
import {
DocumentStatus,
EnvelopeType,
type Recipient,
type TemplateDirectLink,
} from '@prisma/client';
import { DocumentStatus, EnvelopeType, type TemplateDirectLink } from '@prisma/client';
import {
Copy,
Download,
Edit,
FolderIcon,
MoreHorizontal,
@@ -30,6 +26,7 @@ import {
} from '@documenso/ui/primitives/dropdown-menu';
import { EnvelopeDeleteDialog } from '../dialogs/envelope-delete-dialog';
import { EnvelopeDownloadDialog } from '../dialogs/envelope-download-dialog';
import { EnvelopeDuplicateDialog } from '../dialogs/envelope-duplicate-dialog';
import { EnvelopeRenameDialog } from '../dialogs/envelope-rename-dialog';
import { TemplateBulkSendDialog } from '../dialogs/template-bulk-send-dialog';
@@ -77,87 +74,94 @@ export const TemplatesTableActionDropdown = ({
<DropdownMenuContent className="w-52" align="start" forceMount>
<DropdownMenuLabel>Action</DropdownMenuLabel>
<DropdownMenuItem disabled={!canMutate} asChild>
<Link to={formatPath}>
<Edit className="mr-2 h-4 w-4" />
<Trans>Edit</Trans>
</Link>
</DropdownMenuItem>
{canMutate && (
<DropdownMenuItem onClick={() => setRenameDialogOpen(true)}>
<Pencil className="mr-2 h-4 w-4" />
<Trans>Rename</Trans>
</DropdownMenuItem>
)}
{canMutate && (
<EnvelopeDuplicateDialog
envelopeId={row.envelopeId}
envelopeType={EnvelopeType.TEMPLATE}
trigger={
<DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
<div>
<Copy className="mr-2 h-4 w-4" />
<Trans>Duplicate</Trans>
</div>
</DropdownMenuItem>
}
/>
)}
{canMutate && (
<TemplateDirectLinkDialog
templateId={row.id}
recipients={row.recipients}
directLink={row.directLink}
trigger={
<div
data-testid="template-direct-link"
className="relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none transition-colors hover:bg-accent hover:text-accent-foreground"
>
<Share2Icon className="mr-2 h-4 w-4" />
<Trans>Direct link</Trans>
<EnvelopeDownloadDialog
envelopeId={row.envelopeId}
envelopeStatus={DocumentStatus.DRAFT}
trigger={
<DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
<div>
<Download className="mr-2 h-4 w-4" />
<Trans>Download</Trans>
</div>
}
/>
)}
<DropdownMenuItem disabled={!canMutate} onClick={() => setMoveToFolderDialogOpen(true)}>
<FolderIcon className="mr-2 h-4 w-4" />
<Trans>Move to Folder</Trans>
</DropdownMenuItem>
</DropdownMenuItem>
}
/>
{canMutate && (
<TemplateBulkSendDialog
templateId={row.id}
recipients={row.recipients}
trigger={
<div className="relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none transition-colors hover:bg-accent hover:text-accent-foreground">
<Upload className="mr-2 h-4 w-4" />
<Trans>Bulk Send via CSV</Trans>
</div>
}
/>
)}
<>
<DropdownMenuItem asChild>
<Link to={formatPath}>
<Edit className="mr-2 h-4 w-4" />
<Trans>Edit</Trans>
</Link>
</DropdownMenuItem>
{canMutate && (
<EnvelopeDeleteDialog
id={row.envelopeId}
type={EnvelopeType.TEMPLATE}
status={DocumentStatus.DRAFT}
title={row.title}
canManageDocument={canMutate}
onDelete={onDelete}
trigger={
<DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
<div>
<Trash2 className="mr-2 h-4 w-4" />
<Trans>Delete</Trans>
<DropdownMenuItem onClick={() => setRenameDialogOpen(true)}>
<Pencil className="mr-2 h-4 w-4" />
<Trans>Rename</Trans>
</DropdownMenuItem>
<EnvelopeDuplicateDialog
envelopeId={row.envelopeId}
envelopeType={EnvelopeType.TEMPLATE}
trigger={
<DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
<div>
<Copy className="mr-2 h-4 w-4" />
<Trans>Duplicate</Trans>
</div>
</DropdownMenuItem>
}
/>
<TemplateDirectLinkDialog
templateId={row.id}
recipients={row.recipients}
directLink={row.directLink}
trigger={
<div
data-testid="template-direct-link"
className="relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none transition-colors hover:bg-accent hover:text-accent-foreground"
>
<Share2Icon className="mr-2 h-4 w-4" />
<Trans>Direct link</Trans>
</div>
</DropdownMenuItem>
}
/>
}
/>
<DropdownMenuItem onClick={() => setMoveToFolderDialogOpen(true)}>
<FolderIcon className="mr-2 h-4 w-4" />
<Trans>Move to Folder</Trans>
</DropdownMenuItem>
<TemplateBulkSendDialog
templateId={row.id}
recipients={row.recipients}
trigger={
<div className="relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none transition-colors hover:bg-accent hover:text-accent-foreground">
<Upload className="mr-2 h-4 w-4" />
<Trans>Bulk Send via CSV</Trans>
</div>
}
/>
<EnvelopeDeleteDialog
id={row.envelopeId}
type={EnvelopeType.TEMPLATE}
status={DocumentStatus.DRAFT}
title={row.title}
canManageDocument={canMutate}
onDelete={onDelete}
trigger={
<DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
<div>
<Trash2 className="mr-2 h-4 w-4" />
<Trans>Delete</Trans>
</div>
</DropdownMenuItem>
}
/>
</>
)}
</DropdownMenuContent>
apps/remix/app/routes/_authenticated+/t.$teamUrl+/templates.$id._index.tsx
+12 -14
View File
@@ -248,20 +248,18 @@ export default function TemplatePage({ params }: Route.ComponentProps) {
<Trans>Template</Trans>
</h3>
{isOwnTeamTemplate && (
<div>
<TemplatesTableActionDropdown
row={{
...envelope,
id: mapSecondaryIdToTemplateId(envelope.secondaryId),
envelopeId: envelope.id,
}}
teamId={team?.id}
templateRootPath={templateRootPath}
onDelete={async () => navigate(templateRootPath)}
/>
</div>
)}
<div>
<TemplatesTableActionDropdown
row={{
...envelope,
id: mapSecondaryIdToTemplateId(envelope.secondaryId),
envelopeId: envelope.id,
}}
teamId={team?.id}
templateRootPath={templateRootPath}
onDelete={async () => navigate(templateRootPath)}
/>
</div>
</div>
<p className="mt-2 px-4 text-sm text-muted-foreground">
packages/app-tests/e2e/templates/organisation-templates.spec.ts
+141
View File
@@ -551,3 +551,144 @@ test.describe('Organisation Templates - Adversarial', () => {
expect(titles).not.toContain(orgTemplate.title);
});
});
// ─── API: envelope.item.getManyByToken (org template fallback) ───────────────
test.describe('Organisation Templates - envelope.item.getManyByToken API', () => {
test('should allow a sibling team member to fetch envelope items for an org template', async ({
page,
}) => {
const { memberB, teamB, orgTemplate } = await seedOrgTemplateScenario();
await apiSignin({ page, email: memberB.email });
const { res, json } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: orgTemplate.id, access: { type: 'user' } },
teamB.id,
);
expect(res.ok()).toBeTruthy();
const items = json.result.data.json.data;
expect(Array.isArray(items)).toBe(true);
expect(items.length).toBeGreaterThan(0);
expect(items[0].envelopeId).toBe(orgTemplate.id);
});
test('should allow the owning team member to fetch envelope items (own-team path)', async ({
page,
}) => {
const { ownerA, teamA, orgTemplate } = await seedOrgTemplateScenario();
await apiSignin({ page, email: ownerA.email });
const { res, json } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: orgTemplate.id, access: { type: 'user' } },
teamA.id,
);
expect(res.ok()).toBeTruthy();
const items = json.result.data.json.data;
expect(items.length).toBeGreaterThan(0);
expect(items[0].envelopeId).toBe(orgTemplate.id);
});
test('should reject a user outside the organisation', async ({ page }) => {
const { orgTemplate } = await seedOrgTemplateScenario();
const { user: outsider, team: outsiderTeam } = await seedUser();
await apiSignin({ page, email: outsider.email });
const { res } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: orgTemplate.id, access: { type: 'user' } },
outsiderTeam.id,
);
expect(res.ok()).toBeFalsy();
});
test('should reject fetching items for a PRIVATE template from a sibling team', async ({
page,
}) => {
const { ownerA, teamA, memberB, teamB } = await seedOrgTemplateScenario();
const privateTemplate = await seedBlankTemplate(ownerA, teamA.id, {
createTemplateOptions: {
title: `Private Items ${nanoid()}`,
templateType: TemplateType.PRIVATE,
},
});
await apiSignin({ page, email: memberB.email });
const { res } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: privateTemplate.id, access: { type: 'user' } },
teamB.id,
);
expect(res.ok()).toBeFalsy();
});
test('should respect document visibility for the viewer team role', async ({ page }) => {
const { ownerA, teamA, memberB, teamB } = await seedOrgTemplateScenario();
const adminOnlyTemplate = await seedBlankTemplate(ownerA, teamA.id, {
createTemplateOptions: {
title: `Items Admin Only ${nanoid()}`,
templateType: TemplateType.ORGANISATION,
visibility: 'ADMIN',
},
});
// memberB is a MEMBER on teamB — must not be able to read items for an ADMIN-only template.
await apiSignin({ page, email: memberB.email });
const { res: memberRes } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: adminOnlyTemplate.id, access: { type: 'user' } },
teamB.id,
);
expect(memberRes.ok()).toBeFalsy();
await apiSignout({ page });
// ownerA is ADMIN on teamA — should succeed via the own-team path.
await apiSignin({ page, email: ownerA.email });
const { res: adminRes, json: adminJson } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: adminOnlyTemplate.id, access: { type: 'user' } },
teamA.id,
);
expect(adminRes.ok()).toBeTruthy();
expect(adminJson.result.data.json.data.length).toBeGreaterThan(0);
});
test('should reject unauthenticated callers using the user access type', async ({ page }) => {
const { orgTemplate, teamB } = await seedOrgTemplateScenario();
// No apiSignin — unauthenticated.
const { res } = await trpcQuery(
page,
'envelope.item.getManyByToken',
{ envelopeId: orgTemplate.id, access: { type: 'user' } },
teamB.id,
);
expect(res.ok()).toBeFalsy();
});
});
packages/trpc/server/envelope-router/get-envelope-items-by-token.ts
+26 -2
View File
@@ -2,6 +2,7 @@ import { EnvelopeType } from '@prisma/client';
import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
import { getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
import { getOrganisationTemplateWhereInput } from '@documenso/lib/server-only/template/get-organisation-template-by-id';
import { prisma } from '@documenso/prisma';
import { maybeAuthenticatedProcedure } from '../trpc';
@@ -101,7 +102,7 @@ const handleGetEnvelopeItemsByUser = async ({
userId: number;
teamId: number;
}) => {
const { envelopeWhereInput } = await getEnvelopeWhereInput({
const { envelopeWhereInput, team: callerTeam } = await getEnvelopeWhereInput({
id: {
type: 'envelopeId',
id: envelopeId,
@@ -111,7 +112,8 @@ const handleGetEnvelopeItemsByUser = async ({
teamId,
});
const envelope = await prisma.envelope.findUnique({
// Try the standard team-scoped access path first (owner / current team / team email).
let envelope = await prisma.envelope.findUnique({
where: envelopeWhereInput,
include: {
envelopeItems: {
@@ -122,6 +124,28 @@ const handleGetEnvelopeItemsByUser = async ({
},
});
// Fallback: if the envelope is an ORGANISATION template owned by a sibling team
// in the caller's organisation, allow read access to the items metadata.
// Mirrors the access logic used by `createDocumentFromTemplate` and the
// file-download endpoint's `checkEnvelopeFileAccess` so this route stays in
// sync with where actual file access is granted.
if (!envelope) {
envelope = await prisma.envelope.findFirst({
where: getOrganisationTemplateWhereInput({
id: { type: 'envelopeId', id: envelopeId },
organisationId: callerTeam.organisationId,
teamRole: callerTeam.currentTeamRole,
}),
include: {
envelopeItems: {
include: {
documentData: true,
},
},
},
});
}
if (!envelope) {
throw new AppError(AppErrorCode.NOT_FOUND, {
message: 'Envelope could not be found',