feat: add organisations (#1820)

2025-11-13 16:23:06 +10:00 · 2025-06-10 11:49:52 +10:00
parent 0b37f19641
commit e6dc237ad2
631 changed files with 37616 additions and 25695 deletions
--- a/packages/lib/server-only/public-api/create-api-token.ts
+++ b/packages/lib/server-only/public-api/create-api-token.ts
@ -1,13 +1,14 @@
-import { TeamMemberRole } from '@prisma/client';
 import type { Duration } from 'luxon';
 import { DateTime } from 'luxon';

 import { prisma } from '@documenso/prisma';

+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '../../constants/teams';
 // temporary choice for testing only
 import * as timeConstants from '../../constants/time';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { alphaid } from '../../universal/id';
+import { buildTeamWhereQuery } from '../../utils/teams';
 import { hashString } from '../auth/hash';

 type TimeConstants = typeof timeConstants & {
@ -16,7 +17,7 @@ type TimeConstants = typeof timeConstants & {

 type CreateApiTokenInput = {
  userId: number;
-  teamId?: number;
+  teamId: number;
  tokenName: string;
  expiresIn: string | null;
 };
@ -33,20 +34,18 @@ export const createApiToken = async ({

  const timeConstantsRecords: TimeConstants = timeConstants;

-  if (teamId) {
-    const member = await prisma.teamMember.findFirst({
-      where: {
-        userId,
-        teamId,
-        role: TeamMemberRole.ADMIN,
-      },
-    });
+  const team = await prisma.team.findFirst({
+    where: buildTeamWhereQuery({
+      teamId,
+      userId,
+      roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+    }),
+  });

-    if (!member) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to create a token for this team',
-      });
-    }
+  if (!team) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to create a token for this team',
+    });
  }

  const storedToken = await prisma.apiToken.create({
--- a/packages/lib/server-only/public-api/delete-api-token-by-id.ts
+++ b/packages/lib/server-only/public-api/delete-api-token-by-id.ts
@ -1,32 +1,34 @@
-import { TeamMemberRole } from '@prisma/client';
-
 import { prisma } from '@documenso/prisma';

+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '../../constants/teams';
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import { buildTeamWhereQuery } from '../../utils/teams';
+
 export type DeleteTokenByIdOptions = {
  id: number;
  userId: number;
-  teamId?: number;
+  teamId: number;
 };

 export const deleteTokenById = async ({ id, userId, teamId }: DeleteTokenByIdOptions) => {
-  if (teamId) {
-    const member = await prisma.teamMember.findFirst({
-      where: {
-        userId,
-        teamId,
-        role: TeamMemberRole.ADMIN,
-      },
-    });
+  const team = await prisma.team.findFirst({
+    where: buildTeamWhereQuery({
+      teamId,
+      userId,
+      roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+    }),
+  });

-    if (!member) {
-      throw new Error('You do not have permission to delete this token');
-    }
+  if (!team) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to delete this token',
+    });
  }

  return await prisma.apiToken.delete({
    where: {
      id,
-      teamId: teamId ?? null,
+      teamId,
    },
  });
 };
--- a/packages/lib/server-only/public-api/get-api-token-by-token.ts
+++ b/packages/lib/server-only/public-api/get-api-token-by-token.ts
@ -10,8 +10,30 @@ export const getApiTokenByToken = async ({ token }: { token: string }) => {
      token: hashedToken,
    },
    include: {
-      team: true,
-      user: true,
+      team: {
+        include: {
+          organisation: {
+            include: {
+              owner: {
+                select: {
+                  id: true,
+                  name: true,
+                  email: true,
+                  disabled: true,
+                },
+              },
+            },
+          },
+        },
+      },
+      user: {
+        select: {
+          id: true,
+          name: true,
+          email: true,
+          disabled: true,
+        },
+      },
    },
  });

@ -25,11 +47,7 @@ export const getApiTokenByToken = async ({ token }: { token: string }) => {

  // Handle a silly choice from many moons ago
  if (apiToken.team && !apiToken.user) {
-    apiToken.user = await prisma.user.findFirst({
-      where: {
-        id: apiToken.team.ownerUserId,
-      },
-    });
+    apiToken.user = apiToken.team.organisation.owner;
  }

  const { user } = apiToken;
--- a/packages/lib/server-only/public-api/get-api-tokens.ts
+++ b/packages/lib/server-only/public-api/get-api-tokens.ts
@ -1,31 +1,22 @@
-import { TeamMemberRole } from '@prisma/client';
-
 import { prisma } from '@documenso/prisma';

+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '../../constants/teams';
+import { buildTeamWhereQuery } from '../../utils/teams';
+
 export type GetApiTokensOptions = {
  userId: number;
-  teamId?: number;
+  teamId: number;
 };

 export const getApiTokens = async ({ userId, teamId }: GetApiTokensOptions) => {
  return await prisma.apiToken.findMany({
    where: {
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                  role: TeamMemberRole.ADMIN,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      userId,
+      team: buildTeamWhereQuery({
+        teamId,
+        userId,
+        roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+      }),
    },
    select: {
      id: true,