mirror of
https://github.com/documenso/documenso.git
synced 2025-11-10 04:22:32 +10:00
23a0537648
## Description This PR introduces global settings for teams. At the moment, it allows team admins to configure the following: * The default visibility of the documents uploaded to the team account * Whether to include the document owner (sender) details when sending emails to the recipients. ### Include Sender Details If the Sender Details setting is enabled, the emails sent by the team will include the sender's name: > "Example User" on behalf of "Example Team" has invited you to sign "document.pdf" Otherwise, the email will say: > "Example Team" has invited you to sign "document.pdf" ### Default Document Visibility This new option allows users to set the default visibility for the documents uploaded to the team account. It can have the following values: * Everyone * Manager and above * Admins only If the default document visibility isn't set, the document will be set to the role of the user who created the document: * If a user with the "User" role creates a document, the document's visibility is set to "Everyone". * Manager role -> "Manager and above" * Admin role -> "Admins only" Otherwise, if there is a default document visibility value, it uses that value. #### Gotcha To avoid issues, the `document owner` and the `recipient` can access the document irrespective of their role. For example: * If a team member with the role "Member" uploads a document and the default document visibility is "Admins", only the document owner and admins can access the document. * Similar to the other scenarios. * If an admin uploads a document and the default document visibility is "Admins", the recipient can access the document. * The admins have access to all the documents. * Managers have access to documents with the visibility set to "Everyone" and "Manager and above" * Members have access only to the documents with the visibility set to "Everyone". ## Testing Performed Tested it locally.
407 lines
12 KiB
TypeScript
407 lines
12 KiB
TypeScript
import { expect, test } from '@playwright/test';
|
|
|
|
import { ZRecipientAuthOptionsSchema } from '@documenso/lib/types/document-auth';
|
|
import {
|
|
createDocumentAuthOptions,
|
|
createRecipientAuthOptions,
|
|
} from '@documenso/lib/utils/document-auth';
|
|
import { FieldType } from '@documenso/prisma/client';
|
|
import {
|
|
seedPendingDocumentNoFields,
|
|
seedPendingDocumentWithFullFields,
|
|
} from '@documenso/prisma/seed/documents';
|
|
import { seedTestEmail, seedUser } from '@documenso/prisma/seed/users';
|
|
|
|
import { apiSignin, apiSignout } from '../fixtures/authentication';
|
|
|
|
test.describe.configure({ mode: 'parallel', timeout: 60000 });
|
|
|
|
test('[DOCUMENT_AUTH]: should allow signing when no auth setup', async ({ page }) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithAccount = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentWithFullFields({
|
|
owner: user,
|
|
recipients: [recipientWithAccount, seedTestEmail()],
|
|
});
|
|
|
|
// Check that both are granted access.
|
|
for (const recipient of recipients) {
|
|
const { token, Field } = recipient;
|
|
|
|
const signUrl = `/sign/${token}`;
|
|
|
|
await page.goto(signUrl);
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
// Add signature.
|
|
const canvas = page.locator('canvas').first();
|
|
const box = await canvas.boundingBox();
|
|
if (box) {
|
|
await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
|
|
await page.mouse.down();
|
|
await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
|
|
await page.mouse.up();
|
|
}
|
|
|
|
for (const field of Field) {
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
|
|
if (field.type === FieldType.TEXT) {
|
|
await page.locator('#custom-text').fill('TEXT');
|
|
await page.getByRole('button', { name: 'Save' }).click();
|
|
}
|
|
|
|
await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true');
|
|
}
|
|
|
|
await page.getByRole('button', { name: 'Complete' }).click();
|
|
await page.getByRole('button', { name: 'Sign' }).click();
|
|
await page.waitForURL(`${signUrl}/complete`);
|
|
}
|
|
});
|
|
|
|
test('[DOCUMENT_AUTH]: should allow signing with valid global auth', async ({ page }) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithAccount = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentWithFullFields({
|
|
owner: user,
|
|
recipients: [recipientWithAccount],
|
|
updateDocumentOptions: {
|
|
authOptions: createDocumentAuthOptions({
|
|
globalAccessAuth: null,
|
|
globalActionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
});
|
|
|
|
const recipient = recipients[0];
|
|
|
|
const { token, Field } = recipient;
|
|
|
|
const signUrl = `/sign/${token}`;
|
|
|
|
await apiSignin({
|
|
page,
|
|
email: recipientWithAccount.email,
|
|
redirectPath: signUrl,
|
|
});
|
|
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
// Add signature.
|
|
const canvas = page.locator('canvas').first();
|
|
const box = await canvas.boundingBox();
|
|
if (box) {
|
|
await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
|
|
await page.mouse.down();
|
|
await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
|
|
await page.mouse.up();
|
|
}
|
|
|
|
for (const field of Field) {
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
|
|
if (field.type === FieldType.TEXT) {
|
|
await page.locator('#custom-text').fill('TEXT');
|
|
await page.getByRole('button', { name: 'Save' }).click();
|
|
}
|
|
|
|
await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true');
|
|
}
|
|
|
|
await page.getByRole('button', { name: 'Complete' }).click();
|
|
await page.getByRole('button', { name: 'Sign' }).click();
|
|
await page.waitForURL(`${signUrl}/complete`);
|
|
});
|
|
|
|
// Currently document auth for signing/approving/viewing is not required.
|
|
test.skip('[DOCUMENT_AUTH]: should deny signing document when required for global auth', async ({
|
|
page,
|
|
}) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithAccount = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentNoFields({
|
|
owner: user,
|
|
recipients: [recipientWithAccount],
|
|
updateDocumentOptions: {
|
|
authOptions: createDocumentAuthOptions({
|
|
globalAccessAuth: null,
|
|
globalActionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
});
|
|
|
|
const recipient = recipients[0];
|
|
|
|
const { token } = recipient;
|
|
|
|
await page.goto(`/sign/${token}`);
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
await page.getByRole('button', { name: 'Complete' }).click();
|
|
await expect(page.getByRole('paragraph')).toContainText(
|
|
'Reauthentication is required to sign the document',
|
|
);
|
|
});
|
|
|
|
test('[DOCUMENT_AUTH]: should deny signing fields when required for global auth', async ({
|
|
page,
|
|
}) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithAccount = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentWithFullFields({
|
|
owner: user,
|
|
recipients: [recipientWithAccount, seedTestEmail()],
|
|
updateDocumentOptions: {
|
|
authOptions: createDocumentAuthOptions({
|
|
globalAccessAuth: null,
|
|
globalActionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
});
|
|
|
|
// Check that both are denied access.
|
|
for (const recipient of recipients) {
|
|
const { token, Field } = recipient;
|
|
|
|
await page.goto(`/sign/${token}`);
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
for (const field of Field) {
|
|
if (field.type !== FieldType.SIGNATURE) {
|
|
continue;
|
|
}
|
|
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
await expect(page.getByRole('paragraph')).toContainText(
|
|
'Reauthentication is required to sign this field',
|
|
);
|
|
await page.getByRole('button', { name: 'Cancel' }).click();
|
|
}
|
|
}
|
|
});
|
|
|
|
test('[DOCUMENT_AUTH]: should allow field signing when required for recipient auth', async ({
|
|
page,
|
|
}) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithInheritAuth = await seedUser();
|
|
const recipientWithExplicitNoneAuth = await seedUser();
|
|
const recipientWithExplicitAccountAuth = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentWithFullFields({
|
|
owner: user,
|
|
recipients: [
|
|
recipientWithInheritAuth,
|
|
recipientWithExplicitNoneAuth,
|
|
recipientWithExplicitAccountAuth,
|
|
],
|
|
recipientsCreateOptions: [
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: null,
|
|
}),
|
|
},
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: 'EXPLICIT_NONE',
|
|
}),
|
|
},
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
],
|
|
fields: [FieldType.DATE],
|
|
});
|
|
|
|
for (const recipient of recipients) {
|
|
const { token, Field } = recipient;
|
|
const { actionAuth } = ZRecipientAuthOptionsSchema.parse(recipient.authOptions);
|
|
|
|
// This document has no global action auth, so only account should require auth.
|
|
const isAuthRequired = actionAuth === 'ACCOUNT';
|
|
|
|
const signUrl = `/sign/${token}`;
|
|
|
|
await page.goto(signUrl);
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
if (isAuthRequired) {
|
|
for (const field of Field) {
|
|
if (field.type !== FieldType.SIGNATURE) {
|
|
continue;
|
|
}
|
|
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
await expect(page.getByRole('paragraph')).toContainText(
|
|
'Reauthentication is required to sign this field',
|
|
);
|
|
await page.getByRole('button', { name: 'Cancel' }).click();
|
|
}
|
|
|
|
// Sign in and it should work.
|
|
await apiSignin({
|
|
page,
|
|
email: recipient.email,
|
|
redirectPath: signUrl,
|
|
});
|
|
}
|
|
|
|
// Add signature.
|
|
const canvas = page.locator('canvas').first();
|
|
const box = await canvas.boundingBox();
|
|
if (box) {
|
|
await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
|
|
await page.mouse.down();
|
|
await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
|
|
await page.mouse.up();
|
|
}
|
|
|
|
for (const field of Field) {
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
|
|
if (field.type === FieldType.TEXT) {
|
|
await page.locator('#custom-text').fill('TEXT');
|
|
await page.getByRole('button', { name: 'Save' }).click();
|
|
}
|
|
|
|
await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true', {
|
|
timeout: 5000,
|
|
});
|
|
}
|
|
|
|
await page.getByRole('button', { name: 'Complete' }).click();
|
|
await page.getByRole('button', { name: 'Sign' }).click();
|
|
await page.waitForURL(`${signUrl}/complete`);
|
|
|
|
if (isAuthRequired) {
|
|
await apiSignout({ page });
|
|
}
|
|
}
|
|
});
|
|
|
|
test('[DOCUMENT_AUTH]: should allow field signing when required for recipient and global auth', async ({
|
|
page,
|
|
}) => {
|
|
const user = await seedUser();
|
|
|
|
const recipientWithInheritAuth = await seedUser();
|
|
const recipientWithExplicitNoneAuth = await seedUser();
|
|
const recipientWithExplicitAccountAuth = await seedUser();
|
|
|
|
const { recipients } = await seedPendingDocumentWithFullFields({
|
|
owner: user,
|
|
recipients: [
|
|
recipientWithInheritAuth,
|
|
recipientWithExplicitNoneAuth,
|
|
recipientWithExplicitAccountAuth,
|
|
],
|
|
recipientsCreateOptions: [
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: null,
|
|
}),
|
|
},
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: 'EXPLICIT_NONE',
|
|
}),
|
|
},
|
|
{
|
|
authOptions: createRecipientAuthOptions({
|
|
accessAuth: null,
|
|
actionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
],
|
|
fields: [FieldType.DATE],
|
|
updateDocumentOptions: {
|
|
authOptions: createDocumentAuthOptions({
|
|
globalAccessAuth: null,
|
|
globalActionAuth: 'ACCOUNT',
|
|
}),
|
|
},
|
|
});
|
|
|
|
for (const recipient of recipients) {
|
|
const { token, Field } = recipient;
|
|
const { actionAuth } = ZRecipientAuthOptionsSchema.parse(recipient.authOptions);
|
|
|
|
// This document HAS global action auth, so account and inherit should require auth.
|
|
const isAuthRequired = actionAuth === 'ACCOUNT' || actionAuth === null;
|
|
|
|
const signUrl = `/sign/${token}`;
|
|
|
|
await page.goto(signUrl);
|
|
await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
|
|
|
|
if (isAuthRequired) {
|
|
for (const field of Field) {
|
|
if (field.type !== FieldType.SIGNATURE) {
|
|
continue;
|
|
}
|
|
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
await expect(page.getByRole('paragraph')).toContainText(
|
|
'Reauthentication is required to sign this field',
|
|
);
|
|
await page.getByRole('button', { name: 'Cancel' }).click();
|
|
}
|
|
|
|
// Sign in and it should work.
|
|
await apiSignin({
|
|
page,
|
|
email: recipient.email,
|
|
redirectPath: signUrl,
|
|
});
|
|
}
|
|
|
|
// Add signature.
|
|
const canvas = page.locator('canvas').first();
|
|
const box = await canvas.boundingBox();
|
|
if (box) {
|
|
await page.mouse.move(box.x + box.width / 2, box.y + box.height / 2);
|
|
await page.mouse.down();
|
|
await page.mouse.move(box.x + box.width / 4, box.y + box.height / 4);
|
|
await page.mouse.up();
|
|
}
|
|
|
|
for (const field of Field) {
|
|
await page.locator(`#field-${field.id}`).getByRole('button').click();
|
|
|
|
if (field.type === FieldType.TEXT) {
|
|
await page.locator('#custom-text').fill('TEXT');
|
|
await page.getByRole('button', { name: 'Save' }).click();
|
|
}
|
|
|
|
await expect(page.locator(`#field-${field.id}`)).toHaveAttribute('data-inserted', 'true', {
|
|
timeout: 5000,
|
|
});
|
|
}
|
|
|
|
await page.getByRole('button', { name: 'Complete' }).click();
|
|
await page.getByRole('button', { name: 'Sign' }).click();
|
|
await page.waitForURL(`${signUrl}/complete`);
|
|
|
|
if (isAuthRequired) {
|
|
await apiSignout({ page });
|
|
}
|
|
}
|
|
});
|