feat(config): add config vars for default permissions for special groups

Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-05-17 16:44:49 -04:00 · 2022-08-21 21:09:24 +02:00 · 2022-08-21 21:09:24 +02:00 · df976b5fe1
commit df976b5fe1
parent 7dd093a44f
10 changed files with 518 additions and 36 deletions
--- a/src/config/note.config.ts
+++ b/src/config/note.config.ts
@ -6,14 +6,26 @@
 import { registerAs } from '@nestjs/config';
 import * as Joi from 'joi';

+import {
+  DefaultAccessPermission,
+  getDefaultAccessPermissionOrdinal,
+} from './default-access-permission.enum';
+import { GuestAccess } from './guest_access.enum';
 import { buildErrorMessage, parseOptionalNumber, toArrayConfig } from './utils';

 export interface NoteConfig {
  forbiddenNoteIds: string[];
  maxDocumentLength: number;
+  guestAccess: GuestAccess;
+  permissions: {
+    default: {
+      everyone: DefaultAccessPermission;
+      loggedIn: DefaultAccessPermission;
+    };
+  };
 }

-const schema = Joi.object({
+const schema = Joi.object<NoteConfig>({
  forbiddenNoteIds: Joi.array()
    .items(Joi.string())
    .optional()
@ -25,8 +37,52 @@ const schema = Joi.object({
    .integer()
    .optional()
    .label('HD_MAX_DOCUMENT_LENGTH'),
+  guestAccess: Joi.string()
+    .valid(...Object.values(GuestAccess))
+    .optional()
+    .default(GuestAccess.WRITE)
+    .label('HD_GUEST_ACCESS'),
+  permissions: {
+    default: {
+      everyone: Joi.string()
+        .valid(...Object.values(DefaultAccessPermission))
+        .optional()
+        .default(DefaultAccessPermission.READ)
+        .label('HD_PERMISSION_DEFAULT_EVERYONE'),
+      loggedIn: Joi.string()
+        .valid(...Object.values(DefaultAccessPermission))
+        .optional()
+        .default(DefaultAccessPermission.WRITE)
+        .label('HD_PERMISSION_DEFAULT_LOGGED_IN'),
+    },
+  },
 });

+function checkEveryoneConfigIsConsistent(config: NoteConfig): void {
+  const everyoneDefaultSet =
+    process.env.HD_PERMISSION_DEFAULT_EVERYONE !== undefined;
+  if (config.guestAccess === GuestAccess.DENY && everyoneDefaultSet) {
+    throw new Error(
+      `'HD_GUEST_ACCESS' is set to '${config.guestAccess}', but 'HD_PERMISSION_DEFAULT_EVERYONE' is also configured. Please remove 'HD_PERMISSION_DEFAULT_EVERYONE'.`,
+    );
+  }
+}
+
+function checkLoggedInUsersHaveHigherDefaultPermissionsThanGuests(
+  config: NoteConfig,
+): void {
+  const everyone = config.permissions.default.everyone;
+  const loggedIn = config.permissions.default.loggedIn;
+  if (
+    getDefaultAccessPermissionOrdinal(everyone) >
+    getDefaultAccessPermissionOrdinal(loggedIn)
+  ) {
+    throw new Error(
+      `'HD_PERMISSION_DEFAULT_EVERYONE' is set to '${everyone}', but 'HD_PERMISSION_DEFAULT_LOGGED_IN' is set to '${loggedIn}'. This gives everyone greater permissions than logged-in users which is not allowed.`,
+    );
+  }
+}
+
 export default registerAs('noteConfig', () => {
  const noteConfig = schema.validate(
    {
@ -34,7 +90,14 @@ export default registerAs('noteConfig', () => {
      maxDocumentLength: parseOptionalNumber(
        process.env.HD_MAX_DOCUMENT_LENGTH,
      ),
-    },
+      guestAccess: process.env.HD_GUEST_ACCESS,
+      permissions: {
+        default: {
+          everyone: process.env.HD_PERMISSION_DEFAULT_EVERYONE,
+          loggedIn: process.env.HD_PERMISSION_DEFAULT_LOGGED_IN,
+        },
+      },
+    } as NoteConfig,
    {
      abortEarly: false,
      presence: 'required',
@ -46,5 +109,8 @@ export default registerAs('noteConfig', () => {
    );
    throw new Error(buildErrorMessage(errorMessages));
  }
-  return noteConfig.value as NoteConfig;
+  const config = noteConfig.value;
+  checkEveryoneConfigIsConsistent(config);
+  checkLoggedInUsersHaveHigherDefaultPermissionsThanGuests(config);
+  return config;
 });