-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(server): fixed validation in regards to workspaces, when they're secondary resource targets #2814
Conversation
@@ -31,6 +31,11 @@ export const validateProjectInviteBeforeFinalizationFactory = | |||
) | |||
} | |||
|
|||
// If decline, skip all further validation | |||
if (action === InviteFinalizationAction.DECLINE) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've had scenarios when something went wrong and the invite was stuck in a busted state and you couldn't even decline it. I've changed the logic so that declining skips a lot of validation so that you can always get rid of these.
/** | ||
* Convert the initial validation function to a finalization validation function so same logic can be reused | ||
*/ | ||
export const convertToFinalizationValidation = (params: { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Allows running the same validation logic we do on invite create also on invite finalization (more DRY)
expect(res.data?.projectMutations.invites.createForWorkspace.id).to.be.ok | ||
}) | ||
|
||
it("can't indirectly invite to workspace if not workspace admin", async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This validates: "Workspace project invites must be validated, only workspace admins can send out project invites, that also have workspace invites in them"
expect(res.data?.projectMutations.invites.createForWorkspace.id).to.not.be.ok | ||
}) | ||
|
||
it('can invite to workspace project even if not workspace admin, if target already belongs to workspace', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This validates that a project owner can invite workspace members into a project, even if they're not a workspace admin
@@ -210,7 +293,7 @@ export const finalizeResourceInviteFactory = | |||
|
|||
try { | |||
// Add email | |||
if (isNewEmailTarget) { | |||
if (isNewEmailTarget && action === InviteFinalizationAction.ACCEPT) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a bug here where new email was added even if action was DECLINE (new test case added for this too)
// If workspace project, ensure secondaryResourceRoles are set (channeling users | ||
// to the correct gql resolver) | ||
const project = await deps.getStream({ streamId: resourceId }) | ||
if (!allowWorkspacedProjects && project && project?.workspaceId) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This prevents workspace project invite creation from the default mutation resolver
@@ -1,5 +1,24 @@ | |||
import { InviteResourceTarget } from '@/modules/serverinvites/domain/types' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
moved some constants & types to workspacesCore, since I needed to reference them outside of workspaces
*/ | ||
haveGraphQLErrors(message?: string): void | ||
haveGraphQLErrors( | ||
messageOrOptions?: string | ({ message: string } | { code: string }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added support for checking for error codes, instead of messages - less brittle tests that way
expect(res.data?.projectMutations.invites.createForWorkspace.id).to.be.ok | ||
}) | ||
|
||
it("can't invite invalid domain email to domain protected workspace project", async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validates that workspace project invites also follow workspace domain policy restrictions
This might possibly also address the issue of domain policy validation being skipped, because its the same solution for both issues: Ensuring that workspace validation occurs even when the workspace is a secondary resource target.
I also added logic that re-runs the same validation that runs on invite create also on finalization, that way we don't need to duplicate a lot of it in both places
Also added new tests, where it made sense