mirror of
https://github.com/screentinker/screentinker.git
synced 2026-05-15 07:32:23 -06:00
fc29843035
Fix: at connect, enumerate the user's accessible workspace_ids (direct workspace_members + org_owner/admin paths + platform_admin 'all') via new accessibleWorkspaceIds() helper in lib/tenancy.js; socket.join one room per workspace. All 12 dashboardNs.emit sites across deviceSocket / heartbeat / server.js / devices route / video-walls route now route via dashboardNs.to(workspaceRoom(...)).emit() with the workspace looked up from the relevant device or wall. New lib/socket-rooms.js holds the helpers and breaks a circular dependency (dashboardSocket already requires heartbeat, so heartbeat can't require dashboardSocket). Inbound 6 commands rewired to canActOnDevice(socket, deviceId, tier): request-screenshot is read tier (workspace_viewer+); remote-touch/key/start/stop and device-command are write tier (workspace_editor+). Platform_admin and org_owner/admin always pass via actingAs. Legacy admin/superadmin branch dropped. Lifecycle note: workspace-switch already calls window.location.reload (Phase 3 switcher), which forces a fresh socket with updated memberships - no per-emit re-evaluation needed. Smoke tested with 3 simultaneous socket.io-client connections (switcher-test, swninja, dw5304 platform_admin) + direct canActOnDevice invocation for 6 user/device/tier combinations. All 9 outbound isolation cells and all 6 permission gates pass. Fixture mutation: switcher-test's Field Crew membership flipped from workspace_editor to workspace_viewer to exercise the read/write tier split in one login.
172 lines
6.3 KiB
JavaScript
172 lines
6.3 KiB
JavaScript
// Phase 2.1: per-request tenancy resolver.
|
|
//
|
|
// Runs after requireAuth (which sets req.user and req.jwtWorkspaceId).
|
|
// Resolves the active workspace context for this request and attaches:
|
|
//
|
|
// req.workspaceId string | null the workspace this request operates in
|
|
// req.workspace object | null the full workspaces row
|
|
// req.organizationId string | null parent org of req.workspace
|
|
// req.workspaceRole string | null 'workspace_admin' | 'workspace_editor' | 'workspace_viewer'
|
|
// req.orgRole string | null 'org_owner' | 'org_admin'
|
|
// req.isPlatformAdmin boolean shortcut for req.user.role === 'platform_admin'
|
|
// req.actingAs boolean true when the user reached this workspace via
|
|
// org-level or platform-level access rather than
|
|
// a direct workspace_members row
|
|
//
|
|
// Resolution order, top wins:
|
|
// 1. X-Workspace-Id header (for explicit per-request override)
|
|
// 2. ?workspace_id= query param (same purpose, easier in browser dev)
|
|
// 3. JWT current_workspace_id (the user's last switched-to workspace)
|
|
// 4. First workspace_members row for user (sorted by joined_at ASC)
|
|
// 5. For platform_admin only: any workspace
|
|
//
|
|
// Steps 1-3 are validated against access. If a stale value (e.g. user was
|
|
// removed from the workspace) is found, it's discarded and we fall through.
|
|
|
|
'use strict';
|
|
|
|
const { db } = require('../db/database');
|
|
|
|
function membershipOf(userId, workspaceId) {
|
|
return db.prepare(
|
|
'SELECT role FROM workspace_members WHERE workspace_id = ? AND user_id = ?'
|
|
).get(workspaceId, userId);
|
|
}
|
|
|
|
function orgMembershipOf(userId, organizationId) {
|
|
return db.prepare(
|
|
'SELECT role FROM organization_members WHERE organization_id = ? AND user_id = ?'
|
|
).get(organizationId, userId);
|
|
}
|
|
|
|
function loadWorkspace(workspaceId) {
|
|
if (!workspaceId) return null;
|
|
return db.prepare('SELECT * FROM workspaces WHERE id = ?').get(workspaceId);
|
|
}
|
|
|
|
function firstAccessibleWorkspace(userId) {
|
|
return db.prepare(`
|
|
SELECT w.* FROM workspaces w
|
|
JOIN workspace_members wm ON wm.workspace_id = w.id
|
|
WHERE wm.user_id = ?
|
|
ORDER BY wm.joined_at ASC
|
|
LIMIT 1
|
|
`).get(userId);
|
|
}
|
|
|
|
// Check whether userId can access workspace via any path (member, org admin,
|
|
// or platform admin). Returns the access context: { workspaceRole, actingAs }
|
|
// or null if no access.
|
|
function accessContext(userId, role, workspace) {
|
|
const isPlatformAdmin = role === 'platform_admin';
|
|
const wsMembership = membershipOf(userId, workspace.id);
|
|
if (wsMembership) {
|
|
return { workspaceRole: wsMembership.role, actingAs: false };
|
|
}
|
|
const orgMembership = orgMembershipOf(userId, workspace.organization_id);
|
|
if (orgMembership && (orgMembership.role === 'org_owner' || orgMembership.role === 'org_admin')) {
|
|
return { workspaceRole: null, actingAs: true };
|
|
}
|
|
if (isPlatformAdmin) {
|
|
return { workspaceRole: null, actingAs: true };
|
|
}
|
|
return null;
|
|
}
|
|
|
|
function resolveTenancy(req, res, next) {
|
|
if (!req.user) {
|
|
// Should not happen when chained after requireAuth, but tolerate optionalAuth flows.
|
|
return next();
|
|
}
|
|
|
|
const isPlatformAdmin = req.user.role === 'platform_admin';
|
|
req.isPlatformAdmin = isPlatformAdmin;
|
|
|
|
// Build the ordered candidate list of workspace_ids to try.
|
|
const candidates = [];
|
|
const headerWs = (req.headers['x-workspace-id'] || '').trim();
|
|
if (headerWs) candidates.push(headerWs);
|
|
if (req.query && req.query.workspace_id) candidates.push(String(req.query.workspace_id));
|
|
if (req.jwtWorkspaceId) candidates.push(req.jwtWorkspaceId);
|
|
|
|
let workspace = null;
|
|
let context = null;
|
|
for (const wsId of candidates) {
|
|
const ws = loadWorkspace(wsId);
|
|
if (!ws) continue;
|
|
const ctx = accessContext(req.user.id, req.user.role, ws);
|
|
if (!ctx) continue;
|
|
workspace = ws;
|
|
context = ctx;
|
|
break;
|
|
}
|
|
|
|
if (!workspace) {
|
|
// Fall back to the user's first workspace_members row.
|
|
const first = firstAccessibleWorkspace(req.user.id);
|
|
if (first) {
|
|
workspace = first;
|
|
const wm = membershipOf(req.user.id, first.id);
|
|
context = { workspaceRole: wm.role, actingAs: false };
|
|
} else if (isPlatformAdmin) {
|
|
// Platform admin with no direct memberships: pick any workspace (acting-as).
|
|
const any = db.prepare('SELECT * FROM workspaces LIMIT 1').get();
|
|
if (any) {
|
|
workspace = any;
|
|
context = { workspaceRole: null, actingAs: true };
|
|
}
|
|
}
|
|
}
|
|
|
|
if (workspace) {
|
|
req.workspaceId = workspace.id;
|
|
req.workspace = workspace;
|
|
req.organizationId = workspace.organization_id;
|
|
req.workspaceRole = context.workspaceRole;
|
|
req.actingAs = context.actingAs;
|
|
const orgMembership = orgMembershipOf(req.user.id, workspace.organization_id);
|
|
req.orgRole = orgMembership ? orgMembership.role : null;
|
|
} else {
|
|
req.workspaceId = null;
|
|
req.workspace = null;
|
|
req.organizationId = null;
|
|
req.workspaceRole = null;
|
|
req.orgRole = null;
|
|
req.actingAs = false;
|
|
}
|
|
|
|
next();
|
|
}
|
|
|
|
// Enumerate every workspace_id the given user has any path into:
|
|
// - direct workspace_members rows
|
|
// - any workspace in an org where they are org_owner / org_admin
|
|
// - platform_admin / superadmin: every workspace in the system
|
|
// Used by socket.io rooms (Phase 2.3) to scope outbound broadcasts. Also a
|
|
// candidate to broaden /me's accessible_workspaces query - currently /me only
|
|
// returns direct workspace_members for non-admins, missing the org-admin
|
|
// path. Future cleanup tracked in the handoff doc.
|
|
function accessibleWorkspaceIds(userId, role) {
|
|
if (!userId) return [];
|
|
if (role === 'platform_admin' || role === 'superadmin') {
|
|
return db.prepare('SELECT id FROM workspaces').all().map(r => r.id);
|
|
}
|
|
return db.prepare(`
|
|
SELECT workspace_id AS id FROM workspace_members WHERE user_id = ?
|
|
UNION
|
|
SELECT w.id FROM workspaces w
|
|
JOIN organization_members om ON om.organization_id = w.organization_id
|
|
WHERE om.user_id = ? AND om.role IN ('org_owner', 'org_admin')
|
|
`).all(userId, userId).map(r => r.id);
|
|
}
|
|
|
|
module.exports = {
|
|
resolveTenancy,
|
|
// Exported for testing / direct use by routes that need ad-hoc checks.
|
|
accessContext,
|
|
membershipOf,
|
|
orgMembershipOf,
|
|
firstAccessibleWorkspace,
|
|
accessibleWorkspaceIds,
|
|
};
|