diff --git a/front/lib/api/vaults.ts b/front/lib/api/vaults.ts
index 4ae3aaaff73f..0abac1c443e4 100644
--- a/front/lib/api/vaults.ts
+++ b/front/lib/api/vaults.ts
@@ -5,13 +5,11 @@ import { uniq } from "lodash";
 import { hardDeleteApp } from "@app/lib/api/apps";
 import type { Authenticator } from "@app/lib/auth";
-import { DustError } from "@app/lib/error";
 import { AppResource } from "@app/lib/resources/app_resource";
 import { DataSourceResource } from "@app/lib/resources/data_source_resource";
 import { DataSourceViewResource } from "@app/lib/resources/data_source_view_resource";
 import { KeyResource } from "@app/lib/resources/key_resource";
 import { frontSequelize } from "@app/lib/resources/storage";
-import { UserResource } from "@app/lib/resources/user_resource";
 import type { VaultResource } from "@app/lib/resources/vault_resource";
 import { launchScrubVaultWorkflow } from "@app/poke/temporal/client";
@@ -150,62 +148,3 @@ export async function hardDeleteVault(
 return new Ok(undefined);
 }
-
-export async function updateVaultPermissions(
- auth: Authenticator,
- vault: VaultResource,
- {
- isRestricted,
- memberIds,
- }: { isRestricted: boolean; memberIds: string[] | null }
- ): Promise> {
- if (!vault.canAdministrate(auth)) {
- return new Err(
- new DustError("unauthorized", "Cannot update permissions for vault.")
- );
- }
-
- const regularGroups = vault.groups.filter(
- (group) => group.kind === "regular"
- );
- // Assert that there is exactly one regular group associated with the vault.
- assert(
- regularGroups.length === 1,
- `Expected exactly one regular group for the vault, but found ${regularGroups.length}.`
- );
- const [defaultVaultGroup] = regularGroups;
-
- const wasRestricted = vault.groups.every((g) => !g.isGlobal());
-
- if (isRestricted) {
- // If the vault should be restricted and was not restricted before, remove the global group.
- if (!wasRestricted) {
- const updateRes = await vault.updatePermissions(auth, true);
- if (updateRes.isErr()) {
- return updateRes;
- }
- }
-
- if (memberIds) {
- const users = await UserResource.fetchByIds(memberIds);
-
- return defaultVaultGroup.setMembers(
- auth,
- users.map((u) => u.toJSON())
- );
- }
-
- return new Ok(undefined);
- } else {
- // If the vault should not be restricted and was restricted before, add the global group.
- if (wasRestricted) {
- const updateRes = await vault.updatePermissions(auth, false);
- if (updateRes.isErr()) {
- return updateRes;
- }
- }
-
- // Remove all members.
- return defaultVaultGroup.setMembers(auth, []);
- }
-}
diff --git a/front/lib/resources/vault_resource.ts b/front/lib/resources/vault_resource.ts
index 1817ed3f7f7e..dfb447474de0 100644
--- a/front/lib/resources/vault_resource.ts
+++ b/front/lib/resources/vault_resource.ts
@@ -28,6 +28,8 @@ import type { ReadonlyAttributesType } from "@app/lib/resources/storage/types";
 import type { ModelStaticSoftDeletable } from "@app/lib/resources/storage/wrappers";
 import { getResourceIdFromSId, makeSId } from "@app/lib/resources/string_ids";
 import type { ResourceFindOptions } from "@app/lib/resources/types";
+import { DustError } from "@app/lib/error";
+import { UserResource } from "@app/lib/resources/user_resource";
 // Attributes are marked as read-only to reflect the stateless nature of our Resource.
 // This design will be moved up to BaseResource once we transition away from Sequelize.
@@ -286,14 +288,32 @@ export class VaultResource extends BaseResource {
 async updatePermissions(
 auth: Authenticator,
- isRestricted: boolean
- ): Promise> {
+ {
+ isRestricted,
+ memberIds,
+ }: { isRestricted: boolean; memberIds: string[] | null }
+ ): Promise> {
 if (!this.canAdministrate(auth)) {
 return new Err(
- new Error("You do not have permission to update vault permissions.")
+ new DustError(
+ "unauthorized",
+ "You do not have permission to update vault permissions."
+ )
 );
 }
+ const regularGroups = this.groups.filter(
+ (group) => group.kind === "regular"
+ );
+ // Assert that there is exactly one regular group associated with the vault.
+ assert(
+ regularGroups.length === 1,
+ `Expected exactly one regular group for the vault, but found ${regularGroups.length}.`
+ );
+ const [defaultVaultGroup] = regularGroups;
+
+ const wasRestricted = this.groups.every((g) => !g.isGlobal());
+
 const groupRes = await GroupResource.fetchWorkspaceGlobalGroup(auth);
 if (groupRes.isErr()) {
 return groupRes;
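Review bot: `updatePermissions` now carries a two-state contract that its signature does not explain, and the method has no TSDoc: with `isRestricted: true` the global group is removed and `memberIds` replaces the regular group's members only when non-null (null leaves them untouched), while with `isRestricted: false` the global group is re-added and the members are always cleared regardless of `memberIds`. I would add a `/** … */` block above `async updatePermissions(` stating exactly that, including that `memberIds` is ignored when `isRestricted` is false. The added `assert(regularGroups.length === 1, …)` also turns a vault with zero or several regular groups into a thrown exception rather than an `Err`, which callers of a `Result`-returning method will not expect; if that is deliberate for an invariant, say so above it, e.g. `// Invariant: every vault owns exactly one regular group; a violation is a data bug, not a request error.` The method body continues in the next hunk.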
@@ -301,12 +321,32 @@ export class VaultResource extends BaseResource {
 const globalGroup = groupRes.value;
 if (isRestricted) {
- await this.removeGroup(globalGroup);
+ // If the vault should be restricted and was not restricted before, remove the global group.
+ if (!wasRestricted) {
+ await this.removeGroup(globalGroup);
+ }
+
+ if (memberIds) {
+ const users = await UserResource.fetchByIds(memberIds);
+
+ return defaultVaultGroup.setMembers(
+ auth,
+ users.map((u) => u.toJSON())
+ );
+ }
+
+ return new Ok(undefined);
 } else {
- await this.addGroup(globalGroup);
- }
+ // If the vault should not be restricted and was restricted before, add the global group.
+ if (wasRestricted) {
+ await this.addGroup(globalGroup);
+ }
- return new Ok(undefined);
+ // Remove all members.
+ await defaultVaultGroup.setMembers(auth, []);
+
+ return new Ok(undefined);
+ }
 }
 private async addGroup(group: GroupResource) {
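Review bot: In the `else` branch the result of `await defaultVaultGroup.setMembers(auth, [])` is dropped and `new Ok(undefined)` is returned unconditionally, so a failed member clear is reported as success after the global group has already been re-added; the deleted helper in `vaults.ts` returned that result, and the restricted branch above still does. Replace `await defaultVaultGroup.setMembers(auth, []);` and the following `return new Ok(undefined);` with `return defaultVaultGroup.setMembers(auth, []);`. Separately, `UserResource.fetchByIds(memberIds)` is not visibly scoped to the workspace behind `auth` and silently drops ids that do not resolve; unless `setMembers` itself rejects users from other workspaces, caller-supplied ids could add foreign users to the vault group, so a workspace-scoped fetch (or an explicit membership check) and a length comparison against `memberIds` before calling `setMembers` would close that. Finally, `removeGroup`/`addGroup` run before `setMembers` with no visible transaction, so a failing member update leaves the vault's group toggled but its membership unchanged; a comment noting that partial state, or wrapping both steps in one transaction, would help.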