@openneuro/server 4.38.3 → 4.39.0-alpha.0

package/src/graphql/resolvers/user.ts

@@ -1,7 +1,7 @@
-/**
- * User resolvers
- */
+import type { PipelineStage } from "mongoose"
 import User from "../../models/user"
+import DatasetEvent from "../../models/datasetEvents"
+import type { UserNotificationStatusDocument } from "../../models/userNotificationStatus"
 
 function isValidOrcid(orcid: string): boolean {
   return /^[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{3}[0-9X]$/.test(orcid || "")
@@ -15,12 +15,16 @@ export async function user(
   let user
   if (isValidOrcid(id)) {
     user = await User.findOne({
-      $or: [{ "provider": "orcid", "providerId": id }],
+      $or: [{ provider: "orcid", providerId: id }],
     }).exec()
   } else {
-    // If it's not a valid ORCID, fall back to querying by user id
-    user = await User.findOne({ "id": id }).exec()
+    user = await User.findOne({ id }).exec()
+  }
+
+  if (!user) {
+    return null // Fail silently
   }
+
   if (userInfo?.admin || user.id === userInfo?.id) {
     return user.toObject()
   } else {
@@ -37,6 +41,7 @@ export interface UserInfo {
   provider?: string
   providerId?: string
   blocked?: boolean
+  orcidConsent?: boolean | null
 }
 
 export interface GraphQLContext {
@@ -50,16 +55,18 @@ type MongoOperatorValue =
   | RegExp
   | (string | number | boolean | RegExp)[]
 
-type MongoQueryOperator<T> = T | {
-  $ne?: T
-  $regex?: string
-  $options?: string
-  $gt?: T
-  $gte?: T
-  $lt?: T
-  $lte?: T
-  $in?: T[]
-}
+type MongoQueryOperator<T> =
+  | T
+  | {
+    $ne?: T
+    $regex?: string
+    $options?: string
+    $gt?: T
+    $gte?: T
+    $lt?: T
+    $lte?: T
+    $in?: T[]
+  }
 
 type MongoFilterValue =
   | MongoOperatorValue
@@ -68,9 +75,17 @@ type MongoFilterValue =
 interface MongoQueryCondition {
   [key: string]: MongoFilterValue
 }
+
 export const users = async (
   obj: unknown,
-  { isAdmin, isBlocked, search, limit = 100, offset = 0, orderBy }: {
+  {
+    isAdmin,
+    isBlocked,
+    search,
+    limit = 100,
+    offset = 0,
+    orderBy,
+  }: {
     isAdmin?: boolean
     isBlocked?: boolean
     search?: string
@@ -80,13 +95,9 @@ export const users = async (
   },
   context: GraphQLContext,
 ) => {
-  // --- check admin ---
-  if (!context.userInfo?.admin) {
-    return Promise.reject(
-      new Error("You must be a site admin to retrieve users"),
-    )
-  }
+  const isSiteAdmin = context.userInfo?.admin === true
 
+  // Build filter for all users (admin or not)
   const filter: {
     admin?: MongoQueryOperator<boolean>
     blocked?: MongoQueryOperator<boolean>
@@ -105,6 +116,7 @@ export const users = async (
     filter.$or = [
       { name: { $regex: search, $options: "i" } },
       { email: { $regex: search, $options: "i" } },
+      { orcid: { $regex: search, $options: "i" } },
     ]
   }
 
@@ -133,9 +145,18 @@ export const users = async (
 
   const users = await query.exec()
 
+  // If the requester is not a site admin, hide sensitive fields
+  const sanitizedUsers = isSiteAdmin ? users : users.map((u) => {
+    const obj = u.toObject()
+    obj.email = null
+    obj.blocked = null
+    obj.admin = null
+    return obj
+  })
+
   return {
-    users: users,
-    totalCount: totalCount,
+    users: sanitizedUsers,
+    totalCount,
   }
 }
 
@@ -165,16 +186,19 @@ export const setBlocked = (obj, { id, blocked }, { userInfo }) => {
   }
 }
 
-export const updateUser = async (obj, { id, location, institution, links }) => {
+export const updateUser = async (
+  obj,
+  { id, location, institution, links, orcidConsent },
+) => {
   try {
-    let user // Declare user outside the if block
+    let user
 
     if (isValidOrcid(id)) {
       user = await User.findOne({
-        $or: [{ "orcid": id }, { "providerId": id }],
+        $or: [{ orcid: id }, { providerId: id }],
       }).exec()
     } else {
-      user = await User.findOne({ "id": id }).exec()
+      user = await User.findOne({ id: id }).exec()
     }
 
     if (!user) {
@@ -185,16 +209,141 @@ export const updateUser = async (obj, { id, location, institution, links }) => {
     if (location !== undefined) user.location = location
     if (institution !== undefined) user.institution = institution
     if (links !== undefined) user.links = links
+    if (orcidConsent !== undefined) user.orcidConsent = orcidConsent
 
-    // Save the updated user
     await user.save()
 
-    return user // Return the updated user object
+    return user
   } catch (err) {
     throw new Error("Failed to update user: " + err.message)
   }
 }
 
+/**
+ * Get all events associated with a specific user (for their notifications feed).
+ * Uses a single aggregation pipeline for improved performance.
+ */
+export async function notifications(obj, _, { userInfo }) {
+  const userId = obj.id
+
+  // --- authorization ---
+  if (!userInfo || (userInfo.id !== userId && !userInfo.admin)) {
+    throw new Error("Not authorized to view these notifications.")
+  }
+
+  // --- get user and orcid ---
+  const currentUser = await User.findOne({ id: userId }).exec()
+  const orcid = currentUser?.orcid
+
+  // --- base match conditions: either the user created it OR it targets them ---
+  const matchConditions: Record<string, unknown>[] = [
+    { userId },
+    { "event.targetUserId": userId },
+  ]
+  if (orcid) matchConditions.push({ "event.targetUserId": orcid })
+
+  const pipeline: PipelineStage[] = [
+    { $match: { $or: matchConditions } },
+    {
+      $lookup: {
+        from: "permissions",
+        let: { datasetId: "$datasetId", currentUserId: userId },
+        pipeline: [
+          {
+            $match: {
+              $expr: {
+                $and: [
+                  { $eq: ["$datasetId", "$$datasetId"] },
+                  { $eq: ["$userId", "$$currentUserId"] },
+                ],
+              },
+            },
+          },
+        ],
+        as: "permissions",
+      },
+    },
+    { $unwind: { path: "$permissions", preserveNullAndEmptyArrays: true } },
+    { $sort: { timestamp: -1 } },
+    {
+      $lookup: {
+        from: "users",
+        localField: "userId",
+        foreignField: "id",
+        as: "user",
+      },
+    },
+    { $unwind: { path: "$user", preserveNullAndEmptyArrays: true } },
+    {
+      $lookup: {
+        from: "usernotificationstatuses",
+        let: { eventId: "$id" },
+        pipeline: [
+          {
+            $match: {
+              $expr: {
+                $and: [
+                  { $eq: ["$datasetEventId", "$$eventId"] },
+                  { $eq: ["$userId", userId] },
+                ],
+              },
+            },
+          },
+        ],
+        as: "notificationStatus",
+      },
+    },
+    {
+      $unwind: {
+        path: "$notificationStatus",
+        preserveNullAndEmptyArrays: true,
+      },
+    },
+  ]
+
+  const events = await DatasetEvent.aggregate(pipeline).exec()
+
+  // --- apply visibility rules ---
+  const filtered = events.filter((ev) => {
+    if (!ev.event || !ev.event.type) return false
+
+    const type = ev.event.type
+    const targetId = ev.event.targetUserId
+    const isDatasetAdmin = userInfo.admin || ev.permissions?.level === "admin"
+    const isTargetUser = targetId === userId || (orcid && targetId === orcid)
+
+    switch (type) {
+      case "contributorRequest":
+        return isDatasetAdmin
+      case "contributorCitation":
+        return isTargetUser
+      case "contributorRequestResponse":
+      case "contributorCitationResponse":
+        return isDatasetAdmin || isTargetUser
+      // Reduce the notification noise by hiding non-actionable events
+      case "created":
+      case "versioned":
+      case "deleted":
+      case "published":
+      case "permissionChange":
+      case "git":
+      case "upload":
+        return false
+      default:
+        return isDatasetAdmin
+    }
+  })
+
+  // --- map results with notification status ---
+  return filtered.map((event) => {
+    const notificationStatus = event.notificationStatus
+      ? event.notificationStatus
+      : ({ status: "UNREAD" } as UserNotificationStatusDocument)
+
+    return { ...event, notificationStatus }
+  })
+}
+
 const UserResolvers = {
   id: (obj) => obj.id,
   provider: (obj) => obj.provider,
@@ -209,7 +358,9 @@ const UserResolvers = {
   location: (obj) => obj.location,
   institution: (obj) => obj.institution,
   links: (obj) => obj.links,
+  orcidConsent: (obj) => obj.orcidConsent,
   modified: (obj) => obj.updatedAt,
+  notifications: notifications,
 }
 
 export default UserResolvers

package/src/graphql/schema.ts

@@ -110,6 +110,7 @@ export const typeDefs = `
     ): [FlaggedFile]
     # All public dataset metadata
     publicMetadata: [Metadata] @cacheControl(maxAge: 86400, scope: PUBLIC)
+    orcidConsent: Boolean
   }
 
   type Mutation {
@@ -146,7 +147,7 @@ export const typeDefs = `
     # Sets a users admin status
     setBlocked(id: ID!, blocked: Boolean!): User
     # Mutation for updating user data
-    updateUser(id: ID!, location: String, institution: String, links: [String]): User
+    updateUser(id: ID!, location: String, institution: String, links: [String], orcidConsent: Boolean): User
     # Tracks a view or download for a dataset
     trackAnalytics(datasetId: ID!, tag: String, type: AnalyticTypes): Boolean
     # Follow dataset
@@ -175,8 +176,8 @@ export const typeDefs = `
     prepareUpload(datasetId: ID!, uploadId: ID!): UploadMetadata
     # Add files from a completed upload to the dataset draft
     finishUpload(uploadId: ID!): Boolean
-    # Drop download cache for a snapshot - requires site admin access
-    cacheClear(datasetId: ID!, tag: String!): Boolean
+    # Drop cached data for a dataset - requires site admin access
+    cacheClear(datasetId: ID!): Boolean
     # Rerun the latest validator on a given commit
     revalidate(datasetId: ID!, ref: String!): Boolean
     # Request a temporary token for git access
@@ -205,6 +206,16 @@ export const typeDefs = `
     saveAdminNote(id: ID, datasetId: ID!, note: String!): DatasetEvent
     # Create a git event log for dataset changes
     createGitEvent(datasetId: ID!, commit: String!, reference: String!): DatasetEvent
+    # Request contributor status for a dataset
+    createContributorRequestEvent(datasetId: ID!): DatasetEvent
+    # Save contributor request response data
+    processContributorRequest(
+      datasetId: ID!
+      targetUserId: ID!
+      requestId: ID!
+      resolutionStatus: String!
+      reason: String 
+    ): DatasetEvent
     # Create or update a fileCheck document
     updateFileCheck(
       datasetId: ID!
@@ -213,6 +224,21 @@ export const typeDefs = `
       annexFsck: [AnnexFsckInput!]!
       remote: String
     ): FileCheck
+    # Profile Event Status updates
+    updateEventStatus(eventId: ID!, status: NotificationStatusType!): UserNotificationStatus
+    updateContributors(
+      datasetId: String!
+      newContributors: [ContributorInput!]!
+    ): UpdateContributorsPayload!
+    createContributorCitationEvent(
+      datasetId: ID!
+      targetUserId: ID!
+      contributorData: ContributorInput!
+    ): DatasetEvent
+    processContributorCitation(
+      eventId: ID!
+      status: String!
+    ): DatasetEvent
     # Update worker task queue status
     updateWorkerTask(
       id: ID!,
@@ -351,7 +377,7 @@ export const typeDefs = `
 
   # OpenNeuro user records from all providers
   type User {
-    id: ID!
+    id: ID
     provider: UserProvider
     avatar: String
     orcid: String
@@ -367,6 +393,8 @@ export const typeDefs = `
     github: String
     githubSynced: Date
     links: [String]
+    notifications: [DatasetEvent!] 
+    orcidConsent: Boolean
   }
 
   type UserList {
@@ -561,6 +589,8 @@ export const typeDefs = `
     size: BigInt
     # File issues
     fileCheck: FileCheck
+    # Contributors list from datacite.yml
+    contributors: [Contributor]
   }
 
   # Tagged snapshot of a draft
@@ -600,6 +630,8 @@ export const typeDefs = `
     size: BigInt
     # Single list of files to download this snapshot (only available on snapshots)
     downloadFiles: [DatasetFile]
+    # Contributors list from datacite.yml
+    contributors: [Contributor]
   }
 
   # RelatedObject nature of relationship
@@ -669,6 +701,33 @@ export const typeDefs = `
     EthicsApprovals: [String]
   }
 
+
+  # Defines the Contributor type in contributors.ts
+  type Contributor {
+    name: String!
+    givenName: String
+    familyName: String
+    orcid: String
+    contributorType: String!
+    order: Int
+  }
+
+  # ContributorInput input type
+  input ContributorInput {
+    name: String
+    givenName: String
+    familyName: String
+    orcid: String
+    contributorType: String
+    order: Int
+  }
+
+  type UpdateContributorsPayload {
+    success: Boolean!
+    dataset: Dataset
+  }
+
+
   # User permissions on a dataset
   type Permission {
     datasetId: ID!
@@ -903,12 +962,18 @@ export const typeDefs = `
     version: String
     public: Boolean
     target: User
+    targetUserId: ID
     level: String
     ref: String
     message: String
+    requestId: ID
+    reason: String
+    datasetId: ID
+    resolutionStatus: String
+    contributorData: Contributor
   }
 
-  # Dataset events
+    # Dataset events
   type DatasetEvent {
     # Unique identifier for the event
     id: ID
@@ -922,8 +987,36 @@ export const typeDefs = `
     success: Boolean
     # Notes associated with the event
     note: String
+    # top-level datasetId field
+    datasetId: ID
+    # User's notification status event
+    notificationStatus: UserNotificationStatus
+    responseStatus: String 
+    hasBeenRespondedTo: Boolean
+  }
+
+
+ # Possible statuses for user notification/events
+  enum NotificationStatusType {
+    UNREAD
+    SAVED
+    ARCHIVED
+  }
+
+  # Define the enum for responseStatus
+  enum ResponseStatusType {
+    PENDING
+    ACCEPTED
+    DENIED
   }
 
+  # User's notification status
+  type UserNotificationStatus {
+    status: NotificationStatusType!
+  }
+
+
+
   type FileCheck {
     datasetId: String!
     hexsha: String!

package/src/libs/events.ts

@@ -27,6 +27,11 @@ export async function createEvent(
     },
   }
   Sentry.addBreadcrumb(breadcrumb)
+
+  if (!event.datasetId) {
+    event.datasetId = datasetId
+  }
+
   const created = new DatasetEvent({
     datasetId,
     userId: user,