@stamhoofd/backend 2.2.0 → 2.4.0

package/src/helpers/AdminPermissionChecker.ts

@@ -1,6 +1,6 @@
 import { AutoEncoderPatchType, PatchMap } from "@simonbackx/simple-encoding"
 import { SimpleError } from "@simonbackx/simple-errors"
-import { BalanceItem, Document, DocumentTemplate, EmailTemplate, Group, Member, MemberWithRegistrations, Order, Organization, Payment, Registration, User, Webshop } from "@stamhoofd/models"
+import { BalanceItem, Document, DocumentTemplate, EmailTemplate, Event, Group, Member, MemberWithRegistrations, Order, Organization, Payment, Registration, User, Webshop } from "@stamhoofd/models"
 import { AccessRight, GroupCategory, GroupStatus, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory } from "@stamhoofd/structures"
 import { Formatter } from "@stamhoofd/utility"
 
@@ -11,6 +11,10 @@ import { Formatter } from "@stamhoofd/utility"
 export class AdminPermissionChecker {
     organization: Organization|null
     user: User
+    /**
+     * The member that is linked to this user = is this user
+     */
+    member: MemberWithRegistrations|null = null
     platform: PlatformStruct
 
     organizationCache: Map<string, Organization|Promise<Organization|undefined>> = new Map()
@@ -143,6 +147,13 @@ export class AdminPermissionChecker {
         if (!this.checkScope(group.organizationId)) {
             return false
         }
+        const organization = await this.getOrganization(group.organizationId)
+
+        if (group.periodId !== organization.periodId) {
+            if (!await this.hasFullAccess(group.organizationId)) {
+                return false
+            }
+        }
 
         if (group.deletedAt || group.status === GroupStatus.Archived) {
             return await this.canAccessArchivedGroups(group.organizationId);
@@ -160,7 +171,6 @@ export class AdminPermissionChecker {
         }
 
         // Check parent categories
-        const organization = await this.getOrganization(group.organizationId)
         const parentCategories = group.getParentCategories(organization.meta.categories)
         for (const category of parentCategories) {
             if (organizationPermissions.hasResourceAccess(PermissionsResourceType.GroupCategories, category.id, permissionLevel)) {
@@ -171,6 +181,28 @@ export class AdminPermissionChecker {
         return false;
     }
 
+    async canAccessEvent(event: Event, permissionLevel: PermissionLevel = PermissionLevel.Read): Promise<boolean> {
+        // Check permissions aren't scoped to a specific organization, and they mismatch
+        if (!this.checkScope(event.organizationId)) {
+            return false
+        }
+
+        if (permissionLevel !== PermissionLevel.Read) {
+            if (event.organizationId) {
+                // Need full access for now
+                if (!await this.hasFullAccess(event.organizationId)) {
+                    return false
+                }
+            } else {
+                if (!this.hasPlatformFullAccess()) {
+                    return false
+                }
+            }
+        }
+
+        return true;
+    }
+
     async canAccessArchivedGroups(organizationId: string) {
         return await this.hasFullAccess(organizationId)
     }
@@ -221,7 +253,8 @@ export class AdminPermissionChecker {
             return false;
         }
 
-        if (organizationPermissions.hasAccess(permissionLevel)) {
+        if (organizationPermissions.hasAccess(PermissionLevel.Full)) {
+            // Only full permissions; because non-full doesn't have access to other periods
             return true;
         }
 
@@ -853,6 +886,24 @@ export class AdminPermissionChecker {
         return set
     }
 
+
+    async getAccessibleGroups(organizationId: string, level: PermissionLevel = PermissionLevel.Read): Promise<string[] | 'all'> {
+        if (await this.hasFullAccess(organizationId)) {
+            return 'all'
+        }
+
+        const groups = await this.getOrganizationGroups(organizationId)
+        const accessibleGroups: string[] = []
+
+        for (const group of groups) {
+            if (await this.canAccessGroup(group, level)) {
+                accessibleGroups.push(group.id)
+            }
+        }
+        return accessibleGroups
+    }
+
+
     /**
      * Changes data inline
      */

package/src/helpers/AuthenticatedStructures.ts

@@ -1,8 +1,9 @@
 import { SimpleError } from "@simonbackx/simple-errors";
-import { Group, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, OrganizationRegistrationPeriod, Payment, RegistrationPeriod, User, Webshop } from "@stamhoofd/models";
-import { MemberPlatformMembership as MemberPlatformMembershipStruct, MemberResponsibilityRecord as MemberResponsibilityRecordStruct, MemberWithRegistrationsBlob, MembersBlob, Organization as OrganizationStruct, PaymentGeneral, PermissionLevel, PrivateWebshop, User as UserStruct, WebshopPreview, Webshop as WebshopStruct } from '@stamhoofd/structures';
+import { Event, Group, Member, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, OrganizationRegistrationPeriod, Payment, RegistrationPeriod, User, Webshop } from "@stamhoofd/models";
+import { Event as EventStruct, MemberPlatformMembership as MemberPlatformMembershipStruct, MemberResponsibilityRecord as MemberResponsibilityRecordStruct, MemberWithRegistrationsBlob, MembersBlob, Organization as OrganizationStruct, PaymentGeneral, PermissionLevel, PrivateWebshop, User as UserStruct, UserWithMembers, WebshopPreview, Webshop as WebshopStruct } from '@stamhoofd/structures';
 
 import { Context } from "./Context";
+import { Formatter } from "@stamhoofd/utility";
 
 /**
  * Builds authenticated structures for the current user
@@ -66,7 +67,6 @@ export class AuthenticatedStructures {
 
     static async organization(organization: Organization): Promise<OrganizationStruct> {
         if (await Context.optionalAuth?.canAccessPrivateOrganizationData(organization)) {
-            const groups = await Group.getAll(organization.id, organization.periodId)
             const webshops = await Webshop.where({ organizationId: organization.id }, { select: Webshop.selectColumnsWithout(undefined, "products", "categories")})
             const webshopStructures: WebshopPreview[] = [] 
 
@@ -77,20 +77,7 @@ export class AuthenticatedStructures {
                 webshopStructures.push(WebshopPreview.create(w))
             }
 
-            const oPeriods = await OrganizationRegistrationPeriod.where({ periodId: organization.periodId }, {limit: 1})
-            let oPeriod = oPeriods[0];
-            const period = (await RegistrationPeriod.getByID(organization.periodId))!
-
-            if (!oPeriod) {
-                const organizationPeriod = new OrganizationRegistrationPeriod();
-                organizationPeriod.organizationId = organization.id;
-                organizationPeriod.periodId = period.id
-                organizationPeriod.settings.categories = organization.meta.categories
-                organizationPeriod.settings.rootCategoryId = organization.meta.rootCategoryId
-                await organizationPeriod.save();
-
-                oPeriod = organizationPeriod
-            }
+            const {groups, organizationPeriod, period} = await organization.getPeriod({emptyGroups: false})
 
             return OrganizationStruct.create({
                 id: organization.id,
@@ -103,7 +90,7 @@ export class AuthenticatedStructures {
                 privateMeta: organization.privateMeta,
                 webshops: webshopStructures,
                 createdAt: organization.createdAt,
-                period: oPeriod.getStructure(period, groups)
+                period: organizationPeriod.getPrivateStructure(period, groups)
             })
         }
         
@@ -112,19 +99,64 @@ export class AuthenticatedStructures {
 
     static async adminOrganizations(organizations: Organization[]): Promise<OrganizationStruct[]> {
         const structs: OrganizationStruct[] = [];
-        const admins = await User.getAdmins(organizations.map(o => o.id))
 
         for (const organization of organizations) {
             const base = await organization.getStructure({emptyGroups: true})
-            base.admins = admins.filter(a => a.permissions?.organizationPermissions.has(organization.id)).map(a => UserStruct.create({...a, hasAccount: a.hasAccount()}))
             structs.push(base)
         }
         
         return structs
     }
 
-    static async membersBlob(members: MemberWithRegistrations[], includeContextOrganization = false): Promise<MembersBlob> {
+    static async userWithMembers(user: User): Promise<UserWithMembers> {
+        const members = await Member.getMembersWithRegistrationForUser(user)
+
+        return UserWithMembers.create({
+            ...user,
+            hasAccount: user.hasAccount(),
+            members: await this.membersBlob(members, false, user)
+        })
+    }
+
+    /**
+     * This version only returns connected members that are 1:1, skips other members
+     */
+    static async usersWithMembers(users: User[]): Promise<UserWithMembers[]> {
+        const structs: UserWithMembers[] = [];
+        const memberIds = Formatter.uniqueArray(users.map(u => u.memberId).filter(id => id !== null) as string[])
+        const members = memberIds.length > 0 ? await Member.getBlobByIds(...memberIds) : []
+
+        for (const user of users) {
+            const filteredMembers = user.memberId ? members.filter(m => m.id === user.memberId) : []
+            structs.push(UserWithMembers.create({
+                ...user,
+                hasAccount: user.hasAccount(),
+                members: await this.membersBlob(filteredMembers, false)
+            }))
+        }
+        
+        return structs
+    }
+
+    static async membersBlob(members: MemberWithRegistrations[], includeContextOrganization = false, includeUser?: User): Promise<MembersBlob> {
+        if (members.length === 0 && !includeUser) {
+            return MembersBlob.create({members: [], organizations: []})
+        }
         const organizations = new Map<string, Organization>()
+ 
+        if (includeUser) {
+            for (const organizationId of includeUser.permissions?.organizationPermissions.keys() ?? []) {
+                if (includeContextOrganization || organizationId !== Context.auth.organization?.id) {
+                    const found = organizations.get(organizationId);
+                    if (!found) {
+                        const organization = await Context.auth.getOrganization(organizationId)
+                        organizations.set(organization.id, organization)
+                    }
+                }
+            }
+        }
+
+
         const memberBlobs: MemberWithRegistrationsBlob[] = []
         for (const member of members) {
             for (const registration of member.registrations) {
@@ -137,6 +169,7 @@ export class AuthenticatedStructures {
                 }
             }
 
+
             const blob = member.getStructureWithRegistrations()
             memberBlobs.push(
                 await Context.auth.filterMemberData(member, blob)
@@ -145,10 +178,22 @@ export class AuthenticatedStructures {
 
         // Load responsibilities
         const responsibilities = members.length > 0 ? await MemberResponsibilityRecord.where({ memberId: { sign: 'IN', value: members.map(m => m.id) } }) : []
-        const platformMemberships = members.length > 0 ? await MemberPlatformMembership.where({ memberId: { sign: 'IN', value: members.map(m => m.id) } }) : []
+        const platformMemberships = members.length > 0 ? await MemberPlatformMembership.where({ deletedAt: null, memberId: { sign: 'IN', value: members.map(m => m.id) } }) : []
+
+        // Load missing organizations
+        const organizationIds = Formatter.uniqueArray(responsibilities.map(r => r.organizationId).filter(id => id !== null) as string[])
+        for (const id of organizationIds) {
+            if (includeContextOrganization || id !== Context.auth.organization?.id) {
+                const found = organizations.get(id);
+                if (!found) {
+                    const organization = await Context.auth.getOrganization(id)
+                    organizations.set(organization.id, organization)
+                }
+            }
+        }
 
         for (const blob of memberBlobs) {
-            blob.responsibilities = responsibilities.filter(r => r.memberId == blob.id).map(r => MemberResponsibilityRecordStruct.create(r))
+            blob.responsibilities = responsibilities.filter(r => r.memberId == blob.id).map(r => r.getStructure())
             blob.platformMemberships = platformMemberships.filter(r => r.memberId == blob.id).map(r => MemberPlatformMembershipStruct.create(r))
         }
 
@@ -157,4 +202,24 @@ export class AuthenticatedStructures {
             organizations: await Promise.all([...organizations.values()].map(o => this.organization(o)))
         })
     }
+
+    static async events(events: Event[]): Promise<EventStruct[]> {
+        // Load groups
+        const groupIds = events.map(e => e.groupId).filter(id => id !== null) as string[]
+        const groups = groupIds.length > 0 ? await Group.getByIDs(...groupIds) : []
+
+        const result: EventStruct[] = []
+
+        for (const event of events) {
+            const group = groups.find(g => g.id == event.groupId) ?? null
+
+            if (group && await Context.auth.canAccessGroup(group)) {
+                result.push(event.getPrivateStructure(group))
+            } else {
+                result.push(event.getStructure(group))
+            }
+        }
+        
+        return result
+    }
 }

package/src/helpers/Context.ts

@@ -185,6 +185,10 @@ export class ContextInstance {
 
         const user = token.user
         this.user = user
+
+        // Load member of user
+        // todo
+
         this.#auth = new AdminPermissionChecker(user, await Platform.getSharedPrivateStruct(), this.organization);
 
         return {user, token};

package/src/helpers/EmailResumer.ts

@@ -0,0 +1,17 @@
+import { Email } from "@stamhoofd/models";
+import { SQL } from "@stamhoofd/sql";
+import { EmailStatus } from "@stamhoofd/structures";
+
+export async function resumeEmails() {
+    const query = SQL.select()
+        .from(SQL.table(Email.table))
+        .where(SQL.column('status'), EmailStatus.Sending);
+
+    const result = await query.fetch();
+    const emails = Email.fromRows(result, Email.table);
+
+    for (const email of emails) {
+        console.log('Resuming email that has sending status on boot', email.id);
+        await email.send()
+    }
+}

package/src/helpers/MemberUserSyncer.ts

@@ -0,0 +1,221 @@
+import { Member, MemberResponsibilityRecord, MemberWithRegistrations, User } from "@stamhoofd/models";
+import { SQL } from "@stamhoofd/sql";
+import { Permissions, UserPermissions } from "@stamhoofd/structures";
+
+export class MemberUserSyncerStatic {
+    /**
+     * Call when:
+     * - responsibilities have changed
+     * - email addresses have changed
+     */
+    async onChangeMember(member: MemberWithRegistrations) {
+        const userEmails = [...member.details.alternativeEmails]
+
+        if (member.details.email) {
+            userEmails.push(member.details.email)
+        }
+
+        const parentEmails = member.details.parentsHaveAccess ? member.details.parents.flatMap(p => p.email ? [p.email, ...p.alternativeEmails] : p.alternativeEmails) : []
+
+        // Make sure all these users have access to the member
+        for (const email of userEmails) {
+            // Link users that are found with these email addresses.
+            await this.linkUser(email, member, false)
+        }
+
+        for (const email of parentEmails) {
+            // Link parents
+            await this.linkUser(email, member, true)
+        }
+
+        // Remove access of users that are not in this list
+        for (const user of member.users) {
+            if (!userEmails.includes(user.email) && !parentEmails.includes(user.email)) {
+                await this.unlinkUser(user, member)
+            }
+        }
+
+    }
+
+    async onDeleteMember(member: MemberWithRegistrations) {
+        for (const u of member.users) {
+            console.log("Unlinking user "+u.email+" from deleted member "+member.id)
+            await this.unlinkUser(u, member)
+        }
+    }
+
+    async getResponsibilitiesForMembers(memberIds: string[]) {
+        const rows = await SQL.select()
+            .from(SQL.table(MemberResponsibilityRecord.table))
+            .where(SQL.column("memberId"), memberIds)
+            .where(SQL.column("endDate"), null)
+            .fetch();
+
+        return MemberResponsibilityRecord.fromRows(rows, MemberResponsibilityRecord.table)
+    }
+
+    async updateInheritedPermissions(user: User) {
+        const responsibilities = user.memberId ? (await this.getResponsibilitiesForMembers([user.memberId])) : []
+
+        // Check if the member has active registrations
+        // otherwise -> do not inherit any permissions
+
+        user.permissions = user.permissions ?? UserPermissions.create({})
+
+        // Group responsibilities by organization
+        const responsibilitiesByOrganization: Map<string|null, MemberResponsibilityRecord[]> = new Map()
+
+        responsibilitiesByOrganization.set(null, [])
+
+        for (const organizationId of user.permissions.organizationPermissions.keys()) {
+            // Make sure we reset responsibilities for organizations that are not in the list
+            responsibilitiesByOrganization.set(organizationId, [])
+        }
+
+        for (const responsibility of responsibilities) {
+            const v = responsibilitiesByOrganization.get(responsibility.organizationId) ?? []
+            responsibilitiesByOrganization.set(responsibility.organizationId, v)
+            v.push(responsibility)
+        }
+
+        for (const organizationId of responsibilitiesByOrganization.keys()) {
+            if (organizationId === null) {
+                const patch = user.permissions.convertPlatformPatch(
+                    Permissions.patch({
+                        responsibilities: (responsibilitiesByOrganization.get(organizationId) ?? []).map(r => r.getStructure()) as any
+                    })
+                )
+                user.permissions = user.permissions.patch(patch)
+            } else {
+                const patch = user.permissions.convertPatch(
+                    Permissions.patch({
+                        responsibilities: (responsibilitiesByOrganization.get(organizationId) ?? []).map(r => r.getStructure()) as any
+                    }),
+                    organizationId
+                )
+                user.permissions = user.permissions.patch(patch)
+            }
+            
+        }
+
+        // Platform permissions
+        user.permissions.clearEmptyPermissions()
+
+        if (user.permissions.isEmpty) {
+            user.permissions = null;
+        }
+
+        await user.save()
+    }
+
+    async unlinkUser(user: User, member: MemberWithRegistrations) {
+        console.log("Removing access for "+ user.id +" to member "+member.id)
+        await Member.users.reverse("members").unlink(user, member)
+
+        if (user.memberId === member.id) {
+            user.memberId = null;
+            await user.save()
+        }
+
+        // Update model relation to correct response
+        const existingIndex = member.users.findIndex(u => u.id === user.id)
+        if (existingIndex !== -1) {
+            member.users.splice(existingIndex, 1)
+        }
+
+        await this.updateInheritedPermissions(user)
+    }
+
+    async linkUser(email: string, member: MemberWithRegistrations, asParent: boolean) {
+        let user = member.users.find(u => u.email.toLocaleLowerCase() === email.toLocaleLowerCase()) ?? await User.getForAuthentication(member.organizationId, email, {allowWithoutAccount: true})
+
+        if (user) {
+            console.log("Giving an existing user access to a member: " + user.id + ' - ' + member.id)
+            if (!asParent) {
+                if (user.memberId && user.memberId !== member.id) {
+                    console.error('Found conflicting user with multiple members', user.id, 'members', user.memberId, 'to', member.id)
+                    
+                    const otherMember = await Member.getWithRegistrations(user.memberId)
+
+                    if (otherMember) {
+                        if (otherMember.registrations.length > 0 && member.registrations.length === 0) {
+                            // Choose the other member
+                            // don't make changes
+                            console.error('Resolved to current member - no changes made')
+                            return
+                        }
+
+                        const responsibilities = await this.getResponsibilitiesForMembers([otherMember.id, member.id])
+                        const responsibilitiesOther = responsibilities.filter(r => r.memberId === otherMember.id)
+                        const responsibilitiesCurrent = responsibilities.filter(r => r.memberId === member.id)
+
+                        if (responsibilitiesOther.length >= responsibilitiesCurrent.length) {
+                            console.error('Resolved to current member because of more responsibilities - no changes made')
+                            return
+                        }
+                    }
+                }
+                user.firstName = member.details.firstName
+                user.lastName = member.details.lastName
+                user.memberId = member.id;
+                await this.updateInheritedPermissions(user)
+            } else {
+                if (user.memberId === member.id) {
+                    // Unlink: parents are never 'equal' to the member
+                    user.memberId = null;
+                    await this.updateInheritedPermissions(user)
+                }
+
+                if (!user.firstName && !user.lastName) {
+                    const parents = member.details.parents.filter(p => p.email === email)
+                    if (parents.length === 1) {
+                        user.firstName = parents[0].firstName
+                        user.lastName = parents[0].lastName
+                        await user.save()
+                    }
+                }
+
+                if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
+                    user.firstName = null;
+                    user.lastName = null;
+                    await user.save()
+                }
+            }
+        } else {
+            // Create a new placeholder user
+            user = new User()
+            user.organizationId = member.organizationId
+            user.email = email
+
+            if (!asParent) {
+                user.firstName = member.details.firstName
+                user.lastName = member.details.lastName
+                user.memberId = member.id;
+                await this.updateInheritedPermissions(user)
+            } else {
+                const parents = member.details.parents.filter(p => p.email === email)
+                if (parents.length === 1) {
+                    user.firstName = parents[0].firstName
+                    user.lastName = parents[0].lastName
+                }
+
+                if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
+                    user.firstName = null;
+                    user.lastName = null;
+                }
+
+                await user.save()
+            }
+
+            console.log("Created new (placeholder) user that has access to a member: "+user.id)
+        }
+
+        // Update model relation to correct response
+        if (!member.users.find(u => u.id === user.id)) {
+            await Member.users.reverse("members").link(user, [member])
+            member.users.push(user)
+        }
+    }
+}
+
+export const MemberUserSyncer = new MemberUserSyncerStatic()

package/src/seeds/1722256498-group-update-occupancy.ts

@@ -0,0 +1,52 @@
+import { Migration } from '@simonbackx/simple-database';
+import { Group } from '@stamhoofd/models';
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment == "test") {
+        console.log("skipped in tests")
+        return;
+    }
+
+    if(STAMHOOFD.userMode !== "platform") {
+        console.log("skipped seed group-update-occupancy because usermode not platform")
+        return;
+    }
+
+    process.stdout.write('\n');
+    let c = 0;
+    let id: string = '';
+
+    while(true) {
+        const rawGroups = await Group.where({
+            id: {
+                value: id,
+                sign: '>'
+            }
+        }, {limit: 100, sort: ['id']});
+
+        const groups = await Group.getByIDs(...rawGroups.map(g => g.id));
+
+        for (const group of groups) {
+            await group.updateOccupancy();
+            await group.save();
+
+            c++;
+
+            if (c%1000 === 0) {
+                process.stdout.write('.');
+            }
+            if (c%10000 === 0) {
+                process.stdout.write('\n');
+            }
+        }
+
+        if (groups.length === 0) {
+            break;
+        }
+
+        id = groups[groups.length - 1].id;
+    }
+
+    // Do something here
+    return Promise.resolve()
+})