v0.10.5 added some new permission options

2026-03-20 20:27:44 -04:00
parent f49fd5b885
commit 241d913e0f
11 changed files with 374 additions and 7 deletions
--- a/backend/src/routes/groups.js
+++ b/backend/src/routes/groups.js
@@ -97,6 +97,46 @@ router.post('/', authMiddleware, async (req, res) => {
    // Direct message
    if (isDirect && memberIds?.length === 1) {
      const otherUserId = memberIds[0], userId = req.user.id;
+
+      // U2U restriction check — admins always exempt
+      if (req.user.role !== 'admin') {
+        // Get all user groups the initiating user belongs to
+        const initiatorGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [userId]
+        );
+        const initiatorGroupIds = initiatorGroups.map(r => r.user_group_id);
+
+        // Get all user groups the target user belongs to
+        const targetGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [otherUserId]
+        );
+        const targetGroupIds = targetGroups.map(r => r.user_group_id);
+
+        // Least-restrictive-wins: the initiator needs at least ONE group
+        // that has no restriction against ALL of the target's groups.
+        // If initiatorGroups is empty, no restrictions apply (user not in any managed group).
+        if (initiatorGroupIds.length > 0 && targetGroupIds.length > 0) {
+          // For each initiator group, check if it is restricted from ANY of the target groups
+          let canDm = false;
+          for (const igId of initiatorGroupIds) {
+            const restrictions = await query(req.schema,
+              'SELECT blocked_group_id FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+              [igId]
+            );
+            const blockedIds = new Set(restrictions.map(r => r.blocked_group_id));
+            // This initiator group is unrestricted if none of the target's groups are blocked
+            const isRestricted = targetGroupIds.some(tgId => blockedIds.has(tgId));
+            if (!isRestricted) { canDm = true; break; }
+          }
+          if (!canDm) {
+            return res.status(403).json({
+              error: 'Direct messages with this user are not permitted.',
+              code: 'DM_RESTRICTED'
+            });
+          }
+        }
+      }
+
      const existing = await queryOne(req.schema, `
        SELECT g.id FROM groups g
        JOIN group_members gm1 ON gm1.group_id=g.id AND gm1.user_id=$1
--- a/backend/src/routes/host.js
+++ b/backend/src/routes/host.js
@@ -13,7 +13,7 @@ const router  = express.Router();
 const {
  query, queryOne, queryResult, exec,
  runMigrations, ensureSchema,
-  seedSettings, seedEventTypes, seedAdmin,
+  seedSettings, seedEventTypes, seedAdmin, seedUserGroups,
  refreshTenantCache,
 } = require('../models/db');

@@ -123,6 +123,9 @@ router.post('/tenants', async (req, res) => {
    // 3. Seed event types
    await seedEventTypes(schemaName);

+    // 3b. Seed default user groups (Coaches, Players, Parents)
+    await seedUserGroups(schemaName);
+
    // 4. Seed admin user — temporarily override env vars for this tenant
    const origEmail = process.env.ADMIN_EMAIL;
    const origName  = process.env.ADMIN_NAME;
--- a/backend/src/routes/usergroups.js
+++ b/backend/src/routes/usergroups.js
@@ -310,5 +310,44 @@ router.delete('/:id', authMiddleware, teamManagerMiddleware, async (req, res) =>
  } catch (e) { res.status(500).json({ error: e.message }); }
 });

+
+// ── U2U DM Restrictions ───────────────────────────────────────────────────────
+
+// GET /:id/restrictions — get blocked group IDs for a user group
+router.get('/:id/restrictions', authMiddleware, teamManagerMiddleware, async (req, res) => {
+  try {
+    const rows = await query(req.schema,
+      'SELECT blocked_group_id FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+      [req.params.id]
+    );
+    res.json({ blockedGroupIds: rows.map(r => r.blocked_group_id) });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// PUT /:id/restrictions — replace the full restriction list for a user group
+// Body: { blockedGroupIds: [id, id, ...] }
+router.put('/:id/restrictions', authMiddleware, teamManagerMiddleware, async (req, res) => {
+  const { blockedGroupIds = [] } = req.body;
+  const restrictingId = parseInt(req.params.id);
+  try {
+    const ug = await queryOne(req.schema, 'SELECT id FROM user_groups WHERE id = $1', [restrictingId]);
+    if (!ug) return res.status(404).json({ error: 'User group not found' });
+
+    // Clear all existing restrictions for this group then insert new ones
+    await exec(req.schema,
+      'DELETE FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+      [restrictingId]
+    );
+    for (const blockedId of blockedGroupIds) {
+      if (parseInt(blockedId) === restrictingId) continue; // cannot restrict own group
+      await exec(req.schema,
+        'INSERT INTO user_group_dm_restrictions (restricting_group_id, blocked_group_id) VALUES ($1, $2) ON CONFLICT DO NOTHING',
+        [restrictingId, parseInt(blockedId)]
+      );
+    }
+    res.json({ success: true, blockedGroupIds });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
 return router;
 };