v0.10.5 added some new permission options

2026-03-20 20:27:44 -04:00
parent f49fd5b885
commit 241d913e0f
11 changed files with 374 additions and 7 deletions
--- a/backend/src/routes/groups.js
+++ b/backend/src/routes/groups.js
@@ -97,6 +97,46 @@ router.post('/', authMiddleware, async (req, res) => {
    // Direct message
    if (isDirect && memberIds?.length === 1) {
      const otherUserId = memberIds[0], userId = req.user.id;
+
+      // U2U restriction check — admins always exempt
+      if (req.user.role !== 'admin') {
+        // Get all user groups the initiating user belongs to
+        const initiatorGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [userId]
+        );
+        const initiatorGroupIds = initiatorGroups.map(r => r.user_group_id);
+
+        // Get all user groups the target user belongs to
+        const targetGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [otherUserId]
+        );
+        const targetGroupIds = targetGroups.map(r => r.user_group_id);
+
+        // Least-restrictive-wins: the initiator needs at least ONE group
+        // that has no restriction against ALL of the target's groups.
+        // If initiatorGroups is empty, no restrictions apply (user not in any managed group).
+        if (initiatorGroupIds.length > 0 && targetGroupIds.length > 0) {
+          // For each initiator group, check if it is restricted from ANY of the target groups
+          let canDm = false;
+          for (const igId of initiatorGroupIds) {
+            const restrictions = await query(req.schema,
+              'SELECT blocked_group_id FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+              [igId]
+            );
+            const blockedIds = new Set(restrictions.map(r => r.blocked_group_id));
+            // This initiator group is unrestricted if none of the target's groups are blocked
+            const isRestricted = targetGroupIds.some(tgId => blockedIds.has(tgId));
+            if (!isRestricted) { canDm = true; break; }
+          }
+          if (!canDm) {
+            return res.status(403).json({
+              error: 'Direct messages with this user are not permitted.',
+              code: 'DM_RESTRICTED'
+            });
+          }
+        }
+      }
+
      const existing = await queryOne(req.schema, `
        SELECT g.id FROM groups g
        JOIN group_members gm1 ON gm1.group_id=g.id AND gm1.user_id=$1