v0.10.5 added some new permission options

2026-03-20 20:27:44 -04:00
parent f49fd5b885
commit 241d913e0f
11 changed files with 374 additions and 7 deletions
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "jama-backend",
-  "version": "0.10.3",
+  "version": "0.10.5",
  "description": "TeamChat backend server",
  "main": "src/index.js",
  "scripts": {
--- a/backend/src/models/db.js
+++ b/backend/src/models/db.js
@@ -240,6 +240,33 @@ async function seedEventTypes(schema) {
  );
 }

+async function seedUserGroups(schema) {
+  // Seed three default user groups with their associated DM groups.
+  // Uses ON CONFLICT DO NOTHING so re-runs on existing installs are safe.
+  const defaults = ['Coaches', 'Players', 'Parents'];
+  for (const name of defaults) {
+    // Skip if a group with this name already exists
+    const existing = await queryOne(schema,
+      'SELECT id FROM user_groups WHERE name = $1', [name]
+    );
+    if (existing) continue;
+
+    // Create the managed DM chat group first
+    const gr = await queryResult(schema,
+      "INSERT INTO groups (name, type, is_readonly, is_managed) VALUES ($1, 'private', FALSE, TRUE) RETURNING id",
+      [name]
+    );
+    const dmGroupId = gr.rows[0].id;
+
+    // Create the user group linked to the DM group
+    await exec(schema,
+      'INSERT INTO user_groups (name, dm_group_id) VALUES ($1, $2) ON CONFLICT (name) DO NOTHING',
+      [name, dmGroupId]
+    );
+    console.log(`[DB:${schema}] Default user group created: ${name}`);
+  }
+}
+
 async function seedAdmin(schema) {
  const strip = s => (s || '').replace(/^['"]+|['"]+$/g, '').trim();
  const adminEmail = strip(process.env.ADMIN_EMAIL) || 'admin@jama.local';
@@ -317,6 +344,7 @@ async function initDb() {
  await seedSettings('public');
  await seedEventTypes('public');
  await seedAdmin('public');
+  await seedUserGroups('public');

  // Host mode: the public schema is the host's own workspace — always full JAMA-Team plan.
  // ON CONFLICT DO UPDATE ensures existing installs get corrected on restart too.
@@ -391,5 +419,5 @@ module.exports = {
  tenantMiddleware, resolveSchema, refreshTenantCache,
  APP_TYPE, pool,
  addUserToPublicGroups, getOrCreateSupportGroup,
-  seedSettings, seedEventTypes, seedAdmin,
+  seedSettings, seedEventTypes, seedAdmin, seedUserGroups,
 };
--- a/backend/src/models/migrations/005_u2u_restrictions.sql
+++ b/backend/src/models/migrations/005_u2u_restrictions.sql
@@ -0,0 +1,30 @@
+-- Migration 005: User-to-user DM restrictions
+--
+-- Stores which user groups are blocked from initiating 1-to-1 DMs with
+-- users in another group. This is an allowlist-by-omission model:
+--   - No rows for a group = no restrictions (can DM anyone)
+--   - A row (A, B) = users in group A cannot INITIATE a DM with users in group B
+--
+-- Enforcement rules:
+--   - Restriction is one-way (A→B does not imply B→A)
+--   - Least-restrictive-wins: if the initiating user is in any group that is
+--     NOT restricted from the target, the DM is allowed
+--   - Own group is always exempt (users can DM members of their own groups)
+--   - Admins are always exempt from all restrictions
+--   - Existing DMs are preserved when a restriction is added
+--   - Only 1-to-1 DMs are affected; group chats (3+ people) are always allowed
+
+CREATE TABLE IF NOT EXISTS user_group_dm_restrictions (
+  restricting_group_id INTEGER NOT NULL REFERENCES user_groups(id) ON DELETE CASCADE,
+  blocked_group_id     INTEGER NOT NULL REFERENCES user_groups(id) ON DELETE CASCADE,
+  created_at           TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (restricting_group_id, blocked_group_id),
+  -- A group cannot restrict itself (own group is always exempt)
+  CHECK (restricting_group_id != blocked_group_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_dm_restrictions_restricting
+  ON user_group_dm_restrictions(restricting_group_id);
+
+CREATE INDEX IF NOT EXISTS idx_dm_restrictions_blocked
+  ON user_group_dm_restrictions(blocked_group_id);
--- a/backend/src/routes/groups.js
+++ b/backend/src/routes/groups.js
@@ -97,6 +97,46 @@ router.post('/', authMiddleware, async (req, res) => {
    // Direct message
    if (isDirect && memberIds?.length === 1) {
      const otherUserId = memberIds[0], userId = req.user.id;
+
+      // U2U restriction check — admins always exempt
+      if (req.user.role !== 'admin') {
+        // Get all user groups the initiating user belongs to
+        const initiatorGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [userId]
+        );
+        const initiatorGroupIds = initiatorGroups.map(r => r.user_group_id);
+
+        // Get all user groups the target user belongs to
+        const targetGroups = await query(req.schema,
+          'SELECT user_group_id FROM user_group_members WHERE user_id = $1', [otherUserId]
+        );
+        const targetGroupIds = targetGroups.map(r => r.user_group_id);
+
+        // Least-restrictive-wins: the initiator needs at least ONE group
+        // that has no restriction against ALL of the target's groups.
+        // If initiatorGroups is empty, no restrictions apply (user not in any managed group).
+        if (initiatorGroupIds.length > 0 && targetGroupIds.length > 0) {
+          // For each initiator group, check if it is restricted from ANY of the target groups
+          let canDm = false;
+          for (const igId of initiatorGroupIds) {
+            const restrictions = await query(req.schema,
+              'SELECT blocked_group_id FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+              [igId]
+            );
+            const blockedIds = new Set(restrictions.map(r => r.blocked_group_id));
+            // This initiator group is unrestricted if none of the target's groups are blocked
+            const isRestricted = targetGroupIds.some(tgId => blockedIds.has(tgId));
+            if (!isRestricted) { canDm = true; break; }
+          }
+          if (!canDm) {
+            return res.status(403).json({
+              error: 'Direct messages with this user are not permitted.',
+              code: 'DM_RESTRICTED'
+            });
+          }
+        }
+      }
+
      const existing = await queryOne(req.schema, `
        SELECT g.id FROM groups g
        JOIN group_members gm1 ON gm1.group_id=g.id AND gm1.user_id=$1
--- a/backend/src/routes/host.js
+++ b/backend/src/routes/host.js
@@ -13,7 +13,7 @@ const router  = express.Router();
 const {
  query, queryOne, queryResult, exec,
  runMigrations, ensureSchema,
-  seedSettings, seedEventTypes, seedAdmin,
+  seedSettings, seedEventTypes, seedAdmin, seedUserGroups,
  refreshTenantCache,
 } = require('../models/db');

@@ -123,6 +123,9 @@ router.post('/tenants', async (req, res) => {
    // 3. Seed event types
    await seedEventTypes(schemaName);

+    // 3b. Seed default user groups (Coaches, Players, Parents)
+    await seedUserGroups(schemaName);
+
    // 4. Seed admin user — temporarily override env vars for this tenant
    const origEmail = process.env.ADMIN_EMAIL;
    const origName  = process.env.ADMIN_NAME;
--- a/backend/src/routes/usergroups.js
+++ b/backend/src/routes/usergroups.js
@@ -310,5 +310,44 @@ router.delete('/:id', authMiddleware, teamManagerMiddleware, async (req, res) =>
  } catch (e) { res.status(500).json({ error: e.message }); }
 });

+
+// ── U2U DM Restrictions ───────────────────────────────────────────────────────
+
+// GET /:id/restrictions — get blocked group IDs for a user group
+router.get('/:id/restrictions', authMiddleware, teamManagerMiddleware, async (req, res) => {
+  try {
+    const rows = await query(req.schema,
+      'SELECT blocked_group_id FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+      [req.params.id]
+    );
+    res.json({ blockedGroupIds: rows.map(r => r.blocked_group_id) });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// PUT /:id/restrictions — replace the full restriction list for a user group
+// Body: { blockedGroupIds: [id, id, ...] }
+router.put('/:id/restrictions', authMiddleware, teamManagerMiddleware, async (req, res) => {
+  const { blockedGroupIds = [] } = req.body;
+  const restrictingId = parseInt(req.params.id);
+  try {
+    const ug = await queryOne(req.schema, 'SELECT id FROM user_groups WHERE id = $1', [restrictingId]);
+    if (!ug) return res.status(404).json({ error: 'User group not found' });
+
+    // Clear all existing restrictions for this group then insert new ones
+    await exec(req.schema,
+      'DELETE FROM user_group_dm_restrictions WHERE restricting_group_id = $1',
+      [restrictingId]
+    );
+    for (const blockedId of blockedGroupIds) {
+      if (parseInt(blockedId) === restrictingId) continue; // cannot restrict own group
+      await exec(req.schema,
+        'INSERT INTO user_group_dm_restrictions (restricting_group_id, blocked_group_id) VALUES ($1, $2) ON CONFLICT DO NOTHING',
+        [restrictingId, parseInt(blockedId)]
+      );
+    }
+    res.json({ success: true, blockedGroupIds });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
 return router;
 };