v0.9.44 permissions changes

2026-03-16 20:15:28 -04:00
parent 177c05d7da
commit ccfccaac0c
11 changed files with 52 additions and 62 deletions
--- a/.env.example
+++ b/.env.example
@@ -10,7 +10,7 @@
 PROJECT_NAME=jama

 # Image version to run (set by build.sh, or use 'latest')
-JAMA_VERSION=0.9.43
+JAMA_VERSION=0.9.44

 # App port — the host port Docker maps to the container
 PORT=3000
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "jama-backend",
-  "version": "0.9.43",
+  "version": "0.9.44",
  "description": "TeamChat backend server",
  "main": "src/index.js",
  "scripts": {
--- a/backend/src/middleware/auth.js
+++ b/backend/src/middleware/auth.js
@@ -43,15 +43,18 @@ function adminMiddleware(req, res, next) {
  next();
 }

-// Allows admins OR members of groups designated as Group Managers or Schedule Managers
+// Allows admins OR members of groups designated as Tool Managers
 function teamManagerMiddleware(req, res, next) {
  if (req.user?.role === 'admin') return next();
  const db = getDb();
+  // Prefer unified key, fall back to legacy keys for older installs
+  const tmSetting = db.prepare("SELECT value FROM settings WHERE key = 'team_tool_managers'").get();
  const gmSetting = db.prepare("SELECT value FROM settings WHERE key = 'team_group_managers'").get();
-  const smSetting  = db.prepare("SELECT value FROM settings WHERE key = 'team_schedule_managers'").get();
  const allowedGroupIds = [
+    ...new Set([
+      ...JSON.parse(tmSetting?.value || '[]'),
      ...JSON.parse(gmSetting?.value || '[]'),
-    ...JSON.parse(smSetting?.value  || '[]'),
+    ])
  ];
  if (allowedGroupIds.length === 0) return res.status(403).json({ error: 'Access denied' });
  const member = db.prepare(`
--- a/backend/src/models/db.js
+++ b/backend/src/models/db.js
@@ -220,6 +220,7 @@ function initDb() {
  insertSetting.run('app_type', 'JAMA-Chat');
  insertSetting.run('team_group_managers', '');
  insertSetting.run('team_schedule_managers', '');
+  insertSetting.run('team_tool_managers', '');

  // Migration: add hide_admin_tag if upgrading from older version
  try {
--- a/backend/src/routes/settings.js
+++ b/backend/src/routes/settings.js
@@ -174,11 +174,16 @@ router.post('/register', authMiddleware, adminMiddleware, (req, res) => {

 // Save team management group assignments
 router.patch('/team', authMiddleware, adminMiddleware, (req, res) => {
-  const { groupManagers, scheduleManagers } = req.body;
+  const { toolManagers } = req.body;
  const db = getDb();
  const upd = db.prepare("INSERT INTO settings (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value = ?, updated_at = datetime('now')");
-  if (groupManagers    !== undefined) upd.run('team_group_managers',    JSON.stringify(groupManagers    || []), JSON.stringify(groupManagers    || []));
-  if (scheduleManagers !== undefined) upd.run('team_schedule_managers', JSON.stringify(scheduleManagers || []), JSON.stringify(scheduleManagers || []));
+  if (toolManagers !== undefined) {
+    const val = JSON.stringify(toolManagers || []);
+    upd.run('team_tool_managers',    val, val);
+    // Keep legacy keys in sync so existing teamManagerMiddleware still works
+    upd.run('team_group_managers',   val, val);
+    upd.run('team_schedule_managers', val, val);
+  }
  res.json({ success: true });
 });

--- a/build.sh
+++ b/build.sh
@@ -13,7 +13,7 @@
 # ─────────────────────────────────────────────────────────────
 set -euo pipefail

-VERSION="${1:-0.9.43}"
+VERSION="${1:-0.9.44}"
 ACTION="${2:-}"
 REGISTRY="${REGISTRY:-}"
 IMAGE_NAME="jama"
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "jama-frontend",
-  "version": "0.9.43",
+  "version": "0.9.44",
  "private": true,
  "scripts": {
    "dev": "vite",
--- a/frontend/src/components/NavDrawer.jsx
+++ b/frontend/src/components/NavDrawer.jsx
@@ -17,11 +17,9 @@ export default function NavDrawer({ open, onClose, onMessages, onGroupManager, o
  const isAdmin = user?.role === 'admin';
  const isMobile = window.matchMedia('(pointer: coarse)').matches || window.innerWidth < 768;

-  // Team-managed access: check if user is in any of the designated manager groups
-  // (frontend-only — no API enforcement yet)
+  // Tool Manager access: admin always passes; non-admins pass if in a designated tool manager group
  const userGroupIds = features.userGroupMemberships || [];
-  const canAccessGroupManager = isAdmin || (features.teamGroupManagers || []).some(gid => userGroupIds.includes(gid));
-  const canAccessScheduleManager = isAdmin || (features.teamScheduleManagers || []).some(gid => userGroupIds.includes(gid));
+  const canAccessTools = isAdmin || (features.teamToolManagers || []).some(gid => userGroupIds.includes(gid));

  // Close on outside click
  useEffect(() => {
@@ -74,22 +72,22 @@ export default function NavDrawer({ open, onClose, onMessages, onGroupManager, o
        {item(NAV_ICON.messages,  'Messages',  onMessages)}
        {item(NAV_ICON.schedules, 'Schedules', () => {}, true)}

-        {/* Admin-only tools */}
+        {/* Admin-only: Branding + Settings */}
        {isAdmin && (
          <>
            <div className="nav-drawer-section-label admin">Admin</div>
-            {item(NAV_ICON.users, 'User Manager', onUsers)}
            {features.branding && item(NAV_ICON.branding, 'Branding', onBranding)}
            {item(NAV_ICON.settings, 'Settings', onSettings)}
          </>
        )}

-        {/* Tools accessible to admins OR designated team groups */}
-        {(features.groupManager || features.scheduleManager) && !isMobile && (canAccessGroupManager || canAccessScheduleManager) && (
+        {/* Tools: accessible to admins OR designated tool manager groups */}
+        {canAccessTools && (
          <>
            <div className="nav-drawer-section-label admin">Tools</div>
-            {features.groupManager    && canAccessGroupManager    && item(NAV_ICON.groups,   'Group Manager',    onGroupManager)}
-            {features.scheduleManager && canAccessScheduleManager && item(NAV_ICON.schedules, 'Schedule Manager', onScheduleManager || (() => {}))}
+            {item(NAV_ICON.users, 'User Manager', onUsers)}
+            {features.groupManager    && !isMobile && item(NAV_ICON.groups,   'Group Manager',    onGroupManager)}
+            {features.scheduleManager && !isMobile && item(NAV_ICON.schedules, 'Schedule Manager', onScheduleManager || (() => {}))}
          </>
        )}
      </div>
--- a/frontend/src/components/SettingsModal.jsx
+++ b/frontend/src/components/SettingsModal.jsx
@@ -11,46 +11,47 @@ const APP_TYPES = {
 };

 // ── Team Management Tab ───────────────────────────────────────────────────────
-function TeamManagementTab({ features }) {
+function TeamManagementTab() {
  const toast = useToast();
  const [userGroups, setUserGroups] = useState([]);
-  const [groupManagers, setGroupManagers] = useState([]);
-  const [scheduleManagers, setScheduleManagers] = useState([]);
+  const [toolManagers, setToolManagers] = useState([]);
  const [saving, setSaving] = useState(false);

  useEffect(() => {
    api.getUserGroups().then(({ groups }) => setUserGroups(groups || [])).catch(() => {});
    api.getSettings().then(({ settings }) => {
-      setGroupManagers(JSON.parse(settings.team_group_managers || '[]'));
-      setScheduleManagers(JSON.parse(settings.team_schedule_managers || '[]'));
+      // Read from unified key, fall back to legacy key
+      setToolManagers(JSON.parse(settings.team_tool_managers || settings.team_group_managers || '[]'));
    }).catch(() => {});
  }, []);

-  const toggle = (id, list, setList) => {
-    setList(prev => prev.includes(id) ? prev.filter(x => x !== id) : [...prev, id]);
+  const toggle = (id) => {
+    setToolManagers(prev => prev.includes(id) ? prev.filter(x => x !== id) : [...prev, id]);
  };

  const handleSave = async () => {
    setSaving(true);
    try {
-      await api.updateTeamSettings({ groupManagers, scheduleManagers });
+      await api.updateTeamSettings({ toolManagers });
      toast('Team settings saved', 'success');
      window.dispatchEvent(new Event('jama:settings-changed'));
    } catch (e) { toast(e.message, 'error'); }
    finally { setSaving(false); }
  };

-  const GroupSelectList = ({ title, description, selected, onToggle }) => (
-    <div style={{ marginBottom: 24 }}>
-      <div className="settings-section-label">{title}</div>
-      <p style={{ fontSize: 12, color: 'var(--text-tertiary)', marginBottom: 10 }}>{description}</p>
+  return (
+    <div>
+      <div className="settings-section-label">Tool Managers</div>
+      <p style={{ fontSize: 12, color: 'var(--text-tertiary)', marginBottom: 12 }}>
+        Members of selected groups can access Group Manager, Schedule Manager, and User Manager. Admin users always have access to all three tools.
+      </p>
      {userGroups.length === 0 ? (
-        <p style={{ fontSize: 13, color: 'var(--text-tertiary)' }}>No user groups created yet. Create groups in the Group Manager first.</p>
+        <p style={{ fontSize: 13, color: 'var(--text-tertiary)', marginBottom: 16 }}>No user groups created yet. Create groups in the Group Manager first.</p>
      ) : (
-        <div style={{ border: '1px solid var(--border)', borderRadius: 'var(--radius)', overflow: 'hidden' }}>
+        <div style={{ border: '1px solid var(--border)', borderRadius: 'var(--radius)', overflow: 'hidden', marginBottom: 16 }}>
          {userGroups.map(g => (
            <label key={g.id} style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '9px 14px', borderBottom: '1px solid var(--border)', cursor: 'pointer' }}>
-              <input type="checkbox" checked={selected.includes(g.id)} onChange={() => onToggle(g.id)}
+              <input type="checkbox" checked={toolManagers.includes(g.id)} onChange={() => toggle(g.id)}
                style={{ accentColor: 'var(--primary)', width: 15, height: 15 }} />
              <div style={{ width: 24, height: 24, borderRadius: 5, background: 'var(--primary)', display: 'flex', alignItems: 'center', justifyContent: 'center', color: 'white', fontSize: 9, fontWeight: 700, flexShrink: 0 }}>UG</div>
              <span style={{ flex: 1, fontSize: 14 }}>{g.name}</span>
@@ -59,28 +60,11 @@ function TeamManagementTab({ features }) {
          ))}
        </div>
      )}
-      {selected.length === 0 && (
-        <p style={{ fontSize: 12, color: 'var(--text-tertiary)', marginTop: 6 }}>No groups selected — admins only.</p>
+      {toolManagers.length === 0 && (
+        <p style={{ fontSize: 12, color: 'var(--text-tertiary)', marginBottom: 16 }}>No groups selected — tools are admin-only.</p>
      )}
-    </div>
-  );
-
-  return (
-    <div>
-      <GroupSelectList
-        title="Group Managers"
-        description="Members of selected groups can access the Group Manager tool."
-        selected={groupManagers}
-        onToggle={id => toggle(id, groupManagers, setGroupManagers)}
-      />
-      <GroupSelectList
-        title="Schedule Managers"
-        description="Members of selected groups can access the Schedule Manager tool."
-        selected={scheduleManagers}
-        onToggle={id => toggle(id, scheduleManagers, setScheduleManagers)}
-      />
      <button className="btn btn-primary" onClick={handleSave} disabled={saving}>
-        {saving ? 'Saving…' : 'Save Team Settings'}
+        {saving ? 'Saving…' : 'Save'}
      </button>
    </div>
  );
@@ -324,7 +308,7 @@ export default function SettingsModal({ onClose, onFeaturesChanged }) {
          ))}
        </div>

-        {tab === 'team'         && <TeamManagementTab features={{ appType }} />}
+        {tab === 'team'         && <TeamManagementTab />}
        {tab === 'registration' && <RegistrationTab onFeaturesChanged={onFeaturesChanged} />}
        {tab === 'webpush'      && <WebPushTab />}
      </div>
--- a/frontend/src/pages/Chat.jsx
+++ b/frontend/src/pages/Chat.jsx
@@ -38,7 +38,7 @@ export default function Chat() {
  const [unreadGroups, setUnreadGroups] = useState(new Map());
  const [modal, setModal] = useState(null); // 'profile' | 'users' | 'settings' | 'newchat' | 'help' | 'groupmanager'
  const [drawerOpen, setDrawerOpen] = useState(false);
-  const [features, setFeatures] = useState({ branding: false, groupManager: false, scheduleManager: false, appType: 'JAMA-Chat', teamGroupManagers: [], teamScheduleManagers: [] });
+  const [features, setFeatures] = useState({ branding: false, groupManager: false, scheduleManager: false, appType: 'JAMA-Chat', teamToolManagers: [] });
  const [helpDismissed, setHelpDismissed] = useState(true); // true until status loaded
  const [isMobile, setIsMobile] = useState(window.innerWidth < 768);
  const [showSidebar, setShowSidebar] = useState(true);
@@ -78,8 +78,7 @@ export default function Chat() {
        groupManager:         settings.feature_group_manager     === 'true',
        scheduleManager:      settings.feature_schedule_manager  === 'true',
        appType:              settings.app_type || 'JAMA-Chat',
-        teamGroupManagers:    JSON.parse(settings.team_group_managers    || '[]'),
-        teamScheduleManagers: JSON.parse(settings.team_schedule_managers || '[]'),
+        teamToolManagers: JSON.parse(settings.team_tool_managers || settings.team_group_managers || '[]'),
      }));
    }).catch(() => {});
    api.getMyUserGroups().then(({ groupIds }) => {
--- a/frontend/src/utils/api.js
+++ b/frontend/src/utils/api.js
@@ -102,7 +102,7 @@ export const api = {
  updateAppName: (name) => req('PATCH', '/settings/app-name', { name }),
  updateColors: (body) => req('PATCH', '/settings/colors', body),
  registerCode: (code) => req('POST', '/settings/register', { code }),
-  updateTeamSettings: (body) => req('PATCH', '/settings/team', body),
+  updateTeamSettings: (body) => req('PATCH', '/settings/team', body), // body: { toolManagers: [groupId,...] }

  // User groups (Group Manager)
  getMyUserGroups: () => req('GET', '/usergroups/me'),