Refactored groupPermissions

libs/model/src/community/CreateGroup.command.ts

@@ -1,10 +1,11 @@
 import { InvalidState, type Command } from '@hicommonwealth/core';
 import * as schemas from '@hicommonwealth/schemas';
+import { ForumActionsEnum } from '@hicommonwealth/schemas';
 import { Op } from 'sequelize';
-import { models, sequelize } from '../database';
+import { models } from '../database';
 import { isCommunityAdminOrModerator } from '../middleware';
 import { mustNotExist } from '../middleware/guards';
-import { GroupAttributes } from '../models';
+import { GroupAttributes, GroupPermissionAttributes } from '../models';
 
 export const MAX_GROUPS_PER_COMMUNITY = 20;
 export const Errors = {
@@ -55,21 +56,19 @@ export function CreateGroup(): Command<typeof schemas.CreateGroup> {
             { transaction },
           );
           if (topicsToAssociate.length > 0) {
-            // add group to all specified topics
-            await models.Topic.update(
-              {
-                group_ids: sequelize.fn(
-                  'array_append',
-                  sequelize.col('group_ids'),
-                  group.id,
-                ),
-              },
+            const permissions = topicsToAssociate.map((topic) => ({
+              group_id: group.id,
+              topic_id: topic.id,
+              allowed_actions: models.sequelize.literal(
+                `ARRAY[${Object.values(ForumActionsEnum)
+                  .map((value) => `'${value}'`)
+                  .join(', ')}]::"enum_GroupPermissions_allowed_actions"[]`,
+              ),
+            }));
+
+            await models.GroupPermission.bulkCreate(
+              permissions as unknown as GroupPermissionAttributes[],
               {
-                where: {
-                  id: {
-                    [Op.in]: topicsToAssociate.map(({ id }) => id!),
-                  },
-                },
                 transaction,
               },
             );

libs/model/src/middleware/authorization.ts

@@ -8,11 +8,11 @@ import {
   type CommandHandler,
 } from '@hicommonwealth/core';
 import * as schemas from '@hicommonwealth/schemas';
-import { Address, Group, GroupPermissionAction } from '@hicommonwealth/schemas';
+import { Address, ForumActions } from '@hicommonwealth/schemas';
 import { Role } from '@hicommonwealth/shared';
 import { Op, QueryTypes } from 'sequelize';
 import { ZodObject, ZodSchema, ZodString, z } from 'zod';
-import { models } from '..';
+import { GroupInstance, models } from '..';
 
 export type CommunityAuth = CommandHandler<ZodSchema, ZodSchema>;
 export type ThreadAuth = CommandHandler<ZodSchema, typeof schemas.Thread>;
@@ -29,7 +29,7 @@ export class NonMember extends InvalidActor {
   constructor(
     public actor: Actor,
     public topic: string,
-    public action: GroupPermissionAction,
+    public action: ForumActions,
   ) {
     super(
       actor,
@@ -103,44 +103,40 @@ const authorizeAddress = async (
  */
 async function isTopicMember(
   { actor, payload }: CommandContext<ZodSchema>,
-  action: GroupPermissionAction,
+  action: ForumActions,
 ): Promise<void> {
   // By convention, topic_id must by part of the body
   const topic_id = 'topic_id' in payload && payload.topic_id;
   if (!topic_id) throw new InvalidInput('Must provide a topic id');
 
-  const topic = await models.Topic.findOne({ where: { id: topic_id } });
-  if (!topic) throw new InvalidInput('Topic not found');
-  if (topic.group_ids?.length === 0) return;
-
-  const groups = await models.sequelize.query<
-    z.infer<typeof Group> & {
-      allowed_actions?: GroupPermissionAction[];
-    }
-  >(
+  const groups: (GroupInstance & {
+    allowed_actions?: ForumActions[];
+  })[] = await models.sequelize.query(
     `
-    SELECT g.*, gp.allowed_actions
-    FROM "Groups" as g 
-    LEFT JOIN "GroupPermissions" gp ON g.id = gp.group_id
-    WHERE g.community_id = :community_id AND g.id IN (:group_ids);
-    `,
+        SELECT g.*, gp.allowed_actions FROM "Groups" as g LEFT JOIN "GroupPermissions" gp ON g.id = gp.group_id
+        WHERE gp.topic_id = :topicId;
+      `,
     {
       type: QueryTypes.SELECT,
       raw: true,
-      replacements: {
-        community_id: topic.community_id,
-        group_ids: topic.group_ids,
-      },
+      replacements: { topicId: topic_id },
     },
   );
 
-  // There are 2 cases here. We either have the old group permission system where the group doesn't have
-  // any allowed_actions, or we have the new fine-grained permission system where the action must be in
-  // the allowed_actions list.
+  // if there are no permissions for this topic, then anyone can perform any action on it (default behaviour).
+  if (groups.length === 0) {
+    return;
+  }
+
   const allowed = groups.filter(
     (g) => !g.allowed_actions || g.allowed_actions.includes(action),
   );
-  if (!allowed.length!) throw new NonMember(actor, topic.name, action);
+
+  // if no group allows the specified action for the given topic, then reject because regardless of membership the user
+  // will not be allowed.
+  if (allowed?.length === 0) {
+    throw new NonMember(actor, groups[0]!.metadata!.name, action);
+  }
 
   // check membership for all groups of topic
   const memberships = await models.Membership.findAll({
@@ -155,7 +151,9 @@ async function isTopicMember(
       },
     ],
   });
-  if (!memberships.length) throw new NonMember(actor, topic.name, action);
+
+  if (!memberships.length)
+    throw new NonMember(actor, groups[0]!.metadata!.name, action);
 
   const rejects = memberships.filter((m) => m.reject_reason);
   if (rejects.length === memberships.length)
@@ -202,7 +200,7 @@ export const isCommunityAdminOrModerator: CommunityAuth = async (ctx) => {
 };
 
 export function isCommunityAdminOrTopicMember(
-  action: GroupPermissionAction,
+  action: ForumActions,
 ): CommunityAuth {
   return async (ctx) => {
     // super admin is always allowed

libs/model/src/models/associations.ts

@@ -86,7 +86,9 @@ export const buildAssociations = (db: DB) => {
     asMany: 'threads',
     onUpdate: 'CASCADE',
     onDelete: 'SET NULL',
-  }).withMany(db.ContestTopic);
+  })
+    .withMany(db.ContestTopic)
+    .withMany(db.GroupPermission);
 
   db.Thread.withMany(db.Poll)
     .withMany(db.ContestAction, {

libs/model/src/models/group.ts

@@ -2,13 +2,15 @@ import { Group } from '@hicommonwealth/schemas';
 import Sequelize from 'sequelize';
 import z from 'zod';
 import type { CommunityAttributes } from './community';
+import { GroupPermissionAttributes } from './groupPermission';
 import type { MembershipAttributes } from './membership';
 import type { ModelInstance } from './types';
 
 export type GroupAttributes = z.infer<typeof Group> & {
   // associations
   community?: CommunityAttributes;
   memberships?: MembershipAttributes[];
+  groupPermissions?: GroupPermissionAttributes[];
 };
 
 export type GroupInstance = ModelInstance<GroupAttributes>;

libs/model/src/models/groupPermission.ts

@@ -27,6 +27,11 @@ export default (
         type: Sequelize.ARRAY(Sequelize.STRING),
         allowNull: false,
       },
+      topic_id: {
+        type: Sequelize.INTEGER,
+        allowNull: false,
+        primaryKey: true,
+      },
     },
     {
       tableName: 'GroupPermissions',

libs/model/src/models/index.ts

@@ -60,6 +60,7 @@ export * from './discord_bot_config';
 export * from './email_update_token';
 export * from './evmEventSource';
 export * from './group';
+export * from './groupPermission';
 export * from './lastProcessedEvmBlock';
 export * from './membership';
 export * from './notification';

libs/model/src/models/topic.ts

@@ -16,7 +16,6 @@ export type TopicAttributes = {
   updated_at?: Date;
   deleted_at?: Date;
   default_offchain_template?: string;
-  group_ids?: number[];
   telegram?: string;
 
   // associations
@@ -57,11 +56,6 @@ export default (
         allowNull: true,
       },
       channel_id: { type: Sequelize.STRING, allowNull: true },
-      group_ids: {
-        type: Sequelize.ARRAY(Sequelize.INTEGER),
-        allowNull: false,
-        defaultValue: [],
-      },
       telegram: { type: Sequelize.STRING, allowNull: true },
     },
     {

libs/model/src/thread/CreateThread.command.ts

@@ -99,7 +99,7 @@ export function CreateThread(): Command<typeof schemas.CreateThread> {
   return {
     ...schemas.CreateThread,
     auth: [
-      isCommunityAdminOrTopicMember(schemas.PermissionEnum.CREATE_THREAD),
+      isCommunityAdminOrTopicMember(schemas.ForumActionsEnum.CREATE_THREAD),
       verifyThreadSignature,
     ],
     body: async ({ actor, payload }) => {

libs/model/test/thread/thread-lifecycle.spec.ts

@@ -1,6 +1,6 @@
 import { Actor, command, dispose } from '@hicommonwealth/core';
 import { models } from '@hicommonwealth/model';
-import { PermissionEnum } from '@hicommonwealth/schemas';
+import { ForumActionsEnum } from '@hicommonwealth/schemas';
 import { Chance } from 'chance';
 import { BannedActor, NonMember, RejectedMember } from 'model/src/middleware';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
@@ -47,11 +47,10 @@ describe('Thread lifecycle', () => {
         is_banned: role === 'banned',
       })),
       groups: [{ id: groupId }],
-      topics: [{ group_ids: [groupId] }],
     });
     await seed('GroupPermission', {
       group_id: groupId,
-      allowed_actions: [PermissionEnum.CREATE_THREAD],
+      allowed_actions: [ForumActionsEnum.CREATE_THREAD],
     });
 
     roles.forEach((role) => {

libs/schemas/src/entities/group-permission.schemas.ts

@@ -1,19 +1,20 @@
 import { z } from 'zod';
 import { PG_INT } from '../utils';
 
-export enum PermissionEnum {
+export enum ForumActionsEnum {
   CREATE_THREAD = 'CREATE_THREAD',
   CREATE_COMMENT = 'CREATE_COMMENT',
   CREATE_THREAD_REACTION = 'CREATE_THREAD_REACTION',
   CREATE_COMMENT_REACTION = 'CREATE_COMMENT_REACTION',
   UPDATE_POLL = 'UPDATE_POLL',
 }
 
-export type GroupPermissionAction = keyof typeof PermissionEnum;
+export type ForumActions = keyof typeof ForumActionsEnum;
 
 export const GroupPermission = z.object({
   group_id: PG_INT.optional(),
-  allowed_actions: z.array(z.nativeEnum(PermissionEnum)),
+  allowed_actions: z.array(z.nativeEnum(ForumActionsEnum)),
+  topic_id: PG_INT.optional(),
 
   created_at: z.coerce.date().optional(),
   updated_at: z.coerce.date().optional(),

libs/schemas/src/entities/topic.schemas.ts

@@ -12,6 +12,5 @@ export const Topic = z.object({
   default_offchain_template: z.string().nullish(),
   order: PG_INT.nullish(),
   channel_id: z.string().max(255).nullish(),
-  group_ids: z.array(PG_INT).default([]),
   default_offchain_template_backup: z.string().nullish(),
 });

packages/commonwealth/client/scripts/hooks/useForumActionGated.ts

@@ -0,0 +1,108 @@
+import { ForumActions, ForumActionsEnum } from '@hicommonwealth/schemas';
+import { useRefreshMembershipQuery } from '../state/api/groups';
+
+type UseAllowedGroupsParams = {
+  communityId: string;
+  address: string;
+  topicId?: number;
+  isAdmin: boolean;
+};
+
+export type UseForumActionGatedResponse = {
+  canCreateThread: boolean;
+  canCreateComment: boolean;
+  canReactToThread: boolean;
+  canReactToComment: boolean;
+  canUpdatePoll: boolean;
+};
+
+const allowEverything = {
+  canCreateThread: true,
+  canCreateComment: true,
+  canReactToThread: true,
+  canReactToComment: true,
+  canUpdatePoll: true,
+};
+
+const notInGroup = {
+  canCreateThread: false,
+  canCreateComment: false,
+  canReactToThread: false,
+  canReactToComment: false,
+  canUpdatePoll: false,
+};
+
+export const useForumActionGated = ({
+  communityId,
+  address,
+  topicId,
+  isAdmin,
+}: UseAllowedGroupsParams): UseForumActionGatedResponse => {
+  const { data: memberships = [] } = useRefreshMembershipQuery({
+    communityId,
+    address,
+    topicId: topicId?.toString(),
+    apiEnabled: !!address,
+  });
+
+  if (memberships.length === 0 || isAdmin || !topicId) {
+    return allowEverything;
+  }
+
+  const validGroups = (memberships || []).filter(
+    (membership) => membership?.rejectReason?.length === 0,
+  );
+
+  const flatMemberships = validGroups
+    .flatMap((m) =>
+      m.topicIds.map((t) => ({
+        topic_id: t,
+        allowedActions: m.allowedActions,
+      })),
+    )
+    .map((g) => [g.topic_id, g.allowedActions]) as unknown as [
+    number,
+    ForumActions[],
+  ][];
+
+  const topicIdToIsAllowedMap: Map<number, ForumActions[]> = new Map(
+    flatMemberships,
+  );
+
+  // Each map entry represents a topic and associated forumActions they are allowed to perform. We want to find for
+  // each topic, the set union of all associated forumActions to get the actions that the address can perform.
+  topicIdToIsAllowedMap.forEach((value, key) => {
+    const oldAllowList = topicIdToIsAllowedMap.get(key);
+    if (!oldAllowList) {
+      topicIdToIsAllowedMap.set(key, Array.from(new Set(value)));
+    }
+    topicIdToIsAllowedMap.set(
+      key,
+      Array.from(new Set([...(oldAllowList as []), ...(value as [])])),
+    );
+  });
+
+  const allowedActionsForTopic = topicIdToIsAllowedMap.get(topicId ?? 0);
+
+  if (!allowedActionsForTopic) {
+    return notInGroup;
+  }
+
+  return {
+    canCreateThread: allowedActionsForTopic.includes(
+      ForumActionsEnum.CREATE_THREAD,
+    ),
+    canCreateComment: allowedActionsForTopic.includes(
+      ForumActionsEnum.CREATE_COMMENT,
+    ),
+    canReactToThread: allowedActionsForTopic.includes(
+      ForumActionsEnum.CREATE_THREAD_REACTION,
+    ),
+    canReactToComment: allowedActionsForTopic.includes(
+      ForumActionsEnum.CREATE_COMMENT_REACTION,
+    ),
+    canUpdatePoll: allowedActionsForTopic.includes(
+      ForumActionsEnum.UPDATE_POLL,
+    ),
+  };
+};