project/collaborators: check the api in a similar way

Author: haraldschilly

src/packages/server/projects/collab.ts

@@ -1,5 +1,5 @@
 /*
- *  This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
+ *  This file is part of CoCalc: Copyright © 2020 - 2025 Sagemath, Inc.
  *  License: MS-RSL – see LICENSE.md for details
  */
 
@@ -8,6 +8,7 @@ import { is_array, is_valid_uuid_string } from "@cocalc/util/misc";
 import { callback2 } from "@cocalc/util/async-utils";
 import isSandbox from "@cocalc/server/projects/is-sandbox";
 import idleSandboxUsers from "@cocalc/server/projects/idle-sandbox-users";
+import { ensureCanManageCollaborators } from "./ownership-checks";
 
 const GROUPS = ["owner", "collaborator"] as const;
 
@@ -40,6 +41,19 @@ export async function add_collaborators_to_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Only check if not using tokens (tokens have their own permission system)
+  if (!tokens) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+        db,
+      });
+    }
+  }
+
   // We now know that account_id is allowed to add users to all of the projects,
   // *OR* at that there are valid tokens to permit adding users.
 
@@ -71,7 +85,7 @@ export async function remove_collaborators_from_projects(
   db: PostgreSQL,
   account_id: string,
   accounts: string[],
-  projects: string[], // can be empty strings if tokens specified (since they determine project_id)
+  projects: string[],
 ): Promise<void> {
   try {
     // Ensure user is allowed to modify project(s)
@@ -92,6 +106,21 @@ export async function remove_collaborators_from_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Skip check if the user is only removing themselves
+  const is_self_remove_only =
+    accounts.length === 1 && accounts[0] === account_id;
+  if (!is_self_remove_only) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+        db,
+      });
+    }
+  }
+
   // Remove users from projects
   //
   for (const i in projects) {

src/packages/server/projects/collaborators-ownership.test.ts

@@ -16,6 +16,10 @@ import {
   inviteCollaboratorWithoutAccount,
   removeCollaborator,
 } from "@cocalc/server/projects/collaborators";
+import {
+  add_collaborators_to_projects,
+  remove_collaborators_from_projects,
+} from "@cocalc/server/projects/collab";
 import {
   resetServerSettingsCache,
   getServerSettings,
@@ -320,3 +324,218 @@ describe("invite permissions", () => {
     ).rejects.toMatchObject({ code: OwnershipErrorCode.NOT_OWNER });
   });
 });
+
+describe("REST API level protection (collab.ts functions)", () => {
+  test("add_collaborators_to_projects bypasses check when using tokens", async () => {
+    const { projectId } = await createProjectWithOwner();
+    const outsideUserId = await createUser("outsider");
+
+    // Create a project invite token
+    const { rows } = await getPool().query(
+      "INSERT INTO project_invite_tokens (token, project_id, usage_limit) VALUES ($1, $2, $3) RETURNING token",
+      ["test-token-123", projectId, 10],
+    );
+    const token = rows[0].token;
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Outside user should be able to add themselves using a token
+    // even though they're not a collaborator or owner
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        outsideUserId,
+        [outsideUserId],
+        [""], // empty project_id because token determines the project
+        [token],
+      ),
+    ).resolves.toBeUndefined();
+
+    // Verify the user was actually added
+    const { rows: projectRows } = await getPool().query(
+      "SELECT users FROM projects WHERE project_id=$1",
+      [projectId],
+    );
+    expect(projectRows[0].users[outsideUserId]).toBeDefined();
+  });
+
+  test("add_collaborators_to_projects enforces strict_collaborator_management site setting", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+    const newCollabId = await createUser("newcollab");
+
+    // Add first collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should not be able to add another user
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        collaboratorId,
+        [newCollabId],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("add_collaborators_to_projects enforces project-level manage_users_owner_only", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+    const newCollabId = await createUser("newcollab");
+
+    // Add first collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable project-level strict management
+    await getPool().query(
+      "UPDATE projects SET manage_users_owner_only=$1 WHERE project_id=$2",
+      [true, projectId],
+    );
+
+    // Collaborator should not be able to add another user
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        collaboratorId,
+        [newCollabId],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("remove_collaborators_from_projects enforces strict_collaborator_management site setting", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaborator1Id = await createUser("collab1");
+    const collaborator2Id = await createUser("collab2");
+
+    // Add collaborators as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaborator1Id, collaborator2Id],
+      [projectId, projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should not be able to remove another collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaborator1Id,
+        [collaborator2Id],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("remove_collaborators_from_projects allows self-removal even with strict_collaborator_management", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+
+    // Add collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should be able to remove themselves
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaboratorId,
+        [collaboratorId],
+        [projectId],
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  test("remove_collaborators_from_projects enforces project-level manage_users_owner_only", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaborator1Id = await createUser("collab1");
+    const collaborator2Id = await createUser("collab2");
+
+    // Add collaborators as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaborator1Id, collaborator2Id],
+      [projectId, projectId],
+    );
+
+    // Enable project-level strict management
+    await getPool().query(
+      "UPDATE projects SET manage_users_owner_only=$1 WHERE project_id=$2",
+      [true, projectId],
+    );
+
+    // Collaborator should not be able to remove another collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaborator1Id,
+        [collaborator2Id],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("add_collaborators_to_projects allows owners to add when strict management is enabled", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const newCollabId = await createUser("newcollab");
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Owner should be able to add a collaborator
+    await expect(
+      add_collaborators_to_projects(db(), ownerId, [newCollabId], [projectId]),
+    ).resolves.toBeUndefined();
+  });
+
+  test("remove_collaborators_from_projects allows owners to remove when strict management is enabled", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+
+    // Add collaborator
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Owner should be able to remove a collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        ownerId,
+        [collaboratorId],
+        [projectId],
+      ),
+    ).resolves.toBeUndefined();
+  });
+});

src/packages/server/projects/collaborators.ts

@@ -25,63 +25,14 @@ import {
   OwnershipErrorCode,
 } from "@cocalc/util/project-ownership";
 import { query } from "@cocalc/database/postgres/query";
-import { getServerSettings } from "@cocalc/database/settings/server-settings";
+import {
+  ensureCanManageCollaborators,
+  OwnershipError,
+} from "./ownership-checks";
 
 const logger = getLogger("project:collaborators");
 
-export class OwnershipError extends Error {
-  code: OwnershipErrorCode;
-  constructor(message: string, code: OwnershipErrorCode) {
-    super(message);
-    this.name = "OwnershipError";
-    this.code = code;
-  }
-}
-
-/**
- * Helper function to check if a user can manage collaborators based on the
- * manage_users_owner_only setting.
- *
- * @throws {OwnershipError} If the project is not found or the user is not allowed to manage collaborators
- */
-async function ensureCanManageCollaborators(opts: {
-  project_id: string;
-  account_id: string;
-  database?: any;
-}): Promise<void> {
-  const { project_id, account_id, database = db() } = opts;
-  const serverSettings = await getServerSettings();
-  const siteEnforced = !!serverSettings.strict_collaborator_management;
-
-  const project = await query({
-    db: database,
-    table: "projects",
-    select: ["users", "manage_users_owner_only"],
-    where: { project_id },
-    one: true,
-  });
-
-  if (!project) {
-    throw new OwnershipError(
-      "Project not found",
-      OwnershipErrorCode.INVALID_PROJECT_STATE,
-    );
-  }
-
-  const manage_users_owner_only = project.manage_users_owner_only ?? false;
-  const requesting_user_group = project.users?.[account_id]?.group as
-    | UserGroup
-    | undefined;
-
-  const restrictToOwners = siteEnforced || manage_users_owner_only;
-
-  if (restrictToOwners && requesting_user_group !== "owner") {
-    throw new OwnershipError(
-      "Only owners can manage collaborators when this setting is enabled",
-      OwnershipErrorCode.NOT_OWNER,
-    );
-  }
-}
+export { OwnershipError } from "./ownership-checks";
 
 export async function removeCollaborator({
   account_id,
@@ -311,7 +262,7 @@ export async function inviteCollaborator({
   await ensureCanManageCollaborators({
     project_id: opts.project_id,
     account_id,
-    database,
+    db: database,
   });
 
   // Actually add user to project
@@ -412,7 +363,7 @@ export async function inviteCollaboratorWithoutAccount({
   await ensureCanManageCollaborators({
     project_id: opts.project_id,
     account_id,
-    database,
+    db: database,
   });
 
   if (opts.to.length > 1024) {