WPB-18191: Add route to collaborator permissions from team

Author: blackheaven

changelog.d/2-features/WPB-18191

@@ -0,0 +1 @@
+Allow member permissions to be updated in a team.

integration/test/API/Brig.hs

@@ -1098,6 +1098,14 @@ getAllTeamCollaborators owner tid = do
   req <- baseRequest owner Brig Versioned $ joinHttpPath ["teams", tid, "collaborators"]
   submit "GET" req
 
+updateTeamCollaborator :: (MakesValue owner, MakesValue collaborator, HasCallStack) => owner -> String -> collaborator -> [String] -> App Response
+updateTeamCollaborator owner tid collaborator permissions = do
+  (_, collabId) <- objQid collaborator
+  req <- baseRequest owner Brig Versioned $ joinHttpPath ["teams", tid, "collaborators", collabId]
+  submit "PUT" $
+    req
+      & addJSON permissions
+
 removeTeamCollaborator :: (MakesValue owner, MakesValue collaborator, HasCallStack) => owner -> String -> collaborator -> App Response
 removeTeamCollaborator owner tid collaborator = do
   (_, collabId) <- objQid collaborator

integration/test/Test/TeamCollaborators.hs

@@ -157,3 +157,33 @@ testRemoveMember = do
   removeTeamCollaborator owner team bob >>= assertSuccess
 
   postOne2OneConversation bob alice team "chit-chat" >>= assertLabel 403 "no-team-member"
+
+testUpdateMember :: (HasCallStack) => App ()
+testUpdateMember = do
+  (owner, team, [alice]) <- createTeam OwnDomain 2
+
+  -- At the time of writing, it wasn't clear if this should be a bot instead.
+  bob <- randomUser OwnDomain def
+  addTeamCollaborator
+    owner
+    team
+    bob
+    ["implicit_connection"]
+    >>= assertSuccess
+  postOne2OneConversation bob alice team "chit-chat" >>= assertSuccess
+
+  updateTeamCollaborator
+    owner
+    team
+    bob
+    ["create_team_conversation", "implicit_connection"]
+    >>= assertSuccess
+  postOne2OneConversation bob alice team "chit-chat" >>= assertSuccess
+
+  updateTeamCollaborator
+    owner
+    team
+    bob
+    []
+    >>= assertSuccess
+  postOne2OneConversation bob alice team "chit-chat" >>= assertLabel 403 "operation-denied"

libs/wire-api/src/Wire/API/Event/Team.hs

@@ -124,6 +124,7 @@ data EventType
   | ConvCreate
   | ConvDelete
   | CollaboratorAdd
+  | CollaboratorUpdate
   | CollaboratorRemove
   deriving stock (Eq, Show, Generic)
   deriving (Arbitrary) via (GenericUniform EventType)
@@ -142,6 +143,7 @@ instance ToSchema EventType where
           element "team.conversation-create" ConvCreate,
           element "team.conversation-delete" ConvDelete,
           element "team.collaborator-add" CollaboratorAdd,
+          element "team.collaborator-update" CollaboratorUpdate,
           element "team.collaborator-remove" CollaboratorRemove
         ]
 
@@ -158,6 +160,7 @@ data EventData
   | EdConvCreate ConvId
   | EdConvDelete ConvId
   | EdCollaboratorAdd UserId [CollaboratorPermission]
+  | EdCollaboratorUpdate UserId [CollaboratorPermission]
   | EdCollaboratorRemove UserId
   deriving stock (Eq, Show, Generic)
 
@@ -188,6 +191,11 @@ instance ToJSON EventData where
       [ "user" A..= usr,
         "permissions" A..= perms
       ]
+  toJSON (EdCollaboratorUpdate usr perms) =
+    A.object
+      [ "user" A..= usr,
+        "permissions" A..= perms
+      ]
   toJSON (EdCollaboratorRemove usr) = A.object ["user" A..= usr]
 
 eventDataType :: EventData -> EventType
@@ -200,6 +208,7 @@ eventDataType (EdMemberUpdate _ _) = MemberUpdate
 eventDataType (EdConvCreate _) = ConvCreate
 eventDataType (EdConvDelete _) = ConvDelete
 eventDataType (EdCollaboratorAdd _ _) = CollaboratorAdd
+eventDataType (EdCollaboratorUpdate _ _) = CollaboratorUpdate
 eventDataType (EdCollaboratorRemove _) = CollaboratorRemove
 
 parseEventData :: EventType -> Maybe Value -> Parser EventData
@@ -231,6 +240,10 @@ parseEventData CollaboratorAdd Nothing = fail "missing event data for type 'team
 parseEventData CollaboratorAdd (Just j) = do
   let f o = EdCollaboratorAdd <$> o .: "user" <*> o .: "permissions"
   withObject "collaborator add data" f j
+parseEventData CollaboratorUpdate Nothing = fail "missing event data for type 'team.collaborator-update"
+parseEventData CollaboratorUpdate (Just j) = do
+  let f o = EdCollaboratorUpdate <$> o .: "user" <*> o .: "permissions"
+  withObject "collaborator update data" f j
 parseEventData CollaboratorRemove Nothing = fail "missing event data for type 'team.collaborator-remove"
 parseEventData CollaboratorRemove (Just j) = do
   let f o = EdCollaboratorRemove <$> o .: "user"
@@ -249,6 +262,7 @@ genEventData = \case
   ConvCreate -> EdConvCreate <$> arbitrary
   ConvDelete -> EdConvDelete <$> arbitrary
   CollaboratorAdd -> EdCollaboratorAdd <$> arbitrary <*> arbitrary
+  CollaboratorUpdate -> EdCollaboratorUpdate <$> arbitrary <*> arbitrary
   CollaboratorRemove -> EdCollaboratorRemove <$> arbitrary
 
 makeLenses ''Event

libs/wire-api/src/Wire/API/Routes/Public/Brig.hs

@@ -1979,6 +1979,18 @@ type TeamsAPI =
                :> ReqBody '[JSON] NewTeamCollaborator
                :> MultiVerb1 'POST '[JSON] (RespondEmpty 200 "")
            )
+    :<|> Named
+           "update-team-collaborator"
+           ( Summary "Update a collaborator permissions from the team."
+               :> From 'V11
+               :> ZLocalUser
+               :> "teams"
+               :> Capture "tid" TeamId
+               :> "collaborators"
+               :> Capture "uid" UserId
+               :> ReqBody '[JSON] (Set CollaboratorPermission)
+               :> MultiVerb1 'PUT '[JSON] (RespondEmpty 200 "")
+           )
     :<|> Named
            "remove-team-collaborator"
            ( Summary "Remove a collaborator from the team."

libs/wire-api/src/Wire/API/Team/Member.hs

@@ -478,6 +478,7 @@ data HiddenPerm
   | ChangeTeamMemberProfiles
   | SearchContacts
   | NewTeamCollaborator
+  | UpdateTeamCollaborator
   | RemoveTeamCollaborator
   deriving (Eq, Ord, Show)
 
@@ -564,6 +565,7 @@ roleHiddenPermissions role = HiddenPermissions p p
             CreateReadDeleteScimToken,
             DownloadTeamMembersCsv,
             NewTeamCollaborator,
+            UpdateTeamCollaborator,
             RemoveTeamCollaborator
           ]
     roleHiddenPerms RoleMember =

libs/wire-subsystems/src/Wire/TeamCollaboratorsStore.hs

@@ -11,6 +11,7 @@ data TeamCollaboratorsStore m a where
   CreateTeamCollaborator :: UserId -> TeamId -> Set CollaboratorPermission -> TeamCollaboratorsStore m ()
   GetAllTeamCollaborators :: TeamId -> TeamCollaboratorsStore m [TeamCollaborator]
   GetTeamCollaborator :: TeamId -> UserId -> TeamCollaboratorsStore m (Maybe TeamCollaborator)
+  UpdateTeamCollaborator :: UserId -> TeamId -> Set CollaboratorPermission -> TeamCollaboratorsStore m ()
   RemoveTeamCollaborator :: UserId -> TeamId -> TeamCollaboratorsStore m ()
 
 makeSem ''TeamCollaboratorsStore

libs/wire-subsystems/src/Wire/TeamCollaboratorsStore/Postgres.hs

@@ -36,6 +36,7 @@ interpretTeamCollaboratorsStoreToPostgres =
     CreateTeamCollaborator userId teamId permissions -> createTeamCollaboratorImpl userId teamId permissions
     GetAllTeamCollaborators teamId -> getAllTeamCollaboratorsImpl teamId
     GetTeamCollaborator teamId userId -> getTeamCollaboratorImpl teamId userId
+    UpdateTeamCollaborator userId teamId permissions -> updateTeamCollaboratorImpl userId teamId permissions
     RemoveTeamCollaborator userId teamId -> removeTeamCollaboratorImpl userId teamId
 
 getTeamCollaboratorImpl ::
@@ -123,6 +124,33 @@ getAllTeamCollaboratorsImpl teamId = do
           select user_id :: uuid, team_id :: uuid, permissions :: int2[] from collaborators where team_id = ($1 :: uuid)
           |]
 
+updateTeamCollaboratorImpl ::
+  ( Member (Input Pool) r,
+    Member (Embed IO) r,
+    Member (Error UsageError) r
+  ) =>
+  UserId ->
+  TeamId ->
+  Set CollaboratorPermission ->
+  Sem r ()
+updateTeamCollaboratorImpl userId teamId permissions = do
+  pool <- input
+  eitherErrorOrUnit <- liftIO $ use pool session
+  either throw pure eitherErrorOrUnit
+  where
+    session :: Session ()
+    session = statement (userId, teamId, permissions) updateStatement
+
+    updateStatement :: Statement (UserId, TeamId, Set CollaboratorPermission) ()
+    updateStatement =
+      lmap
+        ( \(uid, tid, pms) ->
+            (toUUID uid, toUUID tid, collaboratorPermissionToPostgreslRep <$> (Data.Vector.fromList . toAscList) pms)
+        )
+        $ [resultlessStatement|
+          update collaborators set permissions = ($3 :: smallint[]) where user_id = ($1 :: uuid) and team_id = ($2 :: uuid)
+          |]
+
 removeTeamCollaboratorImpl ::
   ( Member (Input Pool) r,
     Member (Embed IO) r,

libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem.hs

@@ -12,6 +12,7 @@ data TeamCollaboratorsSubsystem m a where
   CreateTeamCollaborator :: Local UserId -> UserId -> TeamId -> Set CollaboratorPermission -> TeamCollaboratorsSubsystem m ()
   GetAllTeamCollaborators :: Local UserId -> TeamId -> TeamCollaboratorsSubsystem m [TeamCollaborator]
   InternalGetTeamCollaborator :: TeamId -> UserId -> TeamCollaboratorsSubsystem m (Maybe TeamCollaborator)
+  UpdateTeamCollaborator :: Local UserId -> UserId -> TeamId -> Set CollaboratorPermission -> TeamCollaboratorsSubsystem m ()
   RemoveTeamCollaborator :: Local UserId -> UserId -> TeamId -> TeamCollaboratorsSubsystem m ()
 
 makeSem ''TeamCollaboratorsSubsystem

libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs

@@ -37,6 +37,7 @@ interpretTeamCollaboratorsSubsystem = interpret $ \case
   CreateTeamCollaborator zUser user team perms -> createTeamCollaboratorImpl zUser user team perms
   GetAllTeamCollaborators zUser team -> getAllTeamCollaboratorsImpl zUser team
   InternalGetTeamCollaborator team user -> internalGetTeamCollaboratorImpl team user
+  UpdateTeamCollaborator zUser user team perms -> updateTeamCollaboratorImpl zUser user team perms
   RemoveTeamCollaborator zUser user team -> removeTeamCollaboratorImpl zUser user team
 
 internalGetTeamCollaboratorImpl ::
@@ -96,6 +97,46 @@ getAllTeamCollaboratorsImpl zUser team = do
   guardPermission (tUnqualified zUser) team TeamMember.NewTeamCollaborator InsufficientRights
   Store.getAllTeamCollaborators team
 
+updateTeamCollaboratorImpl ::
+  ( Member TeamSubsystem r,
+    Member (Error TeamCollaboratorsError) r,
+    Member Store.TeamCollaboratorsStore r,
+    Member Now r,
+    Member NotificationSubsystem r
+  ) =>
+  Local UserId ->
+  UserId ->
+  TeamId ->
+  Set CollaboratorPermission ->
+  Sem r ()
+updateTeamCollaboratorImpl zUser user team perms = do
+  guardPermission (tUnqualified zUser) team TeamMember.UpdateTeamCollaborator InsufficientRights
+  Store.updateTeamCollaborator user team perms
+  unless (Set.member ImplicitConnection perms) $
+    -- TODO gdf remove O2O conversations
+    pure ()
+
+  now <- get
+  let event = newEvent team now (EdCollaboratorUpdate user $ Set.toList perms)
+  teamMembersList <- internalGetTeamAdmins team
+  let teamMembers :: [UserId] = view TeamMember.userId <$> (teamMembersList ^. TeamMember.teamMembers)
+  -- TODO: Review the event's values
+  pushNotifications
+    [ def
+        { origin = Just (tUnqualified zUser),
+          json = toJSONObject $ event,
+          recipients =
+            ( \uid ->
+                Recipient
+                  { recipientUserId = uid,
+                    recipientClients = Push.RecipientClientsAll
+                  }
+            )
+              <$> teamMembers,
+          transient = False
+        }
+    ]
+
 removeTeamCollaboratorImpl ::
   ( Member TeamSubsystem r,
     Member (Error TeamCollaboratorsError) r,