aboutsummaryrefslogtreecommitdiffstats
path: root/packages/trpc/models/bookmarks.ts
diff options
context:
space:
mode:
Diffstat (limited to 'packages/trpc/models/bookmarks.ts')
-rw-r--r--packages/trpc/models/bookmarks.ts309
1 files changed, 298 insertions, 11 deletions
diff --git a/packages/trpc/models/bookmarks.ts b/packages/trpc/models/bookmarks.ts
index c689f64d..e4bfdab2 100644
--- a/packages/trpc/models/bookmarks.ts
+++ b/packages/trpc/models/bookmarks.ts
@@ -15,19 +15,23 @@ import {
import invariant from "tiny-invariant";
import { z } from "zod";
+import { db as DONT_USE_db } from "@karakeep/db";
import {
assets,
AssetTypes,
bookmarkAssets,
bookmarkLinks,
+ bookmarkLists,
bookmarks,
bookmarksInLists,
bookmarkTags,
bookmarkTexts,
+ listCollaborators,
rssFeedImportsTable,
tagsOnBookmarks,
} from "@karakeep/db/schema";
-import { readAsset } from "@karakeep/shared/assetdb";
+import { SearchIndexingQueue, triggerWebhook } from "@karakeep/shared-server";
+import { deleteAsset, readAsset } from "@karakeep/shared/assetdb";
import serverConfig from "@karakeep/shared/config";
import {
createSignedToken,
@@ -37,6 +41,7 @@ import { zAssetSignedTokenSchema } from "@karakeep/shared/types/assets";
import {
BookmarkTypes,
DEFAULT_NUM_BOOKMARKS_PER_PAGE,
+ ZBareBookmark,
ZBookmark,
ZBookmarkContent,
zGetBookmarksRequestSchema,
@@ -54,26 +59,225 @@ import { mapDBAssetTypeToUserType } from "../lib/attachments";
import { List } from "./lists";
import { PrivacyAware } from "./privacy";
-export class Bookmark implements PrivacyAware {
+async function dummyDrizzleReturnType() {
+ const x = await DONT_USE_db.query.bookmarks.findFirst({
+ with: {
+ tagsOnBookmarks: {
+ with: {
+ tag: true,
+ },
+ },
+ link: true,
+ text: true,
+ asset: true,
+ assets: true,
+ },
+ });
+ if (!x) {
+ throw new Error();
+ }
+ return x;
+}
+
+type BookmarkQueryReturnType = Awaited<
+ ReturnType<typeof dummyDrizzleReturnType>
+>;
+
+export class BareBookmark implements PrivacyAware {
protected constructor(
protected ctx: AuthedContext,
- public bookmark: ZBookmark & { userId: string },
+ private bareBookmark: ZBareBookmark,
) {}
+ get id() {
+ return this.bareBookmark.id;
+ }
+
+ get createdAt() {
+ return this.bareBookmark.createdAt;
+ }
+
+ static async bareFromId(ctx: AuthedContext, bookmarkId: string) {
+ const bookmark = await ctx.db.query.bookmarks.findFirst({
+ where: eq(bookmarks.id, bookmarkId),
+ });
+
+ if (!bookmark) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "Bookmark not found",
+ });
+ }
+
+ if (!(await BareBookmark.isAllowedToAccessBookmark(ctx, bookmark))) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "Bookmark not found",
+ });
+ }
+
+ return new BareBookmark(ctx, bookmark);
+ }
+
+ protected static async isAllowedToAccessBookmark(
+ ctx: AuthedContext,
+ { id: bookmarkId, userId: bookmarkOwnerId }: { id: string; userId: string },
+ ): Promise<boolean> {
+ if (bookmarkOwnerId == ctx.user.id) {
+ return true;
+ }
+ const bookmarkLists = await List.forBookmark(ctx, bookmarkId);
+ return bookmarkLists.some((l) => l.canUserView());
+ }
+
+ ensureOwnership() {
+ if (this.bareBookmark.userId != this.ctx.user.id) {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "User is not allowed to access resource",
+ });
+ }
+ }
+
ensureCanAccess(ctx: AuthedContext): void {
- if (this.bookmark.userId != ctx.user.id) {
+ if (this.bareBookmark.userId != ctx.user.id) {
throw new TRPCError({
code: "FORBIDDEN",
message: "User is not allowed to access resource",
});
}
}
+}
- static fromData(ctx: AuthedContext, data: ZBookmark) {
- return new Bookmark(ctx, {
- ...data,
- userId: ctx.user.id,
+export class Bookmark extends BareBookmark {
+ protected constructor(
+ ctx: AuthedContext,
+ private bookmark: ZBookmark,
+ ) {
+ super(ctx, bookmark);
+ }
+
+ private static async toZodSchema(
+ bookmark: BookmarkQueryReturnType,
+ includeContent: boolean,
+ ): Promise<ZBookmark> {
+ const { tagsOnBookmarks, link, text, asset, assets, ...rest } = bookmark;
+
+ let content: ZBookmarkContent = {
+ type: BookmarkTypes.UNKNOWN,
+ };
+ if (bookmark.link) {
+ content = {
+ type: BookmarkTypes.LINK,
+ screenshotAssetId: assets.find(
+ (a) => a.assetType == AssetTypes.LINK_SCREENSHOT,
+ )?.id,
+ fullPageArchiveAssetId: assets.find(
+ (a) => a.assetType == AssetTypes.LINK_FULL_PAGE_ARCHIVE,
+ )?.id,
+ precrawledArchiveAssetId: assets.find(
+ (a) => a.assetType == AssetTypes.LINK_PRECRAWLED_ARCHIVE,
+ )?.id,
+ imageAssetId: assets.find(
+ (a) => a.assetType == AssetTypes.LINK_BANNER_IMAGE,
+ )?.id,
+ videoAssetId: assets.find((a) => a.assetType == AssetTypes.LINK_VIDEO)
+ ?.id,
+ url: link.url,
+ title: link.title,
+ description: link.description,
+ imageUrl: link.imageUrl,
+ favicon: link.favicon,
+ htmlContent: includeContent
+ ? await Bookmark.getBookmarkHtmlContent(link, bookmark.userId)
+ : null,
+ crawledAt: link.crawledAt,
+ author: link.author,
+ publisher: link.publisher,
+ datePublished: link.datePublished,
+ dateModified: link.dateModified,
+ };
+ }
+ if (bookmark.text) {
+ content = {
+ type: BookmarkTypes.TEXT,
+ // It's ok to include the text content as it's usually not big and is used to render the text bookmark card.
+ text: text.text ?? "",
+ sourceUrl: text.sourceUrl,
+ };
+ }
+ if (bookmark.asset) {
+ content = {
+ type: BookmarkTypes.ASSET,
+ assetType: asset.assetType,
+ assetId: asset.assetId,
+ fileName: asset.fileName,
+ sourceUrl: asset.sourceUrl,
+ size: assets.find((a) => a.id == asset.assetId)?.size,
+ content: includeContent ? asset.content : null,
+ };
+ }
+
+ return {
+ tags: tagsOnBookmarks
+ .map((t) => ({
+ attachedBy: t.attachedBy,
+ ...t.tag,
+ }))
+ .sort((a, b) =>
+ a.attachedBy === "ai" ? 1 : b.attachedBy === "ai" ? -1 : 0,
+ ),
+ content,
+ assets: assets.map((a) => ({
+ id: a.id,
+ assetType: mapDBAssetTypeToUserType(a.assetType),
+ fileName: a.fileName,
+ })),
+ ...rest,
+ };
+ }
+
+ static async fromId(
+ ctx: AuthedContext,
+ bookmarkId: string,
+ includeContent: boolean,
+ ) {
+ const bookmark = await ctx.db.query.bookmarks.findFirst({
+ where: eq(bookmarks.id, bookmarkId),
+ with: {
+ tagsOnBookmarks: {
+ with: {
+ tag: true,
+ },
+ },
+ link: true,
+ text: true,
+ asset: true,
+ assets: true,
+ },
});
+
+ if (!bookmark) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "Bookmark not found",
+ });
+ }
+
+ if (!(await BareBookmark.isAllowedToAccessBookmark(ctx, bookmark))) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "Bookmark not found",
+ });
+ }
+ return Bookmark.fromData(
+ ctx,
+ await Bookmark.toZodSchema(bookmark, includeContent),
+ );
+ }
+
+ static fromData(ctx: AuthedContext, data: ZBookmark) {
+ return new Bookmark(ctx, data);
}
static async loadMulti(
@@ -103,7 +307,42 @@ export class Bookmark implements PrivacyAware {
.from(bookmarks)
.where(
and(
- eq(bookmarks.userId, ctx.user.id),
+ // Access control: User can access bookmarks if they either:
+ // 1. Own the bookmark (always)
+ // 2. The bookmark is in a specific shared list being viewed
+ // When listId is specified, we need special handling to show all bookmarks in that list
+ input.listId !== undefined
+ ? // If querying a specific list, check if user has access to that list
+ or(
+ eq(bookmarks.userId, ctx.user.id),
+ // User is the owner of the list being queried
+ exists(
+ ctx.db
+ .select()
+ .from(bookmarkLists)
+ .where(
+ and(
+ eq(bookmarkLists.id, input.listId),
+ eq(bookmarkLists.userId, ctx.user.id),
+ ),
+ ),
+ ),
+ // User is a collaborator on the list being queried
+ exists(
+ ctx.db
+ .select()
+ .from(listCollaborators)
+ .where(
+ and(
+ eq(listCollaborators.listId, input.listId),
+ eq(listCollaborators.userId, ctx.user.id),
+ ),
+ ),
+ ),
+ )
+ : // If not querying a specific list, only show bookmarks the user owns
+ // Shared bookmarks should only appear when viewing the specific shared list
+ eq(bookmarks.userId, ctx.user.id),
input.archived !== undefined
? eq(bookmarks.archived, input.archived)
: undefined,
@@ -317,7 +556,7 @@ export class Bookmark implements PrivacyAware {
) {
try {
const asset = await readAsset({
- userId: ctx.user.id,
+ userId: bookmark.userId,
assetId: bookmark.content.contentAssetId,
});
bookmark.content.htmlContent = asset.asset.toString("utf8");
@@ -365,7 +604,18 @@ export class Bookmark implements PrivacyAware {
}
asZBookmark(): ZBookmark {
- return this.bookmark;
+ if (this.bookmark.userId === this.ctx.user.id) {
+ return this.bookmark;
+ }
+
+ // Collaborators shouldn't see owner-specific state such as favourites,
+ // archived flag, or personal notes.
+ return {
+ ...this.bookmark,
+ archived: false,
+ favourited: false,
+ note: null,
+ };
}
asPublicBookmark(): ZPublicBookmark {
@@ -512,4 +762,41 @@ export class Bookmark implements PrivacyAware {
}
return htmlToPlainText(content);
}
+
+ private async cleanupAssets() {
+ const assetIds: Set<string> = new Set<string>(
+ this.bookmark.assets.map((a) => a.id),
+ );
+ // Todo: Remove when the bookmark asset is also in the assets table
+ if (this.bookmark.content.type == BookmarkTypes.ASSET) {
+ assetIds.add(this.bookmark.content.assetId);
+ }
+ await Promise.all(
+ Array.from(assetIds).map((assetId) =>
+ deleteAsset({ userId: this.bookmark.userId, assetId }),
+ ),
+ );
+ }
+
+ async delete() {
+ this.ensureOwnership();
+ const deleted = await this.ctx.db
+ .delete(bookmarks)
+ .where(
+ and(
+ eq(bookmarks.userId, this.ctx.user.id),
+ eq(bookmarks.id, this.bookmark.id),
+ ),
+ );
+
+ await SearchIndexingQueue.enqueue({
+ bookmarkId: this.bookmark.id,
+ type: "delete",
+ });
+
+ await triggerWebhook(this.bookmark.id, "deleted", this.ctx.user.id);
+ if (deleted.changes > 0) {
+ await this.cleanupAssets();
+ }
+ }
}
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-02-18 11:33:41 +0000