Granular level topic gating

libs/model/src/comment/CreateComment.command.ts

@@ -32,7 +32,9 @@ export function CreateComment(): Command<
   return {
     ...schemas.CreateComment,
     auth: [
-      isAuthorized({ action: schemas.PermissionEnum.CREATE_COMMENT }),
+      isAuthorized({
+        action: schemas.PermissionEnum.CREATE_COMMENT,
+      }),
       verifyCommentSignature,
     ],
     body: async ({ actor, payload, auth }) => {

libs/model/src/comment/CreateCommentReaction.command.ts

@@ -13,7 +13,9 @@ export function CreateCommentReaction(): Command<
   return {
     ...schemas.CreateCommentReaction,
     auth: [
-      isAuthorized({ action: schemas.PermissionEnum.CREATE_COMMENT_REACTION }),
+      isAuthorized({
+        action: schemas.PermissionEnum.CREATE_COMMENT_REACTION,
+      }),
       verifyReactionSignature,
     ],
     body: async ({ payload, actor, auth }) => {

libs/model/src/community/CreateGroup.command.ts

@@ -25,7 +25,7 @@ export function CreateGroup(): Command<
 
       const topics = await models.Topic.findAll({
         where: {
-          id: { [Op.in]: payload.topics || [] },
+          id: { [Op.in]: payload.topics?.map((t) => t.id) || [] },
           community_id,
         },
       });
@@ -70,6 +70,20 @@ export function CreateGroup(): Command<
                 transaction,
               },
             );
+
+            if (group.id) {
+              // add topic level interaction permissions for current group
+              const groupPermissions = (payload.topics || []).map((t) => ({
+                group_id: group.id!,
+                topic_id: t.id,
+                allowed_actions: sequelize.literal(
+                  `ARRAY[${t.permissions.map((p) => `'${p}'`).join(', ')}]::"enum_GroupPermissions_allowed_actions"[]`,
+                ) as unknown as schemas.PermissionEnum[],
+              }));
+              await models.GroupPermission.bulkCreate(groupPermissions, {
+                transaction,
+              });
+            }
           }
           return group.toJSON();
         },

libs/model/src/community/UpdateGroup.command.ts

@@ -33,7 +33,7 @@ export function UpdateGroup(): Command<
 
       const topics = await models.Topic.findAll({
         where: {
-          id: { [Op.in]: payload.topics || [] },
+          id: { [Op.in]: payload.topics?.map((t) => t.id) || [] },
           community_id,
         },
       });
@@ -90,6 +90,26 @@ export function UpdateGroup(): Command<
               transaction,
             },
           );
+
+          // update topic level interaction permissions for current group
+          await Promise.all(
+            (payload.topics || [])?.map(async (t) => {
+              if (group.id) {
+                await models.GroupPermission.update(
+                  {
+                    allowed_actions: t.permissions,
+                  },
+                  {
+                    where: {
+                      group_id: group_id,
+                      topic_id: t.id,
+                    },
+                    transaction,
+                  },
+                );
+              }
+            }),
+          );
         }
 
         return group.toJSON();

libs/model/src/middleware/authorization.ts

@@ -6,7 +6,10 @@ import {
   type Context,
   type Handler,
 } from '@hicommonwealth/core';
-import { Group, GroupPermissionAction } from '@hicommonwealth/schemas';
+import {
+  Group,
+  GroupPermissionAction,
+} from '@hicommonwealth/schemas';
 import { Role } from '@hicommonwealth/shared';
 import { Op, QueryTypes } from 'sequelize';
 import { ZodSchema, z } from 'zod';
@@ -182,7 +185,7 @@ async function buildAuth(
 /**
  * Checks if actor passes a set of requirements and grants access for all groups of the given topic
  */
-async function isTopicMember(
+async function hasTopicInteractionPermissions(
   actor: Actor,
   auth: AuthContext,
   action: GroupPermissionAction,
@@ -194,39 +197,45 @@ async function isTopicMember(
 
   if (auth.topic.group_ids?.length === 0) return;
 
+  // check if user has permission to perform "action" in 'topic_id'
+  // the 'topic_id' can belong to any group where user has membership
+  // the group with 'topic_id' having higher permissions will take precedence
   const groups = await models.sequelize.query<
     z.infer<typeof Group> & {
       allowed_actions?: GroupPermissionAction[];
     }
   >(
     `
-    SELECT g.*, gp.allowed_actions
+    SELECT 
+      g.*, 
+      gp.allowed_actions as allowed_actions
     FROM "Groups" as g 
-    LEFT JOIN "GroupPermissions" gp ON g.id = gp.group_id
-    WHERE g.community_id = :community_id AND g.id IN (:group_ids);
+    LEFT JOIN "GroupPermissions" gp ON g.id = gp.group_id AND gp.topic_id = :topic_id
+    WHERE g.community_id = :community_id
     `,
     {
       type: QueryTypes.SELECT,
       raw: true,
       replacements: {
         community_id: auth.topic.community_id,
-        group_ids: auth.topic.group_ids,
+        topic_id: auth.topic.id,
       },
     },
   );
 
   // There are 2 cases here. We either have the old group permission system where the group doesn't have
-  // any allowed_actions, or we have the new fine-grained permission system where the action must be in
-  // the allowed_actions list.
-  const allowed = groups.filter(
+  // any group_allowed_actions, or we have the new fine-grained permission system where the action must be in
+  // the group_allowed_actions list.
+  const allowedGroupActions = groups.filter(
     (g) => !g.allowed_actions || g.allowed_actions.includes(action),
   );
-  if (!allowed.length!) throw new NonMember(actor, auth.topic.name, action);
+  if (!allowedGroupActions.length!)
+    throw new NonMember(actor, auth.topic.name, action);
 
   // check membership for all groups of topic
   const memberships = await models.Membership.findAll({
     where: {
-      group_id: { [Op.in]: allowed.map((g) => g.id!) },
+      group_id: { [Op.in]: allowedGroupActions.map((g) => g.id!) },
       address_id: auth.address!.id,
     },
     include: [
@@ -295,7 +304,11 @@ export function isAuthorized({
 
     if (action) {
       // waterfall stops here after validating the action
-      await isTopicMember(ctx.actor, auth, action);
+      await hasTopicInteractionPermissions(
+        ctx.actor,
+        auth,
+        action,
+      );
       return;
     }
 

libs/model/src/models/associations.ts

@@ -89,7 +89,13 @@ export const buildAssociations = (db: DB) => {
     asMany: 'threads',
     onUpdate: 'CASCADE',
     onDelete: 'SET NULL',
-  }).withMany(db.ContestTopic, { asMany: 'contest_topics' });
+  })
+    .withMany(db.ContestTopic, { asMany: 'contest_topics' })
+    .withMany(db.GroupPermission, {
+      foreignKey: 'topic_id',
+      onUpdate: 'CASCADE',
+      onDelete: 'CASCADE',
+    });
 
   db.Thread.withMany(db.Poll)
     .withMany(db.ContestAction, {
@@ -130,7 +136,11 @@ export const buildAssociations = (db: DB) => {
     onDelete: 'CASCADE',
   });
 
-  db.Group.withMany(db.GroupPermission);
+  db.Group.withMany(db.GroupPermission, {
+    foreignKey: 'group_id',
+    onUpdate: 'CASCADE',
+    onDelete: 'CASCADE',
+  });
 
   // Many-to-many associations (cross-references)
   db.Membership.withManyToMany(

libs/model/src/models/groupPermission.ts

@@ -2,11 +2,13 @@ import { GroupPermission } from '@hicommonwealth/schemas';
 import Sequelize from 'sequelize'; // must use "* as" to avoid scope errors
 import { z } from 'zod';
 import { GroupAttributes } from './group';
+import { TopicAttributes } from './topic';
 import type { ModelInstance } from './types';
 
 export type GroupPermissionAttributes = z.infer<typeof GroupPermission> & {
   // associations
   Group?: GroupAttributes;
+  Topic?: TopicAttributes;
 };
 
 export type GroupPermissionInstance = ModelInstance<GroupPermissionAttributes>;
@@ -22,6 +24,11 @@ export default (
         allowNull: false,
         primaryKey: true,
       },
+      topic_id: {
+        type: Sequelize.INTEGER,
+        allowNull: false,
+        primaryKey: true,
+      },
       allowed_actions: {
         // This needs to be a string[] because enum[] will break sequelize.sync and fail tests
         type: Sequelize.ARRAY(Sequelize.STRING),

libs/model/src/thread/CreateThread.command.ts

@@ -88,7 +88,9 @@ export function CreateThread(): Command<
   return {
     ...schemas.CreateThread,
     auth: [
-      isAuthorized({ action: schemas.PermissionEnum.CREATE_THREAD }),
+      isAuthorized({
+        action: schemas.PermissionEnum.CREATE_THREAD
+      }),
       verifyThreadSignature,
     ],
     body: async ({ actor, payload, auth }) => {

libs/model/test/community/community-lifecycle.spec.ts

@@ -7,7 +7,10 @@ import {
   dispose,
   query,
 } from '@hicommonwealth/core';
-import { TopicWeightedVoting } from '@hicommonwealth/schemas';
+import {
+  PermissionEnum,
+  TopicWeightedVoting,
+} from '@hicommonwealth/schemas';
 import { ChainBase, ChainType } from '@hicommonwealth/shared';
 import { Chance } from 'chance';
 import { CreateTopic } from 'model/src/community/CreateTopic.command';
@@ -38,7 +41,10 @@ import { seed } from '../../src/tester';
 
 const chance = Chance();
 
-function buildCreateGroupPayload(community_id: string, topics: number[] = []) {
+function buildCreateGroupPayload(
+  community_id: string,
+  topics: { id: number; permissions: PermissionEnum[] }[] = [],
+) {
   return {
     community_id,
     metadata: {
@@ -355,7 +361,20 @@ describe('Community lifecycle', () => {
       await expect(
         command(CreateGroup(), {
           actor: ethAdminActor,
-          payload: buildCreateGroupPayload(community.id, [1, 2, 3]),
+          payload: buildCreateGroupPayload(community.id, [
+            {
+              id: 1,
+              permissions: [PermissionEnum.CREATE_COMMENT, PermissionEnum.CREATE_THREAD, PermissionEnum.CREATE_COMMENT_REACTION,PermissionEnum.CREATE_THREAD_REACTION],
+            },
+            {
+              id: 2,
+              permissions: [PermissionEnum.CREATE_COMMENT, PermissionEnum.CREATE_THREAD, PermissionEnum.CREATE_COMMENT_REACTION,PermissionEnum.CREATE_THREAD_REACTION],
+            },
+            {
+              id: 3,
+              permissions: [PermissionEnum.CREATE_COMMENT, PermissionEnum.CREATE_THREAD, PermissionEnum.CREATE_COMMENT_REACTION,PermissionEnum.CREATE_THREAD_REACTION],
+            },
+          ]),
         }),
       ).rejects.toThrow(CreateGroupErrors.InvalidTopics);
     });

libs/model/test/thread/thread-lifecycle.spec.ts

@@ -163,6 +163,7 @@ describe('Thread lifecycle', () => {
     });
     await seed('GroupPermission', {
       group_id: threadGroupId,
+      topic_id: _community?.topics?.[0]?.id || 0,
       allowed_actions: [
         schemas.PermissionEnum.CREATE_THREAD,
         schemas.PermissionEnum.CREATE_THREAD_REACTION,
@@ -171,6 +172,7 @@ describe('Thread lifecycle', () => {
     });
     await seed('GroupPermission', {
       group_id: commentGroupId,
+      topic_id: _community?.topics?.[0]?.id || 0,
       allowed_actions: [schemas.PermissionEnum.CREATE_COMMENT],
     });
 

libs/schemas/src/commands/community.schemas.ts

@@ -12,6 +12,7 @@ import { z } from 'zod';
 import {
   Community,
   Group,
+  PermissionEnum,
   Requirement,
   StakeTransaction,
   Topic,
@@ -228,7 +229,14 @@ export const CreateGroup = {
     community_id: z.string(),
     metadata: GroupMetadata,
     requirements: z.array(Requirement).optional(),
-    topics: z.array(PG_INT).optional(),
+    topics: z
+      .array(
+        z.object({
+          id: PG_INT,
+          permissions: z.array(z.nativeEnum(PermissionEnum)),
+        }),
+      )
+      .optional(),
   }),
   output: Community.extend({ groups: z.array(Group).optional() }).partial(),
 };
@@ -239,7 +247,14 @@ export const UpdateGroup = {
     group_id: PG_INT,
     metadata: GroupMetadata.optional(),
     requirements: z.array(Requirement).optional(),
-    topics: z.array(PG_INT).optional(),
+    topics: z
+      .array(
+        z.object({
+          id: PG_INT,
+          permissions: z.array(z.nativeEnum(PermissionEnum)),
+        }),
+      )
+      .optional(),
   }),
   output: Group.partial(),
 };

libs/schemas/src/entities/group-permission.schemas.ts

@@ -6,15 +6,15 @@ export enum PermissionEnum {
   CREATE_COMMENT = 'CREATE_COMMENT',
   CREATE_THREAD_REACTION = 'CREATE_THREAD_REACTION',
   CREATE_COMMENT_REACTION = 'CREATE_COMMENT_REACTION',
-  UPDATE_POLL = 'UPDATE_POLL',
+  UPDATE_POLL = 'UPDATE_POLL'
 }
 
 export type GroupPermissionAction = keyof typeof PermissionEnum;
 
 export const GroupPermission = z.object({
-  group_id: PG_INT.optional(),
+  group_id: PG_INT,
+  topic_id: PG_INT,
   allowed_actions: z.array(z.nativeEnum(PermissionEnum)),
-
   created_at: z.coerce.date().optional(),
   updated_at: z.coerce.date().optional(),
 });

packages/commonwealth/client/scripts/helpers/threads.ts

@@ -1,5 +1,8 @@
+import { PermissionEnum } from '@hicommonwealth/schemas';
 import { re_weburl } from 'lib/url-validation';
 import { Link, LinkSource } from 'models/Thread';
+// eslint-disable-next-line max-len
+import { convertGranularPermissionsToAccumulatedPermissions } from '../views/pages/CommunityGroupsAndMembers/Groups/common/GroupForm/helpers';
 
 export function detectURL(str: string) {
   if (str.slice(0, 4) !== 'http') str = `http://${str}`; // no https required because this is only used for regex match
@@ -55,17 +58,24 @@ export const getThreadActionTooltipText = ({
   isThreadArchived = false,
   isThreadLocked = false,
   isThreadTopicGated = false,
+  threadTopicInteractionRestrictions,
 }: {
   isCommunityMember?: boolean;
   isThreadArchived?: boolean;
   isThreadLocked?: boolean;
   isThreadTopicGated?: boolean;
+  threadTopicInteractionRestrictions?: PermissionEnum[];
 }): GetThreadActionTooltipTextResponse => {
   if (!isCommunityMember) {
     return getActionTooltipForNonCommunityMember;
   }
   if (isThreadArchived) return 'Thread is archived';
   if (isThreadLocked) return 'Thread is locked';
   if (isThreadTopicGated) return 'Topic is gated';
+  if (threadTopicInteractionRestrictions) {
+    return `Topic members are only allowed to ${convertGranularPermissionsToAccumulatedPermissions(
+      threadTopicInteractionRestrictions,
+    )}`;
+  }
   return '';
 };