UBERF-8445: More smart admin mode (#6897)

Signed-off-by: Andrey Sobolev <[email protected]>

Author: haiodo

server/middleware/src/spaceSecurity.ts

@@ -503,6 +503,14 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
     const isSpace = this.context.hierarchy.isDerived(_class, core.class.Space)
     const field = this.getKey(domain)
 
+    if (
+      ctx.contextData.admin === true &&
+      this.context.hierarchy.isDerived(_class, core.class.Space) &&
+      (newQuery as DocumentQuery<Space>).members !== undefined
+    ) {
+      delete (newQuery as any).members
+    }
+
     let clientFilterSpaces: Set<Ref<Space>> | undefined
 
     if (!this.skipFindCheck && !isSystem(account) && account.role !== AccountRole.DocGuest && domain !== DOMAIN_MODEL) {
@@ -558,6 +566,12 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
         }
       }
     }
+    if (ctx.contextData.admin === true && this.context.hierarchy.isDerived(_class, core.class.Space)) {
+      // We need to add amin to all spaces.
+      for (const d of findResult) {
+        ;(d as unknown as Space).members = [...((d as unknown as Space).members ?? []), ctx.contextData.account._id]
+      }
+    }
     return findResult
   }
 

server/middleware/src/utils.ts

@@ -20,5 +20,5 @@ export function isOwner (account: Account, ctx: MeasureContext<SessionData>): bo
 }
 
 export function isSystem (account: Account): boolean {
-  return account._id === core.account.System
+  return account._id === core.account.System || account._id.startsWith('system:')
 }

server/server/src/client.ts

@@ -108,34 +108,37 @@ export class ClientSession implements Session {
   async getAccount (ctx: ClientSessionCtx): Promise<void> {
     const account = this._pipeline.context.modelDb.getAccountByEmail(this.token.email)
     if (account === undefined && this.token.extra?.admin === 'true') {
-      const systemAccount = this._pipeline.context.modelDb.findObject(this.token.email as Ref<Account>)
-      if (systemAccount === undefined) {
-        // Generate account for admin user
-        const factory = new TxFactory(core.account.System)
-        const email = `system:${this.token.email}`
-        const createTx = factory.createTxCreateDoc(
-          core.class.Account,
-          core.space.Model,
-          {
-            role: AccountRole.Owner,
-            email
-          },
-          this.token.email as Ref<Account>
-        )
-        this.includeSessionContext(ctx.ctx)
-        await this._pipeline.tx(ctx.ctx, [createTx])
-        const acc = TxProcessor.createDoc2Doc(createTx)
-        await ctx.sendResponse(acc)
-        return
-      } else {
-        await ctx.sendResponse(systemAccount)
-        return
-      }
+      await ctx.sendResponse(this.getSystemAccount())
+      return
     }
     await ctx.sendResponse(account)
   }
 
+  private getSystemAccount (): Account {
+    // Generate account for admin user
+    const factory = new TxFactory(core.account.System)
+    const email = `system:${this.token.email}`
+    const createTx = factory.createTxCreateDoc(
+      core.class.Account,
+      core.space.Model,
+      {
+        role: AccountRole.Owner,
+        email
+      },
+      email as Ref<Account>
+    )
+    return TxProcessor.createDoc2Doc(createTx)
+  }
+
   includeSessionContext (ctx: MeasureContext): void {
+    let account: Account | undefined
+    if (this.token.extra?.admin === 'true') {
+      account = this._pipeline.context.modelDb.getAccountByEmail(this.token.email)
+      if (account === undefined) {
+        account = this.getSystemAccount()
+      }
+    }
+
     const contextData = new SessionDataImpl(
       this.token.email,
       this.sessionId,
@@ -149,7 +152,8 @@ export class ClientSession implements Session {
       false,
       new Map(),
       new Map(),
-      this._pipeline.context.modelDb
+      this._pipeline.context.modelDb,
+      account
     )
     ctx.contextData = contextData
   }