mirror of
https://github.com/sourcebot-dev/sourcebot.git
synced 2025-12-13 21:05:22 +00:00
85 lines
3.1 KiB
TypeScript
85 lines
3.1 KiB
TypeScript
import 'server-only';
|
|
import { env, getDBConnectionString } from "@sourcebot/shared";
|
|
import { Prisma, PrismaClient, UserWithAccounts } from "@sourcebot/db";
|
|
import { hasEntitlement } from "@sourcebot/shared";
|
|
|
|
// @see: https://authjs.dev/getting-started/adapters/prisma
|
|
const globalForPrisma = globalThis as unknown as { prisma: PrismaClient }
|
|
|
|
const dbConnectionString = getDBConnectionString();
|
|
|
|
// @NOTE: In almost all cases, the userScopedPrismaClientExtension should be used
|
|
// (since actions & queries are scoped to a particular user). There are some exceptions
|
|
// (e.g., in initialize.ts).
|
|
//
|
|
// @todo: we can mark this as `__unsafePrisma` in the future once we've migrated
|
|
// all of the actions & queries to use the userScopedPrismaClientExtension to avoid
|
|
// accidental misuse.
|
|
export const prisma = globalForPrisma.prisma || new PrismaClient({
|
|
// @note: this code is evaluated at build time, and will throw exceptions if these env vars are not set.
|
|
// Here we explicitly check if the DATABASE_URL or the individual database variables are set, and only
|
|
...(dbConnectionString !== undefined ? {
|
|
datasources: {
|
|
db: {
|
|
url: dbConnectionString,
|
|
},
|
|
}
|
|
} : {}),
|
|
})
|
|
if (env.NODE_ENV !== "production") globalForPrisma.prisma = prisma
|
|
|
|
/**
|
|
* Creates a prisma client extension that scopes queries to striclty information
|
|
* a given user should be able to access.
|
|
*/
|
|
export const userScopedPrismaClientExtension = (user?: UserWithAccounts) => {
|
|
return Prisma.defineExtension(
|
|
(prisma) => {
|
|
return prisma.$extends({
|
|
query: {
|
|
...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ? {
|
|
repo: {
|
|
async $allOperations({ args, query }) {
|
|
const argsWithWhere = args as Record<string, unknown> & {
|
|
where?: Prisma.RepoWhereInput;
|
|
}
|
|
|
|
argsWithWhere.where = {
|
|
...(argsWithWhere.where || {}),
|
|
...getRepoPermissionFilterForUser(user),
|
|
};
|
|
|
|
return query(args);
|
|
}
|
|
}
|
|
} : {})
|
|
}
|
|
})
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Returns a filter for repositories that the user has access to.
|
|
*/
|
|
export const getRepoPermissionFilterForUser = (user?: UserWithAccounts): Prisma.RepoWhereInput => {
|
|
return {
|
|
OR: [
|
|
// Only include repos that are permitted to the user
|
|
...((user && user.accounts.length > 0) ? [
|
|
{
|
|
permittedAccounts: {
|
|
some: {
|
|
accountId: {
|
|
in: user.accounts.map(account => account.id),
|
|
}
|
|
}
|
|
}
|
|
},
|
|
] : []),
|
|
// or are public.
|
|
{
|
|
isPublic: true,
|
|
}
|
|
]
|
|
}
|
|
}
|