User accounts

Allows for the creation of user accounts. A few notes on the specifics: - Experiments are the main access control objects. If you can view an experiment, you can view all its prompts/scenarios/evals. If you can edit it, you can edit or delete all of those as well. - Experiments are owned by Organizations in the database. Organizations can have multiple members and members can have roles of ADMIN, MEMBER or VIEWER. - Organizations can either be "personal" or general. Each user has a "personal" organization created as soon as they try to create an experiment. There's currently no UI support for creating general orgs or adding users to them; they're just in the database to future-proof all the ACL logic. - You can require that a user is signed-in to see a route using the `protectedProcedure` helper. When you use `protectedProcedure`, you also have to call `ctx.markAccessControlRun()` (or delegate to a function that does it for you; see accessControl.ts). This is to remind us to actually check for access control when we define a new endpoint.
2023-07-18 17:39:14 -07:00
parent e0e64c4207
commit 1dcdba04a6
34 changed files with 963 additions and 416 deletions
--- a/src/server/api/routers/scenarios.router.ts
+++ b/src/server/api/routers/scenarios.router.ts
@@ -1,32 +1,39 @@
 import { z } from "zod";
-import { createTRPCRouter, publicProcedure } from "~/server/api/trpc";
+import { createTRPCRouter, protectedProcedure, publicProcedure } from "~/server/api/trpc";
 import { prisma } from "~/server/db";
 import { autogenerateScenarioValues } from "../autogen";
 import { recordExperimentUpdated } from "~/server/utils/recordExperimentUpdated";
 import { runAllEvals } from "~/server/utils/evaluations";
 import { generateNewCell } from "~/server/utils/generateNewCell";
+import { requireCanModifyExperiment, requireCanViewExperiment } from "~/utils/accessControl";

 export const scenariosRouter = createTRPCRouter({
-  list: publicProcedure.input(z.object({ experimentId: z.string() })).query(async ({ input }) => {
-    return await prisma.testScenario.findMany({
-      where: {
-        experimentId: input.experimentId,
-        visible: true,
-      },
-      orderBy: {
-        sortIndex: "asc",
-      },
-    });
-  }),
+  list: publicProcedure
+    .input(z.object({ experimentId: z.string() }))
+    .query(async ({ input, ctx }) => {
+      await requireCanViewExperiment(input.experimentId, ctx);

-  create: publicProcedure
+      return await prisma.testScenario.findMany({
+        where: {
+          experimentId: input.experimentId,
+          visible: true,
+        },
+        orderBy: {
+          sortIndex: "asc",
+        },
+      });
+    }),
+
+  create: protectedProcedure
    .input(
      z.object({
        experimentId: z.string(),
        autogenerate: z.boolean().optional(),
      }),
    )
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
+      await requireCanModifyExperiment(input.experimentId, ctx);
+
      const maxSortIndex =
        (
          await prisma.testScenario.aggregate({
@@ -66,7 +73,14 @@ export const scenariosRouter = createTRPCRouter({
      }
    }),

-  hide: publicProcedure.input(z.object({ id: z.string() })).mutation(async ({ input }) => {
+  hide: protectedProcedure.input(z.object({ id: z.string() })).mutation(async ({ input, ctx }) => {
+    const experimentId = (
+      await prisma.testScenario.findUniqueOrThrow({
+        where: { id: input.id },
+      })
+    ).experimentId;
+
+    await requireCanModifyExperiment(experimentId, ctx);
    const hiddenScenario = await prisma.testScenario.update({
      where: { id: input.id },
      data: { visible: false, experiment: { update: { updatedAt: new Date() } } },
@@ -78,14 +92,14 @@ export const scenariosRouter = createTRPCRouter({
    return hiddenScenario;
  }),

-  reorder: publicProcedure
+  reorder: protectedProcedure
    .input(
      z.object({
        draggedId: z.string(),
        droppedId: z.string(),
      }),
    )
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
      const dragged = await prisma.testScenario.findUnique({
        where: {
          id: input.draggedId,
@@ -104,6 +118,8 @@ export const scenariosRouter = createTRPCRouter({
        );
      }

+      await requireCanModifyExperiment(dragged.experimentId, ctx);
+
      const visibleItems = await prisma.testScenario.findMany({
        where: {
          experimentId: dragged.experimentId,
@@ -147,14 +163,14 @@ export const scenariosRouter = createTRPCRouter({
      );
    }),

-  replaceWithValues: publicProcedure
+  replaceWithValues: protectedProcedure
    .input(
      z.object({
        id: z.string(),
        values: z.record(z.string()),
      }),
    )
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
      const existing = await prisma.testScenario.findUnique({
        where: {
          id: input.id,
@@ -165,6 +181,8 @@ export const scenariosRouter = createTRPCRouter({
        throw new Error(`Scenario with id ${input.id} does not exist`);
      }

+      await requireCanModifyExperiment(existing.experimentId, ctx);
+
      const newScenario = await prisma.testScenario.create({
        data: {
          experimentId: existing.experimentId,