From de7dded19763bbf5c3a17d13ece6d1ed4fe598d9 Mon Sep 17 00:00:00 2001
From: Moriz Wahl
Date: Fri, 3 Mar 2023 16:42:49 +0100
Subject: [PATCH] add permisson for removeUserFromGroup
---
 .../src/middleware/permissionsMiddleware.js | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 9aef8646b..7e9f40246 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -253,6 +253,39 @@ const isMemberOfGroup = rule({
 }
 })

+const canRemoveUserFromGroup = rule({
+ cache: 'no_cache',
+})(async (_parent, args, { user, driver }) => {
+ if (!(user && user.id)) return false
+ const { groupId, userId } = args
+ const currentUserId = user.id
+ if (currentUserId === userId) return false
+ const session = driver.session()
+ const readTxPromise = session.readTransaction(async (transaction) => {
+ const transactionResponse = await transaction.run(
+ `
+ MATCH (User {id: $currentUserId})-[currentUserMembership:MEMBER_OF]->(group:Group {id: $groupId})
+ OPTIONAL MATCH (group)<-[userMembership:MEMBER_OF]-(user:User { id: $userId })
+ RETURN currentUserMembership.role AS currentUserRole, userMembership.role AS userRole
+ `,
+ { currentUserId, groupId, userId },
+ )
+ return {
+ currentUserRole: transactionResponse.records.map((record) => record.get('currentUserRole'))[0],
+ userRole: transactionResponse.records.map((record) => record.get('userRole'))[0],
+ }
+ })
+ try {
+ const { currentUserRole, userRole } = await readTxPromise
+ return currentUserRole && ['admin', 'owner'].includes(currentUserRole)
+ && userRole && userRole !== 'owner'
+ } catch (error) {
+ throw new Error(error)
+ } finally {
+ session.close()
+ }
+})
+
 const canCommentPost = rule({
 cache: 'no_cache',
 })(async (_parent, args, { user, driver }) => {
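Review bot: The first pattern of the Cypher query, `MATCH (User {id: $currentUserId})-[currentUserMembership:MEMBER_OF]->(group:Group {id: $groupId})`, has no colon before `User`, so Cypher reads `User` as a variable name rather than a label, and the caller's node is matched by id alone on any label. The second pattern in the same query does use the label, `(user:User { id: $userId })`. Writing the first one as `MATCH (:User {id: $currentUserId})-[currentUserMembership:MEMBER_OF]->(group:Group {id: $groupId})` restricts the authorization lookup to User nodes and lets the planner use a label-scoped index on the id, if one exists. Separately, the final condition protects only `owner`, so an `admin` can remove another `admin`; if that is not the intended policy the check needs a role comparison, and a one-line comment stating the intended policy above the `return` would help either way.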
@@ -382,6 +415,7 @@ export default shield(
 JoinGroup: isAllowedToJoinGroup,
 LeaveGroup: isAllowedToLeaveGroup,
 ChangeGroupMemberRole: isAllowedToChangeGroupMemberRole,
+ RemoveUserFromGroup: canRemoveUserFromGroup,
 CreatePost: and(isAuthenticated, isMemberOfGroup),
 UpdatePost: isAuthor,
 DeletePost: isAuthor,