DeepNotesApp
diff --git a/‎apps/app-server/src/trpc/api/groups/privacy/index.ts
+2 b/‎apps/app-server/src/trpc/api/groups/privacy/index.ts
+2
diff --git a/‎apps/app-server/src/trpc/api/groups/privacy/set-join-requests-allowed.ts
+51 b/‎apps/app-server/src/trpc/api/groups/privacy/set-join-requests-allowed.ts
+51
diff --git a/‎apps/app-server/src/websocket/groups/change-user-role.ts
+3-1 b/‎apps/app-server/src/websocket/groups/change-user-role.ts
+3-1
diff --git a/‎apps/app-server/src/websocket/groups/join-requests/send.ts
+20-1 b/‎apps/app-server/src/websocket/groups/join-requests/send.ts
+20-1
diff --git a/‎apps/app-server/src/websocket/groups/remove-user.ts
+3-1 b/‎apps/app-server/src/websocket/groups/remove-user.ts
+3-1
diff --git a/‎apps/client/components.d.ts
+3 b/‎apps/client/components.d.ts
+3
diff --git a/‎apps/client/package.json
+1-1 b/‎apps/client/package.json
+1-1
diff --git a/‎apps/client/quasar.config.js
+4-1 b/‎apps/client/quasar.config.js
+4-1
diff --git a/‎apps/client/src/boot/disable-cache.universal.ts renamed to ‎apps/client/src/boot/http-headers/disable-cache.universal.ts b/‎apps/client/src/boot/disable-cache.universal.ts renamed to ‎apps/client/src/boot/http-headers/disable-cache.universal.ts
diff --git a/‎apps/client/src/boot/http-headers/referrer-policy.universal.ts
+5 b/‎apps/client/src/boot/http-headers/referrer-policy.universal.ts
+5
diff --git a/‎apps/client/src/boot/http-headers/x-frame-options.universal.ts
+5 b/‎apps/client/src/boot/http-headers/x-frame-options.universal.ts
+5
diff --git a/‎apps/client/src/components/Checklist.vue
+105 b/‎apps/client/src/components/Checklist.vue
+105
diff --git a/‎apps/client/src/components/CustomInfiniteScroll.vue
+14 b/‎apps/client/src/components/CustomInfiniteScroll.vue
+14
diff --git a/‎apps/client/src/components/PassthroughComponent.vue
+18 b/‎apps/client/src/components/PassthroughComponent.vue
+18
diff --git a/‎apps/client/src/layouts/PagesLayout/MainContent/DisplayPage/DisplayScreens/DisplayUnauthorizedScreen.vue
+2-1 b/‎apps/client/src/layouts/PagesLayout/MainContent/DisplayPage/DisplayScreens/DisplayUnauthorizedScreen.vue
+2-1
diff --git a/‎apps/client/src/layouts/PagesLayout/MainToolbar/Notifications/Items/GroupRequestSent.vue
+1-1 b/‎apps/client/src/layouts/PagesLayout/MainToolbar/Notifications/Items/GroupRequestSent.vue
+1-1
diff --git a/‎apps/client/src/layouts/PagesLayout/MainToolbar/Notifications/NotificationsPopup.vue
+1-1 b/‎apps/client/src/layouts/PagesLayout/MainToolbar/Notifications/NotificationsPopup.vue
+1-1
@@ -1,7 +1,9 @@
 import { trpc } from 'src/trpc/server';
 
 import { makePublicProcedure } from './make-public';
+import { setJoinRequestsAllowedProcedure } from './set-join-requests-allowed';
 
 export const privacyRouter = trpc.router({
   makePublic: makePublicProcedure(),
+  setJoinRequestsAllowed: setJoinRequestsAllowedProcedure(),
 });
@@ -0,0 +1,51 @@
+import { isNanoID } from '@stdlib/misc';
+import { checkRedlockSignalAborted } from '@stdlib/redlock';
+import { once } from 'lodash';
+import type { InferProcedureOpts } from 'src/trpc/helpers';
+import { authProcedure } from 'src/trpc/helpers';
+import { z } from 'zod';
+
+const baseProcedure = authProcedure.input(
+  z.object({
+    groupId: z.string().refine(isNanoID),
+
+    areJoinRequestsAllowed: z.boolean(),
+  }),
+);
+
+export const setJoinRequestsAllowedProcedure = once(() =>
+  baseProcedure.mutation(setJoinRequestsAllowed),
+);
+
+export async function setJoinRequestsAllowed({
+  ctx,
+  input,
+}: InferProcedureOpts<typeof baseProcedure>) {
+  return await ctx.usingLocks(
+    [[`user-lock:${ctx.userId}`], [`group-lock:${input.groupId}`]],
+    async (signals) => {
+      return await ctx.dataAbstraction.transaction(async (dtrx) => {
+        // Assert agent is subscribed
+
+        await ctx.assertUserSubscribed({ userId: ctx.userId });
+
+        // Check if user has sufficient permissions
+
+        await ctx.assertSufficientGroupPermissions({
+          userId: ctx.userId,
+          groupId: input.groupId,
+          permission: 'editGroupSettings',
+        });
+
+        await ctx.dataAbstraction.hmset(
+          'group',
+          input.groupId,
+          { 'are-join-requests-allowed': input.areJoinRequestsAllowed },
+          { dtrx },
+        );
+
+        checkRedlockSignalAborted(signals);
+      });
+    },
+  );
+}
@@ -39,7 +39,9 @@ export function registerGroupsChangeUserRole(
       await ctx.usingLocks(
         [
           [`user-lock:${ctx.userId}`],
-          [`user-lock:${input.patientId}`],
+          ...(input.patientId !== ctx.userId
+            ? [[`user-lock:${input.patientId}`]]
+            : []),
           [`group-lock:${input.groupId}`],
         ],
         performCommunication,
 
@@ -55,7 +55,17 @@ export async function sendStep1({
 
     await ctx.assertUserSubscribed({ userId: ctx.userId });
 
-    const [groupJoinRequestRejected, groupMemberRole] = await Promise.all([
+    const [
+      groupAreJoinRequestsAllowed,
+      groupJoinRequestRejected,
+      groupMemberRole,
+    ] = await Promise.all([
+      ctx.dataAbstraction.hget(
+        'group',
+        input.groupId,
+        'are-join-requests-allowed',
+      ),
+
       ctx.dataAbstraction.hget(
         'group-join-request',
         `${input.groupId}:${ctx.userId}`,
@@ -69,6 +79,15 @@ export async function sendStep1({
       ),
     ]);
 
+    // Check if group allows join requests
+
+    if (!groupAreJoinRequestsAllowed) {
+      throw new TRPCError({
+        code: 'FORBIDDEN',
+        message: 'This group does not allow join requests.',
+      });
+    }
+
     // Check if user has been rejected from the group
 
     if (groupJoinRequestRejected) {
 
@@ -36,7 +36,9 @@ export function registerGroupsRemoveUser(fastify: ReturnType<typeof Fastify>) {
       await ctx.usingLocks(
         [
           [`user-lock:${ctx.userId}`],
-          [`user-lock:${input.patientId}`],
+          ...(input.patientId !== ctx.userId
+            ? [[`user-lock:${input.patientId}`]]
+            : []),
           [`group-lock:${input.groupId}`],
         ],
         performCommunication,
 
@@ -9,11 +9,13 @@ declare module '@vue/runtime-core' {
   export interface GlobalComponents {
     BillingFrequencyToggle: typeof import('./src/components/BillingFrequencyToggle.vue')['default']
     Checkbox: typeof import('./src/components/Checkbox.vue')['default']
+    Checklist: typeof import('./src/components/Checklist.vue')['default']
     ColorPalette: typeof import('./src/components/ColorPalette.vue')['default']
     ColorSquare: typeof import('./src/components/ColorSquare.vue')['default']
     Combobox: typeof import('./src/components/Combobox.vue')['default']
     CopyBtn: typeof import('./src/components/CopyBtn.vue')['default']
     CustomDialog: typeof import('./src/components/CustomDialog.vue')['default']
+    CustomInfiniteScroll: typeof import('./src/components/CustomInfiniteScroll.vue')['default']
     DeepBtn: typeof import('./src/components/DeepBtn.vue')['default']
     DeepBtnDropdown: typeof import('./src/components/DeepBtnDropdown.vue')['default']
     DisplayBtn: typeof import('./src/components/DisplayBtn.vue')['default']
@@ -26,6 +28,7 @@ declare module '@vue/runtime-core' {
     MiniSidebarBtn: typeof import('./src/components/MiniSidebarBtn.vue')['default']
     PageItem: typeof import('./src/components/PageItem.vue')['default']
     PageItemContent: typeof import('./src/components/PageItemContent.vue')['default']
+    PassthroughComponent: typeof import('./src/components/PassthroughComponent.vue')['default']
     PasswordField: typeof import('./src/components/PasswordField.vue')['default']
     QMenuHover: typeof import('./src/components/QMenuHover.vue')['default']
     Radio: typeof import('./src/components/Radio.vue')['default']
 
@@ -2,7 +2,7 @@
   "name": "@deepnotes/client",
   "description": "DeepNotes",
   "homepage": "https://deepnotes.app",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "author": "Gustavo Toyota <[email protected]>",
   "dependencies": {
     "@_ueberdosis/prosemirror-tables": "~1.1.3",
 
@@ -62,7 +62,10 @@ module.exports = configure(function (ctx) {
       { path: 'sodium.universal' },
       { path: 'i18n.universal' },
       { path: 'vue.universal' },
-      { path: 'disable-cache.universal' },
+
+      { path: 'http-headers/disable-cache.universal' },
+      { path: 'http-headers/x-frame-options.universal' },
+      { path: 'http-headers/referrer-policy.universal' },
 
       { path: 'array-at-polyfill.client', server: false },
       { path: 'logger.client', server: false },
 
@@ -0,0 +1,5 @@
+import { boot } from 'quasar/wrappers';
+
+export default boot(async ({ ssrContext }) => {
+  ssrContext?.res.setHeader('Referrer-Policy', 'no-referrer');
+});
@@ -0,0 +1,5 @@
+import { boot } from 'quasar/wrappers';
+
+export default boot(async ({ ssrContext }) => {
+  ssrContext?.res.setHeader('X-Frame-Options', 'DENY');
+});
@@ -0,0 +1,105 @@
+<template>
+  <q-list>
+    <PassthroughComponent
+      :is="itemsWrapper"
+      v-bind="wrapperProps"
+      v-on="wrapperEvents"
+    >
+      <slot
+        v-if="itemIds.length === 0"
+        name="empty"
+      ></slot>
+
+      <q-item
+        v-for="(itemId, itemIndex) of itemIds"
+        :key="itemId"
+        clickable
+        v-ripple
+        :style="{
+          'background-color': selectedItemIds.has(itemId) ? '#505050' : '',
+        }"
+        @click="(event) => selectItem(itemId, event as any)"
+        v-bind="props.itemProps?.(itemId, itemIndex)"
+      >
+        <q-item-section
+          avatar
+          style="padding-right: 4px"
+        >
+          <Checkbox
+            :model-value="selectedItemIds.has(itemId)"
+            style="pointer-events: none"
+          />
+        </q-item-section>
+
+        <slot
+          name="item"
+          :item-id="itemId"
+          :item-index="itemIndex"
+        ></slot>
+      </q-item>
+    </PassthroughComponent>
+  </q-list>
+</template>
+
+<script setup lang="ts">
+import type { QItemProps, QListProps } from 'quasar';
+import type { Component } from 'vue';
+
+const emit = defineEmits(['select', 'unselect']);
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+interface Props extends QListProps {
+  itemIds: string[];
+  selectedItemIds: Set<string>;
+
+  itemProps?: (
+    itemId: string,
+    itemIndex: number,
+  ) => QItemProps & Record<string, unknown>;
+
+  itemsWrapper?: string | Component;
+  wrapperProps?: Record<string, unknown>;
+  wrapperEvents?: Record<string, unknown>;
+}
+
+const props = defineProps<Props>();
+
+let lastSelectedItemId: string;
+
+function selectItem(itemId: string, event: MouseEvent) {
+  if (event.shiftKey || internals.mobileAltKey) {
+    const sourceItemIndex = props.itemIds.indexOf(lastSelectedItemId);
+    const targetItemIndex = props.itemIds.indexOf(itemId);
+
+    if (
+      sourceItemIndex >= 0 &&
+      targetItemIndex >= 0 &&
+      sourceItemIndex !== targetItemIndex
+    ) {
+      const sign = Math.sign(targetItemIndex - sourceItemIndex);
+
+      const add = !props.selectedItemIds.has(itemId);
+
+      for (let i = sourceItemIndex; i !== targetItemIndex + sign; i += sign) {
+        if (add) {
+          props.selectedItemIds.add(props.itemIds[i]);
+          emit('select', props.itemIds[i]);
+        } else {
+          props.selectedItemIds.delete(props.itemIds[i]);
+          emit('unselect', props.itemIds[i]);
+        }
+      }
+    }
+  } else {
+    if (props.selectedItemIds.has(itemId)) {
+      props.selectedItemIds.delete(itemId);
+      emit('unselect', itemId);
+    } else {
+      props.selectedItemIds.add(itemId);
+      emit('select', itemId);
+    }
+  }
+
+  lastSelectedItemId = itemId;
+}
+</script>
@@ -0,0 +1,14 @@
+<template>
+  <q-infinite-scroll>
+    <slot></slot>
+
+    <template v-slot:loading>
+      <div class="row justify-center q-my-md">
+        <q-circular-progress
+          indeterminate
+          size="md"
+        />
+      </div>
+    </template>
+  </q-infinite-scroll>
+</template>
@@ -0,0 +1,18 @@
+<template>
+  <component
+    v-if="is != null"
+    :is="is"
+  >
+    <slot></slot>
+  </component>
+
+  <slot v-else></slot>
+</template>
+
+<script setup lang="ts">
+import type { Component } from 'vue';
+
+defineProps<{
+  is?: string | Component;
+}>();
+</script>
@@ -5,7 +5,8 @@
     v-if="
       uiStore().loggedIn &&
       !realtimeCtx.loading &&
-      !realtimeCtx.hget('group', page.react.groupId, 'is-personal')
+      !realtimeCtx.hget('group', page.react.groupId, 'is-personal') &&
+      realtimeCtx.hget('group', page.react.groupId, 'are-join-requests-allowed')
     "
   >
     <Gap style="height: 12px" />
 
@@ -78,7 +78,7 @@ const canCancelRequest = computed(
 const canAcceptRequest = computed(() => {
   const rejected = realtimeCtx.hget(
     'group-join-request',
-    `${notificationContent.value.groupId}:${authStore().userId}`,
+    `${notificationContent.value.groupId}:${notificationContent.value.agentId}`,
     'rejected',
   );
 
 
@@ -3,7 +3,7 @@
     ref="notificationsMenu"
     anchor="bottom middle"
     self="top middle"
-    style="width: 250px; display: flex; flex-direction: column"
+    style="width: 250px"
     @before-show="onBeforeShow()"
   >
     <template v-if="pagesStore().notifications.items.length === 0">
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,8 @@`
`5`	`5`	`v-if="`
`6`	`6`	`uiStore().loggedIn &&`
`7`	`7`	`!realtimeCtx.loading &&`
`8`		`- !realtimeCtx.hget('group', page.react.groupId, 'is-personal')`
	`8`	`+ !realtimeCtx.hget('group', page.react.groupId, 'is-personal') &&`
	`9`	`+ realtimeCtx.hget('group', page.react.groupId, 'are-join-requests-allowed')`
`9`	`10`	`"`
`10`	`11`	`>`
`11`	`12`	`<Gap style="height: 12px" />`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`ref="notificationsMenu"`
`4`	`4`	`anchor="bottom middle"`
`5`	`5`	`self="top middle"`
`6`		`- style="width: 250px; display: flex; flex-direction: column"`
	`6`	`+ style="width: 250px"`
`7`	`7`	`@before-show="onBeforeShow()"`
`8`	`8`	`>`
`9`	`9`	`<template v-if="pagesStore().notifications.items.length === 0">`