refactor(html-embed): extract the admin-gate strip into one tested helper (#90)

The 4-step html-embed gate (feature-enabled AND role-allowed -> stripHtmlEmbedNodes) was replicated across call-sites, pinned only by brittle source-regex tests. Add stripHtmlEmbedIfNotAllowed(json, {featureEnabled, role, onStrip}) and migrate the 5 plain strip-all sites (collab handler, page create+duplicate, both import paths, transclusion) to it, each keeping its own feature/role resolve + log via onStrip. Left the 2 sites with different semantics: persistence.extension (#29 preserve- admin) and share.service (feature-only kill-switch, no role gate). Real unit tests replace the regex pins; behavior identical. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 03:49:52 +03:00
parent c486750b2a
commit a2ded7ecfb
7 changed files with 193 additions and 63 deletions
--- a/apps/server/src/integrations/import/services/file-import-task.service.ts
+++ b/apps/server/src/integrations/import/services/file-import-task.service.ts
@@ -21,10 +21,8 @@ import { FileTask, InsertablePage } from '@docmost/db/types/entity.types';
 import { markdownToHtml } from '@docmost/editor-ext';
 import { getProsemirrorContent } from '../../../common/helpers/prosemirror/utils';
 import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
+  stripHtmlEmbedIfNotAllowed,
 } from '../../../common/helpers/prosemirror/html-embed.util';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
@@ -177,10 +175,6 @@ export class FileImportTaskService {
    const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
      (await this.workspaceRepo.findById(fileTask.workspaceId))?.settings,
    );
-    const importerCanAuthorHtmlEmbed = htmlEmbedAllowed(
-      htmlEmbedEnabled,
-      importingUser?.role,
-    );

    const pagesMap = new Map<string, ImportPageNode>();

@@ -534,15 +528,16 @@ export class FileImportTaskService {

            // SECURITY (Variant C admin gate): strip htmlEmbed nodes from pages
            // imported by a non-admin BEFORE computing textContent/ydoc/insert.
-            if (
-              !importerCanAuthorHtmlEmbed &&
-              hasHtmlEmbedNode(prosemirrorJson)
-            ) {
-              this.logger.warn(
-                `Stripping htmlEmbed node(s) from non-admin import by user ${fileTask.creatorId} (page ${page.id}, file ${filePath})`,
-              );
-              prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-            }
+            // Gate (featureEnabled AND admin) is resolved once above and recomputed
+            // by the helper from the same htmlEmbedEnabled + importer role.
+            prosemirrorJson = stripHtmlEmbedIfNotAllowed(prosemirrorJson, {
+              featureEnabled: htmlEmbedEnabled,
+              role: importingUser?.role,
+              onStrip: () =>
+                this.logger.warn(
+                  `Stripping htmlEmbed node(s) from non-admin import by user ${fileTask.creatorId} (page ${page.id}, file ${filePath})`,
+                ),
+            });

            const insertablePage: InsertablePage = {
              id: page.id,
--- a/apps/server/src/integrations/import/services/import.service.ts
+++ b/apps/server/src/integrations/import/services/import.service.ts
@@ -3,9 +3,8 @@ import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
 import {
  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
+  stripHtmlEmbedIfNotAllowed,
 } from '../../../common/helpers/prosemirror/html-embed.util';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { MultipartFile } from '@fastify/multipart';
@@ -102,6 +101,8 @@ export class ImportService {
    // serialized form), which would execute raw JS in readers' browsers. Only
    // workspace admins/owners may author it, so strip htmlEmbed nodes from
    // imports performed by a non-admin user.
+    // Outer has-check first so the user/workspace lookups below run only when an
+    // embed is actually present (the common case carries none).
    if (prosemirrorJson && hasHtmlEmbedNode(prosemirrorJson)) {
      const importingUser = await this.userRepo.findById(userId, workspaceId);
      // Toggle-AND-admin gate: htmlEmbed survives only when the workspace
@@ -110,12 +111,14 @@ export class ImportService {
      const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
        (await this.workspaceRepo.findById(workspaceId))?.settings,
      );
-      if (!htmlEmbedAllowed(htmlEmbedEnabled, importingUser?.role)) {
-        this.logger.warn(
-          `Stripping htmlEmbed node(s) from import by user ${userId}`,
-        );
-        prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-      }
+      prosemirrorJson = stripHtmlEmbedIfNotAllowed(prosemirrorJson, {
+        featureEnabled: htmlEmbedEnabled,
+        role: importingUser?.role,
+        onStrip: () =>
+          this.logger.warn(
+            `Stripping htmlEmbed node(s) from import by user ${userId}`,
+          ),
+      });
    }

    const pageTitle = title || fileName;