ryan/lunarfront-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add shared file storage with folder tree, permissions, and file manager UI

Browse Source 
New document hub for centralized file storage — replaces scattered
drives and USB sticks for non-technical SMBs. Three new tables:
storage_folder (nested hierarchy), storage_folder_permission (role
and user-level access control), storage_file.

Backend: folder CRUD with nested paths, file upload/download via
signed URLs, permission checks (view/edit/admin with inheritance
from parent folders), public/private toggle, breadcrumb navigation,
file search.

Frontend: two-panel file manager — collapsible folder tree on left,
icon grid view on right. Folder icons by type, file size display,
upload button, context menu for download/delete. Breadcrumb nav.
Files sidebar link added.
This commit is contained in:
Ryan Moon
2026-03-29 15:31:20 -05:00
parent d36c6f7135
commit 0f6cc104d2
13 changed files with 1093 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
packages/backend/src/routes/v1/storage.ts Normal file
View File

@@ -0,0 +1,185 @@
import type { FastifyPluginAsync } from 'fastify'
import multipart from '@fastify/multipart'
import { PaginationSchema } from '@forte/shared/schemas'
import { StorageFolderService, StorageFileService, StoragePermissionService } from '../../services/storage.service.js'
import { ValidationError } from '../../lib/errors.js'
export const storageRoutes: FastifyPluginAsync = async (app) => {
await app.register(multipart, {
limits: { fileSize: 50 * 1024 * 1024, files: 1 },
})
// --- Folders ---
app.post('/storage/folders', { preHandler: [app.authenticate, app.requirePermission('files.upload')] }, async (request, reply) => {
const { name, parentId, isPublic } = request.body as { name?: string; parentId?: string; isPublic?: boolean }
if (!name?.trim()) throw new ValidationError('Folder name is required')
// Check parent access if creating subfolder
if (parentId) {
const accessLevel = await StoragePermissionService.getAccessLevel(app.db, parentId, request.user.id)
if (!accessLevel || accessLevel === 'view') {
return reply.status(403).send({ error: { message: 'No edit access to parent folder', statusCode: 403 } })
}
}
const folder = await StorageFolderService.create(app.db, { name: name.trim(), parentId, isPublic, createdBy: request.user.id })
return reply.status(201).send(folder)
})
app.get('/storage/folders', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { parentId } = request.query as { parentId?: string }
const folders = parentId
? await StorageFolderService.listChildren(app.db, parentId)
: await StorageFolderService.listChildren(app.db, null)
return reply.send({ data: folders })
})
app.get('/storage/folders/tree', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const folders = await StorageFolderService.listAllAccessible(app.db, request.user.id)
return reply.send({ data: folders })
})
app.get('/storage/folders/:id', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const folder = await StorageFolderService.getById(app.db, id)
if (!folder) return reply.status(404).send({ error: { message: 'Folder not found', statusCode: 404 } })
const hasAccess = await StoragePermissionService.canAccess(app.db, id, request.user.id)
if (!hasAccess) return reply.status(403).send({ error: { message: 'Access denied', statusCode: 403 } })
const breadcrumbs = await StorageFolderService.getBreadcrumbs(app.db, id)
return reply.send({ ...folder, breadcrumbs })
})
app.patch('/storage/folders/:id', { preHandler: [app.authenticate, app.requirePermission('files.upload')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const { name, isPublic } = request.body as { name?: string; isPublic?: boolean }
const accessLevel = await StoragePermissionService.getAccessLevel(app.db, id, request.user.id)
if (!accessLevel || accessLevel === 'view') {
return reply.status(403).send({ error: { message: 'No edit access', statusCode: 403 } })
}
const folder = await StorageFolderService.update(app.db, id, { name, isPublic })
if (!folder) return reply.status(404).send({ error: { message: 'Folder not found', statusCode: 404 } })
return reply.send(folder)
})
app.delete('/storage/folders/:id', { preHandler: [app.authenticate, app.requirePermission('files.delete')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const accessLevel = await StoragePermissionService.getAccessLevel(app.db, id, request.user.id)
if (accessLevel !== 'admin') {
return reply.status(403).send({ error: { message: 'Admin access required', statusCode: 403 } })
}
const folder = await StorageFolderService.delete(app.db, id)
if (!folder) return reply.status(404).send({ error: { message: 'Folder not found', statusCode: 404 } })
return reply.send(folder)
})
// --- Folder Permissions ---
app.get('/storage/folders/:id/permissions', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const permissions = await StoragePermissionService.listPermissions(app.db, id)
return reply.send({ data: permissions })
})
app.post('/storage/folders/:id/permissions', { preHandler: [app.authenticate, app.requirePermission('files.upload')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const { roleId, userId, accessLevel } = request.body as { roleId?: string; userId?: string; accessLevel?: string }
const myAccess = await StoragePermissionService.getAccessLevel(app.db, id, request.user.id)
if (myAccess !== 'admin') {
return reply.status(403).send({ error: { message: 'Admin access required to manage permissions', statusCode: 403 } })
}
if (!roleId && !userId) throw new ValidationError('Either roleId or userId is required')
if (!accessLevel || !['view', 'edit', 'admin'].includes(accessLevel)) throw new ValidationError('accessLevel must be view, edit, or admin')
const perm = await StoragePermissionService.setPermission(app.db, id, roleId, userId, accessLevel)
return reply.status(201).send(perm)
})
app.delete('/storage/folder-permissions/:id', { preHandler: [app.authenticate, app.requirePermission('files.delete')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const perm = await StoragePermissionService.removePermission(app.db, id)
if (!perm) return reply.status(404).send({ error: { message: 'Permission not found', statusCode: 404 } })
return reply.send(perm)
})
// --- Files ---
app.post('/storage/folders/:folderId/files', { preHandler: [app.authenticate, app.requirePermission('files.upload')] }, async (request, reply) => {
const { folderId } = request.params as { folderId: string }
const accessLevel = await StoragePermissionService.getAccessLevel(app.db, folderId, request.user.id)
if (!accessLevel || accessLevel === 'view') {
return reply.status(403).send({ error: { message: 'No edit access to this folder', statusCode: 403 } })
}
const data = await request.file()
if (!data) throw new ValidationError('No file provided')
const buffer = await data.toBuffer()
const file = await StorageFileService.upload(app.db, app.storage, {
folderId,
data: buffer,
filename: data.filename,
contentType: data.mimetype,
uploadedBy: request.user.id,
})
return reply.status(201).send(file)
})
app.get('/storage/folders/:folderId/files', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { folderId } = request.params as { folderId: string }
const hasAccess = await StoragePermissionService.canAccess(app.db, folderId, request.user.id)
if (!hasAccess) return reply.status(403).send({ error: { message: 'Access denied', statusCode: 403 } })
const params = PaginationSchema.parse(request.query)
const result = await StorageFileService.listByFolder(app.db, folderId, params)
return reply.send(result)
})
app.delete('/storage/files/:id', { preHandler: [app.authenticate, app.requirePermission('files.delete')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const file = await StorageFileService.getById(app.db, id)
if (!file) return reply.status(404).send({ error: { message: 'File not found', statusCode: 404 } })
const accessLevel = await StoragePermissionService.getAccessLevel(app.db, file.folderId, request.user.id)
if (!accessLevel || accessLevel === 'view') {
return reply.status(403).send({ error: { message: 'No edit access', statusCode: 403 } })
}
const deleted = await StorageFileService.delete(app.db, app.storage, id)
return reply.send(deleted)
})
app.get('/storage/files/:id/signed-url', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const file = await StorageFileService.getById(app.db, id)
if (!file) return reply.status(404).send({ error: { message: 'File not found', statusCode: 404 } })
const hasAccess = await StoragePermissionService.canAccess(app.db, file.folderId, request.user.id)
if (!hasAccess) return reply.status(403).send({ error: { message: 'Access denied', statusCode: 403 } })
const token = app.jwt.sign({ path: file.path, purpose: 'file-access' } as any, { expiresIn: '15m' })
const signedUrl = `/v1/files/s/${file.path}?token=${token}`
return reply.send({ url: signedUrl })
})
app.get('/storage/files/search', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
const { q } = request.query as { q?: string }
if (!q) return reply.send({ data: [], pagination: { page: 1, limit: 25, total: 0, totalPages: 0 } })
const params = PaginationSchema.parse(request.query)
const result = await StorageFileService.search(app.db, q, params)
return reply.send(result)
})
}