feat: Anonymous guest permissions (#10726)

ArtyomSavchenko · web-flow · commit d0b27dce72c1 · 2026-04-06T23:29:11.000+07:00
* Anonymous guest permissions

Signed-off-by: Artem Savchenko &lt;armisav@gmail.com&gt;

* Fix channels dropdown

Signed-off-by: Artem Savchenko &lt;armisav@gmail.com&gt;

* Update guest layout

Signed-off-by: Artem Savchenko &lt;armisav@gmail.com&gt;

---------

Signed-off-by: Artem Savchenko &lt;armisav@gmail.com&gt;
diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml
@@ -310,7 +310,7 @@ services:
       - PAYMENT_URL=http://huly.local:3040
       - COMMUNICATION_API_ENABLED=true
       - BACKUP_URL=http://huly.local:4039/api/backup,
-      - EXCLUDED_APPLICATIONS_FOR_ANONYMOUS=["chunter", "notification"]
+      - EXCLUDED_APPLICATIONS_FOR_ANONYMOUS=[]
       # - DISABLE_SIGNUP=true
       - OTEL_EXPORTER_OTLP_ENDPOINT=http://jaeger:4318/v1/traces
       - PULSE_URL=ws://huly.local:8099/ws
diff --git a/dev/prod/public/config.json b/dev/prod/public/config.json
@@ -30,7 +30,7 @@
   "BACKUP_URL": "http://huly.local:4039/api/backup",
   "PULSE_URL": "ws://huly.local:8099/ws",
   "HULYLAKE_URL": "http://huly.local:8096",
-  "EXCLUDED_APPLICATIONS_FOR_ANONYMOUS": "[\"chunter\", \"notification\"]",
+  "EXCLUDED_APPLICATIONS_FOR_ANONYMOUS": "[]",
   "ANALYTICS_COLLECTOR_URL": "http://huly.local:4017",
   "LINK_PREVIEW_URL": "http://huly.local:4041"
 }
diff --git a/models/card/src/index.ts b/models/card/src/index.ts
@@ -947,6 +947,20 @@ export function createModel (builder: Builder): void {
     card.ids.ModulePermissionGroup
   )
 
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: card.app.Card,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: card.class.CardSpace,
+      enabled: false,
+      order: 20
+    },
+    card.ids.ModulePermissionGroupReadOnlyGuest
+  )
+
   builder.mixin(card.class.Card, core.class.Class, view.mixin.ClassFilters, {
     filters: ['space'],
     ignoreKeys: ['parent']
diff --git a/models/chunter/src/index.ts b/models/chunter/src/index.ts
@@ -83,6 +83,20 @@ export function createModel (builder: Builder): void {
     chunter.ids.ModulePermissionGroup
   )
 
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: chunter.app.Chunter,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: chunter.class.ChunterSpace,
+      enabled: true,
+      order: 15
+    },
+    chunter.ids.ModulePermissionGroupReadOnlyGuest
+  )
+
   builder.createDoc(
     workbench.class.Widget,
     core.space.Model,
diff --git a/models/chunter/src/plugin.ts b/models/chunter/src/plugin.ts
@@ -95,7 +95,8 @@ export default mergeIds(chunterId, chunter, {
   },
   ids: {
     ChunterNotificationGroup: '' as Ref<NotificationGroup>,
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
   space: {
     General: '' as Ref<Channel>,
diff --git a/models/controlled-documents/src/index.ts b/models/controlled-documents/src/index.ts
@@ -1124,6 +1124,20 @@ export function createModel (builder: Builder): void {
     },
     documents.ids.ModulePermissionGroup
   )
+
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: documents.app.Documents,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: documents.class.OrgSpace,
+      enabled: false,
+      order: 42
+    },
+    documents.ids.ModulePermissionGroupReadOnlyGuest
+  )
   definePermissions(builder)
   defineNotifications(builder)
   defineSearch(builder)
diff --git a/models/controlled-documents/src/plugin.ts b/models/controlled-documents/src/plugin.ts
@@ -93,6 +93,7 @@ export default mergeIds(documentsId, documents, {
     StateNotification: '' as Ref<NotificationType>
   },
   ids: {
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   }
 })
diff --git a/models/document/src/index.ts b/models/document/src/index.ts
@@ -553,6 +553,20 @@ export function createModel (builder: Builder): void {
     },
     document.ids.ModulePermissionGroup
   )
+
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: document.app.Documents,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: document.class.Teamspace,
+      enabled: false,
+      order: 40
+    },
+    document.ids.ModulePermissionGroupReadOnlyGuest
+  )
   definePermissions(builder)
 
   builder.createDoc(core.class.DomainIndexConfiguration, core.space.Model, {
diff --git a/models/document/src/plugin.ts b/models/document/src/plugin.ts
@@ -62,7 +62,8 @@ export default mergeIds(documentId, document, {
     Other: '' as Ref<TagCategory>
   },
   ids: {
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
   string: {
     ConfigDescription: '' as IntlString,
diff --git a/models/drive/src/index.ts b/models/drive/src/index.ts
@@ -855,5 +855,19 @@ export function createModel (builder: Builder): void {
     },
     drive.ids.ModulePermissionGroup
   )
+
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: drive.app.Drive,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: drive.class.Drive,
+      enabled: false,
+      order: 60
+    },
+    drive.ids.ModulePermissionGroupReadOnlyGuest
+  )
   definePermissions(builder)
 }
diff --git a/models/drive/src/plugin.ts b/models/drive/src/plugin.ts
@@ -102,7 +102,8 @@ export default mergeIds(driveId, drive, {
     RestoreFileVersion: '' as ViewAction
   },
   ids: {
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
   string: {
     Grid: '' as IntlString,
diff --git a/models/love/src/index.ts b/models/love/src/index.ts
@@ -280,6 +280,20 @@ export function createModel (builder: Builder): void {
     love.ids.ModulePermissionGroup
   )
 
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: love.app.Love,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: love.class.Office,
+      enabled: false,
+      order: 50
+    },
+    love.ids.ModulePermissionGroupReadOnlyGuest
+  )
+
   builder.createDoc(
     workbench.class.Widget,
     core.space.Model,
diff --git a/models/love/src/plugin.ts b/models/love/src/plugin.ts
@@ -51,7 +51,8 @@ export default mergeIds(loveId, love, {
     Settings: '' as Ref<Doc>,
     LoveNotificationGroup: '' as Ref<NotificationGroup>,
     MeetingMinutesChatNotification: '' as Ref<NotificationType>,
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
   function: {
     MeetingMinutesTitleProvider: '' as Resource<(client: Client, ref: Ref<Doc>, doc?: Doc) => Promise<string>>
diff --git a/models/test-management/src/index.ts b/models/test-management/src/index.ts
@@ -216,6 +216,20 @@ export function createModel (builder: Builder): void {
     testManagement.ids.ModulePermissionGroup
   )
 
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: testManagement.app.TestManagement,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: testManagement.class.TestProject,
+      enabled: false,
+      order: 70
+    },
+    testManagement.ids.ModulePermissionGroupReadOnlyGuest
+  )
+
   builder.mixin(testManagement.class.TestCase, core.class.Class, view.mixin.ObjectIcon, {
     component: testManagement.component.TestCaseStatusPresenter
   })
diff --git a/models/test-management/src/plugin.ts b/models/test-management/src/plugin.ts
@@ -50,6 +50,7 @@ export default mergeIds(testManagementId, testManganement, {
     RunTestPlanButton: '' as AnyComponent
   },
   ids: {
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   }
 })
diff --git a/models/tracker/src/index.ts b/models/tracker/src/index.ts
@@ -682,6 +682,20 @@ export function createModel (builder: Builder): void {
     tracker.ids.ModulePermissionGroup
   )
 
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: tracker.app.Tracker,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: tracker.class.Project,
+      enabled: true,
+      order: 10
+    },
+    tracker.ids.ModulePermissionGroupReadOnlyGuest
+  )
+
   builder.createDoc(
     chunter.class.ChatMessageViewlet,
     core.space.Model,
diff --git a/models/tracker/src/plugin.ts b/models/tracker/src/plugin.ts
@@ -82,6 +82,7 @@ export default mergeIds(trackerId, tracker, {
     BaseProjectType: '' as Ref<ProjectType>,
     GuestIssueClassPermission: '' as Ref<Doc>,
     ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>,
     IssueUpdatedActivityViewlet: '' as Ref<DocUpdateMessageViewlet>,
     IssueCreatedActivityViewlet: '' as Ref<DocUpdateMessageViewlet>,
     IssueRemovedActivityViewlet: '' as Ref<DocUpdateMessageViewlet>,
diff --git a/models/training/src/index.ts b/models/training/src/index.ts
@@ -923,6 +923,20 @@ function defineSettings (builder: Builder): void {
     },
     training.ids.ModulePermissionGroup
   )
+
+  builder.createDoc(
+    core.class.ModulePermissionGroup,
+    core.space.Model,
+    {
+      application: training.app.Training,
+      role: AccountRole.ReadOnlyGuest,
+      permissions: [],
+      spaceClass: core.class.TypedSpace,
+      enabled: false,
+      order: 25
+    },
+    training.ids.ModulePermissionGroupReadOnlyGuest
+  )
 }
 
 const columns = {
diff --git a/models/training/src/plugin.ts b/models/training/src/plugin.ts
@@ -35,7 +35,8 @@ export default mergeIds(trainingId, training, {
   },
   ids: {
     GuestTrainingAttemptClassPermission: '' as Ref<Doc>,
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
 
   // TODO: Move function resources declarations to plugins/*-resources
diff --git a/packages/ui/src/components/SwitcherBase.svelte b/packages/ui/src/components/SwitcherBase.svelte
@@ -80,10 +80,11 @@
       background-color: var(--global-accent-BackgroundColor);
 
       .icon {
-        color: var(--global-on-nuance-TextColor);
+        color: var(--global-on-accent-TextColor);
       }
       span {
-        color: var(--global-on-nuance-TextColor);
+        color: var(--global-on-accent-TextColor);
+        font-weight: 500;
       }
     }
     &:checked + .switcher-element.subtle {
diff --git a/plugins/card/src/index.ts b/plugins/card/src/index.ts
@@ -226,7 +226,8 @@ const cardPlugin = plugin(cardId, {
   ids: {
     CardWidget: '' as Ref<Doc>,
     GuestCardClassPermission: '' as Ref<Doc>,
-    ModulePermissionGroup: '' as Ref<Doc>
+    ModulePermissionGroup: '' as Ref<Doc>,
+    ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>
   },
   component: {
     LabelsPresenter: '' as AnyComponent,
diff --git a/plugins/setting-assets/lang/cs.json b/plugins/setting-assets/lang/cs.json
@@ -212,9 +212,12 @@
     "OfficeDefaultSettings": "Výchozí nastavení pro jednací místnosti",
     "DefaultStartWithTranscription": "Povolit přepis v nových kancelářích",
     "DefaultStartWithRecording": "Povolit záznam v nových kancelářích",
-    "GuestPermissionsSettings": "Oprávnění hostů",
-    "GuestPermissionsModulePermissions": "Oprávnění modulů",
-    "GuestPermissionsModulePermissionsHint": "Vyberte, které moduly mohou hosté používat, a níže upravte oprávnění pro jednotlivé aplikace.",
+    "GuestPermissionsSettings": "Hosté",
+    "GuestPermissionsApplicationPermissions": "Oprávnění aplikací",
+    "GuestPermissionsApplicationPermissionsHint": "Vyberte, které aplikace mohou hosté používat, a níže upravte oprávnění pro jednotlivé aplikace.",
+    "GuestPermissionsTabGuest": "Host",
+    "GuestPermissionsTabAnonymousGuest": "Anonymní host",
+    "GuestPermissionsAnonymousApplicationHint": "Přístup k aplikacím pro anonymní (pouze pro čtení) hosty. Které aplikace uvidí, může záviset i na konfiguraci nasazení.",
     "ImportDocumentPermission": "Importovat dokumenty",
     "ImportDocumentDescription": "Umožňuje uživatelům importovat dokumenty do pracovního prostoru",
     "SelectUsers": "Vybrat uživatele",
diff --git a/plugins/setting-assets/lang/de.json b/plugins/setting-assets/lang/de.json
@@ -214,9 +214,12 @@
     "OfficeDefaultSettings": "Standardeinstellungen für Besprechungsräume",
     "DefaultStartWithTranscription": "Transkription in neuen Büroräumen aktivieren",
     "DefaultStartWithRecording": "Aufnahme in neuen Büroräumen aktivieren",
-    "GuestPermissionsSettings": "Gastberechtigungen",
-    "GuestPermissionsModulePermissions": "Modulberechtigungen",
-    "GuestPermissionsModulePermissionsHint": "Wählen Sie, welche Module Gäste nutzen dürfen, und passen Sie unten die Berechtigungen für jede App an.",
+    "GuestPermissionsSettings": "Gäste",
+    "GuestPermissionsApplicationPermissions": "Anwendungsberechtigungen",
+    "GuestPermissionsApplicationPermissionsHint": "Wählen Sie, welche Anwendungen Gäste nutzen dürfen, und passen Sie unten die Berechtigungen für jede Anwendung an.",
+    "GuestPermissionsTabGuest": "Gast",
+    "GuestPermissionsTabAnonymousGuest": "Anonymer Gast",
+    "GuestPermissionsAnonymousApplicationHint": "Anwendungszugriff für anonyme (nur lesende) Gäste. Welche Anwendungen sie sehen, kann auch von der Bereitstellungskonfiguration abhängen.",
     "ImportDocumentPermission": "Dokumente importieren",
     "ImportDocumentDescription": "Gewährt Benutzern die Möglichkeit, Dokumente in den Arbeitsbereich zu importieren",
     "SelectUsers": "Benutzer auswählen",
diff --git a/plugins/setting-assets/lang/en.json b/plugins/setting-assets/lang/en.json
@@ -215,9 +215,12 @@
     "OfficeDefaultSettings": "Default settings for meeting rooms",
     "DefaultStartWithTranscription": "Enable transcription in new office rooms",
     "DefaultStartWithRecording": "Enable recording in new office rooms",
-    "GuestPermissionsSettings": "Guest permissions",
-    "GuestPermissionsModulePermissions": "Module permissions",
-    "GuestPermissionsModulePermissionsHint": "Choose which modules guests can use, then adjust permissions for each app below.",
+    "GuestPermissionsSettings": "Guests",
+    "GuestPermissionsApplicationPermissions": "Application permissions",
+    "GuestPermissionsApplicationPermissionsHint": "Choose which applications guests can use, then adjust permissions for each application below.",
+    "GuestPermissionsTabGuest": "Guest",
+    "GuestPermissionsTabAnonymousGuest": "Anonymous guest",
+    "GuestPermissionsAnonymousApplicationHint": "Application access for anonymous (read-only) guests. Which applications they see can also depend on deployment configuration.",
     "ImportDocumentPermission": "Import documents",
     "ImportDocumentDescription": "Grants users ability to import documents into the workspace",
     "SelectUsers": "Select users",
diff --git a/plugins/setting-assets/lang/es.json b/plugins/setting-assets/lang/es.json
@@ -205,9 +205,12 @@
     "OfficeDefaultSettings": "Configuración predeterminada para salas de reuniones",
     "DefaultStartWithTranscription": "Habilitar transcripción en nuevas oficinas",
     "DefaultStartWithRecording": "Habilitar grabación en nuevas oficinas",
-    "GuestPermissionsSettings": "Permisos de invitados",
-    "GuestPermissionsModulePermissions": "Permisos de módulos",
-    "GuestPermissionsModulePermissionsHint": "Elija qué módulos pueden usar los invitados y luego ajuste los permisos de cada aplicación a continuación.",
+    "GuestPermissionsSettings": "Invitados",
+    "GuestPermissionsApplicationPermissions": "Permisos de aplicaciones",
+    "GuestPermissionsApplicationPermissionsHint": "Elija qué aplicaciones pueden usar los invitados y luego ajuste los permisos de cada aplicación a continuación.",
+    "GuestPermissionsTabGuest": "Invitado",
+    "GuestPermissionsTabAnonymousGuest": "Invitado anónimo",
+    "GuestPermissionsAnonymousApplicationHint": "Acceso a aplicaciones para invitados anónimos (solo lectura). Las aplicaciones que ven también pueden depender de la configuración de despliegue.",
     "ImportDocumentPermission": "Importar documentos",
     "ImportDocumentDescription": "Otorga a los usuarios la capacidad de importar documentos al espacio de trabajo",
     "SelectUsers": "Seleccionar usuarios",
diff --git a/plugins/setting-assets/lang/fr.json b/plugins/setting-assets/lang/fr.json
@@ -214,9 +214,12 @@
     "OfficeDefaultSettings": "Paramètres par défaut pour les salles de réunion",
     "DefaultStartWithTranscription": "Activer la transcription dans les nouveaux bureaux",
     "DefaultStartWithRecording": "Activer l'enregistrement dans les nouveaux bureaux",
-    "GuestPermissionsSettings": "Permissions des invités",
-    "GuestPermissionsModulePermissions": "Permissions des modules",
-    "GuestPermissionsModulePermissionsHint": "Choisissez les modules accessibles aux invités, puis ajustez les permissions pour chaque application ci-dessous.",
+    "GuestPermissionsSettings": "Invités",
+    "GuestPermissionsApplicationPermissions": "Permissions des applications",
+    "GuestPermissionsApplicationPermissionsHint": "Choisissez les applications accessibles aux invités, puis ajustez les permissions pour chaque application ci-dessous.",
+    "GuestPermissionsTabGuest": "Invité",
+    "GuestPermissionsTabAnonymousGuest": "Invité anonyme",
+    "GuestPermissionsAnonymousApplicationHint": "Accès aux applications pour les invités anonymes (lecture seule). Les applications visibles peuvent aussi dépendre de la configuration de déploiement.",
     "ImportDocumentPermission": "Importer des documents",
     "ImportDocumentDescription": "Accorde aux utilisateurs la possibilité d'importer des documents dans l'espace de travail",
     "SelectUsers": "Sélectionner des utilisateurs",
diff --git a/plugins/setting-assets/lang/it.json b/plugins/setting-assets/lang/it.json
diff --git a/plugins/setting-assets/lang/ja.json b/plugins/setting-assets/lang/ja.json
diff --git a/plugins/setting-assets/lang/pt-br.json b/plugins/setting-assets/lang/pt-br.json
diff --git a/plugins/setting-assets/lang/pt.json b/plugins/setting-assets/lang/pt.json
diff --git a/plugins/setting-assets/lang/ru.json b/plugins/setting-assets/lang/ru.json
diff --git a/plugins/setting-assets/lang/tr.json b/plugins/setting-assets/lang/tr.json
diff --git a/plugins/setting-assets/lang/zh.json b/plugins/setting-assets/lang/zh.json
diff --git a/plugins/setting-resources/src/components/General.svelte b/plugins/setting-resources/src/components/General.svelte
diff --git a/plugins/setting-resources/src/components/GuestPermissionsSettings.svelte b/plugins/setting-resources/src/components/GuestPermissionsSettings.svelte
diff --git a/plugins/setting/src/index.ts b/plugins/setting/src/index.ts
diff --git a/plugins/workbench-resources/src/components/Applications.svelte b/plugins/workbench-resources/src/components/Applications.svelte

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@`
`30`	`30`	`"BACKUP_URL": "http://huly.local:4039/api/backup",`
`31`	`31`	`"PULSE_URL": "ws://huly.local:8099/ws",`
`32`	`32`	`"HULYLAKE_URL": "http://huly.local:8096",`
`33`		`- "EXCLUDED_APPLICATIONS_FOR_ANONYMOUS": "[\"chunter\", \"notification\"]",`
	`33`	`+ "EXCLUDED_APPLICATIONS_FOR_ANONYMOUS": "[]",`
`34`	`34`	`"ANALYTICS_COLLECTOR_URL": "http://huly.local:4017",`
`35`	`35`	`"LINK_PREVIEW_URL": "http://huly.local:4041"`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ export default mergeIds(documentsId, documents, {`
`93`	`93`	`StateNotification: '' as Ref<NotificationType>`
`94`	`94`	`},`
`95`	`95`	`ids: {`
`96`		`- ModulePermissionGroup: '' as Ref<Doc>`
	`96`	`+ ModulePermissionGroup: '' as Ref<Doc>,`
	`97`	`+ ModulePermissionGroupReadOnlyGuest: '' as Ref<Doc>`
`97`	`98`	`}`
`98`	`99`	`})`