fosrl.pangolin/server/auth/actions.ts

import { Request } from 'express';
import { db } from '@server/db';
import { userActions, roleActions, userOrgs } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';

export enum ActionsEnum {
    createOrg = "createOrg",
    deleteOrg = "deleteOrg",
    getOrg = "getOrg",
    listOrgs = "listOrgs",
    updateOrg = "updateOrg",
    createSite = "createSite",
    deleteSite = "deleteSite",
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
    createResource = "createResource",
    deleteResource = "deleteResource",
    getResource = "getResource",
    listResources = "listResources",
    updateResource = "updateResource",
    createTarget = "createTarget",
    deleteTarget = "deleteTarget",
    getTarget = "getTarget",
    listTargets = "listTargets",
    updateTarget = "updateTarget",
    createRole = "createRole",
    deleteRole = "deleteRole",
    getRole = "getRole",
    listRoles = "listRoles",
    updateRole = "updateRole",
    addUser = "addUser",
    removeUser = "removeUser",
    listUsers = "listUsers",
    listSiteRoles = "listSiteRoles",
    listResourceRoles = "listResourceRoles",
    addRoleSite = "addRoleSite",
    addRoleResource = "addRoleResource",
    removeRoleResource = "removeRoleResource",
    removeRoleSite = "removeRoleSite",
    addRoleAction = "addRoleAction",
    removeRoleAction = "removeRoleAction",
    listRoleSites = "listRoleSites",
    listRoleResources = "listRoleResources",
    listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
    addUserResource = "addUserResource",
    addUserSite = "addUserSite",
    addUserAction = "addUserAction",
    removeUserAction = "removeUserAction",
    removeUserResource = "removeUserResource",
    removeUserSite = "removeUserSite",
}

export async function checkUserActionPermission(actionId: string, req: Request): Promise<boolean> {
    const userId = req.user?.userId;
    let onlyCheckUser = false;

    if (actionId = ActionsEnum.createOrg) {
        onlyCheckUser = true;
    }

    if (!userId) {
        throw createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated');
    }

    if (!req.userOrgId && !onlyCheckUser) {
        throw createHttpError(HttpCode.BAD_REQUEST, 'Organization ID is required');
    }

    try {
        let userOrgRoleId = req.userOrgRoleId;

        // If userOrgRoleId is not available on the request, fetch it
        if (userOrgRoleId === undefined && !onlyCheckUser) {
            const userOrgRole = await db.select()
                .from(userOrgs)
                .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, req.userOrgId!)))
                .limit(1);

            if (userOrgRole.length === 0) {
                throw createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization');
            }

            userOrgRoleId = userOrgRole[0].roleId;
        }

        // Check if the user has direct permission for the action in the current org
        const userActionPermission = await db.select()
            .from(userActions)
            .where(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
                )
            )
            .limit(1);

        if (userActionPermission.length > 0) {
            return true;
        }
        if (!onlyCheckUser) {

            // If no direct permission, check role-based permission
            const roleActionPermission = await db.select()
                .from(roleActions)
                .where(
                    and(
                        eq(roleActions.actionId, actionId),
                        eq(roleActions.roleId, userOrgRoleId!),
                        eq(roleActions.orgId, req.userOrgId!)
                    )
                )
                .limit(1);

            return roleActionPermission.length > 0;
        }

        return false;

    } catch (error) {
        console.error('Error checking user action permission:', error);
        throw createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error checking action permission');
    }
}
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`import { Request } from 'express';`
			`import { db } from '@server/db';`
			`import { userActions, roleActions, userOrgs } from '@server/db/schema';`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`import { and, eq } from 'drizzle-orm';`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`import createHttpError from 'http-errors';`
			`import HttpCode from '@server/types/HttpCode';`

Format files and fix http response 2024-10-06 18:05:20 -04:00			`export enum ActionsEnum {`
			`createOrg = "createOrg",`
			`deleteOrg = "deleteOrg",`
			`getOrg = "getOrg",`
			`listOrgs = "listOrgs",`
			`updateOrg = "updateOrg",`
			`createSite = "createSite",`
			`deleteSite = "deleteSite",`
			`getSite = "getSite",`
			`listSites = "listSites",`
			`updateSite = "updateSite",`
			`createResource = "createResource",`
			`deleteResource = "deleteResource",`
			`getResource = "getResource",`
			`listResources = "listResources",`
			`updateResource = "updateResource",`
			`createTarget = "createTarget",`
			`deleteTarget = "deleteTarget",`
			`getTarget = "getTarget",`
			`listTargets = "listTargets",`
			`updateTarget = "updateTarget",`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`createRole = "createRole",`
			`deleteRole = "deleteRole",`
			`getRole = "getRole",`
			`listRoles = "listRoles",`
			`updateRole = "updateRole",`
Add user endpoints 2024-10-12 22:31:24 -04:00			`addUser = "addUser",`
			`removeUser = "removeUser",`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`listUsers = "listUsers",`
			`listSiteRoles = "listSiteRoles",`
			`listResourceRoles = "listResourceRoles",`
			`addRoleSite = "addRoleSite",`
			`addRoleResource = "addRoleResource",`
			`removeRoleResource = "removeRoleResource",`
			`removeRoleSite = "removeRoleSite",`
			`addRoleAction = "addRoleAction",`
			`removeRoleAction = "removeRoleAction",`
			`listRoleSites = "listRoleSites",`
			`listRoleResources = "listRoleResources",`
Add user endpoints 2024-10-12 22:31:24 -04:00			`listRoleActions = "listRoleActions",`
			`addUserRole = "addUserRole",`
			`addUserResource = "addUserResource",`
			`addUserSite = "addUserSite",`
			`addUserAction = "addUserAction",`
			`removeUserAction = "removeUserAction",`
			`removeUserResource = "removeUserResource",`
			`removeUserSite = "removeUserSite",`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`}`

Format files and fix http response 2024-10-06 18:05:20 -04:00			`export async function checkUserActionPermission(actionId: string, req: Request): Promise<boolean> {`
remove lucia 2024-10-13 17:13:47 -04:00			`const userId = req.user?.userId;`
Add stepper 2024-10-14 19:30:38 -04:00			`let onlyCheckUser = false;`

			`if (actionId = ActionsEnum.createOrg) {`
			`onlyCheckUser = true;`
			`}`

Format files and fix http response 2024-10-06 18:05:20 -04:00			`if (!userId) {`
			`throw createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated');`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`}`

Add stepper 2024-10-14 19:30:38 -04:00			`if (!req.userOrgId && !onlyCheckUser) {`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`throw createHttpError(HttpCode.BAD_REQUEST, 'Organization ID is required');`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`}`

Format files and fix http response 2024-10-06 18:05:20 -04:00			`try {`
			`let userOrgRoleId = req.userOrgRoleId;`

			`// If userOrgRoleId is not available on the request, fetch it`
Add stepper 2024-10-14 19:30:38 -04:00			`if (userOrgRoleId === undefined && !onlyCheckUser) {`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`const userOrgRole = await db.select()`
			`.from(userOrgs)`
Add stepper 2024-10-14 19:30:38 -04:00			`.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, req.userOrgId!)))`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`.limit(1);`

			`if (userOrgRole.length === 0) {`
			`throw createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization');`
			`}`

			`userOrgRoleId = userOrgRole[0].roleId;`
			`}`

			`// Check if the user has direct permission for the action in the current org`
			`const userActionPermission = await db.select()`
			`.from(userActions)`
			`.where(`
			`and(`
			`eq(userActions.userId, userId),`
			`eq(userActions.actionId, actionId),`
Add stepper 2024-10-14 19:30:38 -04:00			`eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
			`)`
			`.limit(1);`

			`if (userActionPermission.length > 0) {`
			`return true;`
			`}`
Add stepper 2024-10-14 19:30:38 -04:00			`if (!onlyCheckUser) {`
Format files and fix http response 2024-10-06 18:05:20 -04:00
Add stepper 2024-10-14 19:30:38 -04:00			`// If no direct permission, check role-based permission`
			`const roleActionPermission = await db.select()`
			`.from(roleActions)`
			`.where(`
			`and(`
			`eq(roleActions.actionId, actionId),`
			`eq(roleActions.roleId, userOrgRoleId!),`
			`eq(roleActions.orgId, req.userOrgId!)`
			`)`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
Add stepper 2024-10-14 19:30:38 -04:00			`.limit(1);`

			`return roleActionPermission.length > 0;`
			`}`
Format files and fix http response 2024-10-06 18:05:20 -04:00
Add stepper 2024-10-14 19:30:38 -04:00			`return false;`
Format files and fix http response 2024-10-06 18:05:20 -04:00
			`} catch (error) {`
			`console.error('Error checking user action permission:', error);`
			`throw createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error checking action permission');`
			`}`
remove lucia 2024-10-13 17:13:47 -04:00			`}`