@alanszp/access-list 10.2.0

package/.gitignore

@@ -0,0 +1,3 @@
+node_modules
+*.log
+dist

package/.npmignore

@@ -0,0 +1,3 @@
+node_modules
+src
+*.log

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Alan Szpigiel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/clients/AccessListClient.d.ts

@@ -0,0 +1,32 @@
+import { JWTUser } from "@alanszp/jwt";
+export declare enum RoleCode {
+    ADMIN = "admin",
+    HRBP = "hrbp",
+    MANAGER = "manager",
+    INTEGRATIONS = "integrations",
+    VIEWER = "viewer"
+}
+export declare class AccessListClient {
+    protected organizationReference: string;
+    protected roles: string[];
+    protected segmentReference: string | null;
+    protected addFormerEmployees: boolean;
+    constructor({ roles, segmentReference, organizationReference, }: Pick<JWTUser, "roles" | "segmentReference" | "organizationReference">, addFormerEmployees?: boolean);
+    hasAccessToAll(): boolean;
+    isAdmin(): boolean;
+    needsToValidateAccess(): boolean;
+    hasAccessToSomeEmployees(employeeReference: string[]): Promise<boolean>;
+    hasAccessTo(employeeReference: string): Promise<boolean>;
+    shouldAddFormerEmployees(): boolean;
+    /**
+     * @param employeeReference Employee reference to validate access to
+     * @throws {NoPermissionError} if user has no access to employee
+     */
+    validateAccessTo(employeeReference: string): Promise<void>;
+    /**
+     * @throws {ModelValidationError} if segment reference is not present
+     * @returns Segment reference
+     */
+    getSegmentReferenceOrFail(): string;
+    getSegmentReference(): string | null;
+}

package/dist/clients/AccessListClient.js

@@ -0,0 +1,90 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessListClient = exports.RoleCode = void 0;
+const NoPermissionError_1 = require("../errors/NoPermissionError");
+const accessListRepository_1 = require("../repositories/accessListRepository");
+const validations_1 = require("@alanszp/validations");
+const lodash_1 = require("lodash");
+var RoleCode;
+(function (RoleCode) {
+    RoleCode["ADMIN"] = "admin";
+    RoleCode["HRBP"] = "hrbp";
+    RoleCode["MANAGER"] = "manager";
+    RoleCode["INTEGRATIONS"] = "integrations";
+    RoleCode["VIEWER"] = "viewer";
+})(RoleCode = exports.RoleCode || (exports.RoleCode = {}));
+class AccessListClient {
+    constructor({ roles, segmentReference, organizationReference, }, addFormerEmployees) {
+        this.organizationReference = organizationReference;
+        this.roles = roles;
+        this.segmentReference = segmentReference;
+        this.addFormerEmployees = addFormerEmployees !== null && addFormerEmployees !== void 0 ? addFormerEmployees : false;
+    }
+    hasAccessToAll() {
+        return this.isAdmin();
+    }
+    isAdmin() {
+        return this.roles.includes(RoleCode.ADMIN);
+    }
+    needsToValidateAccess() {
+        return !this.hasAccessToAll();
+    }
+    hasAccessToSomeEmployees(employeeReference) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.hasAccessToAll())
+                return true;
+            if (!this.segmentReference)
+                return false;
+            const hasAccess = yield (0, accessListRepository_1.hasAccessToSomeEmployees)(this.segmentReference, (0, lodash_1.castArray)(employeeReference), this.shouldAddFormerEmployees());
+            return hasAccess;
+        });
+    }
+    hasAccessTo(employeeReference) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.hasAccessToSomeEmployees((0, lodash_1.castArray)(employeeReference));
+        });
+    }
+    shouldAddFormerEmployees() {
+        return this.addFormerEmployees;
+    }
+    /**
+     * @param employeeReference Employee reference to validate access to
+     * @throws {NoPermissionError} if user has no access to employee
+     */
+    validateAccessTo(employeeReference) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!(yield this.hasAccessTo(employeeReference))) {
+                throw new NoPermissionError_1.NoPermissionError();
+            }
+        });
+    }
+    /**
+     * @throws {ModelValidationError} if segment reference is not present
+     * @returns Segment reference
+     */
+    getSegmentReferenceOrFail() {
+        if (!this.segmentReference) {
+            throw validations_1.ModelValidationError.from({
+                property: "segmentReference",
+                constraints: {
+                    segmentReference: "segment reference should be present",
+                },
+            });
+        }
+        return this.segmentReference;
+    }
+    getSegmentReference() {
+        return this.segmentReference;
+    }
+}
+exports.AccessListClient = AccessListClient;
+//# sourceMappingURL=AccessListClient.js.map

package/dist/clients/AccessListClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AccessListClient.js","sourceRoot":"","sources":["../../src/clients/AccessListClient.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,mEAAgE;AAChE,+EAAgF;AAEhF,sDAA4D;AAC5D,mCAAmC;AAEnC,IAAY,QAMX;AAND,WAAY,QAAQ;IAClB,2BAAe,CAAA;IACf,yBAAa,CAAA;IACb,+BAAmB,CAAA;IACnB,yCAA6B,CAAA;IAC7B,6BAAiB,CAAA;AACnB,CAAC,EANW,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QAMnB;AAED,MAAa,gBAAgB;IAS3B,YACE,EACE,KAAK,EACL,gBAAgB,EAChB,qBAAqB,GACiD,EACxE,kBAA4B;QAE5B,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,CAAC;QACnD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;QACzC,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,KAAK,CAAC;IACxD,CAAC;IAEM,cAAc;QACnB,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;IAEM,OAAO;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC;IAEM,qBAAqB;QAC1B,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;IAChC,CAAC;IAEY,wBAAwB,CACnC,iBAA2B;;YAE3B,IAAI,IAAI,CAAC,cAAc,EAAE;gBAAE,OAAO,IAAI,CAAC;YAEvC,IAAI,CAAC,IAAI,CAAC,gBAAgB;gBAAE,OAAO,KAAK,CAAC;YAEzC,MAAM,SAAS,GAAG,MAAM,IAAA,+CAAwB,EAC9C,IAAI,CAAC,gBAAgB,EACrB,IAAA,kBAAS,EAAC,iBAAiB,CAAC,EAC5B,IAAI,CAAC,wBAAwB,EAAE,CAChC,CAAC;YAEF,OAAO,SAAS,CAAC;QACnB,CAAC;KAAA;IAEY,WAAW,CAAC,iBAAyB;;YAChD,OAAO,IAAI,CAAC,wBAAwB,CAAC,IAAA,kBAAS,EAAC,iBAAiB,CAAC,CAAC,CAAC;QACrE,CAAC;KAAA;IAEM,wBAAwB;QAC7B,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED;;;OAGG;IACU,gBAAgB,CAAC,iBAAyB;;YACrD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC,EAAE;gBAChD,MAAM,IAAI,qCAAiB,EAAE,CAAC;aAC/B;QACH,CAAC;KAAA;IAED;;;OAGG;IACI,yBAAyB;QAC9B,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE;YAC1B,MAAM,kCAAoB,CAAC,IAAI,CAAC;gBAC9B,QAAQ,EAAE,kBAAkB;gBAC5B,WAAW,EAAE;oBACX,gBAAgB,EAAE,qCAAqC;iBACxD;aACF,CAAC,CAAC;SACJ;QAED,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAEM,mBAAmB;QACxB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAzFD,4CAyFC"}

package/dist/errors/NoPermissionError.d.ts

@@ -0,0 +1,7 @@
+import { BaseError, RenderableContext, RenderableError } from "@alanszp/errors";
+export declare class NoPermissionError extends BaseError implements RenderableError {
+    constructor();
+    code(): string;
+    renderMessage(): string;
+    context(): RenderableContext;
+}

package/dist/errors/NoPermissionError.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoPermissionError = void 0;
+const errors_1 = require("@alanszp/errors");
+class NoPermissionError extends errors_1.BaseError {
+    constructor() {
+        super("No Permission");
+    }
+    code() {
+        return "no_permission";
+    }
+    renderMessage() {
+        return "You don't have permission to perform this action";
+    }
+    context() {
+        return {};
+    }
+}
+exports.NoPermissionError = NoPermissionError;
+//# sourceMappingURL=NoPermissionError.js.map

package/dist/errors/NoPermissionError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"NoPermissionError.js","sourceRoot":"","sources":["../../src/errors/NoPermissionError.ts"],"names":[],"mappings":";;;AAAA,4CAAgF;AAEhF,MAAa,iBAAkB,SAAQ,kBAAS;IAC9C;QACE,KAAK,CAAC,eAAe,CAAC,CAAC;IACzB,CAAC;IAED,IAAI;QACF,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,aAAa;QACX,OAAO,kDAAkD,CAAC;IAC5D,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC;IACZ,CAAC;CACF;AAhBD,8CAgBC"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./inputs/AccessListInput";
+export * from "./clients/AccessListClient";
+export * from "./repositories/accessListRepository";
+export * from "./errors//NoPermissionError";

package/dist/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./inputs/AccessListInput"), exports);
+__exportStar(require("./clients/AccessListClient"), exports);
+__exportStar(require("./repositories/accessListRepository"), exports);
+__exportStar(require("./errors//NoPermissionError"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2DAAyC;AACzC,6DAA2C;AAC3C,sEAAoD;AACpD,8DAA4C"}

package/dist/inputs/AccessListInput.d.ts

@@ -0,0 +1,8 @@
+import { AccessListClient } from "../clients/AccessListClient";
+import { JWTUser } from "@alanszp/jwt";
+import { BaseModel } from "@alanszp/validations";
+export declare class AccessListInput extends BaseModel {
+    user: JWTUser;
+    constructor(user: JWTUser);
+    getAccessList(shouldAddFormerEmployees?: boolean): AccessListClient;
+}

package/dist/inputs/AccessListInput.js

@@ -0,0 +1,26 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessListInput = void 0;
+const AccessListClient_1 = require("../clients/AccessListClient");
+const validations_1 = require("@alanszp/validations");
+const class_validator_1 = require("class-validator");
+class AccessListInput extends validations_1.BaseModel {
+    constructor(user) {
+        super();
+        this.user = user;
+    }
+    getAccessList(shouldAddFormerEmployees) {
+        return new AccessListClient_1.AccessListClient(this.user, shouldAddFormerEmployees);
+    }
+}
+__decorate([
+    (0, class_validator_1.IsDefined)()
+], AccessListInput.prototype, "user", void 0);
+exports.AccessListInput = AccessListInput;
+//# sourceMappingURL=AccessListInput.js.map

package/dist/inputs/AccessListInput.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AccessListInput.js","sourceRoot":"","sources":["../../src/inputs/AccessListInput.ts"],"names":[],"mappings":";;;;;;;;;AAAA,kEAA+D;AAE/D,sDAAiD;AACjD,qDAA4C;AAE5C,MAAa,eAAgB,SAAQ,uBAAS;IAI5C,YAAY,IAAa;QACvB,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAEM,aAAa,CAAC,wBAAkC;QACrD,OAAO,IAAI,mCAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;IACnE,CAAC;CACF;AAVC;IADC,IAAA,2BAAS,GAAE;6CACS;AAFvB,0CAYC"}

package/dist/repositories/accessListRepository.d.ts

@@ -0,0 +1,20 @@
+import { SelectQueryBuilder } from "typeorm";
+import { AccessListClient } from "..";
+/**
+ * Check access to list of employees
+ * @param segmentReference the segment which wants to know if it has access to the employee
+ * @param employeeReference list of employees
+ * @param addFormerEmployees consider left employees
+ * @returns true if segment reference can access to any of the employees on the list
+ */
+export declare function hasAccessToSomeEmployees(segmentReference: string, employeeReference: string[], addFormerEmployees: boolean): Promise<boolean>;
+/**
+ * Adds accessList filters to a given queryBuilder. Should be called at the end, or at least
+ * after the first where is set to the queryBuilder.
+ * @param queryBuilder The query to be filtered with accessList
+ * @param segmentId The segment from which the accessList is calculated.
+ * @param fullEmployeeReferenceFieldName The alias and name of the field that has the employee reference
+ * @returns a query builder with accessList filters
+ */
+export declare function addFiltersToSelectQuery<T>(queryBuilder: SelectQueryBuilder<T>, accessList: AccessListClient, fullEmployeeReferenceFieldName: string, segmentParamAlias?: string, subTableAlias?: string, segmentReference?: string): SelectQueryBuilder<T>;
+export declare function getSQLJoinFilters(accessList: AccessListClient, fullEmployeeReferenceFieldName: string, segmentReferenceIndex: string, subTableAlias?: string): string;

package/dist/repositories/accessListRepository.js

@@ -0,0 +1,76 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSQLJoinFilters = exports.addFiltersToSelectQuery = exports.hasAccessToSomeEmployees = void 0;
+const typeorm_1 = require("typeorm");
+/**
+ * Check access to list of employees
+ * @param segmentReference the segment which wants to know if it has access to the employee
+ * @param employeeReference list of employees
+ * @param addFormerEmployees consider left employees
+ * @returns true if segment reference can access to any of the employees on the list
+ */
+function hasAccessToSomeEmployees(segmentReference, employeeReference, addFormerEmployees) {
+    var _a, _b;
+    return __awaiter(this, void 0, void 0, function* () {
+        const query = `SELECT bool_or(true) as granted
+    FROM segments_employee_relation_with_attrition ser
+    WHERE ser.segment_id = $2 AND ser.employee_id::text = ANY($1)
+    ${addFormerEmployees ? "" : " AND left_organization_at IS NULL"};`;
+        const response = (yield (0, typeorm_1.getManager)().query(query, [
+            employeeReference,
+            segmentReference,
+        ]));
+        return (_b = (_a = response[0]) === null || _a === void 0 ? void 0 : _a.granted) !== null && _b !== void 0 ? _b : false;
+    });
+}
+exports.hasAccessToSomeEmployees = hasAccessToSomeEmployees;
+/**
+ * Adds accessList filters to a given queryBuilder. Should be called at the end, or at least
+ * after the first where is set to the queryBuilder.
+ * @param queryBuilder The query to be filtered with accessList
+ * @param segmentId The segment from which the accessList is calculated.
+ * @param fullEmployeeReferenceFieldName The alias and name of the field that has the employee reference
+ * @returns a query builder with accessList filters
+ */
+function addFiltersToSelectQuery(queryBuilder, accessList, fullEmployeeReferenceFieldName, segmentParamAlias = "segmentId", subTableAlias, segmentReference) {
+    if (accessList.hasAccessToAll() && !segmentReference)
+        return queryBuilder;
+    let segmentReferenceParam = segmentReference;
+    if (!segmentReferenceParam) {
+        segmentReferenceParam = accessList.getSegmentReferenceOrFail();
+    }
+    const subTable = subTableAlias !== null && subTableAlias !== void 0 ? subTableAlias : "ser";
+    const query = `(SELECT employee_id
+    FROM public.segments_employee_relation_with_attrition
+    WHERE segment_id = :${segmentParamAlias}
+    ${accessList.shouldAddFormerEmployees()
+        ? ""
+        : "AND left_organization_at IS NULL"})`;
+    return queryBuilder.innerJoin(query, subTable, `${subTable}.employee_id::text = ${fullEmployeeReferenceFieldName}`, {
+        [segmentParamAlias]: segmentReferenceParam,
+    });
+}
+exports.addFiltersToSelectQuery = addFiltersToSelectQuery;
+function getSQLJoinFilters(accessList, fullEmployeeReferenceFieldName, segmentReferenceIndex, subTableAlias) {
+    if (!segmentReferenceIndex.includes("$")) {
+        throw new Error("getSQLJoinFilters#segmentReferenceIndex param should be an index");
+    }
+    const subTable = subTableAlias !== null && subTableAlias !== void 0 ? subTableAlias : "ser";
+    return `JOIN (SELECT employee_id
+    FROM public.segments_employee_relation_with_attrition
+    WHERE segment_id = ${segmentReferenceIndex}
+    ${accessList.shouldAddFormerEmployees()
+        ? ""
+        : "AND left_organization_at IS NULL"}) ${subTable} on ${subTable}.employee_id = ${fullEmployeeReferenceFieldName}`;
+}
+exports.getSQLJoinFilters = getSQLJoinFilters;
+//# sourceMappingURL=accessListRepository.js.map

package/dist/repositories/accessListRepository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessListRepository.js","sourceRoot":"","sources":["../../src/repositories/accessListRepository.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAAyD;AAGzD;;;;;;GAMG;AACH,SAAsB,wBAAwB,CAC5C,gBAAwB,EACxB,iBAA2B,EAC3B,kBAA2B;;;QAE3B,MAAM,KAAK,GAAG;;;MAGV,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,mCAAmC,GAAG,CAAC;QAErE,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAA,oBAAU,GAAE,CAAC,KAAK,CAAC,KAAK,EAAE;YAChD,iBAAiB;YACjB,gBAAgB;SACjB,CAAC,CAA4B,CAAC;QAE/B,OAAO,MAAA,MAAA,QAAQ,CAAC,CAAC,CAAC,0CAAE,OAAO,mCAAI,KAAK,CAAC;;CACtC;AAhBD,4DAgBC;AAED;;;;;;;GAOG;AACH,SAAgB,uBAAuB,CACrC,YAAmC,EACnC,UAA4B,EAC5B,8BAAsC,EACtC,iBAAiB,GAAG,WAAW,EAC/B,aAAsB,EACtB,gBAAyB;IAEzB,IAAI,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,gBAAgB;QAAE,OAAO,YAAY,CAAC;IAE1E,IAAI,qBAAqB,GAAG,gBAAgB,CAAC;IAC7C,IAAI,CAAC,qBAAqB,EAAE;QAC1B,qBAAqB,GAAG,UAAU,CAAC,yBAAyB,EAAE,CAAC;KAChE;IAED,MAAM,QAAQ,GAAG,aAAa,aAAb,aAAa,cAAb,aAAa,GAAI,KAAK,CAAC;IAExC,MAAM,KAAK,GAAG;;0BAEU,iBAAiB;MAErC,UAAU,CAAC,wBAAwB,EAAE;QACnC,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,kCACN,GAAG,CAAC;IAEN,OAAO,YAAY,CAAC,SAAS,CAC3B,KAAK,EACL,QAAQ,EACR,GAAG,QAAQ,wBAAwB,8BAA8B,EAAE,EACnE;QACE,CAAC,iBAAiB,CAAC,EAAE,qBAAqB;KAC3C,CACF,CAAC;AACJ,CAAC;AAlCD,0DAkCC;AAED,SAAgB,iBAAiB,CAC/B,UAA4B,EAC5B,8BAAsC,EACtC,qBAA6B,EAC7B,aAAsB;IAEtB,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;QACxC,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;KACH;IACD,MAAM,QAAQ,GAAG,aAAa,aAAb,aAAa,cAAb,aAAa,GAAI,KAAK,CAAC;IAExC,OAAO;;yBAEgB,qBAAqB;MAExC,UAAU,CAAC,wBAAwB,EAAE;QACnC,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,kCACN,KAAK,QAAQ,OAAO,QAAQ,kBAAkB,8BAA8B,EAAE,CAAC;AACnF,CAAC;AArBD,8CAqBC"}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@alanszp/access-list",
+  "version": "10.2.0",
+  "description": "Alan's validation utils.",
+  "main": "dist/index.js",
+  "typings": "dist/index.d.ts",
+  "license": "MIT",
+  "files": [
+    "**/*"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "compile": "rm -rf ./dist && tsc --declaration",
+    "compile-watch": "tsc -w",
+    "build": "yarn run compile",
+    "prepack": "yarn run build",
+    "yalc-publish": "yarn run yalc publish"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.17",
+    "class-validator": "^0.14.0",
+    "ts-node": "^10.0.0",
+    "tslint": "^6.1.3",
+    "typescript": "^4.3.4"
+  },
+  "peerDependencies": {
+    "class-validator": "^0.14.0"
+  },
+  "dependencies": {
+    "@alanszp/jwt": "^10.0.1",
+    "@alanszp/validations": "^10.0.1"
+  },
+  "gitHead": "7a365de48d5a7e7c87b28690b2e06f7de7f5a9d3"
+}

package/src/clients/AccessListClient.ts

@@ -0,0 +1,104 @@
+import { NoPermissionError } from "../errors/NoPermissionError";
+import { hasAccessToSomeEmployees } from "../repositories/accessListRepository";
+import { JWTUser } from "@alanszp/jwt";
+import { ModelValidationError } from "@alanszp/validations";
+import { castArray } from "lodash";
+
+export enum RoleCode {
+  ADMIN = "admin",
+  HRBP = "hrbp",
+  MANAGER = "manager",
+  INTEGRATIONS = "integrations",
+  VIEWER = "viewer",
+}
+
+export class AccessListClient {
+  protected organizationReference: string;
+
+  protected roles: string[];
+
+  protected segmentReference: string | null;
+
+  protected addFormerEmployees: boolean;
+
+  constructor(
+    {
+      roles,
+      segmentReference,
+      organizationReference,
+    }: Pick<JWTUser, "roles" | "segmentReference" | "organizationReference">,
+    addFormerEmployees?: boolean,
+  ) {
+    this.organizationReference = organizationReference;
+    this.roles = roles;
+    this.segmentReference = segmentReference;
+    this.addFormerEmployees = addFormerEmployees ?? false;
+  }
+
+  public hasAccessToAll(): boolean {
+    return this.isAdmin();
+  }
+
+  public isAdmin(): boolean {
+    return this.roles.includes(RoleCode.ADMIN);
+  }
+
+  public needsToValidateAccess(): boolean {
+    return !this.hasAccessToAll();
+  }
+
+  public async hasAccessToSomeEmployees(
+    employeeReference: string[],
+  ): Promise<boolean> {
+    if (this.hasAccessToAll()) return true;
+
+    if (!this.segmentReference) return false;
+
+    const hasAccess = await hasAccessToSomeEmployees(
+      this.segmentReference,
+      castArray(employeeReference),
+      this.shouldAddFormerEmployees(),
+    );
+
+    return hasAccess;
+  }
+
+  public async hasAccessTo(employeeReference: string): Promise<boolean> {
+    return this.hasAccessToSomeEmployees(castArray(employeeReference));
+  }
+
+  public shouldAddFormerEmployees(): boolean {
+    return this.addFormerEmployees;
+  }
+
+  /**
+   * @param employeeReference Employee reference to validate access to
+   * @throws {NoPermissionError} if user has no access to employee
+   */
+  public async validateAccessTo(employeeReference: string): Promise<void> {
+    if (!(await this.hasAccessTo(employeeReference))) {
+      throw new NoPermissionError();
+    }
+  }
+
+  /**
+   * @throws {ModelValidationError} if segment reference is not present
+   * @returns Segment reference
+   */
+  public getSegmentReferenceOrFail(): string {
+    if (!this.segmentReference) {
+      throw ModelValidationError.from({
+        property: "segmentReference",
+        constraints: {
+          segmentReference: "segment reference should be present",
+        },
+      });
+    }
+
+    return this.segmentReference;
+  }
+
+  public getSegmentReference(): string | null {
+    return this.segmentReference;
+  }
+}

package/src/errors/NoPermissionError.ts

@@ -0,0 +1,19 @@
+import { BaseError, RenderableContext, RenderableError } from "@alanszp/errors";
+
+export class NoPermissionError extends BaseError implements RenderableError {
+  constructor() {
+    super("No Permission");
+  }
+
+  code(): string {
+    return "no_permission";
+  }
+
+  renderMessage(): string {
+    return "You don't have permission to perform this action";
+  }
+
+  context(): RenderableContext {
+    return {};
+  }
+}

package/src/index.ts

@@ -0,0 +1,4 @@
+export * from "./inputs/AccessListInput";
+export * from "./clients/AccessListClient";
+export * from "./repositories/accessListRepository";
+export * from "./errors//NoPermissionError";

package/src/inputs/AccessListInput.ts

@@ -0,0 +1,18 @@
+import { AccessListClient } from "../clients/AccessListClient";
+import { JWTUser } from "@alanszp/jwt";
+import { BaseModel } from "@alanszp/validations";
+import { IsDefined } from "class-validator";
+
+export class AccessListInput extends BaseModel {
+  @IsDefined()
+  public user: JWTUser;
+
+  constructor(user: JWTUser) {
+    super();
+    this.user = user;
+  }
+
+  public getAccessList(shouldAddFormerEmployees?: boolean): AccessListClient {
+    return new AccessListClient(this.user, shouldAddFormerEmployees);
+  }
+}

package/src/repositories/accessListRepository.ts

@@ -0,0 +1,94 @@
+import { getManager, SelectQueryBuilder } from "typeorm";
+import { AccessListClient } from "..";
+
+/**
+ * Check access to list of employees
+ * @param segmentReference the segment which wants to know if it has access to the employee
+ * @param employeeReference list of employees
+ * @param addFormerEmployees consider left employees
+ * @returns true if segment reference can access to any of the employees on the list
+ */
+export async function hasAccessToSomeEmployees(
+  segmentReference: string,
+  employeeReference: string[],
+  addFormerEmployees: boolean,
+): Promise<boolean> {
+  const query = `SELECT bool_or(true) as granted
+    FROM segments_employee_relation_with_attrition ser
+    WHERE ser.segment_id = $2 AND ser.employee_id::text = ANY($1)
+    ${addFormerEmployees ? "" : " AND left_organization_at IS NULL"};`;
+
+  const response = (await getManager().query(query, [
+    employeeReference,
+    segmentReference,
+  ])) as { granted?: boolean }[];
+
+  return response[0]?.granted ?? false;
+}
+
+/**
+ * Adds accessList filters to a given queryBuilder. Should be called at the end, or at least
+ * after the first where is set to the queryBuilder.
+ * @param queryBuilder The query to be filtered with accessList
+ * @param segmentId The segment from which the accessList is calculated.
+ * @param fullEmployeeReferenceFieldName The alias and name of the field that has the employee reference
+ * @returns a query builder with accessList filters
+ */
+export function addFiltersToSelectQuery<T>(
+  queryBuilder: SelectQueryBuilder<T>,
+  accessList: AccessListClient,
+  fullEmployeeReferenceFieldName: string,
+  segmentParamAlias = "segmentId",
+  subTableAlias?: string,
+  segmentReference?: string,
+): SelectQueryBuilder<T> {
+  if (accessList.hasAccessToAll() && !segmentReference) return queryBuilder;
+
+  let segmentReferenceParam = segmentReference;
+  if (!segmentReferenceParam) {
+    segmentReferenceParam = accessList.getSegmentReferenceOrFail();
+  }
+
+  const subTable = subTableAlias ?? "ser";
+
+  const query = `(SELECT employee_id
+    FROM public.segments_employee_relation_with_attrition
+    WHERE segment_id = :${segmentParamAlias}
+    ${
+      accessList.shouldAddFormerEmployees()
+        ? ""
+        : "AND left_organization_at IS NULL"
+    })`;
+
+  return queryBuilder.innerJoin(
+    query,
+    subTable,
+    `${subTable}.employee_id::text = ${fullEmployeeReferenceFieldName}`,
+    {
+      [segmentParamAlias]: segmentReferenceParam,
+    },
+  );
+}
+
+export function getSQLJoinFilters(
+  accessList: AccessListClient,
+  fullEmployeeReferenceFieldName: string,
+  segmentReferenceIndex: string,
+  subTableAlias?: string,
+): string {
+  if (!segmentReferenceIndex.includes("$")) {
+    throw new Error(
+      "getSQLJoinFilters#segmentReferenceIndex param should be an index",
+    );
+  }
+  const subTable = subTableAlias ?? "ser";
+
+  return `JOIN (SELECT employee_id
+    FROM public.segments_employee_relation_with_attrition
+    WHERE segment_id = ${segmentReferenceIndex}
+    ${
+      accessList.shouldAddFormerEmployees()
+        ? ""
+        : "AND left_organization_at IS NULL"
+    }) ${subTable} on ${subTable}.employee_id = ${fullEmployeeReferenceFieldName}`;
+}

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "module": "commonjs",
+    "target": "es6",
+    "types": ["node"],
+    "esModuleInterop": true,
+    "sourceMap": true,
+    "experimentalDecorators": true,
+
+    "alwaysStrict": true,
+    "strictNullChecks": true
+  },
+  "exclude": ["node_modules"]
+}