@axium/server 0.38.2 → 0.39.0

package/dist/acl.d.ts

@@ -16,23 +16,22 @@ type _TargetNames = keyof db.Schema & keyof {
  */
 export type TableName = _TableNames extends never ? keyof db.Schema : _TableNames;
 export type TargetName = _TargetNames extends never ? keyof db.Schema : _TargetNames;
-export interface AccessControlInternal extends AccessControl {
-}
-export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControlInternal | number | symbol>;
-export type Result<TB extends TableName> = AccessControlInternal & PermissionsFor<TB>;
+export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControl | number | symbol>;
+export type Result<TB extends TableName> = AccessControl & PermissionsFor<TB>;
 export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> & {
     userId: string;
     parentId?: string | null;
     acl: Result<`acl.${TB}`>[];
 };
+/** Match ACL entries, optionally selecting for a given user-like object */
+export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
+export declare function controlMatchesUser(control: AccessControl, user: Pick<UserInternal, 'id' | 'roles' | 'tags'>): boolean | "" | null | undefined;
 export interface ACLSelectionOptions {
-    /** If specified, filters by user UUID */
-    user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
+    /** If set, only ACLs that match the provided info will be selected. */
+    filterByUser?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
 }
-/** Match ACL entries, optionally selecting for a given user-like object */
-export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
 /**
  * Helper to select all access controls for a given table, including the user information.
  * Optionally filter for the entries applicable to a specific user.

package/dist/acl.js

@@ -15,6 +15,12 @@ export function match(user) {
         return eb.or(ors);
     };
 }
+export function controlMatchesUser(control, user) {
+    return ((!control.role && !control.tag && !control.userId) ||
+        control.userId === user.id ||
+        (control.role && user.roles.includes(control.role)) ||
+        (control.tag && user.tags.includes(control.tag)));
+}
 /**
  * Helper to select all access controls for a given table, including the user information.
  * Optionally filter for the entries applicable to a specific user.
@@ -24,9 +30,9 @@ export function from(table, opt = {}) {
     return (eb) => jsonArrayFrom(eb
         .selectFrom(`acl.${table} as _acl`)
         .selectAll()
-        .$if(!opt.user, qb => qb.select(db.userFromId))
+        .select(db.userFromId)
         .whereRef('_acl.itemId', '=', `${opt.alias || table}.id`)
-        .where(match(opt.user)))
+        .$if(!!opt.filterByUser, qb => qb.where(match(opt.filterByUser))))
         .$castTo()
         .as('acl');
 }

package/dist/auth.js

@@ -118,7 +118,7 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
         .selectFrom(itemType)
         .selectAll()
         .where('id', '=', itemId)
-        .select(acl.from(itemType, { user }))
+        .select(acl.from(itemType))
         .executeTakeFirstOrThrow()
         .catch(e => {
         if (e.message.includes('no rows'))
@@ -138,19 +138,19 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
     if (userId == item.userId)
         return result;
     result.fromACL = true;
-    const matchingControls = recursive
+    const controls = recursive
         ? await db
             .withRecursive('parents', qc => qc.selectFrom(itemType)
             .select(['id', 'parentId'])
             .$castTo()
-            .select(acl.from(itemType, { user }))
+            .select(acl.from(itemType))
             .select(eb => eb.lit(0).as('depth'))
             .where('id', '=', itemId)
             .unionAll(qc.selectFrom(`${itemType} as item`)
             .select(['item.id', 'item.parentId'])
             .innerJoin('parents as p', 'item.id', 'p.parentId')
-            .select(eb => eb(eb.ref('p.depth'), '+', eb.lit(1)).as('depth'))
-            .select(acl.from(itemType, { user, alias: 'item' }))))
+            .select(acl.from(itemType, { alias: 'item', filterByUser: user }))
+            .select(eb => eb(eb.ref('p.depth'), '+', eb.lit(1)).as('depth'))))
             .selectFrom('parents')
             .select('acl')
             .execute()
@@ -166,9 +166,10 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
             }
         })
         : item.acl;
-    if (!matchingControls.length)
+    const matching = controls.filter(c => acl.controlMatchesUser(c, user));
+    if (!matching.length)
         error(403, 'Item is not shared with you');
-    const missing = Array.from(acl.check(matchingControls, permissions));
+    const missing = Array.from(acl.check(matching, permissions));
     if (missing.length)
         error(403, 'Missing permissions: ' + missing.join(', '));
     return result;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.38.2",
+	"version": "0.39.0",
 	"author": "James Prevett <axium@jamespre.dev>",
 	"funding": {
 		"type": "individual",

package/routes/admin/+layout.ts

@@ -1,7 +1,6 @@
-import { getCurrentSession } from '@axium/client/user';
+import { getCurrentSession, text } from '@axium/client';
 import type { Session, User } from '@axium/core';
 import type { LayoutLoadEvent, LayoutRouteId } from './$types';
-import { text } from '@axium/client';
 
 export const ssr = false;