npm - @cfast/permissions - Versions diffs - 0.5.0 → 0.6.0 - Mend

@cfast/permissions 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/{client-DpwiMpD0.d.ts → client-DyadVgmx.d.ts} +1 -1
package/dist/client.d.ts +1 -1
package/dist/index.d.ts +32 -3
package/dist/index.js +20 -0
package/llms.txt +15 -0
package/package.json +1 -1

package/dist/{client-DpwiMpD0.d.ts → client-DyadVgmx.d.ts} RENAMED Viewed

@@ -420,4 +420,4 @@ declare class PermissionRegistrationError extends Error {
     constructor(subject: string, availableTables: readonly string[]);
 }
-export { CRUD_ACTIONS as C, type DrizzleTable as D, ForbiddenError as F, type Grant as G, type LookupDb as L, type PermissionsConfig as P, type SchemaMap as S, type TableName as T, type WithLookups as W, type Permissions as a, type PermissionAction as b, type SubjectInput as c, type WhereClause as d, type PermissionDescriptor as e, type PermissionCheckResult as f, type ColumnsOf as g, type CrudAction as h, type GrantFn as i, type LookupFn as j, PermissionRegistrationError as k, type SqlNameOf as l, getTableName as m };
+export { type CrudAction as C, type DrizzleTable as D, ForbiddenError as F, type Grant as G, type LookupDb as L, type PermissionsConfig as P, type SchemaMap as S, type TableName as T, type WithLookups as W, type Permissions as a, type PermissionAction as b, type SubjectInput as c, type WhereClause as d, type PermissionDescriptor as e, type PermissionCheckResult as f, CRUD_ACTIONS as g, type ColumnsOf as h, type GrantFn as i, type LookupFn as j, PermissionRegistrationError as k, type SqlNameOf as l, getTableName as m };

package/dist/client.d.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export { h as CrudAction, F as ForbiddenError, b as PermissionAction, f as PermissionCheckResult, e as PermissionDescriptor } from './client-~~DpwiMpD0~~.js';
1	+ export { C as CrudAction, F as ForbiddenError, b as PermissionAction, f as PermissionCheckResult, e as PermissionDescriptor } from './client-DyadVgmx.js';

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { P as PermissionsConfig, a as Permissions, S as SchemaMap, b as PermissionAction, c as SubjectInput, W as WithLookups, d as WhereClause, G as Grant, e as PermissionDescriptor, f as PermissionCheckResult } from './client-DpwiMpD0.js';
-export { C as CRUD_ACTIONS, g as ColumnsOf, h as CrudAction, D as DrizzleTable, F as ForbiddenError, i as GrantFn, L as LookupDb, j as LookupFn, k as PermissionRegistrationError, l as SqlNameOf, T as TableName, m as getTableName } from './client-DpwiMpD0.js';
+import { P as PermissionsConfig, a as Permissions, S as SchemaMap, b as PermissionAction, c as SubjectInput, W as WithLookups, d as WhereClause, G as Grant, e as PermissionDescriptor, f as PermissionCheckResult, C as CrudAction, D as DrizzleTable } from './client-DyadVgmx.js';
+export { g as CRUD_ACTIONS, h as ColumnsOf, F as ForbiddenError, i as GrantFn, L as LookupDb, j as LookupFn, k as PermissionRegistrationError, l as SqlNameOf, T as TableName, m as getTableName } from './client-DyadVgmx.js';
 /**
  * Creates a permission configuration that can be shared between server-side
@@ -263,4 +263,33 @@ type UserWithRoles = {
 declare function resolveGrants(permissions: Permissions, user: UserWithRoles): Grant[];
 declare function resolveGrants(permissions: Permissions, roles: readonly string[]): Grant[];
-export { Grant, PermissionAction, PermissionCheckResult, PermissionDescriptor, Permissions, PermissionsConfig, SchemaMap, SubjectInput, type UserWithRoles, WhereClause, WithLookups, can, checkPermissions, definePermissions, grant, resolveGrants };
+/**
+ * A single granted action for a table, including the matching grants.
+ *
+ * - `unrestricted: true` means at least one grant has no `where` clause,
+ *   so the action is unconditionally permitted for every row.
+ * - `unrestricted: false` means all matching grants have `where` clauses,
+ *   so whether the action is permitted depends on the specific row.
+ */
+type GrantedAction = {
+    action: CrudAction;
+    grants: Grant[];
+    unrestricted: boolean;
+};
+/**
+ * Returns the distinct CRUD actions that are granted for a given table.
+ *
+ * `manage` grants are expanded into the four CRUD actions. For each action,
+ * the result includes the matching grants and whether any of them is
+ * unrestricted (no `where` clause). Actions with no matching grant at all
+ * are excluded from the result.
+ *
+ * Used by `@cfast/db` to build `_can` annotations on query results.
+ *
+ * @param grants - The user's resolved permission grants.
+ * @param table - The Drizzle table to check grants against.
+ * @returns Array of GrantedAction objects for each permitted action.
+ */
+declare function getGrantedActions(grants: Grant[], table: DrizzleTable): GrantedAction[];
+export { CrudAction, DrizzleTable, Grant, type GrantedAction, PermissionAction, PermissionCheckResult, PermissionDescriptor, Permissions, PermissionsConfig, SchemaMap, SubjectInput, type UserWithRoles, WhereClause, WithLookups, can, checkPermissions, definePermissions, getGrantedActions, grant, resolveGrants };

package/dist/index.js CHANGED Viewed

@@ -234,6 +234,25 @@ function resolveGrants(permissions, userOrRoles) {
   }
   return result;
 }
+// src/granted-actions.ts
+function getGrantedActions(grants, table) {
+  const targetName = getTableName(table);
+  const result = [];
+  for (const action of CRUD_ACTIONS) {
+    const matching = grants.filter((g) => {
+      const actionOk = g.action === action || g.action === "manage";
+      if (!actionOk) return false;
+      if (g.subject === "all") return true;
+      if (g.subject === table) return true;
+      return getTableName(g.subject) === targetName;
+    });
+    if (matching.length === 0) continue;
+    const unrestricted = matching.some((g) => !g.where);
+    result.push({ action, grants: matching, unrestricted });
+  }
+  return result;
+}
 export {
   CRUD_ACTIONS,
   ForbiddenError,
@@ -241,6 +260,7 @@ export {
   can,
   checkPermissions,
   definePermissions,
+  getGrantedActions,
   getTableName,
   grant,
   resolveGrants

package/llms.txt CHANGED Viewed

@@ -209,6 +209,21 @@ can<typeof schema>(grants, "create", "posts")        // ✓ string form, type-ch
 // can<typeof schema>(grants, "create", "unknownTable")  // ✗ TypeScript error
 ```
+### `getGrantedActions(grants, table): GrantedAction[]`
+```typescript
+import { getGrantedActions } from "@cfast/permissions";
+function getGrantedActions(grants: Grant[], table: DrizzleTable): GrantedAction[]
+type GrantedAction = {
+  action: CrudAction;         // "read" | "create" | "update" | "delete"
+  grants: Grant[];            // the matching grants
+  unrestricted: boolean;      // true if any grant has no `where` clause
+};
+```
+Returns the distinct CRUD actions that are granted for a given table. `manage` grants are expanded into the four CRUD actions. For each action, the result includes the matching grants and whether any of them is unrestricted (no `where` clause). Actions with no matching grant are excluded.
+Used internally by `@cfast/db` to build row-level `_can` annotations on query results.
 ### `CRUD_ACTIONS`
 ```typescript
 const CRUD_ACTIONS: readonly CrudAction[] = ["read", "create", "update", "delete"];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cfast/permissions",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Isomorphic, composable permission system with Drizzle-native row-level access control",
   "keywords": [
     "cfast",