npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.87.1 → 0.87.3 - Mend

@cosmicdrift/kumiko-bundled-features 0.87.1 → 0.87.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.87.1",
+  "version": "0.87.3",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -86,11 +86,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.87.1",
-    "@cosmicdrift/kumiko-framework": "0.87.1",
-    "@cosmicdrift/kumiko-headless": "0.87.1",
-    "@cosmicdrift/kumiko-renderer": "0.87.1",
-    "@cosmicdrift/kumiko-renderer-web": "0.87.1",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.87.3",
+    "@cosmicdrift/kumiko-framework": "0.87.3",
+    "@cosmicdrift/kumiko-headless": "0.87.3",
+    "@cosmicdrift/kumiko-renderer": "0.87.3",
+    "@cosmicdrift/kumiko-renderer-web": "0.87.3",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/__tests__/invite-flow.integration.test.ts CHANGED Viewed

@@ -429,3 +429,38 @@ describe("invitations-query (pending list)", () => {
     expect(list[0]?.status).toBe("pending");
   });
 });
+// Privilege-escalation regression: a Tenant-Admin must not be able to seed a
+// platform-global/reserved role (SystemAdmin, system, all, anonymous) into a
+// tenant membership via the invite flow — once it lands in membership.roles it
+// merges flat into the session and unlocks the SystemAdmin-gated cross-tenant
+// handler surface (hasAccess can't tell membership roles from global ones).
+describe("privilege escalation via invite role", () => {
+  // Each forbidden value is a platform-global/reserved role that must never
+  // reach a tenant membership. Proven exploitable before the fix: inviting
+  // "SystemAdmin" gave the invitee a JWT carrying SystemAdmin flat, which
+  // passed every SystemAdmin gate cross-tenant.
+  const FORBIDDEN_ROLES = ["SystemAdmin", "system", "all", "anonymous"];
+  test("invite-create rejects reserved/global roles — no invitation persisted", async () => {
+    for (const role of FORBIDDEN_ROLES) {
+      const err = await stack.http.writeErr(
+        AuthHandlers.inviteCreate,
+        { email: CAROL_EMAIL, role },
+        aliceSession(),
+      );
+      expect(err.code).toBe("access_denied");
+      const rows = await selectMany(stack.db, tenantInvitationsTable, { email: CAROL_EMAIL });
+      expect(rows).toHaveLength(0);
+    }
+  });
+  test("legitimate tenant role still issues an invitation", async () => {
+    const result = (await stack.http.writeOk(
+      AuthHandlers.inviteCreate,
+      { email: CAROL_EMAIL, role: "Editor" },
+      aliceSession(),
+    )) as { role: string };
+    expect(result.role).toBe("Editor");
+  });
+});

package/src/auth-email-password/__tests__/multi-roles.integration.test.ts CHANGED Viewed

@@ -251,3 +251,46 @@ describe("multi-roles: switch-tenant erhält globale rollen", () => {
     expect(switchBody.roles).toEqual(["User"]);
   });
 });
+// Read-time backstop (engine/membership-roles): the write paths reject reserved
+// roles at command time, but a projection rebuild replays stored membership
+// events through the apply path, bypassing that check. addMembership inserts
+// straight into the projection table — the same shape a rebuild would produce —
+// so a forbidden role lands in the membership without going through a handler.
+// Every JWT mint must strip it; globalRoles must survive untouched.
+describe("multi-roles: reserved membership role stripped at the mint", () => {
+  test("login: resurrected ['SystemAdmin'] in membership → stripped, ['Admin'] survives", async () => {
+    const userId = await seedUser("resurrect@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["SystemAdmin", "Admin"]);
+    const { user } = await login("resurrect@example.com", "pw-long-enough");
+    expect(user.roles).toEqual(["Admin"]);
+    expect(user.roles).not.toContain("SystemAdmin");
+  });
+  test("login: global SystemAdmin survives even when membership repeats it", async () => {
+    const userId = await seedUser("realadmin@example.com", "pw-long-enough", ["SystemAdmin"]);
+    await addMembership(userId, tenantA, ["SystemAdmin", "Admin"]);
+    const { user } = await login("realadmin@example.com", "pw-long-enough");
+    expect(user.roles.sort()).toEqual(["Admin", "SystemAdmin"]);
+  });
+  test("switch-tenant: resurrected ['SystemAdmin'] on target tenant → stripped", async () => {
+    const userId = await seedUser("resurrect2@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["Admin"]);
+    await addMembership(userId, tenantB, ["SystemAdmin", "User"]);
+    const { token } = await login("resurrect2@example.com", "pw-long-enough");
+    const switchRes = await stack.http.raw(
+      "POST",
+      "/api/auth/switch-tenant",
+      { tenantId: tenantB },
+      { authorization: `Bearer ${token}` },
+    );
+    expect(switchRes.status).toBe(200);
+    const switchBody = (await switchRes.json()) as { roles: string[] };
+    expect(switchBody.roles).toEqual(["User"]);
+    expect(switchBody.roles).not.toContain("SystemAdmin");
+  });
+});

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts CHANGED Viewed

@@ -23,6 +23,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
@@ -164,7 +165,7 @@ export function createInviteAcceptWithLoginHandler() {
         const session: SessionUser = {
           id: userId,
           tenantId: invitationTenantId,
-          roles: [invitationRole],
+          roles: stripForbiddenMembershipRoles([invitationRole]),
         };
         committed = true;

package/src/auth-email-password/handlers/invite-create.write.ts CHANGED Viewed

@@ -27,6 +27,11 @@ import {
   tenantInvitationEntity,
   tenantInvitationsTable,
 } from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import membership-role validation owned by tenant-feature
+import {
+  findForbiddenMembershipRole,
+  reservedMembershipRoleError,
+} from "../../tenant/membership-roles";
 import { AUTH_INVITE_DEFAULT_TTL_MINUTES } from "../constants";
 import { getTokenForInvitation, storeInviteToken } from "../invite-token-store";
@@ -69,6 +74,11 @@ export function createInviteCreateHandler(opts: InviteCreateOptions = {}) {
         );
       }
+      const forbiddenRole = findForbiddenMembershipRole([event.payload.role]);
+      if (forbiddenRole !== undefined) {
+        return writeFailure(reservedMembershipRoleError(forbiddenRole));
+      }
       const email = event.payload.email.toLowerCase();
       const tenantId = event.user.tenantId;
       const expiresAt = Temporal.Now.instant().add({ seconds: ttlSeconds });

package/src/auth-email-password/handlers/invite-signup-complete.write.ts CHANGED Viewed

@@ -27,6 +27,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
@@ -160,7 +161,7 @@ export function createInviteSignupCompleteHandler() {
         const session: SessionUser = {
           id: userId,
           tenantId: invitationTenantId,
-          roles: [invitationRole],
+          roles: stripForbiddenMembershipRoles([invitationRole]),
         };
         committed = true;

package/src/auth-email-password/handlers/login.write.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
@@ -165,7 +166,11 @@ export function createLoginHandler(opts: LoginHandlerOptions = {}) {
       // membership. Dedupe via Set damit eine Rolle die in beiden Quellen
       // steht nicht doppelt im Session-Roles landet.
       const globalRoles = parseRoles(found.roles ?? null);
-      const mergedRoles = Array.from(new Set([...globalRoles, ...chosen.roles]));
+      // Strip reserved roles from the membership portion only (globalRoles keeps
+      // SystemAdmin) — read-time backstop against a rebuild-resurrected role.
+      const mergedRoles = Array.from(
+        new Set([...globalRoles, ...stripForbiddenMembershipRoles(chosen.roles)]),
+      );
       const baseSession: SessionUser = {
         id: found.id,
         tenantId: chosen.tenantId,

package/src/compliance-profiles/handlers/set-profile.write.ts CHANGED Viewed

@@ -5,9 +5,12 @@ import {
   SELECTABLE_PROFILE_KEYS,
 } from "@cosmicdrift/kumiko-framework/compliance";
 import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
-import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
-  AccessDeniedError,
+  crossTenantOverrideDenied,
+  defineWriteHandler,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
   UnprocessableError,
   validationErrorFromZod,
   writeFailure,
@@ -58,14 +61,12 @@ export const setProfileWrite = defineWriteHandler({
   access: { roles: [ROLES.TenantAdmin, ROLES.SystemAdmin] },
   handler: async (event, ctx) => {
     const tenantOverride = event.payload.tenantIdOverride;
-    if (tenantOverride !== undefined && !event.user.roles.includes(ROLES.SystemAdmin)) {
-      return writeFailure(
-        new AccessDeniedError({
-          i18nKey: "complianceProfiles.errors.tenantOverrideRequiresSystemAdmin",
-          details: { reason: "tenant_override_requires_system_admin" },
-        }),
-      );
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      event.user,
+      tenantOverride,
+      "complianceProfiles.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) return writeFailure(overrideDenied);
     const tenantId = (tenantOverride ?? event.user.tenantId) as TenantId; // @cast-boundary engine-payload
     const executorUser = tenantOverride !== undefined ? { ...event.user, tenantId } : event.user;

package/src/managed-pages/handlers/set.write.ts CHANGED Viewed

@@ -1,7 +1,11 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
-import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
-import { AccessDeniedError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  crossTenantOverrideDenied,
+  defineWriteHandler,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { type PageRow, pageEntity, pagesTable } from "../table";
@@ -42,14 +46,12 @@ export const setWrite = defineWriteHandler({
   handler: async (event, ctx) => {
     const db = ctx.db;
     const override = event.payload.tenantIdOverride;
-    if (override !== undefined && !event.user.roles.includes("SystemAdmin")) {
-      return writeFailure(
-        new AccessDeniedError({
-          i18nKey: "managedPages.errors.tenantOverrideRequiresSystemAdmin",
-          details: { reason: "tenant_override_requires_system_admin" },
-        }),
-      );
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      event.user,
+      override,
+      "managedPages.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) return writeFailure(overrideDenied);
     const tenantId = override ?? event.user.tenantId;
     // override: point the executor context at the target tenant, else getStreamVersion runs against user.tenantId → version_conflict.
     const executorUser =

package/src/template-resolver/handlers/upsert-tenant.write.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
+  crossTenantOverrideDenied,
   defineWriteHandler,
   SYSTEM_TENANT_ID,
   type TenantId,
@@ -25,14 +26,12 @@ export const upsertTenantWrite = defineWriteHandler({
   handler: async (event, ctx) => {
     const db = ctx.db;
     const override = event.payload.tenantIdOverride;
-    if (override !== undefined && !event.user.roles.includes("SystemAdmin")) {
-      return writeFailure(
-        new AccessDeniedError({
-          i18nKey: "templateResolver.errors.tenantOverrideRequiresSystemAdmin",
-          details: { reason: "tenant_override_requires_system_admin" },
-        }),
-      );
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      event.user,
+      override,
+      "templateResolver.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) return writeFailure(overrideDenied);
     // upsertTenant erzeugt scope='tenant'. SYSTEM_TENANT_ID-Override würde
     // scope='tenant' unter SYSTEM_TENANT_ID schreiben → inkonsistenter Zustand
     // (Resolver-Logik trennt sauber zwischen system+tenant). SystemAdmin muss

package/src/tenant/__tests__/tenant.integration.test.ts CHANGED Viewed

@@ -433,3 +433,34 @@ describe("scenario 8: entityList/entityEdit convention QNs", () => {
     ]);
   });
 });
+// Privilege-escalation guard: platform-global/reserved roles must never be
+// writable into a tenant membership, not even by a SystemAdmin — once present
+// they merge flat into the session and grant cross-tenant authority. The
+// forbidden-role check runs before any DB access, so these reject without the
+// memberships table being mounted in this stack.
+describe("scenario 9: membership role escalation guard", () => {
+  const FORBIDDEN_ROLES = ["SystemAdmin", "system", "all", "anonymous"];
+  test("add-member rejects reserved/global roles even for SystemAdmin", async () => {
+    for (const role of FORBIDDEN_ROLES) {
+      const err = await stack.http.writeErr(
+        TenantHandlers.addMember,
+        { userId: systemAdmin.id, tenantId: systemAdmin.tenantId, roles: [role] },
+        systemAdmin,
+      );
+      expectErrorIncludes(err, "access_denied");
+    }
+  });
+  test("update-member-roles rejects reserved/global roles even for SystemAdmin", async () => {
+    for (const role of FORBIDDEN_ROLES) {
+      const err = await stack.http.writeErr(
+        TenantHandlers.updateMemberRoles,
+        { userId: systemAdmin.id, tenantId: systemAdmin.tenantId, roles: [role] },
+        systemAdmin,
+      );
+      expectErrorIncludes(err, "access_denied");
+    }
+  });
+});

package/src/tenant/handlers/add-member.write.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { ConflictError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { TenantErrors } from "../constants";
+import { findForbiddenMembershipRole, reservedMembershipRoleError } from "../membership-roles";
 import { tenantMembershipEntity, tenantMembershipsTable } from "../membership-table";
 const executor = createEventStoreExecutor(tenantMembershipsTable, tenantMembershipEntity, {
@@ -20,6 +21,8 @@ export const addMemberWrite = defineWriteHandler({
   access: { roles: ["SystemAdmin"] },
   handler: async (event, ctx) => {
     const db = ctx.db;
+    const forbidden = findForbiddenMembershipRole(event.payload.roles);
+    if (forbidden !== undefined) return writeFailure(reservedMembershipRoleError(forbidden));
     const existing = await fetchOne(db, tenantMembershipsTable, {
       userId: event.payload.userId,
       tenantId: event.payload.tenantId,

package/src/tenant/handlers/update-member-roles.write.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { createEventStoreExecutor, type DbRow } from "@cosmicdrift/kumiko-framew
 import { defineWriteHandler, withResponseData } from "@cosmicdrift/kumiko-framework/engine";
 import { NotFoundError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
+import { findForbiddenMembershipRole, reservedMembershipRoleError } from "../membership-roles";
 import { tenantMembershipEntity, tenantMembershipsTable } from "../membership-table";
 const executor = createEventStoreExecutor(tenantMembershipsTable, tenantMembershipEntity, {
@@ -23,6 +24,8 @@ export const updateMemberRolesWrite = defineWriteHandler({
   access: { roles: ["system", "SystemAdmin"] },
   handler: async (event, ctx) => {
     const db = ctx.db;
+    const forbidden = findForbiddenMembershipRole(event.payload.roles);
+    if (forbidden !== undefined) return writeFailure(reservedMembershipRoleError(forbidden));
     const existing = await fetchOne(db, tenantMembershipsTable, {
       userId: event.payload.userId,
       tenantId: event.payload.tenantId,

package/src/tenant/membership-roles.test.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { describe, expect, test } from "bun:test";
+import { AccessDeniedError } from "@cosmicdrift/kumiko-framework/errors";
+import { assertAssignableMembershipRoles, findForbiddenMembershipRole } from "./membership-roles";
+describe("membership-roles", () => {
+  const FORBIDDEN = ["system", "SystemAdmin", "all", "anonymous"];
+  test("findForbiddenMembershipRole flags each reserved/global role", () => {
+    for (const role of FORBIDDEN) {
+      expect(findForbiddenMembershipRole([role])).toBe(role);
+      expect(findForbiddenMembershipRole(["Admin", role, "User"])).toBe(role);
+    }
+  });
+  test("findForbiddenMembershipRole allows legitimate tenant roles", () => {
+    expect(findForbiddenMembershipRole(["Admin", "Editor", "User", "TenantAdmin"])).toBeUndefined();
+    expect(findForbiddenMembershipRole([])).toBeUndefined();
+  });
+  test("assertAssignableMembershipRoles throws AccessDeniedError on a forbidden role", () => {
+    expect(() => assertAssignableMembershipRoles(["Admin", "SystemAdmin"])).toThrow(
+      AccessDeniedError,
+    );
+  });
+  test("assertAssignableMembershipRoles passes legitimate roles", () => {
+    expect(() => assertAssignableMembershipRoles(["Admin", "User"])).not.toThrow();
+  });
+});

package/src/tenant/membership-roles.ts ADDED Viewed

@@ -0,0 +1,24 @@
+// A tenant membership must never carry a platform-global/reserved role.
+// hasAccess checks session.roles flat, with no notion of where a role came
+// from — so a membership role like "SystemAdmin" merges into the session at
+// login/switch and unlocks the SystemAdmin-gated, cross-tenant handler
+// surface. The seed path already keeps these roles global-only (users.roles);
+// this validator makes every membership-role write path enforce the same
+// invariant. Derived from the framework presets so it tracks access.privileged.
+import { findForbiddenMembershipRole } from "@cosmicdrift/kumiko-framework/engine";
+import { AccessDeniedError } from "@cosmicdrift/kumiko-framework/errors";
+export { findForbiddenMembershipRole };
+export function reservedMembershipRoleError(role: string): AccessDeniedError {
+  return new AccessDeniedError({
+    message: `role "${role}" is reserved and cannot be assigned to a tenant membership`,
+    details: { reason: "reserved_membership_role", role },
+  });
+}
+export function assertAssignableMembershipRoles(roles: readonly string[]): void {
+  const forbidden = findForbiddenMembershipRole(roles);
+  if (forbidden !== undefined) throw reservedMembershipRoleError(forbidden);
+}

package/src/tenant/seeding.ts CHANGED Viewed

@@ -37,6 +37,7 @@ import {
 import type { SessionUser, TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
 import { TestUsers } from "@cosmicdrift/kumiko-framework/stack";
+import { assertAssignableMembershipRoles } from "./membership-roles";
 import { tenantMembershipEntity, tenantMembershipsTable } from "./membership-table";
 import { tenantEntity, tenantTable } from "./schema/tenant";
@@ -127,6 +128,9 @@ export async function seedTenantMembership(
   db: DbRunner,
   options: SeedTenantMembershipOptions,
 ): Promise<{ id: string }> {
+  // Chokepoint: invite-accept (×3) + seedAdmin/provisionSignup all flow
+  // through here — reject reserved/global roles before they ever persist.
+  assertAssignableMembershipRoles(options.roles);
   const by = options.by ?? TestUsers.systemAdmin;
   // Wrap into a system-scoped TenantDb so the insert respects the tenant-
   // override (we write into options.tenantId, which may differ from by.tenantId).

package/src/text-content/handlers/by-slug.query.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
-import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { AccessDeniedError } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  crossTenantOverrideDenied,
+  defineQueryHandler,
+} from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { type TextBlockRow, textBlocksTable } from "../table";
@@ -27,12 +29,12 @@ export const bySlugQuery = defineQueryHandler({
   access: { roles: ["anonymous", "User", "TenantAdmin", "SystemAdmin"] },
   handler: async (query, ctx) => {
     const override = query.payload.tenantIdOverride;
-    if (override !== undefined && !query.user.roles.includes("SystemAdmin")) {
-      throw new AccessDeniedError({
-        i18nKey: "textContent.errors.tenantOverrideRequiresSystemAdmin",
-        details: { reason: "tenant_override_requires_system_admin" },
-      });
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      query.user,
+      override,
+      "textContent.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) throw overrideDenied;
     const tenantId = override ?? query.user.tenantId;
     const row = await fetchOne<TextBlockRow>(ctx.db, textBlocksTable, {
       tenantId,

package/src/text-content/handlers/by-tenant.query.ts CHANGED Viewed

@@ -1,7 +1,9 @@
 import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { castTenantRows } from "@cosmicdrift/kumiko-framework/db";
-import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { AccessDeniedError } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  crossTenantOverrideDenied,
+  defineQueryHandler,
+} from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { type TextBlockRow, textBlocksTable } from "../table";
@@ -34,12 +36,12 @@ export const byTenantQuery = defineQueryHandler({
   access: { roles: ["anonymous", "User", "TenantAdmin", "SystemAdmin"] },
   handler: async (query, ctx) => {
     const override = query.payload.tenantIdOverride;
-    if (override !== undefined && !query.user.roles.includes("SystemAdmin")) {
-      throw new AccessDeniedError({
-        i18nKey: "textContent.errors.tenantOverrideRequiresSystemAdmin",
-        details: { reason: "tenant_override_requires_system_admin" },
-      });
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      query.user,
+      override,
+      "textContent.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) throw overrideDenied;
     const tenantId = override ?? query.user.tenantId;
     const rows = castTenantRows<TextBlockRow>(
       await selectMany(ctx.db, textBlocksTable, { tenantId: tenantId }),

package/src/text-content/handlers/set.write.ts CHANGED Viewed

@@ -1,7 +1,11 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
-import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
-import { AccessDeniedError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  crossTenantOverrideDenied,
+  defineWriteHandler,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { type TextBlockRow, textBlockEntity, textBlocksTable } from "../table";
@@ -68,14 +72,12 @@ export const setWrite = defineWriteHandler({
   handler: async (event, ctx) => {
     const db = ctx.db;
     const override = event.payload.tenantIdOverride;
-    if (override !== undefined && !event.user.roles.includes("SystemAdmin")) {
-      return writeFailure(
-        new AccessDeniedError({
-          i18nKey: "textContent.errors.tenantOverrideRequiresSystemAdmin",
-          details: { reason: "tenant_override_requires_system_admin" },
-        }),
-      );
-    }
+    const overrideDenied = crossTenantOverrideDenied(
+      event.user,
+      override,
+      "textContent.errors.tenantOverrideRequiresSystemAdmin",
+    );
+    if (overrideDenied) return writeFailure(overrideDenied);
     const tenantId = override ?? event.user.tenantId;
     // Bei tenantIdOverride muss auch der user-context auf den ziel-tenant
     // umgestellt werden, sonst läuft der event-store-Lookup