@flowerforce/flowerbase 1.7.5-beta.2 → 1.7.5-beta.3

package/src/utils/__tests__/WRITE_STEP_B_STATES.test.ts

@@ -0,0 +1,184 @@
+import { MachineContext } from '../roles/machines/interface'
+import { STEP_B_STATES } from '../roles/machines/write/B'
+import {
+  checkFieldsPropertyExists,
+  evaluateTopLevelPermissionsFn
+} from '../roles/machines/commonValidators'
+
+const {
+  checkDeleteRequest,
+  evaluateTopLevelDelete,
+  evaluateTopLevelWrite,
+  evaluateTopLevelInsert,
+  checkFieldsProperty
+} = STEP_B_STATES
+
+jest.mock('../roles/machines/commonValidators', () => ({
+  checkFieldsPropertyExists: jest.fn(),
+  evaluateTopLevelPermissionsFn: jest.fn()
+}))
+
+const endValidation = jest.fn()
+const goToNextValidationStage = jest.fn()
+const next = jest.fn()
+
+describe('WRITE STEP_B_STATES', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('routes delete requests to evaluateTopLevelDelete', async () => {
+    const context = { params: { type: 'delete' } } as MachineContext
+    await checkDeleteRequest({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelDelete')
+  })
+
+  it('routes non-delete requests to evaluateTopLevelWrite', async () => {
+    const context = { params: { type: 'write' } } as MachineContext
+    await checkDeleteRequest({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelWrite')
+  })
+
+  it('allows delete only when top-level delete is true', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
+    const context = {} as MachineContext
+    await evaluateTopLevelDelete({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
+  })
+
+  it('denies delete when top-level delete is false/undefined', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(undefined)
+    const context = {} as MachineContext
+    await evaluateTopLevelDelete({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: false })
+  })
+
+  it('routes to insert check when write=true', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
+    const context = {} as MachineContext
+    await evaluateTopLevelWrite({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
+  })
+
+  it('routes to insert check when write=true and field-level rules exist', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
+    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
+    const context = {} as MachineContext
+    await evaluateTopLevelWrite({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
+  })
+
+  it('denies when write=false', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(false)
+    const context = {} as MachineContext
+    await evaluateTopLevelWrite({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: false })
+  })
+
+  it('routes to field-level checks when write is undefined', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(undefined)
+    const context = {} as MachineContext
+    await evaluateTopLevelWrite({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
+  })
+
+  it('denies insert when insert is false/undefined', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(false)
+    const context = {} as MachineContext
+    await evaluateTopLevelInsert({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: false })
+  })
+
+  it('allows when insert=true', async () => {
+    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
+    const context = {} as MachineContext
+    await evaluateTopLevelInsert({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
+  })
+
+  it('routes checkFieldsProperty to checkIsValidFieldName when field rules exist', async () => {
+    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
+    const context = {} as MachineContext
+    await checkFieldsProperty({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(goToNextValidationStage).toHaveBeenCalledWith('checkIsValidFieldName')
+  })
+
+  it('routes checkFieldsProperty to checkAdditionalFields when no field rules exist', async () => {
+    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(false)
+    const context = {} as MachineContext
+    await checkFieldsProperty({
+      context,
+      endValidation,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(goToNextValidationStage).toHaveBeenCalledWith('checkAdditionalFields')
+  })
+})

package/src/utils/__tests__/checkAdditionalFieldsFn.test.ts

@@ -34,12 +34,12 @@ describe('comparePassword', () => {
     })
     expect(isDefined).toBe(false)
   })
-  it('should return false for empty additional fields', () => {
+  it('should return true for empty additional fields (defined)', () => {
     const isDefined = checkAdditionalFieldsFn({
       role: { ...mockedRole, additional_fields: {} },
       user: mockUser,
       params: mockParams
     })
-    expect(isDefined).toBe(false)
+    expect(isDefined).toBe(true)
   })
 })

package/src/utils/__tests__/checkFieldsPropertyExists.test.ts

@@ -44,4 +44,17 @@ describe('checkFieldsPropertyExists', () => {
     })
     expect(isValid).toBe(true)
   })
+  it('should return true if additional_fields is defined (even empty)', () => {
+    const isValid = checkFieldsPropertyExists({
+      role: {
+        fields: {},
+        additional_fields: {},
+        apply_when: {},
+        name: 'test'
+      } as Role,
+      user: mockUser,
+      params: mockParams
+    })
+    expect(isValid).toBe(true)
+  })
 })

package/src/utils/__tests__/checkIsValidFieldNameFn.test.ts

@@ -11,17 +11,16 @@ describe('checkIsValidFieldNameFn', () => {
   beforeEach(() => {
     jest.clearAllMocks()
   })
-  it('should return filtered fields based on role permissions, without excluding _id', () => {
+
+  it('returns only explicitly allowed fields when no fallback is configured', async () => {
     const mockedRole = {
       name: 'test',
-      apply_when: {
-        '%%true': true
-      },
+      apply_when: { '%%true': true },
       fields: {
         name: { read: true, write: false },
-        email: { read: false, write: true }
-      },
-      additional_fields: {}
+        email: { read: false, write: true },
+        age: { read: false, write: false }
+      }
     } as Role
     const context = {
       user: mockUser,
@@ -29,168 +28,100 @@ describe('checkIsValidFieldNameFn', () => {
       params: {
         cursor: { _id: mockId, name: 'Alice', email: 'alice@example.com', age: 25 }
       }
-    }
+    } as MachineContext
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
+    const result = await checkIsValidFieldNameFn(context)
     expect(result).toEqual({
-      _id: mockId,
       name: 'Alice',
-      email: 'alice@example.com',
-      age: 25
+      email: 'alice@example.com'
     })
   })
-  it("should exclude _id if role doesn't allows it", () => {
-    const mockedRole = {
-      name: 'test',
-      apply_when: {
-        '%%true': true
-      },
-      fields: {
-        _id: { read: false, write: false },
-        name: { read: true, write: false }
-      },
-      additional_fields: {}
-    } as Role
-    const context = {
-      user: mockUser,
-      role: mockedRole,
-      params: {
-        cursor: { _id: mockId, name: 'Alice' }
-      }
-    }
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-
-    expect(result).toEqual({ name: 'Alice' })
-  })
-  it('should include _id if write role allows it', () => {
+  it('uses per-field additional_fields as fallback for unknown fields', async () => {
     const mockedRole = {
       name: 'test',
-      apply_when: {
-        '%%true': true
-      },
-      fields: {
-        _id: { read: false, write: true },
-        name: { read: true, write: false }
-      },
-      additional_fields: {}
-    } as Role
-    const context = {
-      user: mockUser,
-      role: mockedRole,
-      params: {
-        cursor: { _id: mockId, name: 'Alice' }
+      apply_when: { '%%true': true },
+      fields: {},
+      additional_fields: {
+        phone: { read: true, write: false },
+        address: { read: false, write: true }
       }
-    }
-
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-
-    expect(result).toEqual({ _id: mockId, name: 'Alice' })
-  })
-  it('should include _id if read role allows it', () => {
-    const mockedRole = {
-      name: 'test',
-      apply_when: {
-        '%%true': true
-      },
-      fields: {
-        _id: { read: true, write: false },
-        name: { read: true, write: false }
-      },
-      additional_fields: {}
     } as Role
     const context = {
-      user: mockUser,
       role: mockedRole,
       params: {
-        cursor: { _id: mockId, name: 'Alice' }
+        cursor: { _id: mockId, phone: '123456789', address: 'Unknown', city: 'Rome' }
       }
-    }
+    } as MachineContext
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-
-    expect(result).toEqual({ _id: mockId, name: 'Alice' })
+    const result = await checkIsValidFieldNameFn(context)
+    expect(result).toEqual({
+      phone: '123456789',
+      address: 'Unknown'
+    })
   })
 
-  it('should return an empty object if no fields are readable/writable', () => {
+  it('supports realm-style global additional_fields fallback', async () => {
     const mockedRole = {
-      name: 'test',
-      apply_when: {
-        '%%true': true
-      },
+      name: 'collaborator',
+      apply_when: { '%%true': true },
       fields: {
-        name: { read: false, write: false }
+        roles: { read: true, write: false }
       },
-      additional_fields: {}
-    } as Role
-    const context = {
-      role: mockedRole,
-      params: {
-        cursor: { name: 'Charlie', email: 'charlie@example.com' }
+      additional_fields: {
+        read: false,
+        write: false
       }
-    }
-
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-
-    expect(result).toEqual({ email: 'charlie@example.com' })
-  })
-
-  it('should handle additional_fields correctly for read permission', () => {
-    const mockedRole = {
-      name: 'test',
-      apply_when: {
-        '%%true': true
-      },
-      fields: {},
-      additional_fields: { phone: { read: true, write: false } }
     } as Role
     const context = {
       role: mockedRole,
       params: {
-        cursor: { _id: mockId, phone: '123456789', address: 'Unknown' }
+        cursor: { roles: ['editor'], email: 'user@example.com' }
       }
-    }
+    } as MachineContext
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ _id: mockId, phone: '123456789', address: 'Unknown' })
+    const result = await checkIsValidFieldNameFn(context)
+    expect(result).toEqual({
+      roles: ['editor']
+    })
   })
-  it('should handle additional_fields correctly for write permission', () => {
+
+  it('denies unknown fields when additional_fields global fallback is false', async () => {
     const mockedRole = {
       name: 'test',
-      apply_when: {
-        '%%true': true
+      apply_when: { '%%true': true },
+      fields: {
+        roles: { read: true }
       },
-      fields: {},
       additional_fields: {
-        phone: { read: false, write: true },
-        address: { read: false, write: true }
+        read: false,
+        write: false
       }
     } as Role
     const context = {
       role: mockedRole,
       params: {
-        cursor: { _id: mockId, phone: '123456789', address: 'Unknown' }
+        cursor: { email: 'user@example.com' }
       }
-    }
+    } as MachineContext
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ _id: mockId, phone: '123456789', address: 'Unknown' })
+    const result = await checkIsValidFieldNameFn(context)
+    expect(result).toEqual({})
   })
-  it('should return only the _id if fields and additional fields are not defined', () => {
+
+  it('returns empty object when no field permissions are available', async () => {
     const mockedRole = {
       name: 'test',
-      apply_when: {
-        '%%true': true
-      }
+      apply_when: { '%%true': true }
     } as Role
     const context = {
       role: mockedRole,
       params: {
         cursor: { _id: mockId, phone: '123456789', address: 'Unknown' }
       }
-    }
+    } as MachineContext
 
-    const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ _id: mockId, phone: '123456789', address: 'Unknown' })
+    const result = await checkIsValidFieldNameFn(context)
+    expect(result).toEqual({})
   })
 })

package/src/utils/__tests__/evaluateTopLevelReadFn.test.ts

@@ -17,7 +17,7 @@ describe('evaluateTopLevelReadFn', () => {
   beforeEach(() => {
     jest.clearAllMocks()
   })
-  it('should return false if type is different from read', async () => {
+  it('should return false if type is neither read nor search', async () => {
     const isValid = await evaluateTopLevelReadFn({
       role: mockedRole,
       user: mockUser,
@@ -35,6 +35,15 @@ describe('evaluateTopLevelReadFn', () => {
     expect(isValid).toBe(undefined)
     expect(evaluateExpression).not.toHaveBeenCalled()
   })
+  it('should return undefined if type is search and role read is not defined', async () => {
+    const isValid = await evaluateTopLevelReadFn({
+      role: mockedRole,
+      user: mockUser,
+      params: { type: 'search' } as Params
+    })
+    expect(isValid).toBe(undefined)
+    expect(evaluateExpression).not.toHaveBeenCalled()
+  })
   it('should return false if type is read and role read defined but evaluate expression returns false', async () => {
     (evaluateExpression as jest.Mock).mockResolvedValueOnce(false)
     const isValid = await evaluateTopLevelReadFn({

package/src/utils/__tests__/evaluateTopLevelWriteFn.test.ts

@@ -14,7 +14,10 @@ const mockParams = {
 } as Params
 
 describe('evaluateTopLevelWriteFn', () => {
-  it('should return undefined if type is different from read and write', async () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+  it('should return undefined if type is different from read, search and write', async () => {
     const isValid = await evaluateTopLevelWriteFn({
       role: mockedRole,
       user: mockUser,
@@ -23,6 +26,17 @@ describe('evaluateTopLevelWriteFn', () => {
     expect(isValid).toBe(undefined)
     expect(evaluateExpression).not.toHaveBeenCalled()
   })
+  it('should evaluate write for search requests', async () => {
+    (evaluateExpression as jest.Mock).mockResolvedValueOnce(true)
+    const searchParams = { type: 'search' } as Params
+    const isValid = await evaluateTopLevelWriteFn({
+      role: { ...mockedRole, write: true },
+      user: mockUser,
+      params: searchParams
+    })
+    expect(isValid).toBe(true)
+    expect(evaluateExpression).toHaveBeenCalledWith(searchParams, true, mockUser)
+  })
   it('should return false if type is read but evaluate expression returns false', async () => {
     (evaluateExpression as jest.Mock).mockResolvedValueOnce(false)
     const isValid = await evaluateTopLevelWriteFn({
@@ -45,22 +59,24 @@ describe('evaluateTopLevelWriteFn', () => {
   })
   it('should return false if type is write but evaluate expression returns false', async () => {
     (evaluateExpression as jest.Mock).mockResolvedValueOnce(false)
+    const writeParams = { type: 'write' } as Params
     const isValid = await evaluateTopLevelWriteFn({
       role: { ...mockedRole, write: false },
       user: mockUser,
-      params: { type: 'write' } as Params
+      params: writeParams
     })
     expect(isValid).toBe(false)
-    expect(evaluateExpression).toHaveBeenCalledWith(mockParams, false, mockUser)
+    expect(evaluateExpression).toHaveBeenCalledWith(writeParams, false, mockUser)
   })
   it('should return true if type is write and evaluate expression returns true', async () => {
     (evaluateExpression as jest.Mock).mockResolvedValueOnce(true)
+    const writeParams = { type: 'write' } as Params
     const isValid = await evaluateTopLevelWriteFn({
       role: { ...mockedRole, write: false },
       user: mockUser,
-      params: { type: 'write' } as Params
+      params: writeParams
     })
     expect(isValid).toBe(true)
-    expect(evaluateExpression).toHaveBeenCalledWith(mockParams, false, mockUser)
+    expect(evaluateExpression).toHaveBeenCalledWith(writeParams, false, mockUser)
   })
 })

package/src/utils/roles/helpers.ts

@@ -8,17 +8,30 @@ import { MachineContext } from './machines/interface'
 
 const functionsConditions = ['%%true', '%%false']
 
+const normalizeUserRole = (user?: MachineContext['user']) => {
+  if (!user) return user
+  if (typeof user !== 'object') return user
+  const candidate = user as Record<string, unknown>
+  if (typeof candidate.role === 'string') return user
+  const customRole =
+    typeof candidate.custom_data === 'object' && candidate.custom_data !== null
+      ? (candidate.custom_data as Record<string, unknown>).role
+      : undefined
+  return typeof customRole === 'string' ? ({ ...candidate, role: customRole } as MachineContext['user']) : user
+}
+
 export const evaluateExpression = async (
   params: MachineContext['params'],
   expression?: PermissionExpression,
   user?: MachineContext['user']
 ): Promise<boolean> => {
   if (!expression || typeof expression === 'boolean') return !!expression
+  const normalizedUser = normalizeUserRole(user)
 
   const value = {
     ...params.expansions,
     ...params.cursor,
-    '%%user': user,
+    '%%user': normalizedUser,
     '%%true': true
   }
   const conditions = expandQuery(expression, value)
@@ -26,7 +39,7 @@ export const evaluateExpression = async (
     functionsConditions.includes(key)
   )
   return complexCondition
-    ? await evaluateComplexExpression(complexCondition, params, user)
+    ? await evaluateComplexExpression(complexCondition, params, normalizedUser)
     : rulesMatcherUtils.checkRule(conditions, value, {})
 }
 
@@ -36,6 +49,7 @@ const evaluateComplexExpression = async (
   user: MachineContext['user']
 ): Promise<boolean> => {
   const [key, config] = condition
+  const normalizedUser = normalizeUserRole(user)
 
   const functionConfig = config['%function']
   const { name, arguments: fnArguments } = functionConfig
@@ -47,7 +61,7 @@ const evaluateComplexExpression = async (
     ...params.expansions,
     ...params.cursor,
     '%%root': params.cursor,
-    '%%user': user,
+    '%%user': normalizedUser,
     '%%true': true,
     '%%false': false
   }
@@ -62,7 +76,7 @@ const evaluateComplexExpression = async (
     args: expandedArguments,
     app,
     rules: StateManager.select("rules"),
-    user,
+    user: normalizedUser,
     currentFunction,
     functionName: name,
     functionsList,

package/src/utils/roles/interface.ts

@@ -1,10 +1,19 @@
-export type PermissionExpression = boolean // TODO: add complex condition (%%true: %function)
+export type PermissionExpression = boolean | Record<string, unknown>
 
 export type FieldPermissionExpression = {
-  read?: boolean
-  write?: boolean
+  read?: PermissionExpression
+  write?: PermissionExpression
+  fields?: {
+    [K: string]: FieldPermissionExpression
+  }
 }
 
+export type AdditionalFieldsPermissionExpression =
+  | FieldPermissionExpression
+  | {
+      [K: string]: FieldPermissionExpression
+    }
+
 export interface DocumentFiltersPermissions {
   read?: PermissionExpression
   write?: PermissionExpression
@@ -23,9 +32,7 @@ export interface Role {
   fields?: {
     [K: string]: FieldPermissionExpression
   }
-  additional_fields?: {
-    [K: string]: FieldPermissionExpression
-  }
+  additional_fields?: AdditionalFieldsPermissionExpression
 }
 
 export interface Params {

package/src/utils/roles/machines/commonValidators.ts

@@ -33,6 +33,6 @@ export const evaluateTopLevelPermissionsFn = async (
 
 export const checkFieldsPropertyExists = ({ role }: MachineContext) => {
   const hasFields = !!Object.keys(role?.fields ?? {}).length
-  const hasAdditional = !!Object.keys(role?.additional_fields ?? {}).length
+  const hasAdditional = typeof role?.additional_fields !== 'undefined'
   return hasFields || hasAdditional
 }