@forestadmin/agent 1.0.0-alpha.1

package/dist/services/authorization/authorization.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const types_1 = require("./internal/types");
+const generate_action_identifier_1 = require("./internal/generate-action-identifier");
+class AuthorizationService {
+    constructor(actionPermissionService) {
+        this.actionPermissionService = actionPermissionService;
+    }
+    async assertCanBrowse(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Browse, collectionName);
+    }
+    async assertCanRead(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Read, collectionName);
+    }
+    async assertCanAdd(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Add, collectionName);
+    }
+    async assertCanEdit(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Edit, collectionName);
+    }
+    async assertCanDelete(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Delete, collectionName);
+    }
+    async assertCanExport(context, collectionName) {
+        await this.assertCanOnCollection(context, types_1.CollectionActionEvent.Export, collectionName);
+    }
+    async assertCanOnCollection(context, event, collectionName) {
+        const { id: userId } = context.state.user;
+        if (!(await this.actionPermissionService.can(`${userId}`, (0, generate_action_identifier_1.generateCollectionActionIdentifier)(event, collectionName)))) {
+            context.throw(403, 'Forbidden');
+        }
+    }
+    async assertCanExecuteCustomAction(context, customActionName, collectionName) {
+        const { id: userId } = context.state.user;
+        if (!(await this.actionPermissionService.canOneOf(`${userId}`, [
+            (0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.Trigger, customActionName, collectionName),
+            (0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.Approve, customActionName, collectionName),
+            (0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.SelfApprove, customActionName, collectionName),
+        ]))) {
+            context.throw(403, 'Forbidden');
+        }
+    }
+}
+exports.default = AuthorizationService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aG9yaXphdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9zZXJ2aWNlcy9hdXRob3JpemF0aW9uL2F1dGhvcml6YXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFFQSw0Q0FBNEU7QUFDNUUsc0ZBRytDO0FBRy9DLE1BQXFCLG9CQUFvQjtJQUN2QyxZQUE2Qix1QkFBZ0Q7UUFBaEQsNEJBQXVCLEdBQXZCLHVCQUF1QixDQUF5QjtJQUFHLENBQUM7SUFFMUUsS0FBSyxDQUFDLGVBQWUsQ0FBQyxPQUFnQixFQUFFLGNBQXNCO1FBQ25FLE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLE9BQU8sRUFBRSw2QkFBcUIsQ0FBQyxNQUFNLEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDMUYsQ0FBQztJQUVNLEtBQUssQ0FBQyxhQUFhLENBQUMsT0FBZ0IsRUFBRSxjQUFzQjtRQUNqRSxNQUFNLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLEVBQUUsNkJBQXFCLENBQUMsSUFBSSxFQUFFLGNBQWMsQ0FBQyxDQUFDO0lBQ3hGLENBQUM7SUFFTSxLQUFLLENBQUMsWUFBWSxDQUFDLE9BQWdCLEVBQUUsY0FBc0I7UUFDaEUsTUFBTSxJQUFJLENBQUMscUJBQXFCLENBQUMsT0FBTyxFQUFFLDZCQUFxQixDQUFDLEdBQUcsRUFBRSxjQUFjLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRU0sS0FBSyxDQUFDLGFBQWEsQ0FBQyxPQUFnQixFQUFFLGNBQXNCO1FBQ2pFLE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLE9BQU8sRUFBRSw2QkFBcUIsQ0FBQyxJQUFJLEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDeEYsQ0FBQztJQUVNLEtBQUssQ0FBQyxlQUFlLENBQUMsT0FBZ0IsRUFBRSxjQUFzQjtRQUNuRSxNQUFNLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLEVBQUUsNkJBQXFCLENBQUMsTUFBTSxFQUFFLGNBQWMsQ0FBQyxDQUFDO0lBQzFGLENBQUM7SUFFTSxLQUFLLENBQUMsZUFBZSxDQUFDLE9BQWdCLEVBQUUsY0FBc0I7UUFDbkUsTUFBTSxJQUFJLENBQUMscUJBQXFCLENBQUMsT0FBTyxFQUFFLDZCQUFxQixDQUFDLE1BQU0sRUFBRSxjQUFjLENBQUMsQ0FBQztJQUMxRixDQUFDO0lBRU8sS0FBSyxDQUFDLHFCQUFxQixDQUNqQyxPQUFnQixFQUNoQixLQUE0QixFQUM1QixjQUFzQjtRQUV0QixNQUFNLEVBQUUsRUFBRSxFQUFFLE1BQU0sRUFBRSxHQUFHLE9BQU8sQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO1FBRTFDLElBQ0UsQ0FBQyxDQUFDLE1BQU0sSUFBSSxDQUFDLHVCQUF1QixDQUFDLEdBQUcsQ0FDdEMsR0FBRyxNQUFNLEVBQUUsRUFDWCxJQUFBLCtEQUFrQyxFQUFDLEtBQUssRUFBRSxjQUFjLENBQUMsQ0FDMUQsQ0FBQyxFQUNGO1lBQ0EsT0FBTyxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsV0FBVyxDQUFDLENBQUM7U0FDakM7SUFDSCxDQUFDO0lBRU0sS0FBSyxDQUFDLDRCQUE0QixDQUN2QyxPQUFnQixFQUNoQixnQkFBd0IsRUFDeEIsY0FBc0I7UUFFdEIsTUFBTSxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsR0FBRyxPQUFPLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQztRQUUxQyxJQUNFLENBQUMsQ0FBQyxNQUFNLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxRQUFRLENBQUMsR0FBRyxNQUFNLEVBQUUsRUFBRTtZQUN6RCxJQUFBLDJEQUE4QixFQUFDLHlCQUFpQixDQUFDLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxjQUFjLENBQUM7WUFDM0YsSUFBQSwyREFBOEIsRUFBQyx5QkFBaUIsQ0FBQyxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsY0FBYyxDQUFDO1lBQzNGLElBQUEsMkRBQThCLEVBQzVCLHlCQUFpQixDQUFDLFdBQVcsRUFDN0IsZ0JBQWdCLEVBQ2hCLGNBQWMsQ0FDZjtTQUNGLENBQUMsQ0FBQyxFQUNIO1lBQ0EsT0FBTyxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsV0FBVyxDQUFDLENBQUM7U0FDakM7SUFDSCxDQUFDO0NBQ0Y7QUFqRUQsdUNBaUVDIn0=

package/dist/services/authorization/index.d.ts

@@ -0,0 +1,5 @@
+import { AgentOptionsWithDefaults } from '../../types';
+import AuthorizationService from './authorization';
+export default function authorizationServiceFactory(options: AgentOptionsWithDefaults): AuthorizationService;
+export { CustomActionEvent, EnvironmentPermissionsV4, UserPermissionV4 } from './internal/types';
+//# sourceMappingURL=index.d.ts.map

package/dist/services/authorization/index.js

@@ -0,0 +1,16 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CustomActionEvent = void 0;
+const action_permission_1 = __importDefault(require("./internal/action-permission"));
+const authorization_1 = __importDefault(require("./authorization"));
+function authorizationServiceFactory(options) {
+    const actionPermissionService = new action_permission_1.default(options);
+    return new authorization_1.default(actionPermissionService);
+}
+exports.default = authorizationServiceFactory;
+var types_1 = require("./internal/types");
+Object.defineProperty(exports, "CustomActionEvent", { enumerable: true, get: function () { return types_1.CustomActionEvent; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7QUFDQSxxRkFBbUU7QUFDbkUsb0VBQW1EO0FBRW5ELFNBQXdCLDJCQUEyQixDQUNqRCxPQUFpQztJQUVqQyxNQUFNLHVCQUF1QixHQUFHLElBQUksMkJBQXVCLENBQUMsT0FBTyxDQUFDLENBQUM7SUFFckUsT0FBTyxJQUFJLHVCQUFvQixDQUFDLHVCQUF1QixDQUFDLENBQUM7QUFDM0QsQ0FBQztBQU5ELDhDQU1DO0FBRUQsMENBQWlHO0FBQXhGLDBHQUFBLGlCQUFpQixPQUFBIn0=

package/dist/services/authorization/internal/action-permission.d.ts

@@ -0,0 +1,16 @@
+import { AgentOptionsWithDefaults } from '../../../types';
+export declare type ActionPermissionOptions = Pick<AgentOptionsWithDefaults, 'forestServerUrl' | 'envSecret' | 'isProduction' | 'permissionsCacheDurationInSeconds'>;
+export default class ActionPermissionService {
+    private readonly options;
+    private permissionsPromise;
+    private permissionExpirationTimestamp;
+    constructor(options: ActionPermissionOptions);
+    canOneOf(userId: string, actionNames: string[]): Promise<boolean>;
+    can(userId: string, actionName: string): Promise<boolean>;
+    private hasPermissionOrRefetch;
+    private isAllowedOneOf;
+    private isAllowed;
+    private getPermissions;
+    private fetchEnvironmentPermissions;
+}
+//# sourceMappingURL=action-permission.d.ts.map

package/dist/services/authorization/internal/action-permission.js

@@ -0,0 +1,68 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const forest_http_api_1 = __importDefault(require("../../../utils/forest-http-api"));
+const generate_actions_from_permissions_1 = __importDefault(require("./generate-actions-from-permissions"));
+class ActionPermissionService {
+    constructor(options) {
+        this.options = options;
+    }
+    canOneOf(userId, actionNames) {
+        return this.hasPermissionOrRefetch({
+            userId,
+            actionNames,
+            allowRefetch: true,
+        });
+    }
+    can(userId, actionName) {
+        return this.hasPermissionOrRefetch({
+            userId,
+            actionNames: [actionName],
+            allowRefetch: true,
+        });
+    }
+    async hasPermissionOrRefetch({ userId, actionNames, allowRefetch, }) {
+        const permissions = await this.getPermissions();
+        const isAllowed = this.isAllowedOneOf({ permissions, actionNames, userId });
+        if (!isAllowed && allowRefetch) {
+            this.permissionsPromise = undefined;
+            this.permissionExpirationTimestamp = undefined;
+            return this.hasPermissionOrRefetch({
+                userId,
+                actionNames,
+                allowRefetch: false,
+            });
+        }
+        return isAllowed;
+    }
+    isAllowedOneOf({ permissions, actionNames, userId, }) {
+        return actionNames.some(actionName => this.isAllowed({ permissions, actionName, userId }));
+    }
+    isAllowed({ permissions, actionName, userId, }) {
+        return (permissions.everythingAllowed ||
+            permissions.actionsGloballyAllowed.has(actionName) ||
+            permissions.actionsAllowedByUser.get(actionName)?.has(userId));
+    }
+    async getPermissions() {
+        if (this.permissionsPromise &&
+            this.permissionExpirationTimestamp &&
+            this.permissionExpirationTimestamp > Date.now()) {
+            return this.permissionsPromise;
+        }
+        this.permissionsPromise = this.fetchEnvironmentPermissions();
+        this.permissionExpirationTimestamp =
+            Date.now() + this.options.permissionsCacheDurationInSeconds * 1000;
+        return this.permissionsPromise;
+    }
+    async fetchEnvironmentPermissions() {
+        const [rawPermissions, users] = await Promise.all([
+            forest_http_api_1.default.getEnvironmentPermissions(this.options),
+            forest_http_api_1.default.getUsers(this.options),
+        ]);
+        return (0, generate_actions_from_permissions_1.default)(rawPermissions, users);
+    }
+}
+exports.default = ActionPermissionService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWN0aW9uLXBlcm1pc3Npb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbnRlcm5hbC9hY3Rpb24tcGVybWlzc2lvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUNBLHFGQUEyRDtBQUMzRCw0R0FFNkM7QUFPN0MsTUFBcUIsdUJBQXVCO0lBSTFDLFlBQTZCLE9BQWdDO1FBQWhDLFlBQU8sR0FBUCxPQUFPLENBQXlCO0lBQUcsQ0FBQztJQUUxRCxRQUFRLENBQUMsTUFBYyxFQUFFLFdBQXFCO1FBQ25ELE9BQU8sSUFBSSxDQUFDLHNCQUFzQixDQUFDO1lBQ2pDLE1BQU07WUFDTixXQUFXO1lBQ1gsWUFBWSxFQUFFLElBQUk7U0FDbkIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVNLEdBQUcsQ0FBQyxNQUFjLEVBQUUsVUFBa0I7UUFDM0MsT0FBTyxJQUFJLENBQUMsc0JBQXNCLENBQUM7WUFDakMsTUFBTTtZQUNOLFdBQVcsRUFBRSxDQUFDLFVBQVUsQ0FBQztZQUN6QixZQUFZLEVBQUUsSUFBSTtTQUNuQixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRU8sS0FBSyxDQUFDLHNCQUFzQixDQUFDLEVBQ25DLE1BQU0sRUFDTixXQUFXLEVBQ1gsWUFBWSxHQUtiO1FBQ0MsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFDaEQsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxFQUFFLFdBQVcsRUFBRSxXQUFXLEVBQUUsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUU1RSxJQUFJLENBQUMsU0FBUyxJQUFJLFlBQVksRUFBRTtZQUM5QixJQUFJLENBQUMsa0JBQWtCLEdBQUcsU0FBUyxDQUFDO1lBQ3BDLElBQUksQ0FBQyw2QkFBNkIsR0FBRyxTQUFTLENBQUM7WUFFL0MsT0FBTyxJQUFJLENBQUMsc0JBQXNCLENBQUM7Z0JBQ2pDLE1BQU07Z0JBQ04sV0FBVztnQkFDWCxZQUFZLEVBQUUsS0FBSzthQUNwQixDQUFDLENBQUM7U0FDSjtRQUVELE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7SUFFTyxjQUFjLENBQUMsRUFDckIsV0FBVyxFQUNYLFdBQVcsRUFDWCxNQUFNLEdBS1A7UUFDQyxPQUFPLFdBQVcsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLEVBQUUsV0FBVyxFQUFFLFVBQVUsRUFBRSxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDN0YsQ0FBQztJQUVPLFNBQVMsQ0FBQyxFQUNoQixXQUFXLEVBQ1gsVUFBVSxFQUNWLE1BQU0sR0FLUDtRQUNDLE9BQU8sQ0FDTCxXQUFXLENBQUMsaUJBQWlCO1lBQzdCLFdBQVcsQ0FBQyxzQkFBc0IsQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDO1lBQ2xELFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUM5RCxDQUFDO0lBQ0osQ0FBQztJQUVPLEtBQUssQ0FBQyxjQUFjO1FBQzFCLElBQ0UsSUFBSSxDQUFDLGtCQUFrQjtZQUN2QixJQUFJLENBQUMsNkJBQTZCO1lBQ2xDLElBQUksQ0FBQyw2QkFBNkIsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLEVBQy9DO1lBQ0EsT0FBTyxJQUFJLENBQUMsa0JBQWtCLENBQUM7U0FDaEM7UUFFRCxJQUFJLENBQUMsa0JBQWtCLEdBQUcsSUFBSSxDQUFDLDJCQUEyQixFQUFFLENBQUM7UUFDN0QsSUFBSSxDQUFDLDZCQUE2QjtZQUNoQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxpQ0FBaUMsR0FBRyxJQUFJLENBQUM7UUFFckUsT0FBTyxJQUFJLENBQUMsa0JBQWtCLENBQUM7SUFDakMsQ0FBQztJQUVPLEtBQUssQ0FBQywyQkFBMkI7UUFDdkMsTUFBTSxDQUFDLGNBQWMsRUFBRSxLQUFLLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7WUFDaEQseUJBQWEsQ0FBQyx5QkFBeUIsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDO1lBQ3JELHlCQUFhLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7U0FDckMsQ0FBQyxDQUFDO1FBRUgsT0FBTyxJQUFBLDJDQUE4QixFQUFDLGNBQWMsRUFBRSxLQUFLLENBQUMsQ0FBQztJQUMvRCxDQUFDO0NBQ0Y7QUFwR0QsMENBb0dDIn0=

package/dist/services/authorization/internal/generate-action-identifier.d.ts

@@ -0,0 +1,4 @@
+import { CollectionActionEvent, CustomActionEvent } from './types';
+export declare function generateCustomActionIdentifier(actionEventName: CustomActionEvent, customActionName: string, collectionName: string): string;
+export declare function generateCollectionActionIdentifier(action: CollectionActionEvent, collectionName: string): string;
+//# sourceMappingURL=generate-action-identifier.d.ts.map

package/dist/services/authorization/internal/generate-action-identifier.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCollectionActionIdentifier = exports.generateCustomActionIdentifier = void 0;
+function generateCustomActionIdentifier(actionEventName, customActionName, collectionName) {
+    return `custom:${collectionName}:${customActionName}:${actionEventName}`;
+}
+exports.generateCustomActionIdentifier = generateCustomActionIdentifier;
+function generateCollectionActionIdentifier(action, collectionName) {
+    return `collection:${collectionName}:${action}`;
+}
+exports.generateCollectionActionIdentifier = generateCollectionActionIdentifier;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdGUtYWN0aW9uLWlkZW50aWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbnRlcm5hbC9nZW5lcmF0ZS1hY3Rpb24taWRlbnRpZmllci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFFQSxTQUFnQiw4QkFBOEIsQ0FDNUMsZUFBa0MsRUFDbEMsZ0JBQXdCLEVBQ3hCLGNBQXNCO0lBRXRCLE9BQU8sVUFBVSxjQUFjLElBQUksZ0JBQWdCLElBQUksZUFBZSxFQUFFLENBQUM7QUFDM0UsQ0FBQztBQU5ELHdFQU1DO0FBRUQsU0FBZ0Isa0NBQWtDLENBQ2hELE1BQTZCLEVBQzdCLGNBQXNCO0lBRXRCLE9BQU8sY0FBYyxjQUFjLElBQUksTUFBTSxFQUFFLENBQUM7QUFDbEQsQ0FBQztBQUxELGdGQUtDIn0=

package/dist/services/authorization/internal/generate-actions-from-permissions.d.ts

@@ -0,0 +1,8 @@
+import { EnvironmentPermissionsV4, UserPermissionV4 } from './types';
+export declare type ActionPermissions = {
+    everythingAllowed: boolean;
+    actionsGloballyAllowed: Set<string>;
+    actionsAllowedByUser: Map<string, Set<string>>;
+};
+export default function generateActionsFromPermissions(environmentPermissions: EnvironmentPermissionsV4, users: UserPermissionV4[]): ActionPermissions;
+//# sourceMappingURL=generate-actions-from-permissions.d.ts.map

package/dist/services/authorization/internal/generate-actions-from-permissions.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const types_1 = require("./types");
+const generate_action_identifier_1 = require("./generate-action-identifier");
+function generateCollectionPermissions(permissions) {
+    return Object.entries(permissions).reduce((acc, [collectionId, collectionPermissions]) => {
+        const { collection } = collectionPermissions;
+        return {
+            ...acc,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Browse, collectionId)]: collection.browseEnabled,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Read, collectionId)]: collection.readEnabled,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Edit, collectionId)]: collection.editEnabled,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Add, collectionId)]: collection.addEnabled,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Delete, collectionId)]: collection.deleteEnabled,
+            [(0, generate_action_identifier_1.generateCollectionActionIdentifier)(types_1.CollectionActionEvent.Export, collectionId)]: collection.exportEnabled,
+        };
+    }, {});
+}
+function generateCollectionActionPermission(collectionId, actions) {
+    return Object.entries(actions).reduce((acc, [actionName, actionPermissions]) => {
+        return {
+            ...acc,
+            ...{
+                [(0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.Approve, actionName, collectionId)]: actionPermissions.userApprovalEnabled,
+                [(0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.SelfApprove, actionName, collectionId)]: actionPermissions.selfApprovalEnabled,
+                [(0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.Trigger, actionName, collectionId)]: actionPermissions.triggerEnabled,
+                [(0, generate_action_identifier_1.generateCustomActionIdentifier)(types_1.CustomActionEvent.RequireApproval, actionName, collectionId)]: actionPermissions.approvalRequired,
+            },
+        };
+    }, {});
+}
+function generateActionPermissions(permissions) {
+    return Object.entries(permissions).reduce((acc, [collectionId, collectionPermissions]) => {
+        const { actions } = collectionPermissions;
+        return {
+            ...acc,
+            ...generateCollectionActionPermission(collectionId, actions),
+        };
+    }, {});
+}
+function generateActionsGloballyAllowed(permissions) {
+    return new Set(Object.entries(permissions)
+        .filter(([, permission]) => permission === true)
+        .map(([action]) => action));
+}
+function getUsersForRoles(roles, userIdsByRole) {
+    return new Set(roles.reduce((acc, roleId) => {
+        const userIds = (userIdsByRole.get(roleId) || []).map(userId => `${userId}`);
+        if (userIds) {
+            return [...acc, ...userIds];
+        }
+        return acc;
+    }, []));
+}
+function generateActionsAllowedByUser(permissions, users) {
+    const userIdsByRole = users.reduce((acc, user) => {
+        acc.set(user.roleId, [...(acc.get(user.roleId) || []), user.id]);
+        return acc;
+    }, new Map());
+    return new Map(Object.entries(permissions)
+        .filter(([, permission]) => typeof permission !== 'boolean')
+        .map(([name, permission]) => [
+        name,
+        getUsersForRoles(permission.roles, userIdsByRole),
+    ]));
+}
+function generateActionsFromPermissions(environmentPermissions, users) {
+    if (environmentPermissions === true) {
+        return {
+            everythingAllowed: true,
+            actionsGloballyAllowed: new Set(),
+            actionsAllowedByUser: new Map(),
+        };
+    }
+    const remotePermissions = environmentPermissions;
+    const allPermissions = {
+        ...generateCollectionPermissions(remotePermissions.collections),
+        ...generateActionPermissions(remotePermissions.collections),
+    };
+    return {
+        everythingAllowed: false,
+        actionsGloballyAllowed: generateActionsGloballyAllowed(allPermissions),
+        actionsAllowedByUser: generateActionsAllowedByUser(allPermissions, users),
+    };
+}
+exports.default = generateActionsFromPermissions;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdGUtYWN0aW9ucy1mcm9tLXBlcm1pc3Npb25zLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL3NlcnZpY2VzL2F1dGhvcml6YXRpb24vaW50ZXJuYWwvZ2VuZXJhdGUtYWN0aW9ucy1mcm9tLXBlcm1pc3Npb25zLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsbUNBVWlCO0FBQ2pCLDZFQUdzQztBQVl0QyxTQUFTLDZCQUE2QixDQUNwQyxXQUFnRDtJQUVoRCxPQUFPLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLENBQUMsWUFBWSxFQUFFLHFCQUFxQixDQUFDLEVBQUUsRUFBRTtRQUN2RixNQUFNLEVBQUUsVUFBVSxFQUFFLEdBQUcscUJBQXFCLENBQUM7UUFFN0MsT0FBTztZQUNMLEdBQUcsR0FBRztZQUNOLENBQUMsSUFBQSwrREFBa0MsRUFBQyw2QkFBcUIsQ0FBQyxNQUFNLEVBQUUsWUFBWSxDQUFDLENBQUMsRUFDOUUsVUFBVSxDQUFDLGFBQWE7WUFDMUIsQ0FBQyxJQUFBLCtEQUFrQyxFQUFDLDZCQUFxQixDQUFDLElBQUksRUFBRSxZQUFZLENBQUMsQ0FBQyxFQUM1RSxVQUFVLENBQUMsV0FBVztZQUN4QixDQUFDLElBQUEsK0RBQWtDLEVBQUMsNkJBQXFCLENBQUMsSUFBSSxFQUFFLFlBQVksQ0FBQyxDQUFDLEVBQzVFLFVBQVUsQ0FBQyxXQUFXO1lBQ3hCLENBQUMsSUFBQSwrREFBa0MsRUFBQyw2QkFBcUIsQ0FBQyxHQUFHLEVBQUUsWUFBWSxDQUFDLENBQUMsRUFDM0UsVUFBVSxDQUFDLFVBQVU7WUFDdkIsQ0FBQyxJQUFBLCtEQUFrQyxFQUFDLDZCQUFxQixDQUFDLE1BQU0sRUFBRSxZQUFZLENBQUMsQ0FBQyxFQUM5RSxVQUFVLENBQUMsYUFBYTtZQUMxQixDQUFDLElBQUEsK0RBQWtDLEVBQUMsNkJBQXFCLENBQUMsTUFBTSxFQUFFLFlBQVksQ0FBQyxDQUFDLEVBQzlFLFVBQVUsQ0FBQyxhQUFhO1NBQzNCLENBQUM7SUFDSixDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7QUFDVCxDQUFDO0FBRUQsU0FBUyxrQ0FBa0MsQ0FDekMsWUFBb0IsRUFDcEIsT0FBaUQ7SUFFakQsT0FBTyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxDQUFDLFVBQVUsRUFBRSxpQkFBaUIsQ0FBQyxFQUFFLEVBQUU7UUFDN0UsT0FBTztZQUNMLEdBQUcsR0FBRztZQUNOLEdBQUc7Z0JBQ0QsQ0FBQyxJQUFBLDJEQUE4QixFQUFDLHlCQUFpQixDQUFDLE9BQU8sRUFBRSxVQUFVLEVBQUUsWUFBWSxDQUFDLENBQUMsRUFDbkYsaUJBQWlCLENBQUMsbUJBQW1CO2dCQUN2QyxDQUFDLElBQUEsMkRBQThCLEVBQUMseUJBQWlCLENBQUMsV0FBVyxFQUFFLFVBQVUsRUFBRSxZQUFZLENBQUMsQ0FBQyxFQUN2RixpQkFBaUIsQ0FBQyxtQkFBbUI7Z0JBQ3ZDLENBQUMsSUFBQSwyREFBOEIsRUFBQyx5QkFBaUIsQ0FBQyxPQUFPLEVBQUUsVUFBVSxFQUFFLFlBQVksQ0FBQyxDQUFDLEVBQ25GLGlCQUFpQixDQUFDLGNBQWM7Z0JBQ2xDLENBQUMsSUFBQSwyREFBOEIsRUFDN0IseUJBQWlCLENBQUMsZUFBZSxFQUNqQyxVQUFVLEVBQ1YsWUFBWSxDQUNiLENBQUMsRUFBRSxpQkFBaUIsQ0FBQyxnQkFBZ0I7YUFDdkM7U0FDRixDQUFDO0lBQ0osQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0FBQ1QsQ0FBQztBQUVELFNBQVMseUJBQXlCLENBQ2hDLFdBQWdEO0lBRWhELE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxZQUFZLEVBQUUscUJBQXFCLENBQUMsRUFBRSxFQUFFO1FBQ3ZGLE1BQU0sRUFBRSxPQUFPLEVBQUUsR0FBRyxxQkFBcUIsQ0FBQztRQUUxQyxPQUFPO1lBQ0wsR0FBRyxHQUFHO1lBQ04sR0FBRyxrQ0FBa0MsQ0FBQyxZQUFZLEVBQUUsT0FBTyxDQUFDO1NBQzdELENBQUM7SUFDSixDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7QUFDVCxDQUFDO0FBRUQsU0FBUyw4QkFBOEIsQ0FBQyxXQUFtQztJQUN6RSxPQUFPLElBQUksR0FBRyxDQUNaLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDO1NBQ3hCLE1BQU0sQ0FBQyxDQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsRUFBRSxFQUFFLENBQUMsVUFBVSxLQUFLLElBQUksQ0FBQztTQUMvQyxHQUFHLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxFQUFFLEVBQUUsQ0FBQyxNQUFNLENBQUMsQ0FDN0IsQ0FBQztBQUNKLENBQUM7QUFFRCxTQUFTLGdCQUFnQixDQUFDLEtBQWUsRUFBRSxhQUFvQztJQUM3RSxPQUFPLElBQUksR0FBRyxDQUNaLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsTUFBTSxFQUFFLEVBQUU7UUFDM0IsTUFBTSxPQUFPLEdBQUcsQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLEdBQUcsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUU3RSxJQUFJLE9BQU8sRUFBRTtZQUNYLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxHQUFHLE9BQU8sQ0FBQyxDQUFDO1NBQzdCO1FBRUQsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDLEVBQUUsRUFBRSxDQUFDLENBQ1AsQ0FBQztBQUNKLENBQUM7QUFFRCxTQUFTLDRCQUE0QixDQUNuQyxXQUFtQyxFQUNuQyxLQUF5QjtJQUV6QixNQUFNLGFBQWEsR0FBRyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLElBQUksRUFBRSxFQUFFO1FBQy9DLEdBQUcsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxFQUFFLENBQUMsRUFBRSxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztRQUVqRSxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUMsRUFBRSxJQUFJLEdBQUcsRUFBb0IsQ0FBQyxDQUFDO0lBRWhDLE9BQU8sSUFBSSxHQUFHLENBQ1osTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUM7U0FDeEIsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLFVBQVUsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxPQUFPLFVBQVUsS0FBSyxTQUFTLENBQUM7U0FDM0QsR0FBRyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQzNCLElBQUk7UUFDSixnQkFBZ0IsQ0FBRSxVQUEwQyxDQUFDLEtBQUssRUFBRSxhQUFhLENBQUM7S0FDbkYsQ0FBQyxDQUNMLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBd0IsOEJBQThCLENBQ3BELHNCQUFnRCxFQUNoRCxLQUF5QjtJQUV6QixJQUFJLHNCQUFzQixLQUFLLElBQUksRUFBRTtRQUNuQyxPQUFPO1lBQ0wsaUJBQWlCLEVBQUUsSUFBSTtZQUN2QixzQkFBc0IsRUFBRSxJQUFJLEdBQUcsRUFBRTtZQUNqQyxvQkFBb0IsRUFBRSxJQUFJLEdBQUcsRUFBRTtTQUNoQyxDQUFDO0tBQ0g7SUFFRCxNQUFNLGlCQUFpQixHQUFtQyxzQkFBc0IsQ0FBQztJQUVqRixNQUFNLGNBQWMsR0FBRztRQUNyQixHQUFHLDZCQUE2QixDQUFDLGlCQUFpQixDQUFDLFdBQVcsQ0FBQztRQUMvRCxHQUFHLHlCQUF5QixDQUFDLGlCQUFpQixDQUFDLFdBQVcsQ0FBQztLQUM1RCxDQUFDO0lBRUYsT0FBTztRQUNMLGlCQUFpQixFQUFFLEtBQUs7UUFDeEIsc0JBQXNCLEVBQUUsOEJBQThCLENBQUMsY0FBYyxDQUFDO1FBQ3RFLG9CQUFvQixFQUFFLDRCQUE0QixDQUFDLGNBQWMsRUFBRSxLQUFLLENBQUM7S0FDMUUsQ0FBQztBQUNKLENBQUM7QUF4QkQsaURBd0JDIn0=

package/dist/services/authorization/internal/types.d.ts

@@ -0,0 +1,61 @@
+export declare type EnvironmentPermissionsV4 = EnvironmentPermissionsV4Remote | true;
+export declare type RightDescriptionWithRolesV4 = {
+    roles: number[];
+};
+export declare type RightDescriptionV4 = boolean | RightDescriptionWithRolesV4;
+export interface EnvironmentCollectionAccessPermissionsV4 {
+    browseEnabled: RightDescriptionV4;
+    readEnabled: RightDescriptionV4;
+    editEnabled: RightDescriptionV4;
+    addEnabled: RightDescriptionV4;
+    deleteEnabled: RightDescriptionV4;
+    exportEnabled: RightDescriptionV4;
+}
+export interface EnvironmentSmartActionPermissionsV4 {
+    triggerEnabled: RightDescriptionV4;
+    approvalRequired: RightDescriptionV4;
+    userApprovalEnabled: RightDescriptionV4;
+    selfApprovalEnabled: RightDescriptionV4;
+}
+export interface EnvironmentCollectionActionPermissionsV4 {
+    [actionName: string]: EnvironmentSmartActionPermissionsV4;
+}
+export interface EnvironmentCollectionPermissionsV4 {
+    collection: EnvironmentCollectionAccessPermissionsV4;
+    actions: EnvironmentCollectionActionPermissionsV4;
+}
+export interface EnvironmentCollectionsPermissionsV4 {
+    [id: string]: EnvironmentCollectionPermissionsV4;
+}
+export interface EnvironmentPermissionsV4Remote {
+    collections: EnvironmentCollectionsPermissionsV4;
+}
+export declare enum PermissionLevel {
+    Admin = "admin",
+    User = "user",
+    Developer = "developer"
+}
+export declare type UserPermissionV4 = {
+    id: number;
+    firstName: string;
+    lastName: string;
+    email: string;
+    roleId: number;
+    permissionLevel: PermissionLevel;
+    tags: Record<string, string>;
+};
+export declare enum CollectionActionEvent {
+    Browse = "browse",
+    Export = "export",
+    Read = "read",
+    Edit = "edit",
+    Delete = "delete",
+    Add = "add"
+}
+export declare enum CustomActionEvent {
+    Trigger = "trigger",
+    Approve = "approve",
+    SelfApprove = "self-approve",
+    RequireApproval = "require-approval"
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/services/authorization/internal/types.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CustomActionEvent = exports.CollectionActionEvent = exports.PermissionLevel = void 0;
+var PermissionLevel;
+(function (PermissionLevel) {
+    PermissionLevel["Admin"] = "admin";
+    PermissionLevel["User"] = "user";
+    PermissionLevel["Developer"] = "developer";
+})(PermissionLevel = exports.PermissionLevel || (exports.PermissionLevel = {}));
+var CollectionActionEvent;
+(function (CollectionActionEvent) {
+    CollectionActionEvent["Browse"] = "browse";
+    CollectionActionEvent["Export"] = "export";
+    CollectionActionEvent["Read"] = "read";
+    CollectionActionEvent["Edit"] = "edit";
+    CollectionActionEvent["Delete"] = "delete";
+    CollectionActionEvent["Add"] = "add";
+})(CollectionActionEvent = exports.CollectionActionEvent || (exports.CollectionActionEvent = {}));
+var CustomActionEvent;
+(function (CustomActionEvent) {
+    CustomActionEvent["Trigger"] = "trigger";
+    CustomActionEvent["Approve"] = "approve";
+    CustomActionEvent["SelfApprove"] = "self-approve";
+    CustomActionEvent["RequireApproval"] = "require-approval";
+})(CustomActionEvent = exports.CustomActionEvent || (exports.CustomActionEvent = {}));
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbnRlcm5hbC90eXBlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFzQ0EsSUFBWSxlQUlYO0FBSkQsV0FBWSxlQUFlO0lBQ3pCLGtDQUFlLENBQUE7SUFDZixnQ0FBYSxDQUFBO0lBQ2IsMENBQXVCLENBQUE7QUFDekIsQ0FBQyxFQUpXLGVBQWUsR0FBZix1QkFBZSxLQUFmLHVCQUFlLFFBSTFCO0FBWUQsSUFBWSxxQkFPWDtBQVBELFdBQVkscUJBQXFCO0lBQy9CLDBDQUFpQixDQUFBO0lBQ2pCLDBDQUFpQixDQUFBO0lBQ2pCLHNDQUFhLENBQUE7SUFDYixzQ0FBYSxDQUFBO0lBQ2IsMENBQWlCLENBQUE7SUFDakIsb0NBQVcsQ0FBQTtBQUNiLENBQUMsRUFQVyxxQkFBcUIsR0FBckIsNkJBQXFCLEtBQXJCLDZCQUFxQixRQU9oQztBQUVELElBQVksaUJBS1g7QUFMRCxXQUFZLGlCQUFpQjtJQUMzQix3Q0FBbUIsQ0FBQTtJQUNuQix3Q0FBbUIsQ0FBQTtJQUNuQixpREFBNEIsQ0FBQTtJQUM1Qix5REFBb0MsQ0FBQTtBQUN0QyxDQUFDLEVBTFcsaUJBQWlCLEdBQWpCLHlCQUFpQixLQUFqQix5QkFBaUIsUUFLNUIifQ==

package/dist/services/index.d.ts

@@ -0,0 +1,12 @@
+import { AgentOptionsWithDefaults } from '../types';
+import AuthorizationService from './authorization/authorization';
+import PermissionService from './permissions';
+import Serializer from './serializer';
+export declare type ForestAdminHttpDriverServices = {
+    permissions: PermissionService;
+    serializer: Serializer;
+    authorization: AuthorizationService;
+};
+declare const _default: (options: AgentOptionsWithDefaults) => ForestAdminHttpDriverServices;
+export default _default;
+//# sourceMappingURL=index.d.ts.map

package/dist/services/index.js

@@ -0,0 +1,16 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const permissions_1 = __importDefault(require("./permissions"));
+const serializer_1 = __importDefault(require("./serializer"));
+const authorization_1 = __importDefault(require("./authorization"));
+exports.default = (options) => {
+    return {
+        permissions: new permissions_1.default(options),
+        authorization: (0, authorization_1.default)(options),
+        serializer: new serializer_1.default(),
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2VydmljZXMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFFQSxnRUFBOEM7QUFDOUMsOERBQXNDO0FBQ3RDLG9FQUEwRDtBQVExRCxrQkFBZSxDQUFDLE9BQWlDLEVBQWlDLEVBQUU7SUFDbEYsT0FBTztRQUNMLFdBQVcsRUFBRSxJQUFJLHFCQUFpQixDQUFDLE9BQU8sQ0FBQztRQUMzQyxhQUFhLEVBQUUsSUFBQSx1QkFBMkIsRUFBQyxPQUFPLENBQUM7UUFDbkQsVUFBVSxFQUFFLElBQUksb0JBQVUsRUFBRTtLQUM3QixDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/services/permissions.d.ts

@@ -0,0 +1,19 @@
+import { Collection, ConditionTree } from '@forestadmin/datasource-toolkit';
+import { Context } from 'koa';
+import { AgentOptionsWithDefaults } from '../types';
+declare type RolesOptions = Pick<AgentOptionsWithDefaults, 'forestServerUrl' | 'envSecret' | 'isProduction' | 'permissionsCacheDurationInSeconds'>;
+export default class PermissionService {
+    private options;
+    private cache;
+    constructor(options: RolesOptions);
+    invalidateCache(renderingId: number): void;
+    /** Checks that a charting query is in the list of allowed queries */
+    canChart(context: Context): Promise<void>;
+    /** Check if a user is allowed to perform a specific action */
+    can(context: Context, action: string, allowRefetch?: boolean): Promise<void>;
+    getScope(collection: Collection, context: Context): Promise<ConditionTree>;
+    /** Get cached version of "rendering permissions" */
+    private getRenderingPermissions;
+}
+export {};
+//# sourceMappingURL=permissions.d.ts.map

package/dist/services/permissions.js

@@ -0,0 +1,85 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const lru_cache_1 = __importDefault(require("lru-cache"));
+const object_hash_1 = __importDefault(require("object-hash"));
+const types_1 = require("../types");
+const condition_tree_parser_1 = __importDefault(require("../utils/condition-tree-parser"));
+const forest_http_api_1 = __importDefault(require("../utils/forest-http-api"));
+class PermissionService {
+    constructor(options) {
+        this.options = options;
+        this.cache = new lru_cache_1.default({
+            max: 256,
+            ttl: this.options.permissionsCacheDurationInSeconds * 1000,
+        });
+    }
+    invalidateCache(renderingId) {
+        this.cache.delete(renderingId);
+    }
+    /** Checks that a charting query is in the list of allowed queries */
+    async canChart(context) {
+        // If the permissions level already allow the chart, no need to check further
+        if (['admin', 'editor', 'developer'].includes(context.state.user.permissionLevel)) {
+            return;
+        }
+        const chart = { ...context.request.body };
+        // When the server sends the data of the allowed charts, the target column is not specified
+        // for relations => allow them all.
+        if (chart?.group_by_field?.includes(':'))
+            chart.group_by_field = chart.group_by_field.substring(0, chart.group_by_field.indexOf(':'));
+        const chartHash = (0, object_hash_1.default)(chart, {
+            respectType: false,
+            excludeKeys: key => chart[key] === null,
+        });
+        await this.can(context, `chart:${chartHash}`);
+    }
+    /** Check if a user is allowed to perform a specific action */
+    async can(context, action, allowRefetch = true) {
+        const { id: userId, renderingId } = context.state.user;
+        const perms = await this.getRenderingPermissions(renderingId);
+        const isAllowed = perms.actions.has(action) || perms.actionsByUser[action]?.has(userId);
+        if (!isAllowed && allowRefetch) {
+            this.invalidateCache(renderingId);
+            return this.can(context, action, false);
+        }
+        if (!isAllowed) {
+            context.throw(types_1.HttpCode.Forbidden, 'Forbidden');
+        }
+    }
+    async getScope(collection, context) {
+        const { user } = context.state;
+        const perms = await this.getRenderingPermissions(user.renderingId);
+        const scopes = perms.scopes[collection.name];
+        if (!scopes)
+            return null;
+        const conditionTree = condition_tree_parser_1.default.fromPlainObject(collection, scopes.conditionTree);
+        return conditionTree.replaceLeafs(leaf => {
+            const dynamicValues = scopes.dynamicScopeValues?.[user.id];
+            if (typeof leaf.value === 'string' && leaf.value.startsWith('$currentUser')) {
+                // Search replacement hash from forestadmin server
+                if (dynamicValues) {
+                    return leaf.override({ value: dynamicValues[leaf.value] });
+                }
+                // Search JWT token (new user)
+                return leaf.override({
+                    value: leaf.value.startsWith('$currentUser.tags.')
+                        ? user.tags[leaf.value.substring(18)]
+                        : user[leaf.value.substring(13)],
+                });
+            }
+            return leaf;
+        });
+    }
+    /** Get cached version of "rendering permissions" */
+    getRenderingPermissions(renderingId) {
+        if (!this.cache.has(renderingId))
+            this.cache.set(renderingId, forest_http_api_1.default.getPermissions(this.options, renderingId));
+        // We already checked the entry is up-to-date with the .has() call => allowStale
+        return this.cache.get(renderingId, { allowStale: true });
+    }
+}
+exports.default = PermissionService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGVybWlzc2lvbnMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2VydmljZXMvcGVybWlzc2lvbnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFFQSwwREFBaUM7QUFDakMsOERBQXFDO0FBRXJDLG9DQUE4RDtBQUM5RCwyRkFBaUU7QUFDakUsK0VBQStFO0FBTy9FLE1BQXFCLGlCQUFpQjtJQUlwQyxZQUFZLE9BQXFCO1FBQy9CLElBQUksQ0FBQyxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3ZCLElBQUksQ0FBQyxLQUFLLEdBQUcsSUFBSSxtQkFBUSxDQUFDO1lBQ3hCLEdBQUcsRUFBRSxHQUFHO1lBQ1IsR0FBRyxFQUFFLElBQUksQ0FBQyxPQUFPLENBQUMsaUNBQWlDLEdBQUcsSUFBSTtTQUMzRCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsZUFBZSxDQUFDLFdBQW1CO1FBQ2pDLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQ2pDLENBQUM7SUFFRCxxRUFBcUU7SUFDckUsS0FBSyxDQUFDLFFBQVEsQ0FBQyxPQUFnQjtRQUM3Qiw2RUFBNkU7UUFDN0UsSUFBSSxDQUFDLE9BQU8sRUFBRSxRQUFRLEVBQUUsV0FBVyxDQUFDLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxFQUFFO1lBQ2pGLE9BQU87U0FDUjtRQUVELE1BQU0sS0FBSyxHQUFHLEVBQUUsR0FBRyxPQUFPLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxDQUFDO1FBRTFDLDJGQUEyRjtRQUMzRixtQ0FBbUM7UUFDbkMsSUFBSSxLQUFLLEVBQUUsY0FBYyxFQUFFLFFBQVEsQ0FBQyxHQUFHLENBQUM7WUFDdEMsS0FBSyxDQUFDLGNBQWMsR0FBRyxLQUFLLENBQUMsY0FBYyxDQUFDLFNBQVMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztRQUU5RixNQUFNLFNBQVMsR0FBRyxJQUFBLHFCQUFVLEVBQUMsS0FBSyxFQUFFO1lBQ2xDLFdBQVcsRUFBRSxLQUFLO1lBQ2xCLFdBQVcsRUFBRSxHQUFHLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsS0FBSyxJQUFJO1NBQ3hDLENBQUMsQ0FBQztRQUVILE1BQU0sSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsU0FBUyxTQUFTLEVBQUUsQ0FBQyxDQUFDO0lBQ2hELENBQUM7SUFFRCw4REFBOEQ7SUFDOUQsS0FBSyxDQUFDLEdBQUcsQ0FBQyxPQUFnQixFQUFFLE1BQWMsRUFBRSxZQUFZLEdBQUcsSUFBSTtRQUM3RCxNQUFNLEVBQUUsRUFBRSxFQUFFLE1BQU0sRUFBRSxXQUFXLEVBQUUsR0FBRyxPQUFPLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQztRQUN2RCxNQUFNLEtBQUssR0FBRyxNQUFNLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUM5RCxNQUFNLFNBQVMsR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsSUFBSSxLQUFLLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUV4RixJQUFJLENBQUMsU0FBUyxJQUFJLFlBQVksRUFBRTtZQUM5QixJQUFJLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBRWxDLE9BQU8sSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsTUFBTSxFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQ3pDO1FBRUQsSUFBSSxDQUFDLFNBQVMsRUFBRTtZQUNkLE9BQU8sQ0FBQyxLQUFLLENBQUMsZ0JBQVEsQ0FBQyxTQUFTLEVBQUUsV0FBVyxDQUFDLENBQUM7U0FDaEQ7SUFDSCxDQUFDO0lBRUQsS0FBSyxDQUFDLFFBQVEsQ0FBQyxVQUFzQixFQUFFLE9BQWdCO1FBQ3JELE1BQU0sRUFBRSxJQUFJLEVBQUUsR0FBRyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQy9CLE1BQU0sS0FBSyxHQUFHLE1BQU0sSUFBSSxDQUFDLHVCQUF1QixDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUNuRSxNQUFNLE1BQU0sR0FBRyxLQUFLLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUU3QyxJQUFJLENBQUMsTUFBTTtZQUFFLE9BQU8sSUFBSSxDQUFDO1FBRXpCLE1BQU0sYUFBYSxHQUFHLCtCQUFtQixDQUFDLGVBQWUsQ0FBQyxVQUFVLEVBQUUsTUFBTSxDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBRTVGLE9BQU8sYUFBYSxDQUFDLFlBQVksQ0FBQyxJQUFJLENBQUMsRUFBRTtZQUN2QyxNQUFNLGFBQWEsR0FBRyxNQUFNLENBQUMsa0JBQWtCLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUM7WUFFM0QsSUFBSSxPQUFPLElBQUksQ0FBQyxLQUFLLEtBQUssUUFBUSxJQUFJLElBQUksQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGNBQWMsQ0FBQyxFQUFFO2dCQUMzRSxrREFBa0Q7Z0JBQ2xELElBQUksYUFBYSxFQUFFO29CQUNqQixPQUFPLElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxLQUFLLEVBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUM7aUJBQzVEO2dCQUVELDhCQUE4QjtnQkFDOUIsT0FBTyxJQUFJLENBQUMsUUFBUSxDQUFDO29CQUNuQixLQUFLLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQUMsb0JBQW9CLENBQUM7d0JBQ2hELENBQUMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxDQUFDO3dCQUNyQyxDQUFDLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxDQUFDO2lCQUNuQyxDQUFDLENBQUM7YUFDSjtZQUVELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsb0RBQW9EO0lBQzVDLHVCQUF1QixDQUFDLFdBQW1CO1FBQ2pELElBQUksQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUM7WUFDOUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsV0FBVyxFQUFFLHlCQUFhLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxPQUFPLEVBQUUsV0FBVyxDQUFDLENBQUMsQ0FBQztRQUV2RixnRkFBZ0Y7UUFDaEYsT0FBTyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsRUFBRSxVQUFVLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztJQUMzRCxDQUFDO0NBQ0Y7QUE3RkQsb0NBNkZDIn0=

package/dist/services/serializer.d.ts

@@ -0,0 +1,12 @@
+import { Collection, RecordData } from '@forestadmin/datasource-toolkit';
+export default class Serializer {
+    private readonly serializers;
+    serialize(collection: Collection, data: RecordData | RecordData[]): unknown;
+    deserialize(collection: Collection, body: unknown): RecordData;
+    serializeWithSearchMetadata(collection: Collection, data: RecordData[], searchValue: string): unknown;
+    private getSerializer;
+    private registerCollection;
+    private buildRelationshipsConfiguration;
+    private stripUndefinedsInPlace;
+}
+//# sourceMappingURL=serializer.d.ts.map