@holoyan/adonisjs-permissions 1.3.3 → 1.3.4

package/README.md

@@ -2,6 +2,7 @@
 
 Checkout other AdonisJS packages
 
+- [AdonisJs Lucid Polymorphic Relations](https://github.com/holoyan/adonisjs-polymorphic)
 - [AdonisJs activity log](https://github.com/holoyan/adonisjs-activitylog)
 
 [//]: # ([![test](https://github.com/holoyan/adonisjs-permissions/actions/workflows/test.yml/badge.svg)](https://github.com/holoyan/adonisjs-permissions/actions/workflows/test.yml))
@@ -14,8 +15,8 @@ Checkout other AdonisJS packages
 
 ## Release Notes
 
-Version: >= v1.3.2
-* Fixed `permissionQueryHelpers()` mixin leaking internal relations (`_roles`, `_permissions`, `_model_roles`) into the public `related()` API, which caused incorrect IDE type inference on user-defined relations
+Version: v1.3.4
+* Fixed `PermissionsService.forbidden()` returning `false` for explicitly denied permissions ([#36](https://github.com/holoyan/adonisjs-permissions/issues/36)). The method was missing `await` on an async call (`!Promise` is always `false`) and used the wrong semantic (negating `hasAny` conflated "never granted" with "explicitly denied"). It now queries the forbid rows directly and is correctly `async`.
 
 ## Table of Contents
 

package/build/src/services/permissions/permissions_service.d.ts

@@ -78,9 +78,9 @@ export default class PermissionsService extends BaseService {
      */
     containsAnyDirect(modelType: string, modelId: ModelIdType, permission: string[]): Promise<boolean>;
     /**
-     * check if permission is forbidden, if there is same permission with allowed=false then return true;
+     * check if permission is forbidden if there is the same permission with allowed=false then return true;
      */
-    forbidden(modelType: string, modelId: ModelIdType, permission: string, entityType: string | null, entityId: ModelIdType | null): boolean;
+    forbidden(modelType: string, modelId: ModelIdType, permission: string, entityType: string | null, entityId: ModelIdType | null): Promise<boolean>;
     /**
      * give permission to model
      */

package/build/src/services/permissions/permissions_service.js

@@ -291,10 +291,24 @@ export default class PermissionsService extends BaseService {
         return r.length > 0;
     }
     /**
-     * check if permission is forbidden, if there is same permission with allowed=false then return true;
+     * check if permission is forbidden if there is the same permission with allowed=false then return true;
      */
-    forbidden(modelType, modelId, permission, entityType, entityId) {
-        return !this.hasAny(modelType, modelId, [permission], entityType, entityId);
+    async forbidden(modelType, modelId, permission, entityType, entityId) {
+        const { slugs, ids } = this.formatList([permission]);
+        const q = this.permissionQuery
+            .leftJoin(this.modelPermissionTable + ' as mp', 'mp.permission_id', '=', this.permissionTable + '.id')
+            .where('mp.model_type', modelType)
+            .where('mp.model_id', modelId)
+            .where(this.permissionTable + '.allowed', false)
+            .where((sub) => {
+            if (slugs.length)
+                sub.orWhereIn(this.permissionTable + '.slug', slugs);
+            if (ids.length)
+                sub.orWhereIn(this.permissionTable + '.id', ids);
+        });
+        this.applyTargetRestriction(this.permissionTable, q, entityType, entityId);
+        const r = await q.select(this.permissionTable + '.id').limit(1);
+        return r.length > 0;
     }
     /**
      * give permission to model

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@holoyan/adonisjs-permissions",
   "description": "AdonisJs roles and permissions system",
-  "version": "1.3.3",
+  "version": "1.3.4",
   "engines": {
     "node": ">=18.16.0"
   },