@jmruthers/pace-core 0.5.109 → 0.5.110

package/src/components/NavigationMenu/NavigationMenu.tsx

@@ -462,10 +462,16 @@ export const NavigationMenu = React.forwardRef<
       return (items || []).filter(item => !item.meta?.hidden);
     }
     
-    return (items || []).filter(item => {
-      // Check if item should be hidden
-      if (item.meta?.hidden) return false;
-      
+    // Helper function to derive page ID from href
+    const getPageIdFromHref = (href?: string): string | null => {
+      if (!href) return null;
+      // Remove leading slash and any query params/hash
+      const path = href.split('?')[0].split('#')[0].replace(/^\//, '');
+      return path || 'home';
+    };
+    
+    // Helper function to check if item has permission to be shown
+    const hasItemPermission = (item: NavigationItem): boolean => {
       // Check permissions if available
       if (item.permissions && item.permissions.length > 0) {
         // Convert string permissions to Permission type and check
@@ -547,8 +553,66 @@ export const NavigationMenu = React.forwardRef<
         }
       }
       
+      // NEW: Auto-check page permissions for items with href but no explicit permissions
+      // If item has an href but no explicit permissions/roles/accessLevel, check page permission
+      if (item.href && !item.permissions && !item.roles && !item.accessLevel) {
+        const pageId = item.pageId || getPageIdFromHref(item.href);
+        if (pageId) {
+          // Check for read permission on the page
+          const pagePermission: Permission = `read:page.${pageId}` as Permission;
+          
+          // Check permission map (super admin has access to everything via '*' key)
+          const hasPagePermission = permissionMap['*'] === true || permissionMap[pagePermission] === true;
+          
+          if (!hasPagePermission) {
+            if (auditLog) {
+              console.log(`[NavigationMenu] Filtering out navigation item "${item.label}" - no page permission:`, {
+                itemId: item.id,
+                href: item.href,
+                pageId,
+                permission: pagePermission,
+                hasPermission: hasPagePermission
+              });
+            }
+            return false;
+          }
+        }
+      }
+      
       return true;
-    });
+    };
+    
+    // Helper function to filter items recursively (creates new objects to avoid mutations)
+    const filterItem = (item: NavigationItem): NavigationItem | null => {
+      // Check if item should be hidden
+      if (item.meta?.hidden) return null;
+      
+      // Check if item has permission
+      if (!hasItemPermission(item)) return null;
+      
+      // Recursively filter children if present
+      let filteredChildren: NavigationItem[] | undefined;
+      if (item.children && item.children.length > 0) {
+        filteredChildren = item.children
+          .map(child => filterItem(child))
+          .filter((child): child is NavigationItem => child !== null);
+        
+        // If parent has no accessible children, hide the parent too (unless it has its own href)
+        if (filteredChildren.length === 0 && !item.href) {
+          return null;
+        }
+      }
+      
+      // Return filtered item (with filtered children if applicable)
+      return {
+        ...item,
+        children: filteredChildren
+      };
+    };
+    
+    return (items || [])
+      .map(item => filterItem(item))
+      .filter((item): item is NavigationItem => item !== null);
   }, [
     items, 
     filterByPermissions, 
@@ -558,7 +622,8 @@ export const NavigationMenu = React.forwardRef<
     hasAnyPermission, 
     scopeLoading, 
     permissionsLoading,
-    resolvedScope
+    resolvedScope,
+    auditLog
   ]);
 
   // Log navigation access attempts for debugging

package/src/rbac/api.test.ts

@@ -119,7 +119,7 @@ describe('RBAC API', () => {
       
       process.env.NODE_ENV = originalEnv;
 
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
       expect(mockCreateAuditManager).toHaveBeenCalledWith(mockSupabase);
       expect(mockSetGlobalAuditManager).toHaveBeenCalledWith(mockAuditManager);
       expect(mockLogger.info).toHaveBeenCalledWith('RBAC system initialized successfully');
@@ -203,7 +203,7 @@ describe('RBAC API', () => {
 
       setupRBAC(mockSupabase as any);
 
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
     });
 
     it('handles multiple initialization calls', () => {

package/src/rbac/api.ts

@@ -49,7 +49,8 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   
   createRBACConfig(fullConfig);
   
-  globalEngine = createRBACEngine(supabase);
+  // Pass security config to engine if provided
+  globalEngine = createRBACEngine(supabase, config?.security);
   
   // Setup audit manager
   const auditManager = createAuditManager(supabase);

package/src/rbac/components/PagePermissionGuard.tsx

@@ -148,41 +148,6 @@ const PagePermissionGuardComponent = ({
   const supabaseRef = useRef(supabase);
   supabaseRef.current = supabase;
   
-  // Track the last scope we called useCan with to prevent infinite loops
-  const lastScopeRef = useRef<string | null>(null);
-  
-  // Use a ref to store the stable scope and only update it when it actually changes
-  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ 
-    organisationId: '', 
-    appId: '', 
-    eventId: undefined 
-  });
-  
-  // Only update the stable scope if the resolved scope has actually changed
-  if (resolvedScope && resolvedScope.organisationId) {
-    const newScope = {
-      organisationId: resolvedScope.organisationId,
-      appId: resolvedScope.appId,
-      eventId: resolvedScope.eventId
-    };
-    
-      // Only update if the scope has actually changed
-      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-          stableScopeRef.current.eventId !== newScope.eventId ||
-          stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId || '',
-          eventId: newScope.eventId
-        };
-      }
-  } else if (!resolvedScope) {
-    // Reset to empty scope when no resolved scope
-    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-  }
-  
-  const stableScope = stableScopeRef.current;
-
   // Resolve scope - either use provided scope or resolve from context
   useEffect(() => {
     const abortController = new AbortController();
@@ -412,9 +377,22 @@ const PagePermissionGuardComponent = ({
     return `${operation}:page.${pageName}` as Permission;
   }, [operation, pageName]);
 
+  // Create a stable scope that only includes valid values
+  // This ensures useCan doesn't run with empty organisationId which causes it to stay in loading state
+  const stableScope = useMemo(() => {
+    if (resolvedScope && resolvedScope.organisationId) {
+      return {
+        organisationId: resolvedScope.organisationId,
+        appId: resolvedScope.appId || undefined,
+        eventId: resolvedScope.eventId || undefined
+      };
+    }
+    // Return a scope with empty string organisationId - useCan will handle this by keeping loading state
+    return { organisationId: '', appId: undefined, eventId: undefined };
+  }, [resolvedScope]);
 
-  // Check if user has permission - only call useCan when we have a resolved scope
-  // If resolvedScope is null, we're still resolving, so show loading state
+  // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId
+  // If resolvedScope is null or has no organisationId, useCan will keep isLoading=true
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     user?.id || '',
     stableScope,
@@ -464,12 +442,17 @@ const PagePermissionGuardComponent = ({
       console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
         pageName,
         operation,
+        permission: `${operation}:page.${pageName}`,
+        pageId: effectivePageId,
         userId: user?.id,
         scope: resolvedScope,
+        scopeValid: resolvedScope && resolvedScope.organisationId ? true : false,
+        checkError,
+        canError,
         timestamp: new Date().toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
+  }, [strictMode, hasChecked, isLoading, can, pageName, operation, effectivePageId, user?.id, resolvedScope, checkError, canError]);
 
   // Calculate the actual render state - FIXED: Proper state calculation
   // Add defensive checks to ensure we have valid state

package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx

@@ -949,7 +949,7 @@ describe('PagePermissionGuard Component', () => {
         expect.objectContaining({
           organisationId: '',
           eventId: undefined,
-          appId: ''
+          appId: undefined  // appId is optional and should be undefined when not resolved
         }),
         'read:page.dashboard',
         'dashboard',

package/src/rbac/config.ts

@@ -9,6 +9,7 @@
 
 import { SupabaseClient } from '@supabase/supabase-js';
 import { Database } from '../types/database';
+import { RBACSecurityConfig } from './security';
 
 export type LogLevel = 'error' | 'warn' | 'info' | 'debug';
 
@@ -26,6 +27,7 @@ export interface RBACConfig {
     enabled?: boolean;
     logLevel?: LogLevel;
   };
+  security?: Partial<RBACSecurityConfig>;
 }
 
 export interface RBACLogger {

package/src/rbac/engine.ts

@@ -36,7 +36,8 @@ import {
   RBACSecurityValidator, 
   RBACSecurityMiddleware, 
   SecurityContext,
-  DEFAULT_SECURITY_CONFIG 
+  DEFAULT_SECURITY_CONFIG,
+  RBACSecurityConfig
 } from './security';
 
 /**
@@ -49,9 +50,14 @@ export class RBACEngine {
   private supabase: SupabaseClient<Database>;
   private securityMiddleware: RBACSecurityMiddleware;
 
-  constructor(supabase: SupabaseClient<Database>) {
+  constructor(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>) {
     this.supabase = supabase;
-    this.securityMiddleware = new RBACSecurityMiddleware(DEFAULT_SECURITY_CONFIG);
+    // Merge provided security config with defaults
+    const mergedSecurityConfig: RBACSecurityConfig = {
+      ...DEFAULT_SECURITY_CONFIG,
+      ...securityConfig,
+    };
+    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
     
     // Initialize cache invalidation for automatic cache clearing
     initializeCacheInvalidation(supabase);
@@ -589,9 +595,13 @@ export class RBACEngine {
  * Create an RBAC engine instance
  * 
  * @param supabase - Supabase client
+ * @param securityConfig - Optional security configuration
  * @returns RBACEngine instance
  */
-export function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine {
-  return new RBACEngine(supabase);
+export function createRBACEngine(
+  supabase: SupabaseClient<Database>,
+  securityConfig?: Partial<RBACSecurityConfig>
+): RBACEngine {
+  return new RBACEngine(supabase, securityConfig);
 }
 

package/src/rbac/security.ts

@@ -251,7 +251,7 @@ export const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {
   enableInputValidation: true,
   enableRateLimiting: true,
   enableAuditLogging: true,
-  maxPermissionChecksPerMinute: 100,
+  maxPermissionChecksPerMinute: 1000, // Increased from 100 to 1000 for normal app usage
   suspiciousActivityThreshold: 10,
 };