npm - @jmruthers/pace-core - Versions diffs - 0.5.185 → 0.5.186 - Mend

@jmruthers/pace-core 0.5.185 → 0.5.186

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

package/src/rbac/__tests__/rbac-role-isolation.test.ts ADDED Viewed

@@ -0,0 +1,456 @@
+/**
+ * @file RBAC Role Isolation Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Tests
+ * @since 2.0.0
+ *
+ * Regression tests for RBAC role isolation security fix.
+ *
+ * These tests verify that organisation roles (e.g., 'leader', 'member') do NOT
+ * implicitly grant event-app page permissions. Only the user's actual event-app
+ * role (e.g., 'planner', 'event_admin') should determine page permissions.
+ *
+ * Bug Reference: Organisation role bypasses event-app page permissions
+ * Security Impact: HIGH
+ */
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { RBACEngine } from '../engine';
+import {
+  UUID,
+  Permission,
+  Scope,
+  PermissionCheck
+} from '../types';
+import { rbacCache } from '../cache';
+// Mock Supabase client
+const createMockSupabaseClient = () => ({
+  from: vi.fn(() => ({
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn().mockReturnThis(),
+    neq: vi.fn().mockReturnThis(),
+    in: vi.fn().mockReturnThis(),
+    is: vi.fn().mockReturnThis(),
+    lte: vi.fn().mockReturnThis(),
+    or: vi.fn().mockReturnThis(),
+    limit: vi.fn().mockResolvedValue({
+      data: [],
+      error: null
+    }),
+    single: vi.fn(),
+    maybeSingle: vi.fn(),
+  })),
+  rpc: vi.fn(),
+});
+// Test data matching the bug report scenario
+const testData = {
+  userId: '00000000-0000-0000-0000-000000000001' as UUID,
+  organisationId: '00000000-0000-0000-0000-000000000002' as UUID, // scouts-victoria
+  eventId: 'baloo-bistro-event-123',
+  appId: '00000000-0000-0000-0000-000000000003' as UUID, // BASE app
+  pageId: '00000000-0000-0000-0000-000000000004' as UUID, // configuration page
+  pageName: 'configuration'
+};
+describe('RBAC Role Isolation Tests', () => {
+  let engine: RBACEngine;
+  let mockSupabase: any;
+  beforeEach(() => {
+    mockSupabase = createMockSupabaseClient();
+    engine = new RBACEngine(mockSupabase as any);
+    rbacCache.clear();
+  });
+  afterEach(() => {
+    vi.clearAllMocks();
+    rbacCache.clear();
+  });
+  describe('Organisation Role vs Event-App Role Isolation', () => {
+    /**
+     * Bug Scenario:
+     * - User has organisation role: 'leader' (for scouts-victoria)
+     * - User has event-app role: 'planner' (for BASE app)
+     * - Page permissions: 'event_admin' has full CRUD, 'planner' has only 'read'
+     * - User should NOT get 'update' permission just because they are a 'leader'
+     */
+    it('should deny update permission when user has leader org role but planner event-app role', async () => {
+      // Mock: rbac_check_permission_simplified should return FALSE
+      // because 'planner' only has 'read' permission, not 'update'
+      // The 'leader' org role should NOT grant implicit page permissions
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      // CRITICAL: Permission must be denied
+      expect(result).toBe(false);
+      // Verify the RPC was called with correct parameters
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'rbac_check_permission_simplified',
+        expect.objectContaining({
+          p_user_id: testData.userId,
+          p_permission: 'update:page.configuration',
+          p_organisation_id: testData.organisationId,
+          p_event_id: testData.eventId,
+          p_app_id: testData.appId,
+          p_page_id: testData.pageId
+        })
+      );
+    });
+    it('should allow read permission when user has planner event-app role', async () => {
+      // Mock: rbac_check_permission_simplified should return TRUE
+      // because 'planner' has 'read' permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(true);
+    });
+    it('should deny delete permission when user has planner event-app role', async () => {
+      // 'planner' should NOT have delete permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(false);
+    });
+    it('should deny create permission when user has planner event-app role', async () => {
+      // 'planner' should NOT have create permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'create:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(false);
+    });
+  });
+  describe('Event Admin Role Permissions', () => {
+    it('should allow full CRUD when user has event_admin role', async () => {
+      // event_admin should have all permissions
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const operations = ['read', 'create', 'update', 'delete'];
+      for (const operation of operations) {
+        const permissionCheck: PermissionCheck = {
+          userId: testData.userId,
+          scope,
+          permission: `${operation}:page.configuration` as Permission,
+          pageId: testData.pageId
+        };
+        const result = await engine.isPermitted(permissionCheck, securityContext);
+        expect(result).toBe(true);
+      }
+    });
+  });
+  describe('Super Admin Bypass', () => {
+    it('should allow all permissions for super_admin regardless of event-app role', async () => {
+      // Super admin bypasses all checks
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(true);
+    });
+  });
+  describe('Org Admin Bypass', () => {
+    it('should allow org_admin to have all permissions within their organisation', async () => {
+      // org_admin has all permissions within their org (org-level bypass)
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(true);
+    });
+  });
+  describe('Role Isolation Edge Cases', () => {
+    it('should not leak permissions from organisation role to event-app context', async () => {
+      // Even if user has a high-level org role (like 'leader'), they should NOT
+      // get event-app page permissions unless their event-app role grants it
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      // Test with page name instead of UUID (the bug could manifest differently)
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageName // Using page name
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(false);
+    });
+    it('should deny permission when user has no event-app role at all', async () => {
+      // User with org membership but no event-app role should be denied
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(false);
+    });
+    it('should handle mixed permission checks correctly', async () => {
+      // Test scenario: user has 'planner' role which grants 'read' but not 'update'
+      // First call returns true (read), subsequent calls return false (update, create, delete)
+      const rpcResponses = [
+        { data: true, error: null },  // read: allowed
+        { data: false, error: null }, // update: denied
+        { data: false, error: null }, // create: denied
+        { data: false, error: null }  // delete: denied
+      ];
+      let callIndex = 0;
+      mockSupabase.rpc.mockImplementation(() => {
+        const response = rpcResponses[callIndex];
+        callIndex++;
+        return Promise.resolve(response);
+      });
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+      // Test read permission (should be allowed for planner)
+      const readResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(readResult).toBe(true);
+      // Test update permission (should be denied for planner)
+      const updateResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(updateResult).toBe(false);
+      // Test create permission (should be denied for planner)
+      const createResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'create:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(createResult).toBe(false);
+      // Test delete permission (should be denied for planner)
+      const deleteResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(deleteResult).toBe(false);
+    });
+  });
+});

package/src/styles/core.css CHANGED Viewed

@@ -240,14 +240,14 @@
   /* Custom utility styles go here */
-  /* Hide spinner arrows on number inputs in DataTable */
-  .datatable-number-no-spinners::-webkit-inner-spin-button,
-  .datatable-number-no-spinners::-webkit-outer-spin-button {
+  /* Hide spinner arrows on all number inputs (modern UX convention) */
+  input[type="number"]::-webkit-inner-spin-button,
+  input[type="number"]::-webkit-outer-spin-button {
     -webkit-appearance: none;
     margin: 0;
   }
-  .datatable-number-no-spinners {
+  input[type="number"] {
     -moz-appearance: textfield;
   }
 }

package/src/types/database.generated.ts CHANGED Viewed

@@ -3320,13 +3320,13 @@ export type Database = {
           },
         ]
       }
-      pace_id_documents: {
+      pace_identification: {
         Row: {
           created_at: string | null
           document_number: string | null
-          document_type: string
           expiry_date: string | null
           id: string
+          identification_type_id: number | null
           issue_city: string | null
           issue_country: string | null
           issue_date: string | null
@@ -3339,9 +3339,9 @@ export type Database = {
         Insert: {
           created_at?: string | null
           document_number?: string | null
-          document_type: string
           expiry_date?: string | null
           id?: string
+          identification_type_id?: number | null
           issue_city?: string | null
           issue_country?: string | null
           issue_date?: string | null
@@ -3354,9 +3354,9 @@ export type Database = {
         Update: {
           created_at?: string | null
           document_number?: string | null
-          document_type?: string
           expiry_date?: string | null
           id?: string
+          identification_type_id?: number | null
           issue_city?: string | null
           issue_country?: string | null
           issue_date?: string | null
@@ -3368,14 +3368,21 @@ export type Database = {
         }
         Relationships: [
           {
-            foreignKeyName: "fk_pace_id_documents_organisation_id"
+            foreignKeyName: "fk_pace_identification_organisation_id"
             columns: ["organisation_id"]
             isOneToOne: false
             referencedRelation: "organisations"
             referencedColumns: ["id"]
           },
           {
-            foreignKeyName: "identification_documents_member_id_fkey"
+            foreignKeyName: "fk_pace_identification_type_id"
+            columns: ["identification_type_id"]
+            isOneToOne: false
+            referencedRelation: "pace_identification_type"
+            referencedColumns: ["id"]
+          },
+          {
+            foreignKeyName: "pace_identification_member_id_fkey"
             columns: ["member_id"]
             isOneToOne: false
             referencedRelation: "pace_member"
@@ -3383,6 +3390,53 @@ export type Database = {
           },
         ]
       }
+      pace_identification_type: {
+        Row: {
+          created_at: string | null
+          created_by: string | null
+          description: string | null
+          id: number
+          is_active: boolean | null
+          name: string
+          organisation_id: string
+          sort_order: number | null
+          updated_at: string | null
+          updated_by: string | null
+        }
+        Insert: {
+          created_at?: string | null
+          created_by?: string | null
+          description?: string | null
+          id?: never
+          is_active?: boolean | null
+          name: string
+          organisation_id: string
+          sort_order?: number | null
+          updated_at?: string | null
+          updated_by?: string | null
+        }
+        Update: {
+          created_at?: string | null
+          created_by?: string | null
+          description?: string | null
+          id?: never
+          is_active?: boolean | null
+          name?: string
+          organisation_id?: string
+          sort_order?: number | null
+          updated_at?: string | null
+          updated_by?: string | null
+        }
+        Relationships: [
+          {
+            foreignKeyName: "pace_identification_type_organisation_id_fkey"
+            columns: ["organisation_id"]
+            isOneToOne: false
+            referencedRelation: "organisations"
+            referencedColumns: ["id"]
+          },
+        ]
+      }
       pace_member: {
         Row: {
           address_id: string | null
@@ -3858,7 +3912,7 @@ export type Database = {
           },
         ]
       }
-      pace_qualifications: {
+      pace_qualification: {
         Row: {
           created_at: string | null
           credential_id: string | null
@@ -3900,14 +3954,14 @@ export type Database = {
         }
         Relationships: [
           {
-            foreignKeyName: "fk_pace_qualifications_organisation_id"
+            foreignKeyName: "fk_pace_qualification_organisation_id"
             columns: ["organisation_id"]
             isOneToOne: false
             referencedRelation: "organisations"
             referencedColumns: ["id"]
           },
           {
-            foreignKeyName: "qualifications_member_id_fkey"
+            foreignKeyName: "pace_qualification_member_id_fkey"
             columns: ["member_id"]
             isOneToOne: false
             referencedRelation: "pace_member"

package/src/types/file-reference.ts CHANGED Viewed

@@ -55,6 +55,7 @@ export enum FileCategory {
  * Options for uploading a file with a file reference
  * @property pageContext - The page context where the file upload occurs (e.g., 'configuration', 'forms', 'applications')
  *                          Used for context-aware permission checks. Required to check appropriate page-level permissions.
+ * @property event_id - Optional event ID for event-scoped permission checks. Required for event-based apps.
  */
 export interface FileUploadOptions {
   table_name: string;
@@ -62,7 +63,9 @@ export interface FileUploadOptions {
   organisation_id: string;
   app_id: AppId;
   category: FileCategory;
+  folder: string; // Folder name in storage bucket (e.g., 'profile_photos', 'documents')
   pageContext: string;
+  event_id?: string;
   is_public?: boolean;
   custom_metadata?: Record<string, unknown>;
 }