@jmruthers/pace-core 0.5.54 → 0.5.55

package/src/rbac/hooks/useRBAC.ts

@@ -116,26 +116,30 @@ export function useRBAC(pageId?: string): UserRBACContext {
     setError(null);
 
     try {
-      // First resolve app name to app_id
-      const { data: appData, error: appError } = await supabase
-        .from('rbac_apps')
-        .select('id')
-        .eq('name', appName)
-        .eq('is_active', true)
-        .single();
+      // First resolve app name to app_id using secure RPC function
+      const { data: appData, error: appError } = await supabase.rpc('rbac_app_resolve', {
+        p_app_name: appName,
+        p_user_id: user.id
+      });
 
-      if (appError || !appData) {
+      if (appError || !appData || appData.length === 0) {
         console.warn('App not found or inactive:', appName);
         setIsLoading(false);
         return;
       }
 
-      const { data, error: rpcError } = await supabase.rpc('get_rbac_permissions', {
+      const app = appData[0];
+      if (!app.has_access) {
+        console.warn('User does not have access to app:', appName);
+        setIsLoading(false);
+        return;
+      }
+
+      const { data, error: rpcError } = await supabase.rpc('rbac_permissions_get', {
         p_user_id: user.id,
-        p_app_id: appData.id,
+        p_app_id: app.app_id,
         p_event_id: selectedEvent?.event_id || null,
-        p_organisation_id: selectedOrganisation?.id || null,
-        p_page_id: pageId || null
+        p_organisation_id: selectedOrganisation?.id || null
       });
 
       if (rpcError) {
@@ -175,22 +179,26 @@ export function useRBAC(pageId?: string): UserRBACContext {
     }
 
     try {
-      // First resolve app name to app_id
-      const { data: appData, error: appError } = await supabase
-        .from('rbac_apps')
-        .select('id')
-        .eq('name', appName)
-        .eq('is_active', true)
-        .single();
+      // First resolve app name to app_id using secure RPC function
+      const { data: appData, error: appError } = await supabase.rpc('rbac_app_resolve', {
+        p_app_name: appName,
+        p_user_id: user.id
+      });
 
-      if (appError || !appData) {
+      if (appError || !appData || appData.length === 0) {
         console.warn('App not found or inactive:', appName);
         return false;
       }
 
-      const { data, error } = await supabase.rpc('check_page_permission', {
+      const app = appData[0];
+      if (!app.has_access) {
+        console.warn('User does not have access to app:', appName);
+        return false;
+      }
+
+      const { data, error } = await supabase.rpc('rbac_page_access_check', {
         p_user_id: user.id,
-        p_app_id: appData.id,
+        p_app_id: app.app_id,
         p_page_id: targetPageId || pageId || 'default',
         p_operation: operation,
         p_event_id: selectedEvent?.event_id,

package/src/rbac/permissions.test.ts

@@ -0,0 +1,128 @@
+/**
+ * @fileoverview RBAC Permissions Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Permissions/Tests
+ * @since 1.0.0
+ * 
+ * Tests for RBAC permission validation functions and database-driven permissions.
+ * Note: Hardcoded permission groups and role mappings have been removed for RBAC compliance.
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  isValidPermission
+} from './permissions';
+import { Permission } from './types';
+
+describe('RBAC Permissions', () => {
+  describe('Permission Validation Functions', () => {
+    it('validates correct CRUD permission format', () => {
+      expect(isValidPermission('read:users')).toBe(true);
+      expect(isValidPermission('create:organisation')).toBe(true);
+      expect(isValidPermission('update:event.content')).toBe(true);
+      expect(isValidPermission('delete:team.members')).toBe(true);
+      expect(isValidPermission('read:*')).toBe(true);
+    });
+
+    it('rejects invalid permission format', () => {
+      expect(isValidPermission('invalid')).toBe(false);
+      expect(isValidPermission('READ:users')).toBe(false); // uppercase not allowed
+      expect(isValidPermission('read:')).toBe(false);
+      expect(isValidPermission(':users')).toBe(false);
+      expect(isValidPermission('read:users*')).toBe(false); // wildcard not at end
+      expect(isValidPermission('read:*users')).toBe(false); // wildcard not at end
+    });
+
+    it('rejects manage permission (not allowed in RBAC)', () => {
+      expect(isValidPermission('manage:users')).toBe(false);
+      expect(isValidPermission('manage:*')).toBe(false);
+      expect(isValidPermission('manage:organisation')).toBe(false);
+    });
+
+    it('validates resource naming conventions', () => {
+      // Valid resource names
+      expect(isValidPermission('read:users')).toBe(true);
+      expect(isValidPermission('create:event.content')).toBe(true);
+      expect(isValidPermission('update:team.members')).toBe(true);
+      expect(isValidPermission('delete:organisation.settings')).toBe(true);
+      
+      // Invalid resource names
+      expect(isValidPermission('read:Users')).toBe(false); // uppercase
+      expect(isValidPermission('read:user-settings')).toBe(false); // hyphen not allowed
+      expect(isValidPermission('read:user_settings')).toBe(false); // underscore not allowed
+      expect(isValidPermission('read:user.settings.')).toBe(false); // trailing dot
+    });
+
+    it('validates wildcard permissions', () => {
+      expect(isValidPermission('read:*')).toBe(true);
+      expect(isValidPermission('create:*')).toBe(true);
+      expect(isValidPermission('update:*')).toBe(true);
+      expect(isValidPermission('delete:*')).toBe(true);
+      
+      // Invalid wildcard usage
+      expect(isValidPermission('*:users')).toBe(false);
+      expect(isValidPermission('read:*users')).toBe(false);
+      expect(isValidPermission('read:users*')).toBe(false);
+    });
+  });
+
+  describe('Type Safety', () => {
+    it('validates Permission type structure', () => {
+      const validPermissions: Permission[] = [
+        'read:users',
+        'create:organisation',
+        'update:event.content',
+        'delete:team.members',
+        'read:*'
+      ];
+
+      validPermissions.forEach(permission => {
+        expect(typeof permission).toBe('string');
+        expect(isValidPermission(permission)).toBe(true);
+      });
+    });
+
+    it('rejects invalid Permission types', () => {
+      const invalidPermissions = [
+        'manage:users',
+        'READ:users',
+        'read:',
+        ':users',
+        'read:users*',
+        'read:*users',
+        'invalid'
+      ];
+
+      invalidPermissions.forEach(permission => {
+        expect(isValidPermission(permission)).toBe(false);
+      });
+    });
+  });
+
+  describe('RBAC Compliance', () => {
+    it('only allows CRUD operations', () => {
+      const validOperations = ['read', 'create', 'update', 'delete'];
+      const invalidOperations = ['manage', 'admin', 'execute', 'view'];
+      
+      validOperations.forEach(operation => {
+        expect(isValidPermission(`${operation}:users`)).toBe(true);
+      });
+      
+      invalidOperations.forEach(operation => {
+        expect(isValidPermission(`${operation}:users`)).toBe(false);
+      });
+    });
+
+    it('enforces lowercase resource names', () => {
+      expect(isValidPermission('read:users')).toBe(true);
+      expect(isValidPermission('read:Users')).toBe(false);
+      expect(isValidPermission('read:USERS')).toBe(false);
+    });
+
+    it('allows dot notation for hierarchical resources', () => {
+      expect(isValidPermission('read:event.content')).toBe(true);
+      expect(isValidPermission('update:team.members')).toBe(true);
+      expect(isValidPermission('create:organisation.settings')).toBe(true);
+    });
+  });
+});

package/src/rbac/permissions.ts

@@ -15,7 +15,6 @@ import { Permission } from './types';
 // ============================================================================
 
 export const GLOBAL_PERMISSIONS = {
-  MANAGE_ALL: 'manage:*' as Permission,
   READ_ALL: 'read:*' as Permission,
   CREATE_ALL: 'create:*' as Permission,
   UPDATE_ALL: 'update:*' as Permission,
@@ -28,33 +27,29 @@ export const GLOBAL_PERMISSIONS = {
 
 export const ORGANISATION_PERMISSIONS = {
   // Organisation management
-  MANAGE_ORGANISATION: 'manage:organisation' as Permission,
   READ_ORGANISATION: 'read:organisation' as Permission,
   UPDATE_ORGANISATION: 'update:organisation' as Permission,
+  DELETE_ORGANISATION: 'delete:organisation' as Permission,
   
   // User management
-  MANAGE_USERS: 'manage:users' as Permission,
   READ_USERS: 'read:users' as Permission,
   CREATE_USERS: 'create:users' as Permission,
   UPDATE_USERS: 'update:users' as Permission,
   DELETE_USERS: 'delete:users' as Permission,
   
   // Role management
-  MANAGE_ROLES: 'manage:roles' as Permission,
   READ_ROLES: 'read:roles' as Permission,
   CREATE_ROLES: 'create:roles' as Permission,
   UPDATE_ROLES: 'update:roles' as Permission,
   DELETE_ROLES: 'delete:roles' as Permission,
   
   // Event management
-  MANAGE_EVENTS: 'manage:events' as Permission,
   READ_EVENTS: 'read:events' as Permission,
   CREATE_EVENTS: 'create:events' as Permission,
   UPDATE_EVENTS: 'update:events' as Permission,
   DELETE_EVENTS: 'delete:events' as Permission,
   
   // App management
-  MANAGE_APPS: 'manage:apps' as Permission,
   READ_APPS: 'read:apps' as Permission,
   CREATE_APPS: 'create:apps' as Permission,
   UPDATE_APPS: 'update:apps' as Permission,
@@ -67,40 +62,40 @@ export const ORGANISATION_PERMISSIONS = {
 
 export const EVENT_APP_PERMISSIONS = {
   // Event management
-  MANAGE_EVENT: 'manage:event' as Permission,
   READ_EVENT: 'read:event' as Permission,
+  CREATE_EVENT: 'create:event' as Permission,
   UPDATE_EVENT: 'update:event' as Permission,
+  DELETE_EVENT: 'delete:event' as Permission,
   
   // App management
-  MANAGE_APP: 'manage:app' as Permission,
   READ_APP: 'read:app' as Permission,
+  CREATE_APP: 'create:app' as Permission,
   UPDATE_APP: 'update:app' as Permission,
+  DELETE_APP: 'delete:app' as Permission,
   
   // Team management
-  MANAGE_TEAM: 'manage:team' as Permission,
   READ_TEAM: 'read:team' as Permission,
   CREATE_TEAM: 'create:team' as Permission,
   UPDATE_TEAM: 'update:team' as Permission,
   DELETE_TEAM: 'delete:team' as Permission,
   
   // Team members
-  MANAGE_TEAM_MEMBERS: 'manage:team.members' as Permission,
   READ_TEAM_MEMBERS: 'read:team.members' as Permission,
   CREATE_TEAM_MEMBERS: 'create:team.members' as Permission,
   UPDATE_TEAM_MEMBERS: 'update:team.members' as Permission,
   DELETE_TEAM_MEMBERS: 'delete:team.members' as Permission,
   
   // Event content
-  MANAGE_EVENT_CONTENT: 'manage:event.content' as Permission,
   READ_EVENT_CONTENT: 'read:event.content' as Permission,
   CREATE_EVENT_CONTENT: 'create:event.content' as Permission,
   UPDATE_EVENT_CONTENT: 'update:event.content' as Permission,
   DELETE_EVENT_CONTENT: 'delete:event.content' as Permission,
   
   // Event settings
-  MANAGE_EVENT_SETTINGS: 'manage:event.settings' as Permission,
   READ_EVENT_SETTINGS: 'read:event.settings' as Permission,
+  CREATE_EVENT_SETTINGS: 'create:event.settings' as Permission,
   UPDATE_EVENT_SETTINGS: 'update:event.settings' as Permission,
+  DELETE_EVENT_SETTINGS: 'delete:event.settings' as Permission,
 } as const;
 
 // ============================================================================
@@ -110,131 +105,43 @@ export const EVENT_APP_PERMISSIONS = {
 export const PAGE_PERMISSIONS = {
   // General page access
   READ_PAGE: 'read:page' as Permission,
-  MANAGE_PAGE: 'manage:page' as Permission,
+  CREATE_PAGE: 'create:page' as Permission,
+  UPDATE_PAGE: 'update:page' as Permission,
+  DELETE_PAGE: 'delete:page' as Permission,
   
   // Admin pages
   READ_ADMIN: 'read:admin' as Permission,
-  MANAGE_ADMIN: 'manage:admin' as Permission,
+  CREATE_ADMIN: 'create:admin' as Permission,
+  UPDATE_ADMIN: 'update:admin' as Permission,
+  DELETE_ADMIN: 'delete:admin' as Permission,
   
   // Dashboard pages
   READ_DASHBOARD: 'read:dashboard' as Permission,
-  MANAGE_DASHBOARD: 'manage:dashboard' as Permission,
+  CREATE_DASHBOARD: 'create:dashboard' as Permission,
+  UPDATE_DASHBOARD: 'update:dashboard' as Permission,
+  DELETE_DASHBOARD: 'delete:dashboard' as Permission,
   
   // Settings pages
   READ_SETTINGS: 'read:settings' as Permission,
-  MANAGE_SETTINGS: 'manage:settings' as Permission,
+  CREATE_SETTINGS: 'create:settings' as Permission,
+  UPDATE_SETTINGS: 'update:settings' as Permission,
+  DELETE_SETTINGS: 'delete:settings' as Permission,
   
   // Reports pages
   READ_REPORTS: 'read:reports' as Permission,
-  MANAGE_REPORTS: 'manage:reports' as Permission,
+  CREATE_REPORTS: 'create:reports' as Permission,
+  UPDATE_REPORTS: 'update:reports' as Permission,
+  DELETE_REPORTS: 'delete:reports' as Permission,
 } as const;
 
 // ============================================================================
-// PERMISSION GROUPS
+// PERMISSION GROUPS - REMOVED
 // ============================================================================
-
-export const PERMISSION_GROUPS = {
-  // Global admin permissions
-  GLOBAL_ADMIN: [
-    GLOBAL_PERMISSIONS.MANAGE_ALL,
-    GLOBAL_PERMISSIONS.READ_ALL,
-    GLOBAL_PERMISSIONS.CREATE_ALL,
-    GLOBAL_PERMISSIONS.UPDATE_ALL,
-    GLOBAL_PERMISSIONS.DELETE_ALL,
-  ],
-  
-  // Organisation admin permissions
-  ORG_ADMIN: [
-    ORGANISATION_PERMISSIONS.MANAGE_ORGANISATION,
-    ORGANISATION_PERMISSIONS.READ_ORGANISATION,
-    ORGANISATION_PERMISSIONS.UPDATE_ORGANISATION,
-    ORGANISATION_PERMISSIONS.MANAGE_USERS,
-    ORGANISATION_PERMISSIONS.READ_USERS,
-    ORGANISATION_PERMISSIONS.CREATE_USERS,
-    ORGANISATION_PERMISSIONS.UPDATE_USERS,
-    ORGANISATION_PERMISSIONS.DELETE_USERS,
-    ORGANISATION_PERMISSIONS.MANAGE_ROLES,
-    ORGANISATION_PERMISSIONS.READ_ROLES,
-    ORGANISATION_PERMISSIONS.CREATE_ROLES,
-    ORGANISATION_PERMISSIONS.UPDATE_ROLES,
-    ORGANISATION_PERMISSIONS.DELETE_ROLES,
-    ORGANISATION_PERMISSIONS.MANAGE_EVENTS,
-    ORGANISATION_PERMISSIONS.READ_EVENTS,
-    ORGANISATION_PERMISSIONS.CREATE_EVENTS,
-    ORGANISATION_PERMISSIONS.UPDATE_EVENTS,
-    ORGANISATION_PERMISSIONS.DELETE_EVENTS,
-    ORGANISATION_PERMISSIONS.MANAGE_APPS,
-    ORGANISATION_PERMISSIONS.READ_APPS,
-    ORGANISATION_PERMISSIONS.CREATE_APPS,
-    ORGANISATION_PERMISSIONS.UPDATE_APPS,
-    ORGANISATION_PERMISSIONS.DELETE_APPS,
-  ],
-  
-  // Event admin permissions
-  EVENT_ADMIN: [
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
-    EVENT_APP_PERMISSIONS.MANAGE_APP,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.UPDATE_APP,
-    EVENT_APP_PERMISSIONS.MANAGE_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
-    EVENT_APP_PERMISSIONS.DELETE_TEAM,
-    EVENT_APP_PERMISSIONS.MANAGE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.DELETE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.DELETE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS,
-  ],
-  
-  // Planner permissions
-  PLANNER: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.UPDATE_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS,
-  ],
-  
-  // Participant permissions
-  PARTICIPANT: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
-  ],
-  
-  // Viewer permissions
-  VIEWER: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-  ],
-} as const;
+// NOTE: Hardcoded permission groups have been removed to ensure RBAC compliance.
+// Permissions must be queried from the rbac_page_permissions database table.
+// This ensures organizations can customize their own page-level permissions.
+// The permission string constants above can still be used for TypeScript
+// type safety and autocomplete, but actual permission grants come from the database.
 
 // ============================================================================
 // PERMISSION VALIDATION
@@ -247,36 +154,44 @@ export const PERMISSION_GROUPS = {
  * @returns True if valid, false otherwise
  */
 export function isValidPermission(permission: string): permission is Permission {
-  // Allow wildcard only at the end: manage:* or read:events
+  // Allow wildcard only at the end: read:* or read:events
   // But not: read:events* or read:*events
   // Also reject uppercase operations and resource names
-  const pattern = /^(read|create|update|delete|manage):[a-z0-9._-]+$|^(read|create|update|delete|manage):\*$/;
+  // NOTE: Only CRUD operations are allowed (read, create, update, delete)
+  // Resource names must be lowercase letters, numbers, and dots only
+  // Cannot start or end with dots, cannot have consecutive dots
+  const pattern = /^(read|create|update|delete):[a-z0-9]+(\.[a-z0-9]+)*$|^(read|create|update|delete):\*$/;
   return pattern.test(permission);
 }
 
 /**
- * Get all permissions for a role
+ * Get all permissions for a role - REMOVED
+ * 
+ * @deprecated This function has been removed to ensure RBAC compliance.
+ * Permissions must be queried from the rbac_page_permissions database table,
+ * not hardcoded in application code. This allows organizations to customize
+ * their own page-level permissions as required by the RBAC specification.
+ * 
+ * To get permissions for a role, query the database:
+ * ```typescript
+ * const { data } = await supabase
+ *   .from('rbac_page_permissions')
+ *   .select('operation, allowed')
+ *   .eq('role_name', roleName)
+ *   .eq('organisation_id', organisationId)
+ *   .eq('allowed', true);
+ * ```
  * 
  * @param role - Role name
- * @returns Array of permissions for the role
+ * @returns Empty array (function deprecated)
  */
 export function getPermissionsForRole(role: string): Permission[] {
-  switch (role) {
-    case 'super_admin':
-      return [...PERMISSION_GROUPS.GLOBAL_ADMIN];
-    case 'org_admin':
-      return [...PERMISSION_GROUPS.ORG_ADMIN];
-    case 'event_admin':
-      return [...PERMISSION_GROUPS.EVENT_ADMIN];
-    case 'planner':
-      return [...PERMISSION_GROUPS.PLANNER];
-    case 'participant':
-      return [...PERMISSION_GROUPS.PARTICIPANT];
-    case 'viewer':
-      return [...PERMISSION_GROUPS.VIEWER];
-    default:
-      return [];
-  }
+  console.warn(
+    '[RBAC] getPermissionsForRole() is deprecated. ' +
+    'Permissions must be queried from rbac_page_permissions table. ' +
+    `Called with role: ${role}`
+  );
+  return [];
 }
 
 // ============================================================================

package/src/rbac/providers/RBACProvider.tsx

@@ -388,7 +388,7 @@ export function RBACProvider({
         return;
       }
 
-      const { data, error } = await supabaseClient.rpc('get_rbac_permissions', {
+      const { data, error } = await supabaseClient.rpc('rbac_permissions_get', {
         p_user_id: user.id,
         p_app_id: appData.id,
         p_event_id: eventId || null,