@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/rbac/providers/RBACProvider.tsx

@@ -1,645 +0,0 @@
-/**
- * @file RBAC Provider
- * @package @jmruthers/pace-core
- * @module RBAC/Providers
- * @since 0.1.0
- *
- * Handles role-based access control, permissions, and event access management.
- * Separated from UnifiedAuthProvider for better maintainability.
- */
-
-import React, { createContext, useContext, useState, useEffect, useCallback, useMemo } from 'react';
-import { type SupabaseClient, type User, type Session } from '@supabase/supabase-js';
-import { AccessLevel } from '../../types/unified';
-import { DebugLogger } from '../../utils/debugLogger';
-
-// App configuration type
-interface AppConfig {
-  supports_direct_access: boolean;
-  requires_event: boolean;
-}
-
-// User event access type - now includes organisation context for security
-export interface UserEventAccess {
-  event_id: string;
-  event_name: string;
-  event_description?: string | null;
-  start_date: string;
-  end_date: string;
-  event_status: string;
-  app_id: string;
-  access_level: string;
-  granted_at: string;
-  organisation_id: string; // MANDATORY for security
-}
-
-// RBAC context type
-export interface RBACContextType {
-  // RBAC state
-  permissions: Record<string, boolean>;
-  roles: string[];
-  accessLevel: AccessLevel;
-  rbacLoading: boolean;
-  rbacError: Error | null;
-  selectedEventId: string | null;
-  appConfig: AppConfig | null;
-  userEventAccess: UserEventAccess[];
-  eventAccessLoading: boolean;
-  
-  // Organisation context integration
-  selectedOrganisationId: string | null;
-  requireOrganisationContext: () => string; // Throws if no organisation context
-  
-  // RBAC methods
-  hasPermission: (permission: string, orgId?: string) => boolean;
-  hasAnyPermission: (permissions: string[], orgId?: string) => boolean;
-  hasAllPermissions: (permissions: string[], orgId?: string) => boolean;
-  hasRole: (role: string) => boolean;
-  hasAccessLevel: (level: AccessLevel) => boolean;
-  canAccess: (resource: string, action: string, orgId?: string) => boolean;
-  validatePermission: (permission: string, orgId?: string) => Promise<boolean>;
-  validateAccess: (resource: string, action: string, orgId?: string) => Promise<boolean>;
-  refreshPermissions: (eventId?: string, orgId?: string) => Promise<void>;
-  setSelectedEventId: (eventId: string | null) => void;
-  loadUserEventAccess: (orgId?: string) => Promise<void>;
-  getUserEventAccess: (eventId: string) => UserEventAccess | undefined;
-  
-  // New RBAC system support
-  rbacEnabled: boolean;
-  rbacContext?: any; // Will be populated by useRBAC hook when enabled
-}
-
-const RBACContext = createContext<RBACContextType | undefined>(undefined);
-
-export const useRBAC = () => {
-  const context = useContext(RBACContext);
-  if (!context) {
-    throw new Error('useRBAC must be used within an RBACProvider');
-  }
-  return context;
-};
-
-export interface RBACProviderProps {
-  children: React.ReactNode;
-  supabaseClient?: SupabaseClient;
-  user: User | null;
-  session: Session | null;
-  appName: string;
-  enableRBAC?: boolean;
-  persistState?: boolean;
-  enablePersistence?: boolean;
-  requireOrganisationContext?: boolean;
-}
-
-// Storage keys for persistence
-const STORAGE_KEYS = {
-  SELECTED_EVENT: 'pace-core-selected-event',
-} as const;
-
-// Helper function to transform RBAC permissions to the format expected by UnifiedAuthProvider
-const transformRBACPermissions = (rbacData: any[], _appName: string) => {
-  const permissions: Record<string, boolean> = {};
-  let roles: string[] = [];
-  let access_level: AccessLevel = AccessLevel.VIEWER;
-
-  if (!rbacData || !Array.isArray(rbacData)) {
-    return { permissions: {}, roles: ['viewer'], access_level: AccessLevel.VIEWER };
-  }
-
-  // Check for super admin first
-  const superAdminPerm = rbacData.find((p: any) => p.permission_type === 'all_permissions');
-  if (superAdminPerm) {
-    return { 
-      permissions: { 'all:all': true } as Record<string, boolean>, 
-      roles: ['super'], 
-      access_level: AccessLevel.SUPER 
-    };
-  }
-
-  // Process event-app permissions
-  const eventAppPerms = rbacData.filter((p: any) => p.permission_type === 'event_app_access');
-  if (eventAppPerms.length > 0) {
-    const role = eventAppPerms[0].role_name;
-    
-    // Map RBAC roles to AccessLevel
-    switch (role) {
-      case 'event_admin':
-        access_level = AccessLevel.ADMIN;
-        roles = ['admin'];
-        break;
-      case 'planner':
-        access_level = AccessLevel.PLANNER;
-        roles = ['planner'];
-        break;
-      case 'participant':
-        access_level = AccessLevel.PARTICIPANT;
-        roles = ['participant'];
-        break;
-      case 'editor':
-        access_level = AccessLevel.EDITOR;
-        roles = ['editor'];
-        break;
-      case 'viewer':
-      default:
-        access_level = AccessLevel.VIEWER;
-        roles = ['viewer'];
-        break;
-    }
-
-    // For now, we'll set basic permissions based on role
-    // In a full implementation, you'd want to fetch page-specific permissions
-    const basePermissions = ['read'];
-    if (['event_admin', 'planner'].includes(role)) {
-      basePermissions.push('create', 'update');
-    }
-    if (role === 'event_admin') {
-      basePermissions.push('delete');
-    }
-
-    // Set permissions for all pages (simplified approach)
-    // In a real implementation, you'd want to get actual page permissions
-    basePermissions.forEach(operation => {
-      permissions[`default:${operation}`] = true;
-    });
-  }
-
-  // Process organisation permissions
-  const orgPerms = rbacData.filter((p: any) => p.permission_type === 'organisation_access');
-  if (orgPerms.length > 0) {
-    const role = orgPerms[0].role_name;
-    if (role === 'org_admin') {
-      access_level = AccessLevel.ADMIN;
-      roles = ['admin'];
-      // Org admins get all permissions
-      ['create', 'read', 'update', 'delete'].forEach(operation => {
-        permissions[`default:${operation}`] = true;
-      });
-    }
-  }
-
-  return { permissions, roles, access_level };
-};
-
-export function RBACProvider({
-  children,
-  supabaseClient,
-  user,
-  session,
-  appName,
-  enableRBAC = false,
-  persistState = true,
-  enablePersistence,
-  requireOrganisationContext: _requireOrganisationContext = true,
-}: RBACProviderProps) {
-  // Use enablePersistence if provided, otherwise use persistState
-  const shouldPersist = enablePersistence !== undefined ? enablePersistence : persistState;
-
-  // RBAC state
-  const [permissions, setPermissions] = useState<Record<string, boolean>>({});
-  const [roles, setRoles] = useState<string[]>([]);
-  const [accessLevel, setAccessLevel] = useState<AccessLevel>(AccessLevel.VIEWER);
-  const [rbacLoading, setRbacLoading] = useState(false);
-  const [rbacError, setRbacError] = useState<Error | null>(null);
-  const [selectedEventId, setSelectedEventId] = useState<string | null>(null);
-  const [appConfig, setAppConfig] = useState<AppConfig | null>(null);
-  const [userEventAccess, setUserEventAccess] = useState<UserEventAccess[]>([]);
-  const [eventAccessLoading, setEventAccessLoading] = useState(false);
-  
-  // Organisation context state
-  const [selectedOrganisationId, _setSelectedOrganisationId] = useState<string | null>(null);
-
-  // Load app configuration on mount and when appName changes
-  useEffect(() => {
-    if (!supabaseClient) return;
-
-    const loadAppConfig = async () => {
-      try {
-        // Use the same app name resolution as PagePermissionGuard
-        const { getCurrentAppName } = await import('../../utils/appNameResolver');
-        const resolvedAppName = getCurrentAppName() || appName;
-        
-        // First resolve app name to app_id
-        const { data: appData, error: appError } = await supabaseClient
-          .from('rbac_apps')
-          .select('id')
-          .eq('name', resolvedAppName)
-          .eq('is_active', true)
-          .single();
-
-        if (appError || !appData) {
-          console.warn('App not found or inactive:', resolvedAppName);
-          setAppConfig({
-            supports_direct_access: false, // Field removed from rbac_apps table
-            requires_event: true
-          });
-          return;
-        }
-
-        const response = await supabaseClient.rpc('get_app_config', {
-          app_id: appData.id
-        });
-        
-        const { data } = response || {};
-
-        if (data && data.length > 0) {
-          setAppConfig({
-            supports_direct_access: false, // Field removed from rbac_apps table
-            requires_event: data[0].requires_event
-          });
-        } else {
-          // Default configuration if app not found
-          setAppConfig({
-            supports_direct_access: false,
-            requires_event: true
-          });
-        }
-      } catch (error) {
-        console.warn("Clearing corrupted localStorage data");
-        if (typeof localStorage !== 'undefined') {
-          localStorage.removeItem(STORAGE_KEYS.SELECTED_EVENT);
-        }
-        console.warn('Failed to load app configuration:', error);
-        // Default configuration on error
-        setAppConfig({
-          supports_direct_access: false, // Field removed from rbac_apps table
-          requires_event: true
-        });
-      }
-    };
-
-    loadAppConfig();
-  }, [supabaseClient, appName]);
-
-  // Set super admin roles based on user metadata
-  useEffect(() => {
-    // Check if user has super admin role in metadata
-    const isSuperAdmin = user?.user_metadata?.globalRole === 'super_admin';
-    if (isSuperAdmin) {
-      setRoles(['super_admin']);
-    } else {
-      setRoles([]);
-    }
-  }, [user]);
-
-  // Load persisted auth state on mount
-  useEffect(() => {
-    if (!shouldPersist) return;
-
-    try {
-      const persistedEvent = localStorage.getItem(STORAGE_KEYS.SELECTED_EVENT);
-      if (persistedEvent) {
-        setSelectedEventId(JSON.parse(persistedEvent));
-      }
-    } catch (error) {
-      console.warn("Clearing corrupted localStorage data");
-      localStorage.removeItem(STORAGE_KEYS.SELECTED_EVENT);
-    }
-  }, [shouldPersist]);
-
-  // Persist auth state changes
-  useEffect(() => {
-    if (!shouldPersist) return;
-
-    try {
-      if (selectedEventId) {
-        localStorage.setItem(
-          STORAGE_KEYS.SELECTED_EVENT,
-          JSON.stringify(selectedEventId),
-        );
-      } else {
-        localStorage.removeItem(STORAGE_KEYS.SELECTED_EVENT);
-      }
-    } catch (error) {
-      console.warn("Clearing corrupted localStorage data");
-      localStorage.removeItem(STORAGE_KEYS.SELECTED_EVENT);
-      console.warn('Failed to persist auth state:', error);
-    }
-  }, [selectedEventId, shouldPersist]);
-
-    // Load RBAC data when user is authenticated
-  const refreshPermissions = useCallback(async (eventId?: string) => {
-    if (!supabaseClient || !user || !appConfig || !session) {
-      DebugLogger.log('RBACProvider', 'refreshPermissions: Missing required dependencies, clearing permissions');
-      setPermissions({});
-      setRoles([]);
-      setAccessLevel(AccessLevel.VIEWER);
-      return;
-    }
-
-    // Check for super admin first by querying the database
-    // This ensures we check against the rbac_global_roles table, not just user metadata
-    const { data: globalRoles } = await supabaseClient
-      .from('rbac_global_roles')
-      .select('role')
-      .eq('user_id', user.id)
-      .eq('role', 'super_admin')
-      .lte('valid_from', new Date().toISOString())
-      .or(`valid_to.is.null,valid_to.gte.${new Date().toISOString()}`)
-      .limit(1);
-
-    const isSuperAdmin = globalRoles && globalRoles.length > 0;
-    
-    if (isSuperAdmin) {
-      setPermissions({
-        'admin:create': true,
-        'admin:read': true,
-        'admin:update': true,
-        'admin:delete': true,
-        'users:create': true,
-        'users:read': true,
-        'users:update': true,
-        'users:delete': true,
-        'events:create': true,
-        'events:read': true,
-        'events:update': true,
-        'events:delete': true
-      });
-      setRoles(['super_admin']);
-      setAccessLevel(AccessLevel.SUPER);
-      return;
-    }
-
-    // Determine if we should load permissions without an event
-    const shouldLoadDirectPermissions = !eventId && !appConfig.requires_event;
-    const shouldLoadEventPermissions = eventId;
-    const shouldClearPermissions = !eventId && appConfig.requires_event;
-
-    // If no eventId and app requires events, clear permissions
-    if (shouldClearPermissions) {
-      setPermissions({});
-      setRoles([]);
-      setAccessLevel(AccessLevel.VIEWER);
-      return;
-    }
-
-    // Only proceed if we should load permissions
-    if (!shouldLoadDirectPermissions && !shouldLoadEventPermissions) {
-      return;
-    }
-
-    setRbacLoading(true);
-    setRbacError(null);
-
-    try {
-      // Use the same app name resolution as PagePermissionGuard
-      const { getCurrentAppName } = await import('../../utils/appNameResolver');
-      const resolvedAppName = getCurrentAppName() || appName;
-      
-      // First resolve app name to app_id
-      const { data: appData, error: appError } = await supabaseClient
-        .from('rbac_apps')
-        .select('id')
-        .eq('name', resolvedAppName)
-        .eq('is_active', true)
-        .single();
-
-      if (appError || !appData) {
-        console.warn('App not found or inactive:', resolvedAppName);
-        setRbacLoading(false);
-        return;
-      }
-
-      const { data, error } = await supabaseClient.rpc('rbac_permissions_get', {
-        p_user_id: user.id,
-        p_app_id: appData.id,
-        p_event_id: eventId || null,
-        p_organisation_id: selectedOrganisationId || null
-      });
-
-      if (error) {
-        throw error;
-      }
-
-      const { permissions, roles, access_level } = transformRBACPermissions(data, appName);
-
-      setPermissions(permissions);
-      setRoles(roles);
-      setAccessLevel(access_level);
-    } catch (err: any) {
-      setRbacError(err);
-    } finally {
-      setRbacLoading(false);
-    }
-  }, [supabaseClient, user, session, appName, appConfig, selectedOrganisationId]);
-
-  // Load user event access data
-  const loadUserEventAccess = useCallback(async () => {
-    if (!supabaseClient || !user || !session) {
-      DebugLogger.log('RBACProvider', 'loadUserEventAccess: Missing required dependencies, clearing event access');
-      setUserEventAccess([]);
-      return;
-    }
-
-    setEventAccessLoading(true);
-    try {
-      // Use the same app name resolution as PagePermissionGuard
-      const { getCurrentAppName } = await import('../../utils/appNameResolver');
-      const resolvedAppName = getCurrentAppName() || appName;
-      
-      // First resolve app name to app_id
-      const { data: appData, error: appError } = await supabaseClient
-        .from('rbac_apps')
-        .select('id')
-        .eq('name', resolvedAppName)
-        .eq('is_active', true)
-        .single();
-
-      if (appError || !appData) {
-        console.warn('App not found or inactive:', resolvedAppName);
-        setEventAccessLoading(false);
-        return;
-      }
-
-      const { data, error } = await supabaseClient
-        .from('rbac_event_app_roles')
-        .select(`
-          event_id,
-          role,
-          granted_at
-        `)
-        .eq('user_id', user.id)
-        .eq('app_id', appData.id);
-
-      if (error) {
-        console.error('Failed to load user event access:', error);
-        setUserEventAccess([]);
-        return;
-      }
-
-      const eventAccess = data?.map(item => ({
-        event_id: item.event_id,
-        event_name: 'Unknown Event', // Event details not available in this query
-        event_description: null, // Not available in this schema
-        start_date: '', // Event date not available in this query
-        end_date: '', // Event date not available in this query
-        event_status: 'unknown', // Not available in this schema
-        app_id: appData.id,
-        access_level: item.role, // Map role to access_level
-        granted_at: item.granted_at,
-        organisation_id: '' // Will be populated from event's organisation_id if needed
-      })) || [];
-
-      setUserEventAccess(eventAccess);
-    } catch (error) {
-      console.warn("Clearing corrupted localStorage data");
-      localStorage.removeItem(STORAGE_KEYS.SELECTED_EVENT);
-      console.error('Error loading user event access:', error);
-      setUserEventAccess([]);
-    } finally {
-      setEventAccessLoading(false);
-    }
-  }, [supabaseClient, user, session, appName]);
-
-  // Helper function to get access for a specific event
-  const getUserEventAccess = useCallback((eventId: string) => {
-    return userEventAccess.find(access => access.event_id === eventId);
-  }, [userEventAccess]);
-
-  // When the selected event ID changes, user logs in, or app config loads, refresh permissions
-  useEffect(() => {
-    // Don't run if user is null (signed out) or no app config
-    if (!user || !appConfig || !session) {
-      DebugLogger.log('RBACProvider', 'Skipping permission refresh - no user, session, or app config');
-      return;
-    }
-
-    // Check for super admin first - admin override should happen regardless of app configuration
-    const isSuperAdmin = user?.user_metadata?.globalRole === 'super_admin';
-    if (isSuperAdmin) {
-      setPermissions({
-        'admin:create': true,
-        'admin:read': true,
-        'admin:update': true,
-        'admin:delete': true,
-        'users:create': true,
-        'users:read': true,
-        'users:update': true,
-        'users:delete': true,
-        'events:create': true,
-        'events:read': true,
-        'events:update': true,
-        'events:delete': true
-      });
-      setRoles(['super_admin']);
-      setAccessLevel(AccessLevel.ADMIN);
-      return;
-    }
-
-    if (selectedEventId) {
-      // Event-based permissions
-      refreshPermissions(selectedEventId);
-    } else if (!appConfig.requires_event) {
-      // Direct app permissions (no event needed)
-      refreshPermissions();
-    } else {
-      // No event and app requires events - clear permissions
-      setPermissions({});
-      setRoles([]);
-      setAccessLevel(AccessLevel.VIEWER);
-    }
-  }, [selectedEventId, user, session, appConfig, refreshPermissions]);
-
-  // Load user event access when user changes
-  useEffect(() => {
-    let isMounted = true;
-
-    if (user && session) {
-      DebugLogger.log('RBACProvider', 'Loading user event access for authenticated user');
-      loadUserEventAccess().catch(error => {
-        if (isMounted) {
-          console.error('Error loading user event access:', error);
-        }
-      });
-    } else {
-      DebugLogger.log('RBACProvider', 'Clearing user event access - no user or session');
-      if (isMounted) {
-        setUserEventAccess([]);
-      }
-    }
-
-    return () => {
-      isMounted = false;
-    };
-  }, [user, session, loadUserEventAccess]);
-
-  // Permission methods
-  const hasPermission = useCallback((permission: string) => {
-    const hasPerm = !!permissions[permission];
-    return hasPerm;
-  }, [permissions]);
-  const hasAnyPermission = useCallback((perms: string[]) => perms.some(p => !!permissions[p]), [permissions]);
-  const hasAllPermissions = useCallback((perms: string[]) => perms.every(p => !!permissions[p]), [permissions]);
-  const hasRole = useCallback((role: string) => {
-    const isSuperAdmin = user?.user_metadata?.globalRole === 'super_admin';
-    if (role.toLowerCase() === 'super_admin') {
-      return isSuperAdmin;
-    }
-    return roles.includes(role);
-  }, [roles, user]);
-  const hasAccessLevel = useCallback((level: AccessLevel) => {
-    const levels = Object.values(AccessLevel);
-    return levels.indexOf(accessLevel) >= levels.indexOf(level);
-  }, [accessLevel]);
-  const canAccess = useCallback((resource: string, action: string) => {
-    const permission = `${resource}:${action}`;
-    const hasAccess = hasPermission(permission);
-    return hasAccess;
-  }, [hasPermission]);
-  const validatePermission = useCallback(async (permission: string) => hasPermission(permission), [hasPermission]);
-  const validateAccess = useCallback(async (resource: string, action: string) => {
-    // Placeholder for more complex logic, e.g., re-validating with backend
-    return Promise.resolve(canAccess(resource, action));
-  }, [canAccess]);
-
-  // Memoized context value
-  const contextValue = useMemo<RBACContextType>(() => ({
-    permissions,
-    roles,
-    accessLevel,
-    rbacLoading,
-    rbacError,
-    selectedEventId,
-    appConfig,
-    userEventAccess,
-    eventAccessLoading,
-
-    // Organisation context
-    selectedOrganisationId,
-    requireOrganisationContext: () => {
-      if (!selectedOrganisationId) {
-        throw new Error('Organisation context is required but not available');
-      }
-      return selectedOrganisationId;
-    },
-
-    hasPermission,
-    hasAnyPermission,
-    hasAllPermissions,
-    hasRole,
-    hasAccessLevel,
-    canAccess,
-    validatePermission,
-    validateAccess,
-    refreshPermissions,
-    setSelectedEventId,
-    
-    // New RBAC system support
-    rbacEnabled: enableRBAC,
-    rbacContext: undefined, // Will be populated by useRBAC hook when enabled
-    
-    loadUserEventAccess,
-    getUserEventAccess
-  }), [
-    permissions, roles, accessLevel, rbacLoading, rbacError, selectedEventId, appConfig,
-    userEventAccess, eventAccessLoading, selectedOrganisationId,
-    hasPermission, hasAnyPermission, hasAllPermissions, hasRole, hasAccessLevel, canAccess,
-    validatePermission, validateAccess, refreshPermissions, setSelectedEventId,
-    enableRBAC, loadUserEventAccess, getUserEventAccess
-  ]);
-
-  return (
-    <RBACContext.Provider value={contextValue}>
-      {children}
-    </RBACContext.Provider>
-  );
-}