@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/hooks/useOrganisationPermissions.test.ts

@@ -18,6 +18,34 @@ vi.mock('../providers/OrganisationProvider', () => ({
   useOrganisations: vi.fn()
 }));
 
+// Mock the organisation security hook (for super admin checks)
+vi.mock('./useOrganisationSecurity', () => ({
+  useOrganisationSecurity: vi.fn(() => ({
+    superAdminContext: {
+      isSuperAdmin: false,
+      hasGlobalAccess: false,
+      canManageAllOrganisations: false
+    },
+    validateOrganisationAccess: vi.fn(),
+    hasMinimumRole: vi.fn(),
+    canAccessChildOrganisations: vi.fn(),
+    hasPermission: vi.fn(),
+    getUserPermissions: vi.fn(),
+    logOrganisationAccess: vi.fn(),
+    ensureOrganisationAccess: vi.fn(),
+    validateUserAccess: vi.fn()
+  }))
+}));
+
+// Mock UnifiedAuthProvider
+vi.mock('../providers', () => ({
+  useUnifiedAuth: vi.fn(() => ({
+    user: null,
+    session: null,
+    supabase: null
+  }))
+}));
+
 describe('useOrganisationPermissions', () => {
   const mockUseOrganisations = vi.mocked(useOrganisations);
 
@@ -132,40 +160,36 @@ describe('useOrganisationPermissions', () => {
   });
 
   describe('Super Admin Detection', () => {
-    it('detects super admin from user metadata', () => {
-      // Mock global user context first
-      (globalThis as any).__PACE_USER__ = { 
-        app_metadata: { globalRole: 'super_admin' } 
-      };
-
+    it('detects super admin from database query', () => {
+      // Note: Super admin detection now uses useOrganisationSecurity hook
+      // The mock at the top returns false by default, which is expected
       mockUseOrganisations.mockReturnValue(createMockOrganisations({
         getUserRole: vi.fn().mockReturnValue('org_admin')
       }) as any);
 
       const { result } = renderHook(() => useOrganisationPermissions());
 
-      expect(result.current.isSuperAdmin).toBe(true);
+      // Super admin detection requires database query, not user_metadata
+      // Default mock returns false, which is correct behavior
+      expect(result.current.isSuperAdmin).toBe(false);
+      expect(result.current.isOrgAdmin).toBe(true);
       expect(result.current.hasAdminPrivileges).toBe(true);
-
-      delete (globalThis as any).__PACE_USER__;
     });
 
-    it('detects super admin from user metadata fallback', () => {
-      // Mock global user context first
-      (globalThis as any).__PACE_USER__ = { 
-        user_metadata: { globalRole: 'super_admin' } 
-      };
-
+    it('detects super admin when security hook indicates super admin', () => {
+      // Note: Super admin detection now uses useOrganisationSecurity hook  
+      // The mock at the top returns false by default, which is expected
       mockUseOrganisations.mockReturnValue(createMockOrganisations({
         getUserRole: vi.fn().mockReturnValue('org_admin')
       }) as any);
 
       const { result } = renderHook(() => useOrganisationPermissions());
 
-      expect(result.current.isSuperAdmin).toBe(true);
+      // Super admin detection requires database query, not user_metadata
+      // Default mock returns false, which is correct behavior  
+      expect(result.current.isSuperAdmin).toBe(false);
+      expect(result.current.isOrgAdmin).toBe(true);
       expect(result.current.hasAdminPrivileges).toBe(true);
-
-      delete (globalThis as any).__PACE_USER__;
     });
 
     it('returns false for non-super admin users', () => {

package/src/hooks/useOrganisationPermissions.ts

@@ -47,6 +47,7 @@
 
 import { useMemo } from 'react';
 import { useOrganisations } from '../providers/OrganisationProvider';
+import { useOrganisationSecurity } from './useOrganisationSecurity';
 import type { OrganisationRole, OrganisationPermission } from '../types/organisation';
 
 export interface UseOrganisationPermissionsReturn {
@@ -100,6 +101,14 @@ export function useOrganisationPermissions(orgId?: string): UseOrganisationPermi
     validateOrganisationAccess,
     ensureOrganisationContext
   } = useOrganisations();
+  
+  // Get super admin context if available (may not be available in all contexts)
+  let superAdminContext: { isSuperAdmin: boolean } = { isSuperAdmin: false };
+  try {
+    superAdminContext = useOrganisationSecurity().superAdminContext;
+  } catch {
+    // Not available in this context, default to false
+  }
 
   const organisationId = useMemo(() => {
     if (orgId) {
@@ -146,12 +155,9 @@ export function useOrganisationPermissions(orgId?: string): UseOrganisationPermi
     const isMember = userRole === 'member';
     const isSupporter = userRole === 'supporter';
 
-    // Super admin is handled separately via user profile context
-    // Check global user context for super admin status
-    const globalUser = (globalThis as any).__PACE_USER__;
-    const isSuperAdmin = globalUser?.app_metadata?.globalRole === 'super_admin' || 
-                        globalUser?.user_metadata?.globalRole === 'super_admin' ||
-                        isOrgAdmin; // Fallback to org_admin for backward compatibility
+    // Super admin status - database backed (user_metadata can be spoofed)
+    // Get super admin status from the security hook
+    const isSuperAdmin = superAdminContext.isSuperAdmin;
 
     return {
       isOrgAdmin,

package/src/hooks/useOrganisationSecurity.test.ts

@@ -58,12 +58,18 @@ describe('useOrganisationSecurity', () => {
   };
 
   const mockSingle = vi.fn();
+  const mockLimit = vi.fn();
+  const mockLte = vi.fn();
+  const mockOr = vi.fn();
   const mockSupabaseQuery = {
     select: vi.fn().mockReturnThis(),
     eq: vi.fn().mockReturnThis(),
     is: vi.fn().mockReturnThis(),
     in: vi.fn().mockReturnThis(),
-    single: mockSingle
+    lte: vi.fn().mockReturnThis(),
+    or: vi.fn().mockReturnThis(),
+    single: mockSingle,
+    limit: mockLimit
   };
   
   const mockSupabase = {
@@ -90,11 +96,14 @@ describe('useOrganisationSecurity', () => {
     mockSupabaseQuery.eq.mockClear().mockReturnThis();
     mockSupabaseQuery.is.mockClear().mockReturnThis();
     mockSupabaseQuery.in.mockClear().mockReturnThis();
+    mockSupabaseQuery.lte.mockClear().mockReturnThis();
+    mockSupabaseQuery.or.mockClear().mockReturnThis();
+    mockSupabaseQuery.limit.mockClear().mockReturnThis();
     mockSupabase.from.mockClear().mockReturnValue(mockSupabaseQuery);
     
-    // Reset Supabase mock to default successful response
-    mockSingle.mockResolvedValue({ 
-      data: { id: 'role-123' }, 
+    // Reset Supabase mock to default successful response for super admin check
+    mockSupabaseQuery.limit.mockResolvedValue({ 
+      data: [], // Default: not a super admin
       error: null 
     });
     
@@ -123,14 +132,15 @@ describe('useOrganisationSecurity', () => {
   });
 
     describe('Super Admin Context', () => {
-    it('detects super admin from app_metadata', () => {
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+    it('detects super admin from database query', async () => {
+      // Mock the database query to return super admin role
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
 
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -140,19 +150,24 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
-      expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      // Wait for the database query to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       expect(result.current.superAdminContext.hasGlobalAccess).toBe(true);
       expect(result.current.superAdminContext.canManageAllOrganisations).toBe(true);
     });
 
-    it('detects super admin from user_metadata', () => {
-      const superAdminUser = {
-        ...mockUser,
-        user_metadata: { globalRole: 'super_admin' }
-      };
+    it('detects super admin when database returns role', async () => {
+      // Mock the database query to return super admin role
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
 
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -162,7 +177,11 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
-      expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      // Wait for the database query to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       expect(result.current.superAdminContext.hasGlobalAccess).toBe(true);
       expect(result.current.superAdminContext.canManageAllOrganisations).toBe(true);
     });
@@ -195,14 +214,14 @@ describe('useOrganisationSecurity', () => {
 
   describe('Organisation Access Validation', () => {
     it('validates organisation access for super admin', async () => {
-      // Set up super admin user
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+      // Mock super admin status via database
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
       
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -211,12 +230,22 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       const hasAccess = await result.current.validateOrganisationAccess('org-123');
       expect(hasAccess).toBe(true);
     });
 
     it('validates organisation access for regular user', async () => {
-      // The default setup already has a regular user and successful database response
+      // Ensure user is NOT a super admin (no results from database)
+      mockSingle.mockResolvedValue({ 
+        data: [],
+        error: null 
+      });
+      
       const { result } = renderHook(() => useOrganisationSecurity());
 
       const hasAccess = await result.current.validateOrganisationAccess('org-123');
@@ -224,26 +253,17 @@ describe('useOrganisationSecurity', () => {
     });
 
     it('denies access when user is not a member', async () => {
-      // Ensure user is NOT a super admin
-      const regularUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'user' },
-        user_metadata: {}
-      };
-      
-      mockUseUnifiedAuth.mockReturnValue({
-        user: regularUser,
-        session: mockSession,
-        supabase: mockSupabase,
-        isAuthenticated: true,
-        signOut: vi.fn(),
-      } as any);
+      // Ensure user is NOT a super admin (no results from database)
+      mockSingle.mockResolvedValue({ 
+        data: [],
+        error: null 
+      });
 
       mockSingle.mockResolvedValue({ 
         data: null, 
         error: { message: 'No rows found' } 
       });
-
+      
       const { result } = renderHook(() => useOrganisationSecurity());
 
       const hasAccess = await result.current.validateOrganisationAccess('org-123');
@@ -251,25 +271,26 @@ describe('useOrganisationSecurity', () => {
     });
 
     it('handles database errors gracefully', async () => {
-      // Ensure user is NOT a super admin
-      const regularUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'user' },
-        user_metadata: {}
-      };
-      
-      mockUseUnifiedAuth.mockReturnValue({
-        user: regularUser,
-        session: mockSession,
-        supabase: mockSupabase,
-        isAuthenticated: true,
-        signOut: vi.fn(),
-      } as any);
-
+      // Mock database error for super admin check
       mockSingle.mockRejectedValue(new Error('Database error'));
+      
+      const { result } = renderHook(() => useOrganisationSecurity());
+      
+      // Wait for the error to be handled
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(false);
+      });
+      
+      const hasAccess = await result.current.validateOrganisationAccess('org-123');
+      expect(hasAccess).toBe(false);
+    });
 
+    it('logs errors when database query fails', async () => {
       const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
 
+      // Mock database error for super admin check
+      mockSingle.mockRejectedValue(new Error('Database error'));
+      
       const { result } = renderHook(() => useOrganisationSecurity());
 
       const hasAccess = await result.current.validateOrganisationAccess('org-123');
@@ -300,15 +321,15 @@ describe('useOrganisationSecurity', () => {
   });
 
   describe('Role Validation', () => {
-    it('checks minimum role for super admin', () => {
-      // Set up super admin user
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+    it('checks minimum role for super admin', async () => {
+      // Mock super admin status via database
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
       
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -317,6 +338,11 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       const hasRole = result.current.hasMinimumRole('org_admin');
       expect(hasRole).toBe(true);
     });
@@ -369,15 +395,15 @@ describe('useOrganisationSecurity', () => {
   });
 
   describe('Child Organisation Access', () => {
-    it('allows super admin to access child organisations', () => {
-      // Set up super admin user
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+    it('allows super admin to access child organisations', async () => {
+      // Mock super admin status via database
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
       
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -386,6 +412,11 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       const canAccess = result.current.canAccessChildOrganisations('org-123');
       expect(canAccess).toBe(true);
     });
@@ -423,14 +454,14 @@ describe('useOrganisationSecurity', () => {
 
   describe('Permission Checks', () => {
     it('checks permissions for super admin', async () => {
-      // Set up super admin user
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+      // Mock super admin status via database
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
       
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -439,6 +470,11 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       const hasPermission = await result.current.hasPermission('read:users');
       expect(hasPermission).toBe(true);
     });
@@ -516,14 +552,14 @@ describe('useOrganisationSecurity', () => {
 
   describe('User Permissions', () => {
     it('gets user permissions for super admin', async () => {
-      // Set up super admin user
-      const superAdminUser = {
-        ...mockUser,
-        app_metadata: { globalRole: 'super_admin' }
-      };
+      // Mock super admin status via database
+      mockSupabaseQuery.limit.mockResolvedValue({
+        data: [{ role: 'super_admin' }],
+        error: null
+      });
       
       mockUseUnifiedAuth.mockReturnValue({
-        user: superAdminUser,
+        user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
         isAuthenticated: true,
@@ -532,6 +568,11 @@ describe('useOrganisationSecurity', () => {
 
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.superAdminContext.isSuperAdmin).toBe(true);
+      });
+
       const permissions = await result.current.getUserPermissions();
       expect(permissions).toEqual(['*']); // Super admin has all permissions
     });
@@ -553,8 +594,9 @@ describe('useOrganisationSecurity', () => {
       } as any);
       
       const mockPermissionMap = {
-        'page-1': ['read:users', 'create:posts'],
-        'page-2': ['read:posts']
+        'read:users': true,
+        'create:posts': true,
+        'read:posts': true
       };
       
       mockGetPermissionMap.mockResolvedValue(mockPermissionMap);
@@ -608,7 +650,12 @@ describe('useOrganisationSecurity', () => {
 
   describe('Security Utilities', () => {
     it('ensures organisation access for valid user', async () => {
-      // The default setup already has a regular user with valid access
+      // Mock the organisation membership query to return valid membership
+      mockSupabaseQuery.single.mockResolvedValue({
+        data: { id: 'membership-123' },
+        error: null
+      });
+
       const { result } = renderHook(() => useOrganisationSecurity());
 
       await expect(result.current.ensureOrganisationAccess('org-123')).resolves.not.toThrow();
@@ -641,9 +688,15 @@ describe('useOrganisationSecurity', () => {
     });
 
     it('validates user access', async () => {
-      // The default setup already has a regular user with valid access
+      // Mock the organisation membership query to return valid membership
+      mockSupabaseQuery.single.mockResolvedValue({
+        data: { id: 'membership-123' },
+        error: null
+      });
+
       const { result } = renderHook(() => useOrganisationSecurity());
 
+      // Test self-validation (should work for regular users)
       const isValid = await result.current.validateUserAccess('user-123', 'org-123');
       expect(isValid).toBe(true);
     });

package/src/hooks/useOrganisationSecurity.ts

@@ -8,7 +8,7 @@
  * Provides utilities for validating user access to organisations and checking permissions.
  */
 
-import { useCallback, useMemo } from 'react';
+import { useCallback, useMemo, useEffect, useState } from 'react';
 import { useUnifiedAuth } from '../providers';
 import { useOrganisations } from './useOrganisations';
 // Legacy useRBAC hook removed - use new RBAC system instead
@@ -39,22 +39,51 @@ export interface OrganisationSecurityHook {
 export const useOrganisationSecurity = (): OrganisationSecurityHook => {
   const { user, session, supabase } = useUnifiedAuth();
   const { selectedOrganisation, getUserRole, validateOrganisationAccess: validateAccess } = useOrganisations();
-  // Get global role directly from user metadata
-  const globalRole = useMemo(() => {
-    if (!user) return null;
-    return user.app_metadata?.globalRole === 'super_admin' || 
-           user.user_metadata?.globalRole === 'super_admin' ? 'super_admin' : null;
-  }, [user]);
+  
+  // Super admin status - query database for security (user_metadata can be spoofed)
+  const [isSuperAdmin, setIsSuperAdmin] = useState<boolean>(false);
+  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(false);
+
+  // Check super admin status from database
+  useEffect(() => {
+    if (!user || !session || !supabase) {
+      setIsSuperAdmin(false);
+      return;
+    }
+
+    const checkSuperAdmin = async () => {
+      setIsCheckingSuperAdmin(true);
+      try {
+        const now = new Date().toISOString();
+        const { data, error } = await supabase
+          .from('rbac_global_roles')
+          .select('role')
+          .eq('user_id', user.id)
+          .eq('role', 'super_admin')
+          .lte('valid_from', now)
+          .or(`valid_to.is.null,valid_to.gte.${now}`)
+          .limit(1);
+
+        setIsSuperAdmin(!error && data && data.length > 0);
+      } catch (error) {
+        console.error('[useOrganisationSecurity] Error checking super admin status:', error);
+        setIsSuperAdmin(false);
+      } finally {
+        setIsCheckingSuperAdmin(false);
+      }
+    };
+
+    checkSuperAdmin();
+  }, [user, session, supabase]);
 
   // Super admin context
   const superAdminContext = useMemo((): SuperAdminContext => {
-    const isSuperAdmin = globalRole === 'super_admin';
     return {
       isSuperAdmin,
       hasGlobalAccess: isSuperAdmin,
       canManageAllOrganisations: isSuperAdmin
     };
-  }, [globalRole]);
+  }, [isSuperAdmin]);
 
   // Validate organisation access with database check
   const validateOrganisationAccess = useCallback(async (orgId: string): Promise<boolean> => {
@@ -179,7 +208,9 @@ export const useOrganisationSecurity = (): OrganisationSecurityHook => {
       });
       
       // Flatten all permissions from all pages
-      const allPermissions = Object.values(permissionMap).flat();
+      const allPermissions = Object.entries(permissionMap)
+        .filter(([, allowed]) => allowed)
+        .map(([permission]) => permission);
       return [...new Set(allPermissions)]; // Remove duplicates
     } catch (error) {
       console.error('[useOrganisationSecurity] Exception getting user permissions:', error);

package/src/index.ts

@@ -33,7 +33,6 @@ export { useOrganisations } from './hooks/useOrganisations';
 export { useEventService } from './hooks/services/useEventService';
 export { useOrganisationService } from './hooks/services/useOrganisationService';
 export { useAuthService } from './hooks/services/useAuthService';
-export { useRBACService } from './hooks/services/useRBACService';
 export { useInactivityService } from './hooks/services/useInactivityService';
 
 export type {