@jmruthers/pace-core 0.6.3 → 0.6.5

package/src/rbac/hooks/useResourcePermissions.ts

@@ -46,7 +46,7 @@ import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
 import { useResolvedScope } from './useResolvedScope';
 import { useCan } from './usePermissions';
-import type { Scope } from '../types';
+import type { Scope, Permission } from '../types';
 
 export interface UseResourcePermissionsOptions {
   /** Whether to check read permissions (default: false) */
@@ -80,15 +80,22 @@ export interface ResourcePermissions {
  * and provides a simple API for permission checking.
  * 
  * **Page Permission Support:**
- * When an `appId` is available in the resolved scope, the resource name is passed
- * as `pageId` to enable page-based permission checks. This allows the hook to work
- * with both resource-based permissions (when appId is not available) and page-based
- * permissions (when appId is available and the resource is a registered page).
+ * When an `appId` is available in the resolved scope, the hook automatically:
+ * 1. Waits for scope resolution to complete (including `appId` being set)
+ * 2. Constructs permission strings with the `page.` prefix (e.g., `create:page.planning`)
+ * 3. Passes the resource name as `pageId` to enable page-based permission checks
  * 
- * The RPC function `rbac_check_permission_simplified` will automatically resolve
- * the page name to a page ID and check page permissions if the resource matches
- * a registered page in `rbac_app_pages`. If the resource is not a registered page,
- * it will fall back to resource-based permission checking.
+ * This ensures permission strings match the format returned by `rbac_permissions_get`
+ * (e.g., `create:page.planning`) rather than resource-based format (e.g., `create:planning`).
+ * 
+ * **Scope Resolution Timing:**
+ * The hook waits for scope resolution to complete before constructing permission strings.
+ * This prevents timing issues where permission checks use the wrong format (e.g., `delete:planning`
+ * instead of `delete:page.planning`) when `appId` is not yet available in the scope.
+ * 
+ * The RPC function `rbac_check_permission_simplified` will resolve the page name to a page ID
+ * and check page permissions if the resource matches a registered page in `rbac_app_pages`.
+ * If the resource is not a registered page, it will fall back to resource-based permission checking.
  * 
  * @param resource - The resource name (e.g., 'contacts', 'risks', 'planning')
  *                   Can be a resource name or a page name registered in rbac_app_pages
@@ -157,26 +164,42 @@ export function useResourcePermissions(
     selectedEventId: selectedEvent?.event_id || null
   });
 
-  // Create fallback scope if resolvedScope is not available
+  // CRITICAL FIX: Only use resolvedScope when it's available (not during loading)
+  // This ensures we wait for appId to be resolved before constructing permission strings
+  // If resolvedScope is null (still loading), we can't determine if we should use page permissions
+  // so we must wait for scope resolution to complete
   const scope: Scope = resolvedScope || {
     organisationId: selectedOrganisation?.id || '',
     eventId: selectedEvent?.event_id || undefined,
     appId: undefined
   };
 
-  // If we have an appId in scope, pass the resource name as pageId to enable page permission checks
-  // The RPC function rbac_check_permission_simplified will resolve the page name to a page ID
-  // and check page permissions if the resource is a registered page
-  // This allows useResourcePermissions to work with both resource-based and page-based permissions
-  const pageId = scope.appId ? resource : undefined;
+  // CRITICAL FIX: Only use page permissions when appId is actually available in resolvedScope
+  // If scope is still loading (resolvedScope is null), we can't know if appId will be available
+  // so we must wait for scope resolution before constructing page permission strings
+  // This prevents using wrong permission format (delete:planning instead of delete:page.planning)
+  const hasAppId = !!resolvedScope?.appId;
+  const pageId = hasAppId ? resource : undefined;
+  
+  // When appId is available in resolved scope, construct permission strings with page. prefix
+  // This matches the format that rbac_permissions_get returns (e.g., 'create:page.planning')
+  // and ensures consistent permission checking for page-based resources
+  // IMPORTANT: Only use page format when appId is actually resolved, not during loading
+  const isPagePermission = hasAppId && !!pageId;
+  const createPermission = isPagePermission ? `create:page.${resource}` : `create:${resource}`;
+  const updatePermission = isPagePermission ? `update:page.${resource}` : `update:${resource}`;
+  const deletePermission = isPagePermission ? `delete:page.${resource}` : `delete:${resource}`;
+  const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
 
   // Permission checks for create, update, delete
   // Pass null for super admin status (not checked yet - hook will check if needed)
   // PERFORMANCE: These hooks will each check super admin separately - could be optimized in future
+  // CRITICAL: useCan will wait for appId when pageId is provided (it checks needsAppIdForPageName)
+  // But we must ensure permission strings are correct before calling useCan
   const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
     user?.id || '',
     scope,
-    `create:${resource}` as const,
+    createPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
     null, // precomputedSuperAdmin - not checked yet
@@ -186,7 +209,7 @@ export function useResourcePermissions(
   const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
     user?.id || '',
     scope,
-    `update:${resource}` as const,
+    updatePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
     null, // precomputedSuperAdmin - not checked yet
@@ -196,7 +219,7 @@ export function useResourcePermissions(
   const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
     user?.id || '',
     scope,
-    `delete:${resource}` as const,
+    deletePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
     null, // precomputedSuperAdmin - not checked yet
@@ -207,7 +230,7 @@ export function useResourcePermissions(
   const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
     user?.id || '',
     scope,
-    `read:${resource}` as const,
+    readPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
     null, // precomputedSuperAdmin - not checked yet
@@ -215,9 +238,14 @@ export function useResourcePermissions(
   );
 
   // Aggregate loading states - any permission check or scope resolution loading
+  // CRITICAL: When requireScope is true, we must wait for scope resolution to complete
+  // so we can determine the correct permission format (page vs resource permissions)
+  // This prevents using wrong permission format (delete:planning instead of delete:page.planning)
   const isLoading = useMemo(() => {
-    return scopeLoading || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
-  }, [scopeLoading, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
+    // If scope resolution is required, wait for it to complete
+    const waitingForScope = requireScope && scopeLoading;
+    return waitingForScope || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
+  }, [scopeLoading, requireScope, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
 
   // Aggregate errors - prefer scope error, then any permission error
   const error = useMemo(() => {
@@ -239,19 +267,19 @@ export function useResourcePermissions(
       if (res !== resource) {
         return false;
       }
-      return canCreateResult;
+      return canCreateResult; // canCreateResult is already the boolean 'can' value from useCan
     },
     canUpdate: (res: string) => {
       if (res !== resource) {
         return false;
       }
-      return canUpdateResult;
+      return canUpdateResult; // canUpdateResult is already the boolean 'can' value from useCan
     },
     canDelete: (res: string) => {
       if (res !== resource) {
         return false;
       }
-      return canDeleteResult;
+      return canDeleteResult; // canDeleteResult is already the boolean 'can' value from useCan
     },
     canRead: (res: string) => {
       if (!enableRead) {
@@ -260,17 +288,17 @@ export function useResourcePermissions(
       if (res !== resource) {
         return false;
       }
-      return canReadResult;
+      return canReadResult; // canReadResult is already the boolean 'can' value from useCan
     },
     scope,
     isLoading,
     error
   }), [
     resource,
-    canCreateResult,
-    canUpdateResult,
-    canDeleteResult,
-    canReadResult,
+    canCreateResult, // This is already the boolean 'can' value
+    canUpdateResult, // This is already the boolean 'can' value
+    canDeleteResult, // This is already the boolean 'can' value
+    canReadResult, // This is already the boolean 'can' value
     enableRead,
     scope,
     isLoading,

package/src/rbac/permissions.ts

@@ -106,35 +106,35 @@ export const EVENT_APP_PERMISSIONS = {
 // ============================================================================
 
 export const PAGE_PERMISSIONS = {
-  // General page access
+  // General page access (generic - used for wildcard checks)
   READ_PAGE: 'read:page' as Permission,
   CREATE_PAGE: 'create:page' as Permission,
   UPDATE_PAGE: 'update:page' as Permission,
   DELETE_PAGE: 'delete:page' as Permission,
   
   // Admin pages
-  READ_ADMIN: 'read:admin' as Permission,
-  CREATE_ADMIN: 'create:admin' as Permission,
-  UPDATE_ADMIN: 'update:admin' as Permission,
-  DELETE_ADMIN: 'delete:admin' as Permission,
+  READ_ADMIN: 'read:page.admin' as Permission,
+  CREATE_ADMIN: 'create:page.admin' as Permission,
+  UPDATE_ADMIN: 'update:page.admin' as Permission,
+  DELETE_ADMIN: 'delete:page.admin' as Permission,
   
   // Dashboard pages
-  READ_DASHBOARD: 'read:dashboard' as Permission,
-  CREATE_DASHBOARD: 'create:dashboard' as Permission,
-  UPDATE_DASHBOARD: 'update:dashboard' as Permission,
-  DELETE_DASHBOARD: 'delete:dashboard' as Permission,
+  READ_DASHBOARD: 'read:page.dashboard' as Permission,
+  CREATE_DASHBOARD: 'create:page.dashboard' as Permission,
+  UPDATE_DASHBOARD: 'update:page.dashboard' as Permission,
+  DELETE_DASHBOARD: 'delete:page.dashboard' as Permission,
   
   // Settings pages
-  READ_SETTINGS: 'read:settings' as Permission,
-  CREATE_SETTINGS: 'create:settings' as Permission,
-  UPDATE_SETTINGS: 'update:settings' as Permission,
-  DELETE_SETTINGS: 'delete:settings' as Permission,
+  READ_SETTINGS: 'read:page.settings' as Permission,
+  CREATE_SETTINGS: 'create:page.settings' as Permission,
+  UPDATE_SETTINGS: 'update:page.settings' as Permission,
+  DELETE_SETTINGS: 'delete:page.settings' as Permission,
   
   // Reports pages
-  READ_REPORTS: 'read:reports' as Permission,
-  CREATE_REPORTS: 'create:reports' as Permission,
-  UPDATE_REPORTS: 'update:reports' as Permission,
-  DELETE_REPORTS: 'delete:reports' as Permission,
+  READ_REPORTS: 'read:page.reports' as Permission,
+  CREATE_REPORTS: 'create:page.reports' as Permission,
+  UPDATE_REPORTS: 'update:page.reports' as Permission,
+  DELETE_REPORTS: 'delete:page.reports' as Permission,
 } as const;
 
 // ============================================================================

package/src/rbac/utils/contextValidator.ts

@@ -89,7 +89,19 @@ export class ContextValidator {
     if (effectiveScopeType === 'both') {
       // For 'both' pages, we need at least one context (org or event)
       // Both will be checked during permission evaluation
+      // For PORTAL/ADMIN apps, both contexts are optional
       if (!scope.organisationId && !scope.eventId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: undefined,
+              eventId: undefined,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
         return {
           isValid: false,
           resolvedScope: null,
@@ -123,6 +135,18 @@ export class ContextValidator {
     // Handle 'event' scope - requires event context
     if (effectiveScopeType === 'event') {
       if (!scope.eventId) {
+        // For PORTAL/ADMIN apps, event context is optional
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: scope.organisationId,
+              eventId: undefined,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
         return {
           isValid: false,
           resolvedScope: null,
@@ -167,6 +191,18 @@ export class ContextValidator {
     // Handle 'organisation' scope - requires organisation context
     if (effectiveScopeType === 'organisation') {
       if (!scope.organisationId) {
+        // For PORTAL/ADMIN apps, organisation context is optional
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: undefined,
+              eventId: scope.eventId,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
         return {
           isValid: false,
           resolvedScope: null,

package/src/services/AuthService.ts

@@ -57,11 +57,8 @@ export class AuthService extends BaseService implements IAuthService {
 
   // Auth state getters
   getUser(): User | null {
-    if (this.user) {
-      logger.debug('AuthService', `getUser() [ID:${this.instanceId}] returning user: ${this.user.id}`);
-    } else {
-      logger.debug('AuthService', `getUser() [ID:${this.instanceId}] returning null`);
-    }
+    // Removed debug logging - getUser() is called frequently and state changes
+    // are already logged in the auth state change handler
     return this.user;
   }
 

package/src/services/EventService.ts

@@ -108,6 +108,9 @@ export class EventService extends BaseService implements IEventService {
       this.resetInitialization();
       this.isInitializedRef = false;
       this.isFetchingRef = false;
+      // Reset user cleared flag when new user logs in - allows auto-selection for new user
+      this.userClearedEventRef = false;
+      this.hasAutoSelectedRef = false;
       
       logger.debug('EventService', `User changed [ID:${this.instanceId}]`, {
         previousUserId,
@@ -177,15 +180,40 @@ export class EventService extends BaseService implements IEventService {
       // Do not clear events for super admins when organisation context is removed
       const shouldClearEvents = !this.isSuperAdmin;
 
+      // Determine if this is the first time an org is being set (from null/undefined to a value)
+      const isFirstOrgSet = (previousOrgId === null || previousOrgId === undefined) && newOrgId !== null && newOrgId !== undefined;
+      
       // Clear events ONLY when switching between different organisations (not when org first becomes available)
-      if (previousOrgId !== null && newOrgId !== null && previousOrgId !== newOrgId) {
+      // IMPORTANT: Check isFirstOrgSet FIRST to prevent clearing when org is first set
+      if (isFirstOrgSet) {
+        // Organisation first becomes available - DO NOT clear the event, preserve it
+        // The event will be validated when events are re-fetched with org context
+        // If it's no longer valid, it will be cleared without setting userClearedEventRef = true
+        const hadAutoSelectedEvent = this.hasAutoSelectedRef && !!this.selectedEvent;
+        this.userClearedEventRef = false;
+        // Don't reset hasAutoSelectedRef if we had an auto-selected event - preserve it
+        // This ensures the event remains selected when org is first set
+        if (!hadAutoSelectedEvent) {
+          this.hasAutoSelectedRef = false;
+        }
+        logger.debug('EventService', 'Organisation first set - preserving event and resetting auto-selection flags', {
+          organisationId: newOrgId,
+          hasSelectedEvent: !!this.selectedEvent,
+          selectedEventId: this.selectedEvent?.event_id,
+          hadAutoSelectedEvent,
+          preservingEvent: hadAutoSelectedEvent,
+          previousOrgId,
+          newOrgId
+        });
+      } else if (previousOrgId !== null && previousOrgId !== undefined && newOrgId !== null && newOrgId !== undefined && previousOrgId !== newOrgId) {
+        // Switching between different organisations - clear events
         if (shouldClearEvents) {
           this.events = [];
           // Use setSelectedEvent(null) to preserve userClearedEventRef flag if user explicitly cleared
           // This prevents auto-selection from re-selecting the event after org switch
           this.setSelectedEvent(null);
         }
-      } else if (previousOrgId !== null && newOrgId === null) {
+      } else if (previousOrgId !== null && previousOrgId !== undefined && newOrgId === null) {
         // Organisation was removed - clear events if not super admin
         if (shouldClearEvents) {
           this.events = [];
@@ -232,7 +260,13 @@ export class EventService extends BaseService implements IEventService {
       });
       // Reset the user cleared flag when selecting an event
       this.userClearedEventRef = false;
+      logger.debug('EventService', 'Event selected', {
+        eventId: event.event_id,
+        eventName: event.event_name,
+        userClearedEventRef: this.userClearedEventRef
+      });
     } else {
+      const previousEventId = this.selectedEvent?.event_id;
       this.selectedEvent = null;
       this.setSelectedEventId?.(null);
       // Clear from secure storage (don't await to avoid blocking)
@@ -243,6 +277,11 @@ export class EventService extends BaseService implements IEventService {
       this.hasAutoSelectedRef = false;
       // Mark that user explicitly cleared the event to prevent auto-selection
       this.userClearedEventRef = true;
+      logger.debug('EventService', 'Event cleared via setSelectedEvent(null)', {
+        previousEventId,
+        userClearedEventRef: this.userClearedEventRef,
+        stackTrace: new Error().stack
+      });
     }
     this.notify();
   }
@@ -617,6 +656,28 @@ export class EventService extends BaseService implements IEventService {
         this.events = sortedEvents;
         this.error = null;
 
+        // Validate selected event - if it's no longer in the events list, clear it
+        // This can happen when org context changes or events are refreshed
+        // Don't set userClearedEventRef to true in this case - it's an automatic clear, not user-initiated
+        if (this.selectedEvent) {
+          const selectedEventId = this.selectedEvent.event_id;
+          const eventStillExists = transformedEvents.some(
+            e => e.event_id === selectedEventId
+          );
+          if (!eventStillExists) {
+            // Event no longer available - clear it but don't mark as user-cleared
+            const previousUserClearedRef = this.userClearedEventRef;
+            this.selectedEvent = null;
+            this.setSelectedEventId?.(null);
+            // Restore the previous userClearedEventRef value - this was an automatic clear, not user-initiated
+            this.userClearedEventRef = previousUserClearedRef;
+            logger.debug('EventService', 'Cleared selected event - no longer in events list', {
+              previousEventId: selectedEventId,
+              eventsCount: transformedEvents.length
+            });
+          }
+        }
+
         // Reset auto-selection ref for new events
         this.hasAutoSelectedRef = false;
 
@@ -624,26 +685,62 @@ export class EventService extends BaseService implements IEventService {
         if (!skipLoadPersisted) {
           const persistedEventLoaded = await this.loadPersistedEvent(transformedEvents);
           
+          logger.debug('EventService', 'Event selection check', {
+            persistedEventLoaded,
+            userClearedEventRef: this.userClearedEventRef,
+            eventsCount: transformedEvents.length,
+            hasSelectedEvent: !!this.selectedEvent
+          });
+          
           // If no persisted event was loaded and user hasn't explicitly cleared an event, auto-select the next event
           if (!persistedEventLoaded && !this.userClearedEventRef) {
             const nextEvent = this.getNextEventByDate(transformedEvents);
+            logger.debug('EventService', 'Auto-selection attempt', {
+              nextEventFound: !!nextEvent,
+              nextEventId: nextEvent?.event_id,
+              nextEventDate: nextEvent?.event_date
+            });
             if (nextEvent) {
               this.hasAutoSelectedRef = true;
               // Use setSelectedEvent() to ensure consistent behavior
               // Theme will be applied by useEventTheme() hook
               this.setSelectedEvent(nextEvent);
+              logger.debug('EventService', 'Auto-selected next event', {
+                eventId: nextEvent.event_id,
+                eventName: nextEvent.event_name,
+                eventDate: nextEvent.event_date
+              });
+            } else {
+              logger.debug('EventService', 'No next event found for auto-selection', {
+                eventsCount: transformedEvents.length,
+                eventsWithDates: transformedEvents.filter(e => e.event_date).length
+              });
             }
+          } else if (persistedEventLoaded) {
+            logger.debug('EventService', 'Skipped auto-selection - persisted event loaded');
+          } else if (this.userClearedEventRef) {
+            logger.debug('EventService', 'Skipped auto-selection - user explicitly cleared event');
           }
         } else {
           // If skipping persisted event load, still do auto-selection for new users
           if (!this.userClearedEventRef) {
             const nextEvent = this.getNextEventByDate(transformedEvents);
+            logger.debug('EventService', 'Auto-selection attempt (skip persisted)', {
+              nextEventFound: !!nextEvent,
+              nextEventId: nextEvent?.event_id
+            });
             if (nextEvent) {
               this.hasAutoSelectedRef = true;
               // Use setSelectedEvent() to ensure consistent behavior
               // Theme will be applied by useEventTheme() hook
               this.setSelectedEvent(nextEvent);
+              logger.debug('EventService', 'Auto-selected next event (skip persisted)', {
+                eventId: nextEvent.event_id,
+                eventName: nextEvent.event_name
+              });
             }
+          } else {
+            logger.debug('EventService', 'Skipped auto-selection (skip persisted) - user explicitly cleared event');
           }
         }
       }