@jmruthers/pace-core 0.6.4 → 0.6.6

package/src/rbac/hooks/useResourcePermissions.ts

@@ -40,13 +40,16 @@
  * - Missing user context results in all permissions being denied
  */
 
-import { useMemo } from 'react';
+import { useMemo, useState, useEffect, useRef } from 'react';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
+import type { Event } from '../../types/event';
 import { useResolvedScope } from './useResolvedScope';
 import { useCan } from './usePermissions';
-import type { Scope } from '../types';
+import { isSuperAdmin } from '../api';
+import { createLogger } from '../../utils/core/logger';
+import type { Scope, Permission } from '../types';
 
 export interface UseResourcePermissionsOptions {
   /** Whether to check read permissions (default: false) */
@@ -80,15 +83,22 @@ export interface ResourcePermissions {
  * and provides a simple API for permission checking.
  * 
  * **Page Permission Support:**
- * When an `appId` is available in the resolved scope, the resource name is passed
- * as `pageId` to enable page-based permission checks. This allows the hook to work
- * with both resource-based permissions (when appId is not available) and page-based
- * permissions (when appId is available and the resource is a registered page).
+ * When an `appId` is available in the resolved scope, the hook automatically:
+ * 1. Waits for scope resolution to complete (including `appId` being set)
+ * 2. Constructs permission strings with the `page.` prefix (e.g., `create:page.planning`)
+ * 3. Passes the resource name as `pageId` to enable page-based permission checks
  * 
- * The RPC function `rbac_check_permission_simplified` will automatically resolve
- * the page name to a page ID and check page permissions if the resource matches
- * a registered page in `rbac_app_pages`. If the resource is not a registered page,
- * it will fall back to resource-based permission checking.
+ * This ensures permission strings match the format returned by `rbac_permissions_get`
+ * (e.g., `create:page.planning`) rather than resource-based format (e.g., `create:planning`).
+ * 
+ * **Scope Resolution Timing:**
+ * The hook waits for scope resolution to complete before constructing permission strings.
+ * This prevents timing issues where permission checks use the wrong format (e.g., `delete:planning`
+ * instead of `delete:page.planning`) when `appId` is not yet available in the scope.
+ * 
+ * The RPC function `rbac_check_permission_simplified` will resolve the page name to a page ID
+ * and check page permissions if the resource matches a registered page in `rbac_app_pages`.
+ * If the resource is not a registered page, it will fall back to resource-based permission checking.
  * 
  * @param resource - The resource name (e.g., 'contacts', 'risks', 'planning')
  *                   Can be a resource name or a page name registered in rbac_app_pages
@@ -133,15 +143,80 @@ export function useResourcePermissions(
   options: UseResourcePermissionsOptions = {}
 ): ResourcePermissions {
   const { enableRead = false, requireScope = true } = options;
+  const logger = createLogger('ResourcePermissions');
 
   // Get user and supabase client from UnifiedAuth
   const { user, supabase } = useUnifiedAuth();
+
+  // Super admin status - check if user has super admin privileges
+  // Super admins bypass all permission checks (similar to useDataTablePermissions)
+  // PERFORMANCE OPTIMIZATION: Check super admin once and share with all useCan hooks to avoid duplicate queries
+  // Use null to indicate "not checked yet" vs false which means "checked and not super admin"
+  const [isSuperAdminUser, setIsSuperAdminUser] = useState<boolean | null>(null);
+  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState<boolean>(() => !!user?.id);
+  const lastCheckedUserIdRef = useRef<string | null>(null);
+  const isCheckingRef = useRef<boolean>(false);
+
+  useEffect(() => {
+    // Skip if already checked for this user ID
+    if (lastCheckedUserIdRef.current === user?.id && isSuperAdminUser !== null) {
+      return;
+    }
+
+    // Skip if already checking
+    if (isCheckingRef.current) {
+      return;
+    }
+
+    const checkSuperAdminStatus = async () => {
+      if (!user?.id) {
+        setIsSuperAdminUser(false); // No user = not super admin
+        setIsCheckingSuperAdmin(false);
+        lastCheckedUserIdRef.current = null;
+        return;
+      }
+
+      // Mark as checking and track user ID
+      isCheckingRef.current = true;
+      lastCheckedUserIdRef.current = user.id;
+
+      const startTime = Date.now();
+      setIsCheckingSuperAdmin(true);
+      
+      // Add timeout to prevent infinite hanging
+      const timeoutId = setTimeout(() => {
+        logger.warn('useResourcePermissions', 'Super admin check taking longer than 5 seconds', {
+          userId: user?.id,
+          elapsedMs: Date.now() - startTime,
+        });
+      }, 5000);
+
+      try {
+        const superAdminStatus = await isSuperAdmin(user.id);
+        setIsSuperAdminUser(superAdminStatus);
+      } catch (error) {
+        const elapsed = Date.now() - startTime;
+        logger.error('useResourcePermissions', 'Error checking super admin status', {
+          userId: user?.id,
+          error,
+          elapsedMs: elapsed,
+        });
+        setIsSuperAdminUser(false); // Error = assume not super admin for security
+      } finally {
+        clearTimeout(timeoutId);
+        setIsCheckingSuperAdmin(false);
+        isCheckingRef.current = false;
+      }
+    };
+
+    checkSuperAdminStatus();
+  }, [user?.id, logger]);
   
   // Get selected organisation
   const { selectedOrganisation } = useOrganisations();
   
   // Get selected event (optional - wrap in try/catch)
-  let selectedEvent: { event_id: string } | null = null;
+  let selectedEvent: Event | null = null;
   try {
     const eventsContext = useEvents();
     selectedEvent = eventsContext.selectedEvent;
@@ -154,52 +229,70 @@ export function useResourcePermissions(
   const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
     selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
 
-  // Create fallback scope if resolvedScope is not available
+  // CRITICAL FIX: Only use resolvedScope when it's available (not during loading)
+  // This ensures we wait for appId to be resolved before constructing permission strings
+  // If resolvedScope is null (still loading), we can't determine if we should use page permissions
+  // so we must wait for scope resolution to complete
   const scope: Scope = resolvedScope || {
     organisationId: selectedOrganisation?.id || '',
     eventId: selectedEvent?.event_id || undefined,
     appId: undefined
   };
 
-  // If we have an appId in scope, pass the resource name as pageId to enable page permission checks
-  // The RPC function rbac_check_permission_simplified will resolve the page name to a page ID
-  // and check page permissions if the resource is a registered page
-  // This allows useResourcePermissions to work with both resource-based and page-based permissions
-  const pageId = scope.appId ? resource : undefined;
+  // CRITICAL FIX: Only use page permissions when appId is actually available in resolvedScope
+  // If scope is still loading (resolvedScope is null), we can't know if appId will be available
+  // so we must wait for scope resolution before constructing page permission strings
+  // This prevents using wrong permission format (delete:planning instead of delete:page.planning)
+  const hasAppId = !!resolvedScope?.appId;
+  const pageId = hasAppId ? resource : undefined;
+  
+  // When appId is available in resolved scope, construct permission strings with page. prefix
+  // This matches the format that rbac_permissions_get returns (e.g., 'create:page.planning')
+  // and ensures consistent permission checking for page-based resources
+  // IMPORTANT: Only use page format when appId is actually resolved, not during loading
+  const isPagePermission = hasAppId && !!pageId;
+  const createPermission = isPagePermission ? `create:page.${resource}` : `create:${resource}`;
+  const updatePermission = isPagePermission ? `update:page.${resource}` : `update:${resource}`;
+  const deletePermission = isPagePermission ? `delete:page.${resource}` : `delete:${resource}`;
+  const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
 
   // Permission checks for create, update, delete
-  // Pass null for super admin status (not checked yet - hook will check if needed)
-  // PERFORMANCE: These hooks will each check super admin separately - could be optimized in future
+  // PERFORMANCE OPTIMIZATION: Pass precomputed super admin status to avoid duplicate checks
+  // Each useCan hook would normally check super admin separately (4+ queries), but we check once here
+  // and share the result. Pass null if not checked yet (hooks will check), false/true if checked.
+  // CRITICAL: useCan will wait for appId when pageId is provided (it checks needsAppIdForPageName)
+  // But we must ensure permission strings are correct before calling useCan
   const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
     user?.id || '',
     scope,
-    `create:${resource}` as const,
+    createPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
   const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
     user?.id || '',
     scope,
-    `update:${resource}` as const,
+    updatePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
   const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
     user?.id || '',
     scope,
-    `delete:${resource}` as const,
+    deletePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
@@ -207,17 +300,25 @@ export function useResourcePermissions(
   const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
     user?.id || '',
     scope,
-    `read:${resource}` as const,
+    readPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
   // Aggregate loading states - any permission check or scope resolution loading
+  // CRITICAL: When requireScope is true, we must wait for scope resolution to complete
+  // so we can determine the correct permission format (page vs resource permissions)
+  // This prevents using wrong permission format (delete:planning instead of delete:page.planning)
+  // Also wait for super admin check to complete to ensure accurate permission results
   const isLoading = useMemo(() => {
-    return scopeLoading || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
-  }, [scopeLoading, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
+    // If scope resolution is required, wait for it to complete
+    const waitingForScope = requireScope && scopeLoading;
+    // Wait for super admin check to complete (null means still checking)
+    const waitingForSuperAdmin = isSuperAdminUser === null && isCheckingSuperAdmin;
+    return waitingForScope || waitingForSuperAdmin || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
+  }, [scopeLoading, requireScope, isSuperAdminUser, isCheckingSuperAdmin, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
 
   // Aggregate errors - prefer scope error, then any permission error
   const error = useMemo(() => {
@@ -232,41 +333,59 @@ export function useResourcePermissions(
   // Return wrapper functions that take resource name and return permission result
   // Note: The resource parameter in the function is for consistency with the API,
   // but we're checking permissions for the resource passed to the hook
-  return useMemo(() => ({
-    canCreate: (res: string) => {
-      // For now, we only check the resource passed to the hook
-      // Future enhancement could support checking different resources
-      if (res !== resource) {
-        return false;
-      }
-      return canCreateResult;
-    },
-    canUpdate: (res: string) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canUpdateResult;
-    },
-    canDelete: (res: string) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canDeleteResult;
-    },
-    canRead: (res: string) => {
-      if (!enableRead) {
-        return true; // If read checking is disabled, allow read
+  // CRITICAL FIX: When isSuperAdminUser is true, immediately grant all permissions without waiting
+  // for useCan results. This ensures super admins can use resource operations immediately.
+  return useMemo(() => {
+    // Helper to create a permission result that bypasses for super admins
+    const createSuperAdminAwarePermission = (result: boolean) => {
+      // CRITICAL: If super admin is confirmed, immediately grant permission
+      // Don't wait for useCan results - super admins bypass all checks
+      if (isSuperAdminUser === true) {
+        return true;
       }
-      if (res !== resource) {
-        return false;
-      }
-      return canReadResult;
-    },
-    scope,
-    isLoading,
-    error
-  }), [
+      
+      // For non-super-admins or while checking, use normal permission results
+      return result;
+    };
+
+    return {
+      canCreate: (res: string) => {
+        // For now, we only check the resource passed to the hook
+        // Future enhancement could support checking different resources
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canCreateResult);
+      },
+      canUpdate: (res: string) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canUpdateResult);
+      },
+      canDelete: (res: string) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canDeleteResult);
+      },
+      canRead: (res: string) => {
+        if (!enableRead) {
+          return true; // If read checking is disabled, allow read
+        }
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canReadResult);
+      },
+      scope,
+      isLoading: isCheckingSuperAdmin || isLoading,
+      error
+    };
+  }, [
     resource,
+    isSuperAdminUser,
+    isCheckingSuperAdmin,
     canCreateResult,
     canUpdateResult,
     canDeleteResult,

package/src/rbac/hooks/useRoleManagement.test.ts

@@ -8,7 +8,7 @@
  * Tests focus on behavior: role granting, revoking, loading states, and error handling.
  */
 
-import { renderHook, waitFor } from '@testing-library/react';
+import { renderHook, waitFor, act } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { useRoleManagement } from './useRoleManagement';
 import type { SupabaseClient } from '@supabase/supabase-js';
@@ -105,7 +105,7 @@ describe('useRoleManagement Hook', () => {
   describe('revokeEventAppRole', () => {
     it('revokes role successfully', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -117,19 +117,18 @@ describe('useRoleManagement Hook', () => {
       expect(revokeResult.message).toBe('Role revoked successfully');
       expect(revokeResult.error).toBeUndefined();
       expect(result.current.error).toBeNull();
-      expect(mockSupabase.rpc).toHaveBeenCalledWith('revoke_event_app_role', {
+      expect(mockSupabase.rpc).toHaveBeenCalledWith('rbac_role_revoke', {
         p_user_id: 'user-456',
-        p_organisation_id: 'org-123',
-        p_event_id: 'event-123',
-        p_app_id: 'app-123',
-        p_role: 'viewer',
+        p_role_type: 'event_app',
+        p_role_name: 'viewer',
+        p_context_id: 'event-123:app-123',
         p_revoked_by: 'user-123',
       });
     });
 
     it('handles case when role not found', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: false,
+        data: [{ success: false, message: 'No matching role found', revoked_count: 0, error_code: 'ROLE_NOT_FOUND' }],
         error: null,
       });
 
@@ -138,13 +137,55 @@ describe('useRoleManagement Hook', () => {
       const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
 
       expect(revokeResult.success).toBe(false);
-      expect(revokeResult.message).toBe('No role found to revoke');
+      expect(revokeResult.message).toBe('No matching role found');
       expect(revokeResult.error).toBe('No matching role found');
     });
 
+    it('handles empty data response', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('No response from database - role revocation may have failed');
+    });
+
+    it('handles null data response', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('No response from database - role revocation may have failed');
+    });
+
+    it('handles result with success false but no message', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [{ success: false, message: null, revoked_count: 0, error_code: 'ROLE_NOT_FOUND' }],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('ROLE_NOT_FOUND');
+    });
+
     it('uses provided revoked_by parameter', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -156,7 +197,7 @@ describe('useRoleManagement Hook', () => {
       });
 
       expect(mockSupabase.rpc).toHaveBeenCalledWith(
-        'revoke_event_app_role',
+        'rbac_role_revoke',
         expect.objectContaining({
           p_revoked_by: 'admin-789',
         })
@@ -165,7 +206,7 @@ describe('useRoleManagement Hook', () => {
 
     it('uses user ID as revoked_by when not provided', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -174,7 +215,7 @@ describe('useRoleManagement Hook', () => {
       await result.current.revokeEventAppRole(mockRoleParams);
 
       expect(mockSupabase.rpc).toHaveBeenCalledWith(
-        'revoke_event_app_role',
+        'rbac_role_revoke',
         expect.objectContaining({
           p_revoked_by: 'user-123',
         })
@@ -262,7 +303,7 @@ describe('useRoleManagement Hook', () => {
       );
 
       resolvePromise!({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -461,14 +502,16 @@ describe('useRoleManagement Hook', () => {
 
       const { result } = renderHook(() => useRoleManagement());
 
+      // Call grantEventAppRole - loading state is set synchronously, but React state updates are async
       const grantPromise = result.current.grantEventAppRole(mockRoleParams);
 
-      // Loading state is set synchronously, but React state updates are async
+      // Wait for React to process the state update (setIsLoading(true))
+      // Increased timeout to allow React to batch and process state updates
       await waitFor(
         () => {
           expect(result.current.isLoading).toBe(true);
         },
-        { timeout: 100 }
+        { timeout: 1000 }
       );
 
       resolvePromise!({
@@ -797,9 +840,9 @@ describe('useRoleManagement Hook', () => {
         });
 
         expect(mockSupabase.rpc).toHaveBeenCalledWith(
-          'revoke_event_app_role',
+          'rbac_role_revoke',
           expect.objectContaining({
-            p_role: role,
+            p_role_name: role,
           })
         );
       }
@@ -825,7 +868,7 @@ describe('useRoleManagement Hook', () => {
 
       // Second call succeeds
       (mockSupabase.rpc as any).mockResolvedValueOnce({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -850,7 +893,7 @@ describe('useRoleManagement Hook', () => {
 
       // Second call succeeds
       (mockSupabase.rpc as any).mockResolvedValueOnce({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -864,7 +907,7 @@ describe('useRoleManagement Hook', () => {
   describe('Concurrent Operations', () => {
     it('handles concurrent role operations', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -885,7 +928,7 @@ describe('useRoleManagement Hook', () => {
 
     it('handles rapid sequential operations', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });