@jmruthers/pace-core 0.6.5 → 0.6.7

package/src/rbac/hooks/useResourcePermissions.ts

@@ -40,12 +40,15 @@
  * - Missing user context results in all permissions being denied
  */
 
-import { useMemo } from 'react';
+import { useMemo, useState, useEffect, useRef } from 'react';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
+import type { Event } from '../../types/event';
 import { useResolvedScope } from './useResolvedScope';
 import { useCan } from './usePermissions';
+import { isSuperAdmin } from '../api';
+import { createLogger } from '../../utils/core/logger';
 import type { Scope, Permission } from '../types';
 
 export interface UseResourcePermissionsOptions {
@@ -140,15 +143,80 @@ export function useResourcePermissions(
   options: UseResourcePermissionsOptions = {}
 ): ResourcePermissions {
   const { enableRead = false, requireScope = true } = options;
+  const logger = createLogger('ResourcePermissions');
 
   // Get user and supabase client from UnifiedAuth
   const { user, supabase } = useUnifiedAuth();
+
+  // Super admin status - check if user has super admin privileges
+  // Super admins bypass all permission checks (similar to useDataTablePermissions)
+  // PERFORMANCE OPTIMIZATION: Check super admin once and share with all useCan hooks to avoid duplicate queries
+  // Use null to indicate "not checked yet" vs false which means "checked and not super admin"
+  const [isSuperAdminUser, setIsSuperAdminUser] = useState<boolean | null>(null);
+  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState<boolean>(() => !!user?.id);
+  const lastCheckedUserIdRef = useRef<string | null>(null);
+  const isCheckingRef = useRef<boolean>(false);
+
+  useEffect(() => {
+    // Skip if already checked for this user ID
+    if (lastCheckedUserIdRef.current === user?.id && isSuperAdminUser !== null) {
+      return;
+    }
+
+    // Skip if already checking
+    if (isCheckingRef.current) {
+      return;
+    }
+
+    const checkSuperAdminStatus = async () => {
+      if (!user?.id) {
+        setIsSuperAdminUser(false); // No user = not super admin
+        setIsCheckingSuperAdmin(false);
+        lastCheckedUserIdRef.current = null;
+        return;
+      }
+
+      // Mark as checking and track user ID
+      isCheckingRef.current = true;
+      lastCheckedUserIdRef.current = user.id;
+
+      const startTime = Date.now();
+      setIsCheckingSuperAdmin(true);
+      
+      // Add timeout to prevent infinite hanging
+      const timeoutId = setTimeout(() => {
+        logger.warn('useResourcePermissions', 'Super admin check taking longer than 5 seconds', {
+          userId: user?.id,
+          elapsedMs: Date.now() - startTime,
+        });
+      }, 5000);
+
+      try {
+        const superAdminStatus = await isSuperAdmin(user.id);
+        setIsSuperAdminUser(superAdminStatus);
+      } catch (error) {
+        const elapsed = Date.now() - startTime;
+        logger.error('useResourcePermissions', 'Error checking super admin status', {
+          userId: user?.id,
+          error,
+          elapsedMs: elapsed,
+        });
+        setIsSuperAdminUser(false); // Error = assume not super admin for security
+      } finally {
+        clearTimeout(timeoutId);
+        setIsCheckingSuperAdmin(false);
+        isCheckingRef.current = false;
+      }
+    };
+
+    checkSuperAdminStatus();
+  }, [user?.id, logger]);
   
   // Get selected organisation
   const { selectedOrganisation } = useOrganisations();
   
   // Get selected event (optional - wrap in try/catch)
-  let selectedEvent: { event_id: string } | null = null;
+  let selectedEvent: Event | null = null;
   try {
     const eventsContext = useEvents();
     selectedEvent = eventsContext.selectedEvent;
@@ -161,7 +229,8 @@ export function useResourcePermissions(
   const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
     selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
 
   // CRITICAL FIX: Only use resolvedScope when it's available (not during loading)
@@ -192,8 +261,9 @@ export function useResourcePermissions(
   const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
 
   // Permission checks for create, update, delete
-  // Pass null for super admin status (not checked yet - hook will check if needed)
-  // PERFORMANCE: These hooks will each check super admin separately - could be optimized in future
+  // PERFORMANCE OPTIMIZATION: Pass precomputed super admin status to avoid duplicate checks
+  // Each useCan hook would normally check super admin separately (4+ queries), but we check once here
+  // and share the result. Pass null if not checked yet (hooks will check), false/true if checked.
   // CRITICAL: useCan will wait for appId when pageId is provided (it checks needsAppIdForPageName)
   // But we must ensure permission strings are correct before calling useCan
   const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
@@ -202,7 +272,7 @@ export function useResourcePermissions(
     createPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
@@ -212,7 +282,7 @@ export function useResourcePermissions(
     updatePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
@@ -222,7 +292,7 @@ export function useResourcePermissions(
     deletePermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
@@ -233,7 +303,7 @@ export function useResourcePermissions(
     readPermission as Permission,
     pageId, // Pass resource name as pageId when appId is available to enable page permission checks
     true, // useCache
-    null, // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser, // precomputedSuperAdmin - null if checking, false/true if checked
     undefined // appName
   );
 
@@ -241,11 +311,14 @@ export function useResourcePermissions(
   // CRITICAL: When requireScope is true, we must wait for scope resolution to complete
   // so we can determine the correct permission format (page vs resource permissions)
   // This prevents using wrong permission format (delete:planning instead of delete:page.planning)
+  // Also wait for super admin check to complete to ensure accurate permission results
   const isLoading = useMemo(() => {
     // If scope resolution is required, wait for it to complete
     const waitingForScope = requireScope && scopeLoading;
-    return waitingForScope || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
-  }, [scopeLoading, requireScope, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
+    // Wait for super admin check to complete (null means still checking)
+    const waitingForSuperAdmin = isSuperAdminUser === null && isCheckingSuperAdmin;
+    return waitingForScope || waitingForSuperAdmin || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
+  }, [scopeLoading, requireScope, isSuperAdminUser, isCheckingSuperAdmin, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
 
   // Aggregate errors - prefer scope error, then any permission error
   const error = useMemo(() => {
@@ -260,45 +333,63 @@ export function useResourcePermissions(
   // Return wrapper functions that take resource name and return permission result
   // Note: The resource parameter in the function is for consistency with the API,
   // but we're checking permissions for the resource passed to the hook
-  return useMemo(() => ({
-    canCreate: (res: string) => {
-      // For now, we only check the resource passed to the hook
-      // Future enhancement could support checking different resources
-      if (res !== resource) {
-        return false;
-      }
-      return canCreateResult; // canCreateResult is already the boolean 'can' value from useCan
-    },
-    canUpdate: (res: string) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canUpdateResult; // canUpdateResult is already the boolean 'can' value from useCan
-    },
-    canDelete: (res: string) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canDeleteResult; // canDeleteResult is already the boolean 'can' value from useCan
-    },
-    canRead: (res: string) => {
-      if (!enableRead) {
-        return true; // If read checking is disabled, allow read
-      }
-      if (res !== resource) {
-        return false;
+  // CRITICAL FIX: When isSuperAdminUser is true, immediately grant all permissions without waiting
+  // for useCan results. This ensures super admins can use resource operations immediately.
+  return useMemo(() => {
+    // Helper to create a permission result that bypasses for super admins
+    const createSuperAdminAwarePermission = (result: boolean) => {
+      // CRITICAL: If super admin is confirmed, immediately grant permission
+      // Don't wait for useCan results - super admins bypass all checks
+      if (isSuperAdminUser === true) {
+        return true;
       }
-      return canReadResult; // canReadResult is already the boolean 'can' value from useCan
-    },
-    scope,
-    isLoading,
-    error
-  }), [
+      
+      // For non-super-admins or while checking, use normal permission results
+      return result;
+    };
+
+    return {
+      canCreate: (res: string) => {
+        // For now, we only check the resource passed to the hook
+        // Future enhancement could support checking different resources
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canCreateResult);
+      },
+      canUpdate: (res: string) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canUpdateResult);
+      },
+      canDelete: (res: string) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canDeleteResult);
+      },
+      canRead: (res: string) => {
+        if (!enableRead) {
+          return true; // If read checking is disabled, allow read
+        }
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canReadResult);
+      },
+      scope,
+      isLoading: isCheckingSuperAdmin || isLoading,
+      error
+    };
+  }, [
     resource,
-    canCreateResult, // This is already the boolean 'can' value
-    canUpdateResult, // This is already the boolean 'can' value
-    canDeleteResult, // This is already the boolean 'can' value
-    canReadResult, // This is already the boolean 'can' value
+    isSuperAdminUser,
+    isCheckingSuperAdmin,
+    canCreateResult,
+    canUpdateResult,
+    canDeleteResult,
+    canReadResult,
     enableRead,
     scope,
     isLoading,

package/src/rbac/hooks/useRoleManagement.test.ts

@@ -8,7 +8,7 @@
  * Tests focus on behavior: role granting, revoking, loading states, and error handling.
  */
 
-import { renderHook, waitFor } from '@testing-library/react';
+import { renderHook, waitFor, act } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { useRoleManagement } from './useRoleManagement';
 import type { SupabaseClient } from '@supabase/supabase-js';
@@ -105,7 +105,7 @@ describe('useRoleManagement Hook', () => {
   describe('revokeEventAppRole', () => {
     it('revokes role successfully', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -117,19 +117,18 @@ describe('useRoleManagement Hook', () => {
       expect(revokeResult.message).toBe('Role revoked successfully');
       expect(revokeResult.error).toBeUndefined();
       expect(result.current.error).toBeNull();
-      expect(mockSupabase.rpc).toHaveBeenCalledWith('revoke_event_app_role', {
+      expect(mockSupabase.rpc).toHaveBeenCalledWith('rbac_role_revoke', {
         p_user_id: 'user-456',
-        p_organisation_id: 'org-123',
-        p_event_id: 'event-123',
-        p_app_id: 'app-123',
-        p_role: 'viewer',
+        p_role_type: 'event_app',
+        p_role_name: 'viewer',
+        p_context_id: 'event-123:app-123',
         p_revoked_by: 'user-123',
       });
     });
 
     it('handles case when role not found', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: false,
+        data: [{ success: false, message: 'No matching role found', revoked_count: 0, error_code: 'ROLE_NOT_FOUND' }],
         error: null,
       });
 
@@ -138,13 +137,55 @@ describe('useRoleManagement Hook', () => {
       const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
 
       expect(revokeResult.success).toBe(false);
-      expect(revokeResult.message).toBe('No role found to revoke');
+      expect(revokeResult.message).toBe('No matching role found');
       expect(revokeResult.error).toBe('No matching role found');
     });
 
+    it('handles empty data response', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('No response from database - role revocation may have failed');
+    });
+
+    it('handles null data response', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('No response from database - role revocation may have failed');
+    });
+
+    it('handles result with success false but no message', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [{ success: false, message: null, revoked_count: 0, error_code: 'ROLE_NOT_FOUND' }],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('ROLE_NOT_FOUND');
+    });
+
     it('uses provided revoked_by parameter', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -156,7 +197,7 @@ describe('useRoleManagement Hook', () => {
       });
 
       expect(mockSupabase.rpc).toHaveBeenCalledWith(
-        'revoke_event_app_role',
+        'rbac_role_revoke',
         expect.objectContaining({
           p_revoked_by: 'admin-789',
         })
@@ -165,7 +206,7 @@ describe('useRoleManagement Hook', () => {
 
     it('uses user ID as revoked_by when not provided', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -174,7 +215,7 @@ describe('useRoleManagement Hook', () => {
       await result.current.revokeEventAppRole(mockRoleParams);
 
       expect(mockSupabase.rpc).toHaveBeenCalledWith(
-        'revoke_event_app_role',
+        'rbac_role_revoke',
         expect.objectContaining({
           p_revoked_by: 'user-123',
         })
@@ -262,7 +303,7 @@ describe('useRoleManagement Hook', () => {
       );
 
       resolvePromise!({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -461,14 +502,16 @@ describe('useRoleManagement Hook', () => {
 
       const { result } = renderHook(() => useRoleManagement());
 
+      // Call grantEventAppRole - loading state is set synchronously, but React state updates are async
       const grantPromise = result.current.grantEventAppRole(mockRoleParams);
 
-      // Loading state is set synchronously, but React state updates are async
+      // Wait for React to process the state update (setIsLoading(true))
+      // Increased timeout to allow React to batch and process state updates
       await waitFor(
         () => {
           expect(result.current.isLoading).toBe(true);
         },
-        { timeout: 100 }
+        { timeout: 1000 }
       );
 
       resolvePromise!({
@@ -797,9 +840,9 @@ describe('useRoleManagement Hook', () => {
         });
 
         expect(mockSupabase.rpc).toHaveBeenCalledWith(
-          'revoke_event_app_role',
+          'rbac_role_revoke',
           expect.objectContaining({
-            p_role: role,
+            p_role_name: role,
           })
         );
       }
@@ -825,7 +868,7 @@ describe('useRoleManagement Hook', () => {
 
       // Second call succeeds
       (mockSupabase.rpc as any).mockResolvedValueOnce({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -850,7 +893,7 @@ describe('useRoleManagement Hook', () => {
 
       // Second call succeeds
       (mockSupabase.rpc as any).mockResolvedValueOnce({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -864,7 +907,7 @@ describe('useRoleManagement Hook', () => {
   describe('Concurrent Operations', () => {
     it('handles concurrent role operations', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });
 
@@ -885,7 +928,7 @@ describe('useRoleManagement Hook', () => {
 
     it('handles rapid sequential operations', async () => {
       (mockSupabase.rpc as any).mockResolvedValue({
-        data: true,
+        data: [{ success: true, message: 'Role revoked successfully', revoked_count: 1 }],
         error: null,
       });