@kyro-cms/core 0.9.4 → 0.9.6

package/dist/{chunk-IPTZM3VE.js → chunk-VLK5SJRI.js}

@@ -3,7 +3,7 @@ import { usersCollection } from './chunk-XEB7PH2E.js';
 import { SQLiteAuthAdapter } from './chunk-Q72BOAPK.js';
 import { createAuditContext } from './chunk-P2YW545G.js';
 import { WEBHOOK_EVENTS } from './chunk-3UK5XBVJ.js';
-import { API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, evaluateAccess, hasApiKeyPermission, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-CJONKRHJ.js';
+import { API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, checkCollectionAccess, checkGlobalAccess, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-NZEUU7QB.js';
 import { genId, DrizzleAdapter } from './chunk-V7KZQIZ6.js';
 import { PostgresAuthAdapter } from './chunk-CJX74IYK.js';
 import { MongoDBAdapter } from './chunk-PQ72Z6WC.js';
@@ -3535,105 +3535,27 @@ function buildConflictResponse(expectedUpdatedAt, currentDoc) {
     }
   };
 }
-async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "none") {
-  const accessRule = collection.access?.[operation];
-  const accessLevels = {
-    none: false,
-    read: operation === "read",
-    create: operation === "read" || operation === "create",
-    update: operation === "read" || operation === "create" || operation === "update",
-    delete: operation === "read" || operation === "create" || operation === "update" || operation === "delete",
-    admin: true
-  };
-  const isDefaultAllowed = accessLevels[defaultCollectionAccess] || false;
-  if (accessRule) {
-    const allowed = await evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const allowed = enablePublicAccess && isDefaultAllowed;
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  if (apiKeyContext?.permissions?.length > 0) {
-    const resource = collection.slug;
-    const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
-    const permission = `${resource}:${action}`;
-    if (!hasApiKeyPermission(apiKeyContext.permissions, permission) && !hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
-      return {
-        allowed: false,
-        error: `Missing permission: ${permission}`,
-        status: 403
-      };
-    }
-  }
-  if (ctxUser && !(apiKeyContext?.permissions?.length > 0)) {
-    const resource = collection.slug;
-    const action = operation === "read" ? "read" : operation === "create" ? "create" : operation === "update" ? "update" : "delete";
-    const permission = `${resource}:${action}`;
-    let rbacAllowed = false;
-    if (ctxUser.role) {
-      const userHasPermission = hasPermission(
-        { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
-        permission
-      );
-      if (userHasPermission) {
-        rbacAllowed = true;
-      } else {
-        const adminPermission = hasPermission(
-          { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
-          `${resource}:admin`
-        );
-        if (adminPermission) rbacAllowed = true;
-      }
-    }
-    if (!rbacAllowed && !isDefaultAllowed && !accessRule) {
-      return {
-        allowed: false,
-        error: `Missing RBAC permission: ${permission}`,
-        status: 403
-      };
-    }
-  }
-  return { allowed: true };
+async function checkCollectionAccess2(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "none") {
+  const result = await checkCollectionAccess(collection, operation, {
+    user: ctxUser,
+    req,
+    tenantID: ctxTenantID,
+    apiKey: apiKeyContext
+  }, {
+    enablePublicAccess,
+    defaultAccess: defaultCollectionAccess
+  });
+  return result;
 }
-async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
-  const accessRule = global.access?.[operation];
-  if (accessRule) {
-    const allowed = await evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const accessLevels = {
-      none: false,
-      read: operation === "read",
-      update: operation === "read" || operation === "update"
-    };
-    const allowed = enablePublicAccess && accessLevels[operation === "read" ? "read" : "admin"];
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  return { allowed: true };
+async function checkGlobalAccess2(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
+  const result = await checkGlobalAccess(global, operation, {
+    user: ctxUser,
+    req,
+    tenantID: ctxTenantID
+  }, {
+    enablePublicAccess
+  });
+  return result;
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
   if (staticUser) {
@@ -3805,7 +3727,7 @@ function createHonoApp(options) {
       const globals = {};
       for (const col of registry.getCollections()) {
         const permissions = {
-          read: (await checkCollectionAccess(
+          read: (await checkCollectionAccess2(
             col,
             "read",
             c.req.raw,
@@ -3815,7 +3737,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          create: (await checkCollectionAccess(
+          create: (await checkCollectionAccess2(
             col,
             "create",
             c.req.raw,
@@ -3825,7 +3747,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          update: (await checkCollectionAccess(
+          update: (await checkCollectionAccess2(
             col,
             "update",
             c.req.raw,
@@ -3835,7 +3757,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          delete: (await checkCollectionAccess(
+          delete: (await checkCollectionAccess2(
             col,
             "delete",
             c.req.raw,
@@ -3850,7 +3772,7 @@ function createHonoApp(options) {
       }
       for (const globalConfig of registry.getGlobals()) {
         const permissions = {
-          read: (await checkGlobalAccess(
+          read: (await checkGlobalAccess2(
             globalConfig,
             "read",
             c.req.raw,
@@ -3858,7 +3780,7 @@ function createHonoApp(options) {
             ctxTenantID,
             enablePublicAccess
           )).allowed,
-          update: (await checkGlobalAccess(
+          update: (await checkGlobalAccess2(
             globalConfig,
             "update",
             c.req.raw,
@@ -3889,7 +3811,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "read",
         c.req.raw,
@@ -3953,7 +3875,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "create",
         c.req.raw,
@@ -4007,7 +3929,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "update",
         c.req.raw,
@@ -4076,7 +3998,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "delete",
         c.req.raw,
@@ -4125,7 +4047,7 @@ function createHonoApp(options) {
       );
       const auditLogsCollection = registry.getCollection("audit_logs");
       if (auditLogsCollection) {
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           auditLogsCollection,
           "read",
           c.req.raw,
@@ -4800,7 +4722,7 @@ function createHonoApp(options) {
       );
       for (const collection of registry.getCollections()) {
         if (!targetCollections.includes(collection.slug)) continue;
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5159,7 +5081,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5207,7 +5129,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5261,7 +5183,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5321,7 +5243,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5356,7 +5278,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5406,7 +5328,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "create",
           c.req.raw,
@@ -5530,7 +5452,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5695,7 +5617,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "delete",
           c.req.raw,
@@ -5785,7 +5707,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "create",
           c.req.raw,
@@ -5833,7 +5755,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5877,7 +5799,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5924,7 +5846,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -6009,7 +5931,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -6059,7 +5981,7 @@ function createHonoApp(options) {
     app.get(basePath, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
+        const access = await checkGlobalAccess2(
           globalConfig,
           "read",
           c.req.raw,
@@ -6103,7 +6025,7 @@ function createHonoApp(options) {
     const upsertGlobal = async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
+        const access = await checkGlobalAccess2(
           globalConfig,
           "update",
           c.req.raw,
@@ -6238,7 +6160,7 @@ function createHonoApp(options) {
     app.post(`${basePath}/publish`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const collectionSlug = `_globals_${slug}`;
         const originalDoc = await db.findOne({
@@ -6288,7 +6210,7 @@ function createHonoApp(options) {
     app.post(`${basePath}/unpublish`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const doc = await db.update({
           collection: `_globals_${slug}`,
@@ -6304,7 +6226,7 @@ function createHonoApp(options) {
     app.get(`${basePath}/versions`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const limit = parseInt(c.req.query("limit") || "10");
         const page = parseInt(c.req.query("page") || "1");
@@ -6324,7 +6246,7 @@ function createHonoApp(options) {
       try {
         const versionId = c.req.param("versionId");
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const version = await db.findVersionByID({
           collection: `_globals_${slug}`,
@@ -6341,7 +6263,7 @@ function createHonoApp(options) {
       try {
         const versionId = c.req.param("versionId");
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const collectionSlug = `_globals_${slug}`;
         const version = await db.findVersionByID({
@@ -6369,7 +6291,7 @@ function createHonoApp(options) {
       app.post(`${basePath}/test`, async (c) => {
         try {
           const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-          const access = await checkGlobalAccess(
+          const access = await checkGlobalAccess2(
             globalConfig,
             "update",
             c.req.raw,
@@ -6462,5 +6384,5 @@ function createRESTAPI(registry, db, options) {
 }
 
 export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createCloudinaryStorage, createFtpStorage, createHonoApp, createLocalStorage, createRESTAPI, createS3Storage, getAppSecret, getDefaultRegistry, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
-//# sourceMappingURL=chunk-IPTZM3VE.js.map
-//# sourceMappingURL=chunk-IPTZM3VE.js.map
+//# sourceMappingURL=chunk-VLK5SJRI.js.map
+//# sourceMappingURL=chunk-VLK5SJRI.js.map