@lightdash/cli 0.1952.0 → 0.1954.0

package/dist/handlers/createProject.js

@@ -56,6 +56,8 @@ const askPermissionToStoreWarehouseCredentials = async () => {
     return savedAnswer;
 };
 const createProject = async (options) => {
+    // Check permissions before proceeding
+    await (0, apiClient_1.checkProjectCreationPermission)(options.type);
     const dbtVersion = await (0, getDbtVersion_1.getDbtVersion)();
     const absoluteProjectPath = path_1.default.resolve(options.projectDir);
     const context = await (0, context_1.getDbtContext)({ projectDir: absoluteProjectPath });

package/dist/handlers/dbt/apiClient.d.ts

@@ -1,4 +1,4 @@
-import { ApiResponse } from '@lightdash/common';
+import { ApiResponse, ProjectType, type LightdashUserWithAbilityRules } from '@lightdash/common';
 import { BodyInit } from 'node-fetch';
 type LightdashApiProps = {
     method: 'GET' | 'POST' | 'PATCH' | 'DELETE' | 'PUT';
@@ -6,5 +6,7 @@ type LightdashApiProps = {
     body: BodyInit | undefined;
 };
 export declare const lightdashApi: <T extends ApiResponse["results"]>({ method, url, body, }: LightdashApiProps) => Promise<T>;
+export declare const getUserContext: () => Promise<LightdashUserWithAbilityRules>;
+export declare const checkProjectCreationPermission: (projectType: ProjectType) => Promise<void>;
 export declare const checkLightdashVersion: () => Promise<void>;
 export {};

package/dist/handlers/dbt/apiClient.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkLightdashVersion = exports.lightdashApi = void 0;
+exports.checkLightdashVersion = exports.checkProjectCreationPermission = exports.getUserContext = exports.lightdashApi = void 0;
 const tslib_1 = require("tslib");
+const ability_1 = require("@casl/ability");
 const common_1 = require("@lightdash/common");
 const node_fetch_1 = tslib_1.__importDefault(require("node-fetch"));
 const url_1 = require("url");
@@ -45,6 +46,37 @@ const lightdashApi = async ({ method, url, body, }) => {
     });
 };
 exports.lightdashApi = lightdashApi;
+const getUserContext = async () => (0, exports.lightdashApi)({
+    method: 'GET',
+    url: `/api/v1/user`,
+    body: undefined,
+});
+exports.getUserContext = getUserContext;
+const checkProjectCreationPermission = async (projectType) => {
+    try {
+        const user = await (0, exports.getUserContext)();
+        // Build CASL ability from user's ability rules (same as backend)
+        const ability = new ability_1.Ability(user.abilityRules);
+        // Check if user has permission to create project of the specified type
+        const canCreate = ability.can('create', (0, ability_1.subject)('Project', {
+            organizationUuid: user.organizationUuid || '',
+            type: projectType,
+        }));
+        if (!canCreate) {
+            const projectTypeText = projectType === common_1.ProjectType.PREVIEW ? 'preview ' : '';
+            throw new common_1.ForbiddenError(`You don't have permission to create ${projectTypeText}projects.`);
+        }
+    }
+    catch (err) {
+        if (err instanceof common_1.ForbiddenError ||
+            err instanceof common_1.AuthorizationError) {
+            throw err;
+        }
+        globalState_1.default.debug(`Failed to check permissions: ${err}`);
+        // If we can't check permissions, we'll let the API call fail with proper error
+    }
+};
+exports.checkProjectCreationPermission = checkProjectCreationPermission;
 const checkLightdashVersion = async () => {
     try {
         const health = await (0, exports.lightdashApi)({

package/dist/index.js

@@ -363,8 +363,18 @@ ${styles.bold('Examples:')}
     .option('--no-defer', 'dbt property. Do not resolve unselected nodes by deferring to the manifest within the --state directory.', undefined)
     .action(diagnostics_1.diagnosticsHandler);
 const errorHandler = (err) => {
-    console.error(styles.error((0, common_1.getErrorMessage)(err)));
-    if (err.name === 'AuthorizationError') {
+    // Use error message with fallback for safety
+    const errorMessage = (0, common_1.getErrorMessage)(err) || 'An unexpected error occurred';
+    console.error(styles.error(errorMessage));
+    if (err.name === 'ForbiddenError' || err instanceof common_1.ForbiddenError) {
+        // For permission errors, show clear message with fallback
+        const permissionMessage = err.message || "You don't have permission to perform this action";
+        if (permissionMessage !== errorMessage) {
+            console.error(styles.error(permissionMessage));
+        }
+        console.error(`\n💡 Contact your Lightdash administrator to request project creation access or if you believe this is incorrect.\n`);
+    }
+    else if (err.name === 'AuthorizationError') {
         console.error(`Looks like you did not authenticate or the personal access token expired.\n\n👀 See https://docs.lightdash.com/guides/cli/cli-authentication for help and examples`);
     }
     else if (!(err instanceof common_1.LightdashError)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lightdash/cli",
-  "version": "0.1952.0",
+  "version": "0.1954.0",
   "license": "MIT",
   "bin": {
     "lightdash": "dist/index.js"
@@ -11,6 +11,7 @@
   ],
   "dependencies": {
     "@actions/core": "^1.11.1",
+    "@casl/ability": "^5.4.3",
     "@types/columnify": "^1.5.1",
     "ajv": "^8.11.0",
     "ajv-formats": "^2.1.1",
@@ -31,8 +32,8 @@
     "parse-node-version": "^2.0.0",
     "unique-names-generator": "^4.7.1",
     "uuid": "^11.0.3",
-    "@lightdash/common": "0.1952.0",
-    "@lightdash/warehouses": "0.1952.0"
+    "@lightdash/warehouses": "0.1954.0",
+    "@lightdash/common": "0.1954.0"
   },
   "description": "Lightdash CLI tool",
   "devDependencies": {