@lightdash/common 0.1930.3 → 0.1932.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/dist/cjs/authorization/parseScopes.d.ts +8 -0
  2. package/dist/cjs/authorization/parseScopes.d.ts.map +1 -0
  3. package/dist/cjs/authorization/parseScopes.js +27 -0
  4. package/dist/cjs/authorization/parseScopes.js.map +1 -0
  5. package/dist/cjs/authorization/parseScopes.test.d.ts +2 -0
  6. package/dist/cjs/authorization/parseScopes.test.d.ts.map +1 -0
  7. package/dist/cjs/authorization/parseScopes.test.js +109 -0
  8. package/dist/cjs/authorization/parseScopes.test.js.map +1 -0
  9. package/dist/cjs/authorization/scopeAbilityBuilder.d.ts +23 -0
  10. package/dist/cjs/authorization/scopeAbilityBuilder.d.ts.map +1 -0
  11. package/dist/cjs/authorization/scopeAbilityBuilder.js +58 -0
  12. package/dist/cjs/authorization/scopeAbilityBuilder.js.map +1 -0
  13. package/dist/cjs/authorization/scopeAbilityBuilder.test.d.ts +2 -0
  14. package/dist/cjs/authorization/scopeAbilityBuilder.test.d.ts.map +1 -0
  15. package/dist/cjs/authorization/scopeAbilityBuilder.test.js +955 -0
  16. package/dist/cjs/authorization/scopeAbilityBuilder.test.js.map +1 -0
  17. package/dist/cjs/authorization/scopes.d.ts +8 -0
  18. package/dist/cjs/authorization/scopes.d.ts.map +1 -0
  19. package/dist/cjs/authorization/scopes.js +633 -0
  20. package/dist/cjs/authorization/scopes.js.map +1 -0
  21. package/dist/cjs/types/scopes.d.ts +30 -3
  22. package/dist/cjs/types/scopes.d.ts.map +1 -1
  23. package/dist/cjs/types/scopes.js.map +1 -1
  24. package/dist/cjs/types/search.d.ts +1 -0
  25. package/dist/cjs/types/search.d.ts.map +1 -1
  26. package/dist/cjs/types/search.js.map +1 -1
  27. package/dist/esm/authorization/parseScopes.d.ts +8 -0
  28. package/dist/esm/authorization/parseScopes.d.ts.map +1 -0
  29. package/dist/esm/authorization/parseScopes.js +22 -0
  30. package/dist/esm/authorization/parseScopes.js.map +1 -0
  31. package/dist/esm/authorization/parseScopes.test.d.ts +2 -0
  32. package/dist/esm/authorization/parseScopes.test.d.ts.map +1 -0
  33. package/dist/esm/authorization/parseScopes.test.js +107 -0
  34. package/dist/esm/authorization/parseScopes.test.js.map +1 -0
  35. package/dist/esm/authorization/scopeAbilityBuilder.d.ts +23 -0
  36. package/dist/esm/authorization/scopeAbilityBuilder.d.ts.map +1 -0
  37. package/dist/esm/authorization/scopeAbilityBuilder.js +54 -0
  38. package/dist/esm/authorization/scopeAbilityBuilder.js.map +1 -0
  39. package/dist/esm/authorization/scopeAbilityBuilder.test.d.ts +2 -0
  40. package/dist/esm/authorization/scopeAbilityBuilder.test.d.ts.map +1 -0
  41. package/dist/esm/authorization/scopeAbilityBuilder.test.js +953 -0
  42. package/dist/esm/authorization/scopeAbilityBuilder.test.js.map +1 -0
  43. package/dist/esm/authorization/scopes.d.ts +8 -0
  44. package/dist/esm/authorization/scopes.d.ts.map +1 -0
  45. package/dist/esm/authorization/scopes.js +628 -0
  46. package/dist/esm/authorization/scopes.js.map +1 -0
  47. package/dist/esm/types/scopes.d.ts +30 -3
  48. package/dist/esm/types/scopes.d.ts.map +1 -1
  49. package/dist/esm/types/scopes.js.map +1 -1
  50. package/dist/esm/types/search.d.ts +1 -0
  51. package/dist/esm/types/search.d.ts.map +1 -1
  52. package/dist/esm/types/search.js.map +1 -1
  53. package/dist/tsconfig.types.tsbuildinfo +1 -1
  54. package/dist/types/authorization/parseScopes.d.ts +8 -0
  55. package/dist/types/authorization/parseScopes.d.ts.map +1 -0
  56. package/dist/types/authorization/parseScopes.test.d.ts +2 -0
  57. package/dist/types/authorization/parseScopes.test.d.ts.map +1 -0
  58. package/dist/types/authorization/scopeAbilityBuilder.d.ts +23 -0
  59. package/dist/types/authorization/scopeAbilityBuilder.d.ts.map +1 -0
  60. package/dist/types/authorization/scopeAbilityBuilder.test.d.ts +2 -0
  61. package/dist/types/authorization/scopeAbilityBuilder.test.d.ts.map +1 -0
  62. package/dist/types/authorization/scopes.d.ts +8 -0
  63. package/dist/types/authorization/scopes.d.ts.map +1 -0
  64. package/dist/types/types/scopes.d.ts +30 -3
  65. package/dist/types/types/scopes.d.ts.map +1 -1
  66. package/dist/types/types/search.d.ts +1 -0
  67. package/dist/types/types/search.d.ts.map +1 -1
  68. package/package.json +1 -1
  69. package/dist/cjs/authorization/scopes/index.d.ts +0 -5
  70. package/dist/cjs/authorization/scopes/index.d.ts.map +0 -1
  71. package/dist/cjs/authorization/scopes/index.js +0 -372
  72. package/dist/cjs/authorization/scopes/index.js.map +0 -1
  73. package/dist/esm/authorization/scopes/index.d.ts +0 -5
  74. package/dist/esm/authorization/scopes/index.d.ts.map +0 -1
  75. package/dist/esm/authorization/scopes/index.js +0 -368
  76. package/dist/esm/authorization/scopes/index.js.map +0 -1
  77. package/dist/types/authorization/scopes/index.d.ts +0 -5
  78. package/dist/types/authorization/scopes/index.d.ts.map +0 -1
package/dist/esm/authorization/scopeAbilityBuilder.test.js ADDED
@@ -0,0 +1,953 @@
1
+ import { subject } from '@casl/ability';
2
+ import { ProjectType } from '../types/projects';
3
+ import { SpaceMemberRole } from '../types/space';
4
+ import { buildAbilityFromScopes } from './scopeAbilityBuilder';
5
+ describe('scopeAbilityBuilder', () => {
6
+ describe('buildAbilityFromScopes', () => {
7
+ const baseContext = {
8
+ organizationUuid: 'org-123',
9
+ isEnterprise: false,
10
+ organizationRole: 'admin',
11
+ projectUuid: 'project-123',
12
+ scopes: [],
13
+ };
14
+ it('should build ability with organization view permissions', () => {
15
+ const ability = buildAbilityFromScopes({
16
+ ...baseContext,
17
+ scopes: ['view:organization'],
18
+ });
19
+ expect(ability.can('view', subject('Organization', {
20
+ organizationUuid: 'org-123',
21
+ projectUuid: 'project-123',
22
+ }))).toBe(true);
23
+ expect(ability.can('view', subject('Organization', {
24
+ organizationUuid: 'different-org',
25
+ projectUuid: 'project-123',
26
+ }))).toBe(false);
27
+ });
28
+ it('should build ability with dashboard view permissions', () => {
29
+ const ability = buildAbilityFromScopes({
30
+ ...baseContext,
31
+ scopes: ['view:dashboard'],
32
+ });
33
+ // Should be able to view public dashboards
34
+ expect(ability.can('view', subject('Dashboard', {
35
+ organizationUuid: 'org-123',
36
+ projectUuid: 'project-123',
37
+ isPrivate: false,
38
+ }))).toBe(true);
39
+ // Should not be able to view private dashboards without user context
40
+ expect(ability.can('view', subject('Dashboard', {
41
+ organizationUuid: 'org-123',
42
+ projectUuid: 'project-123',
43
+ isPrivate: true,
44
+ }))).toBe(false);
45
+ });
46
+ it('should build ability with dashboard permissions for user with space access', () => {
47
+ const contextWithUser = {
48
+ ...baseContext,
49
+ userUuid: 'user-456',
50
+ };
51
+ const ability = buildAbilityFromScopes({
52
+ ...contextWithUser,
53
+ scopes: ['view:dashboard'],
54
+ });
55
+ // Can view dashboards with user access
56
+ expect(ability.can('view', subject('Dashboard', {
57
+ organizationUuid: 'org-123',
58
+ projectUuid: 'project-123',
59
+ access: [{ userUuid: 'user-456' }],
60
+ }))).toBe(true);
61
+ });
62
+ it('should build ability with project-scoped permissions', () => {
63
+ const projectContext = {
64
+ ...baseContext,
65
+ projectUuid: 'project-789',
66
+ };
67
+ const ability = buildAbilityFromScopes({
68
+ ...projectContext,
69
+ scopes: ['view:project'],
70
+ });
71
+ expect(ability.can('view', subject('Project', {
72
+ organizationUuid: 'org-123',
73
+ projectUuid: 'project-789',
74
+ }))).toBe(true);
75
+ });
76
+ it('should build ability with project creation permissions and type restrictions', () => {
77
+ const ability = buildAbilityFromScopes({
78
+ ...baseContext,
79
+ scopes: ['create:project'],
80
+ });
81
+ // Can create preview projects
82
+ expect(ability.can('create', subject('Project', {
83
+ organizationUuid: 'org-123',
84
+ type: ProjectType.PREVIEW,
85
+ }))).toBe(true);
86
+ // Cannot create default projects with basic scope
87
+ expect(ability.can('create', subject('Project', {
88
+ organizationUuid: 'org-123',
89
+ type: ProjectType.DEFAULT,
90
+ }))).toBe(false);
91
+ });
92
+ it('should build ability with editor permissions for dashboards', () => {
93
+ const editorContext = {
94
+ ...baseContext,
95
+ userUuid: 'user-456',
96
+ };
97
+ const ability = buildAbilityFromScopes({
98
+ ...editorContext,
99
+ scopes: ['manage:dashboard'],
100
+ });
101
+ // Can manage dashboards where user is editor
102
+ expect(ability.can('manage', subject('Dashboard', {
103
+ organizationUuid: 'org-123',
104
+ access: [
105
+ {
106
+ userUuid: 'user-456',
107
+ role: SpaceMemberRole.EDITOR,
108
+ },
109
+ ],
110
+ }))).toBe(true);
111
+ });
112
+ it('should build ability with admin permissions for spaces', () => {
113
+ const adminContext = {
114
+ ...baseContext,
115
+ userUuid: 'user-456',
116
+ };
117
+ const ability = buildAbilityFromScopes({
118
+ ...adminContext,
119
+ scopes: ['manage:space'],
120
+ });
121
+ // Can manage spaces where user is admin
122
+ expect(ability.can('manage', subject('Space', {
123
+ organizationUuid: 'org-123',
124
+ access: [
125
+ {
126
+ userUuid: 'user-456',
127
+ role: SpaceMemberRole.ADMIN,
128
+ },
129
+ ],
130
+ }))).toBe(true);
131
+ });
132
+ it('should build ability with user-specific job status permissions', () => {
133
+ const userContext = {
134
+ ...baseContext,
135
+ userUuid: 'user-456',
136
+ };
137
+ const ability = buildAbilityFromScopes({
138
+ ...userContext,
139
+ scopes: ['view:job_status'],
140
+ });
141
+ // Can view job status created by the user
142
+ expect(ability.can('view', subject('JobStatus', {
143
+ createdByUserUuid: 'user-456',
144
+ }))).toBe(true);
145
+ // Cannot view job status created by another user
146
+ expect(ability.can('view', subject('JobStatus', {
147
+ createdByUserUuid: 'other-user',
148
+ }))).toBe(false);
149
+ });
150
+ it('should build ability with AI agent thread permissions for enterprise users', () => {
151
+ const userContext = {
152
+ ...baseContext,
153
+ userUuid: 'user-456',
154
+ isEnterprise: true,
155
+ };
156
+ const ability = buildAbilityFromScopes({
157
+ ...userContext,
158
+ scopes: ['manage:ai_agent_thread'],
159
+ });
160
+ // Can manage user's own AI agent threads
161
+ expect(ability.can('manage', subject('AiAgentThread', {
162
+ organizationUuid: 'org-123',
163
+ userUuid: 'user-456',
164
+ }))).toBe(true);
165
+ // Cannot manage another user's threads
166
+ expect(ability.can('manage', subject('AiAgentThread', {
167
+ organizationUuid: 'org-123',
168
+ userUuid: 'other-user',
169
+ }))).toBe(false);
170
+ });
171
+ it('should build ability with basic permissions for scopes without custom logic', () => {
172
+ // These scopes don't have custom applyConditions
173
+ const ability = buildAbilityFromScopes({
174
+ ...baseContext,
175
+ scopes: ['view:analytics', 'manage:tags'],
176
+ });
177
+ expect(ability.can('view', subject('Analytics', {
178
+ organizationUuid: 'org-123',
179
+ projectUuid: 'project-123',
180
+ }))).toBe(true);
181
+ expect(ability.can('manage', subject('Tags', {
182
+ organizationUuid: 'org-123',
183
+ projectUuid: 'project-123',
184
+ }))).toBe(true);
185
+ });
186
+ it('should handle unknown scopes gracefully', () => {
187
+ const ability = buildAbilityFromScopes(baseContext);
188
+ // Unknown scope should not add any abilities
189
+ expect(ability.rules.length).toBe(0);
190
+ });
191
+ it('should handle enterprise scopes when not enterprise', () => {
192
+ const nonEnterpriseContext = {
193
+ ...baseContext,
194
+ isEnterprise: false,
195
+ };
196
+ const ability = buildAbilityFromScopes(nonEnterpriseContext);
197
+ // Enterprise scope should not add abilities in non-enterprise context
198
+ expect(ability.rules.length).toBe(0);
199
+ });
200
+ it('should build a complete ability from multiple scopes', () => {
201
+ const context = {
202
+ organizationUuid: 'org-123',
203
+ userUuid: 'user-456',
204
+ projectUuid: 'project-789',
205
+ isEnterprise: false,
206
+ organizationRole: 'admin',
207
+ scopes: [
208
+ 'view:dashboard',
209
+ 'manage:saved_chart',
210
+ 'view:project',
211
+ ],
212
+ };
213
+ const ability = buildAbilityFromScopes(context);
214
+ // Check that all abilities were applied
215
+ expect(ability.can('view', subject('Dashboard', {
216
+ organizationUuid: 'org-123',
217
+ projectUuid: 'project-789',
218
+ isPrivate: false,
219
+ }))).toBe(true);
220
+ // Should be able to manage saved charts with proper access
221
+ expect(ability.can('manage', subject('SavedChart', {
222
+ organizationUuid: 'org-123',
223
+ access: [
224
+ {
225
+ userUuid: 'user-456',
226
+ role: SpaceMemberRole.EDITOR,
227
+ },
228
+ ],
229
+ }))).toBe(true);
230
+ expect(ability.can('view', subject('Project', {
231
+ organizationUuid: 'org-123',
232
+ projectUuid: 'project-789',
233
+ }))).toBe(true);
234
+ });
235
+ describe('scope dependency checks', () => {
236
+ it('should apply organization-level permissions when manage:organization scope is present', () => {
237
+ const contextWithOrgManage = {
238
+ ...baseContext,
239
+ userUuid: 'user-456',
240
+ scopes: ['manage:organization', 'manage:saved_chart'],
241
+ };
242
+ const ability = buildAbilityFromScopes(contextWithOrgManage);
243
+ // Should have organization-wide permissions for saved charts
244
+ expect(ability.can('manage', subject('SavedChart', {
245
+ organizationUuid: 'org-123',
246
+ projectUuid: 'project-123',
247
+ }))).toBe(true);
248
+ // Should not require user access restrictions
249
+ expect(ability.can('manage', subject('SavedChart', {
250
+ organizationUuid: 'org-123',
251
+ projectUuid: 'project-123',
252
+ access: [{ userUuid: 'other-user' }],
253
+ }))).toBe(true);
254
+ });
255
+ it('should apply user-restricted permissions when manage:organization scope is not present', () => {
256
+ const contextWithoutOrgManage = {
257
+ ...baseContext,
258
+ userUuid: 'user-456',
259
+ scopes: ['manage:saved_chart'],
260
+ };
261
+ const ability = buildAbilityFromScopes(contextWithoutOrgManage);
262
+ // Should require user access restrictions
263
+ expect(ability.can('manage', subject('SavedChart', {
264
+ organizationUuid: 'org-123',
265
+ projectUuid: 'project-123',
266
+ access: [
267
+ {
268
+ userUuid: 'user-456',
269
+ role: SpaceMemberRole.EDITOR,
270
+ },
271
+ ],
272
+ }))).toBe(true);
273
+ // Should not allow access to other users' charts
274
+ expect(ability.can('manage', subject('SavedChart', {
275
+ organizationUuid: 'org-123',
276
+ projectUuid: 'project-123',
277
+ access: [{ userUuid: 'other-user' }],
278
+ }))).toBe(false);
279
+ });
280
+ it('should handle space management with different scope combinations', () => {
281
+ const contextWithProjectManage = {
282
+ ...baseContext,
283
+ userUuid: 'user-456',
284
+ scopes: ['manage:project', 'manage:space'],
285
+ };
286
+ const ability = buildAbilityFromScopes(contextWithProjectManage);
287
+ // Should allow managing public spaces when user has project management
288
+ expect(ability.can('manage', subject('Space', {
289
+ organizationUuid: 'org-123',
290
+ projectUuid: 'project-123',
291
+ isPrivate: false,
292
+ }))).toBe(true);
293
+ // Should still allow managing spaces where user is admin
294
+ expect(ability.can('manage', subject('Space', {
295
+ organizationUuid: 'org-123',
296
+ projectUuid: 'project-123',
297
+ access: [
298
+ {
299
+ userUuid: 'user-456',
300
+ role: SpaceMemberRole.ADMIN,
301
+ },
302
+ ],
303
+ }))).toBe(true);
304
+ });
305
+ it('should handle promotion permissions based on organization scope', () => {
306
+ const contextWithOrgManage = {
307
+ ...baseContext,
308
+ userUuid: 'user-456',
309
+ scopes: ['manage:organization', 'promote:dashboard'],
310
+ };
311
+ const contextWithoutOrgManage = {
312
+ ...baseContext,
313
+ userUuid: 'user-456',
314
+ scopes: ['promote:dashboard'],
315
+ };
316
+ // Test dashboard promotion with organization management
317
+ const abilityWithOrg = buildAbilityFromScopes(contextWithOrgManage);
318
+ expect(abilityWithOrg.can('promote', subject('Dashboard', {
319
+ organizationUuid: 'org-123',
320
+ projectUuid: 'project-123',
321
+ }))).toBe(true);
322
+ // Test dashboard promotion without organization management
323
+ const abilityWithoutOrg = buildAbilityFromScopes(contextWithoutOrgManage);
324
+ expect(abilityWithoutOrg.can('promote', subject('Dashboard', {
325
+ organizationUuid: 'org-123',
326
+ projectUuid: 'project-123',
327
+ access: [
328
+ {
329
+ userUuid: 'user-456',
330
+ role: SpaceMemberRole.EDITOR,
331
+ },
332
+ ],
333
+ }))).toBe(true);
334
+ // Should not allow promotion without proper access
335
+ expect(abilityWithoutOrg.can('promote', subject('Dashboard', {
336
+ organizationUuid: 'org-123',
337
+ projectUuid: 'project-123',
338
+ access: [{ userUuid: 'other-user' }],
339
+ }))).toBe(false);
340
+ });
341
+ });
342
+ describe('edge cases and error handling', () => {
343
+ it('should handle empty scope array', () => {
344
+ const ability = buildAbilityFromScopes(baseContext);
345
+ expect(ability.rules.length).toBe(0);
346
+ });
347
+ it('should handle undefined userUuid in context', () => {
348
+ const contextWithoutUser = {
349
+ ...baseContext,
350
+ userUuid: undefined,
351
+ };
352
+ const ability = buildAbilityFromScopes({
353
+ ...contextWithoutUser,
354
+ scopes: ['view:dashboard'],
355
+ });
356
+ // Should only allow viewing public dashboards
357
+ expect(ability.can('view', subject('Dashboard', {
358
+ organizationUuid: 'org-123',
359
+ projectUuid: 'project-123',
360
+ isPrivate: false,
361
+ }))).toBe(true);
362
+ expect(ability.can('view', subject('Dashboard', {
363
+ organizationUuid: 'org-123',
364
+ projectUuid: 'project-123',
365
+ isPrivate: true,
366
+ }))).toBe(false);
367
+ });
368
+ it('should handle missing projectUuid in context', () => {
369
+ const contextWithoutProject = {
370
+ ...baseContext,
371
+ projectUuid: '',
372
+ };
373
+ const ability = buildAbilityFromScopes({
374
+ ...contextWithoutProject,
375
+ scopes: ['view:dashboard'],
376
+ });
377
+ // Should work with public dashboards without project restriction
378
+ expect(ability.can('view', subject('Dashboard', {
379
+ organizationUuid: 'org-123',
380
+ isPrivate: false,
381
+ }))).toBe(true);
382
+ });
383
+ it('should handle mixed valid and invalid scopes', () => {
384
+ // Should throw error for invalid scopes
385
+ expect(() => {
386
+ buildAbilityFromScopes({
387
+ ...baseContext,
388
+ scopes: [
389
+ 'view:dashboard',
390
+ 'view:project',
391
+ 'invalid:scope',
392
+ ],
393
+ });
394
+ }).toThrow('Invalid scope: invalid:Scope. Please check the scope name and try again.');
395
+ // Should work with only valid scopes
396
+ const ability = buildAbilityFromScopes({
397
+ ...baseContext,
398
+ scopes: ['view:dashboard', 'view:project'],
399
+ });
400
+ // Should apply valid scopes
401
+ expect(ability.can('view', subject('Dashboard', {
402
+ organizationUuid: 'org-123',
403
+ projectUuid: 'project-123',
404
+ isPrivate: false,
405
+ }))).toBe(true);
406
+ expect(ability.can('view', subject('Project', {
407
+ organizationUuid: 'org-123',
408
+ projectUuid: 'project-123',
409
+ }))).toBe(true);
410
+ // Should have rules from valid scopes
411
+ expect(ability.rules.length).toBeGreaterThan(0);
412
+ });
413
+ });
414
+ describe('cross-boundary access tests', () => {
415
+ it('should not allow access to resources from different organizations', () => {
416
+ const ability = buildAbilityFromScopes({
417
+ ...baseContext,
418
+ scopes: [
419
+ 'view:dashboard',
420
+ 'manage:saved_chart',
421
+ 'view:space',
422
+ ],
423
+ });
424
+ // Should not access dashboard from different org
425
+ expect(ability.can('view', subject('Dashboard', {
426
+ organizationUuid: 'different-org',
427
+ isPrivate: false,
428
+ }))).toBe(false);
429
+ // Should not manage saved chart from different org
430
+ expect(ability.can('manage', subject('SavedChart', {
431
+ organizationUuid: 'different-org',
432
+ }))).toBe(false);
433
+ // Should not view space from different org
434
+ expect(ability.can('view', subject('Space', {
435
+ organizationUuid: 'different-org',
436
+ isPrivate: false,
437
+ }))).toBe(false);
438
+ });
439
+ it('should not allow access to resources from different projects', () => {
440
+ const ability = buildAbilityFromScopes({
441
+ ...baseContext,
442
+ scopes: ['view:saved_chart'],
443
+ });
444
+ // Should not access saved chart from different project
445
+ expect(ability.can('view', subject('SavedChart', {
446
+ organizationUuid: 'org-123',
447
+ projectUuid: 'different-project',
448
+ isPrivate: false,
449
+ }))).toBe(false);
450
+ });
451
+ });
452
+ describe('private resource access with space roles', () => {
453
+ it('should handle viewer role access to private resources', () => {
454
+ const contextWithUser = {
455
+ ...baseContext,
456
+ userUuid: 'user-456',
457
+ };
458
+ const ability = buildAbilityFromScopes({
459
+ ...contextWithUser,
460
+ scopes: ['view:dashboard'],
461
+ });
462
+ // Can view private dashboard with viewer access
463
+ expect(ability.can('view', subject('Dashboard', {
464
+ organizationUuid: 'org-123',
465
+ isPrivate: true,
466
+ access: [
467
+ {
468
+ userUuid: 'user-456',
469
+ role: SpaceMemberRole.VIEWER,
470
+ },
471
+ ],
472
+ }))).toBe(true);
473
+ // Cannot view private dashboard without access
474
+ expect(ability.can('view', subject('Dashboard', {
475
+ organizationUuid: 'org-123',
476
+ isPrivate: true,
477
+ access: [],
478
+ }))).toBe(false);
479
+ // Cannot view private dashboard with access for another user
480
+ expect(ability.can('view', subject('Dashboard', {
481
+ organizationUuid: 'org-123',
482
+ isPrivate: true,
483
+ access: [
484
+ {
485
+ userUuid: 'other-user',
486
+ role: SpaceMemberRole.VIEWER,
487
+ },
488
+ ],
489
+ }))).toBe(false);
490
+ });
491
+ it('should handle editor role for managing resources', () => {
492
+ const contextWithUser = {
493
+ ...baseContext,
494
+ userUuid: 'user-456',
495
+ };
496
+ const ability = buildAbilityFromScopes({
497
+ ...contextWithUser,
498
+ scopes: ['manage:dashboard'],
499
+ });
500
+ // Can manage dashboard with editor role
501
+ expect(ability.can('manage', subject('Dashboard', {
502
+ organizationUuid: 'org-123',
503
+ access: [
504
+ {
505
+ userUuid: 'user-456',
506
+ role: SpaceMemberRole.EDITOR,
507
+ },
508
+ ],
509
+ }))).toBe(true);
510
+ // Can manage dashboard with admin role
511
+ expect(ability.can('manage', subject('Dashboard', {
512
+ organizationUuid: 'org-123',
513
+ access: [
514
+ {
515
+ userUuid: 'user-456',
516
+ role: SpaceMemberRole.ADMIN,
517
+ },
518
+ ],
519
+ }))).toBe(true);
520
+ // Cannot manage dashboard with viewer role
521
+ expect(ability.can('manage', subject('Dashboard', {
522
+ organizationUuid: 'org-123',
523
+ access: [
524
+ {
525
+ userUuid: 'user-456',
526
+ role: SpaceMemberRole.VIEWER,
527
+ },
528
+ ],
529
+ }))).toBe(false);
530
+ // Cannot manage dashboard without access
531
+ expect(ability.can('manage', subject('Dashboard', {
532
+ organizationUuid: 'org-123',
533
+ access: [],
534
+ }))).toBe(false);
535
+ });
536
+ it('should handle space admin role for managing spaces', () => {
537
+ const contextWithUser = {
538
+ ...baseContext,
539
+ userUuid: 'user-456',
540
+ };
541
+ const ability = buildAbilityFromScopes({
542
+ ...contextWithUser,
543
+ scopes: ['manage:space'],
544
+ });
545
+ // Can manage space with admin role
546
+ expect(ability.can('manage', subject('Space', {
547
+ organizationUuid: 'org-123',
548
+ access: [
549
+ {
550
+ userUuid: 'user-456',
551
+ role: SpaceMemberRole.ADMIN,
552
+ },
553
+ ],
554
+ }))).toBe(true);
555
+ // Cannot manage space with editor role
556
+ expect(ability.can('manage', subject('Space', {
557
+ organizationUuid: 'org-123',
558
+ isPrivate: true,
559
+ access: [
560
+ {
561
+ userUuid: 'user-456',
562
+ role: SpaceMemberRole.EDITOR,
563
+ },
564
+ ],
565
+ }))).toBe(false);
566
+ // Cannot manage space with viewer role
567
+ expect(ability.can('manage', subject('Space', {
568
+ organizationUuid: 'org-123',
569
+ isPrivate: true,
570
+ access: [
571
+ {
572
+ userUuid: 'user-456',
573
+ role: SpaceMemberRole.VIEWER,
574
+ },
575
+ ],
576
+ }))).toBe(false);
577
+ });
578
+ });
579
+ describe('job and job status permissions', () => {
580
+ it('should handle view:job permissions', () => {
581
+ const contextWithUser = {
582
+ ...baseContext,
583
+ userUuid: 'user-456',
584
+ };
585
+ const ability = buildAbilityFromScopes({
586
+ ...contextWithUser,
587
+ scopes: ['view:job'],
588
+ });
589
+ // Can view own jobs
590
+ expect(ability.can('view', subject('Job', {
591
+ userUuid: 'user-456',
592
+ }))).toBe(true);
593
+ // Cannot view other users' jobs without manage permission
594
+ expect(ability.can('view', subject('Job', {
595
+ userUuid: 'other-user',
596
+ }))).toBe(false);
597
+ });
598
+ it('should handle view:job_status permissions for organization context', () => {
599
+ const contextWithoutUser = {
600
+ ...baseContext,
601
+ userUuid: undefined,
602
+ };
603
+ const ability = buildAbilityFromScopes({
604
+ ...contextWithoutUser,
605
+ scopes: ['view:job_status'],
606
+ });
607
+ // Cannot view job status without user context when no manage:Organization scope
608
+ expect(ability.can('view', subject('JobStatus', {
609
+ organizationUuid: 'org-123',
610
+ }))).toBe(false);
611
+ // Cannot view job status from another organization
612
+ expect(ability.can('view', subject('JobStatus', {
613
+ organizationUuid: 'different-org',
614
+ }))).toBe(false);
615
+ });
616
+ it('should handle view:job_status permissions with manage:Organization scope', () => {
617
+ const contextWithoutUser = {
618
+ ...baseContext,
619
+ userUuid: undefined,
620
+ };
621
+ const ability = buildAbilityFromScopes({
622
+ ...contextWithoutUser,
623
+ scopes: ['view:job_status', 'manage:organization'],
624
+ });
625
+ // Can view all job status in organization when manage:Organization scope is present
626
+ expect(ability.can('view', subject('JobStatus', {
627
+ organizationUuid: 'org-123',
628
+ }))).toBe(true);
629
+ // Cannot view job status from another organization
630
+ expect(ability.can('view', subject('JobStatus', {
631
+ organizationUuid: 'different-org',
632
+ }))).toBe(false);
633
+ });
634
+ it('should handle view:job_status permissions for user context', () => {
635
+ const contextWithUser = {
636
+ ...baseContext,
637
+ userUuid: 'user-456',
638
+ };
639
+ const ability = buildAbilityFromScopes({
640
+ ...contextWithUser,
641
+ scopes: ['view:job_status'],
642
+ });
643
+ // Can view own job status
644
+ expect(ability.can('view', subject('JobStatus', {
645
+ createdByUserUuid: 'user-456',
646
+ }))).toBe(true);
647
+ // Cannot view other users' job status
648
+ expect(ability.can('view', subject('JobStatus', {
649
+ createdByUserUuid: 'other-user',
650
+ }))).toBe(false);
651
+ });
652
+ });
653
+ describe('semantic viewer permissions', () => {
654
+ it('should handle view:semantic_viewer permissions', () => {
655
+ const ability = buildAbilityFromScopes({
656
+ ...baseContext,
657
+ scopes: ['view:semantic_viewer'],
658
+ });
659
+ expect(ability.can('view', subject('SemanticViewer', {
660
+ organizationUuid: 'org-123',
661
+ projectUuid: 'project-123',
662
+ }))).toBe(true);
663
+ });
664
+ it('should handle manage:semantic_viewer with organization scope', () => {
665
+ const contextWithOrgManage = {
666
+ ...baseContext,
667
+ userUuid: 'user-456',
668
+ scopes: ['manage:organization'],
669
+ };
670
+ const ability = buildAbilityFromScopes({
671
+ ...contextWithOrgManage,
672
+ scopes: ['manage:organization', 'manage:semantic_viewer'],
673
+ });
674
+ // Can manage semantic viewer organization-wide
675
+ expect(ability.can('manage', subject('SemanticViewer', {
676
+ organizationUuid: 'org-123',
677
+ }))).toBe(true);
678
+ });
679
+ it('should handle manage:semantic_viewer with editor role', () => {
680
+ const contextWithUser = {
681
+ ...baseContext,
682
+ userUuid: 'user-456',
683
+ };
684
+ const ability = buildAbilityFromScopes({
685
+ ...contextWithUser,
686
+ scopes: ['manage:semantic_viewer'],
687
+ });
688
+ // Can manage semantic viewer with editor role
689
+ expect(ability.can('manage', subject('SemanticViewer', {
690
+ organizationUuid: 'org-123',
691
+ access: [
692
+ {
693
+ userUuid: 'user-456',
694
+ role: SpaceMemberRole.EDITOR,
695
+ },
696
+ ],
697
+ }))).toBe(true);
698
+ // Cannot manage without proper access
699
+ expect(ability.can('manage', subject('SemanticViewer', {
700
+ organizationUuid: 'org-123',
701
+ access: [
702
+ {
703
+ userUuid: 'user-456',
704
+ role: SpaceMemberRole.VIEWER,
705
+ },
706
+ ],
707
+ }))).toBe(false);
708
+ });
709
+ });
710
+ describe('create space permissions', () => {
711
+ it('should handle create:space permissions', () => {
712
+ const ability = buildAbilityFromScopes({
713
+ ...baseContext,
714
+ scopes: ['create:space'],
715
+ });
716
+ expect(ability.can('create', subject('Space', {
717
+ organizationUuid: 'org-123',
718
+ projectUuid: 'project-123',
719
+ }))).toBe(true);
720
+ });
721
+ });
722
+ describe('export permissions', () => {
723
+ it('should handle export csv permissions', () => {
724
+ const ability = buildAbilityFromScopes({
725
+ ...baseContext,
726
+ scopes: ['manage:export_csv'],
727
+ });
728
+ expect(ability.can('manage', subject('ExportCsv', {
729
+ organizationUuid: 'org-123',
730
+ projectUuid: 'project-123',
731
+ }))).toBe(true);
732
+ });
733
+ it('should handle change csv results permissions', () => {
734
+ const ability = buildAbilityFromScopes({
735
+ ...baseContext,
736
+ scopes: ['manage:change_csv_results'],
737
+ });
738
+ expect(ability.can('manage', subject('ChangeCsvResults', {
739
+ organizationUuid: 'org-123',
740
+ projectUuid: 'project-123',
741
+ }))).toBe(true);
742
+ });
743
+ });
744
+ describe('underlying data permissions', () => {
745
+ it('should handle view:underlying_data permissions', () => {
746
+ const ability = buildAbilityFromScopes({
747
+ ...baseContext,
748
+ scopes: ['view:underlying_data'],
749
+ });
750
+ expect(ability.can('view', subject('UnderlyingData', {
751
+ organizationUuid: 'org-123',
752
+ projectUuid: 'project-123',
753
+ }))).toBe(true);
754
+ });
755
+ });
756
+ describe('sql runner and custom sql permissions', () => {
757
+ it('should handle manage:sql_runner permissions', () => {
758
+ const ability = buildAbilityFromScopes({
759
+ ...baseContext,
760
+ scopes: ['manage:sql_runner'],
761
+ });
762
+ expect(ability.can('manage', subject('SqlRunner', {
763
+ organizationUuid: 'org-123',
764
+ projectUuid: 'project-123',
765
+ }))).toBe(true);
766
+ });
767
+ it('should handle manage:custom_sql permissions', () => {
768
+ const ability = buildAbilityFromScopes({
769
+ ...baseContext,
770
+ scopes: ['manage:custom_sql'],
771
+ });
772
+ expect(ability.can('manage', subject('CustomSql', {
773
+ organizationUuid: 'org-123',
774
+ projectUuid: 'project-123',
775
+ }))).toBe(true);
776
+ });
777
+ });
778
+ describe('project delete permissions', () => {
779
+ it('should handle delete:project with projectUuid', () => {
780
+ const contextWithProject = {
781
+ ...baseContext,
782
+ projectUuid: 'project-456',
783
+ };
784
+ const ability = buildAbilityFromScopes({
785
+ ...contextWithProject,
786
+ scopes: ['delete:project'],
787
+ });
788
+ // Can delete specific project
789
+ expect(ability.can('delete', subject('Project', {
790
+ projectUuid: 'project-456',
791
+ }))).toBe(true);
792
+ // Cannot delete different project
793
+ expect(ability.can('delete', subject('Project', {
794
+ projectUuid: 'different-project',
795
+ }))).toBe(false);
796
+ });
797
+ it('should handle delete:project for preview projects', () => {
798
+ const contextWithoutProject = {
799
+ ...baseContext,
800
+ projectUuid: '',
801
+ };
802
+ const ability = buildAbilityFromScopes({
803
+ ...contextWithoutProject,
804
+ scopes: ['delete:project'],
805
+ });
806
+ // Can delete preview projects in organization
807
+ expect(ability.can('delete', subject('Project', {
808
+ organizationUuid: 'org-123',
809
+ type: ProjectType.PREVIEW,
810
+ }))).toBe(true);
811
+ // Cannot delete default projects
812
+ expect(ability.can('delete', subject('Project', {
813
+ organizationUuid: 'org-123',
814
+ type: ProjectType.DEFAULT,
815
+ }))).toBe(false);
816
+ });
817
+ });
818
+ describe('pinned items permissions', () => {
819
+ it('should handle view:pinned_items permissions', () => {
820
+ const ability = buildAbilityFromScopes({
821
+ ...baseContext,
822
+ scopes: ['view:pinned_items'],
823
+ });
824
+ expect(ability.can('view', subject('PinnedItems', {
825
+ organizationUuid: 'org-123',
826
+ projectUuid: 'project-123',
827
+ }))).toBe(true);
828
+ });
829
+ it('should handle manage:pinned_items permissions', () => {
830
+ const ability = buildAbilityFromScopes({
831
+ ...baseContext,
832
+ scopes: ['manage:pinned_items'],
833
+ });
834
+ expect(ability.can('manage', subject('PinnedItems', {
835
+ organizationUuid: 'org-123',
836
+ projectUuid: 'project-123',
837
+ }))).toBe(true);
838
+ });
839
+ });
840
+ describe('explore permissions', () => {
841
+ it('should handle manage:explore permissions', () => {
842
+ const ability = buildAbilityFromScopes({
843
+ ...baseContext,
844
+ scopes: ['manage:explore'],
845
+ });
846
+ expect(ability.can('manage', subject('Explore', {
847
+ organizationUuid: 'org-123',
848
+ projectUuid: 'project-123',
849
+ }))).toBe(true);
850
+ });
851
+ });
852
+ describe('organization member profile permissions', () => {
853
+ it('should handle view:organization_member_profile permissions', () => {
854
+ const ability = buildAbilityFromScopes({
855
+ ...baseContext,
856
+ scopes: ['view:organization_member_profile'],
857
+ });
858
+ expect(ability.can('view', subject('OrganizationMemberProfile', {
859
+ organizationUuid: 'org-123',
860
+ projectUuid: 'project-123',
861
+ }))).toBe(true);
862
+ // Cannot view profiles from different organization
863
+ expect(ability.can('view', subject('OrganizationMemberProfile', {
864
+ organizationUuid: 'different-org',
865
+ projectUuid: 'project-123',
866
+ }))).toBe(false);
867
+ });
868
+ it('should handle manage:organization_member_profile permissions', () => {
869
+ const ability = buildAbilityFromScopes({
870
+ ...baseContext,
871
+ scopes: ['manage:organization_member_profile'],
872
+ });
873
+ expect(ability.can('manage', subject('OrganizationMemberProfile', {
874
+ organizationUuid: 'org-123',
875
+ projectUuid: 'project-123',
876
+ }))).toBe(true);
877
+ });
878
+ });
879
+ describe('personal access token permissions', () => {
880
+ it('should allow managing PAT when enabled and user has allowed role', () => {
881
+ const ability = buildAbilityFromScopes({
882
+ ...baseContext,
883
+ isEnterprise: true,
884
+ organizationRole: 'admin',
885
+ scopes: ['manage:personal_access_token'],
886
+ permissionsConfig: {
887
+ pat: {
888
+ enabled: true,
889
+ allowedOrgRoles: ['admin', 'developer'],
890
+ },
891
+ },
892
+ });
893
+ expect(ability.can('manage', 'PersonalAccessToken')).toBe(true);
894
+ });
895
+ it('should not allow managing PAT when disabled', () => {
896
+ const ability = buildAbilityFromScopes({
897
+ ...baseContext,
898
+ isEnterprise: true,
899
+ organizationRole: 'admin',
900
+ scopes: ['manage:personal_access_token'],
901
+ permissionsConfig: {
902
+ pat: {
903
+ enabled: false,
904
+ allowedOrgRoles: ['admin', 'developer'],
905
+ },
906
+ },
907
+ });
908
+ expect(ability.can('manage', subject('PersonalAccessToken', {}))).toBe(false);
909
+ });
910
+ it('should not allow managing PAT when user role not in allowed roles', () => {
911
+ const ability = buildAbilityFromScopes({
912
+ ...baseContext,
913
+ isEnterprise: true,
914
+ organizationRole: 'developer',
915
+ scopes: ['manage:personal_access_token'],
916
+ permissionsConfig: {
917
+ pat: {
918
+ enabled: true,
919
+ allowedOrgRoles: ['admin'],
920
+ },
921
+ },
922
+ });
923
+ expect(ability.can('manage', subject('PersonalAccessToken', {}))).toBe(false);
924
+ });
925
+ it('should not allow managing PAT when no permissions config provided', () => {
926
+ const ability = buildAbilityFromScopes({
927
+ ...baseContext,
928
+ isEnterprise: true,
929
+ organizationRole: 'admin',
930
+ scopes: ['manage:personal_access_token'],
931
+ // No permissionsConfig provided
932
+ });
933
+ expect(ability.can('manage', subject('PersonalAccessToken', {}))).toBe(false);
934
+ });
935
+ it('should not allow managing PAT when no organization role provided', () => {
936
+ const ability = buildAbilityFromScopes({
937
+ ...baseContext,
938
+ isEnterprise: true,
939
+ organizationRole: '', // Empty organization role
940
+ scopes: ['manage:personal_access_token'],
941
+ permissionsConfig: {
942
+ pat: {
943
+ enabled: true,
944
+ allowedOrgRoles: ['admin', 'developer'],
945
+ },
946
+ },
947
+ });
948
+ expect(ability.can('manage', subject('PersonalAccessToken', {}))).toBe(false);
949
+ });
950
+ });
951
+ });
952
+ });
953
+ //# sourceMappingURL=scopeAbilityBuilder.test.js.map