@lightdash/common 0.2897.0 → 0.2899.0
- package/dist/cjs/.tsbuildinfo +1 -1
- package/dist/cjs/authorization/parseScopes.test.js +4 -7
- package/dist/cjs/authorization/parseScopes.test.js.map +1 -1
- package/dist/cjs/authorization/roleToScopeMapping.d.ts.map +1 -1
- package/dist/cjs/authorization/roleToScopeMapping.js +56 -0
- package/dist/cjs/authorization/roleToScopeMapping.js.map +1 -1
- package/dist/cjs/authorization/roleToScopeParity.test.js +169 -97
- package/dist/cjs/authorization/roleToScopeParity.test.js.map +1 -1
- package/dist/cjs/authorization/scopes.d.ts.map +1 -1
- package/dist/cjs/authorization/scopes.js +7 -22
- package/dist/cjs/authorization/scopes.js.map +1 -1
- package/dist/cjs/authorization/types.d.ts +1 -1
- package/dist/cjs/authorization/types.d.ts.map +1 -1
- package/dist/cjs/ee/apps/types.d.ts +3 -0
- package/dist/cjs/ee/apps/types.d.ts.map +1 -1
- package/dist/cjs/types/projects.d.ts +1 -0
- package/dist/cjs/types/projects.d.ts.map +1 -1
- package/dist/cjs/types/projects.js +12 -1
- package/dist/cjs/types/projects.js.map +1 -1
- package/dist/cjs/types/roles.d.ts +12 -0
- package/dist/cjs/types/roles.d.ts.map +1 -1
- package/dist/cjs/utils/timeFrames.d.ts +9 -7
- package/dist/cjs/utils/timeFrames.d.ts.map +1 -1
- package/dist/cjs/utils/timeFrames.js +10 -10
- package/dist/cjs/utils/timeFrames.js.map +1 -1
- package/dist/cjs/utils/timeFrames.test.js +26 -0
- package/dist/cjs/utils/timeFrames.test.js.map +1 -1
- package/dist/esm/.tsbuildinfo +1 -1
- package/dist/esm/authorization/parseScopes.test.js +4 -7
- package/dist/esm/authorization/parseScopes.test.js.map +1 -1
- package/dist/esm/authorization/roleToScopeMapping.d.ts.map +1 -1
- package/dist/esm/authorization/roleToScopeMapping.js +56 -0
- package/dist/esm/authorization/roleToScopeMapping.js.map +1 -1
- package/dist/esm/authorization/roleToScopeParity.test.js +169 -96
- package/dist/esm/authorization/roleToScopeParity.test.js.map +1 -1
- package/dist/esm/authorization/scopes.d.ts.map +1 -1
- package/dist/esm/authorization/scopes.js +7 -22
- package/dist/esm/authorization/scopes.js.map +1 -1
- package/dist/esm/authorization/types.d.ts +1 -1
- package/dist/esm/authorization/types.d.ts.map +1 -1
- package/dist/esm/ee/apps/types.d.ts +3 -0
- package/dist/esm/ee/apps/types.d.ts.map +1 -1
- package/dist/esm/types/projects.d.ts +1 -0
- package/dist/esm/types/projects.d.ts.map +1 -1
- package/dist/esm/types/projects.js +10 -0
- package/dist/esm/types/projects.js.map +1 -1
- package/dist/esm/types/roles.d.ts +12 -0
- package/dist/esm/types/roles.d.ts.map +1 -1
- package/dist/esm/utils/timeFrames.d.ts +9 -7
- package/dist/esm/utils/timeFrames.d.ts.map +1 -1
- package/dist/esm/utils/timeFrames.js +10 -10
- package/dist/esm/utils/timeFrames.js.map +1 -1
- package/dist/esm/utils/timeFrames.test.js +26 -0
- package/dist/esm/utils/timeFrames.test.js.map +1 -1
- package/dist/types/.tsbuildinfo +1 -1
- package/dist/types/authorization/parseScopes.test.js +4 -7
- package/dist/types/authorization/parseScopes.test.js.map +1 -1
- package/dist/types/authorization/roleToScopeMapping.d.ts.map +1 -1
- package/dist/types/authorization/roleToScopeMapping.js +56 -0
- package/dist/types/authorization/roleToScopeMapping.js.map +1 -1
- package/dist/types/authorization/roleToScopeParity.test.js +169 -96
- package/dist/types/authorization/roleToScopeParity.test.js.map +1 -1
- package/dist/types/authorization/scopes.d.ts.map +1 -1
- package/dist/types/authorization/scopes.js +7 -22
- package/dist/types/authorization/scopes.js.map +1 -1
- package/dist/types/authorization/types.d.ts +1 -1
- package/dist/types/authorization/types.d.ts.map +1 -1
- package/dist/types/ee/apps/types.d.ts +3 -0
- package/dist/types/ee/apps/types.d.ts.map +1 -1
- package/dist/types/types/projects.d.ts +1 -0
- package/dist/types/types/projects.d.ts.map +1 -1
- package/dist/types/types/projects.js +10 -0
- package/dist/types/types/projects.js.map +1 -1
- package/dist/types/types/roles.d.ts +12 -0
- package/dist/types/types/roles.d.ts.map +1 -1
- package/dist/types/utils/timeFrames.d.ts +9 -7
- package/dist/types/utils/timeFrames.d.ts.map +1 -1
- package/dist/types/utils/timeFrames.js +10 -10
- package/dist/types/utils/timeFrames.js.map +1 -1
- package/dist/types/utils/timeFrames.test.js +26 -0
- package/dist/types/utils/timeFrames.test.js.map +1 -1
- package/package.json +1 -1
|
@@ -25,14 +25,11 @@ describe('parseScopes', () => {
|
|
|
25
25
|
});
|
|
26
26
|
it('should handle mixed case scope names correctly', () => {
|
|
27
27
|
const result = (0, parseScopes_1.parseScopes)({
|
|
28
|
-
scopes: [
|
|
29
|
-
'export:dashboard_csv',
|
|
30
|
-
'manage:personal_access_token',
|
|
31
|
-
],
|
|
28
|
+
scopes: ['manage:custom_sql', 'manage:personal_access_token'],
|
|
32
29
|
isEnterprise: true,
|
|
33
30
|
});
|
|
34
31
|
expect(result.size).toBe(2);
|
|
35
|
-
expect(result.has('
|
|
32
|
+
expect(result.has('manage:CustomSql')).toBe(true);
|
|
36
33
|
expect(result.has('manage:PersonalAccessToken')).toBe(true);
|
|
37
34
|
});
|
|
38
35
|
it('should handle single scope correctly', () => {
|
|
@@ -74,13 +71,13 @@ describe('parseScopes', () => {
|
|
|
74
71
|
it('should transform snake_case to PascalCase correctly', () => {
|
|
75
72
|
const result = (0, parseScopes_1.parseScopes)({
|
|
76
73
|
scopes: [
|
|
77
|
-
'
|
|
74
|
+
'manage:custom_sql',
|
|
78
75
|
'manage:personal_access_token',
|
|
79
76
|
'view:semantic_viewer',
|
|
80
77
|
],
|
|
81
78
|
isEnterprise: true,
|
|
82
79
|
});
|
|
83
|
-
expect(result.has('
|
|
80
|
+
expect(result.has('manage:CustomSql')).toBe(true);
|
|
84
81
|
expect(result.has('manage:PersonalAccessToken')).toBe(true);
|
|
85
82
|
expect(result.has('view:SemanticViewer')).toBe(true);
|
|
86
83
|
});
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parseScopes.test.js","sourceRoot":"","sources":["../../../src/authorization/parseScopes.test.ts"],"names":[],"mappings":";;AAAA,+CAA4C;AAE5C,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IACzB,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,CAAC;gBAC9C,YAAY,EAAE,KAAK;aACtB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YAC/D,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,eAAe,EAAE,iBAAiB,CAAC;gBAC5C,YAAY,EAAE,IAAI;aACrB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACtD,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE
|
|
1
|
+
{"version":3,"file":"parseScopes.test.js","sourceRoot":"","sources":["../../../src/authorization/parseScopes.test.ts"],"names":[],"mappings":";;AAAA,+CAA4C;AAE5C,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IACzB,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,CAAC;gBAC9C,YAAY,EAAE,KAAK;aACtB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YAC/D,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,eAAe,EAAE,iBAAiB,CAAC;gBAC5C,YAAY,EAAE,IAAI;aACrB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACtD,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,mBAAmB,EAAE,8BAA8B,CAAC;gBAC7D,YAAY,EAAE,IAAI;aACrB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,cAAc,CAAC;gBACxB,YAAY,EAAE,KAAK;aACtB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YACxC,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,EAAE;gBACV,YAAY,EAAE,KAAK;aAC
tB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC7C,MAAM,CACF,IAAA,yBAAW,EAAC;gBACR,MAAM,EAAE,CAAC,gBAAgB,EAAE,eAAe,CAAC;gBAC3C,YAAY,EAAE,KAAK;aACtB,CAAC,CACL,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YAC/D,MAAM,CACF,IAAA,yBAAW,EAAC;gBACR,MAAM,EAAE,CAAC,gBAAgB,EAAE,eAAe,CAAC;gBAC3C,YAAY,EAAE,KAAK;aACtB,CAAC,CACL,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;YAEvC,MAAM,CACF,IAAA,yBAAW,EAAC;gBACR,MAAM,EAAE,CAAC,gBAAgB,EAAE,eAAe,CAAC;gBAC3C,YAAY,EAAE,IAAI;aACrB,CAAC,CACL,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC3D,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE;oBACJ,mBAAmB;oBACnB,8BAA8B;oBAC9B,sBAAsB;iBACzB;gBACD,YAAY,EAAE,IAAI;aACrB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5D,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YAC/C,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,CAAC;gBAC/C,YAAY,EAAE,KAAK;aACtB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAChD,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC;gBACvB,MAAM,EAAE,CAAC,sBAAsB,CAAC;gBAChC,YAAY,EAAE,KAAK;aACtB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleToScopeMapping.d.ts","sourceRoot":"","sources":["../../../src/authorization/roleToScopeMapping.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,iBAAiB,EAEpB,MAAM,4BAA4B,CAAC;AACpC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"roleToScopeMapping.d.ts","sourceRoot":"","sources":["../../../src/authorization/roleToScopeMapping.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,iBAAiB,EAEpB,MAAM,4BAA4B,CAAC;AACpC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA0LrD;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,MAAM,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAoBnE,CAAC;AAET;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAAI,MAAM,iBAAiB,KAAG,MAAM,EAEnE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,GACtC,MAAM,iBAAiB,KACxB,MAAM,EAyBR,CAAC;AAEF,eAAO,MAAM,cAAc,QAAO,cAAc,EAWzC,CAAC;AAER,eAAO,MAAM,YAAY,GAAI,UAAU,MAAM,KAAG,QAAQ,IAAI,iBACF,CAAC"}
|
|
@@ -21,6 +21,11 @@ const BASE_ROLE_SCOPES = {
|
|
|
21
21
|
'view:DashboardComments',
|
|
22
22
|
'view:Tags',
|
|
23
23
|
'manage:ExportCsv',
|
|
24
|
+
// Org-context view scopes — every member-or-above can see the
|
|
25
|
+
// org's own metadata + the list of fellow members. Granted by
|
|
26
|
+
// `applyOrganizationMemberStaticAbilities.member` / `viewer`.
|
|
27
|
+
'view:Organization',
|
|
28
|
+
'view:OrganizationMemberProfile',
|
|
24
29
|
// Enterprise scopes (when available)
|
|
25
30
|
'view:MetricsTree',
|
|
26
31
|
'view:SpotlightTableConfig',
|
|
@@ -37,9 +42,15 @@ const BASE_ROLE_SCOPES = {
|
|
|
37
42
|
'manage:ScheduledDeliveries@self',
|
|
38
43
|
'create:DashboardComments',
|
|
39
44
|
'manage:GoogleSheets',
|
|
45
|
+
// Job tracking — orchestrating queries/exports/etc. Granted at
|
|
46
|
+
// `applyOrganizationMemberStaticAbilities.interactive_viewer`.
|
|
47
|
+
'create:Job',
|
|
48
|
+
'view:Job',
|
|
49
|
+
'view:Job@self',
|
|
40
50
|
// Space-level content management (requires space admin/editor role)
|
|
41
51
|
'manage:Dashboard@space', // Via space access
|
|
42
52
|
'manage:SavedChart@space', // Via space access
|
|
53
|
+
'manage:SemanticViewer@space', // Via space access (paired w/ @space content)
|
|
43
54
|
'manage:DataApp@space', // Via space access
|
|
44
55
|
'manage:Space@assigned', // Via space access (admin role)
|
|
45
56
|
// Enterprise scopes
|
|
@@ -57,6 +68,14 @@ const BASE_ROLE_SCOPES = {
|
|
|
57
68
|
'manage:PinnedItems',
|
|
58
69
|
'manage:DashboardComments',
|
|
59
70
|
'manage:Tags',
|
|
71
|
+
// Broad SemanticViewer mgmt — promoted from the @space variant
|
|
72
|
+
// when the user reaches editor tier. Granted at
|
|
73
|
+
// `applyOrganizationMemberStaticAbilities.editor`.
|
|
74
|
+
'manage:SemanticViewer',
|
|
75
|
+
// View-only access to org warehouse creds — needed before admin
|
|
76
|
+
// tier so editors can see what's already configured. Granted at
|
|
77
|
+
// `applyOrganizationMemberStaticAbilities.editor`.
|
|
78
|
+
'view:OrganizationWarehouseCredentials',
|
|
60
79
|
// Enterprise scopes
|
|
61
80
|
'manage:MetricsTree',
|
|
62
81
|
'manage:AiAgentThread@self', // User's own threads
|
|
@@ -65,6 +84,11 @@ const BASE_ROLE_SCOPES = {
|
|
|
65
84
|
// Developer-specific permissions
|
|
66
85
|
'manage:PreAggregation',
|
|
67
86
|
'manage:VirtualView',
|
|
87
|
+
// Granular create/delete companions to manage:VirtualView. Both
|
|
88
|
+
// covered by the broader manage at runtime, but listed
|
|
89
|
+
// explicitly so the role-builder UI shows them ticked.
|
|
90
|
+
'create:VirtualView',
|
|
91
|
+
'delete:VirtualView',
|
|
68
92
|
'manage:CustomSql',
|
|
69
93
|
'manage:CustomFields',
|
|
70
94
|
'manage:SqlRunner',
|
|
@@ -79,6 +103,12 @@ const BASE_ROLE_SCOPES = {
|
|
|
79
103
|
'view:JobStatus', // All jobs in project
|
|
80
104
|
'view:SourceCode',
|
|
81
105
|
'manage:SourceCode',
|
|
106
|
+
// Promote to upstream project. Both broad + @space variants
|
|
107
|
+
// surface in `applyOrganizationMemberStaticAbilities.developer`.
|
|
108
|
+
'promote:Dashboard',
|
|
109
|
+
'promote:Dashboard@space',
|
|
110
|
+
'promote:SavedChart',
|
|
111
|
+
'promote:SavedChart@space',
|
|
82
112
|
// Enterprise scopes
|
|
83
113
|
'manage:SpotlightTableConfig',
|
|
84
114
|
'manage:ContentAsCode',
|
|
@@ -99,6 +129,32 @@ const BASE_ROLE_SCOPES = {
|
|
|
99
129
|
'manage:AiAgentThread', // All threads in project
|
|
100
130
|
'manage:ScheduledDeliveries',
|
|
101
131
|
'manage:ContentVerification',
|
|
132
|
+
// Organization-management scopes. These are no-ops at project
|
|
133
|
+
// assignment (CASL conditions match `organizationUuid`-keyed
|
|
134
|
+
// subjects only) but are necessary at the role's intended ORG
|
|
135
|
+
// assignment — service accounts with `roleUuid`, or any future
|
|
136
|
+
// org-level human assignment. See `docs/authentication-and-roles.md`
|
|
137
|
+
// → "Project vs organization assignment of custom roles".
|
|
138
|
+
// Granted at `applyOrganizationMemberStaticAbilities.admin`.
|
|
139
|
+
'manage:OrganizationMemberProfile',
|
|
140
|
+
'manage:Group',
|
|
141
|
+
'manage:InviteLink',
|
|
142
|
+
'manage:GitIntegration',
|
|
143
|
+
'manage:OrganizationWarehouseCredentials',
|
|
144
|
+
'manage:Organization',
|
|
145
|
+
'impersonate:User',
|
|
146
|
+
// PAT management. Granted dynamically at runtime via
|
|
147
|
+
// `applyOrganizationMemberDynamicAbilities` based on the
|
|
148
|
+
// deployment-wide `PAT_ALLOWED_ORG_ROLES` env var — that path
|
|
149
|
+
// remains the source of truth for system roles. Listing it
|
|
150
|
+
// here lets admin-clone custom roles surface the toggle in the
|
|
151
|
+
// role builder. **Caveat:** toggling it in a custom role
|
|
152
|
+
// *bypasses* the dynamic gate, since CASL is additive (the
|
|
153
|
+
// static scope-built rule wins regardless of deployment
|
|
154
|
+
// config). Operators who clone admin into a lower-privilege
|
|
155
|
+
// role should untick it manually if their deployment intends
|
|
156
|
+
// to restrict PAT to specific tiers.
|
|
157
|
+
'manage:PersonalAccessToken',
|
|
102
158
|
],
|
|
103
159
|
};
|
|
104
160
|
/**
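Review bot: In the last hunk of this section, adding `'manage:PersonalAccessToken'` to the admin entry of `BASE_ROLE_SCOPES` makes the `PAT_ALLOWED_ORG_ROLES` restriction fail open for any custom role cloned from admin. The added comment says as much: the static scope-built rule wins regardless of deployment config, and the only mitigation is an operator remembering to untick it. If the role builder can surface a scope without pre-ticking it, I would drop `'manage:PersonalAccessToken',` from this default list, and otherwise have the scope-built path apply the same env-driven gate as `applyOrganizationMemberDynamicAbilities` before emitting the rule. The same hunk adds `'impersonate:User'` and `'manage:OrganizationWarehouseCredentials'` on the stated assumption that they are no-ops under project assignment, so a test asserting that a project-assigned role carrying these scopes cannot act on an `organizationUuid`-keyed subject would pin that down; separately, the editor-tier `'view:OrganizationWarehouseCredentials'` in the third hunk should be confirmed to expose metadata only, not secret material. `BASE_ROLE_SCOPES` starts outside the hunks shown, so which role each list belongs to is taken from the added comments rather than from visible keys.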
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleToScopeMapping.js","sourceRoot":"","sources":["../../../src/authorization/roleToScopeMapping.ts"],"names":[],"mappings":";;;AAAA,kEAGoC;AAGpC;;;GAGG;AAEH;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACrB,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE;QACxB,4BAA4B;QAC5B,gBAAgB;QAChB,qBAAqB,EAAE,yCAAyC;QAChE,iBAAiB;QACjB,YAAY;QACZ,cAAc;QACd,kBAAkB;QAClB,wBAAwB;QACxB,WAAW;QACX,kBAAkB;QAElB,qCAAqC;QACrC,kBAAkB;QAClB,2BAA2B;QAC3B,yBAAyB;QACzB,cAAc;KACjB;IAED,CAAC,qCAAiB,CAAC,kBAAkB,CAAC,EAAE;QACpC,4CAA4C;QAC5C,qBAAqB;QACrB,qBAAqB;QACrB,gBAAgB;QAChB,yBAAyB;QACzB,4BAA4B;QAC5B,iCAAiC;QACjC,0BAA0B;QAC1B,qBAAqB;QAErB,oEAAoE;QACpE,wBAAwB,EAAE,mBAAmB;QAC7C,yBAAyB,EAAE,mBAAmB;QAC9C,sBAAsB,EAAE,mBAAmB;QAC3C,uBAAuB,EAAE,gCAAgC;QAEzD,oBAAoB;QACpB,cAAc;QACd,sBAAsB;QACtB,gBAAgB,EAAE,qCAAqC;QACvD,mBAAmB,EAAE,oBAAoB;QACzC,qBAAqB,EAAE,oBAAoB;KAC9C;IAED,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE;QACxB,8BAA8B;QAC9B,cAAc;QACd,qBAAqB,EAAE,yBAAyB;QAChD,YAAY;QACZ,oBAAoB;QACpB,0BAA0B;QAC1B,aAAa;QAEb,oBAAoB;QACpB,oBAAoB;QACpB,2BAA2B,EAAE,qBAAqB;KACrD;IAED,CAAC,qCAAiB,CAAC,SAAS,CAAC,EAAE;QAC3B,iCAAiC;QACjC,uBAAuB;QACvB,oBAAoB;QACpB,kBAAkB;QAClB,qBAAqB;QACrB,kBAAkB;QAClB,mBAAmB;QACnB,uBAAuB;QACvB,sBAAsB;QACtB,2BAA2B;QAC3B,wBAAwB,EAAE,mBAAmB;QAC7C,qBAAqB,EAAE,mCAAmC;QAC1D,gBAAgB;QAChB,qBAAqB;QACrB,gBAAgB,EAAE,sBAAsB;QACxC,iBAAiB;QACjB,mBAAmB;QAEnB,oBAAoB;QACpB,6BAA6B;QAC7B,sBAAsB;QACtB,gBAAgB;QAChB,2BAA2B,EAAE,qBAAqB;KACrD;IAED,CAAC,qCAAiB,CAAC,KAAK,CAAC,EAAE;QACvB,6BAA6B;QAC7B,gBAAgB;QAChB,gBAAgB,EAAE,cAAc;QAChC,gBAAgB;QAChB,kBAAkB,EAAE,iBAAiB;QACrC,cAAc,EAAE,aAAa;QAC7B,gBAAgB,EAAE,2CAA2C;QAC7D,mBAAmB,EAAE,mBAAmB;QACxC,uBAAuB,EAAE,kCAAkC;QAC3D,oBAAoB,EAAE,yBAAyB;QAC/C,sBAAsB,EAAE,yBAAyB;QACjD,4BAA4B;QAC5B,4BAA4B;KAC/B;CACK,CAAC;AAEX;;GAEG;AACH,MAAM,cAAc,GAAG;IACnB,qCAAiB,CAAC,MAAM;IACxB,qCAAiB,CAAC,kBAAkB;IACpC,qCAAiB,CAAC,MAAM;IACxB,qCAAiB,CAAC,SAAS;IAC3B,qCAAiB,CAAC,KAAK;CACjB,CAAC;AAEX;;;GAGG;AACU,QAAA,0BAA0B,GACnC,CAAC,GAAG,EAAE;IACF,MAAM,MAAM,GAAG,EAAyC,CAAC;IAEzD,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAChC,MAA
M,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAE1C,wCAAwC;QACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YACtC,gBAAgB,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAC5C,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAC7B,CAAC;QACN,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC,CAAC,EAAE,CAAC;AAET;;GAEG;AACI,MAAM,mBAAmB,GAAG,CAAC,IAAuB,EAAY,EAAE,CAAC;IACtE,GAAG,kCAA0B,CAAC,IAAI,CAAC;CACtC,CAAC;AAFW,QAAA,mBAAmB,uBAE9B;AAEF;;GAEG;AACI,MAAM,6BAA6B,GAAG,CACzC,IAAuB,EACf,EAAE;IACV,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;QAC7B,kBAAkB;QAClB,oBAAoB;QACpB,2BAA2B;QAC3B,6BAA6B;QAC7B,cAAc;QACd,oBAAoB;QACpB,sBAAsB;QACtB,gBAAgB;QAChB,sBAAsB;QACtB,sBAAsB;QACtB,cAAc;QACd,gBAAgB;QAChB,sBAAsB;QACtB,gBAAgB;QAChB,mBAAmB;QACnB,qBAAqB;QACrB,4BAA4B;QAC5B,uBAAuB;KAC1B,CAAC,CAAC;IAEH,OAAO,kCAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,CAC1C,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAC1C,CAAC;AACN,CAAC,CAAC;AA3BW,QAAA,6BAA6B,iCA2BxC;AAEK,MAAM,cAAc,GAAG,GAAqB,EAAE,CACjD,cAAc,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1B,QAAQ,EAAE,IAAI;IACd,IAAI,EAAE,2CAAuB,CAAC,IAAI,CAAC;IACnC,WAAW,EAAE,2CAAuB,CAAC,IAAI,CAAC;IAC1C,SAAS,EAAE,QAAQ;IACnB,MAAM,EAAE,IAAA,2BAAmB,EAAC,IAAI,CAAC;IACjC,gBAAgB,EAAE,IAAI;IACtB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,IAAI;CAClB,CAAC,CAAC,CAAC;AAXK,QAAA,cAAc,kBAWnB;AAED,MAAM,YAAY,GAAG,CAAC,QAAgB,EAAiC,EAAE,CAC5E,cAAc,CAAC,QAAQ,CAAC,QAA6B,CAAC,CAAC;AAD9C,QAAA,YAAY,gBACkC"}
|
|
1
|
+
{"version":3,"file":"roleToScopeMapping.js","sourceRoot":"","sources":["../../../src/authorization/roleToScopeMapping.ts"],"names":[],"mappings":";;;AAAA,kEAGoC;AAGpC;;;GAGG;AAEH;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACrB,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE;QACxB,4BAA4B;QAC5B,gBAAgB;QAChB,qBAAqB,EAAE,yCAAyC;QAChE,iBAAiB;QACjB,YAAY;QACZ,cAAc;QACd,kBAAkB;QAClB,wBAAwB;QACxB,WAAW;QACX,kBAAkB;QAElB,8DAA8D;QAC9D,8DAA8D;QAC9D,8DAA8D;QAC9D,mBAAmB;QACnB,gCAAgC;QAEhC,qCAAqC;QACrC,kBAAkB;QAClB,2BAA2B;QAC3B,yBAAyB;QACzB,cAAc;KACjB;IAED,CAAC,qCAAiB,CAAC,kBAAkB,CAAC,EAAE;QACpC,4CAA4C;QAC5C,qBAAqB;QACrB,qBAAqB;QACrB,gBAAgB;QAChB,yBAAyB;QACzB,4BAA4B;QAC5B,iCAAiC;QACjC,0BAA0B;QAC1B,qBAAqB;QAErB,+DAA+D;QAC/D,+DAA+D;QAC/D,YAAY;QACZ,UAAU;QACV,eAAe;QAEf,oEAAoE;QACpE,wBAAwB,EAAE,mBAAmB;QAC7C,yBAAyB,EAAE,mBAAmB;QAC9C,6BAA6B,EAAE,8CAA8C;QAC7E,sBAAsB,EAAE,mBAAmB;QAC3C,uBAAuB,EAAE,gCAAgC;QAEzD,oBAAoB;QACpB,cAAc;QACd,sBAAsB;QACtB,gBAAgB,EAAE,qCAAqC;QACvD,mBAAmB,EAAE,oBAAoB;QACzC,qBAAqB,EAAE,oBAAoB;KAC9C;IAED,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE;QACxB,8BAA8B;QAC9B,cAAc;QACd,qBAAqB,EAAE,yBAAyB;QAChD,YAAY;QACZ,oBAAoB;QACpB,0BAA0B;QAC1B,aAAa;QAEb,+DAA+D;QAC/D,gDAAgD;QAChD,mDAAmD;QACnD,uBAAuB;QAEvB,gEAAgE;QAChE,gEAAgE;QAChE,mDAAmD;QACnD,uCAAuC;QAEvC,oBAAoB;QACpB,oBAAoB;QACpB,2BAA2B,EAAE,qBAAqB;KACrD;IAED,CAAC,qCAAiB,CAAC,SAAS,CAAC,EAAE;QAC3B,iCAAiC;QACjC,uBAAuB;QACvB,oBAAoB;QACpB,gEAAgE;QAChE,uDAAuD;QACvD,uDAAuD;QACvD,oBAAoB;QACpB,oBAAoB;QACpB,kBAAkB;QAClB,qBAAqB;QACrB,kBAAkB;QAClB,mBAAmB;QACnB,uBAAuB;QACvB,sBAAsB;QACtB,2BAA2B;QAC3B,wBAAwB,EAAE,mBAAmB;QAC7C,qBAAqB,EAAE,mCAAmC;QAC1D,gBAAgB;QAChB,qBAAqB;QACrB,gBAAgB,EAAE,sBAAsB;QACxC,iBAAiB;QACjB,mBAAmB;QAEnB,4DAA4D;QAC5D,iEAAiE;QACjE,mBAAmB;QACnB,yBAAyB;QACzB,oBAAoB;QACpB,0BAA0B;QAE1B,oBAAoB;QACpB,6BAA6B;QAC7B,sBAAsB;QACtB,gBAAgB;QAChB,2BAA2B,EAAE,qBAAqB;KACrD;IAED,CAAC,qCAAiB,CAAC,KAAK,CAAC,EAAE;QACvB,6BAA6B;QAC7B,gBAAgB;QAChB,gBAAgB,EAAE,cAAc;QAChC,gBAAgB;QAChB,kBAAkB,EAAE,iBAAiB;QACrC,cAAc,EAAE,aAAa;QAC7B,gBAAgB,EAAE,2CAA2C;QAC7D,mBAAmB,EAAE,mBAAmB;QACxC,uBAAuB,E
AAE,kCAAkC;QAC3D,oBAAoB,EAAE,yBAAyB;QAC/C,sBAAsB,EAAE,yBAAyB;QACjD,4BAA4B;QAC5B,4BAA4B;QAE5B,8DAA8D;QAC9D,6DAA6D;QAC7D,8DAA8D;QAC9D,+DAA+D;QAC/D,qEAAqE;QACrE,0DAA0D;QAC1D,6DAA6D;QAC7D,kCAAkC;QAClC,cAAc;QACd,mBAAmB;QACnB,uBAAuB;QACvB,yCAAyC;QACzC,qBAAqB;QACrB,kBAAkB;QAElB,qDAAqD;QACrD,yDAAyD;QACzD,8DAA8D;QAC9D,2DAA2D;QAC3D,+DAA+D;QAC/D,yDAAyD;QACzD,2DAA2D;QAC3D,wDAAwD;QACxD,4DAA4D;QAC5D,6DAA6D;QAC7D,qCAAqC;QACrC,4BAA4B;KAC/B;CACK,CAAC;AAEX;;GAEG;AACH,MAAM,cAAc,GAAG;IACnB,qCAAiB,CAAC,MAAM;IACxB,qCAAiB,CAAC,kBAAkB;IACpC,qCAAiB,CAAC,MAAM;IACxB,qCAAiB,CAAC,SAAS;IAC3B,qCAAiB,CAAC,KAAK;CACjB,CAAC;AAEX;;;GAGG;AACU,QAAA,0BAA0B,GACnC,CAAC,GAAG,EAAE;IACF,MAAM,MAAM,GAAG,EAAyC,CAAC;IAEzD,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAE1C,wCAAwC;QACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YACtC,gBAAgB,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAC5C,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAC7B,CAAC;QACN,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC,CAAC,EAAE,CAAC;AAET;;GAEG;AACI,MAAM,mBAAmB,GAAG,CAAC,IAAuB,EAAY,EAAE,CAAC;IACtE,GAAG,kCAA0B,CAAC,IAAI,CAAC;CACtC,CAAC;AAFW,QAAA,mBAAmB,uBAE9B;AAEF;;GAEG;AACI,MAAM,6BAA6B,GAAG,CACzC,IAAuB,EACf,EAAE;IACV,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;QAC7B,kBAAkB;QAClB,oBAAoB;QACpB,2BAA2B;QAC3B,6BAA6B;QAC7B,cAAc;QACd,oBAAoB;QACpB,sBAAsB;QACtB,gBAAgB;QAChB,sBAAsB;QACtB,sBAAsB;QACtB,cAAc;QACd,gBAAgB;QAChB,sBAAsB;QACtB,gBAAgB;QAChB,mBAAmB;QACnB,qBAAqB;QACrB,4BAA4B;QAC5B,uBAAuB;KAC1B,CAAC,CAAC;IAEH,OAAO,kCAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,CAC1C,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAC1C,CAAC;AACN,CAAC,CAAC;AA3BW,QAAA,6BAA6B,iCA2BxC;AAEK,MAAM,cAAc,GAAG,GAAqB,EAAE,CACjD,cAAc,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1B,QAAQ,EAAE,IAAI;IACd,IAAI,EAAE,2CAAuB,CAAC,IAAI,CAAC;IACnC,WAAW,EAAE,2CAAuB,CAAC,IAAI
,CAAC;IAC1C,SAAS,EAAE,QAAQ;IACnB,MAAM,EAAE,IAAA,2BAAmB,EAAC,IAAI,CAAC;IACjC,gBAAgB,EAAE,IAAI;IACtB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,IAAI;CAClB,CAAC,CAAC,CAAC;AAXK,QAAA,cAAc,kBAWnB;AAED,MAAM,YAAY,GAAG,CAAC,QAAgB,EAAiC,EAAE,CAC5E,cAAc,CAAC,QAAQ,CAAC,QAA6B,CAAC,CAAC;AAD9C,QAAA,YAAY,gBACkC"}
|
|
@@ -1,73 +1,38 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
const tslib_1 = require("tslib");
|
|
4
3
|
/* eslint-disable no-console */
|
|
5
4
|
const ability_1 = require("@casl/ability");
|
|
6
|
-
const groupBy_1 = tslib_1.__importDefault(require("lodash/groupBy"));
|
|
7
|
-
const isEqual_1 = tslib_1.__importDefault(require("lodash/isEqual"));
|
|
8
5
|
const projectMemberRole_1 = require("../types/projectMemberRole");
|
|
6
|
+
const organizationMemberAbility_1 = require("./organizationMemberAbility");
|
|
7
|
+
const organizationMemberAbility_mock_1 = require("./organizationMemberAbility.mock");
|
|
9
8
|
const projectMemberAbility_1 = require("./projectMemberAbility");
|
|
10
9
|
const projectMemberAbility_mock_1 = require("./projectMemberAbility.mock");
|
|
11
10
|
const roleToScopeMapping_1 = require("./roleToScopeMapping");
|
|
12
11
|
const scopeAbilityBuilder_1 = require("./scopeAbilityBuilder");
|
|
12
|
+
const scopes_1 = require("./scopes");
|
|
13
13
|
/**
|
|
14
|
-
*
|
|
14
|
+
* Coverage check: every `${action}:${subject}` key that the role-based
|
|
15
|
+
* ability emits must also appear in the scope-based ability. Extras on
|
|
16
|
+
* the scope side are allowed — they represent granular toggles that
|
|
17
|
+
* either subsume into a broader role grant (e.g. `manage:Job` covers
|
|
18
|
+
* `create:Job` + `view:Job`) or unlock org-level abilities the project
|
|
19
|
+
* role doesn't carry. Those extras are validated by the separate
|
|
20
|
+
* scope-vocabulary coverage test.
|
|
21
|
+
*
|
|
22
|
+
* Why not strict equivalence: role-based and scope-based deliberately
|
|
23
|
+
* emit different *condition shapes* for the same action+subject (CASL
|
|
24
|
+
* inheritance, `userUuid` filters, etc.). Comparing rule counts or
|
|
25
|
+
* conditions exactly is brittle and tests architectural detail rather
|
|
26
|
+
* than the property we care about — "no role-granted ability is
|
|
27
|
+
* unreachable through scopes."
|
|
15
28
|
*/
|
|
16
|
-
const
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
/**
|
|
21
|
-
* Compare two sets of CASL rules for functional equivalence
|
|
22
|
-
*/
|
|
23
|
-
const compareRuleSets = (roleBasedRules, scopeBasedRules, roleName) => {
|
|
24
|
-
const normalizedRoleRules = roleBasedRules.map(normalizeRule);
|
|
25
|
-
const normalizedScopeRules = scopeBasedRules.map(normalizeRule);
|
|
26
|
-
const mismatches = [];
|
|
27
|
-
// Check if rule counts match
|
|
28
|
-
if (normalizedRoleRules.length !== normalizedScopeRules.length) {
|
|
29
|
-
mismatches.push(`Rule count mismatch: role-based has ${normalizedRoleRules.length} rules, scope-based has ${normalizedScopeRules.length} rules`);
|
|
30
|
-
}
|
|
31
|
-
// Group rules by action+subject for easier comparison
|
|
32
|
-
const roleRulesGrouped = (0, groupBy_1.default)(normalizedRoleRules, (rule) => `${rule.action}:${rule.subject}`);
|
|
33
|
-
const scopeRulesGrouped = (0, groupBy_1.default)(normalizedScopeRules, (rule) => `${rule.action}:${rule.subject}`);
|
|
34
|
-
// Check for missing or extra rule types
|
|
35
|
-
const roleKeys = new Set(Object.keys(roleRulesGrouped));
|
|
36
|
-
const scopeKeys = new Set(Object.keys(scopeRulesGrouped));
|
|
37
|
-
const missingInScope = [...roleKeys].filter((key) => !scopeKeys.has(key));
|
|
38
|
-
const extraInScope = [...scopeKeys].filter((key) => !roleKeys.has(key));
|
|
39
|
-
missingInScope.forEach((key) => {
|
|
40
|
-
mismatches.push(`Missing in scope-based: ${key}`);
|
|
41
|
-
});
|
|
42
|
-
extraInScope.forEach((key) => {
|
|
43
|
-
mismatches.push(`Extra in scope-based: ${key}`);
|
|
44
|
-
});
|
|
45
|
-
// Compare matching rule groups
|
|
46
|
-
const commonKeys = [...roleKeys].filter((key) => scopeKeys.has(key));
|
|
47
|
-
commonKeys.forEach((key) => {
|
|
48
|
-
const roleRulesForKey = roleRulesGrouped[key];
|
|
49
|
-
const scopeRulesForKey = scopeRulesGrouped[key];
|
|
50
|
-
// For rules with the same action+subject, we need to check if the conditions are equivalent
|
|
51
|
-
// This is more complex because multiple rules might combine to create the same effective permissions
|
|
52
|
-
if (roleRulesForKey.length !== scopeRulesForKey.length) {
|
|
53
|
-
// Different number of rules for same action+subject - this might be OK if conditions are equivalent
|
|
54
|
-
// For now, we'll flag this as a potential issue but continue checking
|
|
55
|
-
mismatches.push(`Different rule count for ${key}: role-based has ${roleRulesForKey.length}, scope-based has ${scopeRulesForKey.length}`);
|
|
56
|
-
}
|
|
57
|
-
// Check if rule sets contain equivalent conditions
|
|
58
|
-
const roleConditions = roleRulesForKey
|
|
59
|
-
.map((r) => r.conditions)
|
|
60
|
-
.filter(Boolean);
|
|
61
|
-
const scopeConditions = scopeRulesForKey
|
|
62
|
-
.map((r) => r.conditions)
|
|
63
|
-
.filter(Boolean);
|
|
64
|
-
if (!(0, isEqual_1.default)(roleConditions, scopeConditions)) {
|
|
65
|
-
mismatches.push(`Condition mismatch on ${roleName} for ${key}:\nRole-based: ${JSON.stringify(roleConditions, null, 2)}\nScope-based: ${JSON.stringify(scopeConditions, null, 2)}`);
|
|
66
|
-
}
|
|
67
|
-
});
|
|
29
|
+
const checkRoleCoveredByScopes = (roleBasedRules, scopeBasedRules, roleName) => {
|
|
30
|
+
const roleKeys = new Set(roleBasedRules.map((r) => `${r.action}:${r.subject}`));
|
|
31
|
+
const scopeKeys = new Set(scopeBasedRules.map((r) => `${r.action}:${r.subject}`));
|
|
32
|
+
const missingInScope = [...roleKeys].filter((k) => !scopeKeys.has(k));
|
|
68
33
|
return {
|
|
69
|
-
isEqual:
|
|
70
|
-
mismatches,
|
|
34
|
+
isEqual: missingInScope.length === 0,
|
|
35
|
+
mismatches: missingInScope.map((k) => `Role ${roleName} grants "${k}" but no scope in BASE_ROLE_SCOPES emits a rule for it`),
|
|
71
36
|
};
|
|
72
37
|
};
|
|
73
38
|
/**
|
|
@@ -80,6 +45,12 @@ const ENTERPRISE_SUBJECTS = new Set([
|
|
|
80
45
|
'AiAgentThread',
|
|
81
46
|
'ContentAsCode',
|
|
82
47
|
'PreAggregation',
|
|
48
|
+
// The matching scopes (`view:` + `manage:OrganizationWarehouseCredentials`)
|
|
49
|
+
// are `isEnterprise: true` in scopes.ts, so the scope-build path
|
|
50
|
+
// strips them in non-enterprise mode. Mirror that filter on the
|
|
51
|
+
// role-based side so non-enterprise parity stays clean — at runtime
|
|
52
|
+
// the feature is gated by license anyway.
|
|
53
|
+
'OrganizationWarehouseCredentials',
|
|
83
54
|
]);
|
|
84
55
|
/**
|
|
85
56
|
* Filter enterprise rules from role-based abilities when testing in non-enterprise mode
|
|
@@ -91,37 +62,118 @@ const filterEnterpriseRules = (rules, isEnterprise) => {
|
|
|
91
62
|
return rules.filter((rule) => !ENTERPRISE_SUBJECTS.has(rule.subject));
|
|
92
63
|
};
|
|
93
64
|
/**
|
|
94
|
-
*
|
|
65
|
+
* `${action}:${subject}` pairs that we expect on the **scope-built** side
|
|
66
|
+
* but NOT on the **project-role-built** side, when comparing project
|
|
67
|
+
* parity. Two reasons something lands here:
|
|
68
|
+
*
|
|
69
|
+
* 1. **Org-only subject** — the subject never appears in any project
|
|
70
|
+
* ability (e.g. `manage:OrganizationMemberProfile`,
|
|
71
|
+
* `manage:Group`, `impersonate:User`). The scope-built rule for
|
|
72
|
+
* these in project context is dead-on-arrival (`{ projectUuid }`
|
|
73
|
+
* conditions never match `{ organizationUuid }`-keyed subjects),
|
|
74
|
+
* but we keep the toggle in `BASE_ROLE_SCOPES` so admin custom
|
|
75
|
+
* roles surface it at org-level assignment. See
|
|
76
|
+
* `docs/authentication-and-roles.md`.
|
|
77
|
+
*
|
|
78
|
+
* 2. **Granular action of a subject covered by `manage:X` at project
|
|
79
|
+
* level** — e.g. project ability grants `manage:Job` (which CASL
|
|
80
|
+
* expands to cover `create`/`view`/`update`/`delete`), while the
|
|
81
|
+
* scope vocabulary lists `create:Job` and `view:Job@self` as
|
|
82
|
+
* separate scopes. The scope-built rules are benign extras — at
|
|
83
|
+
* runtime they're subsumed by the broader `manage:Job` already
|
|
84
|
+
* in role-based.
|
|
85
|
+
*
|
|
86
|
+
* Subjects with `*` mean "all actions on this subject," used for
|
|
87
|
+
* org-only subjects (case 1).
|
|
88
|
+
*/
|
|
89
|
+
const PROJECT_PARITY_IGNORE = new Set([
|
|
90
|
+
// Case 1: org-only subjects.
|
|
91
|
+
'*:OrganizationMemberProfile',
|
|
92
|
+
'*:Organization',
|
|
93
|
+
'*:Group',
|
|
94
|
+
'*:InviteLink',
|
|
95
|
+
'*:GitIntegration',
|
|
96
|
+
'*:OrganizationWarehouseCredentials',
|
|
97
|
+
'*:User', // impersonate:User
|
|
98
|
+
// Case 2: granular actions subsumed by project's broader `manage:X`.
|
|
99
|
+
'create:Job',
|
|
100
|
+
'view:Job',
|
|
101
|
+
'manage:SemanticViewer', // broad org-only; @space variant is project
|
|
102
|
+
'create:VirtualView',
|
|
103
|
+
'delete:VirtualView',
|
|
104
|
+
'promote:Dashboard',
|
|
105
|
+
'promote:SavedChart',
|
|
106
|
+
'promote:Dashboard@space',
|
|
107
|
+
'promote:SavedChart@space',
|
|
108
|
+
]);
|
|
109
|
+
const isProjectParityIgnored = (rule) => {
|
|
110
|
+
const key = `${rule.action}:${rule.subject}`;
|
|
111
|
+
return (PROJECT_PARITY_IGNORE.has(key) ||
|
|
112
|
+
PROJECT_PARITY_IGNORE.has(`*:${rule.subject}`));
|
|
113
|
+
};
|
|
114
|
+
/**
|
|
115
|
+
* Test project-context parity for a role.
|
|
116
|
+
*
|
|
117
|
+
* Compares `projectMemberAbilities[role]` against
|
|
118
|
+
* `buildAbilityFromScopes(scopes, { projectUuid })`. Org-only subjects
|
|
119
|
+
* are filtered out of the scope-built side because their rules at
|
|
120
|
+
* project context are dead-on-arrival (`{ projectUuid }` conditions
|
|
121
|
+
* never match `{ organizationUuid }`-keyed subjects) — the role-builder
|
|
122
|
+
* UI still surfaces them for org-level assignment, but project parity
|
|
123
|
+
* shouldn't fail on them.
|
|
95
124
|
*/
|
|
96
|
-
const
|
|
97
|
-
|
|
98
|
-
const memberProfiles = {
|
|
125
|
+
const testProjectRoleScopeParity = (role, isEnterprise = false) => {
|
|
126
|
+
const member = {
|
|
99
127
|
[projectMemberRole_1.ProjectMemberRole.VIEWER]: projectMemberAbility_mock_1.PROJECT_VIEWER,
|
|
100
128
|
[projectMemberRole_1.ProjectMemberRole.INTERACTIVE_VIEWER]: projectMemberAbility_mock_1.PROJECT_INTERACTIVE_VIEWER,
|
|
101
129
|
[projectMemberRole_1.ProjectMemberRole.EDITOR]: projectMemberAbility_mock_1.PROJECT_EDITOR,
|
|
102
130
|
[projectMemberRole_1.ProjectMemberRole.DEVELOPER]: projectMemberAbility_mock_1.PROJECT_DEVELOPER,
|
|
103
131
|
[projectMemberRole_1.ProjectMemberRole.ADMIN]: projectMemberAbility_mock_1.PROJECT_ADMIN,
|
|
104
|
-
};
|
|
105
|
-
const member = memberProfiles[role];
|
|
106
|
-
// Build abilities using role-based approach
|
|
132
|
+
}[role];
|
|
107
133
|
const roleBuilder = new ability_1.AbilityBuilder(ability_1.Ability);
|
|
108
134
|
projectMemberAbility_1.projectMemberAbilities[role](member, roleBuilder);
|
|
109
|
-
const
|
|
110
|
-
// Filter enterprise rules from role-based abilities if not enterprise
|
|
111
|
-
const filteredRoleRules = filterEnterpriseRules(roleAbility.rules, isEnterprise);
|
|
112
|
-
// Build abilities using scope-based approach
|
|
135
|
+
const filteredRoleRules = filterEnterpriseRules(roleBuilder.build().rules, isEnterprise);
|
|
113
136
|
const scopeBuilder = new ability_1.AbilityBuilder(ability_1.Ability);
|
|
114
|
-
const scopes = (0, roleToScopeMapping_1.getAllScopesForRole)(role);
|
|
115
137
|
(0, scopeAbilityBuilder_1.buildAbilityFromScopes)({
|
|
116
138
|
userUuid: member.userUuid,
|
|
117
139
|
projectUuid: member.projectUuid,
|
|
118
|
-
scopes,
|
|
140
|
+
scopes: (0, roleToScopeMapping_1.getAllScopesForRole)(role),
|
|
141
|
+
isEnterprise,
|
|
142
|
+
}, scopeBuilder);
|
|
143
|
+
const scopeRules = scopeBuilder.build().rules.filter((r) => !isProjectParityIgnored(r));
|
|
144
|
+
return checkRoleCoveredByScopes(filteredRoleRules, scopeRules, `${role} (project)`);
|
|
145
|
+
};
|
|
146
|
+
/**
|
|
147
|
+
* Test org-context parity for a role.
|
|
148
|
+
*
|
|
149
|
+
* Compares `applyOrganizationMemberStaticAbilities[role]` against
|
|
150
|
+
* `buildAbilityFromScopes(scopes, { organizationUuid })`. This is the
|
|
151
|
+
* second leg the project-only test never had — it catches drift on
|
|
152
|
+
* org-management scopes (which is what let `manage:Group`,
|
|
153
|
+
* `manage:InviteLink`, etc. silently fall out of the scope vocabulary
|
|
154
|
+
* before this PR).
|
|
155
|
+
*/
|
|
156
|
+
const testOrgRoleScopeParity = (role, isEnterprise = false) => {
|
|
157
|
+
const member = {
|
|
158
|
+
[projectMemberRole_1.ProjectMemberRole.VIEWER]: organizationMemberAbility_mock_1.ORGANIZATION_VIEWER,
|
|
159
|
+
[projectMemberRole_1.ProjectMemberRole.INTERACTIVE_VIEWER]: organizationMemberAbility_mock_1.ORGANIZATION_INTERACTIVE_VIEWER,
|
|
160
|
+
[projectMemberRole_1.ProjectMemberRole.EDITOR]: organizationMemberAbility_mock_1.ORGANIZATION_EDITOR,
|
|
161
|
+
[projectMemberRole_1.ProjectMemberRole.DEVELOPER]: organizationMemberAbility_mock_1.ORGANIZATION_DEVELOPER,
|
|
162
|
+
[projectMemberRole_1.ProjectMemberRole.ADMIN]: organizationMemberAbility_mock_1.ORGANIZATION_ADMIN,
|
|
163
|
+
}[role];
|
|
164
|
+
const orgRole = role;
|
|
165
|
+
const roleBuilder = new ability_1.AbilityBuilder(ability_1.Ability);
|
|
166
|
+
organizationMemberAbility_1.applyOrganizationMemberStaticAbilities[orgRole](member, roleBuilder);
|
|
167
|
+
const filteredRoleRules = filterEnterpriseRules(roleBuilder.build().rules, isEnterprise);
|
|
168
|
+
const scopeBuilder = new ability_1.AbilityBuilder(ability_1.Ability);
|
|
169
|
+
(0, scopeAbilityBuilder_1.buildAbilityFromScopes)({
|
|
170
|
+
userUuid: member.userUuid,
|
|
171
|
+
organizationUuid: member.organizationUuid,
|
|
172
|
+
scopes: (0, roleToScopeMapping_1.getAllScopesForRole)(role),
|
|
119
173
|
isEnterprise,
|
|
120
174
|
}, scopeBuilder);
|
|
121
|
-
const
|
|
122
|
-
|
|
123
|
-
const result = compareRuleSets(filteredRoleRules, scopeAbility.rules, role);
|
|
124
|
-
return result;
|
|
175
|
+
const scopeRules = scopeBuilder.build().rules;
|
|
176
|
+
return checkRoleCoveredByScopes(filteredRoleRules, scopeRules, `${role} (org)`);
|
|
125
177
|
};
|
|
126
178
|
describe('Role to Scope Parity', () => {
|
|
127
179
|
const systemProjectRoles = [
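Review bot: `PROJECT_PARITY_IGNORE` is applied to the scope-built rules in `testProjectRoleScopeParity`, but `checkRoleCoveredByScopes` only reports role keys missing on the scope side, so filtering scope-side rules cannot suppress any mismatch, and the over-grant direction the ignore list's doc comment describes (a scope emitting an `action:subject` the role does not have) is never tested. The helper also compares `action:subject` keys only, so a scope-built rule with looser `conditions` or a different `inverted` flag than the role-built one passes, where the removed comparison checked conditions. If one-way coverage is intended, say so on the helper and in the `≡` test titles; otherwise add the reverse pass next to `missingInScope`, `const extraInScope = [...scopeKeys].filter((k) => !roleKeys.has(k));`, and report it in `mismatches` (the org-context test would then probably need its own ignore list). `checkRoleCoveredByScopes` sits in the preceding hunk, whose start is outside this view, so its doc comment may already state the intent.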
|
|
@@ -131,30 +183,50 @@ describe('Role to Scope Parity', () => {
|
|
|
131
183
|
projectMemberRole_1.ProjectMemberRole.DEVELOPER,
|
|
132
184
|
projectMemberRole_1.ProjectMemberRole.ADMIN,
|
|
133
185
|
];
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
186
|
+
const reportAndAssert = (label, comparison) => {
|
|
187
|
+
if (!comparison.isEqual) {
|
|
188
|
+
console.error(`\n=== ${label} ===`);
|
|
189
|
+
comparison.mismatches.forEach((m) => console.error(`❌ ${m}`));
|
|
190
|
+
console.error('=== END MISMATCH REPORT ===\n');
|
|
191
|
+
}
|
|
192
|
+
expect(comparison.isEqual).toBe(true);
|
|
193
|
+
};
|
|
194
|
+
describe('Project parity (Non-Enterprise)', () => {
|
|
195
|
+
it.each(systemProjectRoles)('project ability ≡ scope build (project context) for %s', (role) => reportAndAssert(`PROJECT PARITY MISMATCH FOR ${role.toUpperCase()}`, testProjectRoleScopeParity(role, false)));
|
|
196
|
+
});
|
|
197
|
+
describe('Project parity (Enterprise)', () => {
|
|
198
|
+
it.each(systemProjectRoles)('project ability ≡ scope build (project context) for %s [EE]', (role) => reportAndAssert(`ENTERPRISE PROJECT PARITY MISMATCH FOR ${role.toUpperCase()}`, testProjectRoleScopeParity(role, true)));
|
|
146
199
|
});
|
|
147
|
-
describe('Enterprise
|
|
148
|
-
it.each(systemProjectRoles)('
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
200
|
+
describe('Org parity (Non-Enterprise)', () => {
|
|
201
|
+
it.each(systemProjectRoles)('org ability ≡ scope build (org context) for %s', (role) => reportAndAssert(`ORG PARITY MISMATCH FOR ${role.toUpperCase()}`, testOrgRoleScopeParity(role, false)));
|
|
202
|
+
});
|
|
203
|
+
describe('Org parity (Enterprise)', () => {
|
|
204
|
+
it.each(systemProjectRoles)('org ability ≡ scope build (org context) for %s [EE]', (role) => reportAndAssert(`ENTERPRISE ORG PARITY MISMATCH FOR ${role.toUpperCase()}`, testOrgRoleScopeParity(role, true)));
|
|
205
|
+
});
|
|
206
|
+
// Coverage assertion. The parity tests above only catch drift on
|
|
207
|
+
// scopes that ARE in some role tier — they can't see scopes that
|
|
208
|
+
// exist in the vocabulary (`scopes.ts`) but appear in NO tier.
|
|
209
|
+
// Those would silently render as dead toggles in the role-builder
|
|
210
|
+
// UI. This test enforces that every scope in `scopes.ts` is in
|
|
211
|
+
// `BASE_ROLE_SCOPES` for at least one tier — closing the loop on
|
|
212
|
+
// "how did the misc orphans drift in the first place?".
|
|
213
|
+
describe('Scope vocabulary coverage', () => {
|
|
214
|
+
it('every scope in scopes.ts must appear in at least one role tier', () => {
|
|
215
|
+
const allScopeNames = new Set((0, scopes_1.getScopes)({ isEnterprise: true }).map((s) => s.name));
|
|
216
|
+
const tieredScopes = new Set();
|
|
217
|
+
systemProjectRoles.forEach((role) => {
|
|
218
|
+
(0, roleToScopeMapping_1.getAllScopesForRole)(role).forEach((s) => tieredScopes.add(s));
|
|
219
|
+
});
|
|
220
|
+
const missing = [...allScopeNames].filter((s) => !tieredScopes.has(s));
|
|
221
|
+
if (missing.length > 0) {
|
|
222
|
+
console.error('\n=== SCOPES NOT WIRED TO ANY ROLE TIER ===\n' +
|
|
223
|
+
'Each of these is in `scopes.ts` but in no role tier. ' +
|
|
224
|
+
'Add them to `BASE_ROLE_SCOPES[<tier>]` in ' +
|
|
225
|
+
'roleToScopeMapping.ts.\n');
|
|
226
|
+
missing.forEach((s) => console.error(`❌ ${s}`));
|
|
227
|
+
console.error('=== END ===\n');
|
|
156
228
|
}
|
|
157
|
-
expect(
|
|
229
|
+
expect(missing).toEqual([]);
|
|
158
230
|
});
|
|
159
231
|
});
|
|
160
232
|
// This is helpful for debugging, but it's not a test
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleToScopeParity.test.js","sourceRoot":"","sources":["../../../src/authorization/roleToScopeParity.test.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"roleToScopeParity.test.js","sourceRoot":"","sources":["../../../src/authorization/roleToScopeParity.test.ts"],"names":[],"mappings":";;AAAA,+BAA+B;AAC/B,2CAAwD;AAExD,kEAA+D;AAC/D,2EAAqF;AACrF,qFAM0C;AAC1C,iEAAgE;AAChE,2EAMqC;AACrC,6DAA2D;AAC3D,+DAA+D;AAC/D,qCAAqC;AAWrC;;;;;;;;;;;;;;;GAeG;AACH,MAAM,wBAAwB,GAAG,CAC7B,cAA0B,EAC1B,eAA2B,EAC3B,QAAgB,EAC0B,EAAE;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,CACpB,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACxD,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,GAAG,CACrB,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACzD,CAAC;IACF,MAAM,cAAc,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACtE,OAAO;QACH,OAAO,EAAE,cAAc,CAAC,MAAM,KAAK,CAAC;QACpC,UAAU,EAAE,cAAc,CAAC,GAAG,CAC1B,CAAC,CAAC,EAAE,EAAE,CACF,QAAQ,QAAQ,YAAY,CAAC,wDAAwD,CAC5F;KACJ,CAAC;AACN,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAChC,aAAa;IACb,sBAAsB;IACtB,SAAS;IACT,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,4EAA4E;IAC5E,iEAAiE;IACjE,gEAAgE;IAChE,oEAAoE;IACpE,0CAA0C;IAC1C,kCAAkC;CACrC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAC1B,KAAiB,EACjB,YAAqB,EACX,EAAE;IACZ,IAAI,YAAY,EAAE,CAAC;QACf,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AAC1E,CAAC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IAClC,6BAA6B;IAC7B,6BAA6B;IAC7B,gBAAgB;IAChB,SAAS;IACT,cAAc;IACd,kBAAkB;IAClB,oCAAoC;IACpC,QAAQ,EAAE,mBAAmB;IAE7B,qEAAqE;IACrE,YAAY;IACZ,UAAU;IACV,uBAAuB,EAAE,4CAA4C;IACrE,oBAAoB;IACpB,oBAAoB;IACpB,mBAAmB;IACnB,oBAAoB;IACpB,yBAAyB;IACzB,0BAA0B;CAC7B,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,CAAC,IAAc,EAAW,EAAE;IACvD,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IAC7C,OAAO,CACH,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAC9B,qBAAqB,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC,CACjD,CAAC;AACN,CAAC,CAAC;AAEF;
;;;;;;;;;GAUG;AACH,MAAM,0BAA0B,GAAG,CAC/B,IAAuB,EACvB,eAAwB,KAAK,EACa,EAAE;IAC5C,MAAM,MAAM,GAAG;QACX,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,0CAAc;QAC1C,CAAC,qCAAiB,CAAC,kBAAkB,CAAC,EAAE,sDAA0B;QAClE,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,0CAAc;QAC1C,CAAC,qCAAiB,CAAC,SAAS,CAAC,EAAE,6CAAiB;QAChD,CAAC,qCAAiB,CAAC,KAAK,CAAC,EAAE,yCAAa;KAC3C,CAAC,IAAI,CAAC,CAAC;IAER,MAAM,WAAW,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;IAC/D,6CAAsB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAClD,MAAM,iBAAiB,GAAG,qBAAqB,CAC3C,WAAW,CAAC,KAAK,EAAE,CAAC,KAAmB,EACvC,YAAY,CACf,CAAC;IAEF,MAAM,YAAY,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;IAChE,IAAA,4CAAsB,EAClB;QACI,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,MAAM,EAAE,IAAA,wCAAmB,EAAC,IAAI,CAAC;QACjC,YAAY;KACf,EACD,YAAY,CACf,CAAC;IACF,MAAM,UAAU,GAAI,YAAY,CAAC,KAAK,EAAE,CAAC,KAAoB,CAAC,MAAM,CAChE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CACpC,CAAC;IAEF,OAAO,wBAAwB,CAC3B,iBAAiB,EACjB,UAAU,EACV,GAAG,IAAI,YAAY,CACtB,CAAC;AACN,CAAC,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,sBAAsB,GAAG,CAC3B,IAAuB,EACvB,eAAwB,KAAK,EACa,EAAE;IAC5C,MAAM,MAAM,GAAG;QACX,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,oDAAmB;QAC/C,CAAC,qCAAiB,CAAC,kBAAkB,CAAC,EAAE,gEAA+B;QACvE,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,oDAAmB;QAC/C,CAAC,qCAAiB,CAAC,SAAS,CAAC,EAAE,uDAAsB;QACrD,CAAC,qCAAiB,CAAC,KAAK,CAAC,EAAE,mDAAkB;KAChD,CAAC,IAAI,CAAC,CAAC;IACR,MAAM,OAAO,GAAG,IAAyC,CAAC;IAE1D,MAAM,WAAW,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;IAC/D,kEAAsC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrE,MAAM,iBAAiB,GAAG,qBAAqB,CAC3C,WAAW,CAAC,KAAK,EAAE,CAAC,KAAmB,EACvC,YAAY,CACf,CAAC;IAEF,MAAM,YAAY,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;IAChE,IAAA,4CAAsB,EAClB;QACI,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,MAAM,EAAE,IAAA,wCAAmB,EAAC,IAAI,CAAC;QACjC,YAAY;KACf,EACD,YAAY,CACf,CAAC;IACF,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,KAAmB,CAAC;IAE5D,OAAO,wBAAwB,CAC3B,iBAAiB,EACjB,UAAU,EACV,GAAG,IAAI,QAAQ,CAClB,CAAC;AACN,CAAC,CAAC;AAEF,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IAClC,MAAM,kBAAkB,GAAG;QACvB,qCAAiB,C
AAC,MAAM;QACxB,qCAAiB,CAAC,kBAAkB;QACpC,qCAAiB,CAAC,MAAM;QACxB,qCAAiB,CAAC,SAAS;QAC3B,qCAAiB,CAAC,KAAK;KAC1B,CAAC;IAEF,MAAM,eAAe,GAAG,CACpB,KAAa,EACb,UAAsD,EACxD,EAAE;QACA,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC;YACpC,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9D,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QACD,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC7C,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CACvB,wDAAwD,EACxD,CAAC,IAAI,EAAE,EAAE,CACL,eAAe,CACX,+BAA+B,IAAI,CAAC,WAAW,EAAE,EAAE,EACnD,0BAA0B,CAAC,IAAI,EAAE,KAAK,CAAC,CAC1C,CACR,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CACvB,6DAA6D,EAC7D,CAAC,IAAI,EAAE,EAAE,CACL,eAAe,CACX,0CAA0C,IAAI,CAAC,WAAW,EAAE,EAAE,EAC9D,0BAA0B,CAAC,IAAI,EAAE,IAAI,CAAC,CACzC,CACR,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CACvB,gDAAgD,EAChD,CAAC,IAAI,EAAE,EAAE,CACL,eAAe,CACX,2BAA2B,IAAI,CAAC,WAAW,EAAE,EAAE,EAC/C,sBAAsB,CAAC,IAAI,EAAE,KAAK,CAAC,CACtC,CACR,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CACvB,qDAAqD,EACrD,CAAC,IAAI,EAAE,EAAE,CACL,eAAe,CACX,sCAAsC,IAAI,CAAC,WAAW,EAAE,EAAE,EAC1D,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CACrC,CACR,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,iEAAiE;IACjE,iEAAiE;IACjE,+DAA+D;IAC/D,kEAAkE;IAClE,+DAA+D;IAC/D,iEAAiE;IACjE,wDAAwD;IACxD,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;YACtE,MAAM,aAAa,GAAG,IAAI,GAAG,CACzB,IAAA,kBAAS,EAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CACvD,CAAC;YACF,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;YACvC,kBAAkB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAChC,IAAA,wCAAmB,EAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAClE,CAAC,CAAC,CAAC;YAEH,MAAM,OAA
O,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAC9B,CAAC;YAEF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,OAAO,CAAC,KAAK,CACT,+CAA+C;oBAC3C,uDAAuD;oBACvD,4CAA4C;oBAC5C,0BAA0B,CACjC,CAAC;gBACF,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;gBAChD,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACnC,CAAC;YAED,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,qDAAqD;IACrD,QAAQ,CAAC,IAAI,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACnD,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YAErD,kBAAkB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,MAAM,GAAG;oBACX,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,0CAAc;oBAC1C,CAAC,qCAAiB,CAAC,kBAAkB,CAAC,EAClC,sDAA0B;oBAC9B,CAAC,qCAAiB,CAAC,MAAM,CAAC,EAAE,0CAAc;oBAC1C,CAAC,qCAAiB,CAAC,SAAS,CAAC,EAAE,6CAAiB;oBAChD,CAAC,qCAAiB,CAAC,KAAK,CAAC,EAAE,yCAAa;iBAC3C,CAAC,IAAI,CAAC,CAAC;gBAER,yBAAyB;gBACzB,MAAM,WAAW,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;gBAC/D,6CAAsB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;gBAClD,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;gBAEvD,0BAA0B;gBAC1B,MAAM,YAAY,GAAG,IAAI,wBAAc,CAAgB,iBAAO,CAAC,CAAC;gBAChE,MAAM,MAAM,GAAG,IAAA,wCAAmB,EAAC,IAAI,CAAC,CAAC;gBACzC,IAAA,4CAAsB,EAClB;oBACI,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,MAAM;oBACN,YAAY,EAAE,KAAK;iBACtB,EACD,YAAY,CACf,CAAC;gBACF,MAAM,cAAc,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;gBAEzD,OAAO,CAAC,GAAG,CACP,GAAG,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,iBAAiB,aAAa;qBAC3C,QAAQ,EAAE;qBACV,QAAQ,CAAC,CAAC,CAAC,kBAAkB,cAAc;qBAC3C,QAAQ,EAAE;qBACV,QAAQ,CAAC,CAAC,CAAC,aAAa,MAAM,CAAC,MAAM;qBACrC,QAAQ,EAAE;qBACV,QAAQ,CAAC,CAAC,CAAC,EAAE,CACrB,CAAC;YACN,CAAC,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scopes.d.ts","sourceRoot":"","sources":["../../../src/authorization/scopes.ts"],"names":[],"mappings":"AAEA,OAAO,EAEH,KAAK,KAAK,EAEV,KAAK,SAAS,EACjB,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"scopes.d.ts","sourceRoot":"","sources":["../../../src/authorization/scopes.ts"],"names":[],"mappings":"AAEA,OAAO,EAEH,KAAK,KAAK,EAEV,KAAK,SAAS,EACjB,MAAM,iBAAiB,CAAC;AAuwBzB,eAAO,MAAM,SAAS,GAAI;;CAA6B,KAAG,KAAK,EACX,CAAC;AAErD,eAAO,MAAM,cAAc,GAAI;;CAA6B,KAAG,MAAM,CACjE,SAAS,EACT,KAAK,CAQJ,CAAC"}
|
|
@@ -454,6 +454,13 @@ const scopes = [
|
|
|
454
454
|
group: scopes_1.ScopeGroup.ORGANIZATION_MANAGEMENT,
|
|
455
455
|
getConditions: addDefaultUuidCondition,
|
|
456
456
|
},
|
|
457
|
+
{
|
|
458
|
+
name: 'view:OrganizationWarehouseCredentials',
|
|
459
|
+
description: 'View organization warehouse credentials',
|
|
460
|
+
isEnterprise: true,
|
|
461
|
+
group: scopes_1.ScopeGroup.ORGANIZATION_MANAGEMENT,
|
|
462
|
+
getConditions: addDefaultUuidCondition,
|
|
463
|
+
},
|
|
457
464
|
{
|
|
458
465
|
name: 'manage:OrganizationWarehouseCredentials',
|
|
459
466
|
description: 'Manage organization warehouse credentials',
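Review bot: The new `view:OrganizationWarehouseCredentials` entry is described only as `'View organization warehouse credentials'`, which does not say whether the scope exposes secret fields or only credential metadata. That distinction matters to whoever grants it, since the description is presumably what the role-builder UI shows. The code that checks this scope is not in the hunk, so I can't tell which it is. I would state it next to the entry, for example `// view: returns <metadata only | secret fields>; confirm against the service that enforces this scope`, and make `description` match. The `scopes` array starts and ends outside the hunk.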
|
|
@@ -599,28 +606,6 @@ const scopes = [
|
|
|
599
606
|
group: scopes_1.ScopeGroup.DATA,
|
|
600
607
|
getConditions: addDefaultUuidCondition,
|
|
601
608
|
},
|
|
602
|
-
// Sharing Scopes
|
|
603
|
-
{
|
|
604
|
-
name: 'export:DashboardCsv',
|
|
605
|
-
description: 'Can export dashboards and charts to CSV',
|
|
606
|
-
isEnterprise: false,
|
|
607
|
-
group: scopes_1.ScopeGroup.SHARING,
|
|
608
|
-
getConditions: () => [],
|
|
609
|
-
},
|
|
610
|
-
{
|
|
611
|
-
name: 'export:DashboardImage',
|
|
612
|
-
description: 'Can export dashboards and charts to images',
|
|
613
|
-
isEnterprise: false,
|
|
614
|
-
group: scopes_1.ScopeGroup.SHARING,
|
|
615
|
-
getConditions: () => [],
|
|
616
|
-
},
|
|
617
|
-
{
|
|
618
|
-
name: 'export:DashboardPdf',
|
|
619
|
-
description: 'Can export dashboards and charts to PDF',
|
|
620
|
-
isEnterprise: false,
|
|
621
|
-
group: scopes_1.ScopeGroup.SHARING,
|
|
622
|
-
getConditions: () => [],
|
|
623
|
-
},
|
|
624
609
|
// AI Agent
|
|
625
610
|
{
|
|
626
611
|
name: 'view:AiAgent',
|