@litusarchieve18/agricore-utils 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -506,7 +506,8 @@ declare function evaluateBaseAccess(resourcePath: string, session: {
506
506
  declare function assertTenantBoundary(db: any, requesterCompanyId: string, targets: {
507
507
  targetUserId?: string;
508
508
  authScopeId?: string;
509
+ expectedScopeType?: 'company' | 'legalEntity' | 'facility';
509
510
  }): Promise<boolean>;
510
- declare function resolveEffectiveAccess(base: AccessLevelType, override?: AccessLevelType): AccessLevelType;
511
+ declare function resolveEffectiveAccess(base: AccessLevelType, override?: AccessLevelType | null): AccessLevelType;
511
512
 
512
513
  export { ACCESS_RANK, ACT, AccessLevel, type AccessLevelType, type AgriCoreSession, AgriLogger, AppError, ApprovalStatus, ApprovalType, AuditStatus, AuditType, type AuthScopeFields, type AvailableScope, CAT, type CompanyConfig, Converter, CropCycleStatus, ERROR_DICTIONARY, EmitterType, EnabledModule, ErrorFactory, FORM_REGISTRY, FacilityType, type FormMeta, HarvestMethod, type InfrastructureFields, LinkedStatus, MOD, MODULE_LABELS, MicroclimateZone, MimeType, type ModCode, NettingType, NotificationMode, OrderStatus, type PermissionLevel, PhysicalState, PlantingMethod, RESOURCE_PATHS, ROLE_SECTIONS_BY_KEY, RelationshipType, type ResolvedError, type ResourceOverrides, RowOrientation, SENTINEL_UUID, type ScopeType, SoilTexture, TASK_TYPE_REGISTRY, type TabConfig, TargetEntityType, TaskStatus, TaskType, type TaskTypeConfig, TransactionType, TrellisType, UserPrivilege, UserRole, type UserRoleType, Validator, VigorRating, WaterSource, assertCanWrite, assertTenantBoundary, buildRlsFilter, canRead, canWrite, evaluateBaseAccess, extractAppCode, generateCanonicalId, generateInfrastructureFields, getAcceptedMimeTypes, getApproveAction, getFormMeta, getFormsGroupedByModule, getTaskTypeOptions, handleAppErrorResponse, isTabVisible, isTabWritable, resolveAccess, resolveAppError, resolveEffectiveAccess, resolveError, resolveMenuVisibility, withAgriLogging };
package/dist/index.d.ts CHANGED
@@ -506,7 +506,8 @@ declare function evaluateBaseAccess(resourcePath: string, session: {
506
506
  declare function assertTenantBoundary(db: any, requesterCompanyId: string, targets: {
507
507
  targetUserId?: string;
508
508
  authScopeId?: string;
509
+ expectedScopeType?: 'company' | 'legalEntity' | 'facility';
509
510
  }): Promise<boolean>;
510
- declare function resolveEffectiveAccess(base: AccessLevelType, override?: AccessLevelType): AccessLevelType;
511
+ declare function resolveEffectiveAccess(base: AccessLevelType, override?: AccessLevelType | null): AccessLevelType;
511
512
 
512
513
  export { ACCESS_RANK, ACT, AccessLevel, type AccessLevelType, type AgriCoreSession, AgriLogger, AppError, ApprovalStatus, ApprovalType, AuditStatus, AuditType, type AuthScopeFields, type AvailableScope, CAT, type CompanyConfig, Converter, CropCycleStatus, ERROR_DICTIONARY, EmitterType, EnabledModule, ErrorFactory, FORM_REGISTRY, FacilityType, type FormMeta, HarvestMethod, type InfrastructureFields, LinkedStatus, MOD, MODULE_LABELS, MicroclimateZone, MimeType, type ModCode, NettingType, NotificationMode, OrderStatus, type PermissionLevel, PhysicalState, PlantingMethod, RESOURCE_PATHS, ROLE_SECTIONS_BY_KEY, RelationshipType, type ResolvedError, type ResourceOverrides, RowOrientation, SENTINEL_UUID, type ScopeType, SoilTexture, TASK_TYPE_REGISTRY, type TabConfig, TargetEntityType, TaskStatus, TaskType, type TaskTypeConfig, TransactionType, TrellisType, UserPrivilege, UserRole, type UserRoleType, Validator, VigorRating, WaterSource, assertCanWrite, assertTenantBoundary, buildRlsFilter, canRead, canWrite, evaluateBaseAccess, extractAppCode, generateCanonicalId, generateInfrastructureFields, getAcceptedMimeTypes, getApproveAction, getFormMeta, getFormsGroupedByModule, getTaskTypeOptions, handleAppErrorResponse, isTabVisible, isTabWritable, resolveAccess, resolveAppError, resolveEffectiveAccess, resolveError, resolveMenuVisibility, withAgriLogging };
package/dist/index.js CHANGED
@@ -887,23 +887,29 @@ async function assertTenantBoundary(db, requesterCompanyId, targets) {
887
887
  }
888
888
  }
889
889
  if (targets.authScopeId) {
890
- const [companyMatch, leMatch, facMatch] = await Promise.all([
891
- db.Company.filter({ canonicalId: targets.authScopeId, id: requesterCompanyId }),
892
- // Base44 id must match requester
893
- db.LegalEntity.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId }),
894
- db.Facility.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId })
895
- ]);
896
- const isValidScope = companyMatch.length > 0 || leMatch.length > 0 || facMatch.length > 0;
897
- if (!isValidScope) {
898
- console.error(`[SECURITY BREACH ATTEMPT] User tried to assign scope ${targets.authScopeId} outside company ${requesterCompanyId}`);
899
- throw ErrorFactory.forbidden(MOD.ADMIN, ACT.EDIT, "Invalid authorization scope or tenant boundary violation.");
890
+ let matchFound = false;
891
+ if (targets.expectedScopeType === "company" || !targets.expectedScopeType) {
892
+ const c = await db.Company.filter({ canonicalId: targets.authScopeId, id: requesterCompanyId });
893
+ if (c.length > 0) matchFound = true;
894
+ }
895
+ if (!matchFound && (targets.expectedScopeType === "legalEntity" || !targets.expectedScopeType)) {
896
+ const le = await db.LegalEntity.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId });
897
+ if (le.length > 0) matchFound = true;
898
+ }
899
+ if (!matchFound && (targets.expectedScopeType === "facility" || !targets.expectedScopeType)) {
900
+ const fac = await db.Facility.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId });
901
+ if (fac.length > 0) matchFound = true;
902
+ }
903
+ if (!matchFound) {
904
+ console.error(`[SECURITY BREACH/VALIDATION ERROR] Scope ${targets.authScopeId} not found for type ${targets.expectedScopeType} in company ${requesterCompanyId}`);
905
+ throw ErrorFactory.forbidden(MOD.ADMIN, ACT.EDIT, "Invalid authorization scope level or tenant boundary violation.");
900
906
  }
901
907
  }
902
908
  return true;
903
909
  }
904
910
  function resolveEffectiveAccess(base, override) {
905
- if (!override) return base;
906
- return ACCESS_RANK[override] >= ACCESS_RANK[base] ? override : base;
911
+ if (override === void 0 || override === null) return base;
912
+ return override;
907
913
  }
908
914
  // Annotate the CommonJS export names for ESM import in node:
909
915
  0 && (module.exports = {
package/dist/index.mjs CHANGED
@@ -793,23 +793,29 @@ async function assertTenantBoundary(db, requesterCompanyId, targets) {
793
793
  }
794
794
  }
795
795
  if (targets.authScopeId) {
796
- const [companyMatch, leMatch, facMatch] = await Promise.all([
797
- db.Company.filter({ canonicalId: targets.authScopeId, id: requesterCompanyId }),
798
- // Base44 id must match requester
799
- db.LegalEntity.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId }),
800
- db.Facility.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId })
801
- ]);
802
- const isValidScope = companyMatch.length > 0 || leMatch.length > 0 || facMatch.length > 0;
803
- if (!isValidScope) {
804
- console.error(`[SECURITY BREACH ATTEMPT] User tried to assign scope ${targets.authScopeId} outside company ${requesterCompanyId}`);
805
- throw ErrorFactory.forbidden(MOD.ADMIN, ACT.EDIT, "Invalid authorization scope or tenant boundary violation.");
796
+ let matchFound = false;
797
+ if (targets.expectedScopeType === "company" || !targets.expectedScopeType) {
798
+ const c = await db.Company.filter({ canonicalId: targets.authScopeId, id: requesterCompanyId });
799
+ if (c.length > 0) matchFound = true;
800
+ }
801
+ if (!matchFound && (targets.expectedScopeType === "legalEntity" || !targets.expectedScopeType)) {
802
+ const le = await db.LegalEntity.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId });
803
+ if (le.length > 0) matchFound = true;
804
+ }
805
+ if (!matchFound && (targets.expectedScopeType === "facility" || !targets.expectedScopeType)) {
806
+ const fac = await db.Facility.filter({ canonicalId: targets.authScopeId, companyId: requesterCompanyId });
807
+ if (fac.length > 0) matchFound = true;
808
+ }
809
+ if (!matchFound) {
810
+ console.error(`[SECURITY BREACH/VALIDATION ERROR] Scope ${targets.authScopeId} not found for type ${targets.expectedScopeType} in company ${requesterCompanyId}`);
811
+ throw ErrorFactory.forbidden(MOD.ADMIN, ACT.EDIT, "Invalid authorization scope level or tenant boundary violation.");
806
812
  }
807
813
  }
808
814
  return true;
809
815
  }
810
816
  function resolveEffectiveAccess(base, override) {
811
- if (!override) return base;
812
- return ACCESS_RANK[override] >= ACCESS_RANK[base] ? override : base;
817
+ if (override === void 0 || override === null) return base;
818
+ return override;
813
819
  }
814
820
  export {
815
821
  ACCESS_RANK,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@litusarchieve18/agricore-utils",
3
- "version": "1.0.5",
3
+ "version": "1.0.6",
4
4
  "description": "Canonical Backend Utility Library for AgriCore",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.mjs",