@nu-art/permissions-backend 0.400.5

package/_entity/permission-user/ModuleBE_PermissionUserDB.js

@@ -0,0 +1,222 @@
+import { MemKey_ServerApi, ModuleBE_BaseDB, Storm, } from '@nu-art/thunderstorm-backend';
+import { DBDef_PermissionUser } from '@nu-art/permissions-shared';
+import { _keys, ApiException, asOptionalArray, batchActionParallel, dbObjectToId, exists, filterDuplicates, filterInstances, filterKeys, flatArray, JwtTools, merge, Year } from '@nu-art/ts-common';
+import { ModuleBE_PermissionGroupDB } from '../permission-group/ModuleBE_PermissionGroupDB.js';
+import { MemKey_AccountId, ModuleBE_AccountDB, ModuleBE_SessionDB } from '@nu-art/user-account-backend';
+import { MemKey_UserPermissions } from '../../consts.js';
+import { dispatcher_collectServiceAccounts } from '@nu-art/thunderstorm-backend/modules/_tdb/service-accounts';
+export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
+    defaultPermissionGroups;
+    constructor() {
+        super(DBDef_PermissionUser);
+    }
+    __performProjectSetup() {
+        return {
+            priority: 4,
+            processor: async () => {
+                const accounts = await ModuleBE_AccountDB.query.where({});
+                const permissionsUser = await this.query.all(accounts.map(dbObjectToId));
+                const usersToUpsert = [];
+                const usersToDelete = [];
+                permissionsUser.forEach((user, index) => {
+                    if (exists(user)) {
+                        if (!exists(accounts.find(account => account._id === user._id)))
+                            usersToDelete.push(user);
+                        return;
+                    }
+                    usersToUpsert.push({
+                        _id: accounts[index]._id,
+                        groups: [],
+                    });
+                });
+                await this.set.all(usersToUpsert);
+                await this.delete.all(usersToDelete);
+                // This stage updates the rtdb's config- which is why it's last. Changing the rtdb's config kills the server.
+                const serviceAccounts = flatArray(dispatcher_collectServiceAccounts.dispatchModule());
+                await this.createSystemServiceAccount(serviceAccounts);
+            }
+        };
+    }
+    async __onUserLogin(account, transaction) {
+        await this.insertIfNotExist(account, transaction);
+    }
+    async __onNewUserRegistered(account, transaction) {
+        await this.insertIfNotExist(account, transaction);
+    }
+    // protected async canDeleteDocument(transaction: FirestoreTransaction, dbInstances: DB_PermissionUser[]) {
+    // 	const conflicts: DB_PermissionUser[] = [];
+    // 	const accounts = await ModuleBE_AccountDB.query.custom(_EmptyQuery);
+    //
+    // 	for (const item of dbInstances) {
+    // 		const account = accounts.find(acc => acc._id === item.accountId);
+    // 		if (account)
+    // 			conflicts.push(item);
+    // 	}
+    //
+    // 	if (conflicts.length)
+    // 		throw new ApiException<DB_EntityDependency<any>[]>(422, 'permission users are connected to accounts').setErrorBody({
+    // 			type: 'has-dependencies',
+    // 			body: conflicts.map(conflict => ({collectionKey: 'User', conflictingIds: [conflict._id]}))
+    // 		});
+    // }
+    async preWriteProcessing(instance, originalDbInstance, t) {
+        instance._auditorId = MemKey_AccountId.get();
+        instance.__groupIds = filterDuplicates(instance.groups.map(group => group.groupId) || []);
+        if (!instance.__groupIds.length)
+            return;
+        // Get all groups the user has from the collection
+        const dbGroups = filterInstances(await ModuleBE_PermissionGroupDB.query.all(instance.__groupIds, t));
+        // Verify all groups actually existing in the collection
+        if (instance.__groupIds.length !== dbGroups.length) {
+            const dbGroupIds = dbGroups.map(dbObjectToId);
+            throw new ApiException(422, `Trying to assign a user to a permission-group that does not exist: ${instance.__groupIds.filter(groupId => !dbGroupIds.includes(groupId))}`);
+        }
+        //todo check for duplications in data
+    }
+    async postWriteProcessing(data, actionType) {
+        const deleted = asOptionalArray(data.deleted) ?? [];
+        const updated = asOptionalArray(data.updated) ?? [];
+        const beforeIds = (asOptionalArray(data.before) ?? []).map(before => before?._id);
+        const accountIdToInvalidate = filterDuplicates(filterInstances([...deleted, ...updated].map(i => i?._id))).filter(id => beforeIds.includes(id));
+        await this.invalidateSession(accountIdToInvalidate);
+    }
+    insertIfNotExist = async (uiAccount, transaction) => {
+        const create = async (transaction) => {
+            const defaultPermissionGroups = ModuleBE_PermissionUserDB.defaultPermissionGroups ? await ModuleBE_PermissionUserDB.defaultPermissionGroups() : [];
+            const permissionGroups = ModuleBE_PermissionUserDB.defaultPermissionGroups
+                ? filterInstances(await ModuleBE_PermissionGroupDB.query.all(defaultPermissionGroups.map(item => item.groupId)))
+                : [];
+            this.logInfo(`Received ${defaultPermissionGroups.length} groups to assign, ${permissionGroups.length} of which exist`);
+            const permissionsUserToCreate = {
+                _id: uiAccount._id,
+                groups: permissionGroups.map(group => ({ groupId: group._id })),
+                _auditorId: MemKey_AccountId.get()
+            };
+            return ModuleBE_PermissionUserDB.create.item(permissionsUserToCreate, transaction);
+        };
+        return ModuleBE_PermissionUserDB.collection.uniqueGetOrCreate({ _id: uiAccount._id }, create, transaction);
+    };
+    async assignPermissions(body) {
+        if (!body.targetAccountIds.length)
+            throw new ApiException(400, `Asked to modify permissions but provided no users to modify permissions of.`);
+        const usersToGiveTo = filterInstances(await this.query.all(body.targetAccountIds));
+        // console.log('assignPermissions target accounts ');
+        // console.log(await this.query.custom(_EmptyQuery));
+        if (!usersToGiveTo.length || usersToGiveTo.length !== body.targetAccountIds.length) {
+            const dbUserIds = usersToGiveTo.map(dbObjectToId);
+            throw new ApiException(404, `Asked to give permissions to non-existent user accounts: ${body.targetAccountIds.filter(id => !dbUserIds.includes(id))}`);
+        }
+        const dbGroups = filterInstances(await ModuleBE_PermissionGroupDB.query.all(body.permissionGroupIds));
+        if (dbGroups.length !== body.permissionGroupIds.length) {
+            const dbGroupIds = dbGroups.map(dbObjectToId);
+            throw new ApiException(404, `Asked to give users non-existing permission groups: ${body.permissionGroupIds.filter(id => !dbGroupIds.includes(id))}`);
+        }
+        const myUserPermissions = MemKey_UserPermissions.get();
+        const permissionsToGive = dbGroups.reduce((map, group) => {
+            // Gather the highest permissions for each domain, from all groups
+            _keys(group._levelsMap || []).forEach(domainId => {
+                if (map[domainId] === undefined)
+                    map[domainId] = 0;
+                if (map[domainId] < group._levelsMap[domainId])
+                    map[domainId] = group._levelsMap[domainId];
+            });
+            return map;
+        }, {});
+        const failedDomains = _keys(permissionsToGive).filter(domainId => {
+            const tooLowPermission = myUserPermissions[domainId] < permissionsToGive[domainId];
+            this.logError(`${myUserPermissions[domainId]} < ${permissionsToGive[domainId]} === ${tooLowPermission}`);
+            const noPermissionInThisDomain = myUserPermissions[domainId] === undefined;
+            return noPermissionInThisDomain || tooLowPermission;
+        });
+        if (failedDomains.length)
+            throw new ApiException(403, `Attempted to give higher permissions than current user has: ${failedDomains}`);
+        const groupIds = dbGroups.map(group => ({ groupId: group._id }));
+        const usersToUpdate = usersToGiveTo.map(user => {
+            user.groups = groupIds;
+            return user;
+        });
+        await this.set.multi(usersToUpdate);
+    }
+    setDefaultPermissionGroups = (groupsGetter) => {
+        this.defaultPermissionGroups = groupsGetter;
+    };
+    clearDefaultPermissionGroups = () => {
+        delete this.defaultPermissionGroups;
+    };
+    /**
+     * The system requires to perform action, which in other cases can also be done by a human.
+     * This requires system features to identify as a bot user, or "Service Account"
+     *
+     * @param serviceAccounts - List of Accounts to create
+     * @private
+     */
+    async createSystemServiceAccount(serviceAccounts) {
+        this.logInfoBold('Creating Service Accounts: ', serviceAccounts);
+        // @ts-ignore
+        const tokenCreator = ModuleBE_AccountDB.token.create;
+        // @ts-ignore
+        const invalidateAccount = ModuleBE_AccountDB.token.invalidateAll;
+        const envConfigRef = Storm.getInstance().getGlobalEnvConfigRef();
+        const updatedConfig = {};
+        //Run over all service accounts
+        for (const serviceAccount of serviceAccounts) {
+            // Create account if it doesn't already exist
+            const accountsToRequest = filterKeys({
+                type: 'service',
+                email: serviceAccount.email,
+                description: serviceAccount.description
+            });
+            let account;
+            //Get or create service account
+            try {
+                account = await ModuleBE_AccountDB.impl.querySafeAccount({ email: serviceAccount.email });
+            }
+            catch (e) {
+                this.logInfo('NOTICE: querySafeAccount failed, creating accounts');
+                account = await ModuleBE_AccountDB.account.create(accountsToRequest);
+            }
+            // Assign permissions groups to service account
+            const permissionsUser = await ModuleBE_PermissionUserDB.query.uniqueAssert({ _id: account._id });
+            permissionsUser.groups = serviceAccount.groupIds?.map(groupId => ({ groupId })) || [];
+            await ModuleBE_PermissionUserDB.set.item(permissionsUser);
+            //Service accounts are only allowed to have one session... but this isn't the defined place to be a cop about it
+            const sessions = await ModuleBE_AccountDB.account.getSessions(account);
+            //If we have a valid session(not expired) we use its JWT instead of creating a new one
+            let validSession;
+            for (const session of sessions.sessions) {
+                if (await JwtTools.isJwtActive(session.sessionIdJwt)) {
+                    validSession = session;
+                    break;
+                }
+            }
+            this.logError(serviceAccount.ttl);
+            const token = validSession?.sessionIdJwt ? { token: validSession?.sessionIdJwt } : await tokenCreator({
+                accountId: account._id,
+                ttl: serviceAccount.ttl ?? Year
+            });
+            updatedConfig[serviceAccount.moduleName] = {
+                serviceAccount: filterKeys({
+                    token,
+                    description: serviceAccount.description,
+                    accountId: account._id,
+                    email: account.email
+                })
+            };
+        }
+        if (_keys(updatedConfig).length > 0)
+            MemKey_ServerApi.get().addPostCallAction(async () => {
+                const currentConfig = await envConfigRef.get({});
+                await envConfigRef.set(merge(currentConfig, updatedConfig));
+                this.logInfoBold('Created Service Accounts for', _keys(updatedConfig));
+            });
+    }
+    async invalidateSession(accountIds) {
+        if (!accountIds.length)
+            return;
+        const sessions = await batchActionParallel(accountIds, 10, async (ids) => await ModuleBE_SessionDB.query.custom({ where: { accountId: { $in: ids } } }));
+        await this.runTransaction(async (t) => {
+            await Promise.all(sessions.map(session => ModuleBE_SessionDB._session.invalidate.bySession(session, t)));
+        });
+    }
+}
+export const ModuleBE_PermissionUserDB = new ModuleBE_PermissionUserDB_Class();

package/_entity/permission-user/index.d.ts

@@ -0,0 +1,3 @@
+export * from './ModuleBE_PermissionUserDB.js';
+export * from './ModuleBE_PermissionUserAPI.js';
+export * from './module-pack.js';

package/_entity/permission-user/index.js

@@ -0,0 +1,3 @@
+export * from './ModuleBE_PermissionUserDB.js';
+export * from './ModuleBE_PermissionUserAPI.js';
+export * from './module-pack.js';

package/_entity/permission-user/module-pack.d.ts

@@ -0,0 +1,2 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_PermissionUser: Module[];

package/_entity/permission-user/module-pack.js

@@ -0,0 +1,3 @@
+import { ModuleBE_PermissionUserDB } from './ModuleBE_PermissionUserDB.js';
+import { ModuleBE_PermissionUserAPI } from './ModuleBE_PermissionUserAPI.js';
+export const ModulePackBE_PermissionUser = [ModuleBE_PermissionUserDB, ModuleBE_PermissionUserAPI];

package/_entity.d.ts

@@ -0,0 +1,12 @@
+export * from './_entity/permission-access-level/index.js';
+export * from './_entity/permission-access-level/index.js';
+export * from './_entity/permission-api/index.js';
+export * from './_entity/permission-api/index.js';
+export * from './_entity/permission-project/index.js';
+export * from './_entity/permission-project/index.js';
+export * from './_entity/permission-domain/index.js';
+export * from './_entity/permission-domain/index.js';
+export * from './_entity/permission-group/index.js';
+export * from './_entity/permission-group/index.js';
+export * from './_entity/permission-user/index.js';
+export * from './_entity/permission-user/index.js';

package/_entity.js

@@ -0,0 +1,18 @@
+//Access Level
+export * from './_entity/permission-access-level/index.js';
+export * from './_entity/permission-access-level/index.js';
+//API
+export * from './_entity/permission-api/index.js';
+export * from './_entity/permission-api/index.js';
+//Project
+export * from './_entity/permission-project/index.js';
+export * from './_entity/permission-project/index.js';
+//Domain
+export * from './_entity/permission-domain/index.js';
+export * from './_entity/permission-domain/index.js';
+//Group
+export * from './_entity/permission-group/index.js';
+export * from './_entity/permission-group/index.js';
+//User
+export * from './_entity/permission-user/index.js';
+export * from './_entity/permission-user/index.js';

package/consts.d.ts

@@ -0,0 +1,7 @@
+import { SessionKey_BE } from '@nu-art/user-account-backend';
+import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
+import { TypedMap } from '@nu-art/ts-common';
+import { SessionData_Permissions, SessionData_StrictMode } from '@nu-art/permissions-shared';
+export declare const SessionKey_Permissions_BE: SessionKey_BE<SessionData_Permissions>;
+export declare const SessionKey_StrictMode_BE: SessionKey_BE<SessionData_StrictMode>;
+export declare const MemKey_UserPermissions: MemKey<TypedMap<number>>;

package/consts.js

@@ -0,0 +1,5 @@
+import { SessionKey_BE } from '@nu-art/user-account-backend';
+import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
+export const SessionKey_Permissions_BE = new SessionKey_BE('permissions');
+export const SessionKey_StrictMode_BE = new SessionKey_BE('strictMode');
+export const MemKey_UserPermissions = new MemKey('user-permissions'); //[domainId]: access level numerical value

package/core/module-pack.d.ts

@@ -0,0 +1,3 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_Permissions: Module[];
+export * from '../modules/ModuleBE_PermissionsAssert.js';

package/core/module-pack.js

@@ -0,0 +1,32 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { ModuleBE_PermissionsAssert } from '../modules/ModuleBE_PermissionsAssert.js';
+import { ModuleBE_Permissions } from '../modules/ModuleBE_Permissions.js';
+import { ModulePackBE_PermissionAccessLevel, ModulePackBE_PermissionAPI, ModulePackBE_PermissionDomain, ModulePackBE_PermissionGroup, ModulePackBE_PermissionProject, ModulePackBE_PermissionUser } from '../_entity.js';
+export const ModulePackBE_Permissions = [
+    ...ModulePackBE_PermissionAccessLevel,
+    ...ModulePackBE_PermissionAPI,
+    ...ModulePackBE_PermissionProject,
+    ...ModulePackBE_PermissionDomain,
+    ...ModulePackBE_PermissionGroup,
+    ...ModulePackBE_PermissionUser,
+    ModuleBE_PermissionsAssert,
+    ModuleBE_Permissions,
+];
+export * from '../modules/ModuleBE_PermissionsAssert.js';

package/core/utils.d.ts

@@ -0,0 +1,25 @@
+import { TypedMap, UniqueId } from '@nu-art/ts-common';
+import { DefaultDef_Group, PreDBAccessLevel } from '@nu-art/permissions-shared';
+import { PermissionKey_BE } from '../PermissionKey_BE.js';
+import { DefaultDef_Domain, DefaultDef_Package } from '../types.js';
+export declare const Permissions_abTest: (seed: UniqueId, namespace: string, permutations: string[]) => DefaultDef_Package;
+/**
+ * Generate automatic BE permission keys for a domain
+ * @param accessLevels the relevant access levels to generate keys for
+ * @param keyByLevelMapper the key name mapper by access level name
+ * @param domainId the domain id to apply in the resolver
+ */
+export declare const generatePermissionKeys: <Key extends string | number | symbol>(accessLevels: PreDBAccessLevel[], keyByLevelMapper: TypedMap<string>, domainId: UniqueId) => { [key in Key]: PermissionKey_BE<string>; };
+/**
+ * Automatic generator for domain default definitions,
+ * @param key MUST NEVER CHANGE! the key is the "key" to uniqueness of the entire permission decleration
+ * @param namespace The name space of the current generated domain definitions
+ * @param preDBAccessLevels The access levels to create (can be default or custom)
+ * @param permissionKeysByLevel The permission key name for each access level
+ * @param dbNames List of db names (optional)
+ */
+export declare const generateDomainDefaults: <Key extends string | number | symbol>(key: string, namespace: string, preDBAccessLevels: PreDBAccessLevel[], permissionKeysByLevel: { [key in Key]: string; }, dbNames?: string[]) => {
+    domain: DefaultDef_Domain;
+    groups: DefaultDef_Group[];
+    keys: { [key in Key]: PermissionKey_BE<string>; };
+};

package/core/utils.js

@@ -0,0 +1,85 @@
+import { _values, md5 } from '@nu-art/ts-common';
+import { CreateDefaultAccessLevels, DefaultAccessLevel_NoAccess, DefaultAccessLevel_Read } from '@nu-art/permissions-shared';
+import { defaultValueResolverV2, PermissionKey_BE } from '../PermissionKey_BE.js';
+export const Permissions_abTest = (seed, namespace, permutations) => {
+    const domains = permutations.map(permutation => {
+        const name = `${namespace}/${permutation}`;
+        const domain = {
+            _id: md5(`${seed}${name}`),
+            namespace: name,
+            permissionKeys: permutations.map(permutation => {
+                const initialDataResolver = () => defaultValueResolverV2(domain._id, DefaultAccessLevel_Read.name);
+                return new PermissionKey_BE(`${namespace}/${permutation}`, initialDataResolver);
+            }),
+            levels: CreateDefaultAccessLevels(seed, [DefaultAccessLevel_NoAccess, DefaultAccessLevel_Read]),
+        };
+        return domain;
+    });
+    const groups = permutations.map((permutation, index) => {
+        const name = `${namespace}/${permutation}`;
+        const domain = domains[index];
+        const group = {
+            _id: md5(`${domain._id}/${name}`),
+            name,
+            uiLabel: name,
+            accessLevels: {
+                [domain._id]: DefaultAccessLevel_Read.name,
+            }
+        };
+        return group;
+    });
+    const Permission_Package = {
+        name: namespace,
+        domains: domains,
+        groups: groups
+    };
+    return Permission_Package;
+};
+/**
+ * Generate automatic BE permission keys for a domain
+ * @param accessLevels the relevant access levels to generate keys for
+ * @param keyByLevelMapper the key name mapper by access level name
+ * @param domainId the domain id to apply in the resolver
+ */
+export const generatePermissionKeys = (accessLevels, keyByLevelMapper, domainId) => {
+    return accessLevels.reduce((mapper, currentAccessLevel) => {
+        // declare default
+        const key = keyByLevelMapper[currentAccessLevel.name];
+        // update acc mapper
+        mapper[currentAccessLevel.name] = new PermissionKey_BE(key, () => defaultValueResolverV2(domainId, currentAccessLevel.name));
+        return mapper;
+    }, {});
+};
+/**
+ * Automatic generator for domain default definitions,
+ * @param key MUST NEVER CHANGE! the key is the "key" to uniqueness of the entire permission decleration
+ * @param namespace The name space of the current generated domain definitions
+ * @param preDBAccessLevels The access levels to create (can be default or custom)
+ * @param permissionKeysByLevel The permission key name for each access level
+ * @param dbNames List of db names (optional)
+ */
+export const generateDomainDefaults = (key, namespace, preDBAccessLevels, permissionKeysByLevel, dbNames) => {
+    // Generate the new domain id
+    const newDomainId = md5(`domain/${key}`);
+    // Get all default db ready access levels using the provided ones
+    const accessLevels = CreateDefaultAccessLevels(newDomainId, preDBAccessLevels);
+    const keyDefinitions = generatePermissionKeys(preDBAccessLevels, permissionKeysByLevel, newDomainId);
+    return {
+        domain: {
+            _id: newDomainId,
+            namespace,
+            permissionKeys: _values(keyDefinitions),
+            levels: accessLevels,
+            dbNames
+        },
+        groups: accessLevels.map(accessLevel => ({
+            _id: md5(`${key}/${accessLevel.name}`),
+            name: `${namespace}/${accessLevel.name}`,
+            uiLabel: `${namespace}/${accessLevel.name}`,
+            accessLevels: {
+                [namespace]: accessLevel.name
+            }
+        })),
+        keys: keyDefinitions
+    };
+};

package/index.d.ts

@@ -0,0 +1,4 @@
+export * from './core/module-pack.js';
+export * from './modules/index.js';
+export * from './_entity.js';
+export * from './types.js';

package/index.js

@@ -0,0 +1,22 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export * from './core/module-pack.js';
+export * from './modules/index.js';
+export * from './_entity.js';
+export * from './types.js';

package/modules/ModuleBE_Permissions.d.ts

@@ -0,0 +1,77 @@
+import { Module, TypedMap } from '@nu-art/ts-common';
+import { DB_PermissionGroup, DB_PermissionProject, DefaultDef_Group, SessionData_Permissions } from '@nu-art/permissions-shared';
+import { BaseSessionClaims, CollectSessionData } from '@nu-art/user-account-backend';
+import { PerformProjectSetup } from '@nu-art/thunderstorm-backend/modules/action-processor/Action_SetupProject';
+import { DefaultDef_Project } from '../types.js';
+export interface CollectPermissionsProjects {
+    __collectPermissionsProjects(): DefaultDef_Project;
+}
+export declare const PermissionGroup_Permissions_SuperAdmin: DefaultDef_Group;
+export declare const PermissionGroup_Permissions_Viewer: DefaultDef_Group;
+export declare const PermissionGroup_Permissions_Editor: DefaultDef_Group;
+export declare const PermissionGroup_Account_Manager: DefaultDef_Group;
+export declare const PermissionGroup_Account_Admin: DefaultDef_Group;
+export declare const PermissionGroup_Account_Viewer: DefaultDef_Group;
+export declare const PermissionGroups_Permissions: DefaultDef_Group[];
+export declare const PermissionProject_Permissions: DefaultDef_Project;
+declare class ModuleBE_Permissions_Class extends Module implements CollectSessionData<SessionData_Permissions>, PerformProjectSetup {
+    protected init(): void;
+    __collectSessionData(data: BaseSessionClaims): Promise<SessionData_Permissions>;
+    getUserPermissionMap: (userGroups: DB_PermissionGroup[]) => Promise<TypedMap<number>>;
+    toggleStrictMode: () => Promise<void>;
+    __performProjectSetup(): {
+        priority: number;
+        processor: () => Promise<void>;
+    };
+    createPermissionProjects(projects: DefaultDef_Project[]): Promise<void>;
+    /**
+     * Creates All the DB_PermissionProject
+     *
+     * @param projects - predefined permissions projects
+     */
+    createProjects(projects: DefaultDef_Project[]): Promise<TypedMap<DB_PermissionProject>>;
+    /**
+     * Creates All the DB_PermissionDomains
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDBProject
+     */
+    private createDomains;
+    /**
+     * Creates All the DB_PermissionAccessLevel
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDbDomain
+     */
+    private createAccessLevels;
+    /**
+     * Creates All the DB_PermissionGroup
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDbDomain
+     * @param domainNameToLevelNameToDBAccessLevel
+     */
+    private createGroups;
+    /**
+     * Creates All the DB_PermissionApi
+     *
+     * @param projects - predefined permissions projects
+     * @param domainNameToLevelNameToDBAccessLevel
+     */
+    private createApis;
+    /**
+     * Creates permission keys associated with the given projects.
+     *
+     * @param projects - An array of projects.
+     */
+    private createPermissionsKeys;
+    /**
+     * If no "Super Admin" user is defined in the system!
+     * The first user to press the create project button will become the "Super Admin" of the system
+     *
+     * If a "Super Admin" already exists in the system, a 403 will be thrown
+     */
+    private assignSuperAdmin;
+}
+export declare const ModuleBE_Permissions: ModuleBE_Permissions_Class;
+export {};