@nu-art/permissions-backend 0.500.0 → 0.500.6

package/RequirePermission.d.ts

@@ -1,21 +1,33 @@
 import type { PermissionScope } from '@nu-art/permissions-shared';
 import type { FunctionPermissionDef } from './core/function-permission-registry.js';
+import type { PermissionAsserter } from './assertion-types.js';
 export { type FunctionPermissionDef } from './core/function-permission-registry.js';
+export { type PermissionAssertionContext, type PermissionAsserter } from './assertion-types.js';
+export declare const RequirePermissionDefKey: unique symbol;
+type AsyncMethodDecorator = <This, Args extends any[], Return>(originalMethod: (this: This, ...args: Args) => Promise<Return>, _context: ClassMethodDecoratorContext<This, (this: This, ...args: Args) => Promise<Return>>) => (this: This, ...args: Args) => Promise<Return>;
 /**
- * Symbol key used to attach the function-permission def to a method.
- * PermissionsAssert (or middleware) can read this to assert before invoking the handler.
+ * Simple overload: checks that the caller has at least the required value
+ * for the given scope (position-based in the scope's ordered values array).
  */
-export declare const RequirePermissionDefKey: unique symbol;
+export declare function RequirePermission<P extends PermissionScope>(scope: P, value: P['values'][number]): AsyncMethodDecorator;
 /**
- * Method decorator that registers a function permission (scope + value) and attaches
- * the def to the method. No assert in the decorator; assert runs at request time
- * when the handler is invoked (via PermissionsAssert or module wrapper).
+ * Complex overload: receives a PermissionAssertionContext and the decorated
+ * method's arguments. Return true to allow, false to deny (throws 403).
  *
- * @param scope - Branded permission scope (e.g. definePermissionScope('pathway', ['read','write','delete','admin']))
- * @param value - One of scope.values (e.g. 'write')
+ * @example
+ * @RequirePermission((assert, body: EditArticleRequest) => {
+ *   return assert.or(
+ *     assert.and(
+ *       assert.hasScope(PermissionScope_Articles, 'write'),
+ *       assert.ownsEntity({dbKey: 'articles', id: body.articleId})
+ *     ),
+ *     assert.hasScope(PermissionScope_Articles, 'admin')
+ *   );
+ * })
  */
-export declare function RequirePermission<P extends PermissionScope>(scope: P, value: P['values'][number]): <T extends (this: unknown, ...args: unknown[]) => Promise<unknown>>(originalMethod: T, _context: ClassMethodDecoratorContext<unknown, T>) => T;
+export declare function RequirePermission(asserter: PermissionAsserter): AsyncMethodDecorator;
 /**
  * Returns the function-permission def attached to a handler, or undefined.
+ * Only set for the simple overload (scope + value).
  */
-export declare function getRequirePermissionDef(handler: ((...args: unknown[]) => unknown) | null | undefined): FunctionPermissionDef | undefined;
+export declare function getRequirePermissionDef(handler: ((...args: any[]) => any) | null | undefined): FunctionPermissionDef | undefined;

package/RequirePermission.js

@@ -16,29 +16,38 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+import { ApiException } from '@nu-art/ts-common';
 import { registerFunctionPermission } from './core/function-permission-registry.js';
-/**
- * Symbol key used to attach the function-permission def to a method.
- * PermissionsAssert (or middleware) can read this to assert before invoking the handler.
- */
+import { ModuleBE_PermissionsAssert } from './modules/ModuleBE_PermissionsAssert.js';
 export const RequirePermissionDefKey = Symbol.for('RequirePermissionDef');
-/**
- * Method decorator that registers a function permission (scope + value) and attaches
- * the def to the method. No assert in the decorator; assert runs at request time
- * when the handler is invoked (via PermissionsAssert or module wrapper).
- *
- * @param scope - Branded permission scope (e.g. definePermissionScope('pathway', ['read','write','delete','admin']))
- * @param value - One of scope.values (e.g. 'write')
- */
-export function RequirePermission(scope, value) {
+export function RequirePermission(scopeOrAsserter, value) {
+    if (typeof scopeOrAsserter === 'function') {
+        const asserter = scopeOrAsserter;
+        return function (originalMethod, _context) {
+            const wrapper = async function (...args) {
+                const ctx = ModuleBE_PermissionsAssert.createAssertionContext();
+                const result = await asserter(ctx, ...args);
+                if (!result)
+                    throw new ApiException(403, 'Permission assertion failed');
+                return originalMethod.call(this, ...args);
+            };
+            return wrapper;
+        };
+    }
+    const scope = scopeOrAsserter;
     return function (originalMethod, _context) {
         const def = registerFunctionPermission(scope, value);
-        originalMethod[RequirePermissionDefKey] = def;
-        return originalMethod;
+        const wrapper = async function (...args) {
+            ModuleBE_PermissionsAssert.assertScopePermission(scope, value);
+            return originalMethod.call(this, ...args);
+        };
+        wrapper[RequirePermissionDefKey] = def;
+        return wrapper;
     };
 }
 /**
  * Returns the function-permission def attached to a handler, or undefined.
+ * Only set for the simple overload (scope + value).
  */
 export function getRequirePermissionDef(handler) {
     if (!handler || typeof handler !== 'function')

package/_entity/access-group/ModuleBE_AccessGroupDB.d.ts

@@ -0,0 +1,13 @@
+import { UniqueId } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB, PostWriteProcessingDataShape } from '@nu-art/db-api-backend';
+import type { DatabaseDef_AccessGroup, DB_AccessGroup } from '@nu-art/permissions-shared';
+import { CollectionActionType } from '@nu-art/firebase-backend/firestore/FirestoreCollection';
+export interface OnAccessGroupChanged {
+    __onAccessGroupChanged(changedGroupIds: UniqueId[]): Promise<void>;
+}
+export declare class ModuleBE_AccessGroupDB_Class extends ModuleBE_BaseDB<DatabaseDef_AccessGroup> {
+    constructor();
+    protected preWriteProcessing(instance: DB_AccessGroup, _original: DatabaseDef_AccessGroup['dbType']): Promise<void>;
+    protected postWriteProcessing(data: PostWriteProcessingDataShape<DatabaseDef_AccessGroup['dbType']>, _actionType: CollectionActionType): Promise<void>;
+}
+export declare const ModuleBE_AccessGroupDB: ModuleBE_AccessGroupDB_Class;

package/_entity/access-group/ModuleBE_AccessGroupDB.js

@@ -0,0 +1,36 @@
+import { ApiException, Dispatcher, filterDuplicates } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_AccessGroup } from '@nu-art/permissions-shared';
+const dispatcher_accessGroupChanged = new Dispatcher('__onAccessGroupChanged');
+export class ModuleBE_AccessGroupDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_AccessGroup);
+    }
+    async preWriteProcessing(instance, _original) {
+        if ((instance.type === 'user' || instance.type === 'service-account') && instance.members.length > 0)
+            throw new ApiException(400, `${instance.type} access groups cannot have members`);
+    }
+    async postWriteProcessing(data, _actionType) {
+        const updated = Array.isArray(data.updated) ? data.updated : data.updated ? [data.updated] : [];
+        const before = Array.isArray(data.before) ? data.before : data.before ? [data.before] : [];
+        const deleted = Array.isArray(data.deleted) ? data.deleted : data.deleted ? [data.deleted] : [];
+        const changedGroupIds = [];
+        for (let i = 0; i < updated.length; i++) {
+            const prev = before[i];
+            if (!prev) {
+                changedGroupIds.push(updated[i]._id);
+                continue;
+            }
+            const membersChanged = JSON.stringify([...updated[i].members].sort()) !== JSON.stringify([...prev.members].sort());
+            const scopesChanged = JSON.stringify([...(updated[i].scopeEntries ?? [])].sort()) !== JSON.stringify([...(prev.scopeEntries ?? [])].sort());
+            if (membersChanged || scopesChanged)
+                changedGroupIds.push(updated[i]._id);
+        }
+        for (const del of deleted)
+            changedGroupIds.push(del._id);
+        if (changedGroupIds.length === 0)
+            return;
+        await dispatcher_accessGroupChanged.dispatchModuleAsync(filterDuplicates(changedGroupIds));
+    }
+}
+export const ModuleBE_AccessGroupDB = new ModuleBE_AccessGroupDB_Class();

package/_entity/access-group/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_AccessGroup: (import("./ModuleBE_AccessGroupDB.js").ModuleBE_AccessGroupDB_Class | import("@nu-art/db-api-backend").ModuleBE_BaseApi_Class<import("@nu-art/permissions-shared").DatabaseDef_AccessGroup, any>)[];

package/_entity/access-group/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModule } from '@nu-art/db-api-backend';
+import { ModuleBE_AccessGroupDB } from './ModuleBE_AccessGroupDB.js';
+export const ModulePackBE_AccessGroup = [ModuleBE_AccessGroupDB, createApisForDBModule(ModuleBE_AccessGroupDB)];

package/_entity/permission-scope/ModuleBE_PermissionScopeDB.d.ts

@@ -0,0 +1,6 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DatabaseDef_PermissionScope } from '@nu-art/permissions-shared';
+export declare class ModuleBE_PermissionScopeDB_Class extends ModuleBE_BaseDB<DatabaseDef_PermissionScope> {
+    constructor();
+}
+export declare const ModuleBE_PermissionScopeDB: ModuleBE_PermissionScopeDB_Class;

package/_entity/permission-scope/ModuleBE_PermissionScopeDB.js

@@ -0,0 +1,8 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_PermissionScope } from '@nu-art/permissions-shared';
+export class ModuleBE_PermissionScopeDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_PermissionScope);
+    }
+}
+export const ModuleBE_PermissionScopeDB = new ModuleBE_PermissionScopeDB_Class();

package/_entity/permission-scope/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_PermissionScope: (import("./ModuleBE_PermissionScopeDB.js").ModuleBE_PermissionScopeDB_Class | import("@nu-art/db-api-backend").ModuleBE_BaseApi_Class<import("@nu-art/permissions-shared").DatabaseDef_PermissionScope, any>)[];

package/_entity/permission-scope/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModule } from '@nu-art/db-api-backend';
+import { ModuleBE_PermissionScopeDB } from './ModuleBE_PermissionScopeDB.js';
+export const ModulePackBE_PermissionScope = [ModuleBE_PermissionScopeDB, createApisForDBModule(ModuleBE_PermissionScopeDB)];

package/_entity/user-permissions/ModuleBE_UserPermissionsAPI.d.ts

@@ -0,0 +1,9 @@
+import { ModuleBE_BaseApi_Class } from '@nu-art/db-api-backend';
+import type { QueryParams } from '@nu-art/api-types';
+import { DatabaseDef_UserPermissions, Response_MyPermissions } from '@nu-art/permissions-shared';
+declare class ModuleBE_UserPermissionsAPI_Class extends ModuleBE_BaseApi_Class<DatabaseDef_UserPermissions> {
+    constructor();
+    getMyPermissions(_params: QueryParams): Promise<Response_MyPermissions>;
+}
+export declare const ModuleBE_UserPermissionsAPI: ModuleBE_UserPermissionsAPI_Class;
+export {};

package/_entity/{permission-user/ModuleBE_PermissionUserAPI.js → user-permissions/ModuleBE_UserPermissionsAPI.js}

@@ -32,35 +32,36 @@ var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn,
     if (target) Object.defineProperty(target, contextIn.name, descriptor);
     done = true;
 };
-import { CrudApiDef } from '@nu-art/db-api-shared';
 import { ModuleBE_BaseApi_Class } from '@nu-art/db-api-backend';
+import { CrudApiDef, stringToUniqueId } from '@nu-art/db-api-shared';
 import { ApiHandler } from '@nu-art/http-server';
-import { ApiDef_PermissionUser, DBDef_PermissionUser } from '@nu-art/permissions-shared';
-import { ModuleBE_PermissionUserDB } from './ModuleBE_PermissionUserDB.js';
-let ModuleBE_PermissionUserAPI_Class = (() => {
+import { ApiDef_UserPermissions, DBDef_UserPermissions, } from '@nu-art/permissions-shared';
+import { ModuleBE_UserPermissionsDB } from './ModuleBE_UserPermissionsDB.js';
+import { SessionKey_Account_BE } from '@nu-art/user-account-backend';
+let ModuleBE_UserPermissionsAPI_Class = (() => {
     let _classSuper = ModuleBE_BaseApi_Class;
     let _instanceExtraInitializers = [];
-    let _assignPermissions_decorators;
-    return class ModuleBE_PermissionUserAPI_Class extends _classSuper {
+    let _getMyPermissions_decorators;
+    return class ModuleBE_UserPermissionsAPI_Class extends _classSuper {
         static {
             const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(_classSuper[Symbol.metadata] ?? null) : void 0;
-            _assignPermissions_decorators = [ApiHandler(ApiDef_PermissionUser.assignPermissions)];
-            __esDecorate(this, null, _assignPermissions_decorators, { kind: "method", name: "assignPermissions", static: false, private: false, access: { has: obj => "assignPermissions" in obj, get: obj => obj.assignPermissions }, metadata: _metadata }, null, _instanceExtraInitializers);
+            _getMyPermissions_decorators = [ApiHandler(ApiDef_UserPermissions.getMyPermissions)];
+            __esDecorate(this, null, _getMyPermissions_decorators, { kind: "method", name: "getMyPermissions", static: false, private: false, access: { has: obj => "getMyPermissions" in obj, get: obj => obj.getMyPermissions }, metadata: _metadata }, null, _instanceExtraInitializers);
             if (_metadata) Object.defineProperty(this, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
         }
         constructor() {
             super({
-                dbModule: ModuleBE_PermissionUserDB,
-                crudApiDef: CrudApiDef(DBDef_PermissionUser.dbKey),
+                dbModule: ModuleBE_UserPermissionsDB,
+                crudApiDef: CrudApiDef(DBDef_UserPermissions.dbKey),
             });
             __runInitializers(this, _instanceExtraInitializers);
         }
-        init() {
-            super.init();
-        }
-        async assignPermissions(body) {
-            await ModuleBE_PermissionUserDB.assignPermissions(body);
+        async getMyPermissions(_params) {
+            const account = SessionKey_Account_BE.get();
+            const permissionsId = stringToUniqueId(account._id);
+            const entity = await ModuleBE_UserPermissionsDB.query.unique(permissionsId);
+            return { scopeEntries: entity?.scopeEntries ?? [] };
         }
     };
 })();
-export const ModuleBE_PermissionUserAPI = new ModuleBE_PermissionUserAPI_Class();
+export const ModuleBE_UserPermissionsAPI = new ModuleBE_UserPermissionsAPI_Class();

package/_entity/user-permissions/ModuleBE_UserPermissionsDB.d.ts

@@ -0,0 +1,6 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DatabaseDef_UserPermissions } from '@nu-art/permissions-shared';
+export declare class ModuleBE_UserPermissionsDB_Class extends ModuleBE_BaseDB<DatabaseDef_UserPermissions> {
+    constructor();
+}
+export declare const ModuleBE_UserPermissionsDB: ModuleBE_UserPermissionsDB_Class;

package/_entity/user-permissions/ModuleBE_UserPermissionsDB.js

@@ -0,0 +1,8 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_UserPermissions } from '@nu-art/permissions-shared';
+export class ModuleBE_UserPermissionsDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_UserPermissions);
+    }
+}
+export const ModuleBE_UserPermissionsDB = new ModuleBE_UserPermissionsDB_Class();

package/_entity/user-permissions/module-pack.d.ts

@@ -0,0 +1,2 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_UserPermissions: Module[];

package/_entity/user-permissions/module-pack.js

@@ -0,0 +1,3 @@
+import { ModuleBE_UserPermissionsDB } from './ModuleBE_UserPermissionsDB.js';
+import { ModuleBE_UserPermissionsAPI } from './ModuleBE_UserPermissionsAPI.js';
+export const ModulePackBE_UserPermissions = [ModuleBE_UserPermissionsDB, ModuleBE_UserPermissionsAPI];

package/assertion-types.d.ts

@@ -0,0 +1,9 @@
+import type { PermissionScope } from '@nu-art/permissions-shared';
+import type { DBPointer } from '@nu-art/ts-common';
+export type PermissionAssertionContext = {
+    readonly hasScope: (scope: PermissionScope, value: string) => boolean;
+    readonly ownsEntity: (pointer: DBPointer) => Promise<boolean>;
+    readonly and: (...predicates: (boolean | Promise<boolean>)[]) => Promise<boolean>;
+    readonly or: (...predicates: (boolean | Promise<boolean>)[]) => Promise<boolean>;
+};
+export type PermissionAsserter = (assert: PermissionAssertionContext, ...args: any[]) => boolean | Promise<boolean>;

package/consts.d.ts

@@ -1,7 +1,10 @@
 import { SessionKey_BE } from '@nu-art/user-account-backend';
 import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
-import { TypedMap } from '@nu-art/ts-common';
-import { SessionData_Permissions, SessionData_StrictMode } from '@nu-art/permissions-shared';
-export declare const SessionKey_Permissions_BE: SessionKey_BE<SessionData_Permissions>;
+import type { DBPointer } from '@nu-art/ts-common';
+import type { ScopedAccessIds } from '@nu-art/permissions-shared';
+import { SessionData_StrictMode } from '@nu-art/permissions-shared';
 export declare const SessionKey_StrictMode_BE: SessionKey_BE<SessionData_StrictMode>;
-export declare const MemKey_UserPermissions: MemKey<TypedMap<number>>;
+export declare const MemKey_UserScopePermissions: MemKey<string[]>;
+export declare const MemKey_UserEntityContexts: MemKey<DBPointer[]>;
+export declare const MemKey_ServiceAccountId: MemKey<string>;
+export declare const MemKey_UserAccessIds: MemKey<ScopedAccessIds>;

package/consts.js

@@ -1,5 +1,7 @@
 import { SessionKey_BE } from '@nu-art/user-account-backend';
 import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
-export const SessionKey_Permissions_BE = new SessionKey_BE('permissions');
 export const SessionKey_StrictMode_BE = new SessionKey_BE('strictMode');
-export const MemKey_UserPermissions = new MemKey('user-permissions'); //[domainId]: access level numerical value
+export const MemKey_UserScopePermissions = new MemKey('user-scope-permissions');
+export const MemKey_UserEntityContexts = new MemKey('user-entity-contexts');
+export const MemKey_ServiceAccountId = new MemKey('service-account-id');
+export const MemKey_UserAccessIds = new MemKey('user-access-ids');

package/core/function-permission-registry.d.ts

@@ -3,16 +3,11 @@ export type FunctionPermissionDef = {
     id: string;
     scopeKey: string;
     value: string;
-    /** Set on server load when domains/levels are created from registry. */
-    domainId?: string;
-    /** Set on server load when domains/levels are created from registry. */
-    levelId?: string;
-    /** Numeric level value for assert (user level >= required). Set on server load. */
-    levelValue?: number;
 };
 /**
  * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
  * Returns the same def if (scopeKey, value) was already registered (stable id).
+ * Also stores the scope's ordered values array for position-based assertion.
  */
 export declare function registerFunctionPermission(scope: PermissionScope, value: string): FunctionPermissionDef;
 /**
@@ -23,3 +18,7 @@ export declare function getRegisteredFunctionPermissions(): FunctionPermissionDe
  * Returns the def for a given (scopeKey, value), or undefined if not registered.
  */
 export declare function getFunctionPermissionDef(scopeKey: string, value: string): FunctionPermissionDef | undefined;
+/**
+ * Returns the ordered values array for a scope key, or undefined if the scope was never registered.
+ */
+export declare function getScopeValues(scopeKey: string): readonly string[] | undefined;

package/core/function-permission-registry.js

@@ -18,15 +18,19 @@
  */
 import { md5 } from '@nu-art/ts-common';
 const registry = new Map();
+const scopeValuesRegistry = new Map();
 function compositeKey(scopeKey, value) {
     return `${scopeKey}\0${value}`;
 }
 /**
  * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
  * Returns the same def if (scopeKey, value) was already registered (stable id).
+ * Also stores the scope's ordered values array for position-based assertion.
  */
 export function registerFunctionPermission(scope, value) {
     const scopeKey = scope.key;
+    if (!scopeValuesRegistry.has(scopeKey))
+        scopeValuesRegistry.set(scopeKey, scope.values);
     const key = compositeKey(scopeKey, value);
     const existing = registry.get(key);
     if (existing)
@@ -48,3 +52,9 @@ export function getRegisteredFunctionPermissions() {
 export function getFunctionPermissionDef(scopeKey, value) {
     return registry.get(compositeKey(scopeKey, value));
 }
+/**
+ * Returns the ordered values array for a scope key, or undefined if the scope was never registered.
+ */
+export function getScopeValues(scopeKey) {
+    return scopeValuesRegistry.get(scopeKey);
+}

package/core/module-pack.js

@@ -18,14 +18,13 @@
  */
 import { ModuleBE_PermissionsAssert } from '../modules/ModuleBE_PermissionsAssert.js';
 import { ModuleBE_Permissions } from '../modules/ModuleBE_Permissions.js';
-import { ModulePackBE_PermissionAccessLevel, ModulePackBE_PermissionAPI, ModulePackBE_PermissionDomain, ModulePackBE_PermissionGroup, ModulePackBE_PermissionProject, ModulePackBE_PermissionUser } from '../_entity.js';
+import { ModulePackBE_PermissionScope } from '../_entity/permission-scope/module-pack.js';
+import { ModulePackBE_UserPermissions } from '../_entity/user-permissions/module-pack.js';
+import { ModulePackBE_AccessGroup } from '../_entity/access-group/module-pack.js';
 export const ModulePackBE_Permissions = [
-    ...ModulePackBE_PermissionAccessLevel,
-    ...ModulePackBE_PermissionAPI,
-    ...ModulePackBE_PermissionProject,
-    ...ModulePackBE_PermissionDomain,
-    ...ModulePackBE_PermissionGroup,
-    ...ModulePackBE_PermissionUser,
+    ...ModulePackBE_PermissionScope,
+    ...ModulePackBE_UserPermissions,
+    ...ModulePackBE_AccessGroup,
     ModuleBE_PermissionsAssert,
     ModuleBE_Permissions,
 ];

package/document-access-api.d.ts

@@ -0,0 +1,6 @@
+import type { UniqueId } from '@nu-art/ts-common';
+import type { DB_Prototype } from '@nu-art/db-api-shared';
+import type { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import type { DocumentAccessCapabilities } from '@nu-art/permissions-shared';
+export declare function shareDocument<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, documentId: Database['uniqueParam'], principalId: UniqueId, capabilities: DocumentAccessCapabilities): Promise<Database['dbType']>;
+export declare function unshareDocument<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, documentId: Database['uniqueParam'], principalId: UniqueId, capabilities: DocumentAccessCapabilities): Promise<Database['dbType']>;

package/document-access-api.js

@@ -0,0 +1,49 @@
+import { ApiException, filterDuplicates, removeItemFromArray } from '@nu-art/ts-common';
+import { CapabilityToAccessKey } from '@nu-art/permissions-shared';
+import { MemKey_UserAccessIds } from './consts.js';
+function getAllAccessIds() {
+    const dict = MemKey_UserAccessIds.get();
+    return filterDuplicates(Object.values(dict).flat());
+}
+function assertOwnership(access) {
+    const accessIds = getAllAccessIds();
+    const isOwner = access?.owners?.some(id => accessIds.includes(id));
+    if (!isOwner)
+        throw new ApiException(403, 'Only document owners can manage access');
+}
+export async function shareDocument(dbModule, documentId, principalId, capabilities) {
+    const doc = await dbModule.query.unique(documentId);
+    if (!doc)
+        throw new ApiException(404, 'Document not found');
+    const mutable = doc;
+    assertOwnership(mutable.__access);
+    if (!mutable.__access)
+        mutable.__access = {};
+    for (const [cap, enabled] of Object.entries(capabilities)) {
+        if (!enabled)
+            continue;
+        const accessKey = CapabilityToAccessKey[cap];
+        if (!mutable.__access[accessKey])
+            mutable.__access[accessKey] = [];
+        mutable.__access[accessKey] = filterDuplicates([...mutable.__access[accessKey], principalId]);
+    }
+    return dbModule.set.item(mutable);
+}
+export async function unshareDocument(dbModule, documentId, principalId, capabilities) {
+    const doc = await dbModule.query.unique(documentId);
+    if (!doc)
+        throw new ApiException(404, 'Document not found');
+    const mutable = doc;
+    assertOwnership(mutable.__access);
+    if (!mutable.__access)
+        return dbModule.set.item(mutable);
+    for (const [cap, enabled] of Object.entries(capabilities)) {
+        if (!enabled)
+            continue;
+        const accessKey = CapabilityToAccessKey[cap];
+        if (!mutable.__access[accessKey])
+            continue;
+        removeItemFromArray(mutable.__access[accessKey], principalId);
+    }
+    return dbModule.set.item(mutable);
+}

package/document-access-enforcement.d.ts

@@ -0,0 +1,9 @@
+import type { DB_Prototype } from '@nu-art/db-api-shared';
+import type { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import type { DatabaseDef_AccessGroup, DocumentAccessFields, DocumentAccessInner } from '@nu-art/permissions-shared';
+import { UniqueId } from '@nu-art/ts-common';
+export type AccessContextResolver<Database extends DB_Prototype = DB_Prototype> = (item: Database['uiType']) => Promise<DocumentAccessFields> | DocumentAccessFields;
+export declare function copyAccessFields(source: Record<string, unknown>): DocumentAccessFields;
+export declare function deriveEntityGroupId(entityId: UniqueId, accessKey: keyof DocumentAccessInner): DatabaseDef_AccessGroup['id'];
+export declare function deriveEntityAccessFields(entityId: UniqueId): DocumentAccessFields;
+export declare function wireDocumentAccess<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, resolverProvider: () => AccessContextResolver<Database> | undefined, scopeKeysProvider: () => string[] | undefined): void;

package/document-access-enforcement.js

@@ -0,0 +1,137 @@
+import { hashToUniqueId } from '@nu-art/db-api-shared';
+import { AccessScope_Self, AllDocumentAccessKeys } from '@nu-art/permissions-shared';
+import { ApiException, filterDuplicates, tsValidateResult, tsValidator_arrayOfUniqueIds } from '@nu-art/ts-common';
+import { MemKey_UserAccessIds } from './consts.js';
+const documentAccessInnerValidator = {
+    readers: tsValidator_arrayOfUniqueIds,
+    writers: tsValidator_arrayOfUniqueIds,
+    deleters: tsValidator_arrayOfUniqueIds,
+    owners: tsValidator_arrayOfUniqueIds,
+};
+function getCallerScopedAccessIds() {
+    return MemKey_UserAccessIds.peak();
+}
+function resolveAccessIds(scopedDict, scopeKeys) {
+    const selfIds = scopedDict[AccessScope_Self] ?? [];
+    if (!scopeKeys)
+        return filterDuplicates([...selfIds, ...Object.values(scopedDict).flat()]);
+    const scopedIds = scopeKeys.flatMap(key => scopedDict[key] ?? []);
+    return filterDuplicates([...selfIds, ...scopedIds]);
+}
+function defaultAccessFields(callerAccessIds) {
+    const callerId = callerAccessIds[0];
+    return {
+        __access: {
+            readers: [callerId],
+            writers: [callerId],
+            deleters: [callerId],
+            owners: [callerId],
+        }
+    };
+}
+function assertCallerAccess(access, callerIds, ...keys) {
+    if (!keys.some(key => access[key]?.length))
+        return;
+    if (keys.some(key => access[key]?.some(id => callerIds.includes(id))))
+        return;
+    throw new ApiException(403, 'Insufficient document access');
+}
+function createQueryInterceptor(scopeKeysProvider) {
+    return (query) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return query;
+        const accessIds = resolveAccessIds(scopedDict, scopeKeysProvider());
+        const where = (query.where ?? {});
+        where.__access = { readers: { $aca: accessIds } };
+        query.where = where;
+        return query;
+    };
+}
+function createPreWriteInterceptor(resolverProvider, scopeKeysProvider) {
+    return async (dbItem, original) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return;
+        const item = dbItem;
+        delete item.__access;
+        if (!original) {
+            const selfIds = scopedDict[AccessScope_Self] ?? [];
+            const resolver = resolverProvider();
+            const resolved = resolver ? await resolver(dbItem) : defaultAccessFields(selfIds);
+            item.__access = {
+                ...resolved.__access,
+                owners: filterDuplicates([...(resolved.__access.owners ?? []), ...selfIds]),
+            };
+            return;
+        }
+        const existingAccess = original.__access;
+        if (!existingAccess)
+            return;
+        item.__access = { ...existingAccess };
+        assertCallerAccess(existingAccess, resolveAccessIds(scopedDict, scopeKeysProvider()), 'writers', 'owners');
+    };
+}
+function createPreDeleteInterceptor(scopeKeysProvider) {
+    return async (dbItems) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return;
+        const accessIds = resolveAccessIds(scopedDict, scopeKeysProvider());
+        for (const dbItem of dbItems) {
+            const access = dbItem.__access;
+            if (!access)
+                throw new ApiException(403, 'No delete access to this document');
+            assertCallerAccess(access, accessIds, 'deleters', 'owners');
+        }
+    };
+}
+export function copyAccessFields(source) {
+    const access = source.__access;
+    return {
+        __access: {
+            readers: [...(access?.readers ?? [])],
+            writers: [...(access?.writers ?? [])],
+            deleters: [...(access?.deleters ?? [])],
+            owners: [...(access?.owners ?? [])],
+        }
+    };
+}
+export function deriveEntityGroupId(entityId, accessKey) {
+    return hashToUniqueId(`${entityId}:${accessKey}`);
+}
+export function deriveEntityAccessFields(entityId) {
+    const inner = AllDocumentAccessKeys.reduce((fields, key) => {
+        fields[key] = [deriveEntityGroupId(entityId, key)];
+        return fields;
+    }, {});
+    return { __access: inner };
+}
+function patchCollectionValidator(dbModule) {
+    let patched = false;
+    dbModule.registerPreWriteInterceptor(async () => {
+        if (patched)
+            return;
+        patched = true;
+        const collection = dbModule.collection;
+        const originalValidate = collection.validateItem.bind(collection);
+        collection.validateItem = (dbItem) => {
+            const extractedAccess = dbItem.__access;
+            delete dbItem.__access;
+            originalValidate(dbItem);
+            if (extractedAccess) {
+                const results = tsValidateResult(extractedAccess, documentAccessInnerValidator);
+                if (results)
+                    throw new ApiException(400, `Invalid document access fields: ${JSON.stringify(results)}`);
+            }
+            if (extractedAccess)
+                dbItem.__access = extractedAccess;
+        };
+    });
+}
+export function wireDocumentAccess(dbModule, resolverProvider, scopeKeysProvider) {
+    patchCollectionValidator(dbModule);
+    dbModule.registerQueryInterceptor(createQueryInterceptor(scopeKeysProvider));
+    dbModule.registerPreWriteInterceptor(createPreWriteInterceptor(resolverProvider, scopeKeysProvider));
+    dbModule.registerPreDeleteInterceptor(createPreDeleteInterceptor(scopeKeysProvider));
+}

package/index.d.ts

@@ -1,9 +1,15 @@
-export * from './consts.js';
 export * from './core/module-pack.js';
-export * from './permissions-wire.js';
 export * from './core/function-permission-registry.js';
+export * from './assertion-types.js';
 export * from './RequirePermission.js';
-export * from './modules/index.js';
-export * from './permissions.js';
-export * from './_entity.js';
-export * from './types.js';
+export * from './modules/ModuleBE_Permissions.js';
+export * from './modules/ModuleBE_PermissionsAssert.js';
+export * from './_entity/permission-scope/ModuleBE_PermissionScopeDB.js';
+export * from './_entity/permission-scope/module-pack.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsDB.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsAPI.js';
+export * from './_entity/user-permissions/module-pack.js';
+export * from './_entity/access-group/ModuleBE_AccessGroupDB.js';
+export * from './_entity/access-group/module-pack.js';
+export * from './document-access-enforcement.js';
+export * from './document-access-api.js';