@openinc/parse-server-opendash 3.31.26 → 3.32.0

package/dist/features/cloudcode/classes/CloudCodeClass.d.ts

@@ -0,0 +1,10 @@
+import { CloudCodeFunction } from "../types/CloudCodeFunction";
+export declare class CloudCodeClass {
+    private static instance;
+    private registeredFunctions;
+    private constructor();
+    static getInstance(): CloudCodeClass;
+    registerFunction(name: string, fn: CloudCodeFunction): void;
+    getRegisteredFunctions(): Map<string, CloudCodeFunction>;
+    getFunction(name: string): CloudCodeFunction | undefined;
+}

package/dist/features/cloudcode/classes/CloudCodeClass.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudCodeClass = void 0;
+class CloudCodeClass {
+    constructor() {
+        this.registeredFunctions = new Map();
+    }
+    static getInstance() {
+        if (!CloudCodeClass.instance) {
+            CloudCodeClass.instance = new CloudCodeClass();
+        }
+        return CloudCodeClass.instance;
+    }
+    registerFunction(name, fn) {
+        this.registeredFunctions.set(name, fn);
+    }
+    getRegisteredFunctions() {
+        return this.registeredFunctions;
+    }
+    getFunction(name) {
+        return this.registeredFunctions.get(name);
+    }
+}
+exports.CloudCodeClass = CloudCodeClass;

package/dist/features/cloudcode/helper/checkCloudCodeFunction.d.ts

@@ -0,0 +1,7 @@
+import { CloudCodeModule } from "..";
+/**
+ * Type guard to validate that a loaded module has a valid init function.
+ * This is required because branded types are compile-time only and cannot
+ * enforce structure on dynamically loaded modules.
+ */
+export declare function isCloudCodeModule(module: unknown): module is CloudCodeModule;

package/dist/features/cloudcode/helper/checkCloudCodeFunction.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isCloudCodeModule = isCloudCodeModule;
+/**
+ * Type guard to validate that a loaded module has a valid init function.
+ * This is required because branded types are compile-time only and cannot
+ * enforce structure on dynamically loaded modules.
+ */
+function isCloudCodeModule(module) {
+    return (typeof module === "object" &&
+        module !== null &&
+        "init" in module &&
+        typeof module.init === "function");
+}

package/dist/features/cloudcode/index.d.ts

@@ -0,0 +1,3 @@
+export { autoloadCloudCode, default as initAutoload, } from "./services/loadCloudCode";
+export { CloudCodeClass } from "./classes/CloudCodeClass";
+export { CloudCodeFunction, CloudCodeModule } from "./types/CloudCodeFunction";

package/dist/features/cloudcode/index.js

@@ -0,0 +1,11 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudCodeClass = exports.initAutoload = exports.autoloadCloudCode = void 0;
+var loadCloudCode_1 = require("./services/loadCloudCode");
+Object.defineProperty(exports, "autoloadCloudCode", { enumerable: true, get: function () { return loadCloudCode_1.autoloadCloudCode; } });
+Object.defineProperty(exports, "initAutoload", { enumerable: true, get: function () { return __importDefault(loadCloudCode_1).default; } });
+var CloudCodeClass_1 = require("./classes/CloudCodeClass");
+Object.defineProperty(exports, "CloudCodeClass", { enumerable: true, get: function () { return CloudCodeClass_1.CloudCodeClass; } });

package/dist/features/cloudcode/services/loadCloudCode.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Autoloads cloud code files from the specified path. Each file MUST export an init() function.
+ *
+ * @param path - The path to the directory containing the cloud code files.
+ * @param regex - Optional regular expression to filter the file names. Defaults to /^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$/.
+ * @returns A promise that resolves when all the cloud code files have been loaded and initialized.
+ */
+export declare function autoloadCloudCode(path: string, regex?: RegExp): Promise<void>;
+export default function initAutoload(): Promise<void>;

package/dist/features/cloudcode/services/loadCloudCode.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.autoloadCloudCode = autoloadCloudCode;
+exports.default = initAutoload;
+const config_1 = require("../../config");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = require("path");
+const __1 = require("..");
+const checkCloudCodeFunction_1 = require("../helper/checkCloudCodeFunction");
+/**
+ * Autoloads cloud code files from the specified path. Each file MUST export an init() function.
+ *
+ * @param path - The path to the directory containing the cloud code files.
+ * @param regex - Optional regular expression to filter the file names. Defaults to /^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$/.
+ * @returns A promise that resolves when all the cloud code files have been loaded and initialized.
+ */
+async function autoloadCloudCode(path, regex = /^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$/) {
+    const cloudCodeHandler = __1.CloudCodeClass.getInstance();
+    const fns = fs_1.default
+        .readdirSync(path)
+        .filter((filename) => filename.endsWith(".js"))
+        .map((filename) => filename.replace(".js", ""))
+        .filter((name) => regex.test(name));
+    for (const name of fns) {
+        const module = require((0, path_1.join)(path, name));
+        if (!(0, checkCloudCodeFunction_1.isCloudCodeModule)(module)) {
+            console.warn(`[@openinc/parse-server-opendash] Skipping ${name}.js - missing or invalid init function`);
+            continue;
+        }
+        console.log(`[@openinc/parse-server-opendash] Autoloading ${name}.js`);
+        cloudCodeHandler.registerFunction(name, module.init);
+        await module.init().catch((e) => console.error(e));
+    }
+}
+async function initAutoload() {
+    const config = config_1.ConfigInstance.getInstance();
+    const path = config.get("AUTOLOAD_DIR");
+    if (path) {
+        await autoloadCloudCode((0, path_1.resolve)(process.cwd(), path));
+    }
+}

package/dist/features/cloudcode/types/CloudCodeFunction.d.ts

@@ -0,0 +1,7 @@
+export type CloudCodeFunction = () => Promise<void>;
+/**
+ * Represents a cloud code module that must export an init function.
+ */
+export type CloudCodeModule = {
+    init: CloudCodeFunction;
+};

package/dist/features/cloudcode/types/CloudCodeFunction.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/features/config/helper/getConfig.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Retrieves the value of a configuration key from OD3_Config.
+ * @param key - The key of the configuration to retrieve.
+ * @returns A promise that resolves to the value of the configuration key, or undefined if not found.
+ */
+export declare function getConfig(key: string): Promise<string | undefined>;
+/**
+ * Retrieves the value of a configuration key from OD3_Config as a boolean
+ * Converts the string value to a boolean value using the following rules:
+ * - "true" or "1" -> true
+ * - "false" or "0" -> false
+ * - undefined/null -> false
+ * - Any other value -> true
+ *
+ * @param key - The key of the configuration value.
+ * @returns A boolean value indicating the configuration value.
+ */
+export declare function getConfigBoolean(key: string): Promise<boolean>;

package/dist/features/config/helper/getConfig.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfig = getConfig;
+exports.getConfigBoolean = getConfigBoolean;
+const types_1 = require("../../../types");
+/**
+ * Retrieves the value of a configuration key from OD3_Config.
+ * @param key - The key of the configuration to retrieve.
+ * @returns A promise that resolves to the value of the configuration key, or undefined if not found.
+ */
+async function getConfig(key) {
+    const result = await new Parse.Query(types_1.Config).equalTo("key", key).first({
+        useMasterKey: true,
+    });
+    const value = result?.get("value");
+    console.log("[@openinc/parse-server-opendash][Config]", key, value);
+    return value || "";
+}
+/**
+ * Retrieves the value of a configuration key from OD3_Config as a boolean
+ * Converts the string value to a boolean value using the following rules:
+ * - "true" or "1" -> true
+ * - "false" or "0" -> false
+ * - undefined/null -> false
+ * - Any other value -> true
+ *
+ * @param key - The key of the configuration value.
+ * @returns A boolean value indicating the configuration value.
+ */
+async function getConfigBoolean(key) {
+    const value = await getConfig(key);
+    if (!value || value.toLowerCase() === "false" || value === "0") {
+        return false;
+    }
+    return true;
+}

package/dist/features/config/index.d.ts

@@ -5,3 +5,4 @@ export { ConfigKeys } from "./types/ConfigKeys";
 export { baseoptions } from "./helper/baseOptions";
 export { customoptions } from "./helper/customOptions";
 export { isFeatureEnabled } from "./helper/isFeatureEnabled";
+export { getConfig, getConfigBoolean } from "./helper/getConfig";

package/dist/features/config/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isFeatureEnabled = exports.customoptions = exports.baseoptions = exports.ConfigKeys = exports.ConfigInstance = exports.ConfigState = void 0;
+exports.getConfigBoolean = exports.getConfig = exports.isFeatureEnabled = exports.customoptions = exports.baseoptions = exports.ConfigKeys = exports.ConfigInstance = exports.ConfigState = void 0;
 var Config_1 = require("./states/Config");
 Object.defineProperty(exports, "ConfigState", { enumerable: true, get: function () { return Config_1.ConfigState; } });
 var ConfigInstance_1 = require("./services/ConfigInstance");
@@ -16,3 +16,6 @@ var customOptions_1 = require("./helper/customOptions");
 Object.defineProperty(exports, "customoptions", { enumerable: true, get: function () { return customOptions_1.customoptions; } });
 var isFeatureEnabled_1 = require("./helper/isFeatureEnabled");
 Object.defineProperty(exports, "isFeatureEnabled", { enumerable: true, get: function () { return isFeatureEnabled_1.isFeatureEnabled; } });
+var getConfig_1 = require("./helper/getConfig");
+Object.defineProperty(exports, "getConfig", { enumerable: true, get: function () { return getConfig_1.getConfig; } });
+Object.defineProperty(exports, "getConfigBoolean", { enumerable: true, get: function () { return getConfig_1.getConfigBoolean; } });

package/dist/features/permissions/helper/ensurePermission.d.ts

@@ -0,0 +1,10 @@
+import { Permission } from "../../../types";
+/**
+ * Ensures that a OD3_Permission with the specified key exists in the database.
+ * If the permission already exists, it updates the ACL if provided.
+ * If the permission does not exist, it creates a new permission with the specified key and ACL.
+ * @param key - The key of the permission.
+ * @param acl - The Parse.ACL to be set for the permission.
+ * @returns The updated or newly created permission.
+ */
+export declare function ensurePermission(key: string, acl?: Parse.ACL): Promise<Permission>;

package/dist/features/permissions/helper/ensurePermission.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensurePermission = ensurePermission;
+const types_1 = require("../../../types");
+/**
+ * Ensures that a OD3_Permission with the specified key exists in the database.
+ * If the permission already exists, it updates the ACL if provided.
+ * If the permission does not exist, it creates a new permission with the specified key and ACL.
+ * @param key - The key of the permission.
+ * @param acl - The Parse.ACL to be set for the permission.
+ * @returns The updated or newly created permission.
+ */
+async function ensurePermission(key, acl) {
+    const permission = await new Parse.Query(types_1.Permission)
+        .equalTo("key", key)
+        .first({ useMasterKey: true });
+    if (permission) {
+        if (acl) {
+            permission.setACL(acl);
+            return await permission.save(null, { useMasterKey: true });
+        }
+        return permission;
+    }
+    else {
+        const newPermission = new types_1.Permission({ key });
+        if (acl) {
+            newPermission.setACL(acl);
+        }
+        else {
+            newPermission.setACL(new Parse.ACL());
+        }
+        return await newPermission.save(null, { useMasterKey: true });
+    }
+}

package/dist/features/permissions/helper/hasPermission.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Checks if a user has a specific permission in OD3_Permission.
+ * @param sessionToken - The session token of the user.
+ * @param key - The key of the permission to check.
+ * @returns A promise that resolves to a boolean indicating whether the user has the permission.
+ */
+export declare function hasPermission(sessionToken: string, key: string): Promise<boolean>;

package/dist/features/permissions/helper/hasPermission.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasPermission = hasPermission;
+const types_1 = require("../../../types");
+/**
+ * Checks if a user has a specific permission in OD3_Permission.
+ * @param sessionToken - The session token of the user.
+ * @param key - The key of the permission to check.
+ * @returns A promise that resolves to a boolean indicating whether the user has the permission.
+ */
+async function hasPermission(sessionToken, key) {
+    const result = await new Parse.Query(types_1.Permission)
+        .equalTo("key", key)
+        .first({ sessionToken });
+    return !!result;
+}

package/dist/features/permissions/helper/requirePermission.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Checks if the user has the required permission to perform an operation using hasPermission().
+ * If the user does not have the required permission, an error is thrown.
+ *
+ * @param request - The request object containing the user's session token and masterkey status.
+ * @param key - The permission key required for the operation.
+ * @param message - The error message to be thrown if the user does not have the required permission.
+ * @returns A Promise that resolves if the user has the required permission, or throws an error if not.
+ */
+export declare function requirePermission(request: {
+    master?: boolean;
+    sessionToken: string | undefined;
+}, key: string | null, message: string): Promise<void>;

package/dist/features/permissions/helper/requirePermission.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requirePermission = requirePermission;
+const __1 = require("..");
+/**
+ * Checks if the user has the required permission to perform an operation using hasPermission().
+ * If the user does not have the required permission, an error is thrown.
+ *
+ * @param request - The request object containing the user's session token and masterkey status.
+ * @param key - The permission key required for the operation.
+ * @param message - The error message to be thrown if the user does not have the required permission.
+ * @returns A Promise that resolves if the user has the required permission, or throws an error if not.
+ */
+async function requirePermission(request, key, message) {
+    if (request.master) {
+        return;
+    }
+    if (!key) {
+        throw new Parse.Error(119, "Missing Permission (1): " + (message || key || "Master Key Only"));
+    }
+    if (!request.sessionToken) {
+        throw new Parse.Error(119, "Missing Permission (2): " + (message || key || "Master Key Only"));
+    }
+    const p = await (0, __1.hasPermission)(request.sessionToken, key);
+    if (!p) {
+        throw new Parse.Error(119, "Missing Permission (3): " + (message || key || "Master Key Only"));
+    }
+}

package/dist/features/permissions/index.d.ts

@@ -2,3 +2,6 @@ export { FunctionKeys, PermissionInterface, PermissionMap, } from "./types/Permi
 export { Permissions } from "./types/Permissions";
 export { RegisteredPermission } from "./states/PermissionClass";
 export { getAllPermissions, default as initPermissions, } from "./services/registerPermissions";
+export { ensurePermission } from "./helper/ensurePermission";
+export { hasPermission } from "./helper/hasPermission";
+export { requirePermission } from "./helper/requirePermission";

package/dist/features/permissions/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.initPermissions = exports.getAllPermissions = exports.RegisteredPermission = exports.Permissions = void 0;
+exports.requirePermission = exports.hasPermission = exports.ensurePermission = exports.initPermissions = exports.getAllPermissions = exports.RegisteredPermission = exports.Permissions = void 0;
 var Permissions_1 = require("./types/Permissions");
 Object.defineProperty(exports, "Permissions", { enumerable: true, get: function () { return Permissions_1.Permissions; } });
 var PermissionClass_1 = require("./states/PermissionClass");
@@ -11,3 +11,9 @@ Object.defineProperty(exports, "RegisteredPermission", { enumerable: true, get:
 var registerPermissions_1 = require("./services/registerPermissions");
 Object.defineProperty(exports, "getAllPermissions", { enumerable: true, get: function () { return registerPermissions_1.getAllPermissions; } });
 Object.defineProperty(exports, "initPermissions", { enumerable: true, get: function () { return __importDefault(registerPermissions_1).default; } });
+var ensurePermission_1 = require("./helper/ensurePermission");
+Object.defineProperty(exports, "ensurePermission", { enumerable: true, get: function () { return ensurePermission_1.ensurePermission; } });
+var hasPermission_1 = require("./helper/hasPermission");
+Object.defineProperty(exports, "hasPermission", { enumerable: true, get: function () { return hasPermission_1.hasPermission; } });
+var requirePermission_1 = require("./helper/requirePermission");
+Object.defineProperty(exports, "requirePermission", { enumerable: true, get: function () { return requirePermission_1.requirePermission; } });

package/dist/features/schema/classes/SchemaClass.d.ts

@@ -0,0 +1,9 @@
+export declare class SchemaClass {
+    private static instance;
+    private schema;
+    private constructor();
+    static getInstance(): SchemaClass;
+    setSchema(schema: Record<string, any>): void;
+    getSchema(): Record<string, any>;
+    getClassSchema(className: string): any | undefined;
+}

package/dist/features/schema/classes/SchemaClass.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SchemaClass = void 0;
+class SchemaClass {
+    constructor() {
+        this.schema = {};
+    }
+    static getInstance() {
+        if (!SchemaClass.instance) {
+            SchemaClass.instance = new SchemaClass();
+        }
+        return SchemaClass.instance;
+    }
+    setSchema(schema) {
+        this.schema = schema;
+    }
+    getSchema() {
+        return this.schema;
+    }
+    getClassSchema(className) {
+        return this.schema[className];
+    }
+}
+exports.SchemaClass = SchemaClass;

package/dist/features/schema/helper/defaultHandler.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Handles the default beforeSave() logic for a Parse.Object.
+ *
+ * This function will check if a user or tenant field is present in the schema and set the value to the current user and/or the tenant of the current user if not provided.
+ * This will also mark the user and tenant fields as immutable, preventing them from being edited in the future.
+ *
+ * @param request - The Parse.Cloud.BeforeSaveRequest object.
+ * @returns - Returns void.
+ * @throws - Throws an error if the user is not provided.
+ */
+export declare function defaultHandler(request: {
+    original?: Parse.Object;
+    object: Parse.Object;
+    user?: Parse.User;
+    master?: boolean;
+    sessionToken: string | undefined;
+}): Promise<void>;
+/**
+ * Handles the default Parse.ACL beforeSave() logic for a Parse.Object.
+ *
+ * This function will set the default ACL for the object based on the user and tenant fields. By default, the object will be readable and writable by the tenant role and readable by tenant users.
+ *
+ * @param request - The Parse.Cloud.BeforeSaveRequest object.
+ * @param options - Optional configuration options.
+ * @param options.allowCustomACL - Whether to allow custom ACL (default: false).
+ * @param options.allowTenantUserWrite - Whether to allow tenant users to write (default: false).
+ * @param options.denyTenantUserRead - Whether to deny tenant users from reading (default: false).
+ */
+export declare function defaultAclHandler(request: Parse.Cloud.BeforeSaveRequest, options?: {
+    allowCustomACL?: boolean;
+    allowTenantUserWrite?: boolean;
+    denyTenantUserRead?: boolean;
+}): Promise<void>;

package/dist/features/schema/helper/defaultHandler.js

@@ -0,0 +1,106 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultHandler = defaultHandler;
+exports.defaultAclHandler = defaultAclHandler;
+const __1 = require("..");
+const permissions_1 = require("../../permissions");
+const SchemaClass_1 = require("../classes/SchemaClass");
+/**
+ * Handles the default beforeSave() logic for a Parse.Object.
+ *
+ * This function will check if a user or tenant field is present in the schema and set the value to the current user and/or the tenant of the current user if not provided.
+ * This will also mark the user and tenant fields as immutable, preventing them from being edited in the future.
+ *
+ * @param request - The Parse.Cloud.BeforeSaveRequest object.
+ * @returns - Returns void.
+ * @throws - Throws an error if the user is not provided.
+ */
+async function defaultHandler(request) {
+    const className = request.object.className;
+    if (request.master) {
+        console.log(`[@openinc/parse-server-opendash] Skipping default beforeSave() handler of ${className} for masterkey`);
+        return;
+    }
+    if (!request.user) {
+        throw new Error();
+    }
+    const currentSchema = SchemaClass_1.SchemaClass.getInstance().getClassSchema(className);
+    if (!currentSchema) {
+        console.warn(`[@openinc/parse-server-opendash] Skipping default beforeSave() handler, no schema found for ${className}`);
+        return;
+    }
+    const userField = !!currentSchema?.fields?.user;
+    const tenantField = !!currentSchema?.fields?.tenant;
+    if (userField) {
+        await (0, __1.immutableField)(request, "user");
+    }
+    if (tenantField) {
+        await (0, __1.immutableField)(request, "tenant");
+    }
+    if (!request.original) {
+        if (userField) {
+            request.object.set("user", request.user);
+        }
+        if (tenantField) {
+            const user = (await request.user?.fetch({
+                useMasterKey: true,
+            }));
+            try {
+                await (0, permissions_1.requirePermission)(request, "opendash:can-admin-tenants", "User is not allowed to use tag which ignores tenant prefix");
+                if (!request.object.get("tenant")) {
+                    request.object.set("tenant", user.get("tenant"));
+                }
+            }
+            catch (error) {
+                request.object.set("tenant", user.get("tenant"));
+            }
+        }
+    }
+}
+/**
+ * Handles the default Parse.ACL beforeSave() logic for a Parse.Object.
+ *
+ * This function will set the default ACL for the object based on the user and tenant fields. By default, the object will be readable and writable by the tenant role and readable by tenant users.
+ *
+ * @param request - The Parse.Cloud.BeforeSaveRequest object.
+ * @param options - Optional configuration options.
+ * @param options.allowCustomACL - Whether to allow custom ACL (default: false).
+ * @param options.allowTenantUserWrite - Whether to allow tenant users to write (default: false).
+ * @param options.denyTenantUserRead - Whether to deny tenant users from reading (default: false).
+ */
+async function defaultAclHandler(request, options) {
+    const className = request.object.className;
+    const currentSchema = SchemaClass_1.SchemaClass.getInstance().getClassSchema(className);
+    if (!currentSchema) {
+        console.warn(`[@openinc/parse-server-opendash] Skipping default beforeSave() ACL handler, no schema found for ${className}`);
+        return;
+    }
+    const userField = !!currentSchema?.fields?.user;
+    const tenantField = !!currentSchema?.fields?.tenant;
+    if (!options?.allowCustomACL || !request.object.getACL()) {
+        request.object.setACL(new Parse.ACL());
+    }
+    const acl = request.object.getACL();
+    acl.setRoleReadAccess("od-admin", true);
+    acl.setRoleWriteAccess("od-admin", true);
+    if (userField) {
+        const user = request.object.get("user");
+        if (user) {
+            acl.setReadAccess(user.id, true);
+            acl.setWriteAccess(user.id, true);
+        }
+    }
+    if (tenantField) {
+        const tenant = request.object.get("tenant");
+        if (tenant) {
+            if (!options?.denyTenantUserRead) {
+                acl.setRoleReadAccess(`od-tenant-user-${tenant.id}`, true);
+            }
+            if (options?.allowTenantUserWrite) {
+                acl.setRoleWriteAccess(`od-tenant-user-${tenant.id}`, true);
+            }
+            acl.setRoleReadAccess(`od-tenant-admin-${tenant.id}`, true);
+            acl.setRoleWriteAccess(`od-tenant-admin-${tenant.id}`, true);
+        }
+    }
+}

package/dist/features/schema/helper/ensureRole.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Ensures the existence of a role with the specified name.
+ * If the role does not exist, it creates a new role with the given name and options.
+ * If the role already exists, it updates the role with the provided options.
+ *
+ * @param name - The name of the role.
+ * @param options - Optional parameters for the role.
+ * @param options.label - The label for the role.
+ * @param options.acl - The Parse.ACL for the role.
+ * @param options.childRoles - An array of child role names to be associated with the role.
+ * @returns A Promise that resolves when the role is successfully created or updated.
+ */
+export declare function ensureRole(name: string, options?: {
+    label?: string;
+    acl?: Parse.ACL;
+    childRoles?: string[];
+}): Promise<void>;

package/dist/features/schema/helper/ensureRole.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureRole = ensureRole;
+const fast_equals_1 = require("fast-equals");
+/**
+ * Ensures the existence of a role with the specified name.
+ * If the role does not exist, it creates a new role with the given name and options.
+ * If the role already exists, it updates the role with the provided options.
+ *
+ * @param name - The name of the role.
+ * @param options - Optional parameters for the role.
+ * @param options.label - The label for the role.
+ * @param options.acl - The Parse.ACL for the role.
+ * @param options.childRoles - An array of child role names to be associated with the role.
+ * @returns A Promise that resolves when the role is successfully created or updated.
+ */
+async function ensureRole(name, options) {
+    const label = options?.label || undefined;
+    const acl = options?.acl || new Parse.ACL();
+    const childRoles = options?.childRoles || undefined;
+    console.log(`[@openinc/parse-server-opendash] ensureRole(${name})`
+    // JSON.stringify({ label, acl, childRoles }, null, 2)
+    );
+    let role = await new Parse.Query(Parse.Role)
+        .equalTo("name", name)
+        .first({ useMasterKey: true });
+    if (!role) {
+        role = new Parse.Role(name, acl);
+        role.set("label", label);
+        try {
+            await role.save(null, {
+                useMasterKey: true,
+            });
+        }
+        catch (error) {
+            console.error("--------> Error creating role", error);
+        }
+    }
+    let changed = false;
+    if (role.get("label") !== label) {
+        role.set("label", label);
+        changed = true;
+    }
+    if (!(0, fast_equals_1.deepEqual)(acl.toJSON(), role.getACL()?.toJSON())) {
+        role.setACL(acl);
+        changed = true;
+    }
+    if (Array.isArray(childRoles) && childRoles.length > 0) {
+        const relation = role.getRoles();
+        const currentChildRoles = await relation
+            .query()
+            .find({ useMasterKey: true });
+        const currentChildRoleNames = currentChildRoles.map((role) => role.get("name"));
+        for (const childRoleName of childRoles) {
+            if (currentChildRoleNames.includes(childRoleName)) {
+                continue;
+            }
+            const childRole = await new Parse.Query(Parse.Role)
+                .equalTo("name", childRoleName)
+                .find({ useMasterKey: true });
+            relation.add(childRole);
+            changed = true;
+        }
+    }
+    if (changed) {
+        await role.save(null, { useMasterKey: true });
+    }
+}

package/dist/features/schema/helper/ensureUserRole.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Ensures that a user has a specific role.
+ * @param user The user to assign the role to.
+ * @param roleName The name of the role.
+ * @param add Specifies whether to add or remove the user from the role. Default is false (remove).
+ */
+export declare function ensureUserRole(user: Parse.User, roleName: string, add?: boolean): Promise<void>;