@rapidrest/service-core 1.0.0-beta.1

package/dist/lib/security/ACLUtils.js

@@ -0,0 +1,457 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+///////////////////////////////////////////////////////////////////////////////
+// Copyright (C) 2020-2026 Jean-Philippe Steinmetz. All rights reserved.
+///////////////////////////////////////////////////////////////////////////////
+import { ObjectDecorators, UserUtils, sleep } from "@rapidrest/core";
+import { AccessControlListSQL } from "./AccessControlListSQL.js";
+import { AccessControlListMongo } from "./AccessControlListMongo.js";
+import { ACLAction } from "./AccessControlList.js";
+import { ConnectionManager } from "../database/ConnectionManager.js";
+import { isSqlDataSource } from "../database/ConnectionKinds.js";
+import { MongoConnection } from "../database/MongoConnection.js";
+import { MongoRepository } from "../database/MongoRepository.js";
+const { Config, Inject } = ObjectDecorators;
+const CACHE_BASE_KEY = "db.cache.AccessControlList";
+/**
+ * Common utility functions for working with `AccessControlList` objects and validating user permissions.
+ */
+export class ACLUtils {
+    constructor() {
+        this.cacheTTL = 30;
+        this.trustedRoles = ["admin"];
+    }
+    get cacheClient() {
+        return this.connMgr?.connections.get("cache");
+    }
+    get repo() {
+        const conn = this.connMgr?.connections.get("acl");
+        if (conn instanceof MongoConnection) {
+            return conn.getRepository(AccessControlListMongo);
+        }
+        else if (isSqlDataSource(conn)) {
+            return conn.getRepository(AccessControlListSQL.name);
+        }
+        return undefined;
+    }
+    /**
+     * Checks to see if the provided user matches the providedUserOrRoleId.
+     * @param user The user to check.
+     * @param userOrRoleId The ACL record id to check against.
+     * @returns `true` if the user contains a `uid` or `role` that matches the `userOrRoleId`, otherwise `false`.
+     */
+    userMatchesId(user, userOrRoleId) {
+        if (!user?.uid) {
+            return userOrRoleId === "anonymous";
+        }
+        // Explicit wildcards — match any authenticated user; no regex engine involved
+        if (userOrRoleId === ".*" || userOrRoleId === "*")
+            return true;
+        if (user.uid === userOrRoleId)
+            return true;
+        if (user.roles) {
+            for (const role of user.roles) {
+                if (role === userOrRoleId)
+                    return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Validates that the user has permission to perform the request operation against the URL path for the
+     * provided request. If ACLUtils has not been initialized or the `acl` datastore has not been configured
+     * then always returns `true`.
+     *
+     * @param uid The uid of the access control list to verify against.
+     * @param user The user to validate.
+     * @param req The request whose URL path and method will be verified.
+     */
+    async checkRequestPerms(uid, user, req) {
+        let result = true;
+        // If no repo is set then ACL support is not configured so just return
+        if (!this.repo) {
+            return result;
+        }
+        let acl = await this.findACL(uid);
+        if (acl) {
+            // Make sure all parents are populated
+            if (!acl.parent) {
+                await this.populateParent(acl);
+            }
+            // First check if the user is trusted. Trusted users always have permission. We pass in the ACL uid as
+            // it may be an organization id in which case we want to also check for organizational trusted users.
+            if (UserUtils.hasRoles(user, this.trustedRoles, acl.uid)) {
+                result = true;
+            }
+            else {
+                // Check for the FULL permission. If granted it will supersede any others. Otherwise, we'll
+                // check individually based on the request method.
+                result = await this.hasPermission(user, acl, ACLAction.FULL);
+                if (!result) {
+                    // Map the request method to an ACLAction and test for permission
+                    switch (req.method.toLowerCase()) {
+                        case "delete":
+                            result = await this.hasPermission(user, acl, ACLAction.DELETE);
+                            break;
+                        case "get":
+                            result = await this.hasPermission(user, acl, ACLAction.READ);
+                            break;
+                        case "post":
+                            result = await this.hasPermission(user, acl, ACLAction.CREATE);
+                            break;
+                        case "put":
+                            result = await this.hasPermission(user, acl, ACLAction.UPDATE);
+                            break;
+                    }
+                }
+            }
+        }
+        return result;
+    }
+    /**
+     * Validates that the user has permission to perform the provided action using the given access control list.
+     *
+     * @param user The user to validate permissions of.
+     * @param acl The ACL or uid of an ACL to validate permissions against.
+     * @param action The action that the user desires permission for.
+     * @returns `true` if the user has at least one of the permissions granted for the given entity, otherwise `false`.
+     */
+    async hasPermission(user, acl, action) {
+        let result = null;
+        // If the repo isn't available, no acl was provided or the ACL string is empty just return, assume always true
+        if (!this.repo || !acl || acl === "") {
+            return true;
+        }
+        // First check if the user is trusted. Trusted users always have permission. We pass in the ACL uid as
+        // it may be an organization id in which case we want to also check for organizational trusted users.
+        if (UserUtils.hasRoles(user, this.trustedRoles, typeof acl === "string" ? acl : acl.uid)) {
+            return true;
+        }
+        // If a uid has been given look up the ACL associated with it and then process
+        if (typeof acl === "string") {
+            const entry = await this.findACL(acl);
+            return entry ? await this.hasPermission(user, entry, action) : false;
+        }
+        // Look for the first available record for the given user
+        const record = this.getRecord(acl, user);
+        // Validate the requested action against the record.
+        if (record) {
+            // A `FULL` permission grant overrides everything else
+            result = record.full;
+            if (!result) {
+                switch (action) {
+                    case ACLAction.CREATE:
+                        result = record.create;
+                        break;
+                    case ACLAction.DELETE:
+                        result = record.delete;
+                        break;
+                    case ACLAction.FULL:
+                        result =
+                            record.full ||
+                                (record.create && record.delete && record.read && record.special && record.update);
+                        break;
+                    case ACLAction.READ:
+                        result = record.read;
+                        break;
+                    case ACLAction.SPECIAL:
+                        result = record.special;
+                        break;
+                    case ACLAction.UPDATE:
+                        result = record.update;
+                        break;
+                }
+            }
+        }
+        // No matching record found — deny by default
+        return result !== null && result !== undefined ? result : false;
+    }
+    /**
+     * Retrieves the access control list with the associated identifier and populates the parent(s).
+     *
+     * @param entityId The unique identifier of the ACL to retrieve.
+     * @param parentUids The list of already found parent UIDs. This is used to break circular dependencies.
+     */
+    async findACL(entityId, parentUids = []) {
+        if (!this.repo) {
+            return null;
+        }
+        let acl = null;
+        // Retrieve the ACL from the cache if present
+        if (this.cacheClient) {
+            const json = await this.cacheClient.get(`${CACHE_BASE_KEY}.${entityId}`);
+            if (json) {
+                try {
+                    acl = JSON.parse(json);
+                }
+                catch (err) {
+                    // We don't care if this fails
+                }
+            }
+        }
+        // If the acl wasn't found in the cache look in the database
+        if (!acl) {
+            if (this.repo instanceof MongoRepository) {
+                acl = await this.repo
+                    .aggregate([{ $match: { uid: entityId } }])
+                    .limit(1)
+                    .next();
+                acl = acl ? new AccessControlListMongo(acl) : null;
+            }
+            else {
+                acl = await this.repo.findOne({ uid: entityId });
+                acl = acl ? new AccessControlListSQL(acl) : null;
+            }
+            // Store a copy in the cache for faster retrieval next time
+            if (acl && this.cacheClient) {
+                await this.cacheClient.setex(`${CACHE_BASE_KEY}.${entityId}`, this.cacheTTL, JSON.stringify(acl));
+            }
+        }
+        // Retrieve the parent ACL and assign it if available. Don't populate parents we've
+        // already found to prevent a circular dependency.
+        if (acl && acl.parentUid && !parentUids.includes(acl.parentUid)) {
+            parentUids.push(acl.parentUid);
+            acl.parent = await this.findACL(acl.parentUid, parentUids);
+        }
+        return acl;
+    }
+    /**
+     * Deletes the ACL with the given identifier from the database.
+     * @param uid The unique identifier of the ACL to remove.
+     */
+    async removeACL(uid) {
+        try {
+            if (this.repo instanceof MongoRepository) {
+                await this.repo.deleteOne({ uid });
+            }
+            else if (this.repo) {
+                await this.repo.delete({ uid });
+            }
+        }
+        catch (err) {
+            // It's okay if this fails because no document exists
+        }
+    }
+    /**
+     * Compares two ACLs to see if they have been modified and returns the total number of changes between them.
+     *
+     * @param aclA The source ACL to compare against.
+     * @param aclB The new ACL to compare with.
+     * @returns The total number of changes between the two ACLs.
+     */
+    diffACL(aclA, aclB) {
+        let result = 0;
+        // Did the parent change?
+        if (aclA.parentUid !== aclB.parentUid) {
+            result++;
+        }
+        // Did any of the records change from A to B?
+        for (const recordA of aclA.records) {
+            let foundRecord = undefined;
+            // Look for the same record in aclA
+            for (const recordB of aclB.records) {
+                if (recordA.userOrRoleId === recordB.userOrRoleId) {
+                    foundRecord = recordB;
+                    break;
+                }
+            }
+            if (foundRecord) {
+                // Check to see if any of the permissions changed for this record
+                result += foundRecord.create !== recordA.create ? 1 : 0;
+                result += foundRecord.delete !== recordA.delete ? 1 : 0;
+                result += foundRecord.full !== recordA.full ? 1 : 0;
+                result += foundRecord.read !== recordA.read ? 1 : 0;
+                result += foundRecord.special !== recordA.special ? 1 : 0;
+                result += foundRecord.update !== recordA.update ? 1 : 0;
+            }
+            else {
+                result++;
+            }
+        }
+        // Did any of the records change from B to A?
+        for (const recordB of aclB.records) {
+            let foundRecord = undefined;
+            // Look for the same record in aclA
+            for (const recordA of aclA.records) {
+                if (recordA.userOrRoleId === recordB.userOrRoleId) {
+                    foundRecord = recordA;
+                    break;
+                }
+            }
+            if (foundRecord) {
+                // Check to see if any of the permissions changed for this record
+                result += foundRecord.create !== recordB.create ? 1 : 0;
+                result += foundRecord.delete !== recordB.delete ? 1 : 0;
+                result += foundRecord.full !== recordB.full ? 1 : 0;
+                result += foundRecord.read !== recordB.read ? 1 : 0;
+                result += foundRecord.special !== recordB.special ? 1 : 0;
+                result += foundRecord.update !== recordB.update ? 1 : 0;
+            }
+            else {
+                result++;
+            }
+        }
+        return result;
+    }
+    /**
+     * Stores the given access control list into the ACL database.
+     *
+     * @param acl The ACL to store.
+     * @return Returns the ACL that was stored in the database.
+     */
+    async saveACL(acl) {
+        let result = null;
+        if (!acl) {
+            return result;
+        }
+        if (this.repo instanceof MongoRepository) {
+            const mACL = new AccessControlListMongo(acl);
+            const existing = await this.repo.findOne({ uid: acl.uid });
+            // If no changes have been made between versions ignore this request
+            if (existing && this.diffACL(existing, acl) === 0) {
+                return existing;
+            }
+            // Make sure that the versions match before we proceed
+            if (existing && existing.version !== mACL.version) {
+                throw new Error(`The acl to save must be of the same version. ACL=${acl.uid}, Expected=${existing.version}, Actual=${mACL.version}`);
+            }
+            const aclMongo = new AccessControlListMongo({
+                ...acl,
+                dateModifed: new Date(),
+                version: existing ? mACL.version + 1 : 0,
+            });
+            result = await this.repo.save(aclMongo);
+        }
+        else if (this.repo) {
+            const sACL = new AccessControlListSQL(acl);
+            const existing = await this.repo.findOne({ uid: acl.uid });
+            // If no changes have been made between versions ignore this request
+            if (existing && this.diffACL(existing, acl) === 0) {
+                return existing;
+            }
+            // Make sure that the versions match before we proceed
+            if (existing && existing.version !== sACL.version) {
+                throw new Error(`The acl to save must be of the same version. ACL=${acl.uid}, Expected=${existing.version}, Actual=${sACL.version}`);
+            }
+            const aclSQL = new AccessControlListSQL({
+                ...acl,
+                dateModifed: new Date(),
+                version: existing ? sACL.version + 1 : 0,
+            });
+            result = await this.repo.save(aclSQL);
+        }
+        // Store a copy in the cache for faster retrieval next time
+        if (this.cacheClient && result) {
+            await this.cacheClient.setex(`${CACHE_BASE_KEY}.${result.uid}`, this.cacheTTL, JSON.stringify(result));
+        }
+        return result;
+    }
+    /**
+     * Stores the given default access control list into the ACL database. A default ACL is a special type of ACL
+     * that is primarily defined and maintained within the code but allows for user-specific overrides. To accomplish
+     * this, the provided ACL is split in two. A new record is automatically created with the `uid` of the form
+     * `default_<uid>` that stores the exact record as provided by code. Then a second ACL record is created
+     * with the `uid` being that of what is passed as the argument. This second ACL is used to store user-defined
+     * overrides. As the `default_<uid>` record is always overwritten with the lastest version of the code, any
+     * user-defined changes made to it are lost on service restart.
+     *
+     * @param defaultAcl
+     * @returns
+     */
+    async saveDefaultACL(acl) {
+        let result = null;
+        if (!acl) {
+            return result;
+        }
+        // Make a copy of `acl` with a new name for our default_ record
+        let defaultAcl = {
+            ...acl,
+            uid: `default_${acl.uid}`,
+        };
+        // Attempt to update the default ACL record. If a version mismatch occurs we will try again.
+        const maxAttempts = 3;
+        let attempts = 0;
+        while (attempts++ < maxAttempts) {
+            try {
+                // Two documents are stored for each default ACL. A record named `default_<NAME>`
+                // and another named `<NAME>`. The `<NAME>` record stores the user-defined
+                // overrides that overlay the `default_<NAME>` document. The `default_<NAME>` is
+                // therefore always updated with whatever is provided as the `defaultAcl` argument.
+                const existing = await this.findACL(defaultAcl.uid);
+                if (existing) {
+                    // Copy over the new records from code
+                    existing.records = defaultAcl.records;
+                    defaultAcl = existing;
+                }
+                else {
+                    // Create the user-defined override record
+                    result = await this.saveACL({
+                        uid: acl.uid,
+                        parentUid: defaultAcl.uid,
+                        records: [],
+                    });
+                }
+                // Always save the ACL into the datastore
+                await this.saveACL(defaultAcl);
+                attempts = maxAttempts;
+            }
+            catch (err) {
+                if (attempts < maxAttempts) {
+                    // Wait a brief moment before we try again. Stagger the time to avoid race conditions.
+                    await sleep(Math.floor(Math.random() * 1000));
+                }
+                else {
+                    // Rethrow if we're out of retries
+                    throw err;
+                }
+            }
+        }
+        return result;
+    }
+    /**
+     * Retrieves the first available record in the provided ACL associated with the provided user.
+     *
+     * @param acl The access control list that will be searched.
+     * @param user The user to find a record for.
+     * @returns The ACL record associated with the given user if found, otherwise `undefined`.
+     */
+    getRecord(acl, user) {
+        if (!acl) {
+            return null;
+        }
+        for (const record of acl.records) {
+            if (this.userMatchesId(user, record.userOrRoleId)) {
+                return record;
+            }
+        }
+        return acl.parent ? this.getRecord(acl.parent, user) : null;
+    }
+    /**
+     * Attempts to retrieve the parent access control list for the given ACL object.
+     *
+     * @param acl The access control list whose parents will be populated.
+     * @param parentUids The list of already found parent UIDs. This is used to break circular dependencies.
+     */
+    async populateParent(acl, parentUids = []) {
+        if (acl && acl.parentUid) {
+            parentUids.push(acl.parentUid);
+            acl.parent = await this.findACL(acl.parentUid, parentUids);
+        }
+    }
+}
+__decorate([
+    Inject(ConnectionManager),
+    __metadata("design:type", ConnectionManager)
+], ACLUtils.prototype, "connMgr", void 0);
+__decorate([
+    Config("trusted_roles", ["admin"]),
+    __metadata("design:type", Array)
+], ACLUtils.prototype, "trustedRoles", void 0);
+//# sourceMappingURL=ACLUtils.js.map

package/dist/lib/security/ACLUtils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ACLUtils.js","sourceRoot":"","sources":["../../../src/security/ACLUtils.ts"],"names":[],"mappings":";;;;;;;;;AAAA,+EAA+E;AAC/E,wEAAwE;AACxE,+EAA+E;AAC/E,OAAO,EAAW,gBAAgB,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAGrE,OAAO,EAAqB,SAAS,EAAa,MAAM,wBAAwB,CAAC;AAEjF,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC;AAE5C,MAAM,cAAc,GAAW,4BAA4B,CAAC;AAE5D;;GAEG;AACH,MAAM,OAAO,QAAQ;IAArB;QACY,aAAQ,GAAW,EAAE,CAAC;QAItB,iBAAY,GAAa,CAAC,OAAO,CAAC,CAAC;IA0c/C,CAAC;IAxcG,IAAY,WAAW;QACnB,OAAO,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,OAAO,CAAsB,CAAC;IACvE,CAAC;IAED,IAAY,IAAI;QACZ,MAAM,IAAI,GAAQ,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACvD,IAAI,IAAI,YAAY,eAAe,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,aAAa,CAAC,sBAAsB,CAAC,CAAC;QACtD,CAAC;aAAM,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,SAAS,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACK,aAAa,CAAC,IAAyB,EAAE,YAAoB;QACjE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC;YACb,OAAO,YAAY,KAAK,WAAW,CAAC;QACxC,CAAC;QACD,8EAA8E;QAC9E,IAAI,YAAY,KAAK,IAAI,IAAI,YAAY,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAC/D,IAAI,IAAI,CAAC,GAAG,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QAC3C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC5B,IAAI,IAAI,KAAK,YAAY;oBAAE,OAAO,IAAI,CAAC;YAC3C,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,iBAAiB,CAAC,GAAW,EAAE,IAAyB,EAAE,GAAY;QAC/E,IAAI,MAAM,GAAY,IAAI,CAAC;QAE3B,sEAAsE;QACtE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACb,OAAO,MAAM,CAAC;QAClB,CAAC;QAED,IAAI,GAAG,GAA6B,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACN,sCAAsC;YACtC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YACnC,CAAC;YAED,sGAAsG;YACtG,qGAAqG;YACrG,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvD,MAAM,GAAG,IAAI,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACJ,2FAA2F;gBAC3F,kDAAkD;gBAClD,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;gBAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;oBACV,iEAAiE;oBACjE,QAAQ,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;wBAC/B,KAAK,QAAQ;4BACT,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;4BAC/D,MAAM;wBACV,KAAK,KAAK;4BACN,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;4BAC7D,MAAM;wBACV,KAAK,MAAM;4BACP,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;4BAC/D,MAAM;wBACV,KAAK,KAAK;4BACN,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;4BAC/D,MAAM;oBACd,CAAC;gBACL,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,aAAa,CACtB,IAAyB,EACzB,GAA+B,EAC/B,MAAiB;QAEjB,IAAI,MAAM,GAAmB,IAAI,CAAC;QAElC,8GAA8G;QAC9G,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,sGAAsG;QACtG,qGAAqG;QACrG,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvF,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,8EAA8E;QAC9E,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,KAAK,GAA6B,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACzE,CAAC;QAED,yDAAyD;QACzD,MAAM,MAAM,GAAqB,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3D,oDAAoD;QACpD,IAAI,MAAM,EAAE,CAAC;YACT,sDAAsD;YACtD,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;YAErB,IAAI,CAAC,MAAM,EAAE,CAAC;gBACV,QAAQ,MAAM,EAAE,CAAC;oBACb,KAAK,SAAS,CAAC,MAAM;wBACjB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;wBACvB,MAAM;oBACV,KAAK,SAAS,CAAC,MAAM;wBACjB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;wBACvB,MAAM;oBACV,KAAK,SAAS,CAAC,IAAI;wBACf,MAAM;4BACF,MAAM,CAAC,IAAI;gCACX,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;wBACvF,MAAM;oBACV,KAAK,SAAS,CAAC,IAAI;wBACf,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;wBACrB,MAAM;oBACV,KAAK,SAAS,CAAC,OAAO;wBAClB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC;wBACxB,MAAM;oBACV,KAAK,SAAS,CAAC,MAAM;wBACjB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;wBACvB,MAAM;gBACd,CAAC;YACL,CAAC;QACL,CAAC;QAED,6CAA6C;QAC7C,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;IACpE,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,aAAuB,EAAE;QAC5D,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,GAAG,GAA6B,IAAI,CAAC;QAEzC,6CAA6C;QAC7C,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,MAAM,IAAI,GAAkB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,cAAc,IAAI,QAAQ,EAAE,CAAC,CAAC;YACxF,IAAI,IAAI,EAAE,CAAC;gBACP,IAAI,CAAC;oBACD,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3B,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACX,8BAA8B;gBAClC,CAAC;YACL,CAAC;QACL,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,IAAI,IAAI,CAAC,IAAI,YAAY,eAAe,EAAE,CAAC;gBACvC,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI;qBAChB,SAAS,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;qBAC1C,KAAK,CAAC,CAAC,CAAC;qBACR,IAAI,EAAE,CAAC;gBACZ,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACJ,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAS,CAAC,CAAC;gBACxD,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACrD,CAAC;YAED,2DAA2D;YAC3D,IAAI,GAAG,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC1B,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,cAAc,IAAI,QAAQ,EAAE,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;YACtG,CAAC;QACL,CAAC;QAED,mFAAmF;QACnF,kDAAkD;QAClD,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9D,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/B,GAAG,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,GAAG,CAAC;IACf,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,GAAW;QAC9B,IAAI,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,YAAY,eAAe,EAAE,CAAC;gBACvC,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;YACvC,CAAC;iBAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;YACpC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,qDAAqD;QACzD,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACK,OAAO,CAAC,IAAuB,EAAE,IAAuB;QAC5D,IAAI,MAAM,GAAW,CAAC,CAAC;QAEvB,yBAAyB;QACzB,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACpC,MAAM,EAAE,CAAC;QACb,CAAC;QAED,6CAA6C;QAC7C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,WAAW,GAA0B,SAAS,CAAC;YAEnD,mCAAmC;YACnC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjC,IAAI,OAAO,CAAC,YAAY,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC;oBAChD,WAAW,GAAG,OAAO,CAAC;oBACtB,MAAM;gBACV,CAAC;YACL,CAAC;YAED,IAAI,WAAW,EAAE,CAAC;gBACd,iEAAiE;gBACjE,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,WAAW,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,WAAW,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,WAAW,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1D,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACJ,MAAM,EAAE,CAAC;YACb,CAAC;QACL,CAAC;QAED,6CAA6C;QAC7C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,WAAW,GAA0B,SAAS,CAAC;YAEnD,mCAAmC;YACnC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjC,IAAI,OAAO,CAAC,YAAY,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC;oBAChD,WAAW,GAAG,OAAO,CAAC;oBACtB,MAAM;gBACV,CAAC;YACL,CAAC;YAED,IAAI,WAAW,EAAE,CAAC;gBACd,iEAAiE;gBACjE,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,WAAW,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,WAAW,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,WAAW,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1D,MAAM,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACJ,MAAM,EAAE,CAAC;YACb,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,GAAsB;QACvC,IAAI,MAAM,GAA6B,IAAI,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,OAAO,MAAM,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,YAAY,eAAe,EAAE,CAAC;YACvC,MAAM,IAAI,GAA2B,IAAI,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACrE,MAAM,QAAQ,GAAkC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAS,CAAC,CAAC;YACjG,oEAAoE;YACpE,IAAI,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChD,OAAO,QAAQ,CAAC;YACpB,CAAC;YACD,sDAAsD;YACtD,IAAI,QAAQ,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CACX,oDAAoD,GAAG,CAAC,GAAG,cAAc,QAAQ,CAAC,OAAO,YAAY,IAAI,CAAC,OAAO,EAAE,CACtH,CAAC;YACN,CAAC;YACD,MAAM,QAAQ,GAA2B,IAAI,sBAAsB,CAAC;gBAChE,GAAG,GAAG;gBACN,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3C,CAAC,CAAC;YACH,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,GAAyB,IAAI,oBAAoB,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAgC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAS,CAAC,CAAC;YAC/F,oEAAoE;YACpE,IAAI,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChD,OAAO,QAAQ,CAAC;YACpB,CAAC;YACD,sDAAsD;YACtD,IAAI,QAAQ,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CACX,oDAAoD,GAAG,CAAC,GAAG,cAAc,QAAQ,CAAC,OAAO,YAAY,IAAI,CAAC,OAAO,EAAE,CACtH,CAAC;YACN,CAAC;YACD,MAAM,MAAM,GAAyB,IAAI,oBAAoB,CAAC;gBAC1D,GAAG,GAAG;gBACN,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3C,CAAC,CAAC;YACH,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,2DAA2D;QAC3D,IAAI,IAAI,CAAC,WAAW,IAAI,MAAM,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,cAAc,IAAI,MAAM,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3G,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;OAWG;IACI,KAAK,CAAC,cAAc,CAAC,GAAsB;QAC9C,IAAI,MAAM,GAA6B,IAAI,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,OAAO,MAAM,CAAC;QAClB,CAAC;QAED,+DAA+D;QAC/D,IAAI,UAAU,GAAsB;YAChC,GAAG,GAAG;YACN,GAAG,EAAE,WAAW,GAAG,CAAC,GAAG,EAAE;SAC5B,CAAC;QAEF,4FAA4F;QAC5F,MAAM,WAAW,GAAW,CAAC,CAAC;QAC9B,IAAI,QAAQ,GAAW,CAAC,CAAC;QACzB,OAAO,QAAQ,EAAE,GAAG,WAAW,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACD,iFAAiF;gBACjF,0EAA0E;gBAC1E,gFAAgF;gBAChF,mFAAmF;gBACnF,MAAM,QAAQ,GAA6B,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;gBAE9E,IAAI,QAAQ,EAAE,CAAC;oBACX,sCAAsC;oBACtC,QAAQ,CAAC,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC;oBACtC,UAAU,GAAG,QAAQ,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACJ,0CAA0C;oBAC1C,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC;wBACxB,GAAG,EAAE,GAAG,CAAC,GAAG;wBACZ,SAAS,EAAE,UAAU,CAAC,GAAG;wBACzB,OAAO,EAAE,EAAE;qBACd,CAAC,CAAC;gBACP,CAAC;gBAED,yCAAyC;gBACzC,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC/B,QAAQ,GAAG,WAAW,CAAC;YAC3B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,IAAI,QAAQ,GAAG,WAAW,EAAE,CAAC;oBACzB,sFAAsF;oBACtF,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;gBAClD,CAAC;qBAAM,CAAC;oBACJ,kCAAkC;oBAClC,MAAM,GAAG,CAAC;gBACd,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,GAAsB,EAAE,IAAyB;QAC9D,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAC/B,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBAChD,OAAO,MAAM,CAAC;YAClB,CAAC;QACL,CAAC;QAED,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,cAAc,CAAC,GAAsB,EAAE,aAAuB,EAAE;QACzE,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/B,GAAG,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;CACJ;AA5cW;IADP,MAAM,CAAC,iBAAiB,CAAC;8BACR,iBAAiB;yCAAC;AAE5B;IADP,MAAM,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC;;8CACQ"}

package/dist/lib/security/AccessControlList.js

@@ -0,0 +1,18 @@
+///////////////////////////////////////////////////////////////////////////////
+// Copyright (C) 2020-2026 Jean-Philippe Steinmetz. All rights reserved.
+///////////////////////////////////////////////////////////////////////////////
+/**
+ * Describes the various permission actions that can be performed against an entity.
+ *
+ * @author Jean-Philippe Steinmetz <rapidrests@gmail.com>
+ */
+export var ACLAction;
+(function (ACLAction) {
+    ACLAction["CREATE"] = "CREATE";
+    ACLAction["DELETE"] = "DELETE";
+    ACLAction["FULL"] = "FULL";
+    ACLAction["READ"] = "READ";
+    ACLAction["SPECIAL"] = "SPECIAL";
+    ACLAction["UPDATE"] = "UPDATE";
+})(ACLAction || (ACLAction = {}));
+//# sourceMappingURL=AccessControlList.js.map

package/dist/lib/security/AccessControlList.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AccessControlList.js","sourceRoot":"","sources":["../../../src/security/AccessControlList.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,wEAAwE;AACxE,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,CAAN,IAAY,SAOX;AAPD,WAAY,SAAS;IACjB,8BAAiB,CAAA;IACjB,8BAAiB,CAAA;IACjB,0BAAa,CAAA;IACb,0BAAa,CAAA;IACb,gCAAmB,CAAA;IACnB,8BAAiB,CAAA;AACrB,CAAC,EAPW,SAAS,KAAT,SAAS,QAOpB"}

package/dist/lib/security/AccessControlListMongo.js

@@ -0,0 +1,155 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+///////////////////////////////////////////////////////////////////////////////
+// Copyright (C) 2020-2026 Jean-Philippe Steinmetz. All rights reserved.
+///////////////////////////////////////////////////////////////////////////////
+import { DocDecorators, ModelDecorators } from "../decorators/index.js";
+import { BaseMongoEntity } from "../models/index.js";
+import { Column, Entity, Index } from "../decorators/PersistenceDecorators.js";
+const { Description, TypeInfo } = DocDecorators;
+const { Cache, DataStore } = ModelDecorators;
+/**
+ * Implementation of the `ACLRecord` interface for use with MongoDB databases.
+ */
+let ACLRecordMongo = class ACLRecordMongo {
+    constructor(other) {
+        if (other) {
+            this.userOrRoleId = other.userOrRoleId;
+            this.create = "create" in other ? other.create : null;
+            this.read = "read" in other ? other.read : null;
+            this.update = "update" in other ? other.update : null;
+            this.delete = "delete" in other ? other.delete : null;
+            this.special = "special" in other ? other.special : null;
+            this.full = "full" in other ? other.full : null;
+        }
+        else {
+            throw new Error("Argument other cannot be null.");
+        }
+    }
+};
+__decorate([
+    Description("The unique identiifer of the user or role that the record will apply to. This can also be a regular expression to match multiple users or roles."),
+    Column(),
+    Index("userOrRoleId"),
+    __metadata("design:type", String)
+], ACLRecordMongo.prototype, "userOrRoleId", void 0);
+__decorate([
+    Description("The user or role can create a new record or object."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "create", void 0);
+__decorate([
+    Description("The user or role can read the record or object."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "read", void 0);
+__decorate([
+    Description("The user or role can modify existing records or objects."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "update", void 0);
+__decorate([
+    Description("The user or role can delete existing records or objects."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "delete", void 0);
+__decorate([
+    Description("The user or role has special prilieges to edit the ACL permissions."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "special", void 0);
+__decorate([
+    Description("The user or role has total control over the record or object and supersedes any of the above."),
+    Column(),
+    TypeInfo([Boolean]),
+    __metadata("design:type", Object)
+], ACLRecordMongo.prototype, "full", void 0);
+ACLRecordMongo = __decorate([
+    Entity(),
+    Description(`
+The \`ACLRecord\` interface describes a single permissions entry in an \`AccessControlList\` that grants or denies a set of permissions to a single user or role.
+
+Each permission can be one of the following actions:
+ - \`Create\` - The user or role can create a new record or object.
+ - \`Read\` - The user or role can read the record or object.
+ - \`Update\` - The user or role can modify existing records or objects.
+ - \`Delete\` - The user or role can delete existing records or objects.
+ - \`Special\` - The user or role has special prilieges to edit the ACL permissions.
+ - \`Full\` - The user or role has total control over the record or object and supersedes any of the above.`),
+    __metadata("design:paramtypes", [Object])
+], ACLRecordMongo);
+export { ACLRecordMongo };
+/**
+ * Implementation of the `AccessControlList` interface for use with MongoDB databases.
+ */
+let AccessControlListMongo = class AccessControlListMongo extends BaseMongoEntity {
+    constructor(other) {
+        super(other);
+        this.records = [];
+        if (other) {
+            this.parent = "parent" in other ? other.parent : this.parent;
+            this.parentUid = "parentUid" in other ? other.parentUid : this.parentUid;
+            if (other.records) {
+                this.records = [];
+                for (const record of other.records) {
+                    const newRecord = new ACLRecordMongo(record);
+                    this.records.push(newRecord);
+                }
+            }
+        }
+    }
+};
+__decorate([
+    Description("The universally unique identifier of the parent `AccessControlList` that this object will inherit permissions from."),
+    Column(),
+    Index("parentUid"),
+    TypeInfo([String]),
+    __metadata("design:type", Object)
+], AccessControlListMongo.prototype, "parentUid", void 0);
+__decorate([
+    Description("The list of all permission records associated with this access control list."),
+    Column(),
+    TypeInfo([[Array, ACLRecordMongo]]),
+    __metadata("design:type", Array)
+], AccessControlListMongo.prototype, "records", void 0);
+AccessControlListMongo = __decorate([
+    DataStore("acl"),
+    Entity(),
+    Cache(3600),
+    Description(`The access control list provides a generic interface for the storage of user and roles permissions. Each ACL object
+ represents the permission set for a single entity within the system. The entity is identified generically by its
+ universally unique identifier (\`uuid\`). Each entry in the ACL records the permissions available to a particular user
+ or role.
+
+ Each permission can be one of the following actions:
+ - \`Create\` - The user or role can create a new record or object.
+ - \`Read\` - The user or role can read the record or object.
+ - \`Update\` - The user or role can modify existing records or objects.
+ - \`Delete\` - The user or role can delete existing records or objects.
+ - \`Special\` - The user or role has special prilieges to edit the ACL permissions.
+ - \`Full\` - The user or role has total control over the record or object and supersedes any of the above.
+
+ For each of the above actions the user or role will be granted either an \`allow\` permission or a \`deny\` permission.
+ If an \`allow\` is granted, the user or role has permission to perform that action. If a \`deny\` is set, then the user
+ or role is denied that action. If no explicit \`allow\` or \`deny\` is set then the user or role will inherit the
+ permission from a parent role or ACL.
+
+ ACLs can be chained via single inheritance through the specification of the \`parentUid\`. This allows the ability to
+ create complex trees of permissions that can easily inherit control schemes to make the definition of permissions
+ easier.`),
+    __metadata("design:paramtypes", [Object])
+], AccessControlListMongo);
+export { AccessControlListMongo };
+//# sourceMappingURL=AccessControlListMongo.js.map