@stamhoofd/structures 2.1.1 → 2.1.3

package/dist/src/Permissions.js

@@ -1,10 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FilledUserPermissions = exports.UserPermissions = exports.Permissions = exports.PermissionsByRole = exports.PermissionRoleDetailed = exports.PermissionRole = exports.getPermissionLevelNumber = exports.PermissionLevel = void 0;
+exports.LoadedPermissions = exports.Permissions = exports.PermissionsByRole = exports.PermissionRoleDetailed = exports.ResourcePermissions = exports.getPermissionResourceTypeName = exports.PermissionsResourceType = exports.PermissionRole = exports.getPermissionLevelName = exports.getPermissionLevelNumber = exports.AccessRightHelper = exports.AccessRight = exports.PermissionLevel = void 0;
 const tslib_1 = require("tslib");
 const simple_encoding_1 = require("@simonbackx/simple-encoding");
 const utility_1 = require("@stamhoofd/utility");
 const uuid_1 = require("uuid");
+/**
+ * PermissionLevels are used to grant permissions to specific resources or system wide
+ */
 var PermissionLevel;
 (function (PermissionLevel) {
     /** No access */
@@ -16,6 +19,96 @@ var PermissionLevel;
     /** Full access */
     PermissionLevel["Full"] = "Full";
 })(PermissionLevel || (exports.PermissionLevel = PermissionLevel = {}));
+/**
+ * More granular access rights to specific things in the system
+ */
+var AccessRight;
+(function (AccessRight) {
+    // Platform level permissions
+    /**
+     * Allows the user to log in as a full-access admin to a specific organization
+     */
+    AccessRight["PlatformLoginAs"] = "PlatformLoginAs";
+    // Organization level permissions
+    AccessRight["OrganizationCreateWebshops"] = "OrganizationCreateWebshops";
+    AccessRight["OrganizationManagePayments"] = "OrganizationManagePayments";
+    AccessRight["OrganizationFinanceDirector"] = "OrganizationFinanceDirector";
+    AccessRight["OrganizationCreateGroups"] = "OrganizationCreateGroups";
+    // Member data access rights
+    // Note: in order to read or write any data at all, a user first needs to have normal resource access to a group, category or organization
+    // So general data (name, birthday, gender, address, email, parents, emergency contacts) access can be controlled in that way (this doesn't have a separate access right).
+    AccessRight["MemberReadFinancialData"] = "MemberReadFinancialData";
+    AccessRight["MemberWriteFinancialData"] = "MemberWriteFinancialData";
+    // Webshop level permissions
+    AccessRight["WebshopScanTickets"] = "WebshopScanTickets";
+})(AccessRight || (exports.AccessRight = AccessRight = {}));
+class AccessRightHelper {
+    static getName(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'Inloggen als hoofdbeheerder';
+            case AccessRight.OrganizationFinanceDirector: return 'Toegang tot volledige boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'Overschrijvingen beheren';
+            case AccessRight.OrganizationCreateWebshops: return 'Webshops maken';
+            case AccessRight.OrganizationCreateGroups: return 'Groepen maken';
+            case AccessRight.WebshopScanTickets: return 'Tickets scannen';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Bekijk rekening leden';
+            case AccessRight.MemberWriteFinancialData: return 'Bewerk rekening leden';
+        }
+    }
+    static getNameShort(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'Inloggen';
+            case AccessRight.OrganizationFinanceDirector: return 'Boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'Overschrijvingen';
+            case AccessRight.OrganizationCreateWebshops: return 'Maken';
+            case AccessRight.OrganizationCreateGroups: return 'Maken';
+            case AccessRight.WebshopScanTickets: return 'Scannen';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Lidgeld bekijken';
+            case AccessRight.MemberWriteFinancialData: return 'Lidgeld bewerken';
+        }
+    }
+    static getDescription(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'inloggen als hoofdbeheerder';
+            case AccessRight.OrganizationFinanceDirector: return 'volledige boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'overschrijvingen';
+            case AccessRight.OrganizationCreateWebshops: return 'webshops maken';
+            case AccessRight.OrganizationCreateGroups: return 'groepen maken';
+            case AccessRight.WebshopScanTickets: return 'scannen van tickets';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Openstaande bedragen bekijken';
+            case AccessRight.MemberWriteFinancialData: return 'Openstaande bedragen bewerken';
+        }
+    }
+    /**
+     * If a user has a certain permission level, automatically grant the specific access right
+     * By default only full permissions gives all access rights, but you can tweak it:
+     * E.g., give webshop scan rights if you also have write access to that webshop
+     */
+    static autoGrantRightForLevel(right) {
+        switch (right) {
+            case AccessRight.WebshopScanTickets: return PermissionLevel.Write;
+            case AccessRight.OrganizationCreateGroups: return null; // Not included in full access
+        }
+        return PermissionLevel.Full;
+    }
+    /**
+     * Automatically grant a user access rights if they have a certain right
+     */
+    static autoInheritFrom(right) {
+        switch (right) {
+            // Finance director also has manage payments permissions automatically
+            case AccessRight.OrganizationManagePayments: return [AccessRight.OrganizationFinanceDirector];
+            // Finance director also can view and edit member financial data
+            case AccessRight.MemberReadFinancialData: return [AccessRight.OrganizationFinanceDirector];
+            case AccessRight.MemberWriteFinancialData: return [AccessRight.OrganizationFinanceDirector];
+        }
+        return [];
+    }
+}
+exports.AccessRightHelper = AccessRightHelper;
 function getPermissionLevelNumber(level) {
     switch (level) {
         case PermissionLevel.None: return 0;
@@ -29,6 +122,19 @@ function getPermissionLevelNumber(level) {
     }
 }
 exports.getPermissionLevelNumber = getPermissionLevelNumber;
+function getPermissionLevelName(level) {
+    switch (level) {
+        case PermissionLevel.None: return 'Geen basistoegang';
+        case PermissionLevel.Read: return 'Lezen';
+        case PermissionLevel.Write: return 'Bewerken';
+        case PermissionLevel.Full: return 'Volledige toegang';
+        default: {
+            const l = level; // will throw compile error if new levels are added without editing this method
+            throw new Error("Unknown permission level " + l);
+        }
+    }
+}
+exports.getPermissionLevelName = getPermissionLevelName;
 class PermissionRole extends simple_encoding_1.AutoEncoder {
     constructor() {
         super(...arguments);
@@ -42,31 +148,110 @@ tslib_1.__decorate([
 tslib_1.__decorate([
     (0, simple_encoding_1.field)({ decoder: simple_encoding_1.StringDecoder })
 ], PermissionRole.prototype, "name", void 0);
-class PermissionRoleDetailed extends PermissionRole {
+/**
+ * More granular access rights to specific things in the system
+ */
+var PermissionsResourceType;
+(function (PermissionsResourceType) {
+    PermissionsResourceType["Webshops"] = "Webshops";
+    PermissionsResourceType["Groups"] = "Groups";
+    PermissionsResourceType["GroupCategories"] = "GroupCategories";
+    PermissionsResourceType["OrganizationTags"] = "OrganizationTags";
+    PermissionsResourceType["RecordCategories"] = "RecordCategory";
+})(PermissionsResourceType || (exports.PermissionsResourceType = PermissionsResourceType = {}));
+function getPermissionResourceTypeName(type, plural = true) {
+    switch (type) {
+        case PermissionsResourceType.Webshops: return plural ? 'webshops' : 'webshop';
+        case PermissionsResourceType.Groups: return plural ? 'inschrijvingsgroepen' : 'inschrijvingsgroep';
+        case PermissionsResourceType.GroupCategories: return plural ? 'categorieën' : 'categorie';
+        case PermissionsResourceType.OrganizationTags: return plural ? 'tags' : 'tag';
+        case PermissionsResourceType.RecordCategories: return plural ? 'vragenlijsten' : 'vragenlijst';
+    }
+}
+exports.getPermissionResourceTypeName = getPermissionResourceTypeName;
+/**
+ * More granular access rights to specific things in the system
+ */
+class ResourcePermissions extends simple_encoding_1.AutoEncoder {
     constructor() {
         super(...arguments);
         /**
-         * Generic access to all resources
+         * This is a cache so we can display the role description without fetching all resources
          */
-        this.level = PermissionLevel.None;
-        // Todo: all these flag based permissions should move to a flag list
-        // so it is easier to add more permission levels in the future.
-        // also, permission flags should be prefixed with either organization or platform (e.g. managing invoices of the platform vs managing finances of all organizations)
+        this.resourceName = "";
         /**
-         * Access to open transfers
+         * Setting it to full gives all possible permissions for the resource
+         * Read/Write depends on resource
          */
-        this.managePayments = false;
+        this.level = PermissionLevel.None;
         /**
-         * Full payments access
+         * More granular permissions related to this resource
          */
-        this.financeDirector = false;
+        this.accessRights = [];
+    }
+    hasAccess(level) {
+        return getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        return (gl && this.hasAccess(gl)) || this.accessRights.includes(right);
+    }
+    createInsertPatch(type, resourceId, roleOrPermissions) {
+        const patch = roleOrPermissions.static.patch({});
+        // First check if we need to insert the type
+        if (roleOrPermissions.resources.get(type)) {
+            // We need to patch
+            const p = new simple_encoding_1.PatchMap();
+            p.set(resourceId, this);
+            patch.resources.set(type, p);
+        }
+        else {
+            // No resources with this type yet
+            const p = new Map();
+            p.set(resourceId, this);
+            patch.resources.set(type, p);
+        }
+        return patch;
+    }
+    merge(other) {
+        const p = new ResourcePermissions();
+        p.level = this.level;
+        p.accessRights = this.accessRights.slice();
+        if (getPermissionLevelNumber(other.level) > getPermissionLevelNumber(p.level)) {
+            p.level = other.level;
+        }
+        for (const right of other.accessRights) {
+            if (!p.accessRights.includes(right)) {
+                p.accessRights.push(right);
+            }
+        }
+        return p;
+    }
+}
+exports.ResourcePermissions = ResourcePermissions;
+tslib_1.__decorate([
+    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.StringDecoder, field: 'n' })
+], ResourcePermissions.prototype, "resourceName", void 0);
+tslib_1.__decorate([
+    (0, simple_encoding_1.field)({ decoder: new simple_encoding_1.EnumDecoder(PermissionLevel), field: "l" })
+], ResourcePermissions.prototype, "level", void 0);
+tslib_1.__decorate([
+    (0, simple_encoding_1.field)({ decoder: new simple_encoding_1.ArrayDecoder(new simple_encoding_1.EnumDecoder(AccessRight)), field: "r" })
+], ResourcePermissions.prototype, "accessRights", void 0);
+class PermissionRoleDetailed extends PermissionRole {
+    constructor() {
+        super(...arguments);
         /**
-         * Can create new webshops = write
+         * Generic access to all resources
          */
-        this.createWebshops = false;
+        this.level = PermissionLevel.None;
+        this.accessRights = [];
+        this.resources = new Map();
+        this.legacyManagePayments = false;
+        this.legacyFinanceDirector = false;
+        this.legacyCreateWebshops = false;
     }
-    getDescription(webshops, groups) {
-        var _a;
+    getDescription() {
         const stack = [];
         if (this.level === PermissionLevel.Read) {
             stack.push("alles lezen");
@@ -77,43 +262,87 @@ class PermissionRoleDetailed extends PermissionRole {
         if (this.level === PermissionLevel.Full) {
             stack.push("alles");
         }
-        if (this.financeDirector) {
-            stack.push("volledige boekhouding");
+        for (const right of this.accessRights) {
+            stack.push(AccessRightHelper.getDescription(right));
         }
-        else if (this.managePayments) {
-            stack.push("overschrijvingen");
+        for (const [type, resources] of this.resources) {
+            let count = 0;
+            if (resources.has('')) {
+                stack.push("alle " + getPermissionResourceTypeName(type, true));
+                continue;
+            }
+            for (const resource of resources.values()) {
+                if (resource.hasAccess(PermissionLevel.Read) || resource.accessRights.length > 0) {
+                    count += 1;
+                }
+            }
+            if (count > 0) {
+                stack.push(count + " " + getPermissionResourceTypeName(type, count > 1));
+            }
         }
-        if (this.createWebshops) {
-            stack.push("webshops maken");
+        if (stack.length === 0) {
+            return "geen toegang";
         }
-        let webshopCount = 0;
-        for (const webshop of webshops) {
-            if (webshop.privateMeta.permissions.roleHasAccess(this)) {
-                webshopCount++;
-                continue;
+        return utility_1.Formatter.capitalizeFirstLetter(utility_1.Formatter.joinLast(stack, ', ', ' en '));
+    }
+    hasAccess(level) {
+        return getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        if ((gl && this.hasAccess(gl)) || this.accessRights.includes(right)) {
+            return true;
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasAccessRight(r)) {
+                return true;
             }
-            if (webshop.privateMeta.scanPermissions.roleHasAccess(this)) {
-                webshopCount++;
-                continue;
+        }
+        return false;
+    }
+    getResourcePermissions(type, id) {
+        const resource = this.resources.get(type);
+        if (!resource) {
+            return null;
+        }
+        const rInstance = resource.get(id);
+        const allInstance = resource.get('');
+        if (!rInstance) {
+            if (allInstance) {
+                return allInstance;
             }
+            return null;
         }
-        if (webshopCount > 0) {
-            stack.push(webshopCount + " webshop" + (webshopCount > 1 ? "s" : ""));
+        if (allInstance) {
+            return rInstance.merge(allInstance);
         }
-        let groupCount = 0;
-        for (const group of groups) {
-            if ((_a = group.privateSettings) === null || _a === void 0 ? void 0 : _a.permissions.roleHasAccess(this)) {
-                groupCount++;
-                continue;
+        return rInstance;
+    }
+    getMergedResourcePermissions(type, id) {
+        var _a;
+        let base = this.getResourcePermissions(type, id);
+        if (getPermissionLevelNumber(this.level) > getPermissionLevelNumber((_a = base === null || base === void 0 ? void 0 : base.level) !== null && _a !== void 0 ? _a : PermissionLevel.None)) {
+            if (!base) {
+                base = ResourcePermissions.create({ level: this.level });
             }
+            base.level = this.level;
         }
-        if (groupCount > 0) {
-            stack.push(groupCount + " groep" + (groupCount > 1 ? "en" : ""));
+        return base;
+    }
+    hasResourceAccess(type, id, level) {
+        var _a, _b;
+        if (this.hasAccess(level)) {
+            return true;
         }
-        if (stack.length === 0) {
-            return "geen toegang";
+        return (_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccess(level)) !== null && _b !== void 0 ? _b : false;
+    }
+    hasResourceAccessRight(type, id, right) {
+        var _a, _b;
+        if (this.hasAccessRight(right)) {
+            return true;
         }
-        return utility_1.Formatter.capitalizeFirstLetter(utility_1.Formatter.joinLast(stack, ', ', ' en '));
+        return (_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccessRight(right)) !== null && _b !== void 0 ? _b : false;
     }
 }
 exports.PermissionRoleDetailed = PermissionRoleDetailed;
@@ -121,15 +350,44 @@ tslib_1.__decorate([
     (0, simple_encoding_1.field)({ decoder: new simple_encoding_1.EnumDecoder(PermissionLevel), version: 201 })
 ], PermissionRoleDetailed.prototype, "level", void 0);
 tslib_1.__decorate([
-    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder })
-], PermissionRoleDetailed.prototype, "managePayments", void 0);
+    (0, simple_encoding_1.field)({
+        decoder: new simple_encoding_1.ArrayDecoder(new simple_encoding_1.EnumDecoder(AccessRight)),
+        version: 246,
+        upgrade: function () {
+            const base = [];
+            if (this.legacyManagePayments) {
+                base.push(AccessRight.OrganizationManagePayments);
+            }
+            if (this.legacyFinanceDirector) {
+                base.push(AccessRight.OrganizationFinanceDirector);
+            }
+            if (this.legacyCreateWebshops) {
+                base.push(AccessRight.OrganizationCreateWebshops);
+            }
+            return base;
+        }
+    })
+], PermissionRoleDetailed.prototype, "accessRights", void 0);
 tslib_1.__decorate([
-    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder, version: 199 })
-], PermissionRoleDetailed.prototype, "financeDirector", void 0);
+    (0, simple_encoding_1.field)({
+        decoder: new simple_encoding_1.MapDecoder(new simple_encoding_1.EnumDecoder(PermissionsResourceType), new simple_encoding_1.MapDecoder(
+        // ID
+        simple_encoding_1.StringDecoder, ResourcePermissions)),
+        version: 248
+    })
+], PermissionRoleDetailed.prototype, "resources", void 0);
 tslib_1.__decorate([
-    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder })
-], PermissionRoleDetailed.prototype, "createWebshops", void 0);
+    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder, field: 'managePayments', optional: true })
+], PermissionRoleDetailed.prototype, "legacyManagePayments", void 0);
+tslib_1.__decorate([
+    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder, version: 199, field: 'financeDirector', optional: true })
+], PermissionRoleDetailed.prototype, "legacyFinanceDirector", void 0);
+tslib_1.__decorate([
+    (0, simple_encoding_1.field)({ decoder: simple_encoding_1.BooleanDecoder, field: 'createWebshops', optional: true })
+], PermissionRoleDetailed.prototype, "legacyCreateWebshops", void 0);
 /**
+ * @deprecated
+ * Use resource types
  * Give access to a given resouce based by the roles of a user
  */
 class PermissionsByRole extends simple_encoding_1.AutoEncoder {
@@ -139,11 +397,8 @@ class PermissionsByRole extends simple_encoding_1.AutoEncoder {
         this.write = [];
         this.full = [];
     }
-    /**
-     * Whetever a given user has access to the members in this group.
-     */
-    getPermissionLevel(permissions, allRoles) {
-        if (permissions.hasFullAccess(allRoles)) {
+    getPermissionLevel(permissions) {
+        if (permissions.hasFullAccess()) {
             return PermissionLevel.Full;
         }
         for (const role of this.full) {
@@ -151,7 +406,7 @@ class PermissionsByRole extends simple_encoding_1.AutoEncoder {
                 return PermissionLevel.Full;
             }
         }
-        if (permissions.hasWriteAccess(allRoles)) {
+        if (permissions.hasWriteAccess()) {
             return PermissionLevel.Write;
         }
         for (const role of this.write) {
@@ -159,7 +414,7 @@ class PermissionsByRole extends simple_encoding_1.AutoEncoder {
                 return PermissionLevel.Write;
             }
         }
-        if (permissions.hasReadAccess(allRoles)) {
+        if (permissions.hasReadAccess()) {
             return PermissionLevel.Read;
         }
         for (const role of this.read) {
@@ -190,23 +445,23 @@ class PermissionsByRole extends simple_encoding_1.AutoEncoder {
         }
         return PermissionLevel.None;
     }
-    hasAccess(permissions, allRoles, level) {
+    hasAccess(permissions, level) {
         if (!permissions) {
             return false;
         }
-        return getPermissionLevelNumber(this.getPermissionLevel(permissions, allRoles)) >= getPermissionLevelNumber(level);
+        return getPermissionLevelNumber(this.getPermissionLevel(permissions)) >= getPermissionLevelNumber(level);
     }
     roleHasAccess(role, level = PermissionLevel.Read) {
         return getPermissionLevelNumber(this.getRolePermissionLevel(role)) >= getPermissionLevelNumber(level);
     }
-    hasFullAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Full);
+    hasFullAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Full);
     }
-    hasWriteAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Write);
+    hasWriteAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Write);
     }
-    hasReadAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Read);
+    hasReadAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Read);
     }
 }
 exports.PermissionsByRole = PermissionsByRole;
@@ -232,7 +487,18 @@ class Permissions extends simple_encoding_1.AutoEncoder {
          */
         this.groups = [];
         this.roles = [];
+        /**
+         * Mostly for temporary access
+         */
+        this.resources = new Map();
     }
+    hasRole(role) {
+        return this.roles.find(r => r.id === role.id) !== undefined;
+    }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasAccess(allRoles, level) {
         if (getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level)) {
             // Someone with read / write access for the whole organization, also the same access for each group
@@ -250,19 +516,32 @@ class Permissions extends simple_encoding_1.AutoEncoder {
         }
         return false;
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasReadAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Read);
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasWriteAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Write);
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasFullAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Full);
     }
     /**
-     * @param roles All available roles of the organizatino (to query)
+     * @deprecated
+     * Use LoadedPermissions
      */
-    canCreateWebshops(allRoles) {
+    hasAccessRight(right, allRoles) {
         if (this.hasFullAccess(allRoles)) {
             return true;
         }
@@ -272,51 +551,31 @@ class Permissions extends simple_encoding_1.AutoEncoder {
                 // Deleted role
                 continue;
             }
-            if (f.createWebshops) {
+            if (f.hasAccessRight(right)) {
                 return true;
             }
         }
         return false;
     }
     /**
+     * @deprecated
+     * @param roles All available roles of the organizatino (to query)
+     */
+    canCreateWebshops(allRoles) {
+        return this.hasAccessRight(AccessRight.OrganizationCreateWebshops, allRoles);
+    }
+    /**
+     * @deprecated
      * @param roles All available roles of the organizatino (to query)
      */
     canManagePayments(allRoles) {
-        if (this.hasFullAccess(allRoles)) {
-            return true;
-        }
-        for (const r of this.roles) {
-            const f = allRoles.find(rr => r.id === rr.id);
-            if (!f) {
-                // Deleted role
-                continue;
-            }
-            if (f.financeDirector) {
-                return true;
-            }
-            if (f.managePayments) {
-                return true;
-            }
-        }
-        return false;
+        return this.hasAccessRight(AccessRight.OrganizationManagePayments, allRoles) || this.hasAccessRight(AccessRight.OrganizationFinanceDirector, allRoles);
     }
     /**
+     * @deprecated
      */
     hasFinanceAccess(allRoles) {
-        if (this.hasFullAccess(allRoles)) {
-            return true;
-        }
-        for (const r of this.roles) {
-            const f = allRoles.find(rr => r.id === rr.id);
-            if (!f) {
-                // Deleted role
-                continue;
-            }
-            if (f.financeDirector) {
-                return true;
-            }
-        }
-        return false;
+        return this.hasAccessRight(AccessRight.OrganizationFinanceDirector, allRoles);
     }
     add(other) {
         if (getPermissionLevelNumber(this.level) < getPermissionLevelNumber(other.level)) {
@@ -339,28 +598,188 @@ tslib_1.__decorate([
 tslib_1.__decorate([
     (0, simple_encoding_1.field)({ decoder: new simple_encoding_1.ArrayDecoder(PermissionRole), version: 60 })
 ], Permissions.prototype, "roles", void 0);
-class UserPermissions extends simple_encoding_1.AutoEncoder {
-    constructor() {
-        super(...arguments);
-        this.globalPermissions = Permissions.create({});
-        this.organizationPermissions = new Map();
-    }
-}
-exports.UserPermissions = UserPermissions;
 tslib_1.__decorate([
-    (0, simple_encoding_1.field)({ decoder: Permissions })
-], UserPermissions.prototype, "globalPermissions", void 0);
-tslib_1.__decorate([
-    (0, simple_encoding_1.field)({ decoder: new simple_encoding_1.MapDecoder(simple_encoding_1.StringDecoder, Permissions) })
-], UserPermissions.prototype, "organizationPermissions", void 0);
+    (0, simple_encoding_1.field)({
+        decoder: new simple_encoding_1.MapDecoder(new simple_encoding_1.EnumDecoder(PermissionsResourceType), new simple_encoding_1.MapDecoder(
+        // ID
+        simple_encoding_1.StringDecoder, ResourcePermissions)),
+        version: 249
+    })
+], Permissions.prototype, "resources", void 0);
 /**
- * Convenience class to combine both roles of an organization, platform and the permissions of a user.
- * This helps with checking permissions.
+ * Identical to Permissions but with detailed roles, loaded from the organization or platform
  */
-class FilledUserPermissions {
-    constructor(userPermissions, allRoles) {
-        // todo
+class LoadedPermissions {
+    constructor(data) {
+        this.level = PermissionLevel.None;
+        this.roles = [];
+        this.resources = new Map();
+        Object.assign(this, data);
+    }
+    static create(data) {
+        return new LoadedPermissions(data);
+    }
+    static from(permissions, allRoles) {
+        return this.create({
+            level: permissions.level,
+            roles: permissions.roles.flatMap(role => {
+                const d = allRoles.find(a => a.id === role.id);
+                if (d) {
+                    return [d];
+                }
+                return [];
+            }),
+            resources: permissions.resources
+        });
+    }
+    getResourcePermissions(type, id) {
+        const resource = this.resources.get(type);
+        if (!resource) {
+            return null;
+        }
+        const rInstance = resource.get(id);
+        const allInstance = resource.get('');
+        if (!rInstance) {
+            if (allInstance) {
+                return allInstance;
+            }
+            return null;
+        }
+        if (allInstance) {
+            return rInstance.merge(allInstance);
+        }
+        return rInstance;
+    }
+    getMergedResourcePermissions(type, id) {
+        var _a;
+        let base = this.getResourcePermissions(type, id);
+        for (const role of this.roles) {
+            const r = role.getMergedResourcePermissions(type, id);
+            if (r) {
+                if (base) {
+                    base.merge(r);
+                }
+                else {
+                    base = r;
+                }
+            }
+        }
+        if (getPermissionLevelNumber(this.level) > getPermissionLevelNumber((_a = base === null || base === void 0 ? void 0 : base.level) !== null && _a !== void 0 ? _a : PermissionLevel.None)) {
+            if (!base) {
+                base = ResourcePermissions.create({ level: this.level });
+            }
+            base.level = this.level;
+        }
+        return base;
+    }
+    hasRole(role) {
+        return this.roles.find(r => r.id === role.id) !== undefined;
+    }
+    hasAccess(level) {
+        if (getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level)) {
+            // Someone with read / write access for the whole organization, also the same access for each group
+            return true;
+        }
+        for (const f of this.roles) {
+            if (f.hasAccess(level)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasResourceAccess(type, id, level) {
+        var _a, _b;
+        if (this.hasAccess(level)) {
+            return true;
+        }
+        if ((_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccess(level)) !== null && _b !== void 0 ? _b : false) {
+            return true;
+        }
+        for (const r of this.roles) {
+            if (r.hasResourceAccess(type, id, level)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasResourceAccessRight(type, id, right) {
+        var _a, _b;
+        if (this.hasAccessRight(right)) {
+            return true;
+        }
+        if ((_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccessRight(right)) !== null && _b !== void 0 ? _b : false) {
+            return true;
+        }
+        for (const r of this.roles) {
+            if (r.hasResourceAccessRight(type, id, right)) {
+                return true;
+            }
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasResourceAccessRight(type, id, r)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasReadAccess() {
+        return this.hasAccess(PermissionLevel.Read);
+    }
+    hasWriteAccess() {
+        return this.hasAccess(PermissionLevel.Write);
+    }
+    hasFullAccess() {
+        return this.hasAccess(PermissionLevel.Full);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        if (gl && this.hasAccess(gl)) {
+            return true;
+        }
+        for (const f of this.roles) {
+            if (f.hasAccessRight(right)) {
+                return true;
+            }
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasAccessRight(r)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    merge(other) {
+        const p = LoadedPermissions.create({});
+        p.level = this.level;
+        p.roles = this.roles.slice();
+        p.resources = new Map(this.resources);
+        if (getPermissionLevelNumber(other.level) > getPermissionLevelNumber(p.level)) {
+            p.level = other.level;
+        }
+        for (const [type, r] of other.resources) {
+            for (const [id, resource] of r) {
+                if (!p.resources.has(type)) {
+                    p.resources.set(type, new Map());
+                }
+                const current = p.resources.get(type).get(id);
+                if (!current) {
+                    p.resources.get(type).set(id, resource);
+                }
+                else {
+                    p.resources.get(type).set(id, current.merge(resource));
+                }
+            }
+        }
+        for (const role of other.roles) {
+            const current = p.roles.find(r => r.id === role.id);
+            if (!current) {
+                p.roles.push(role);
+            }
+        }
+        return p;
     }
 }
-exports.FilledUserPermissions = FilledUserPermissions;
+exports.LoadedPermissions = LoadedPermissions;
 //# sourceMappingURL=Permissions.js.map