@stamhoofd/structures 2.1.1 → 2.1.4

package/esm/dist/src/Permissions.js

@@ -1,7 +1,10 @@
 import { __decorate } from "tslib";
-import { AnyDecoder, ArrayDecoder, AutoEncoder, BooleanDecoder, EnumDecoder, field, MapDecoder, StringDecoder } from '@simonbackx/simple-encoding';
+import { AnyDecoder, ArrayDecoder, AutoEncoder, BooleanDecoder, EnumDecoder, field, MapDecoder, PatchMap, StringDecoder } from '@simonbackx/simple-encoding';
 import { Formatter } from '@stamhoofd/utility';
 import { v4 as uuidv4 } from "uuid";
+/**
+ * PermissionLevels are used to grant permissions to specific resources or system wide
+ */
 export var PermissionLevel;
 (function (PermissionLevel) {
     /** No access */
@@ -13,6 +16,95 @@ export var PermissionLevel;
     /** Full access */
     PermissionLevel["Full"] = "Full";
 })(PermissionLevel || (PermissionLevel = {}));
+/**
+ * More granular access rights to specific things in the system
+ */
+export var AccessRight;
+(function (AccessRight) {
+    // Platform level permissions
+    /**
+     * Allows the user to log in as a full-access admin to a specific organization
+     */
+    AccessRight["PlatformLoginAs"] = "PlatformLoginAs";
+    // Organization level permissions
+    AccessRight["OrganizationCreateWebshops"] = "OrganizationCreateWebshops";
+    AccessRight["OrganizationManagePayments"] = "OrganizationManagePayments";
+    AccessRight["OrganizationFinanceDirector"] = "OrganizationFinanceDirector";
+    AccessRight["OrganizationCreateGroups"] = "OrganizationCreateGroups";
+    // Member data access rights
+    // Note: in order to read or write any data at all, a user first needs to have normal resource access to a group, category or organization
+    // So general data (name, birthday, gender, address, email, parents, emergency contacts) access can be controlled in that way (this doesn't have a separate access right).
+    AccessRight["MemberReadFinancialData"] = "MemberReadFinancialData";
+    AccessRight["MemberWriteFinancialData"] = "MemberWriteFinancialData";
+    // Webshop level permissions
+    AccessRight["WebshopScanTickets"] = "WebshopScanTickets";
+})(AccessRight || (AccessRight = {}));
+export class AccessRightHelper {
+    static getName(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'Inloggen als hoofdbeheerder';
+            case AccessRight.OrganizationFinanceDirector: return 'Toegang tot volledige boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'Overschrijvingen beheren';
+            case AccessRight.OrganizationCreateWebshops: return 'Webshops maken';
+            case AccessRight.OrganizationCreateGroups: return 'Groepen maken';
+            case AccessRight.WebshopScanTickets: return 'Tickets scannen';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Bekijk rekening leden';
+            case AccessRight.MemberWriteFinancialData: return 'Bewerk rekening leden';
+        }
+    }
+    static getNameShort(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'Inloggen';
+            case AccessRight.OrganizationFinanceDirector: return 'Boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'Overschrijvingen';
+            case AccessRight.OrganizationCreateWebshops: return 'Maken';
+            case AccessRight.OrganizationCreateGroups: return 'Maken';
+            case AccessRight.WebshopScanTickets: return 'Scannen';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Lidgeld bekijken';
+            case AccessRight.MemberWriteFinancialData: return 'Lidgeld bewerken';
+        }
+    }
+    static getDescription(right) {
+        switch (right) {
+            case AccessRight.PlatformLoginAs: return 'inloggen als hoofdbeheerder';
+            case AccessRight.OrganizationFinanceDirector: return 'volledige boekhouding';
+            case AccessRight.OrganizationManagePayments: return 'overschrijvingen';
+            case AccessRight.OrganizationCreateWebshops: return 'webshops maken';
+            case AccessRight.OrganizationCreateGroups: return 'groepen maken';
+            case AccessRight.WebshopScanTickets: return 'scannen van tickets';
+            // Member data
+            case AccessRight.MemberReadFinancialData: return 'Openstaande bedragen bekijken';
+            case AccessRight.MemberWriteFinancialData: return 'Openstaande bedragen bewerken';
+        }
+    }
+    /**
+     * If a user has a certain permission level, automatically grant the specific access right
+     * By default only full permissions gives all access rights, but you can tweak it:
+     * E.g., give webshop scan rights if you also have write access to that webshop
+     */
+    static autoGrantRightForLevel(right) {
+        switch (right) {
+            case AccessRight.WebshopScanTickets: return PermissionLevel.Write;
+            case AccessRight.OrganizationCreateGroups: return null; // Not included in full access
+        }
+        return PermissionLevel.Full;
+    }
+    /**
+     * Automatically grant a user access rights if they have a certain right
+     */
+    static autoInheritFrom(right) {
+        switch (right) {
+            // Finance director also has manage payments permissions automatically
+            case AccessRight.OrganizationManagePayments: return [AccessRight.OrganizationFinanceDirector];
+            // Finance director also can view and edit member financial data
+            case AccessRight.MemberReadFinancialData: return [AccessRight.OrganizationFinanceDirector];
+            case AccessRight.MemberWriteFinancialData: return [AccessRight.OrganizationFinanceDirector];
+        }
+        return [];
+    }
+}
 export function getPermissionLevelNumber(level) {
     switch (level) {
         case PermissionLevel.None: return 0;
@@ -25,6 +117,18 @@ export function getPermissionLevelNumber(level) {
         }
     }
 }
+export function getPermissionLevelName(level) {
+    switch (level) {
+        case PermissionLevel.None: return 'Geen basistoegang';
+        case PermissionLevel.Read: return 'Lezen';
+        case PermissionLevel.Write: return 'Bewerken';
+        case PermissionLevel.Full: return 'Volledige toegang';
+        default: {
+            const l = level; // will throw compile error if new levels are added without editing this method
+            throw new Error("Unknown permission level " + l);
+        }
+    }
+}
 export class PermissionRole extends AutoEncoder {
     constructor() {
         super(...arguments);
@@ -37,31 +141,108 @@ __decorate([
 __decorate([
     field({ decoder: StringDecoder })
 ], PermissionRole.prototype, "name", void 0);
-export class PermissionRoleDetailed extends PermissionRole {
+/**
+ * More granular access rights to specific things in the system
+ */
+export var PermissionsResourceType;
+(function (PermissionsResourceType) {
+    PermissionsResourceType["Webshops"] = "Webshops";
+    PermissionsResourceType["Groups"] = "Groups";
+    PermissionsResourceType["GroupCategories"] = "GroupCategories";
+    PermissionsResourceType["OrganizationTags"] = "OrganizationTags";
+    PermissionsResourceType["RecordCategories"] = "RecordCategory";
+})(PermissionsResourceType || (PermissionsResourceType = {}));
+export function getPermissionResourceTypeName(type, plural = true) {
+    switch (type) {
+        case PermissionsResourceType.Webshops: return plural ? 'webshops' : 'webshop';
+        case PermissionsResourceType.Groups: return plural ? 'inschrijvingsgroepen' : 'inschrijvingsgroep';
+        case PermissionsResourceType.GroupCategories: return plural ? 'categorieën' : 'categorie';
+        case PermissionsResourceType.OrganizationTags: return plural ? 'tags' : 'tag';
+        case PermissionsResourceType.RecordCategories: return plural ? 'vragenlijsten' : 'vragenlijst';
+    }
+}
+/**
+ * More granular access rights to specific things in the system
+ */
+export class ResourcePermissions extends AutoEncoder {
     constructor() {
         super(...arguments);
         /**
-         * Generic access to all resources
+         * This is a cache so we can display the role description without fetching all resources
          */
-        this.level = PermissionLevel.None;
-        // Todo: all these flag based permissions should move to a flag list
-        // so it is easier to add more permission levels in the future.
-        // also, permission flags should be prefixed with either organization or platform (e.g. managing invoices of the platform vs managing finances of all organizations)
+        this.resourceName = "";
         /**
-         * Access to open transfers
+         * Setting it to full gives all possible permissions for the resource
+         * Read/Write depends on resource
          */
-        this.managePayments = false;
+        this.level = PermissionLevel.None;
         /**
-         * Full payments access
+         * More granular permissions related to this resource
          */
-        this.financeDirector = false;
+        this.accessRights = [];
+    }
+    hasAccess(level) {
+        return getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        return (gl && this.hasAccess(gl)) || this.accessRights.includes(right);
+    }
+    createInsertPatch(type, resourceId, roleOrPermissions) {
+        const patch = roleOrPermissions.static.patch({});
+        // First check if we need to insert the type
+        if (roleOrPermissions.resources.get(type)) {
+            // We need to patch
+            const p = new PatchMap();
+            p.set(resourceId, this);
+            patch.resources.set(type, p);
+        }
+        else {
+            // No resources with this type yet
+            const p = new Map();
+            p.set(resourceId, this);
+            patch.resources.set(type, p);
+        }
+        return patch;
+    }
+    merge(other) {
+        const p = new ResourcePermissions();
+        p.level = this.level;
+        p.accessRights = this.accessRights.slice();
+        if (getPermissionLevelNumber(other.level) > getPermissionLevelNumber(p.level)) {
+            p.level = other.level;
+        }
+        for (const right of other.accessRights) {
+            if (!p.accessRights.includes(right)) {
+                p.accessRights.push(right);
+            }
+        }
+        return p;
+    }
+}
+__decorate([
+    field({ decoder: StringDecoder, field: 'n' })
+], ResourcePermissions.prototype, "resourceName", void 0);
+__decorate([
+    field({ decoder: new EnumDecoder(PermissionLevel), field: "l" })
+], ResourcePermissions.prototype, "level", void 0);
+__decorate([
+    field({ decoder: new ArrayDecoder(new EnumDecoder(AccessRight)), field: "r" })
+], ResourcePermissions.prototype, "accessRights", void 0);
+export class PermissionRoleDetailed extends PermissionRole {
+    constructor() {
+        super(...arguments);
         /**
-         * Can create new webshops = write
+         * Generic access to all resources
          */
-        this.createWebshops = false;
+        this.level = PermissionLevel.None;
+        this.accessRights = [];
+        this.resources = new Map();
+        this.legacyManagePayments = false;
+        this.legacyFinanceDirector = false;
+        this.legacyCreateWebshops = false;
     }
-    getDescription(webshops, groups) {
-        var _a;
+    getDescription() {
         const stack = [];
         if (this.level === PermissionLevel.Read) {
             stack.push("alles lezen");
@@ -72,58 +253,131 @@ export class PermissionRoleDetailed extends PermissionRole {
         if (this.level === PermissionLevel.Full) {
             stack.push("alles");
         }
-        if (this.financeDirector) {
-            stack.push("volledige boekhouding");
+        for (const right of this.accessRights) {
+            stack.push(AccessRightHelper.getDescription(right));
         }
-        else if (this.managePayments) {
-            stack.push("overschrijvingen");
+        for (const [type, resources] of this.resources) {
+            let count = 0;
+            if (resources.has('')) {
+                stack.push("alle " + getPermissionResourceTypeName(type, true));
+                continue;
+            }
+            for (const resource of resources.values()) {
+                if (resource.hasAccess(PermissionLevel.Read) || resource.accessRights.length > 0) {
+                    count += 1;
+                }
+            }
+            if (count > 0) {
+                stack.push(count + " " + getPermissionResourceTypeName(type, count > 1));
+            }
         }
-        if (this.createWebshops) {
-            stack.push("webshops maken");
+        if (stack.length === 0) {
+            return "geen toegang";
         }
-        let webshopCount = 0;
-        for (const webshop of webshops) {
-            if (webshop.privateMeta.permissions.roleHasAccess(this)) {
-                webshopCount++;
-                continue;
+        return Formatter.capitalizeFirstLetter(Formatter.joinLast(stack, ', ', ' en '));
+    }
+    hasAccess(level) {
+        return getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        if ((gl && this.hasAccess(gl)) || this.accessRights.includes(right)) {
+            return true;
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasAccessRight(r)) {
+                return true;
             }
-            if (webshop.privateMeta.scanPermissions.roleHasAccess(this)) {
-                webshopCount++;
-                continue;
+        }
+        return false;
+    }
+    getResourcePermissions(type, id) {
+        const resource = this.resources.get(type);
+        if (!resource) {
+            return null;
+        }
+        const rInstance = resource.get(id);
+        const allInstance = resource.get('');
+        if (!rInstance) {
+            if (allInstance) {
+                return allInstance;
             }
+            return null;
         }
-        if (webshopCount > 0) {
-            stack.push(webshopCount + " webshop" + (webshopCount > 1 ? "s" : ""));
+        if (allInstance) {
+            return rInstance.merge(allInstance);
         }
-        let groupCount = 0;
-        for (const group of groups) {
-            if ((_a = group.privateSettings) === null || _a === void 0 ? void 0 : _a.permissions.roleHasAccess(this)) {
-                groupCount++;
-                continue;
+        return rInstance;
+    }
+    getMergedResourcePermissions(type, id) {
+        var _a;
+        let base = this.getResourcePermissions(type, id);
+        if (getPermissionLevelNumber(this.level) > getPermissionLevelNumber((_a = base === null || base === void 0 ? void 0 : base.level) !== null && _a !== void 0 ? _a : PermissionLevel.None)) {
+            if (!base) {
+                base = ResourcePermissions.create({ level: this.level });
             }
+            base.level = this.level;
         }
-        if (groupCount > 0) {
-            stack.push(groupCount + " groep" + (groupCount > 1 ? "en" : ""));
+        return base;
+    }
+    hasResourceAccess(type, id, level) {
+        var _a, _b;
+        if (this.hasAccess(level)) {
+            return true;
         }
-        if (stack.length === 0) {
-            return "geen toegang";
+        return (_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccess(level)) !== null && _b !== void 0 ? _b : false;
+    }
+    hasResourceAccessRight(type, id, right) {
+        var _a, _b;
+        if (this.hasAccessRight(right)) {
+            return true;
         }
-        return Formatter.capitalizeFirstLetter(Formatter.joinLast(stack, ', ', ' en '));
+        return (_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccessRight(right)) !== null && _b !== void 0 ? _b : false;
     }
 }
 __decorate([
     field({ decoder: new EnumDecoder(PermissionLevel), version: 201 })
 ], PermissionRoleDetailed.prototype, "level", void 0);
 __decorate([
-    field({ decoder: BooleanDecoder })
-], PermissionRoleDetailed.prototype, "managePayments", void 0);
+    field({
+        decoder: new ArrayDecoder(new EnumDecoder(AccessRight)),
+        version: 246,
+        upgrade: function () {
+            const base = [];
+            if (this.legacyManagePayments) {
+                base.push(AccessRight.OrganizationManagePayments);
+            }
+            if (this.legacyFinanceDirector) {
+                base.push(AccessRight.OrganizationFinanceDirector);
+            }
+            if (this.legacyCreateWebshops) {
+                base.push(AccessRight.OrganizationCreateWebshops);
+            }
+            return base;
+        }
+    })
+], PermissionRoleDetailed.prototype, "accessRights", void 0);
 __decorate([
-    field({ decoder: BooleanDecoder, version: 199 })
-], PermissionRoleDetailed.prototype, "financeDirector", void 0);
+    field({
+        decoder: new MapDecoder(new EnumDecoder(PermissionsResourceType), new MapDecoder(
+        // ID
+        StringDecoder, ResourcePermissions)),
+        version: 248
+    })
+], PermissionRoleDetailed.prototype, "resources", void 0);
 __decorate([
-    field({ decoder: BooleanDecoder })
-], PermissionRoleDetailed.prototype, "createWebshops", void 0);
+    field({ decoder: BooleanDecoder, field: 'managePayments', optional: true })
+], PermissionRoleDetailed.prototype, "legacyManagePayments", void 0);
+__decorate([
+    field({ decoder: BooleanDecoder, version: 199, field: 'financeDirector', optional: true })
+], PermissionRoleDetailed.prototype, "legacyFinanceDirector", void 0);
+__decorate([
+    field({ decoder: BooleanDecoder, field: 'createWebshops', optional: true })
+], PermissionRoleDetailed.prototype, "legacyCreateWebshops", void 0);
 /**
+ * @deprecated
+ * Use resource types
  * Give access to a given resouce based by the roles of a user
  */
 export class PermissionsByRole extends AutoEncoder {
@@ -133,11 +387,8 @@ export class PermissionsByRole extends AutoEncoder {
         this.write = [];
         this.full = [];
     }
-    /**
-     * Whetever a given user has access to the members in this group.
-     */
-    getPermissionLevel(permissions, allRoles) {
-        if (permissions.hasFullAccess(allRoles)) {
+    getPermissionLevel(permissions) {
+        if (permissions.hasFullAccess()) {
             return PermissionLevel.Full;
         }
         for (const role of this.full) {
@@ -145,7 +396,7 @@ export class PermissionsByRole extends AutoEncoder {
                 return PermissionLevel.Full;
             }
         }
-        if (permissions.hasWriteAccess(allRoles)) {
+        if (permissions.hasWriteAccess()) {
             return PermissionLevel.Write;
         }
         for (const role of this.write) {
@@ -153,7 +404,7 @@ export class PermissionsByRole extends AutoEncoder {
                 return PermissionLevel.Write;
             }
         }
-        if (permissions.hasReadAccess(allRoles)) {
+        if (permissions.hasReadAccess()) {
             return PermissionLevel.Read;
         }
         for (const role of this.read) {
@@ -184,23 +435,23 @@ export class PermissionsByRole extends AutoEncoder {
         }
         return PermissionLevel.None;
     }
-    hasAccess(permissions, allRoles, level) {
+    hasAccess(permissions, level) {
         if (!permissions) {
             return false;
         }
-        return getPermissionLevelNumber(this.getPermissionLevel(permissions, allRoles)) >= getPermissionLevelNumber(level);
+        return getPermissionLevelNumber(this.getPermissionLevel(permissions)) >= getPermissionLevelNumber(level);
     }
     roleHasAccess(role, level = PermissionLevel.Read) {
         return getPermissionLevelNumber(this.getRolePermissionLevel(role)) >= getPermissionLevelNumber(level);
     }
-    hasFullAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Full);
+    hasFullAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Full);
     }
-    hasWriteAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Write);
+    hasWriteAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Write);
     }
-    hasReadAccess(permissions, allRoles) {
-        return this.hasAccess(permissions, allRoles, PermissionLevel.Read);
+    hasReadAccess(permissions) {
+        return this.hasAccess(permissions, PermissionLevel.Read);
     }
 }
 __decorate([
@@ -225,7 +476,18 @@ export class Permissions extends AutoEncoder {
          */
         this.groups = [];
         this.roles = [];
+        /**
+         * Mostly for temporary access
+         */
+        this.resources = new Map();
     }
+    hasRole(role) {
+        return this.roles.find(r => r.id === role.id) !== undefined;
+    }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasAccess(allRoles, level) {
         if (getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level)) {
             // Someone with read / write access for the whole organization, also the same access for each group
@@ -243,19 +505,32 @@ export class Permissions extends AutoEncoder {
         }
         return false;
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasReadAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Read);
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasWriteAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Write);
     }
+    /**
+     * @deprecated
+     * Use LoadedPermissions
+     */
     hasFullAccess(allRoles) {
         return this.hasAccess(allRoles, PermissionLevel.Full);
     }
     /**
-     * @param roles All available roles of the organizatino (to query)
+     * @deprecated
+     * Use LoadedPermissions
      */
-    canCreateWebshops(allRoles) {
+    hasAccessRight(right, allRoles) {
         if (this.hasFullAccess(allRoles)) {
             return true;
         }
@@ -265,51 +540,31 @@ export class Permissions extends AutoEncoder {
                 // Deleted role
                 continue;
             }
-            if (f.createWebshops) {
+            if (f.hasAccessRight(right)) {
                 return true;
             }
         }
         return false;
     }
     /**
+     * @deprecated
+     * @param roles All available roles of the organizatino (to query)
+     */
+    canCreateWebshops(allRoles) {
+        return this.hasAccessRight(AccessRight.OrganizationCreateWebshops, allRoles);
+    }
+    /**
+     * @deprecated
      * @param roles All available roles of the organizatino (to query)
      */
     canManagePayments(allRoles) {
-        if (this.hasFullAccess(allRoles)) {
-            return true;
-        }
-        for (const r of this.roles) {
-            const f = allRoles.find(rr => r.id === rr.id);
-            if (!f) {
-                // Deleted role
-                continue;
-            }
-            if (f.financeDirector) {
-                return true;
-            }
-            if (f.managePayments) {
-                return true;
-            }
-        }
-        return false;
+        return this.hasAccessRight(AccessRight.OrganizationManagePayments, allRoles) || this.hasAccessRight(AccessRight.OrganizationFinanceDirector, allRoles);
     }
     /**
+     * @deprecated
      */
     hasFinanceAccess(allRoles) {
-        if (this.hasFullAccess(allRoles)) {
-            return true;
-        }
-        for (const r of this.roles) {
-            const f = allRoles.find(rr => r.id === rr.id);
-            if (!f) {
-                // Deleted role
-                continue;
-            }
-            if (f.financeDirector) {
-                return true;
-            }
-        }
-        return false;
+        return this.hasAccessRight(AccessRight.OrganizationFinanceDirector, allRoles);
     }
     add(other) {
         if (getPermissionLevelNumber(this.level) < getPermissionLevelNumber(other.level)) {
@@ -331,26 +586,187 @@ __decorate([
 __decorate([
     field({ decoder: new ArrayDecoder(PermissionRole), version: 60 })
 ], Permissions.prototype, "roles", void 0);
-export class UserPermissions extends AutoEncoder {
-    constructor() {
-        super(...arguments);
-        this.globalPermissions = Permissions.create({});
-        this.organizationPermissions = new Map();
-    }
-}
 __decorate([
-    field({ decoder: Permissions })
-], UserPermissions.prototype, "globalPermissions", void 0);
-__decorate([
-    field({ decoder: new MapDecoder(StringDecoder, Permissions) })
-], UserPermissions.prototype, "organizationPermissions", void 0);
+    field({
+        decoder: new MapDecoder(new EnumDecoder(PermissionsResourceType), new MapDecoder(
+        // ID
+        StringDecoder, ResourcePermissions)),
+        version: 249
+    })
+], Permissions.prototype, "resources", void 0);
 /**
- * Convenience class to combine both roles of an organization, platform and the permissions of a user.
- * This helps with checking permissions.
+ * Identical to Permissions but with detailed roles, loaded from the organization or platform
  */
-export class FilledUserPermissions {
-    constructor(userPermissions, allRoles) {
-        // todo
+export class LoadedPermissions {
+    constructor(data) {
+        this.level = PermissionLevel.None;
+        this.roles = [];
+        this.resources = new Map();
+        Object.assign(this, data);
+    }
+    static create(data) {
+        return new LoadedPermissions(data);
+    }
+    static from(permissions, allRoles) {
+        return this.create({
+            level: permissions.level,
+            roles: permissions.roles.flatMap(role => {
+                const d = allRoles.find(a => a.id === role.id);
+                if (d) {
+                    return [d];
+                }
+                return [];
+            }),
+            resources: permissions.resources
+        });
+    }
+    getResourcePermissions(type, id) {
+        const resource = this.resources.get(type);
+        if (!resource) {
+            return null;
+        }
+        const rInstance = resource.get(id);
+        const allInstance = resource.get('');
+        if (!rInstance) {
+            if (allInstance) {
+                return allInstance;
+            }
+            return null;
+        }
+        if (allInstance) {
+            return rInstance.merge(allInstance);
+        }
+        return rInstance;
+    }
+    getMergedResourcePermissions(type, id) {
+        var _a;
+        let base = this.getResourcePermissions(type, id);
+        for (const role of this.roles) {
+            const r = role.getMergedResourcePermissions(type, id);
+            if (r) {
+                if (base) {
+                    base.merge(r);
+                }
+                else {
+                    base = r;
+                }
+            }
+        }
+        if (getPermissionLevelNumber(this.level) > getPermissionLevelNumber((_a = base === null || base === void 0 ? void 0 : base.level) !== null && _a !== void 0 ? _a : PermissionLevel.None)) {
+            if (!base) {
+                base = ResourcePermissions.create({ level: this.level });
+            }
+            base.level = this.level;
+        }
+        return base;
+    }
+    hasRole(role) {
+        return this.roles.find(r => r.id === role.id) !== undefined;
+    }
+    hasAccess(level) {
+        if (getPermissionLevelNumber(this.level) >= getPermissionLevelNumber(level)) {
+            // Someone with read / write access for the whole organization, also the same access for each group
+            return true;
+        }
+        for (const f of this.roles) {
+            if (f.hasAccess(level)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasResourceAccess(type, id, level) {
+        var _a, _b;
+        if (this.hasAccess(level)) {
+            return true;
+        }
+        if ((_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccess(level)) !== null && _b !== void 0 ? _b : false) {
+            return true;
+        }
+        for (const r of this.roles) {
+            if (r.hasResourceAccess(type, id, level)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasResourceAccessRight(type, id, right) {
+        var _a, _b;
+        if (this.hasAccessRight(right)) {
+            return true;
+        }
+        if ((_b = (_a = this.getResourcePermissions(type, id)) === null || _a === void 0 ? void 0 : _a.hasAccessRight(right)) !== null && _b !== void 0 ? _b : false) {
+            return true;
+        }
+        for (const r of this.roles) {
+            if (r.hasResourceAccessRight(type, id, right)) {
+                return true;
+            }
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasResourceAccessRight(type, id, r)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hasReadAccess() {
+        return this.hasAccess(PermissionLevel.Read);
+    }
+    hasWriteAccess() {
+        return this.hasAccess(PermissionLevel.Write);
+    }
+    hasFullAccess() {
+        return this.hasAccess(PermissionLevel.Full);
+    }
+    hasAccessRight(right) {
+        const gl = AccessRightHelper.autoGrantRightForLevel(right);
+        if (gl && this.hasAccess(gl)) {
+            return true;
+        }
+        for (const f of this.roles) {
+            if (f.hasAccessRight(right)) {
+                return true;
+            }
+        }
+        const autoInherit = AccessRightHelper.autoInheritFrom(right);
+        for (const r of autoInherit) {
+            if (this.hasAccessRight(r)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    merge(other) {
+        const p = LoadedPermissions.create({});
+        p.level = this.level;
+        p.roles = this.roles.slice();
+        p.resources = new Map(this.resources);
+        if (getPermissionLevelNumber(other.level) > getPermissionLevelNumber(p.level)) {
+            p.level = other.level;
+        }
+        for (const [type, r] of other.resources) {
+            for (const [id, resource] of r) {
+                if (!p.resources.has(type)) {
+                    p.resources.set(type, new Map());
+                }
+                const current = p.resources.get(type).get(id);
+                if (!current) {
+                    p.resources.get(type).set(id, resource);
+                }
+                else {
+                    p.resources.get(type).set(id, current.merge(resource));
+                }
+            }
+        }
+        for (const role of other.roles) {
+            const current = p.roles.find(r => r.id === role.id);
+            if (!current) {
+                p.roles.push(role);
+            }
+        }
+        return p;
     }
 }
 //# sourceMappingURL=Permissions.js.map