@zealamic/payload-auth-rbac-plugin 1.0.0-beta.1

package/dist/lib/constants/index.js

@@ -0,0 +1,16 @@
+import * as general from "./general.js";
+import * as permission from "./permission.js";
+import * as permissionAction from "./permission-action.js";
+import * as permissionFeature from "./permission-feature.js";
+import * as role from "./role.js";
+import * as user from "./user.js";
+export const CONSTANTS = {
+    GENERAL: general,
+    PERMISSION: permission,
+    PERMISSION_FEATURE: permissionFeature,
+    PERMISSION_ACTION: permissionAction,
+    ROLE: role,
+    USER: user
+};
+
+//# sourceMappingURL=index.js.map

package/dist/lib/constants/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/index.ts"],"sourcesContent":["import * as general from \"./general.js\";\nimport * as permission from \"./permission.js\";\nimport * as permissionAction from \"./permission-action.js\";\nimport * as permissionFeature from \"./permission-feature.js\";\nimport * as role from \"./role.js\";\nimport * as user from \"./user.js\";\n\nexport const CONSTANTS = {\n  GENERAL: general,\n  PERMISSION: permission,\n  PERMISSION_FEATURE: permissionFeature,\n  PERMISSION_ACTION: permissionAction,\n  ROLE: role,\n  USER: user,\n} as const;\n"],"names":["general","permission","permissionAction","permissionFeature","role","user","CONSTANTS","GENERAL","PERMISSION","PERMISSION_FEATURE","PERMISSION_ACTION","ROLE","USER"],"mappings":"AAAA,YAAYA,aAAa,eAAe;AACxC,YAAYC,gBAAgB,kBAAkB;AAC9C,YAAYC,sBAAsB,yBAAyB;AAC3D,YAAYC,uBAAuB,0BAA0B;AAC7D,YAAYC,UAAU,YAAY;AAClC,YAAYC,UAAU,YAAY;AAElC,OAAO,MAAMC,YAAY;IACvBC,SAASP;IACTQ,YAAYP;IACZQ,oBAAoBN;IACpBO,mBAAmBR;IACnBS,MAAMP;IACNQ,MAAMP;AACR,EAAW"}

package/dist/lib/constants/permission-action.js

@@ -0,0 +1,10 @@
+export const STATUS = {
+    ACTIVE: "active",
+    INACTIVE: "inactive"
+};
+export const TYPE = {
+    MAIN: "main",
+    SUB: "sub"
+};
+
+//# sourceMappingURL=permission-action.js.map

package/dist/lib/constants/permission-action.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/permission-action.ts"],"sourcesContent":["export const STATUS = {\n  ACTIVE: \"active\",\n  INACTIVE: \"inactive\",\n} as const\n\nexport const TYPE = {\n  MAIN: \"main\",\n  SUB: \"sub\",\n} as const\n"],"names":["STATUS","ACTIVE","INACTIVE","TYPE","MAIN","SUB"],"mappings":"AAAA,OAAO,MAAMA,SAAS;IACpBC,QAAQ;IACRC,UAAU;AACZ,EAAU;AAEV,OAAO,MAAMC,OAAO;IAClBC,MAAM;IACNC,KAAK;AACP,EAAU"}

package/dist/lib/constants/permission-feature.js

@@ -0,0 +1,6 @@
+export const STATUS = {
+    ACTIVE: "active",
+    INACTIVE: "inactive"
+};
+
+//# sourceMappingURL=permission-feature.js.map

package/dist/lib/constants/permission-feature.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/permission-feature.ts"],"sourcesContent":["export const STATUS = {\n  ACTIVE: \"active\",\n  INACTIVE: \"inactive\",\n} as const\n"],"names":["STATUS","ACTIVE","INACTIVE"],"mappings":"AAAA,OAAO,MAAMA,SAAS;IACpBC,QAAQ;IACRC,UAAU;AACZ,EAAU"}

package/dist/lib/constants/permission.js

@@ -0,0 +1,6 @@
+export const STATUS = {
+    ACTIVE: "active",
+    INACTIVE: "inactive"
+};
+
+//# sourceMappingURL=permission.js.map

package/dist/lib/constants/permission.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/permission.ts"],"sourcesContent":["export const STATUS = {\n  ACTIVE: \"active\",\n  INACTIVE: \"inactive\",\n} as const\n"],"names":["STATUS","ACTIVE","INACTIVE"],"mappings":"AAAA,OAAO,MAAMA,SAAS;IACpBC,QAAQ;IACRC,UAAU;AACZ,EAAU"}

package/dist/lib/constants/role.js

@@ -0,0 +1,11 @@
+export const STATUS = {
+    ACTIVE: "active",
+    INACTIVE: "inactive"
+};
+export const DATA_SCOPE = {
+    ALL: "all",
+    OWN: "own",
+    HIERARCHY: "hierarchy"
+};
+
+//# sourceMappingURL=role.js.map

package/dist/lib/constants/role.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/role.ts"],"sourcesContent":["export const STATUS = {\n  ACTIVE: \"active\",\n  INACTIVE: \"inactive\",\n} as const;\n\nexport const DATA_SCOPE = {\n  ALL: \"all\",\n  OWN: \"own\",\n  HIERARCHY: \"hierarchy\",\n} as const;\n"],"names":["STATUS","ACTIVE","INACTIVE","DATA_SCOPE","ALL","OWN","HIERARCHY"],"mappings":"AAAA,OAAO,MAAMA,SAAS;IACpBC,QAAQ;IACRC,UAAU;AACZ,EAAW;AAEX,OAAO,MAAMC,aAAa;IACxBC,KAAK;IACLC,KAAK;IACLC,WAAW;AACb,EAAW"}

package/dist/lib/constants/user.js

@@ -0,0 +1,3 @@
+export const PARENT_PATH_SEPARATOR = ",";
+
+//# sourceMappingURL=user.js.map

package/dist/lib/constants/user.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/constants/user.ts"],"sourcesContent":["export const PARENT_PATH_SEPARATOR = \",\" as const;"],"names":["PARENT_PATH_SEPARATOR"],"mappings":"AAAA,OAAO,MAAMA,wBAAwB,IAAa"}

package/dist/lib/utils/access.js

@@ -0,0 +1,452 @@
+import { STATUS as PERMISSION_STATUS } from "../constants/permission.js";
+import { DATA_SCOPE, STATUS as ROLE_STATUS } from "../constants/role.js";
+import { PARENT_PATH_SEPARATOR } from "../constants/user.js";
+import { toID } from "./data.js";
+const DEFAULT_CREATED_BY_FIELD = "createdBy";
+const DEFAULT_USERS_COLLECTION = "users";
+const SCOPE_PRIORITY = {
+    [DATA_SCOPE.OWN]: 0,
+    [DATA_SCOPE.HIERARCHY]: 1,
+    [DATA_SCOPE.ALL]: 2
+};
+/** Normalize role refs from `req.user` to an always-iterable array. */ const getRoleRefs = (user)=>user.roles ?? [];
+const getRoleIds = (user)=>getRoleRefs(user).map((ref)=>toID(ref)).filter((id)=>Boolean(id));
+/**
+ * Fast-path super-admin check from session payload (`req.user`).
+ * Avoids a database round-trip when the field is already present.
+ */ const hasInlineSuperAdmin = (user)=>{
+    if (!user) {
+        return false;
+    }
+    return Boolean(user.isSuperAdmin);
+};
+const pickWidestDataScope = (scopes)=>{
+    let widest = DATA_SCOPE.OWN;
+    for (const scope of scopes){
+        if (!scope) {
+            continue;
+        }
+        if (SCOPE_PRIORITY[scope] > SCOPE_PRIORITY[widest]) {
+            widest = scope;
+        }
+    }
+    return widest;
+};
+/**
+ * Fallback super-admin check against persisted users data.
+ * Use when session payload may be stale or missing `isSuperAdmin`.
+ */ const resolveSuperAdminFromUserID = async ({ req, user })=>{
+    if (!user.id) {
+        return false;
+    }
+    const userDocs = await req.payload.find({
+        collection: "users",
+        depth: 0,
+        limit: 1,
+        pagination: false,
+        req,
+        where: {
+            and: [
+                {
+                    id: {
+                        equals: user.id
+                    }
+                },
+                {
+                    isSuperAdmin: {
+                        equals: true
+                    }
+                }
+            ]
+        }
+    });
+    return userDocs.docs.length > 0;
+};
+/**
+ * Resolve RBAC permission from role assignments:
+ * 1) find active `permissions` by feature/action code
+ * 2) check an enabled `roles-permissions` row for any user role
+ */ const resolvePermissionFromRoleID = async ({ req, user, featureCode, actionCode })=>{
+    const roleIDs = getRoleIds(user);
+    if (!roleIDs.length) {
+        return false;
+    }
+    const permissions = await req.payload.find({
+        collection: "permissions",
+        depth: 0,
+        limit: 0,
+        pagination: false,
+        req,
+        where: {
+            and: [
+                {
+                    status: {
+                        equals: PERMISSION_STATUS.ACTIVE
+                    }
+                },
+                {
+                    "permissionFeature.code": {
+                        equals: featureCode
+                    }
+                },
+                {
+                    "permissionAction.code": {
+                        equals: actionCode
+                    }
+                }
+            ]
+        }
+    });
+    if (!permissions.docs.length) {
+        return false;
+    }
+    const permissionIDs = permissions.docs.map((item)=>item.id);
+    const rolePermissions = await req.payload.find({
+        collection: "roles-permissions",
+        depth: 0,
+        limit: 1,
+        pagination: false,
+        req,
+        where: {
+            and: [
+                {
+                    role: {
+                        in: roleIDs
+                    }
+                },
+                {
+                    permission: {
+                        in: permissionIDs
+                    }
+                },
+                {
+                    enabled: {
+                        equals: true
+                    }
+                }
+            ]
+        }
+    });
+    return rolePermissions.docs.length > 0;
+};
+/**
+ * Access helper: allow only super admins.
+ * Check session first, then persisted users data.
+ */ export const getSuperAdminAccess = async ({ req })=>{
+    const user = req.user;
+    if (!user) {
+        return false;
+    }
+    if (hasInlineSuperAdmin(user)) {
+        return true;
+    }
+    return await resolveSuperAdminFromUserID({
+        req,
+        user
+    });
+};
+/**
+ * Access helper: allow current document owner or super admin.
+ */ export const getAuthenticatedOrSuperAdminAccess = async ({ req, id })=>{
+    const user = req.user;
+    if (!user?.id) {
+        return false;
+    }
+    if (String(user.id) === String(id)) {
+        return true;
+    }
+    if (hasInlineSuperAdmin(user)) {
+        return true;
+    }
+    return await resolveSuperAdminFromUserID({
+        req,
+        user
+    });
+};
+/**
+ * Core RBAC access function (permission-only).
+ * Super admins bypass; others are evaluated via roles + `roles-permissions`.
+ */ const getBasePermissionAccess = ({ featureCode, actionCode })=>{
+    return async ({ req })=>{
+        const user = req.user;
+        if (!user) {
+            return false;
+        }
+        if (hasInlineSuperAdmin(user)) {
+            return true;
+        }
+        return await resolvePermissionFromRoleID({
+            req,
+            user,
+            featureCode,
+            actionCode
+        });
+    };
+};
+/**
+ * Resolve effective data scope from active roles.
+ * Widest scope wins: `all` > `hierarchy` > `own`.
+ */ export const resolveEffectiveDataScope = async (req, options = {})=>{
+    const user = req.user;
+    if (!user) {
+        return DATA_SCOPE.OWN;
+    }
+    if (hasInlineSuperAdmin(user)) {
+        return DATA_SCOPE.ALL;
+    }
+    const roleRefs = getRoleRefs(user);
+    const roleIDs = getRoleIds(user);
+    if (!roleIDs.length) {
+        return DATA_SCOPE.OWN;
+    }
+    const inlineScopes = roleRefs.filter((ref)=>typeof ref === "object" && ref !== null).map((ref)=>ref.dataScope).filter((scope)=>Boolean(scope));
+    if (inlineScopes.length === roleRefs.length) {
+        return pickWidestDataScope(inlineScopes);
+    }
+    const roles = await req.payload.find({
+        collection: "roles",
+        depth: 0,
+        limit: 0,
+        pagination: false,
+        req,
+        where: {
+            and: [
+                {
+                    id: {
+                        in: roleIDs
+                    }
+                },
+                {
+                    status: {
+                        equals: ROLE_STATUS.ACTIVE
+                    }
+                }
+            ]
+        }
+    });
+    return pickWidestDataScope(roles.docs.map((role)=>role.dataScope));
+};
+/**
+ * Collect visible user IDs for hierarchy scope:
+ * current user + direct/indirect descendants from `parent` / `parentPath`.
+ */ export const getHierarchyVisibleUserIds = async (req, options = {})=>{
+    const usersCollectionSlug = options.usersCollectionSlug ?? DEFAULT_USERS_COLLECTION;
+    const user = req.user;
+    const userId = user?.id;
+    if (!userId) {
+        return [];
+    }
+    const selfId = String(userId);
+    const descendants = await req.payload.find({
+        collection: usersCollectionSlug,
+        depth: 0,
+        limit: 0,
+        pagination: false,
+        req,
+        where: {
+            or: [
+                {
+                    parent: {
+                        equals: selfId
+                    }
+                },
+                {
+                    parentPath: {
+                        equals: selfId
+                    }
+                },
+                {
+                    parentPath: {
+                        contains: `${selfId}${PARENT_PATH_SEPARATOR}`
+                    }
+                }
+            ]
+        }
+    });
+    const ids = new Set([
+        selfId
+    ]);
+    for (const doc of descendants.docs){
+        const id = toID(doc);
+        if (id) {
+            ids.add(id);
+        }
+    }
+    return [
+        ...ids
+    ];
+};
+/**
+ * Build a read `Where` filter from data scope.
+ * Returns `true` when no extra filtering is required (`all` scope / super admin).
+ */ export const getDataScopeReadWhere = async (req, options = {})=>{
+    const user = req.user;
+    const createdByField = options.createdByField ?? DEFAULT_CREATED_BY_FIELD;
+    if (!user?.id) {
+        return {
+            [createdByField]: {
+                equals: "___none___"
+            }
+        };
+    }
+    if (hasInlineSuperAdmin(user)) {
+        return true;
+    }
+    const scope = await resolveEffectiveDataScope(req, options);
+    if (scope === DATA_SCOPE.ALL) {
+        return true;
+    }
+    const selfId = String(user.id);
+    if (scope === DATA_SCOPE.OWN) {
+        return {
+            [createdByField]: {
+                equals: selfId
+            }
+        };
+    }
+    const visibleUserIds = await getHierarchyVisibleUserIds(req, options);
+    return {
+        [createdByField]: {
+            in: visibleUserIds.length ? visibleUserIds : [
+                selfId
+            ]
+        }
+    };
+};
+const getCreatedById = (doc, createdByField)=>{
+    const value = doc[createdByField];
+    return toID(value) || undefined;
+};
+const isUsersCollection = (collectionSlug, usersCollectionSlug)=>collectionSlug === usersCollectionSlug;
+/**
+ * Guard for privileged user documents.
+ * Non-super-admins cannot mutate users where `isSuperAdmin === true`.
+ */ export const isProtectedSuperAdminUserDoc = (doc)=>Boolean(doc.isSuperAdmin);
+/**
+ * Document-level access check:
+ * RBAC permission (`featureCode` + `actionCode`) + data-scope evaluation.
+ * Super admins bypass.
+ */ export const canAccessDocumentByDataScope = async ({ req, doc, featureCode, actionCode, collectionSlug, options = {} })=>{
+    const user = req.user;
+    const createdByField = options.createdByField ?? DEFAULT_CREATED_BY_FIELD;
+    const usersCollectionSlug = options.usersCollectionSlug ?? DEFAULT_USERS_COLLECTION;
+    if (!user?.id) {
+        return false;
+    }
+    if (hasInlineSuperAdmin(user)) {
+        return true;
+    }
+    const hasPermission = await resolvePermissionFromRoleID({
+        req,
+        user,
+        featureCode,
+        actionCode
+    });
+    if (!hasPermission) {
+        return false;
+    }
+    const scope = await resolveEffectiveDataScope(req, options);
+    const creatorId = getCreatedById(doc, createdByField);
+    if (!creatorId) {
+        return true;
+    }
+    if (scope === DATA_SCOPE.ALL && isUsersCollection(collectionSlug, usersCollectionSlug) && isProtectedSuperAdminUserDoc(doc)) {
+        return false;
+    }
+    if (scope === DATA_SCOPE.ALL) {
+        return true;
+    }
+    const selfId = String(user.id);
+    if (scope === DATA_SCOPE.OWN) {
+        return creatorId === selfId;
+    }
+    const visibleUserIds = await getHierarchyVisibleUserIds(req, options);
+    return visibleUserIds.includes(creatorId);
+};
+/**
+ * Merge an existing `where` with scope-derived constraints.
+ */ export const mergeDataScopeWhere = (base, scopeWhere)=>{
+    if (scopeWhere === true) {
+        return base ?? {};
+    }
+    if (!base || Object.keys(base).length === 0) {
+        return scopeWhere;
+    }
+    return {
+        and: [
+            base,
+            scopeWhere
+        ]
+    };
+};
+/**
+ * Access helper for collection `read`:
+ * RBAC permission check + data-scope `Where` filter.
+ */ const getPermissionAndDataScopeReadAccess = ({ featureCode, actionCode, options = {} })=>{
+    return async ({ req })=>{
+        const hasPermission = await getBasePermissionAccess({
+            featureCode,
+            actionCode
+        })({
+            req
+        });
+        if (!hasPermission) {
+            return false;
+        }
+        return getDataScopeReadWhere(req, options);
+    };
+};
+/**
+ * Access helper for document mutations (`update`/`delete`):
+ * load target document then apply RBAC + data-scope checks.
+ */ const getPermissionAndDataScopeModifyAccess = ({ featureCode, actionCode, collectionSlug, options = {} })=>{
+    return async ({ req, id })=>{
+        if (!id || !collectionSlug) {
+            return false;
+        }
+        const doc = await req.payload.findByID({
+            collection: collectionSlug,
+            id,
+            depth: 0,
+            req
+        });
+        return canAccessDocumentByDataScope({
+            req,
+            doc: doc,
+            featureCode,
+            actionCode,
+            collectionSlug,
+            options
+        });
+    };
+};
+/**
+ * Unified access entrypoint.
+ *
+ * Modes:
+ * - `none`: permission-only (boolean)
+ * - `modify`: per-document mutation check (requires `collectionSlug` + runtime `id`)
+ * - implicit read mode: pass `options` to get a read `Where` filter after permission check
+ */ export const getPermissionAccess = ({ featureCode, actionCode, mode = "none", collectionSlug, options })=>{
+    if (mode === "modify") {
+        return getPermissionAndDataScopeModifyAccess({
+            featureCode,
+            actionCode,
+            collectionSlug,
+            options
+        });
+    }
+    if (options && Object.keys(options).length > 0) {
+        return getPermissionAndDataScopeReadAccess({
+            featureCode,
+            actionCode,
+            options
+        });
+    }
+    return getBasePermissionAccess({
+        featureCode,
+        actionCode
+    });
+};
+
+//# sourceMappingURL=access.js.map

package/dist/lib/utils/access.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/utils/access.ts"],"sourcesContent":["import { Access, type PayloadRequest, type Where } from \"payload\";\nimport type { DataScope } from \"../../collections/roles/types.js\";\nimport { STATUS as PERMISSION_STATUS } from \"../constants/permission.js\";\nimport { DATA_SCOPE, STATUS as ROLE_STATUS } from \"../constants/role.js\";\nimport { PARENT_PATH_SEPARATOR } from \"../constants/user.js\";\nimport { toID } from \"./data.js\";\n\ntype UserRoleRef =\n  | number\n  | string\n  | {\n      id?: number | string;\n      isSuperAdmin?: boolean | null;\n      dataScope?: DataScope;\n    };\n\ntype RequestUser = {\n  id?: number | string;\n  roles?: UserRoleRef[] | null;\n  isSuperAdmin?: boolean | null;\n};\n\nexport type DataScopeOptions = {\n  /** Field on business collections storing the creator user id. Default: `createdBy`. */\n  createdByField?: string;\n  /** Users collection slug. Default: `users`. */\n  usersCollectionSlug?: string;\n};\n\nconst DEFAULT_CREATED_BY_FIELD = \"createdBy\";\nconst DEFAULT_USERS_COLLECTION = \"users\";\n\nconst SCOPE_PRIORITY: Record<DataScope, number> = {\n  [DATA_SCOPE.OWN]: 0,\n  [DATA_SCOPE.HIERARCHY]: 1,\n  [DATA_SCOPE.ALL]: 2,\n};\n\n/** Normalize role refs from `req.user` to an always-iterable array. */\nconst getRoleRefs = (user: RequestUser): UserRoleRef[] => user.roles ?? [];\n\nconst getRoleIds = (user: RequestUser): string[] =>\n  getRoleRefs(user)\n    .map((ref) => toID(ref))\n    .filter((id): id is string => Boolean(id));\n\n/**\n * Fast-path super-admin check from session payload (`req.user`).\n * Avoids a database round-trip when the field is already present.\n */\nconst hasInlineSuperAdmin = (user: RequestUser | null | undefined): boolean => {\n  if (!user) {\n    return false;\n  }\n  return Boolean(user.isSuperAdmin);\n};\n\nconst pickWidestDataScope = (\n  scopes: Array<DataScope | null | undefined>,\n): DataScope => {\n  let widest: DataScope = DATA_SCOPE.OWN;\n\n  for (const scope of scopes) {\n    if (!scope) {\n      continue;\n    }\n    if (SCOPE_PRIORITY[scope] > SCOPE_PRIORITY[widest]) {\n      widest = scope;\n    }\n  }\n\n  return widest;\n};\n\n/**\n * Fallback super-admin check against persisted users data.\n * Use when session payload may be stale or missing `isSuperAdmin`.\n */\nconst resolveSuperAdminFromUserID = async ({\n  req,\n  user,\n}: {\n  req: PayloadRequest;\n  user: RequestUser;\n}): Promise<boolean> => {\n  if (!user.id) {\n    return false;\n  }\n\n  const userDocs = await req.payload.find({\n    collection: \"users\",\n    depth: 0,\n    limit: 1,\n    pagination: false,\n    req,\n    where: {\n      and: [\n        {\n          id: { equals: user.id },\n        },\n        {\n          isSuperAdmin: { equals: true },\n        },\n      ],\n    },\n  });\n\n  return userDocs.docs.length > 0;\n};\n\n/**\n * Resolve RBAC permission from role assignments:\n * 1) find active `permissions` by feature/action code\n * 2) check an enabled `roles-permissions` row for any user role\n */\nconst resolvePermissionFromRoleID = async ({\n  req,\n  user,\n  featureCode,\n  actionCode,\n}: {\n  req: PayloadRequest;\n  user: RequestUser;\n  featureCode: string;\n  actionCode: string;\n}): Promise<boolean> => {\n  const roleIDs = getRoleIds(user);\n  if (!roleIDs.length) {\n    return false;\n  }\n\n  const permissions = await req.payload.find({\n    collection: \"permissions\",\n    depth: 0,\n    limit: 0,\n    pagination: false,\n    req,\n    where: {\n      and: [\n        {\n          status: { equals: PERMISSION_STATUS.ACTIVE },\n        },\n        {\n          \"permissionFeature.code\": { equals: featureCode },\n        },\n        {\n          \"permissionAction.code\": { equals: actionCode },\n        },\n      ],\n    },\n  });\n\n  if (!permissions.docs.length) {\n    return false;\n  }\n  const permissionIDs = permissions.docs.map((item) => item.id);\n  const rolePermissions = await req.payload.find({\n    collection: \"roles-permissions\",\n    depth: 0,\n    limit: 1,\n    pagination: false,\n    req,\n    where: {\n      and: [\n        {\n          role: { in: roleIDs },\n        },\n        {\n          permission: { in: permissionIDs },\n        },\n        {\n          enabled: { equals: true },\n        },\n      ],\n    },\n  });\n\n  return rolePermissions.docs.length > 0;\n};\n\n/**\n * Access helper: allow only super admins.\n * Check session first, then persisted users data.\n */\nexport const getSuperAdminAccess = async ({ req }: { req: PayloadRequest }) => {\n  const user = req.user as RequestUser | undefined;\n  if (!user) {\n    return false;\n  }\n\n  if (hasInlineSuperAdmin(user)) {\n    return true;\n  }\n\n  return await resolveSuperAdminFromUserID({ req, user });\n};\n\n/**\n * Access helper: allow current document owner or super admin.\n */\nexport const getAuthenticatedOrSuperAdminAccess:\n  | Access\n  | Promise<boolean> = async ({ req, id }) => {\n  const user = req.user as RequestUser | undefined;\n  if (!user?.id) {\n    return false;\n  }\n\n  if (String(user.id) === String(id)) {\n    return true;\n  }\n\n  if (hasInlineSuperAdmin(user)) {\n    return true;\n  }\n  return await resolveSuperAdminFromUserID({ req, user });\n};\n\n/**\n * Core RBAC access function (permission-only).\n * Super admins bypass; others are evaluated via roles + `roles-permissions`.\n */\nconst getBasePermissionAccess = ({\n  featureCode,\n  actionCode,\n}: {\n  featureCode: string;\n  actionCode: string;\n}) => {\n  return async ({ req }: { req: PayloadRequest }) => {\n    const user = req.user as RequestUser | undefined;\n    if (!user) {\n      return false;\n    }\n\n    if (hasInlineSuperAdmin(user)) {\n      return true;\n    }\n\n    return await resolvePermissionFromRoleID({\n      req,\n      user,\n      featureCode,\n      actionCode,\n    });\n  };\n};\n\n/**\n * Resolve effective data scope from active roles.\n * Widest scope wins: `all` > `hierarchy` > `own`.\n */\nexport const resolveEffectiveDataScope = async (\n  req: PayloadRequest,\n  options: DataScopeOptions = {},\n): Promise<DataScope> => {\n  const user = req.user as RequestUser | undefined;\n\n  if (!user) {\n    return DATA_SCOPE.OWN;\n  }\n\n  if (hasInlineSuperAdmin(user)) {\n    return DATA_SCOPE.ALL;\n  }\n\n  const roleRefs = getRoleRefs(user);\n  const roleIDs = getRoleIds(user);\n\n  if (!roleIDs.length) {\n    return DATA_SCOPE.OWN;\n  }\n\n  const inlineScopes = roleRefs\n    .filter(\n      (ref): ref is { id?: string | number; dataScope?: DataScope } =>\n        typeof ref === \"object\" && ref !== null,\n    )\n    .map((ref) => ref.dataScope)\n    .filter((scope): scope is DataScope => Boolean(scope));\n\n  if (inlineScopes.length === roleRefs.length) {\n    return pickWidestDataScope(inlineScopes);\n  }\n\n  const roles = await req.payload.find({\n    collection: \"roles\",\n    depth: 0,\n    limit: 0,\n    pagination: false,\n    req,\n    where: {\n      and: [\n        { id: { in: roleIDs } },\n        { status: { equals: ROLE_STATUS.ACTIVE } },\n      ],\n    },\n  });\n\n  return pickWidestDataScope(\n    roles.docs.map((role) => (role as { dataScope?: DataScope }).dataScope),\n  );\n};\n\n/**\n * Collect visible user IDs for hierarchy scope:\n * current user + direct/indirect descendants from `parent` / `parentPath`.\n */\nexport const getHierarchyVisibleUserIds = async (\n  req: PayloadRequest,\n  options: DataScopeOptions = {},\n): Promise<string[]> => {\n  const usersCollectionSlug =\n    options.usersCollectionSlug ?? DEFAULT_USERS_COLLECTION;\n  const user = req.user as RequestUser | undefined;\n  const userId = user?.id;\n\n  if (!userId) {\n    return [];\n  }\n\n  const selfId = String(userId);\n\n  const descendants = await req.payload.find({\n    collection: usersCollectionSlug,\n    depth: 0,\n    limit: 0,\n    pagination: false,\n    req,\n    where: {\n      or: [\n        { parent: { equals: selfId } },\n        { parentPath: { equals: selfId } },\n        { parentPath: { contains: `${selfId}${PARENT_PATH_SEPARATOR}` } },\n      ],\n    },\n  });\n\n  const ids = new Set<string>([selfId]);\n\n  for (const doc of descendants.docs) {\n    const id = toID(doc as UserRoleRef);\n    if (id) {\n      ids.add(id);\n    }\n  }\n\n  return [...ids];\n};\n\n/**\n * Build a read `Where` filter from data scope.\n * Returns `true` when no extra filtering is required (`all` scope / super admin).\n */\nexport const getDataScopeReadWhere = async (\n  req: PayloadRequest,\n  options: DataScopeOptions = {},\n): Promise<Where | true> => {\n  const user = req.user as RequestUser | undefined;\n  const createdByField = options.createdByField ?? DEFAULT_CREATED_BY_FIELD;\n\n  if (!user?.id) {\n    return { [createdByField]: { equals: \"___none___\" } };\n  }\n\n  if (hasInlineSuperAdmin(user)) {\n    return true;\n  }\n\n  const scope = await resolveEffectiveDataScope(req, options);\n\n  if (scope === DATA_SCOPE.ALL) {\n    return true;\n  }\n\n  const selfId = String(user.id);\n\n  if (scope === DATA_SCOPE.OWN) {\n    return { [createdByField]: { equals: selfId } };\n  }\n\n  const visibleUserIds = await getHierarchyVisibleUserIds(req, options);\n\n  return {\n    [createdByField]: {\n      in: visibleUserIds.length ? visibleUserIds : [selfId],\n    },\n  };\n};\n\nconst getCreatedById = (\n  doc: Record<string, unknown>,\n  createdByField: string,\n): string | undefined => {\n  const value = doc[createdByField];\n  return toID(value as UserRoleRef) || undefined;\n};\n\nconst isUsersCollection = (\n  collectionSlug: string,\n  usersCollectionSlug: string,\n) => collectionSlug === usersCollectionSlug;\n\n/**\n * Guard for privileged user documents.\n * Non-super-admins cannot mutate users where `isSuperAdmin === true`.\n */\nexport const isProtectedSuperAdminUserDoc = (\n  doc: Record<string, unknown>,\n): boolean => Boolean(doc.isSuperAdmin);\n\n/**\n * Document-level access check:\n * RBAC permission (`featureCode` + `actionCode`) + data-scope evaluation.\n * Super admins bypass.\n */\nexport const canAccessDocumentByDataScope = async ({\n  req,\n  doc,\n  featureCode,\n  actionCode,\n  collectionSlug,\n  options = {},\n}: {\n  req: PayloadRequest;\n  doc: Record<string, unknown>;\n  featureCode: string;\n  actionCode: string;\n  collectionSlug: string;\n  options?: DataScopeOptions;\n}): Promise<boolean> => {\n  const user = req.user as RequestUser | undefined;\n  const createdByField = options.createdByField ?? DEFAULT_CREATED_BY_FIELD;\n  const usersCollectionSlug =\n    options.usersCollectionSlug ?? DEFAULT_USERS_COLLECTION;\n\n  if (!user?.id) {\n    return false;\n  }\n\n  if (hasInlineSuperAdmin(user)) {\n    return true;\n  }\n\n  const hasPermission = await resolvePermissionFromRoleID({\n    req,\n    user,\n    featureCode,\n    actionCode,\n  });\n\n  if (!hasPermission) {\n    return false;\n  }\n\n  const scope = await resolveEffectiveDataScope(req, options);\n  const creatorId = getCreatedById(doc, createdByField);\n\n  if (!creatorId) {\n    return true;\n  }\n\n  if (\n    scope === DATA_SCOPE.ALL &&\n    isUsersCollection(collectionSlug, usersCollectionSlug) &&\n    isProtectedSuperAdminUserDoc(doc)\n  ) {\n    return false;\n  }\n\n  if (scope === DATA_SCOPE.ALL) {\n    return true;\n  }\n\n  const selfId = String(user.id);\n\n  if (scope === DATA_SCOPE.OWN) {\n    return creatorId === selfId;\n  }\n\n  const visibleUserIds = await getHierarchyVisibleUserIds(req, options);\n  return visibleUserIds.includes(creatorId);\n};\n\n/**\n * Merge an existing `where` with scope-derived constraints.\n */\nexport const mergeDataScopeWhere = (\n  base: Where | undefined,\n  scopeWhere: Where | true,\n): Where => {\n  if (scopeWhere === true) {\n    return base ?? {};\n  }\n\n  if (!base || Object.keys(base).length === 0) {\n    return scopeWhere;\n  }\n\n  return {\n    and: [base, scopeWhere],\n  };\n};\n\n/**\n * Access helper for collection `read`:\n * RBAC permission check + data-scope `Where` filter.\n */\nconst getPermissionAndDataScopeReadAccess = ({\n  featureCode,\n  actionCode,\n  options = {},\n}: {\n  featureCode: string;\n  actionCode: string;\n  options?: DataScopeOptions;\n}) => {\n  return async ({ req }: { req: PayloadRequest }) => {\n    const hasPermission = await getBasePermissionAccess({\n      featureCode,\n      actionCode,\n    })({\n      req,\n    });\n\n    if (!hasPermission) {\n      return false;\n    }\n\n    return getDataScopeReadWhere(req, options);\n  };\n};\n\n/**\n * Access helper for document mutations (`update`/`delete`):\n * load target document then apply RBAC + data-scope checks.\n */\nconst getPermissionAndDataScopeModifyAccess = ({\n  featureCode,\n  actionCode,\n  collectionSlug,\n  options = {},\n}: {\n  featureCode: string;\n  actionCode: string;\n  collectionSlug?: string;\n  options?: DataScopeOptions;\n}) => {\n  return async ({ req, id }: { req: PayloadRequest; id?: string | number }) => {\n    if (!id || !collectionSlug) {\n      return false;\n    }\n\n    const doc = await req.payload.findByID({\n      collection: collectionSlug,\n      id,\n      depth: 0,\n      req,\n    });\n\n    return canAccessDocumentByDataScope({\n      req,\n      doc: doc as Record<string, unknown>,\n      featureCode,\n      actionCode,\n      collectionSlug,\n      options,\n    });\n  };\n};\n\n/**\n * Unified access entrypoint.\n *\n * Modes:\n * - `none`: permission-only (boolean)\n * - `modify`: per-document mutation check (requires `collectionSlug` + runtime `id`)\n * - implicit read mode: pass `options` to get a read `Where` filter after permission check\n */\n\nexport const getPermissionAccess = ({\n  featureCode,\n  actionCode,\n  mode = \"none\",\n  collectionSlug,\n  options,\n}: {\n  featureCode: string;\n  actionCode: string;\n  mode?: \"none\" | \"modify\";\n  collectionSlug?: string;\n  options?: DataScopeOptions;\n}) => {\n  if (mode === \"modify\") {\n    return getPermissionAndDataScopeModifyAccess({\n      featureCode,\n      actionCode,\n      collectionSlug,\n      options,\n    });\n  }\n\n  if (options && Object.keys(options).length > 0) {\n    return getPermissionAndDataScopeReadAccess({\n      featureCode,\n      actionCode,\n      options,\n    });\n  }\n  return getBasePermissionAccess({ featureCode, actionCode });\n};\n"],"names":["STATUS","PERMISSION_STATUS","DATA_SCOPE","ROLE_STATUS","PARENT_PATH_SEPARATOR","toID","DEFAULT_CREATED_BY_FIELD","DEFAULT_USERS_COLLECTION","SCOPE_PRIORITY","OWN","HIERARCHY","ALL","getRoleRefs","user","roles","getRoleIds","map","ref","filter","id","Boolean","hasInlineSuperAdmin","isSuperAdmin","pickWidestDataScope","scopes","widest","scope","resolveSuperAdminFromUserID","req","userDocs","payload","find","collection","depth","limit","pagination","where","and","equals","docs","length","resolvePermissionFromRoleID","featureCode","actionCode","roleIDs","permissions","status","ACTIVE","permissionIDs","item","rolePermissions","role","in","permission","enabled","getSuperAdminAccess","getAuthenticatedOrSuperAdminAccess","String","getBasePermissionAccess","resolveEffectiveDataScope","options","roleRefs","inlineScopes","dataScope","getHierarchyVisibleUserIds","usersCollectionSlug","userId","selfId","descendants","or","parent","parentPath","contains","ids","Set","doc","add","getDataScopeReadWhere","createdByField","visibleUserIds","getCreatedById","value","undefined","isUsersCollection","collectionSlug","isProtectedSuperAdminUserDoc","canAccessDocumentByDataScope","hasPermission","creatorId","includes","mergeDataScopeWhere","base","scopeWhere","Object","keys","getPermissionAndDataScopeReadAccess","getPermissionAndDataScopeModifyAccess","findByID","getPermissionAccess","mode"],"mappings":"AAEA,SAASA,UAAUC,iBAAiB,QAAQ,6BAA6B;AACzE,SAASC,UAAU,EAAEF,UAAUG,WAAW,QAAQ,uBAAuB;AACzE,SAASC,qBAAqB,QAAQ,uBAAuB;AAC7D,SAASC,IAAI,QAAQ,YAAY;AAwBjC,MAAMC,2BAA2B;AACjC,MAAMC,2BAA2B;AAEjC,MAAMC,iBAA4C;IAChD,CAACN,WAAWO,GAAG,CAAC,EAAE;IAClB,CAACP,WAAWQ,SAAS,CAAC,EAAE;IACxB,CAACR,WAAWS,GAAG,CAAC,EAAE;AACpB;AAEA,qEAAqE,GACrE,MAAMC,cAAc,CAACC,OAAqCA,KAAKC,KAAK,IAAI,EAAE;AAE1E,MAAMC,aAAa,CAACF,OAClBD,YAAYC,MACTG,GAAG,CAAC,CAACC,MAAQZ,KAAKY,MAClBC,MAAM,CAAC,CAACC,KAAqBC,QAAQD;AAE1C;;;CAGC,GACD,MAAME,sBAAsB,CAACR;IAC3B,IAAI,CAACA,MAAM;QACT,OAAO;IACT;IACA,OAAOO,QAAQP,KAAKS,YAAY;AAClC;AAEA,MAAMC,sBAAsB,CAC1BC;IAEA,IAAIC,SAAoBvB,WAAWO,GAAG;IAEtC,KAAK,MAAMiB,SAASF,OAAQ;QAC1B,IAAI,CAACE,OAAO;YACV;QACF;QACA,IAAIlB,cAAc,CAACkB,MAAM,GAAGlB,cAAc,CAACiB,OAAO,EAAE;YAClDA,SAASC;QACX;IACF;IAEA,OAAOD;AACT;AAEA;;;CAGC,GACD,MAAME,8BAA8B,OAAO,EACzCC,GAAG,EACHf,IAAI,EAIL;IACC,IAAI,CAACA,KAAKM,EAAE,EAAE;QACZ,OAAO;IACT;IAEA,MAAMU,WAAW,MAAMD,IAAIE,OAAO,CAACC,IAAI,CAAC;QACtCC,YAAY;QACZC,OAAO;QACPC,OAAO;QACPC,YAAY;QACZP;QACAQ,OAAO;YACLC,KAAK;gBACH;oBACElB,IAAI;wBAAEmB,QAAQzB,KAAKM,EAAE;oBAAC;gBACxB;gBACA;oBACEG,cAAc;wBAAEgB,QAAQ;oBAAK;gBAC/B;aACD;QACH;IACF;IAEA,OAAOT,SAASU,IAAI,CAACC,MAAM,GAAG;AAChC;AAEA;;;;CAIC,GACD,MAAMC,8BAA8B,OAAO,EACzCb,GAAG,EACHf,IAAI,EACJ6B,WAAW,EACXC,UAAU,EAMX;IACC,MAAMC,UAAU7B,WAAWF;IAC3B,IAAI,CAAC+B,QAAQJ,MAAM,EAAE;QACnB,OAAO;IACT;IAEA,MAAMK,cAAc,MAAMjB,IAAIE,OAAO,CAACC,IAAI,CAAC;QACzCC,YAAY;QACZC,OAAO;QACPC,OAAO;QACPC,YAAY;QACZP;QACAQ,OAAO;YACLC,KAAK;gBACH;oBACES,QAAQ;wBAAER,QAAQrC,kBAAkB8C,MAAM;oBAAC;gBAC7C;gBACA;oBACE,0BAA0B;wBAAET,QAAQI;oBAAY;gBAClD;gBACA;oBACE,yBAAyB;wBAAEJ,QAAQK;oBAAW;gBAChD;aACD;QACH;IACF;IAEA,IAAI,CAACE,YAAYN,IAAI,CAACC,MAAM,EAAE;QAC5B,OAAO;IACT;IACA,MAAMQ,gBAAgBH,YAAYN,IAAI,CAACvB,GAAG,CAAC,CAACiC,OAASA,KAAK9B,EAAE;IAC5D,MAAM+B,kBAAkB,MAAMtB,IAAIE,OAAO,CAACC,IAAI,CAAC;QAC7CC,YAAY;QACZC,OAAO;QACPC,OAAO;QACPC,YAAY;QACZP;QACAQ,OAAO;YACLC,KAAK;gBACH;oBACEc,MAAM;wBAAEC,IAAIR;oBAAQ;gBACtB;gBACA;oBACES,YAAY;wBAAED,IAAIJ;oBAAc;gBAClC;gBACA;oBACEM,SAAS;wBAAEhB,QAAQ;oBAAK;gBAC1B;aACD;QACH;IACF;IAEA,OAAOY,gBAAgBX,IAAI,CAACC,MAAM,GAAG;AACvC;AAEA;;;CAGC,GACD,OAAO,MAAMe,sBAAsB,OAAO,EAAE3B,GAAG,EAA2B;IACxE,MAAMf,OAAOe,IAAIf,IAAI;IACrB,IAAI,CAACA,MAAM;QACT,OAAO;IACT;IAEA,IAAIQ,oBAAoBR,OAAO;QAC7B,OAAO;IACT;IAEA,OAAO,MAAMc,4BAA4B;QAAEC;QAAKf;IAAK;AACvD,EAAE;AAEF;;CAEC,GACD,OAAO,MAAM2C,qCAEU,OAAO,EAAE5B,GAAG,EAAET,EAAE,EAAE;IACvC,MAAMN,OAAOe,IAAIf,IAAI;IACrB,IAAI,CAACA,MAAMM,IAAI;QACb,OAAO;IACT;IAEA,IAAIsC,OAAO5C,KAAKM,EAAE,MAAMsC,OAAOtC,KAAK;QAClC,OAAO;IACT;IAEA,IAAIE,oBAAoBR,OAAO;QAC7B,OAAO;IACT;IACA,OAAO,MAAMc,4BAA4B;QAAEC;QAAKf;IAAK;AACvD,EAAE;AAEF;;;CAGC,GACD,MAAM6C,0BAA0B,CAAC,EAC/BhB,WAAW,EACXC,UAAU,EAIX;IACC,OAAO,OAAO,EAAEf,GAAG,EAA2B;QAC5C,MAAMf,OAAOe,IAAIf,IAAI;QACrB,IAAI,CAACA,MAAM;YACT,OAAO;QACT;QAEA,IAAIQ,oBAAoBR,OAAO;YAC7B,OAAO;QACT;QAEA,OAAO,MAAM4B,4BAA4B;YACvCb;YACAf;YACA6B;YACAC;QACF;IACF;AACF;AAEA;;;CAGC,GACD,OAAO,MAAMgB,4BAA4B,OACvC/B,KACAgC,UAA4B,CAAC,CAAC;IAE9B,MAAM/C,OAAOe,IAAIf,IAAI;IAErB,IAAI,CAACA,MAAM;QACT,OAAOX,WAAWO,GAAG;IACvB;IAEA,IAAIY,oBAAoBR,OAAO;QAC7B,OAAOX,WAAWS,GAAG;IACvB;IAEA,MAAMkD,WAAWjD,YAAYC;IAC7B,MAAM+B,UAAU7B,WAAWF;IAE3B,IAAI,CAAC+B,QAAQJ,MAAM,EAAE;QACnB,OAAOtC,WAAWO,GAAG;IACvB;IAEA,MAAMqD,eAAeD,SAClB3C,MAAM,CACL,CAACD,MACC,OAAOA,QAAQ,YAAYA,QAAQ,MAEtCD,GAAG,CAAC,CAACC,MAAQA,IAAI8C,SAAS,EAC1B7C,MAAM,CAAC,CAACQ,QAA8BN,QAAQM;IAEjD,IAAIoC,aAAatB,MAAM,KAAKqB,SAASrB,MAAM,EAAE;QAC3C,OAAOjB,oBAAoBuC;IAC7B;IAEA,MAAMhD,QAAQ,MAAMc,IAAIE,OAAO,CAACC,IAAI,CAAC;QACnCC,YAAY;QACZC,OAAO;QACPC,OAAO;QACPC,YAAY;QACZP;QACAQ,OAAO;YACLC,KAAK;gBACH;oBAAElB,IAAI;wBAAEiC,IAAIR;oBAAQ;gBAAE;gBACtB;oBAAEE,QAAQ;wBAAER,QAAQnC,YAAY4C,MAAM;oBAAC;gBAAE;aAC1C;QACH;IACF;IAEA,OAAOxB,oBACLT,MAAMyB,IAAI,CAACvB,GAAG,CAAC,CAACmC,OAAS,AAACA,KAAmCY,SAAS;AAE1E,EAAE;AAEF;;;CAGC,GACD,OAAO,MAAMC,6BAA6B,OACxCpC,KACAgC,UAA4B,CAAC,CAAC;IAE9B,MAAMK,sBACJL,QAAQK,mBAAmB,IAAI1D;IACjC,MAAMM,OAAOe,IAAIf,IAAI;IACrB,MAAMqD,SAASrD,MAAMM;IAErB,IAAI,CAAC+C,QAAQ;QACX,OAAO,EAAE;IACX;IAEA,MAAMC,SAASV,OAAOS;IAEtB,MAAME,cAAc,MAAMxC,IAAIE,OAAO,CAACC,IAAI,CAAC;QACzCC,YAAYiC;QACZhC,OAAO;QACPC,OAAO;QACPC,YAAY;QACZP;QACAQ,OAAO;YACLiC,IAAI;gBACF;oBAAEC,QAAQ;wBAAEhC,QAAQ6B;oBAAO;gBAAE;gBAC7B;oBAAEI,YAAY;wBAAEjC,QAAQ6B;oBAAO;gBAAE;gBACjC;oBAAEI,YAAY;wBAAEC,UAAU,GAAGL,SAAS/D,uBAAuB;oBAAC;gBAAE;aACjE;QACH;IACF;IAEA,MAAMqE,MAAM,IAAIC,IAAY;QAACP;KAAO;IAEpC,KAAK,MAAMQ,OAAOP,YAAY7B,IAAI,CAAE;QAClC,MAAMpB,KAAKd,KAAKsE;QAChB,IAAIxD,IAAI;YACNsD,IAAIG,GAAG,CAACzD;QACV;IACF;IAEA,OAAO;WAAIsD;KAAI;AACjB,EAAE;AAEF;;;CAGC,GACD,OAAO,MAAMI,wBAAwB,OACnCjD,KACAgC,UAA4B,CAAC,CAAC;IAE9B,MAAM/C,OAAOe,IAAIf,IAAI;IACrB,MAAMiE,iBAAiBlB,QAAQkB,cAAc,IAAIxE;IAEjD,IAAI,CAACO,MAAMM,IAAI;QACb,OAAO;YAAE,CAAC2D,eAAe,EAAE;gBAAExC,QAAQ;YAAa;QAAE;IACtD;IAEA,IAAIjB,oBAAoBR,OAAO;QAC7B,OAAO;IACT;IAEA,MAAMa,QAAQ,MAAMiC,0BAA0B/B,KAAKgC;IAEnD,IAAIlC,UAAUxB,WAAWS,GAAG,EAAE;QAC5B,OAAO;IACT;IAEA,MAAMwD,SAASV,OAAO5C,KAAKM,EAAE;IAE7B,IAAIO,UAAUxB,WAAWO,GAAG,EAAE;QAC5B,OAAO;YAAE,CAACqE,eAAe,EAAE;gBAAExC,QAAQ6B;YAAO;QAAE;IAChD;IAEA,MAAMY,iBAAiB,MAAMf,2BAA2BpC,KAAKgC;IAE7D,OAAO;QACL,CAACkB,eAAe,EAAE;YAChB1B,IAAI2B,eAAevC,MAAM,GAAGuC,iBAAiB;gBAACZ;aAAO;QACvD;IACF;AACF,EAAE;AAEF,MAAMa,iBAAiB,CACrBL,KACAG;IAEA,MAAMG,QAAQN,GAAG,CAACG,eAAe;IACjC,OAAOzE,KAAK4E,UAAyBC;AACvC;AAEA,MAAMC,oBAAoB,CACxBC,gBACAnB,sBACGmB,mBAAmBnB;AAExB;;;CAGC,GACD,OAAO,MAAMoB,+BAA+B,CAC1CV,MACYvD,QAAQuD,IAAIrD,YAAY,EAAE;AAExC;;;;CAIC,GACD,OAAO,MAAMgE,+BAA+B,OAAO,EACjD1D,GAAG,EACH+C,GAAG,EACHjC,WAAW,EACXC,UAAU,EACVyC,cAAc,EACdxB,UAAU,CAAC,CAAC,EAQb;IACC,MAAM/C,OAAOe,IAAIf,IAAI;IACrB,MAAMiE,iBAAiBlB,QAAQkB,cAAc,IAAIxE;IACjD,MAAM2D,sBACJL,QAAQK,mBAAmB,IAAI1D;IAEjC,IAAI,CAACM,MAAMM,IAAI;QACb,OAAO;IACT;IAEA,IAAIE,oBAAoBR,OAAO;QAC7B,OAAO;IACT;IAEA,MAAM0E,gBAAgB,MAAM9C,4BAA4B;QACtDb;QACAf;QACA6B;QACAC;IACF;IAEA,IAAI,CAAC4C,eAAe;QAClB,OAAO;IACT;IAEA,MAAM7D,QAAQ,MAAMiC,0BAA0B/B,KAAKgC;IACnD,MAAM4B,YAAYR,eAAeL,KAAKG;IAEtC,IAAI,CAACU,WAAW;QACd,OAAO;IACT;IAEA,IACE9D,UAAUxB,WAAWS,GAAG,IACxBwE,kBAAkBC,gBAAgBnB,wBAClCoB,6BAA6BV,MAC7B;QACA,OAAO;IACT;IAEA,IAAIjD,UAAUxB,WAAWS,GAAG,EAAE;QAC5B,OAAO;IACT;IAEA,MAAMwD,SAASV,OAAO5C,KAAKM,EAAE;IAE7B,IAAIO,UAAUxB,WAAWO,GAAG,EAAE;QAC5B,OAAO+E,cAAcrB;IACvB;IAEA,MAAMY,iBAAiB,MAAMf,2BAA2BpC,KAAKgC;IAC7D,OAAOmB,eAAeU,QAAQ,CAACD;AACjC,EAAE;AAEF;;CAEC,GACD,OAAO,MAAME,sBAAsB,CACjCC,MACAC;IAEA,IAAIA,eAAe,MAAM;QACvB,OAAOD,QAAQ,CAAC;IAClB;IAEA,IAAI,CAACA,QAAQE,OAAOC,IAAI,CAACH,MAAMnD,MAAM,KAAK,GAAG;QAC3C,OAAOoD;IACT;IAEA,OAAO;QACLvD,KAAK;YAACsD;YAAMC;SAAW;IACzB;AACF,EAAE;AAEF;;;CAGC,GACD,MAAMG,sCAAsC,CAAC,EAC3CrD,WAAW,EACXC,UAAU,EACViB,UAAU,CAAC,CAAC,EAKb;IACC,OAAO,OAAO,EAAEhC,GAAG,EAA2B;QAC5C,MAAM2D,gBAAgB,MAAM7B,wBAAwB;YAClDhB;YACAC;QACF,GAAG;YACDf;QACF;QAEA,IAAI,CAAC2D,eAAe;YAClB,OAAO;QACT;QAEA,OAAOV,sBAAsBjD,KAAKgC;IACpC;AACF;AAEA;;;CAGC,GACD,MAAMoC,wCAAwC,CAAC,EAC7CtD,WAAW,EACXC,UAAU,EACVyC,cAAc,EACdxB,UAAU,CAAC,CAAC,EAMb;IACC,OAAO,OAAO,EAAEhC,GAAG,EAAET,EAAE,EAAiD;QACtE,IAAI,CAACA,MAAM,CAACiE,gBAAgB;YAC1B,OAAO;QACT;QAEA,MAAMT,MAAM,MAAM/C,IAAIE,OAAO,CAACmE,QAAQ,CAAC;YACrCjE,YAAYoD;YACZjE;YACAc,OAAO;YACPL;QACF;QAEA,OAAO0D,6BAA6B;YAClC1D;YACA+C,KAAKA;YACLjC;YACAC;YACAyC;YACAxB;QACF;IACF;AACF;AAEA;;;;;;;CAOC,GAED,OAAO,MAAMsC,sBAAsB,CAAC,EAClCxD,WAAW,EACXC,UAAU,EACVwD,OAAO,MAAM,EACbf,cAAc,EACdxB,OAAO,EAOR;IACC,IAAIuC,SAAS,UAAU;QACrB,OAAOH,sCAAsC;YAC3CtD;YACAC;YACAyC;YACAxB;QACF;IACF;IAEA,IAAIA,WAAWiC,OAAOC,IAAI,CAAClC,SAASpB,MAAM,GAAG,GAAG;QAC9C,OAAOuD,oCAAoC;YACzCrD;YACAC;YACAiB;QACF;IACF;IACA,OAAOF,wBAAwB;QAAEhB;QAAaC;IAAW;AAC3D,EAAE"}

package/dist/lib/utils/data.js

@@ -0,0 +1,7 @@
+/**
+ * Converts a value to an ID string.
+ * @param value - The value to convert.
+ * @returns The ID string.
+ */ export const toID = (value)=>value ? typeof value === "object" ? String(value.id) : String(value) : "";
+
+//# sourceMappingURL=data.js.map

package/dist/lib/utils/data.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/utils/data.ts"],"sourcesContent":["/**\n * Converts a value to an ID string.\n * @param value - The value to convert.\n * @returns The ID string.\n */\nexport const toID = (value?: ItemRef) =>\n  value ? (typeof value === \"object\" ? String(value.id) : String(value)) : \"\";\n"],"names":["toID","value","String","id"],"mappings":"AAAA;;;;CAIC,GACD,OAAO,MAAMA,OAAO,CAACC,QACnBA,QAAS,OAAOA,UAAU,WAAWC,OAAOD,MAAME,EAAE,IAAID,OAAOD,SAAU,GAAG"}

package/dist/lib/utils/fields.js

@@ -0,0 +1,41 @@
+import { fieldAffectsData } from "payload/shared";
+/**
+ * Merges one plugin default field with a host override that shares the same `name`.
+ * Custom properties win (`{ ...defaultField, ...customField }`). Non-data fields
+ * (e.g. tabs, unnamed layout fields) are returned unchanged.
+ */ export const getMergedFieldAffectingData = ({ fields, defaultField })=>{
+    if (!defaultField || !fieldAffectsData(defaultField)) {
+        return defaultField;
+    }
+    const defaultName = defaultField.name;
+    const customField = fields.find((field)=>fieldAffectsData(field) && field.name === defaultName);
+    if (customField) {
+        return {
+            ...defaultField,
+            ...customField
+        };
+    }
+    return defaultField;
+};
+/**
+ * Builds the final `fields` array for a collection: each default is merged by name,
+ * then host-only fields are appended (data fields with new names, plus layout fields).
+ */ export const getArrayOfMergedFieldAffectingData = ({ fields, defaultFields })=>{
+    const defaultNames = new Set(defaultFields.filter(fieldAffectsData).map((field)=>field.name));
+    const mergedFromDefaults = defaultFields.map((defaultField)=>getMergedFieldAffectingData({
+            fields,
+            defaultField
+        }));
+    const unMatchedFields = fields.filter((field)=>{
+        if (!fieldAffectsData(field)) {
+            return true;
+        }
+        return !defaultNames.has(field.name);
+    });
+    return [
+        ...mergedFromDefaults,
+        ...unMatchedFields
+    ];
+};
+
+//# sourceMappingURL=fields.js.map

package/dist/lib/utils/fields.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/utils/fields.ts"],"sourcesContent":["import type { Field } from \"payload\";\nimport { fieldAffectsData } from \"payload/shared\";\n\n/**\n * Merges one plugin default field with a host override that shares the same `name`.\n * Custom properties win (`{ ...defaultField, ...customField }`). Non-data fields\n * (e.g. tabs, unnamed layout fields) are returned unchanged.\n */\nexport const getMergedFieldAffectingData = ({\n  fields,\n  defaultField,\n}: {\n  fields: Field[];\n  defaultField: Field;\n}): Field => {\n  if (!defaultField || !fieldAffectsData(defaultField)) {\n    return defaultField;\n  }\n\n  const defaultName = defaultField.name;\n  const customField = fields.find(\n    (field) => fieldAffectsData(field) && field.name === defaultName,\n  );\n\n  if (customField) {\n    return {\n      ...defaultField,\n      ...customField,\n    } as Field;\n  }\n\n  return defaultField;\n};\n\n/**\n * Builds the final `fields` array for a collection: each default is merged by name,\n * then host-only fields are appended (data fields with new names, plus layout fields).\n */\nexport const getArrayOfMergedFieldAffectingData = ({\n  fields,\n  defaultFields,\n}: {\n  fields: Field[];\n  defaultFields: Field[];\n}): Field[] => {\n  const defaultNames = new Set(\n    defaultFields.filter(fieldAffectsData).map((field) => field.name),\n  );\n\n  const mergedFromDefaults = defaultFields.map((defaultField) =>\n    getMergedFieldAffectingData({ fields, defaultField }),\n  );\n\n  const unMatchedFields = fields.filter((field) => {\n    if (!fieldAffectsData(field)) {\n      return true;\n    }\n    return !defaultNames.has(field.name);\n  });\n\n  return [...mergedFromDefaults, ...unMatchedFields];\n};\n"],"names":["fieldAffectsData","getMergedFieldAffectingData","fields","defaultField","defaultName","name","customField","find","field","getArrayOfMergedFieldAffectingData","defaultFields","defaultNames","Set","filter","map","mergedFromDefaults","unMatchedFields","has"],"mappings":"AACA,SAASA,gBAAgB,QAAQ,iBAAiB;AAElD;;;;CAIC,GACD,OAAO,MAAMC,8BAA8B,CAAC,EAC1CC,MAAM,EACNC,YAAY,EAIb;IACC,IAAI,CAACA,gBAAgB,CAACH,iBAAiBG,eAAe;QACpD,OAAOA;IACT;IAEA,MAAMC,cAAcD,aAAaE,IAAI;IACrC,MAAMC,cAAcJ,OAAOK,IAAI,CAC7B,CAACC,QAAUR,iBAAiBQ,UAAUA,MAAMH,IAAI,KAAKD;IAGvD,IAAIE,aAAa;QACf,OAAO;YACL,GAAGH,YAAY;YACf,GAAGG,WAAW;QAChB;IACF;IAEA,OAAOH;AACT,EAAE;AAEF;;;CAGC,GACD,OAAO,MAAMM,qCAAqC,CAAC,EACjDP,MAAM,EACNQ,aAAa,EAId;IACC,MAAMC,eAAe,IAAIC,IACvBF,cAAcG,MAAM,CAACb,kBAAkBc,GAAG,CAAC,CAACN,QAAUA,MAAMH,IAAI;IAGlE,MAAMU,qBAAqBL,cAAcI,GAAG,CAAC,CAACX,eAC5CF,4BAA4B;YAAEC;YAAQC;QAAa;IAGrD,MAAMa,kBAAkBd,OAAOW,MAAM,CAAC,CAACL;QACrC,IAAI,CAACR,iBAAiBQ,QAAQ;YAC5B,OAAO;QACT;QACA,OAAO,CAACG,aAAaM,GAAG,CAACT,MAAMH,IAAI;IACrC;IAEA,OAAO;WAAIU;WAAuBC;KAAgB;AACpD,EAAE"}

package/dist/lib/utils/index.js

@@ -0,0 +1,6 @@
+export * from "./access.js";
+export * from "./data.js";
+export * from "./fields.js";
+export * from "./localization.js";
+
+//# sourceMappingURL=index.js.map

package/dist/lib/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/lib/utils/index.ts"],"sourcesContent":["export * from \"./access.js\"\nexport * from \"./data.js\"\nexport * from \"./fields.js\"\nexport * from \"./localization.js\"\n"],"names":[],"mappings":"AAAA,cAAc,cAAa;AAC3B,cAAc,YAAW;AACzB,cAAc,cAAa;AAC3B,cAAc,oBAAmB"}