hazo_auth 9.1.1 → 10.0.0
- package/README.md +24 -6
- package/SETUP_CHECKLIST.md +6 -16
- package/cli-src/cli/init_users.ts +40 -48
- package/cli-src/lib/auth/auth_types.ts +0 -2
- package/cli-src/lib/auth/hazo_get_auth.server.ts +31 -25
- package/cli-src/lib/auth/hazo_get_tenant_auth.server.ts +9 -13
- package/cli-src/lib/constants.ts +2 -0
- package/cli-src/lib/profile_pic_menu_config.server.ts +4 -3
- package/cli-src/lib/schema/sqlite_schema.ts +0 -4
- package/cli-src/lib/scope_hierarchy_config.server.ts +1 -9
- package/cli-src/lib/services/invitation_service.ts +1 -1
- package/cli-src/lib/services/scope_service.ts +2 -76
- package/cli-src/lib/services/user_scope_service.ts +7 -61
- package/dist/cli/init_users.d.ts.map +1 -1
- package/dist/cli/init_users.js +42 -42
- package/dist/client.d.ts +1 -1
- package/dist/client.d.ts.map +1 -1
- package/dist/client.js +1 -1
- package/dist/components/layouts/shared/components/profile_pic_menu.d.ts.map +1 -1
- package/dist/components/layouts/shared/components/profile_pic_menu.js +7 -1
- package/dist/components/ui/button.d.ts +1 -1
- package/dist/components/ui/input-otp.d.ts +2 -2
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -1
- package/dist/lib/auth/auth_types.d.ts +0 -2
- package/dist/lib/auth/auth_types.d.ts.map +1 -1
- package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
- package/dist/lib/auth/hazo_get_auth.server.js +27 -19
- package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts.map +1 -1
- package/dist/lib/auth/hazo_get_tenant_auth.server.js +10 -10
- package/dist/lib/constants.d.ts +1 -0
- package/dist/lib/constants.d.ts.map +1 -1
- package/dist/lib/constants.js +1 -0
- package/dist/lib/profile_pic_menu_config.server.d.ts +2 -1
- package/dist/lib/profile_pic_menu_config.server.d.ts.map +1 -1
- package/dist/lib/profile_pic_menu_config.server.js +1 -1
- package/dist/lib/schema/sqlite_schema.d.ts +1 -1
- package/dist/lib/schema/sqlite_schema.d.ts.map +1 -1
- package/dist/lib/schema/sqlite_schema.js +0 -4
- package/dist/lib/scope_hierarchy_config.server.d.ts +0 -2
- package/dist/lib/scope_hierarchy_config.server.d.ts.map +1 -1
- package/dist/lib/scope_hierarchy_config.server.js +1 -3
- package/dist/lib/services/invitation_service.d.ts +1 -1
- package/dist/lib/services/invitation_service.js +1 -1
- package/dist/lib/services/scope_service.d.ts +1 -14
- package/dist/lib/services/scope_service.d.ts.map +1 -1
- package/dist/lib/services/scope_service.js +2 -67
- package/dist/lib/services/user_scope_service.d.ts +5 -12
- package/dist/lib/services/user_scope_service.d.ts.map +1 -1
- package/dist/lib/services/user_scope_service.js +8 -45
- package/dist/server/routes/invitations.d.ts +1 -1
- package/dist/server/routes/invitations.d.ts.map +1 -1
- package/dist/server/routes/invitations.js +12 -11
- package/package.json +12 -12
|
@@ -8,8 +8,6 @@ import {
|
|
|
8
8
|
get_scope_by_id,
|
|
9
9
|
get_scope_ancestors,
|
|
10
10
|
get_root_scope_id,
|
|
11
|
-
SUPER_ADMIN_SCOPE_ID,
|
|
12
|
-
is_super_admin_scope,
|
|
13
11
|
} from "./scope_service.js";
|
|
14
12
|
|
|
15
13
|
// section: constants
|
|
@@ -48,7 +46,6 @@ export type ScopeAccessCheckResult = {
|
|
|
48
46
|
scope_name?: string;
|
|
49
47
|
};
|
|
50
48
|
user_scopes?: UserScope[];
|
|
51
|
-
is_super_admin?: boolean;
|
|
52
49
|
};
|
|
53
50
|
|
|
54
51
|
export type AssignUserScopeData = {
|
|
@@ -365,27 +362,6 @@ export async function update_user_scopes(
|
|
|
365
362
|
}
|
|
366
363
|
}
|
|
367
364
|
|
|
368
|
-
/**
|
|
369
|
-
* Checks if a user is a super admin (has super admin scope assigned)
|
|
370
|
-
*/
|
|
371
|
-
export async function is_user_super_admin(
|
|
372
|
-
adapter: HazoConnectAdapter,
|
|
373
|
-
user_id: string,
|
|
374
|
-
): Promise<boolean> {
|
|
375
|
-
try {
|
|
376
|
-
const user_scopes_result = await get_user_scopes(adapter, user_id);
|
|
377
|
-
if (!user_scopes_result.success || !user_scopes_result.scopes) {
|
|
378
|
-
return false;
|
|
379
|
-
}
|
|
380
|
-
|
|
381
|
-
return user_scopes_result.scopes.some((scope) =>
|
|
382
|
-
is_super_admin_scope(scope.scope_id),
|
|
383
|
-
);
|
|
384
|
-
} catch {
|
|
385
|
-
return false;
|
|
386
|
-
}
|
|
387
|
-
}
|
|
388
|
-
|
|
389
365
|
/**
|
|
390
366
|
* Checks if a user has any scope assigned
|
|
391
367
|
*/
|
|
@@ -408,9 +384,11 @@ export async function user_has_any_scope(
|
|
|
408
384
|
/**
|
|
409
385
|
* Checks if a user has access to a specific scope
|
|
410
386
|
* Access is granted if:
|
|
411
|
-
* 1. User
|
|
412
|
-
* 2. User has
|
|
413
|
-
*
|
|
387
|
+
* 1. User has the exact scope assigned
|
|
388
|
+
* 2. User has access to an ancestor scope (inherited access)
|
|
389
|
+
*
|
|
390
|
+
* Global admin access (hazo_org_global_admin permission) is handled upstream
|
|
391
|
+
* in hazo_get_auth before this function is called.
|
|
414
392
|
*
|
|
415
393
|
* @param adapter - HazoConnect adapter
|
|
416
394
|
* @param user_id - User ID to check
|
|
@@ -430,24 +408,7 @@ export async function check_user_scope_access(
|
|
|
430
408
|
|
|
431
409
|
const user_scopes = user_scopes_result.scopes;
|
|
432
410
|
|
|
433
|
-
// Check 1:
|
|
434
|
-
const has_super_admin = user_scopes.some((scope) =>
|
|
435
|
-
is_super_admin_scope(scope.scope_id),
|
|
436
|
-
);
|
|
437
|
-
|
|
438
|
-
if (has_super_admin) {
|
|
439
|
-
return {
|
|
440
|
-
has_access: true,
|
|
441
|
-
access_via: {
|
|
442
|
-
scope_id: SUPER_ADMIN_SCOPE_ID,
|
|
443
|
-
scope_name: "Super Admin",
|
|
444
|
-
},
|
|
445
|
-
user_scopes,
|
|
446
|
-
is_super_admin: true,
|
|
447
|
-
};
|
|
448
|
-
}
|
|
449
|
-
|
|
450
|
-
// Check 2: Does user have exact scope assigned?
|
|
411
|
+
// Check 1: Does user have exact scope assigned?
|
|
451
412
|
for (const user_scope of user_scopes) {
|
|
452
413
|
if (user_scope.scope_id === target_scope_id) {
|
|
453
414
|
const scope_result = await get_scope_by_id(adapter, target_scope_id);
|
|
@@ -464,7 +425,7 @@ export async function check_user_scope_access(
|
|
|
464
425
|
}
|
|
465
426
|
}
|
|
466
427
|
|
|
467
|
-
// Check
|
|
428
|
+
// Check 2: Does user have access via an ancestor scope?
|
|
468
429
|
const ancestors_result = await get_scope_ancestors(
|
|
469
430
|
adapter,
|
|
470
431
|
target_scope_id,
|
|
@@ -568,18 +529,3 @@ export async function get_user_direct_scopes(
|
|
|
568
529
|
}
|
|
569
530
|
}
|
|
570
531
|
|
|
571
|
-
/**
|
|
572
|
-
* Assigns super admin scope to a user
|
|
573
|
-
*/
|
|
574
|
-
export async function assign_super_admin_scope(
|
|
575
|
-
adapter: HazoConnectAdapter,
|
|
576
|
-
user_id: string,
|
|
577
|
-
role_id: string,
|
|
578
|
-
): Promise<UserScopeResult> {
|
|
579
|
-
return assign_user_scope(adapter, {
|
|
580
|
-
user_id,
|
|
581
|
-
scope_id: SUPER_ADMIN_SCOPE_ID,
|
|
582
|
-
root_scope_id: SUPER_ADMIN_SCOPE_ID,
|
|
583
|
-
role_id,
|
|
584
|
-
});
|
|
585
|
-
}
|
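Review bot: The rewritten doc comment on check_user_scope_access states that global admin access "is handled upstream in hazo_get_auth before this function is called", but the function is exported and nothing in these hunks enforces that ordering. A caller that reaches it directly now gets only the exact-or-ancestor answer for a global admin; that fails closed, which is the safe direction, but the comment should say it as a caller obligation, e.g. `* This function does NOT evaluate hazo_org_global_admin; callers other than hazo_get_auth must check that permission themselves.` With the super-admin short-circuit removed, rows in hazo_user_scopes that still carry the old super-admin scope id stop granting anything, and whether this release ships a migration for them is not visible here and is worth confirming. The function body continues outside the hunks shown.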
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"init_users.d.ts","sourceRoot":"","sources":["../../src/cli/init_users.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"init_users.d.ts","sourceRoot":"","sources":["../../src/cli/init_users.ts"],"names":[],"mappings":"AA0FA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0RrF;AAGD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAmC3C"}
|
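--- a/package/dist/cli/init_users.js
+++ b/package/dist/cli/init_users.js
@@ -5,7 +5,8 @@ import { createCrudService } from "hazo_connect/server";
 import { get_user_management_config } from "../lib/user_management_config.server.js";
 import { get_config_value } from "../lib/config/config_loader.server.js";
 import { create_app_logger } from "../lib/app_logger.js";
-import {
+import { DEFAULT_SYSTEM_SCOPE_ID } from "../lib/services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../lib/constants.js";
 // section: helpers
 /**
 * Prints a summary of what was inserted vs what already existed
@@ -45,22 +46,13 @@ function print_summary(summary) {
 }
 console.log();
 // v5.x: User-Role assignments are now handled via User-Scope assignments (see below)
-// Super admin scope summary
-console.log("Super Admin Scope:");
-if (summary.super_admin_scope.inserted) {
-console.log(` ✓ Inserted: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-}
-if (summary.super_admin_scope.existing) {
-console.log(` ⊙ Already existed: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-}
-console.log();
 // User scope summary
 console.log("User-Scope Assignment:");
 if (summary.user_scope.inserted) {
-console.log(` ✓ Inserted: User assigned to
+console.log(` ✓ Inserted: User assigned to default system scope`);
 }
 if (summary.user_scope.existing) {
-console.log(` ⊙ Already existed: User already in
+console.log(` ⊙ Already existed: User already in default system scope`);
 }
 console.log();
 console.log("=".repeat(60));
@@ -91,10 +83,6 @@ export async function handle_init_users(options = {}) {
 existing: 0,
 },
 // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-super_admin_scope: {
-inserted: false,
-existing: false,
-},
 user_scope: {
 inserted: false,
 existing: false,
@@ -113,7 +101,6 @@ export async function handle_init_users(options = {}) {
 });
 const users_service = createCrudService(hazoConnect, "hazo_users");
 // v5.x: Removed hazo_user_roles - roles are now assigned via hazo_user_scopes
-const scopes_service = createCrudService(hazoConnect, "hazo_scopes");
 // hazo_user_scopes uses composite primary key (user_id, scope_id), no 'id' column
 const user_scopes_service = createCrudService(hazoConnect, "hazo_user_scopes", {
 primaryKeys: ["user_id", "scope_id"],
@@ -247,49 +234,61 @@ export async function handle_init_users(options = {}) {
 const user_id = user.id;
 console.log(`✓ Found user: ${super_user_email} (ID: ${user_id})`);
 console.log();
-//
-
-
-
-
-
-
-
-await scopes_service.insert({
-id: SUPER_ADMIN_SCOPE_ID,
-parent_id: null,
-name: "Super Admin",
-level: "system",
+// 7. Ensure hazo_org_global_admin is in the permission catalog
+const global_admin_perms = await permissions_service.findBy({
+permission_name: GLOBAL_ADMIN_PERMISSION,
+});
+if (!Array.isArray(global_admin_perms) || global_admin_perms.length === 0) {
+await permissions_service.insert({
+permission_name: GLOBAL_ADMIN_PERMISSION,
+description: "Global admin — access to all scopes and operations",
 created_at: now,
 changed_at: now,
 });
-
-
+console.log(`✓ Created permission: ${GLOBAL_ADMIN_PERMISSION}`);
+}
+else {
+console.log(`✓ Permission already exists: ${GLOBAL_ADMIN_PERMISSION}`);
+}
+console.log();
+// 9. Ensure hazo_org_global_admin is assigned to the super user role
+// (The role already has all configured permissions; this ensures the global admin perm is included)
+const perm_row = await permissions_service.findBy({ permission_name: GLOBAL_ADMIN_PERMISSION });
+const perm_id = Array.isArray(perm_row) && perm_row.length > 0 ? perm_row[0].id : null;
+if (perm_id && role_id) {
+const existing_rp = await role_permissions_service.findBy({ role_id, permission_id: perm_id });
+if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+await role_permissions_service.insert({ role_id, permission_id: perm_id });
+console.log(`✓ Assigned ${GLOBAL_ADMIN_PERMISSION} to super user role`);
+}
+else {
+console.log(`✓ Super user role already has ${GLOBAL_ADMIN_PERMISSION}`);
+}
 }
 console.log();
-//
+// 10. Assign user to DEFAULT_SYSTEM_SCOPE_ID (global access comes from the permission, not the scope)
 const existing_user_scopes = await user_scopes_service.findBy({
 user_id,
-scope_id:
+scope_id: DEFAULT_SYSTEM_SCOPE_ID,
 });
 if (Array.isArray(existing_user_scopes) && existing_user_scopes.length > 0) {
 summary.user_scope.existing = true;
-console.log(`✓ User already assigned to
+console.log(`✓ User already assigned to default system scope`);
 }
 else {
 await user_scopes_service.insert({
 user_id,
-scope_id:
-root_scope_id:
+scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
 role_id,
 created_at: now,
 changed_at: now,
 });
 summary.user_scope.inserted = true;
-console.log(`✓ Assigned user to
+console.log(`✓ Assigned user to default system scope`);
 }
 console.log();
-//
+// 11. Print summary
 print_summary(summary);
 logger.info("init_users_completed", {
 filename: "init_users.ts",
@@ -323,15 +322,16 @@ export function show_init_users_help() {
 console.log(`
 hazo_auth init-users
 
-Initialize users, roles,
+Initialize users, roles, and permissions from configuration.
 
 This command reads from hazo_auth_config.ini and:
 1. Creates permissions from [hazo_auth__user_management] application_permission_list_defaults
 2. Creates a 'default_super_user_role' role
 3. Assigns all permissions to the super user role
 4. Finds user by email (from --email parameter or config)
-5.
-6. Assigns the user to the
+5. Ensures the '${GLOBAL_ADMIN_PERMISSION}' permission exists and is assigned to the super user role
+6. Assigns the user to the default system scope (${DEFAULT_SYSTEM_SCOPE_ID})
+Global admin access is granted via the '${GLOBAL_ADMIN_PERMISSION}' permission, not by scope
 (v5.x: Roles are assigned per-scope via hazo_user_scopes table)
 
 Options: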
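Review bot: In handle_init_users the new step 9 does nothing when `perm_id` or `role_id` is falsy, because `if (perm_id && role_id)` has no else branch, so the run still assigns the default system scope and prints the summary even though the super user role never received `GLOBAL_ADMIN_PERMISSION`. This release moves global access from the scope to that permission, so a silent skip leaves the bootstrap admin without global access and gives the operator no signal; add a failing branch such as `else { throw new Error("init-users: could not assign " + GLOBAL_ADMIN_PERMISSION + " to the super user role"); }`, or at minimum a logged warning. The `summary` object also has no entry for this permission or its role link, so `print_summary` cannot report whether it was created. The second `permissions_service.findBy` repeats the lookup from step 7, and the step comments jump from 7 to 9. This is compiled output, so the change belongs in the TypeScript source, and the function body continues outside the hunk.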
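--- a/package/dist/client.d.ts
+++ b/package/dist/client.d.ts
@@ -7,6 +7,6 @@ export { use_hazo_auth, trigger_hazo_auth_refresh } from "./components/layouts/s
 export type { UseHazoAuthOptions, UseHazoAuthResult } from "./components/layouts/shared/hooks/use_hazo_auth";
 export { use_firm_branding, use_current_user_branding } from "./components/layouts/shared/hooks/use_firm_branding.js";
 export type { FirmBranding, UseFirmBrandingOptions, UseFirmBrandingResult } from "./components/layouts/shared/hooks/use_firm_branding";
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 export * from "./components/layouts/shared/utils/validation.js";
 //# sourceMappingURL=client.d.ts.map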
package/dist/client.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAIxG,cAAc,8CAA8C,CAAC"}
|
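--- a/package/dist/client.js
+++ b/package/dist/client.js
@@ -25,7 +25,7 @@ export { use_auth_status, trigger_auth_status_refresh } from "./components/layou
 export { use_hazo_auth, trigger_hazo_auth_refresh } from "./components/layouts/shared/hooks/use_hazo_auth.js";
 export { use_firm_branding, use_current_user_branding } from "./components/layouts/shared/hooks/use_firm_branding.js";
 // section: constant_exports
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 // section: validation_exports
 // Client-side validation utilities
 export * from "./components/layouts/shared/utils/validation.js";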
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,
|
|
1
|
+
{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CA8gBrB"}
|
|
@@ -141,7 +141,7 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
|
|
|
141
141
|
// Order: info items first, then separators, then links
|
|
142
142
|
items.sort((a, b) => {
|
|
143
143
|
// Define type priority: info = 0, separator = 1, link = 2
|
|
144
|
-
const typePriority = { info: 0, separator: 1, link: 2 };
|
|
144
|
+
const typePriority = { info: 0, separator: 1, link: 2, action: 2 };
|
|
145
145
|
const aPriority = typePriority[a.type];
|
|
146
146
|
const bPriority = typePriority[b.type];
|
|
147
147
|
if (aPriority !== bPriority) {
|
|
@@ -195,6 +195,9 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
|
|
|
195
195
|
// Generic link handling
|
|
196
196
|
return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
|
|
197
197
|
}
|
|
198
|
+
if (item.type === "action") {
|
|
199
|
+
return (_jsx(DropdownMenuItem, { onClick: item.onSelect, className: "cls_profile_pic_menu_action cursor-pointer", children: item.label }, item.id));
|
|
200
|
+
}
|
|
198
201
|
return null;
|
|
199
202
|
}), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }) })] }));
|
|
200
203
|
}
|
|
@@ -219,6 +222,9 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
|
|
|
219
222
|
// Generic link handling
|
|
220
223
|
return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
|
|
221
224
|
}
|
|
225
|
+
if (item.type === "action") {
|
|
226
|
+
return (_jsx(DropdownMenuItem, { onClick: item.onSelect, className: "cls_profile_pic_menu_action cursor-pointer", children: item.label }, item.id));
|
|
227
|
+
}
|
|
222
228
|
return null;
|
|
223
229
|
}), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }));
|
|
224
230
|
}
|
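Review bot: Both new `action` branches pass `item.onSelect` straight to `onClick` without checking that it is defined, so an action item configured without a handler renders as a clickable entry that does nothing. The item shape is not visible in these hunks; if `onSelect` is optional there, guard the branch, e.g. `if (item.type === "action" && typeof item.onSelect === "function") {`. The same three lines are added twice (new lines 198 and 225), which suggests the two render paths should share one item renderer in the source component. ProfilePicMenu continues outside the hunks shown.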
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import * as React from "react";
|
|
2
2
|
import { type VariantProps } from "class-variance-authority";
|
|
3
3
|
declare const buttonVariants: (props?: ({
|
|
4
|
-
variant?: "default" | "destructive" | "outline" | "secondary" | "ghost" |
|
|
4
|
+
variant?: "link" | "default" | "destructive" | "outline" | "secondary" | "ghost" | null | undefined;
|
|
5
5
|
size?: "default" | "sm" | "lg" | "icon" | null | undefined;
|
|
6
6
|
} & import("class-variance-authority/types").ClassProp) | undefined) => string;
|
|
7
7
|
export interface ButtonProps extends React.ButtonHTMLAttributes<HTMLButtonElement>, VariantProps<typeof buttonVariants> {
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import * as React from "react";
|
|
2
|
-
declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "
|
|
2
|
+
declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "onChange" | "value" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
|
|
3
3
|
value?: string;
|
|
4
4
|
onChange?: (newValue: string) => unknown;
|
|
5
5
|
maxLength: number;
|
|
@@ -12,7 +12,7 @@ declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHT
|
|
|
12
12
|
} & {
|
|
13
13
|
render: (props: import("input-otp").RenderProps) => React.ReactNode;
|
|
14
14
|
children?: never;
|
|
15
|
-
} & React.RefAttributes<HTMLInputElement>, "ref"> | Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "
|
|
15
|
+
} & React.RefAttributes<HTMLInputElement>, "ref"> | Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "onChange" | "value" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
|
|
16
16
|
value?: string;
|
|
17
17
|
onChange?: (newValue: string) => unknown;
|
|
18
18
|
maxLength: number;
|
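--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -5,5 +5,5 @@ export type { HazoAuthUser, HazoAuthResult, HazoAuthError, HazoAuthOptions, Scop
 export { AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError, } from "./lib/auth/auth_types.js";
 export type { LegalDoc, LegalAcceptanceRecord, LegalAcceptanceMap } from './lib/legal/legal_docs_types';
 export { cn, merge_class_names } from "./lib/utils.js";
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 //# sourceMappingURL=index.d.ts.map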
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,QAAQ,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,QAAQ,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}
|
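--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -13,4 +13,4 @@ export { AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedErr
 // section: utility_exports (client-safe)
 export { cn, merge_class_names } from "./lib/utils.js";
 // section: constant_exports
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";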
|
@@ -18,7 +18,6 @@ export type HazoAuthUser = {
|
|
|
18
18
|
export type ScopeAccessInfo = {
|
|
19
19
|
scope_id: string;
|
|
20
20
|
scope_name?: string;
|
|
21
|
-
is_super_admin?: boolean;
|
|
22
21
|
};
|
|
23
22
|
/**
|
|
24
23
|
* Result type for hazo_get_auth function
|
|
@@ -114,7 +113,6 @@ export type TenantOrganization = {
|
|
|
114
113
|
slug: string | null;
|
|
115
114
|
level: string;
|
|
116
115
|
role_id: string;
|
|
117
|
-
is_super_admin: boolean;
|
|
118
116
|
branding?: {
|
|
119
117
|
logo_url: string | null;
|
|
120
118
|
primary_color: string | null;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAE9C,gBAAgB,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAC7C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAE9C,gBAAgB,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAC7C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;IAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJ7C,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA,EAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;gBAD7D,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAKvE;AAID;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAA
K,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAEhB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,CAAC;CACH,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,eAAe,GAAG;IAChD;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GACxB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACxC,0EAA0E;IAC1E,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,YAAY,EAAE,IAAI,CAAC;IACnB,0EAA0E;IAC1E,eAAe,EAAE,IAAI,CAAC;IACtB,WAAW,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,gBAAgB,GAAG;IACxD,aAAa,EAAE,IAAI,CAAC;IACpB,YAAY,EAAE,kBAAkB,CAAC;CAClC,CAAC;AAIF;;;GAGG;AACH,qBAAa,aAAc,SAAQ,KAAK;aAGpB,IAAI,EAAE,MAAM;aACZ,WAAW,EAAE,MAAM;gBAFnC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM;CAKtC;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,aAAa;gBAChD,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;aAGlC,WAAW,EAAE,YAAY,EAAE;gBAD3C,OAAO,GAAE,MAAkC,EAC3B,WAAW,GAAE,YAAY,EAAO;CAKnD;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,aAAa;aAEtC,QAAQ,EAAE,MAAM;aAChB,WAAW,EAAE,YAAY,EAAE;gBAD3B,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,YAAY,EAAO;CAKnD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM1C,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAGhB,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM1C,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAGhB,MAAM,cAAc,CAAC;AAgEtB;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAU1D;AA4SD;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CA+NzB"}
|
|
@@ -16,6 +16,7 @@ import { is_hrbac_enabled, get_scope_hierarchy_config } from "../scope_hierarchy
|
|
|
16
16
|
import { check_user_scope_access, get_user_scopes, } from "../services/user_scope_service.js";
|
|
17
17
|
import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
|
|
18
18
|
import { get_app_permission_descriptions } from "../app_permissions_config.server.js";
|
|
19
|
+
import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
|
|
19
20
|
// section: helpers
|
|
20
21
|
/**
|
|
21
22
|
* Parse JSON string to object, returning null on failure
|
|
@@ -287,7 +288,6 @@ async function check_scope_access_internal(user_id, scope_id) {
|
|
|
287
288
|
scope_access_via: {
|
|
288
289
|
scope_id: result.access_via.scope_id,
|
|
289
290
|
scope_name: result.access_via.scope_name,
|
|
290
|
-
is_super_admin: result.is_super_admin,
|
|
291
291
|
},
|
|
292
292
|
user_scopes,
|
|
293
293
|
};
|
|
@@ -445,25 +445,33 @@ export async function hazo_get_auth(request, options) {
|
|
|
445
445
|
let scope_access_via;
|
|
446
446
|
const hrbac_enabled = is_hrbac_enabled();
|
|
447
447
|
if (hrbac_enabled && (options === null || options === void 0 ? void 0 : options.scope_id)) {
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
const client_ip = get_client_ip(request);
|
|
454
|
-
logger.warn("auth_utility_scope_access_denied", {
|
|
455
|
-
filename: get_filename(),
|
|
456
|
-
line_number: get_line_number(),
|
|
457
|
-
user_id: user.id,
|
|
458
|
-
scope_id: options.scope_id,
|
|
459
|
-
user_scopes: scope_result.user_scopes,
|
|
460
|
-
ip: client_ip,
|
|
461
|
-
correlation_id: getCorrelationId(),
|
|
462
|
-
});
|
|
448
|
+
// Global admin permission grants access to all scopes
|
|
449
|
+
const has_global_admin = permissions.includes(GLOBAL_ADMIN_PERMISSION);
|
|
450
|
+
if (has_global_admin) {
|
|
451
|
+
scope_ok = true;
|
|
452
|
+
scope_access_via = { scope_id: options.scope_id };
|
|
463
453
|
}
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
|
|
454
|
+
else {
|
|
455
|
+
const scope_result = await check_scope_access_internal(user.id, options.scope_id);
|
|
456
|
+
scope_ok = scope_result.scope_ok;
|
|
457
|
+
scope_access_via = scope_result.scope_access_via;
|
|
458
|
+
// Log scope denial if permission logging is enabled
|
|
459
|
+
if (!scope_ok && config.log_permission_denials) {
|
|
460
|
+
const client_ip = get_client_ip(request);
|
|
461
|
+
logger.warn("auth_utility_scope_access_denied", {
|
|
462
|
+
filename: get_filename(),
|
|
463
|
+
line_number: get_line_number(),
|
|
464
|
+
user_id: user.id,
|
|
465
|
+
scope_id: options.scope_id,
|
|
466
|
+
user_scopes: scope_result.user_scopes,
|
|
467
|
+
ip: client_ip,
|
|
468
|
+
correlation_id: getCorrelationId(),
|
|
469
|
+
});
|
|
470
|
+
}
|
|
471
|
+
// Throw error if strict mode and scope access denied
|
|
472
|
+
if (!scope_ok && options.strict) {
|
|
473
|
+
throw new ScopeAccessError(options.scope_id, scope_result.user_scopes);
|
|
474
|
+
}
|
|
467
475
|
}
|
|
468
476
|
}
|
|
469
477
|
return {
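Review bot: The `has_global_admin` branch (new lines 449-453) sets `scope_ok = true` and `scope_access_via = { scope_id: options.scope_id }` without calling `check_scope_access_internal`, so the requested `scope_id` is never checked against an existing scope and the grant leaves no log entry. The denial path below it emits `auth_utility_scope_access_denied`, but a cross-scope grant through the most privileged permission is the event an auditor would most want recorded. I would add a matching entry inside the branch, for example `logger.info("auth_utility_scope_access_global_admin", { user_id: user.id, scope_id: options.scope_id, ip: get_client_ip(request), correlation_id: getCorrelationId() });`, assuming the logger exposes an info level; the event name is a suggestion. Because the bypass keys on a plain permission string, it is also worth confirming that only a trusted path can attach `GLOBAL_ADMIN_PERMISSION` to a role. `hazo_get_auth` starts and ends outside this hunk, so how `permissions` is populated is not visible here.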
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAQ1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AA8BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAwF3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}
|
|
@@ -4,6 +4,7 @@ import "server-only";
|
|
|
4
4
|
import { hazo_get_auth } from "./hazo_get_auth.server.js";
|
|
5
5
|
import { get_auth_cache } from "./auth_cache.js";
|
|
6
6
|
import { get_scope_by_id } from "../services/scope_service.js";
|
|
7
|
+
import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
|
|
7
8
|
import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
|
|
8
9
|
import { get_cookie_name } from "../cookies_config.server.js";
|
|
9
10
|
import { get_auth_utility_config } from "../auth_utility_config.server.js";
|
|
@@ -39,19 +40,17 @@ export function extract_scope_id_from_request(request, options) {
|
|
|
39
40
|
return cookie_value;
|
|
40
41
|
}
|
|
41
42
|
/**
|
|
42
|
-
* Builds TenantOrganization from scope details
|
|
43
|
+
* Builds TenantOrganization from scope details
|
|
43
44
|
* @param scope_details - Full scope details from cache
|
|
44
|
-
* @param is_super_admin - Whether user is accessing as super admin
|
|
45
45
|
* @returns TenantOrganization object
|
|
46
46
|
*/
|
|
47
|
-
function build_tenant_organization(scope_details
|
|
47
|
+
function build_tenant_organization(scope_details) {
|
|
48
48
|
return {
|
|
49
49
|
id: scope_details.id,
|
|
50
50
|
name: scope_details.name,
|
|
51
51
|
slug: scope_details.slug,
|
|
52
52
|
level: scope_details.level,
|
|
53
53
|
role_id: scope_details.role_id,
|
|
54
|
-
is_super_admin,
|
|
55
54
|
branding: scope_details.logo_url || scope_details.primary_color
|
|
56
55
|
? {
|
|
57
56
|
logo_url: scope_details.logo_url,
|
|
@@ -113,13 +112,15 @@ export async function hazo_get_tenant_auth(request, options = {}) {
|
|
|
113
112
|
// Build organization info if scope access was successful
|
|
114
113
|
let organization = null;
|
|
115
114
|
if (scope_id && auth_result.scope_ok && auth_result.scope_access_via) {
|
|
116
|
-
//
|
|
115
|
+
// Try to find the scope in user's cached scope assignments first.
|
|
116
|
+
// For global admins the scope may not be in their cache (they can access any scope),
|
|
117
|
+
// in which case we fall through to the permission-based fetch below.
|
|
117
118
|
const access_scope = user_scopes.find((s) => { var _a; return s.id === ((_a = auth_result.scope_access_via) === null || _a === void 0 ? void 0 : _a.scope_id); });
|
|
118
119
|
if (access_scope) {
|
|
119
|
-
organization = build_tenant_organization(access_scope
|
|
120
|
+
organization = build_tenant_organization(access_scope);
|
|
120
121
|
}
|
|
121
|
-
else if (auth_result.
|
|
122
|
-
//
|
|
122
|
+
else if (auth_result.permissions.includes(GLOBAL_ADMIN_PERMISSION)) {
|
|
123
|
+
// Global admin accessing a scope they aren't directly assigned to — fetch scope details
|
|
123
124
|
const hazoConnect = get_hazo_connect_instance();
|
|
124
125
|
const scope_result = await get_scope_by_id(hazoConnect, scope_id);
|
|
125
126
|
if (scope_result.success && scope_result.scope) {
|
|
@@ -128,8 +129,7 @@ export async function hazo_get_tenant_auth(request, options = {}) {
|
|
|
128
129
|
name: scope_result.scope.name,
|
|
129
130
|
slug: null, // Could fetch from scope if slug column exists
|
|
130
131
|
level: scope_result.scope.level,
|
|
131
|
-
role_id: "", //
|
|
132
|
-
is_super_admin: true,
|
|
132
|
+
role_id: "", // Global admin doesn't have a role assignment in the scope
|
|
133
133
|
branding: scope_result.scope.logo_url
|
|
134
134
|
? {
|
|
135
135
|
logo_url: scope_result.scope.logo_url,
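Review bot: In the global-admin fallback of `hazo_get_tenant_auth` (new lines 122-132) the organization is returned with `role_id: ""`, and with `is_super_admin` removed no field on the object marks it as elevated access rather than a direct assignment. A caller that keys authorization or display logic on `organization.role_id` may treat the empty string as a real role id. I would document the sentinel where it is set, e.g. `role_id: "", // sentinel: global-admin access, no role in this scope; check permissions, not role_id`, and repeat that in the `TenantOrganization` type's doc comment. The `permissions.includes(GLOBAL_ADMIN_PERMISSION)` test repeats the one in `hazo_get_auth`, so the two must stay in step. The branch taken when `get_scope_by_id` fails lies outside the hunk; if `organization` stays `null` there while `scope_ok` is true, that case deserves a comment as well.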
|
package/dist/lib/constants.d.ts
CHANGED
|
@@ -8,4 +8,5 @@ export declare const HAZO_AUTH_PERMISSIONS: {
|
|
|
8
8
|
readonly ADMIN_TEST_ACCESS: "admin_test_access";
|
|
9
9
|
};
|
|
10
10
|
export declare const ALL_ADMIN_PERMISSIONS: string[];
|
|
11
|
+
export declare const GLOBAL_ADMIN_PERMISSION = "hazo_org_global_admin";
|
|
11
12
|
//# sourceMappingURL=constants.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/lib/constants.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,qBAAqB;;;;;;;;CAQxB,CAAC;AAEX,eAAO,MAAM,qBAAqB,EAAE,MAAM,EAAyC,CAAC"}
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/lib/constants.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,qBAAqB;;;;;;;;CAQxB,CAAC;AAEX,eAAO,MAAM,qBAAqB,EAAE,MAAM,EAAyC,CAAC;AAEpF,eAAO,MAAM,uBAAuB,0BAA0B,CAAC"}
|
package/dist/lib/constants.js
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
import "server-only";
|
|
2
|
-
export type MenuItemType = "info" | "link" | "separator";
|
|
2
|
+
export type MenuItemType = "info" | "link" | "separator" | "action";
|
|
3
3
|
export type ProfilePicMenuMenuItem = {
|
|
4
4
|
type: MenuItemType;
|
|
5
5
|
label?: string;
|
|
6
6
|
value?: string;
|
|
7
7
|
href?: string;
|
|
8
|
+
onSelect?: () => void;
|
|
8
9
|
order: number;
|
|
9
10
|
id: string;
|
|
10
11
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"profile_pic_menu_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/profile_pic_menu_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAQrB,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"profile_pic_menu_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/profile_pic_menu_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAQrB,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,sBAAsB,EAAE,CAAC;CAC7C,CAAC;AA4EF;;;;GAIG;AACH,wBAAgB,2BAA2B,IAAI,oBAAoB,CA4BlE"}
|
|
@@ -20,7 +20,7 @@ function parse_custom_menu_items(items_string) {
|
|
|
20
20
|
}
|
|
21
21
|
const type = parts[0];
|
|
22
22
|
if (type !== "info" && type !== "link" && type !== "separator") {
|
|
23
|
-
return; // Invalid type,
|
|
23
|
+
return; // Invalid type or action (action items carry callbacks, not expressible in INI)
|
|
24
24
|
}
|
|
25
25
|
if (type === "separator") {
|
|
26
26
|
const order = parseInt(parts[1] || "1", 10);
|