mnfst 0.5.142 → 0.5.144

package/lib/manifest.appwrite.auth.js

@@ -5382,14 +5382,9 @@ function initializeTeamsConvenience() {
                     const allRoles = this.allTeamRoles({ $id: teamId });
                     const permissions = allRoles && allRoles[roleName] ? [...allRoles[roleName]] : [];
 
-                    // Ensure allAvailablePermissions is populated (for dropdown)
-                    if (!this.allAvailablePermissions || this.allAvailablePermissions.length === 0) {
-                        if (this.getAllAvailablePermissions) {
-                            await this.getAllAvailablePermissions(teamId);
-                        }
-                    }
-
-                    // Set editing state
+                    // Set editing state SYNCHRONOUSLY — before the async dropdown fetch
+                    // below — so a caller that mutates editingRole.permissions immediately
+                    // after this isn't racing (and getting overwritten by) that fetch.
                     this.editingRole = {
                         teamId: teamId,
                         oldRoleName: roleName,
@@ -5397,10 +5392,46 @@ function initializeTeamsConvenience() {
                         permissions: permissions
                     };
 
+                    // Ensure allAvailablePermissions is populated (for dropdown)
+                    if (!this.allAvailablePermissions || this.allAvailablePermissions.length === 0) {
+                        if (this.getAllAvailablePermissions) {
+                            await this.getAllAvailablePermissions(teamId);
+                        }
+                    }
+
                     // Don't modify newRolePermissions when editing existing roles - that's only for new role creation
                     // The UI will use editingRole.permissions or pendingPermissions for existing roles
                 };
 
+                // Reactive-safe role-permission write. Takes a plain array and persists
+                // straight to team prefs via updateUserRole — WITHOUT going through the
+                // reactive editingRole object. Use this for programmatic edits; mutating
+                // $auth.editingRole.permissions directly is fragile under Alpine (the
+                // $auth proxy wraps the already-reactive editingRole and can recurse on
+                // get). updateUserRole refreshes the role cache, so allTeamRoles() re-reads.
+                store.updateRolePermissions = async function (teamId, roleName, permissions) {
+                    if (!this.updateUserRole) {
+                        return { success: false, error: 'Roles module not ready' };
+                    }
+                    const plain = Array.isArray(permissions)
+                        ? permissions.filter(p => p && typeof p === 'string')
+                        : [];
+                    return await this.updateUserRole(teamId, roleName, plain);
+                };
+
+                // Safely set the permissions on the in-progress edit (replaces editingRole
+                // with a fresh object holding a plain array, rather than mutating the
+                // reactive nested array). Pair with saveEditingRole().
+                store.setEditingPermissions = function (permissions) {
+                    if (!this.editingRole) {
+                        return;
+                    }
+                    const plain = Array.isArray(permissions)
+                        ? permissions.filter(p => p && typeof p === 'string')
+                        : [];
+                    this.editingRole = { ...this.editingRole, permissions: plain };
+                };
+
                 store.cancelEditingRole = function () {
                     this.editingRole = null;
                     this.newRolePermissions = [];
@@ -5494,29 +5525,43 @@ function initializeTeamsConvenience() {
                     return userRoles.includes('owner');
                 };
 
-                // Synchronous version for Alpine.js bindings (uses permission cache)
+                // Synchronous version for Alpine.js bindings (x-show / :disabled).
+                // Resolves from the cached role definitions (allTeamRoles) so it matches
+                // the async hasTeamPermission() — including custom permission keys, not
+                // just the six built-ins the permission cache pre-computes.
                 store.hasTeamPermissionSync = function (permission) {
                     if (!this.currentTeam || !this.currentTeamMemberships || !this.user) {
                         return false;
                     }
 
-                    // Use cached permissions if available (updated by updatePermissionCache)
-                    if (this._permissionCache && typeof this._permissionCache[permission] === 'boolean') {
-                        return this._permissionCache[permission];
+                    const userRoles = this.getCurrentTeamRoles();
+                    if (!Array.isArray(userRoles)) {
+                        return false;
+                    }
+
+                    // The merged config + user-generated role map for the current team
+                    // (same map the async path resolves against), available synchronously.
+                    const allRoles = (this.allTeamRoles && this.allTeamRoles(this.currentTeam)) || {};
+
+                    // No custom roles defined → owner has every permission.
+                    if (!allRoles || Object.keys(allRoles).length === 0) {
+                        return userRoles.includes('owner');
                     }
 
-                    // Fallback: check if user has no custom roles (should have all permissions)
-                    // This matches the logic in hasPermission: if customRoles.length === 0, return true
-                    const userRoles = this.getCurrentTeamRoles();
+                    // User holds no custom role (only "owner" / empty) → all permissions.
                     const customRoles = userRoles.filter(role => role !== 'owner');
-
-                    // If user has no custom roles (only "owner" or empty), grant all permissions
-                    // This handles users with "No Role" who should have all owner permissions
                     if (customRoles.length === 0) {
                         return true;
                     }
 
-                    // If user has custom roles but cache is missing, return false (shouldn't happen if cache is working)
+                    // Granted if any of the user's custom roles includes this permission
+                    // (built-in or custom key).
+                    for (const roleName of customRoles) {
+                        const rolePermissions = allRoles[roleName];
+                        if (Array.isArray(rolePermissions) && rolePermissions.includes(permission)) {
+                            return true;
+                        }
+                    }
                     return false;
                 };
 

package/lib/manifest.integrity.json

@@ -1,5 +1,5 @@
 {
-  "manifest.appwrite.auth.js": "sha384-csLm/3JlkttPwGqBckmHytoiYWDSVheBwg/7G8dN2S8ebEhAHAG95W2qDPIGiHYO",
+  "manifest.appwrite.auth.js": "sha384-/IbcczrhhYWlsQFvFmHkulV1JPIBBFvMH513PwsnJo+D0F+YKhGJ1ig/UmJbGSe/",
   "manifest.appwrite.data.js": "sha384-00ulLT+GAIuPHA/rRT9p98vYlsyDzkyKXtg86BDQ6FGQa5vVVN+W6kuforniBAsz",
   "manifest.appwrite.presence.js": "sha384-uxRpx9/Jj0kGtklH5QmUlAzD3zdSvFRfK6bcJQqxl+Bsf5tOo4zgwqJTQgtZoHQP",
   "manifest.charts.js": "sha384-RuV7gWXt3s+JegxWgDieR/P5U99sbOYWiYHdJGe2uCJjDFU1cPp0mJ1QT55ec9uz",

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mnfst",
-    "version": "0.5.142",
+    "version": "0.5.144",
     "private": false,
     "workspaces": [
         "templates/starter",