npm - snipe-auth-rbac - Versions diffs - 0.4.1 → 0.6.0 - Mend

snipe-auth-rbac 0.4.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/admin/index.cjs CHANGED Viewed

@@ -37,6 +37,7 @@ __export(admin_exports, {
   useDeleteRole: () => useDeleteRole,
   useInviteCompanyMember: () => useInviteCompanyMember,
   useRolePermissionGrid: () => useRolePermissionGrid,
+  useRolePermissionOverrides: () => useRolePermissionOverrides,
   useSetRolePermissionCell: () => useSetRolePermissionCell,
   useUpdateRole: () => useUpdateRole
 });
@@ -225,6 +226,32 @@ function createSupabaseAdminClient(opts) {
       }
       return data ?? [];
     },
+    async listRolePermissionOverrides(roleId) {
+      const { data, error } = await rbac.from("role_permission_overrides").select("role_id, resource, action").eq("role_id", roleId);
+      if (error) {
+        if (/role_permission_overrides/i.test(error.message) && /does not exist/i.test(error.message)) {
+          return [];
+        }
+        throw new Error(`listRolePermissionOverrides: ${error.message}`);
+      }
+      return data ?? [];
+    },
+    async setRolePermissionOverride({ role_id, resource, action, suppress }) {
+      if (suppress) {
+        const { error: error2 } = await rbac.from("role_permission_overrides").upsert(
+          { role_id, resource, action },
+          { onConflict: "role_id,resource,action" }
+        );
+        if (error2) {
+          throw new Error(`setRolePermissionOverride(insert): ${error2.message}`);
+        }
+        return;
+      }
+      const { error } = await rbac.from("role_permission_overrides").delete().eq("role_id", role_id).eq("resource", resource).eq("action", action);
+      if (error) {
+        throw new Error(`setRolePermissionOverride(delete): ${error.message}`);
+      }
+    },
     async applyTemplateDefaults({ role_id, only_missing = true }) {
       const { data, error } = await rbac.rpc("apply_template_defaults", {
         p_role_id: role_id,
@@ -408,6 +435,57 @@ function useAdminResourceDependencies() {
     [transport]
   );
 }
+function useRolePermissionOverrides(roleId) {
+  const transport = useAdminTransport();
+  const [overrides, setOverrides] = (0, import_react.useState)(() => /* @__PURE__ */ new Set());
+  const [error, setError] = (0, import_react.useState)(null);
+  const fetchOverrides = (0, import_react.useCallback)(async () => {
+    if (!roleId) {
+      setOverrides(/* @__PURE__ */ new Set());
+      return;
+    }
+    try {
+      const rows = await transport.listRolePermissionOverrides(roleId);
+      setOverrides(new Set(rows.map((r) => `${r.resource}:${r.action}`)));
+      setError(null);
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)));
+    }
+  }, [transport, roleId]);
+  (0, import_react.useEffect)(() => {
+    void fetchOverrides();
+  }, [fetchOverrides]);
+  const setOverride = (0, import_react.useCallback)(
+    async (resource, action, suppress) => {
+      if (!roleId) {
+        return;
+      }
+      const key = `${resource}:${action}`;
+      setOverrides((prev) => {
+        const next = new Set(prev);
+        if (suppress) {
+          next.add(key);
+        } else {
+          next.delete(key);
+        }
+        return next;
+      });
+      try {
+        await transport.setRolePermissionOverride({
+          role_id: roleId,
+          resource,
+          action,
+          suppress
+        });
+      } catch (e) {
+        setError(e instanceof Error ? e : new Error(String(e)));
+      }
+      void fetchOverrides();
+    },
+    [transport, roleId, fetchOverrides]
+  );
+  return { overrides, setOverride, error, refresh: fetchOverrides };
+}
 function useCreateCompany() {
   const transport = useAdminTransport();
   return useMutation(transport.createCompany);
@@ -419,10 +497,9 @@ function useInviteCompanyMember() {
 function useRolePermissionGrid(roleId) {
   const { data, isLoading, error, refresh } = useAdminRolePermissions(roleId);
   const dependencies = useAdminResourceDependencies();
+  const overridesHook = useRolePermissionOverrides(roleId);
   const setCell = useSetRolePermissionCell();
   const transport = useAdminTransport();
-  const [isCascading, setCascading] = (0, import_react.useState)(false);
-  const [cascadeError, setCascadeError] = (0, import_react.useState)(null);
   const grid = (0, import_react.useMemo)(() => {
     const out = {};
     for (const row of data ?? []) {
@@ -435,100 +512,90 @@ function useRolePermissionGrid(roleId) {
     }
     return out;
   }, [data]);
-  const originGrid = (0, import_react.useMemo)(() => {
-    const out = {};
-    for (const row of data ?? []) {
-      out[row.resource] = {
-        read: row.read_granted_via ?? null,
-        write: row.write_granted_via ?? null,
-        update: row.update_granted_via ?? null,
-        delete: row.delete_granted_via ?? null
-      };
-    }
-    return out;
-  }, [data]);
-  const edgesByParent = (0, import_react.useMemo)(() => {
+  const parentsByChild = (0, import_react.useMemo)(() => {
     const map = /* @__PURE__ */ new Map();
     for (const edge of dependencies.data ?? []) {
-      const list = map.get(edge.parent_resource) ?? [];
-      map.set(edge.parent_resource, [
+      const list = map.get(edge.child_resource) ?? [];
+      map.set(edge.child_resource, [
         ...list,
-        { child: edge.child_resource, action: edge.action }
+        { parent: edge.parent_resource, action: edge.action }
       ]);
     }
     return map;
   }, [dependencies.data]);
+  const originGrid = (0, import_react.useMemo)(() => {
+    const out = {};
+    const resources = new Set(Object.keys(grid));
+    for (const child of parentsByChild.keys()) {
+      resources.add(child);
+    }
+    const overrides = overridesHook.overrides;
+    for (const resource of resources) {
+      const directs = grid[resource];
+      const cellOrigins = {
+        read: null,
+        write: null,
+        update: null,
+        delete: null
+      };
+      for (const action of ACTIONS) {
+        if (overrides.has(`${resource}:${action}`)) {
+          cellOrigins[action] = "override";
+          continue;
+        }
+        if (directs?.[action]) {
+          cellOrigins[action] = "direct";
+          continue;
+        }
+        const parents = parentsByChild.get(resource) ?? [];
+        const impliedFrom = parents.find(
+          (p) => p.action === action && grid[p.parent]?.[action] === true
+        );
+        cellOrigins[action] = impliedFrom ? impliedFrom.parent : null;
+      }
+      out[resource] = cellOrigins;
+    }
+    return out;
+  }, [grid, parentsByChild, overridesHook.overrides]);
   const updateCell = (0, import_react.useCallback)(
     async (resource, action, value) => {
       if (!roleId) {
         return;
       }
-      const writes = [
-        { role_id: roleId, resource, action, value, grantedVia: null }
-      ];
-      if (value) {
-        const edges = edgesByParent.get(resource) ?? [];
-        for (const edge of edges) {
-          if (edge.action !== action) {
-            continue;
-          }
-          const childRow = (data ?? []).find((r) => r.resource === edge.child);
-          const childValue = childRow?.[ACTION_FIELD[action]] === true;
-          const childOrigin = childRow?.[ORIGIN_FIELD[action]] ?? null;
-          if (childValue && childOrigin == null) {
-            continue;
-          }
-          writes.push({
-            role_id: roleId,
-            resource: edge.child,
-            action,
-            value: true,
-            grantedVia: resource
-          });
-        }
-      }
-      setCascading(true);
-      setCascadeError(null);
-      try {
-        const [first, ...rest] = writes;
-        if (first && rest.length === 0) {
-          await setCell.mutate(first);
-        } else {
-          await transport.batchSetRolePermissionCells(writes);
-        }
-        void refresh();
-      } catch (e) {
-        setCascadeError(e instanceof Error ? e : new Error(String(e)));
-        throw e;
-      } finally {
-        setCascading(false);
-      }
+      await setCell.mutate({
+        role_id: roleId,
+        resource,
+        action,
+        value,
+        grantedVia: null
+      });
+      void refresh();
     },
-    [roleId, setCell, refresh, edgesByParent, data, transport]
+    [roleId, setCell, refresh]
   );
+  void transport;
   return {
     grid,
     originGrid,
+    parentsByChild,
+    /** 0.6.0+. Set of `"<resource>:<action>"` for this role's overrides. */
+    overrides: overridesHook.overrides,
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role. The grid + originGrid
+     * re-render with `'override'` state on the cell as soon as the
+     * optimistic flip lands.
+     */
+    setOverride: overridesHook.setOverride,
     isLoading: isLoading || dependencies.isLoading,
-    error: error ?? dependencies.error,
+    error: error ?? dependencies.error ?? overridesHook.error,
     refresh,
     updateCell,
-    isUpdating: setCell.isPending || isCascading,
-    updateError: setCell.error ?? cascadeError
+    isUpdating: setCell.isPending,
+    updateError: setCell.error
   };
 }
-var ACTION_FIELD = {
-  read: "can_read",
-  write: "can_write",
-  update: "can_update",
-  delete: "can_delete"
-};
-var ORIGIN_FIELD = {
-  read: "read_granted_via",
-  write: "write_granted_via",
-  update: "update_granted_via",
-  delete: "delete_granted_via"
-};
+var ACTIONS = ["read", "write", "update", "delete"];
 // src/admin/PermissionsMatrix.tsx
 var import_react2 = require("react");
@@ -550,15 +617,27 @@ function groupResources(registry) {
 // src/admin/PermissionsMatrix.tsx
 var import_jsx_runtime2 = require("react/jsx-runtime");
-var ACTIONS = ["read", "write", "update", "delete"];
+var ACTIONS2 = ["read", "write", "update", "delete"];
 function PermissionsMatrix(props) {
-  const { grid, originGrid, isLoading, error, updateCell, isUpdating } = useRolePermissionGrid(props.roleId);
+  const {
+    grid,
+    originGrid,
+    isLoading,
+    error,
+    updateCell,
+    isUpdating,
+    setOverride: gridSetOverride
+  } = useRolePermissionGrid(props.roleId);
   const groups = (0, import_react2.useMemo)(
     () => groupResources(props.resources),
     [props.resources]
   );
   const isCellEnabled = (resource, action) => {
-    return grid[resource]?.[action] ?? false;
+    const origin = originGrid[resource]?.[action];
+    if (origin == null || origin === "override") {
+      return false;
+    }
+    return true;
   };
   const cellOrigin = (resource, action) => {
     const origin = originGrid[resource]?.[action];
@@ -567,15 +646,19 @@ function PermissionsMatrix(props) {
   const setCell = async (resource, action, value) => {
     await updateCell(resource, action, value);
   };
+  const setOverride = async (resource, action, suppress) => {
+    await gridSetOverride(resource, action, suppress);
+  };
   return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_jsx_runtime2.Fragment, { children: props.children({
     groups,
     isCellEnabled,
     cellOrigin,
     setCell,
+    setOverride,
     isLoading,
     isUpdating,
     error,
-    actions: ACTIONS
+    actions: ACTIONS2
   }) });
 }
@@ -717,6 +800,7 @@ function InviteMemberForm(props) {
   useDeleteRole,
   useInviteCompanyMember,
   useRolePermissionGrid,
+  useRolePermissionOverrides,
   useSetRolePermissionCell,
   useUpdateRole
 });