test(api): cover shared resource access rules

2026-03-31 22:38:02 +02:00
parent 6d4de85660
commit f3f7bb312b
4 changed files with 635 additions and 1 deletions
@@ -0,0 +1,62 @@
+import { TRPCError } from "@trpc/server";
+import {
+  PermissionKey,
+  SystemRole,
+  resolvePermissions,
+  type PermissionOverrides,
+} from "@capakraken/shared";
+import type { TRPCContext } from "../trpc.js";
+
+export type ResourceReadContext = Pick<TRPCContext, "db" | "dbUser" | "roleDefaults">;
+
+export function resolveResourcePermissions(ctx: Pick<TRPCContext, "dbUser" | "roleDefaults">): Set<PermissionKey> {
+  if (!ctx.dbUser) {
+    return new Set();
+  }
+
+  return resolvePermissions(
+    ctx.dbUser.systemRole as SystemRole,
+    ctx.dbUser.permissionOverrides as PermissionOverrides | null,
+    ctx.roleDefaults ?? undefined,
+  );
+}
+
+export function canReadAllResources(ctx: Pick<TRPCContext, "dbUser" | "roleDefaults">): boolean {
+  const permissions = resolveResourcePermissions(ctx);
+  return permissions.has(PermissionKey.VIEW_ALL_RESOURCES) || permissions.has(PermissionKey.MANAGE_RESOURCES);
+}
+
+export async function findOwnedResourceId(ctx: ResourceReadContext): Promise<string | null> {
+  if (!ctx.dbUser?.id) {
+    return null;
+  }
+
+  if (!ctx.db.resource || typeof ctx.db.resource.findFirst !== "function") {
+    return null;
+  }
+
+  const resource = await ctx.db.resource.findFirst({
+    where: { userId: ctx.dbUser.id },
+    select: { id: true },
+  });
+
+  return resource?.id ?? null;
+}
+
+export async function assertCanReadResource(
+  ctx: ResourceReadContext,
+  resourceId: string,
+  message = "You can only view your own resource data",
+): Promise<void> {
+  if (canReadAllResources(ctx)) {
+    return;
+  }
+
+  const ownedResourceId = await findOwnedResourceId(ctx);
+  if (!ownedResourceId || ownedResourceId !== resourceId) {
+    throw new TRPCError({
+      code: "FORBIDDEN",
+      message,
+    });
+  }
+}