63 lines
1.7 KiB
TypeScript
63 lines
1.7 KiB
TypeScript
import { TRPCError } from "@trpc/server";
|
|
import {
|
|
PermissionKey,
|
|
SystemRole,
|
|
resolvePermissions,
|
|
type PermissionOverrides,
|
|
} from "@capakraken/shared";
|
|
import type { TRPCContext } from "../trpc.js";
|
|
|
|
export type ResourceReadContext = Pick<TRPCContext, "db" | "dbUser" | "roleDefaults">;
|
|
|
|
export function resolveResourcePermissions(ctx: Pick<TRPCContext, "dbUser" | "roleDefaults">): Set<PermissionKey> {
|
|
if (!ctx.dbUser) {
|
|
return new Set();
|
|
}
|
|
|
|
return resolvePermissions(
|
|
ctx.dbUser.systemRole as SystemRole,
|
|
ctx.dbUser.permissionOverrides as PermissionOverrides | null,
|
|
ctx.roleDefaults ?? undefined,
|
|
);
|
|
}
|
|
|
|
export function canReadAllResources(ctx: Pick<TRPCContext, "dbUser" | "roleDefaults">): boolean {
|
|
const permissions = resolveResourcePermissions(ctx);
|
|
return permissions.has(PermissionKey.VIEW_ALL_RESOURCES) || permissions.has(PermissionKey.MANAGE_RESOURCES);
|
|
}
|
|
|
|
export async function findOwnedResourceId(ctx: ResourceReadContext): Promise<string | null> {
|
|
if (!ctx.dbUser?.id) {
|
|
return null;
|
|
}
|
|
|
|
if (!ctx.db.resource || typeof ctx.db.resource.findFirst !== "function") {
|
|
return null;
|
|
}
|
|
|
|
const resource = await ctx.db.resource.findFirst({
|
|
where: { userId: ctx.dbUser.id },
|
|
select: { id: true },
|
|
});
|
|
|
|
return resource?.id ?? null;
|
|
}
|
|
|
|
export async function assertCanReadResource(
|
|
ctx: ResourceReadContext,
|
|
resourceId: string,
|
|
message = "You can only view your own resource data",
|
|
): Promise<void> {
|
|
if (canReadAllResources(ctx)) {
|
|
return;
|
|
}
|
|
|
|
const ownedResourceId = await findOwnedResourceId(ctx);
|
|
if (!ownedResourceId || ownedResourceId !== resourceId) {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message,
|
|
});
|
|
}
|
|
}
|