WIP - permissions

backend/prisma/schema.prisma

@@ -24,8 +24,10 @@ model User {
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 
-  userRoles UserRole[]
-  accounts  Account[]
+  userRoles      UserRole[]
+  accounts       Account[]
+  sharesGranted  RecordShare[] @relation("GrantedShares")
+  sharesReceived RecordShare[] @relation("ReceivedShares")
 
   @@map("users")
 }
@@ -41,6 +43,7 @@ model Role {
 
   userRoles       UserRole[]
   rolePermissions RolePermission[]
+  roleRules       RoleRule[]
 
   @@unique([name, guardName])
   @@map("roles")
@@ -90,20 +93,42 @@ model RolePermission {
   @@map("role_permissions")
 }
 
+// CASL Rules for Roles
+model RoleRule {
+  id        String   @id @default(uuid())
+  roleId    String
+  rulesJson Json     @map("rules_json")
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  role Role @relation(fields: [roleId], references: [id], onDelete: Cascade)
+
+  @@index([roleId])
+  @@map("role_rules")
+}
+
 // Object Definition (Metadata)
 model ObjectDefinition {
-  id          String   @id @default(uuid())
-  apiName     String   @unique
-  label       String
-  pluralLabel String?
-  description String?  @db.Text
-  isSystem    Boolean  @default(false)
-  isCustom    Boolean  @default(true)
-  createdAt   DateTime @default(now()) @map("created_at")
-  updatedAt   DateTime @updatedAt @map("updated_at")
+  id           String   @id @default(uuid())
+  apiName      String   @unique
+  label        String
+  pluralLabel  String?
+  description  String?  @db.Text
+  isSystem     Boolean  @default(false)
+  isCustom     Boolean  @default(true)
+  // Authorization fields
+  accessModel  String   @default("owner") // 'public' | 'owner' | 'mixed'
+  publicRead   Boolean  @default(false)
+  publicCreate Boolean  @default(false)
+  publicUpdate Boolean  @default(false)
+  publicDelete Boolean  @default(false)
+  ownerField   String   @default("ownerId")
+  createdAt    DateTime @default(now()) @map("created_at")
+  updatedAt    DateTime @updatedAt @map("updated_at")
 
-  fields FieldDefinition[]
-  pages  AppPage[]
+  fields       FieldDefinition[]
+  pages        AppPage[]
+  recordShares RecordShare[]
 
   @@map("object_definitions")
 }
@@ -126,6 +151,9 @@ model FieldDefinition {
   isCustom             Boolean  @default(true)
   displayOrder         Int      @default(0)
   uiMetadata           Json?    @map("ui_metadata")
+  // Field-level permissions
+  defaultReadable      Boolean  @default(true)
+  defaultWritable      Boolean  @default(true)
   createdAt            DateTime @default(now()) @map("created_at")
   updatedAt            DateTime @updatedAt @map("updated_at")
 
@@ -136,6 +164,29 @@ model FieldDefinition {
   @@map("field_definitions")
 }
 
+// Polymorphic per-record sharing
+model RecordShare {
+  id                String    @id @default(uuid())
+  objectDefinitionId String
+  recordId          String
+  granteeUserId     String
+  grantedByUserId   String
+  actions           Json      // Array like ["read"], ["read","update"]
+  fields            Json?     // Optional field scoping
+  expiresAt         DateTime? @map("expires_at")
+  revokedAt         DateTime? @map("revoked_at")
+  createdAt         DateTime  @default(now()) @map("created_at")
+
+  objectDefinition ObjectDefinition @relation(fields: [objectDefinitionId], references: [id], onDelete: Cascade)
+  granteeUser      User             @relation("ReceivedShares", fields: [granteeUserId], references: [id], onDelete: Cascade)
+  grantedByUser    User             @relation("GrantedShares", fields: [grantedByUserId], references: [id], onDelete: Cascade)
+
+  @@unique([objectDefinitionId, recordId, granteeUserId])
+  @@index([granteeUserId, objectDefinitionId])
+  @@index([objectDefinitionId, recordId])
+  @@map("record_shares")
+}
+
 // Example static object: Account
 model Account {
   id        String   @id @default(uuid())