WIP - permissions

backend/src/auth/ability.factory.ts

@@ -0,0 +1,207 @@
+import { Injectable } from '@nestjs/common';
+import { Ability, AbilityBuilder, AbilityClass, ExtractSubjectType, InferSubjects, createMongoAbility } from '@casl/ability';
+import { User } from '../models/user.model';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { FieldDefinition } from '../models/field-definition.model';
+import { RoleRule } from '../models/role-rule.model';
+import { RecordShare } from '../models/record-share.model';
+import { UserRole } from '../models/user-role.model';
+import { Knex } from 'knex';
+
+// Define actions
+export type Action = 'read' | 'create' | 'update' | 'delete' | 'share';
+
+// Define subjects - can be string (object type key) or model class
+export type Subjects = InferSubjects<any> | 'all';
+
+export type AppAbility = Ability<[Action, Subjects]>;
+
+@Injectable()
+export class AbilityFactory {
+  /**
+   * Build CASL Ability for a user
+   * Rules come from 3 layers:
+   * 1. Global object rules (from object_definitions + object_fields)
+   * 2. Role rules (from role_rules)
+   * 3. Share rules (from record_shares for this user)
+   */
+  async buildForUser(user: User, knex: Knex): Promise<AppAbility> {
+    const { can, cannot, build } = new AbilityBuilder<AppAbility>(
+      createMongoAbility as any,
+    );
+
+    // 1. Load global object rules
+    await this.addGlobalRules(user, knex, can, cannot);
+
+    // 2. Load role rules
+    await this.addRoleRules(user, knex, can);
+
+    // 3. Load share rules
+    await this.addShareRules(user, knex, can);
+
+    return build({
+      // Optional: detect subject type from instance
+      detectSubjectType: (item) => {
+        if (typeof item === 'string') return item;
+        return item.constructor?.name || 'unknown';
+      },
+    });
+  }
+
+  /**
+   * Add global rules from object_definitions and object_fields
+   */
+  private async addGlobalRules(
+    user: User,
+    knex: Knex,
+    can: any,
+    cannot: any,
+  ) {
+    const objectDefs = await knex<ObjectDefinition>('object_definitions').select('*');
+
+    for (const objDef of objectDefs) {
+      const subject = objDef.apiName;
+
+      // Handle public access
+      if (objDef.publicRead) {
+        can('read', subject);
+      }
+      if (objDef.publicCreate) {
+        can('create', subject);
+      }
+      if (objDef.publicUpdate) {
+        can('update', subject);
+      }
+      if (objDef.publicDelete) {
+        can('delete', subject);
+      }
+
+      // Handle owner-based access
+      if (objDef.accessModel === 'owner' || objDef.accessModel === 'mixed') {
+        const ownerCondition = { [objDef.ownerField]: user.id };
+        
+        can('read', subject, ownerCondition);
+        can('update', subject, ownerCondition);
+        can('delete', subject, ownerCondition);
+        can('share', subject, ownerCondition); // Owner can share their records
+      }
+
+      // Load field-level permissions for this object
+      const fields = await knex<FieldDefinition>('field_definitions')
+        .where('objectDefinitionId', objDef.id)
+        .select('*');
+
+      // Build field lists
+      const readableFields = fields
+        .filter((f) => f.defaultReadable)
+        .map((f) => f.apiName);
+      const writableFields = fields
+        .filter((f) => f.defaultWritable)
+        .map((f) => f.apiName);
+
+      // Add field-level rules if we have field restrictions
+      if (fields.length > 0) {
+        // For read, limit to readable fields
+        if (readableFields.length > 0) {
+          can('read', subject, readableFields);
+        }
+        // For update/create, limit to writable fields
+        if (writableFields.length > 0) {
+          can(['update', 'create'], subject, writableFields);
+        }
+      }
+    }
+  }
+
+  /**
+   * Add role-based rules from role_rules
+   */
+  private async addRoleRules(user: User, knex: Knex, can: any) {
+    // Get user's roles
+    const userRoles = await knex<UserRole>('user_roles')
+      .where('userId', user.id)
+      .select('roleId');
+
+    if (userRoles.length === 0) return;
+
+    const roleIds = userRoles.map((ur) => ur.roleId);
+
+    // Get all role rules for these roles
+    const roleRules = await knex<RoleRule>('role_rules')
+      .whereIn('roleId', roleIds)
+      .select('*');
+
+    for (const roleRule of roleRules) {
+      // Parse and add each rule from the JSON
+      const rules = roleRule.rulesJson;
+      if (Array.isArray(rules)) {
+        rules.forEach((rule) => {
+          if (rule.inverted) {
+            // Handle "cannot" rules
+            // CASL format: { action, subject, conditions?, fields?, inverted: true }
+            // We'd need to properly parse this - for now, skip inverted rules in factory
+          } else {
+            // Handle "can" rules
+            const { action, subject, conditions, fields } = rule;
+            
+            if (fields && fields.length > 0) {
+              can(action, subject, fields, conditions);
+            } else if (conditions) {
+              can(action, subject, conditions);
+            } else {
+              can(action, subject);
+            }
+          }
+        });
+      }
+    }
+  }
+
+  /**
+   * Add per-record sharing rules from record_shares
+   */
+  private async addShareRules(user: User, knex: Knex, can: any) {
+    const now = new Date();
+
+    // Get all active shares for this user (grantee)
+    const shares = await knex<RecordShare>('record_shares')
+      .where('granteeUserId', user.id)
+      .whereNull('revokedAt')
+      .where(function () {
+        this.whereNull('expiresAt').orWhere('expiresAt', '>', now);
+      })
+      .select('*');
+
+    // Also need to join with object_definitions to get the apiName (subject)
+    const sharesWithObjects = await knex('record_shares')
+      .join('object_definitions', 'record_shares.objectDefinitionId', 'object_definitions.id')
+      .where('record_shares.granteeUserId', user.id)
+      .whereNull('record_shares.revokedAt')
+      .where(function () {
+        this.whereNull('record_shares.expiresAt').orWhere('record_shares.expiresAt', '>', now);
+      })
+      .select(
+        'record_shares.*',
+        'object_definitions.apiName as objectApiName',
+      );
+
+    for (const share of sharesWithObjects) {
+      const subject = share.objectApiName;
+      const actions = Array.isArray(share.actions) ? share.actions : JSON.parse(share.actions);
+      const fields = share.fields ? (Array.isArray(share.fields) ? share.fields : JSON.parse(share.fields)) : null;
+
+      // Create condition: record must match the shared recordId
+      const condition = { id: share.recordId };
+
+      for (const action of actions) {
+        if (fields && fields.length > 0) {
+          // Field-scoped share
+          can(action, subject, fields, condition);
+        } else {
+          // Full record share
+          can(action, subject, condition);
+        }
+      }
+    }
+  }
+}

backend/src/auth/auth.module.ts

@@ -6,6 +6,8 @@ import { AuthService } from './auth.service';
 import { AuthController } from './auth.controller';
 import { JwtStrategy } from './jwt.strategy';
 import { TenantModule } from '../tenant/tenant.module';
+import { AbilityFactory } from './ability.factory';
+import { AbilitiesGuard } from './guards/abilities.guard';
 
 @Module({
   imports: [
@@ -19,8 +21,8 @@ import { TenantModule } from '../tenant/tenant.module';
       }),
     }),
   ],
-  providers: [AuthService, JwtStrategy],
+  providers: [AuthService, JwtStrategy, AbilityFactory, AbilitiesGuard],
   controllers: [AuthController],
-  exports: [AuthService],
+  exports: [AuthService, AbilityFactory, AbilitiesGuard],
 })
 export class AuthModule {}

backend/src/auth/decorators/auth.decorators.ts

@@ -0,0 +1,24 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { AppAbility } from '../ability.factory';
+
+/**
+ * Decorator to inject the current user's ability into a route handler
+ * Usage: @CurrentAbility() ability: AppAbility
+ */
+export const CurrentAbility = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext): AppAbility => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.ability;
+  },
+);
+
+/**
+ * Decorator to inject the current user into a route handler
+ * Usage: @CurrentUser() user: User
+ */
+export const CurrentUser = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user;
+  },
+);

backend/src/auth/decorators/check-ability.decorator.ts

@@ -0,0 +1,10 @@
+import { SetMetadata } from '@nestjs/common';
+import { Action } from '../ability.factory';
+import { CHECK_ABILITY_KEY, RequiredRule } from '../guards/abilities.guard';
+
+/**
+ * Decorator to check abilities
+ * Usage: @CheckAbility({ action: 'read', subject: 'Post' })
+ */
+export const CheckAbility = (...rules: RequiredRule[]) =>
+  SetMetadata(CHECK_ABILITY_KEY, rules);

backend/src/auth/guards/abilities.guard.ts

@@ -0,0 +1,51 @@
+import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Action, AppAbility } from '../ability.factory';
+
+export interface RequiredRule {
+  action: Action;
+  subject: string;
+}
+
+/**
+ * Key for metadata
+ */
+export const CHECK_ABILITY_KEY = 'check_ability';
+
+/**
+ * Guard that checks CASL abilities
+ * Use with @CheckAbility() decorator
+ */
+@Injectable()
+export class AbilitiesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const rules = this.reflector.get<RequiredRule[]>(
+      CHECK_ABILITY_KEY,
+      context.getHandler(),
+    ) || [];
+
+    if (rules.length === 0) {
+      return true; // No rules specified, allow
+    }
+
+    const request = context.switchToHttp().getRequest();
+    const ability: AppAbility = request.ability;
+
+    if (!ability) {
+      throw new ForbiddenException('Ability not found on request');
+    }
+
+    // Check all rules
+    for (const rule of rules) {
+      if (!ability.can(rule.action, rule.subject)) {
+        throw new ForbiddenException(
+          `You don't have permission to ${rule.action} ${rule.subject}`,
+        );
+      }
+    }
+
+    return true;
+  }
+}

backend/src/auth/middleware/ability.middleware.ts

@@ -0,0 +1,24 @@
+import { Injectable, NestMiddleware, Inject } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { AbilityFactory } from '../ability.factory';
+import { Knex } from 'knex';
+
+/**
+ * Middleware to build and attach CASL ability to request
+ * Must run after authentication middleware
+ */
+@Injectable()
+export class AbilityMiddleware implements NestMiddleware {
+  constructor(
+    private readonly abilityFactory: AbilityFactory,
+    @Inject('KnexConnection') private readonly knex: Knex,
+  ) {}
+
+  async use(req: Request & { user?: any; ability?: any }, res: Response, next: NextFunction) {
+    if (req.user) {
+      // Build ability for authenticated user
+      req.ability = await this.abilityFactory.buildForUser(req.user, this.knex);
+    }
+    next();
+  }
+}

backend/src/auth/query-scope.util.ts

@@ -0,0 +1,145 @@
+import { QueryBuilder, Model } from 'objection';
+import { User } from '../models/user.model';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { Knex } from 'knex';
+
+/**
+ * Query scoping utilities for authorization
+ * Apply SQL-level filtering to ensure users only see records they have access to
+ */
+
+export interface AuthScopeOptions {
+  user: User;
+  objectDefinition: ObjectDefinition;
+  action: 'read' | 'update' | 'delete';
+  knex: Knex;
+}
+
+/**
+ * Apply authorization scope to a query builder
+ * This implements the SQL equivalent of the CASL ability checks
+ * 
+ * Rules:
+ * 1. If object is public_{action} => allow all
+ * 2. If object is owner/mixed => allow owned OR shared
+ */
+export function applyAuthScope<M extends Model>(
+  query: QueryBuilder<M, M[]>,
+  options: AuthScopeOptions,
+): QueryBuilder<M, M[]> {
+  const { user, objectDefinition, action, knex } = options;
+
+  // If public access for this action, no restrictions
+  if (
+    (action === 'read' && objectDefinition.publicRead) ||
+    (action === 'update' && objectDefinition.publicUpdate) ||
+    (action === 'delete' && objectDefinition.publicDelete)
+  ) {
+    return query;
+  }
+
+  // Otherwise, apply owner + share logic
+  const ownerField = objectDefinition.ownerField || 'ownerId';
+  const tableName = query.modelClass().tableName;
+
+  return query.where((builder) => {
+    // Owner condition
+    builder.where(`${tableName}.${ownerField}`, user.id);
+
+    // OR shared condition
+    builder.orWhereExists((subquery) => {
+      subquery
+        .from('record_shares')
+        .join('object_definitions', 'record_shares.object_definition_id', 'object_definitions.id')
+        .whereRaw('record_shares.record_id = ??', [`${tableName}.id`])
+        .where('record_shares.grantee_user_id', user.id)
+        .where('object_definitions.id', objectDefinition.id)
+        .whereNull('record_shares.revoked_at')
+        .where(function () {
+          this.whereNull('record_shares.expires_at')
+            .orWhere('record_shares.expires_at', '>', knex.fn.now());
+        })
+        .whereRaw("JSON_CONTAINS(record_shares.actions, ?)", [JSON.stringify(action)]);
+    });
+  });
+}
+
+/**
+ * Apply read scope - most common use case
+ */
+export function applyReadScope<M extends Model>(
+  query: QueryBuilder<M, M[]>,
+  user: User,
+  objectDefinition: ObjectDefinition,
+  knex: Knex,
+): QueryBuilder<M, M[]> {
+  return applyAuthScope(query, { user, objectDefinition, action: 'read', knex });
+}
+
+/**
+ * Apply update scope
+ */
+export function applyUpdateScope<M extends Model>(
+  query: QueryBuilder<M, M[]>,
+  user: User,
+  objectDefinition: ObjectDefinition,
+  knex: Knex,
+): QueryBuilder<M, M[]> {
+  return applyAuthScope(query, { user, objectDefinition, action: 'update', knex });
+}
+
+/**
+ * Apply delete scope
+ */
+export function applyDeleteScope<M extends Model>(
+  query: QueryBuilder<M, M[]>,
+  user: User,
+  objectDefinition: ObjectDefinition,
+  knex: Knex,
+): QueryBuilder<M, M[]> {
+  return applyAuthScope(query, { user, objectDefinition, action: 'delete', knex });
+}
+
+/**
+ * Check if user can access a specific record
+ * This is for single-record operations
+ */
+export async function canAccessRecord(
+  recordId: string,
+  user: User,
+  objectDefinition: ObjectDefinition,
+  action: 'read' | 'update' | 'delete',
+  knex: Knex,
+): Promise<boolean> {
+  // If public access for this action
+  if (
+    (action === 'read' && objectDefinition.publicRead) ||
+    (action === 'update' && objectDefinition.publicUpdate) ||
+    (action === 'delete' && objectDefinition.publicDelete)
+  ) {
+    return true;
+  }
+
+  const ownerField = objectDefinition.ownerField || 'ownerId';
+  
+  // Check if user owns the record (we need the table name, which we can't easily get here)
+  // This function is meant to be used with a fetched record
+  // For now, we'll check shares only
+  
+  // Check if there's a valid share
+  const now = new Date();
+  const share = await knex('record_shares')
+    .where({
+      objectDefinitionId: objectDefinition.id,
+      recordId: recordId,
+      granteeUserId: user.id,
+    })
+    .whereNull('revokedAt')
+    .where(function () {
+      this.whereNull('expiresAt').orWhere('expiresAt', '>', now);
+    })
+    .whereRaw("JSON_CONTAINS(actions, ?)", [JSON.stringify(action)])
+    .first();
+
+  return !!share;
+}

backend/src/migration/custom-migration.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { Knex } from 'knex';
+import type { Knex } from 'knex';
 
 export interface CustomMigrationRecord {
   id: string;

backend/src/models/field-definition.model.ts

@@ -64,6 +64,9 @@ export class FieldDefinition extends BaseModel {
   isCustom!: boolean;
   displayOrder!: number;
   uiMetadata?: UIMetadata;
+  // Field-level permissions
+  defaultReadable!: boolean;
+  defaultWritable!: boolean;
 
   static relationMappings = {
     objectDefinition: {

backend/src/models/object-definition.model.ts

@@ -10,6 +10,13 @@ export class ObjectDefinition extends BaseModel {
   description?: string;
   isSystem: boolean;
   isCustom: boolean;
+  // Authorization fields
+  accessModel: 'public' | 'owner' | 'mixed';
+  publicRead: boolean;
+  publicCreate: boolean;
+  publicUpdate: boolean;
+  publicDelete: boolean;
+  ownerField: string;
   createdAt: Date;
   updatedAt: Date;
 
@@ -25,12 +32,19 @@ export class ObjectDefinition extends BaseModel {
         description: { type: 'string' },
         isSystem: { type: 'boolean' },
         isCustom: { type: 'boolean' },
+        accessModel: { type: 'string', enum: ['public', 'owner', 'mixed'] },
+        publicRead: { type: 'boolean' },
+        publicCreate: { type: 'boolean' },
+        publicUpdate: { type: 'boolean' },
+        publicDelete: { type: 'boolean' },
+        ownerField: { type: 'string' },
       },
     };
   }
 
   static get relationMappings() {
     const { FieldDefinition } = require('./field-definition.model');
+    const { RecordShare } = require('./record-share.model');
 
     return {
       fields: {
@@ -41,6 +55,14 @@ export class ObjectDefinition extends BaseModel {
           to: 'field_definitions.objectDefinitionId',
         },
       },
+      recordShares: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: RecordShare,
+        join: {
+          from: 'object_definitions.id',
+          to: 'record_shares.objectDefinitionId',
+        },
+      },
     };
   }
 }

backend/src/models/record-share.model.ts

@@ -0,0 +1,79 @@
+import { BaseModel } from './base.model';
+
+export class RecordShare extends BaseModel {
+  static tableName = 'record_shares';
+
+  id!: string;
+  objectDefinitionId!: string;
+  recordId!: string;
+  granteeUserId!: string;
+  grantedByUserId!: string;
+  actions!: any; // JSON field - will be string[] when parsed
+  fields?: any; // JSON field - will be string[] when parsed
+  expiresAt?: Date;
+  revokedAt?: Date;
+  createdAt!: Date;
+
+  static get jsonSchema() {
+    return {
+      type: 'object',
+      required: ['objectDefinitionId', 'recordId', 'granteeUserId', 'grantedByUserId', 'actions'],
+      properties: {
+        id: { type: 'string' },
+        objectDefinitionId: { type: 'string' },
+        recordId: { type: 'string' },
+        granteeUserId: { type: 'string' },
+        grantedByUserId: { type: 'string' },
+        actions: { 
+          type: 'array',
+          items: { type: 'string' },
+        },
+        fields: { 
+          type: ['array', 'null'],
+          items: { type: 'string' },
+        },
+        expiresAt: { type: ['string', 'null'], format: 'date-time' },
+        revokedAt: { type: ['string', 'null'], format: 'date-time' },
+      },
+    };
+  }
+
+  static get relationMappings() {
+    const { ObjectDefinition } = require('./object-definition.model');
+    const { User } = require('./user.model');
+
+    return {
+      objectDefinition: {
+        relation: BaseModel.BelongsToOneRelation,
+        modelClass: ObjectDefinition,
+        join: {
+          from: 'record_shares.objectDefinitionId',
+          to: 'object_definitions.id',
+        },
+      },
+      granteeUser: {
+        relation: BaseModel.BelongsToOneRelation,
+        modelClass: User,
+        join: {
+          from: 'record_shares.granteeUserId',
+          to: 'users.id',
+        },
+      },
+      grantedByUser: {
+        relation: BaseModel.BelongsToOneRelation,
+        modelClass: User,
+        join: {
+          from: 'record_shares.grantedByUserId',
+          to: 'users.id',
+        },
+      },
+    };
+  }
+
+  // Check if share is currently valid
+  isValid(): boolean {
+    if (this.revokedAt) return false;
+    if (this.expiresAt && new Date(this.expiresAt) < new Date()) return false;
+    return true;
+  }
+}

backend/src/models/role-rule.model.ts

@@ -0,0 +1,38 @@
+import { BaseModel } from './base.model';
+
+export class RoleRule extends BaseModel {
+  static tableName = 'role_rules';
+
+  id: string;
+  roleId: string;
+  rulesJson: any[]; // Array of CASL rules
+  createdAt: Date;
+  updatedAt: Date;
+
+  static get jsonSchema() {
+    return {
+      type: 'object',
+      required: ['roleId', 'rulesJson'],
+      properties: {
+        id: { type: 'string' },
+        roleId: { type: 'string' },
+        rulesJson: { type: 'array' },
+      },
+    };
+  }
+
+  static get relationMappings() {
+    const { Role } = require('./role.model');
+
+    return {
+      role: {
+        relation: BaseModel.BelongsToOneRelation,
+        modelClass: Role,
+        join: {
+          from: 'role_rules.roleId',
+          to: 'roles.id',
+        },
+      },
+    };
+  }
+}

backend/src/models/role.model.ts

@@ -27,6 +27,7 @@ export class Role extends BaseModel {
     const { RolePermission } = require('./role-permission.model');
     const { Permission } = require('./permission.model');
     const { User } = require('./user.model');
+    const { RoleRule } = require('./role-rule.model');
 
     return {
       rolePermissions: {
@@ -61,6 +62,14 @@ export class Role extends BaseModel {
           to: 'users.id',
         },
       },
+      roleRules: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: RoleRule,
+        join: {
+          from: 'roles.id',
+          to: 'role_rules.roleId',
+        },
+      },
     };
   }
 }

backend/src/models/user.model.ts

@@ -30,6 +30,7 @@ export class User extends BaseModel {
   static get relationMappings() {
     const { UserRole } = require('./user-role.model');
     const { Role } = require('./role.model');
+    const { RecordShare } = require('./record-share.model');
 
     return {
       userRoles: {
@@ -52,6 +53,22 @@ export class User extends BaseModel {
           to: 'roles.id',
         },
       },
+      sharesGranted: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: RecordShare,
+        join: {
+          from: 'users.id',
+          to: 'record_shares.grantedByUserId',
+        },
+      },
+      sharesReceived: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: RecordShare,
+        join: {
+          from: 'users.id',
+          to: 'record_shares.granteeUserId',
+        },
+      },
     };
   }
 }

backend/src/object/models/model.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { Knex } from 'knex';
+import type { Knex } from 'knex';
 import { ModelClass } from 'objection';
 import { BaseModel } from './base.model';
 import { ModelRegistry } from './model.registry';

backend/src/object/object.service.ts

@@ -3,6 +3,9 @@ import { TenantDatabaseService } from '../tenant/tenant-database.service';
 import { CustomMigrationService } from '../migration/custom-migration.service';
 import { ModelService } from './models/model.service';
 import { ObjectMetadata } from './models/dynamic-model.factory';
+import { applyReadScope, applyUpdateScope, applyDeleteScope } from '../auth/query-scope.util';
+import { User } from '../models/user.model';
+import { ObjectDefinition } from '../models/object-definition.model';
 
 @Injectable()
 export class ObjectService {
@@ -421,6 +424,21 @@ export class ObjectService {
     // Verify object exists and get field definitions
     const objectDef = await this.getObjectDefinition(tenantId, objectApiName);
     
+    // Get object definition with authorization settings
+    const objectDefModel = await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName });
+    
+    if (!objectDefModel) {
+      throw new NotFoundException('Object definition not found');
+    }
+    
+    // Get user model for authorization
+    const user = await User.query(knex).findById(userId).withGraphFetched('roles');
+    
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+    
     const tableName = this.getTableName(objectApiName);
     
     // Ensure model is registered before attempting to use it
@@ -433,6 +451,9 @@ export class ObjectService {
         const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
         let query = boundModel.query();
         
+        // Apply authorization scoping
+        query = applyReadScope(query, user, objectDefModel, knex);
+        
         // Build graph expression for lookup fields
         const lookupFields = objectDef.fields?.filter(f => 
           f.type === 'LOOKUP' && f.referenceObject
@@ -450,12 +471,6 @@ export class ObjectService {
           }
         }
         
-        // Add ownership filter if ownerId field exists
-        const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
-        if (hasOwner) {
-          query = query.where({ ownerId: userId });
-        }
-        
         // Apply additional filters
         if (filters) {
           query = query.where(filters);
@@ -467,10 +482,10 @@ export class ObjectService {
       this.logger.warn(`Could not use Objection model for ${objectApiName}, falling back to manual join: ${error.message}`);
     }
 
-    // Fallback to manual data hydration
+    // Fallback to manual data hydration - Note: This path doesn't support authorization scoping yet
     let query = knex(tableName);
     
-    // Add ownership filter if ownerId field exists
+    // Add ownership filter if ownerId field exists (basic fallback)
     const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
     if (hasOwner) {
       query = query.where({ [`${tableName}.ownerId`]: userId });

backend/src/object/schema-management.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { Knex } from 'knex';
+import type { Knex } from 'knex';
 import { ObjectDefinition } from '../models/object-definition.model';
 import { FieldDefinition } from '../models/field-definition.model';
 

backend/src/object/setup-object.controller.ts

@@ -2,14 +2,19 @@ import {
   Controller,
   Get,
   Post,
+  Put,
   Param,
   Body,
   UseGuards,
+  Inject,
 } from '@nestjs/common';
 import { ObjectService } from './object.service';
 import { FieldMapperService } from './field-mapper.service';
 import { JwtAuthGuard } from '../auth/jwt-auth.guard';
 import { TenantId } from '../tenant/tenant.decorator';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { FieldDefinition } from '../models/field-definition.model';
+import { Knex } from 'knex';
 
 @Controller('setup/objects')
 @UseGuards(JwtAuthGuard)
@@ -17,6 +22,7 @@ export class SetupObjectController {
   constructor(
     private objectService: ObjectService,
     private fieldMapperService: FieldMapperService,
+    @Inject('KnexConnection') private readonly knex: Knex,
   ) {}
 
   @Get()
@@ -67,4 +73,122 @@ export class SetupObjectController {
     // Map the created field to frontend format
     return this.fieldMapperService.mapFieldToDTO(field);
   }
+
+  // Access & Permissions endpoints
+
+  /**
+   * Get object access configuration
+   */
+  @Get(':objectApiName/access')
+  async getAccess(
+    @TenantId() tenantId: string,
+    @Param('objectApiName') objectApiName: string,
+  ) {
+    const objectDef = await ObjectDefinition.query(this.knex)
+      .findOne({ apiName: objectApiName })
+      .withGraphFetched('fields');
+
+    if (!objectDef) {
+      throw new Error('Object definition not found');
+    }
+
+    return {
+      accessModel: objectDef.accessModel,
+      publicRead: objectDef.publicRead,
+      publicCreate: objectDef.publicCreate,
+      publicUpdate: objectDef.publicUpdate,
+      publicDelete: objectDef.publicDelete,
+      ownerField: objectDef.ownerField,
+      fields: objectDef['fields'] || [],
+    };
+  }
+
+  /**
+   * Update object access configuration
+   */
+  @Put(':objectApiName/access')
+  async updateAccess(
+    @TenantId() tenantId: string,
+    @Param('objectApiName') objectApiName: string,
+    @Body() dto: any,
+  ) {
+
+    console.log('dto', JSON.stringify(dto));
+
+    const objectDef = await ObjectDefinition.query(this.knex)
+      .findOne({ apiName: objectApiName });
+
+    if (!objectDef) {
+      throw new Error('Object definition not found');
+    }
+
+    return ObjectDefinition.query(this.knex).patchAndFetchById(objectDef.id, dto);
+  }
+
+  /**
+   * Create or update field-level permissions
+   */
+  @Post(':objectApiName/fields/:fieldKey/permissions')
+  async setFieldPermissions(
+    @TenantId() tenantId: string,
+    @Param('objectApiName') objectApiName: string,
+    @Param('fieldKey') fieldKey: string,
+    @Body() dto: any,
+  ) {
+    const objectDef = await ObjectDefinition.query(this.knex)
+      .findOne({ apiName: objectApiName });
+
+    if (!objectDef) {
+      throw new Error('Object definition not found');
+    }
+
+    // Find the field definition
+    const field = await FieldDefinition.query(this.knex)
+      .findOne({
+        objectDefinitionId: objectDef.id,
+        apiName: fieldKey,
+      });
+
+    if (!field) {
+      throw new Error('Field definition not found');
+    }
+
+    // Update field permissions
+    return FieldDefinition.query(this.knex).patchAndFetchById(field.id, {
+      defaultReadable: dto.defaultReadable ?? field.defaultReadable,
+      defaultWritable: dto.defaultWritable ?? field.defaultWritable,
+    });
+  }
+
+  /**
+   * Bulk set field permissions for an object
+   */
+  @Put(':objectApiName/field-permissions')
+  async bulkSetFieldPermissions(
+    @TenantId() tenantId: string,
+    @Param('objectApiName') objectApiName: string,
+    @Body() fields: { fieldKey: string; defaultReadable: boolean; defaultWritable: boolean }[],
+  ) {
+    const objectDef = await ObjectDefinition.query(this.knex)
+      .findOne({ apiName: objectApiName });
+
+    if (!objectDef) {
+      throw new Error('Object definition not found');
+    }
+
+    // Update each field in the field_definitions table
+    for (const fieldUpdate of fields) {
+      await FieldDefinition.query(this.knex)
+        .where({
+          objectDefinitionId: objectDef.id,
+          apiName: fieldUpdate.fieldKey,
+        })
+        .patch({
+          defaultReadable: fieldUpdate.defaultReadable,
+          defaultWritable: fieldUpdate.defaultWritable,
+        });
+    }
+
+    return { success: true };
+  }
 }

backend/src/rbac/rbac.module.ts

@@ -1,8 +1,13 @@
 import { Module } from '@nestjs/common';
 import { RbacService } from './rbac.service';
+import { ShareController } from './share.controller';
+import { RoleController, RoleRuleController } from './role.controller';
+import { TenantModule } from '../tenant/tenant.module';
 
 @Module({
+  imports: [TenantModule],
   providers: [RbacService],
+  controllers: [ShareController, RoleController, RoleRuleController],
   exports: [RbacService],
 })
 export class RbacModule {}

backend/src/rbac/role.controller.ts

@@ -0,0 +1,137 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Put,
+  Delete,
+  Body,
+  Param,
+  UseGuards,
+  Inject,
+} from '@nestjs/common';
+import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { Role } from '../models/role.model';
+import { RoleRule } from '../models/role-rule.model';
+import { Knex } from 'knex';
+
+export class CreateRoleDto {
+  name: string;
+  guardName?: string;
+  description?: string;
+}
+
+export class UpdateRoleDto {
+  name?: string;
+  description?: string;
+}
+
+export class CreateRoleRuleDto {
+  roleId: string;
+  rulesJson: any[]; // Array of CASL rules
+}
+
+export class UpdateRoleRuleDto {
+  rulesJson: any[];
+}
+
+@Controller('roles')
+@UseGuards(JwtAuthGuard)
+export class RoleController {
+  constructor(@Inject('KnexConnection') private readonly knex: Knex) {}
+
+  /**
+   * List all roles
+   */
+  @Get()
+  async list() {
+    return Role.query(this.knex).withGraphFetched('[roleRules]');
+  }
+
+  /**
+   * Get a single role by ID
+   */
+  @Get(':id')
+  async get(@Param('id') id: string) {
+    return Role.query(this.knex)
+      .findById(id)
+      .withGraphFetched('[roleRules, permissions]');
+  }
+
+  /**
+   * Create a new role
+   */
+  @Post()
+  async create(@Body() createDto: CreateRoleDto) {
+    return Role.query(this.knex).insert({
+      name: createDto.name,
+      guardName: createDto.guardName || 'api',
+      description: createDto.description,
+    });
+  }
+
+  /**
+   * Update a role
+   */
+  @Put(':id')
+  async update(@Param('id') id: string, @Body() updateDto: UpdateRoleDto) {
+    return Role.query(this.knex).patchAndFetchById(id, updateDto);
+  }
+
+  /**
+   * Delete a role
+   */
+  @Delete(':id')
+  async delete(@Param('id') id: string) {
+    await Role.query(this.knex).deleteById(id);
+    return { success: true };
+  }
+}
+
+@Controller('role-rules')
+@UseGuards(JwtAuthGuard)
+export class RoleRuleController {
+  constructor(@Inject('KnexConnection') private readonly knex: Knex) {}
+
+  /**
+   * Get rules for a role
+   */
+  @Get('role/:roleId')
+  async getForRole(@Param('roleId') roleId: string) {
+    return RoleRule.query(this.knex).where('roleId', roleId);
+  }
+
+  /**
+   * Create or update role rules
+   * This will replace existing rules for the role
+   */
+  @Post()
+  async createOrUpdate(@Body() dto: CreateRoleRuleDto) {
+    // Delete existing rules for this role
+    await RoleRule.query(this.knex).where('roleId', dto.roleId).delete();
+
+    // Insert new rules
+    return RoleRule.query(this.knex).insert({
+      roleId: dto.roleId,
+      rulesJson: dto.rulesJson,
+    });
+  }
+
+  /**
+   * Update role rules by ID
+   */
+  @Put(':id')
+  async update(@Param('id') id: string, @Body() dto: UpdateRoleRuleDto) {
+    return RoleRule.query(this.knex).patchAndFetchById(id, {
+      rulesJson: dto.rulesJson,
+    });
+  }
+
+  /**
+   * Delete role rules
+   */
+  @Delete(':id')
+  async delete(@Param('id') id: string) {
+    await RoleRule.query(this.knex).deleteById(id);
+    return { success: true };
+  }
+}

backend/src/rbac/share.controller.ts

@@ -0,0 +1,199 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body,
+  Param,
+  Query,
+  UseGuards,
+  Inject,
+} from '@nestjs/common';
+import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { CurrentUser } from '../auth/decorators/auth.decorators';
+import { User } from '../models/user.model';
+import { RecordShare } from '../models/record-share.model';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { Knex } from 'knex';
+
+export class CreateShareDto {
+  objectDefinitionId: string;
+  recordId: string;
+  granteeUserId: string;
+  actions: string[]; // ["read"], ["read", "update"], etc.
+  fields?: string[]; // Optional field scoping
+  expiresAt?: Date;
+}
+
+export class UpdateShareDto {
+  actions?: string[];
+  fields?: string[];
+  expiresAt?: Date;
+}
+
+@Controller('shares')
+@UseGuards(JwtAuthGuard)
+export class ShareController {
+  constructor(@Inject('KnexConnection') private readonly knex: Knex) {}
+
+  /**
+   * Create a new share
+   * Only the owner (or users with share permission) can share a record
+   */
+  @Post()
+  async create(
+    @CurrentUser() user: User,
+    @Body() createDto: CreateShareDto,
+  ) {
+    // Verify the user owns the record or has permission to share
+    const objectDef = await ObjectDefinition.query(this.knex)
+      .findById(createDto.objectDefinitionId);
+
+    if (!objectDef) {
+      throw new Error('Object definition not found');
+    }
+
+    // TODO: Verify ownership or share permission via CASL
+    // For now, we'll assume authorized
+
+    const share = await RecordShare.query(this.knex).insert({
+      objectDefinitionId: createDto.objectDefinitionId,
+      recordId: createDto.recordId,
+      granteeUserId: createDto.granteeUserId,
+      grantedByUserId: user.id,
+      actions: JSON.stringify(createDto.actions),
+      fields: createDto.fields ? JSON.stringify(createDto.fields) : null,
+      expiresAt: createDto.expiresAt,
+    });
+
+    return share;
+  }
+
+  /**
+   * List shares for a specific record
+   * Only owner or users with access can see shares
+   */
+  @Get('record/:objectDefinitionId/:recordId')
+  async listForRecord(
+    @CurrentUser() user: User,
+    @Param('objectDefinitionId') objectDefinitionId: string,
+    @Param('recordId') recordId: string,
+  ) {
+    // TODO: Verify user has access to this record
+
+    const shares = await RecordShare.query(this.knex)
+      .where({
+        objectDefinitionId,
+        recordId,
+      })
+      .whereNull('revokedAt')
+      .withGraphFetched('[granteeUser, grantedByUser]');
+
+    return shares.map((share) => ({
+      ...share,
+      actions: typeof share.actions === 'string' ? JSON.parse(share.actions) : share.actions,
+      fields: share.fields && typeof share.fields === 'string' ? JSON.parse(share.fields) : share.fields,
+    }));
+  }
+
+  /**
+   * List shares granted by current user
+   */
+  @Get('granted')
+  async listGranted(@CurrentUser() user: User) {
+    const shares = await RecordShare.query(this.knex)
+      .where('grantedByUserId', user.id)
+      .whereNull('revokedAt')
+      .withGraphFetched('[granteeUser, objectDefinition]');
+
+    return shares.map((share) => ({
+      ...share,
+      actions: typeof share.actions === 'string' ? JSON.parse(share.actions) : share.actions,
+      fields: share.fields && typeof share.fields === 'string' ? JSON.parse(share.fields) : share.fields,
+    }));
+  }
+
+  /**
+   * List shares received by current user
+   */
+  @Get('received')
+  async listReceived(@CurrentUser() user: User) {
+    const shares = await RecordShare.query(this.knex)
+      .where('granteeUserId', user.id)
+      .whereNull('revokedAt')
+      .where(function () {
+        this.whereNull('expiresAt').orWhere('expiresAt', '>', new Date());
+      })
+      .withGraphFetched('[grantedByUser, objectDefinition]');
+
+    return shares.map((share) => ({
+      ...share,
+      actions: typeof share.actions === 'string' ? JSON.parse(share.actions) : share.actions,
+      fields: share.fields && typeof share.fields === 'string' ? JSON.parse(share.fields) : share.fields,
+    }));
+  }
+
+  /**
+   * Update a share
+   */
+  @Patch(':id')
+  async update(
+    @CurrentUser() user: User,
+    @Param('id') id: string,
+    @Body() updateDto: UpdateShareDto,
+  ) {
+    const share = await RecordShare.query(this.knex).findById(id);
+
+    if (!share) {
+      throw new Error('Share not found');
+    }
+
+    // Only the grantor can update
+    if (share.grantedByUserId !== user.id) {
+      throw new Error('Unauthorized');
+    }
+
+    const updates: any = {};
+    if (updateDto.actions) {
+      updates.actions = JSON.stringify(updateDto.actions);
+    }
+    if (updateDto.fields !== undefined) {
+      updates.fields = updateDto.fields ? JSON.stringify(updateDto.fields) : null;
+    }
+    if (updateDto.expiresAt !== undefined) {
+      updates.expiresAt = updateDto.expiresAt;
+    }
+
+    const updated = await RecordShare.query(this.knex)
+      .patchAndFetchById(id, updates);
+
+    return {
+      ...updated,
+      actions: typeof updated.actions === 'string' ? JSON.parse(updated.actions) : updated.actions,
+      fields: updated.fields && typeof updated.fields === 'string' ? JSON.parse(updated.fields) : updated.fields,
+    };
+  }
+
+  /**
+   * Revoke a share (soft delete)
+   */
+  @Delete(':id')
+  async revoke(@CurrentUser() user: User, @Param('id') id: string) {
+    const share = await RecordShare.query(this.knex).findById(id);
+
+    if (!share) {
+      throw new Error('Share not found');
+    }
+
+    // Only the grantor can revoke
+    if (share.grantedByUserId !== user.id) {
+      throw new Error('Unauthorized');
+    }
+
+    await RecordShare.query(this.knex)
+      .patchAndFetchById(id, { revokedAt: new Date() });
+
+    return { success: true };
+  }
+}

backend/src/tenant/central-database.service.ts

@@ -1,14 +1,15 @@
 import Knex from 'knex';
+import type { Knex as KnexType } from 'knex';
 import { Model } from 'objection';
 import { CentralTenant, CentralDomain, CentralUser } from '../models/central.model';
 
-let centralKnex: Knex.Knex | null = null;
+let centralKnex: KnexType | null = null;
 
 /**
  * Get or create a Knex instance for the central database
  * This is used for Objection models that work with central entities
  */
-export function getCentralKnex(): Knex.Knex {
+export function getCentralKnex(): KnexType {
   if (!centralKnex) {
     const centralDbUrl = process.env.CENTRAL_DATABASE_URL;
     

backend/src/tenant/tenant.module.ts

@@ -1,4 +1,5 @@
-import { Module, NestModule, MiddlewareConsumer } from '@nestjs/common';
+import { Module, NestModule, MiddlewareConsumer, Scope } from '@nestjs/common';
+import { REQUEST } from '@nestjs/core';
 import { TenantMiddleware } from './tenant.middleware';
 import { TenantDatabaseService } from './tenant-database.service';
 import { TenantProvisioningService } from './tenant-provisioning.service';
@@ -13,8 +14,30 @@ import { PrismaModule } from '../prisma/prisma.module';
     TenantDatabaseService,
     TenantProvisioningService,
     TenantMiddleware,
+    {
+      provide: 'KnexConnection',
+      scope: Scope.REQUEST,
+      inject: [REQUEST, TenantDatabaseService],
+      useFactory: async (request: any, tenantDbService: TenantDatabaseService) => {
+        // Try to get subdomain first (for domain-based routing)
+        const subdomain = request.raw?.subdomain || request.subdomain;
+        const tenantId = request.raw?.tenantId || request.tenantId;
+        
+        if (!subdomain && !tenantId) {
+          throw new Error('Neither subdomain nor tenant ID found in request');
+        }
+        
+        // Prefer subdomain lookup (more reliable for domain-based routing)
+        if (subdomain) {
+          return await tenantDbService.getTenantKnexByDomain(subdomain);
+        }
+        
+        // Fallback to tenant ID lookup
+        return await tenantDbService.getTenantKnexById(tenantId);
+      },
+    },
   ],
-  exports: [TenantDatabaseService, TenantProvisioningService],
+  exports: [TenantDatabaseService, TenantProvisioningService, 'KnexConnection'],
 })
 export class TenantModule implements NestModule {
   configure(consumer: MiddlewareConsumer) {