WIP - permissions progress

backend/src/object/models/dynamic-model.factory.ts

@@ -49,7 +49,8 @@ export class DynamicModelFactory {
       updated_at: { type: 'string', format: 'date-time' },
     };
 
-    const required: string[] = ['id', 'tenantId'];
+    // Don't require id or tenantId - they'll be set automatically
+    const required: string[] = [];
 
     // Add custom fields
     for (const field of fields) {

backend/src/object/object.module.ts

@@ -6,11 +6,12 @@ import { SchemaManagementService } from './schema-management.service';
 import { FieldMapperService } from './field-mapper.service';
 import { TenantModule } from '../tenant/tenant.module';
 import { MigrationModule } from '../migration/migration.module';
+import { RbacModule } from '../rbac/rbac.module';
 import { ModelRegistry } from './models/model.registry';
 import { ModelService } from './models/model.service';
 
 @Module({
-  imports: [TenantModule, MigrationModule],
+  imports: [TenantModule, MigrationModule, RbacModule],
   providers: [
     ObjectService,
     SchemaManagementService,

backend/src/object/object.service.ts

@@ -2,6 +2,10 @@ import { Injectable, NotFoundException, Logger } from '@nestjs/common';
 import { TenantDatabaseService } from '../tenant/tenant-database.service';
 import { CustomMigrationService } from '../migration/custom-migration.service';
 import { ModelService } from './models/model.service';
+import { AuthorizationService } from '../rbac/authorization.service';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { FieldDefinition } from '../models/field-definition.model';
+import { User } from '../models/user.model';
 import { ObjectMetadata } from './models/dynamic-model.factory';
 
 @Injectable()
@@ -12,6 +16,7 @@ export class ObjectService {
     private tenantDbService: TenantDatabaseService,
     private customMigrationService: CustomMigrationService,
     private modelService: ModelService,
+    private authService: AuthorizationService,
   ) {}
 
   // Setup endpoints - Object metadata management
@@ -225,6 +230,31 @@ export class ObjectService {
     return objectDef;
   }
 
+  async updateObjectDefinition(
+    tenantId: string,
+    objectApiName: string,
+    data: Partial<{
+      label: string;
+      pluralLabel: string;
+      description: string;
+      orgWideDefault: 'private' | 'public_read' | 'public_read_write';
+    }>,
+  ) {
+    const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
+    const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
+    
+    // Update the object definition
+    await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName })
+      .patch({
+        ...data,
+        updatedAt: new Date(),
+      });
+    
+    // Return updated object
+    return await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName });
+  }
 
   async createFieldDefinition(
     tenantId: string,
@@ -418,8 +448,23 @@ export class ObjectService {
     const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
     const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
     
-    // Verify object exists and get field definitions
-    const objectDef = await this.getObjectDefinition(tenantId, objectApiName);
+    // Get user with roles and permissions
+    const user = await User.query(knex)
+      .findById(userId)
+      .withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
+    
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+    
+    // Get object definition with authorization settings
+    const objectDefModel = await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName })
+      .withGraphFetched('fields');
+    
+    if (!objectDefModel) {
+      throw new NotFoundException(`Object ${objectApiName} not found`);
+    }
     
     const tableName = this.getTableName(objectApiName);
     
@@ -427,14 +472,24 @@ export class ObjectService {
     await this.ensureModelRegistered(resolvedTenantId, objectApiName);
 
     // Try to use the Objection model if available
+    let records = [];
     try {
       const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
       if (Model) {
         const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
         let query = boundModel.query();
         
+        // Apply authorization scope (modifies query in place)
+        await this.authService.applyScopeToQuery(
+          query,
+          objectDefModel,
+          user,
+          'read',
+          knex,
+        );
+        
         // Build graph expression for lookup fields
-        const lookupFields = objectDef.fields?.filter(f => 
+        const lookupFields = objectDefModel.fields?.filter(f => 
           f.type === 'LOOKUP' && f.referenceObject
         ) || [];
         
@@ -450,80 +505,44 @@ export class ObjectService {
           }
         }
         
-        // Add ownership filter if ownerId field exists
-        const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
-        if (hasOwner) {
-          query = query.where({ ownerId: userId });
-        }
-        
         // Apply additional filters
         if (filters) {
           query = query.where(filters);
         }
         
-        return query.select('*');
+        records = await query.select('*');
       }
     } catch (error) {
-      this.logger.warn(`Could not use Objection model for ${objectApiName}, falling back to manual join: ${error.message}`);
-    }
-
-    // Fallback to manual data hydration
-    let query = knex(tableName);
-    
-    // Add ownership filter if ownerId field exists
-    const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
-    if (hasOwner) {
-      query = query.where({ [`${tableName}.ownerId`]: userId });
-    }
-    
-    // Apply additional filters
-    if (filters) {
-      query = query.where(filters);
-    }
-    
-    // Get base records
-    const records = await query.select(`${tableName}.*`);
-    
-    // Fetch and attach related records for lookup fields
-    const lookupFields = objectDef.fields?.filter(f => 
-      f.type === 'LOOKUP' && f.referenceObject
-    ) || [];
-    
-    if (lookupFields.length > 0 && records.length > 0) {
-      for (const field of lookupFields) {
-        const relationName = field.apiName.replace(/Id$/, '').toLowerCase();
-        const relatedTable = this.getTableName(field.referenceObject);
-        
-        // Get unique IDs to fetch
-        const relatedIds = [...new Set(
-          records
-            .map(r => r[field.apiName])
-            .filter(Boolean)
-        )];
-        
-        if (relatedIds.length > 0) {
-          // Fetch all related records in one query
-          const relatedRecords = await knex(relatedTable)
-            .whereIn('id', relatedIds)
-            .select('*');
-          
-          // Create a map for quick lookup
-          const relatedMap = new Map(
-            relatedRecords.map(r => [r.id, r])
-          );
-          
-          // Attach related records to main records
-          for (const record of records) {
-            const relatedId = record[field.apiName];
-            if (relatedId && relatedMap.has(relatedId)) {
-              record[relationName] = relatedMap.get(relatedId);
-            }
-          }
-        }
+      this.logger.warn(`Could not use Objection model for ${objectApiName}, falling back to manual query: ${error.message}`);
+      
+      // Fallback to Knex query with authorization
+      let query = knex(tableName);
+      
+      // Apply additional filters before authorization scope
+      if (filters) {
+        query = query.where(filters);
       }
+      
+      // Apply authorization scope (modifies query in place)
+      await this.authService.applyScopeToQuery(
+        query,
+        objectDefModel,
+        user,
+        'read',
+        knex,
+      );
+      
+      records = await query.select('*');
     }
     
-    return records;
+    // Filter fields based on field-level permissions
+    const filteredRecords = await Promise.all(
+      records.map(record => 
+        this.authService.filterReadableFields(record, objectDefModel.fields, user)
+      )
+    );
+    
+    return filteredRecords;
   }
 
   async getRecord(
@@ -634,8 +653,32 @@ export class ObjectService {
     const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
     const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
     
-    // Verify object exists
-    await this.getObjectDefinition(tenantId, objectApiName);
+    // Get user with roles and permissions
+    const user = await User.query(knex)
+      .findById(userId)
+      .withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
+    
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+    
+    // Get object definition with authorization settings
+    const objectDefModel = await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName })
+      .withGraphFetched('fields');
+    
+    if (!objectDefModel) {
+      throw new NotFoundException(`Object ${objectApiName} not found`);
+    }
+    
+    // Check if user has create permission
+    const canCreate = await this.authService.canCreate(objectDefModel, user);
+    if (!canCreate) {
+      throw new NotFoundException('You do not have permission to create records of this object');
+    }
+    
+    // Filter data to only editable fields
+    const editableData = await this.authService.filterEditableFields(data, objectDefModel.fields, user);
     
     // Ensure model is registered before attempting to use it
     await this.ensureModelRegistered(resolvedTenantId, objectApiName);
@@ -646,7 +689,7 @@ export class ObjectService {
       if (Model) {
         const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
         const recordData = {
-          ...data,
+          ...editableData,
           ownerId: userId, // Auto-set owner
         };
         const record = await boundModel.query().insert(recordData);
@@ -660,9 +703,13 @@ export class ObjectService {
     const tableName = this.getTableName(objectApiName);
     const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
     
+    // Generate UUID for the record
+    const result = await knex.raw('SELECT UUID() as uuid');
+    const uuid = result[0][0].uuid;
+    
     const recordData: any = {
-      id: knex.raw('(UUID())'),
-      ...data,
+      id: uuid,
+      ...editableData,
       created_at: knex.fn.now(),
       updated_at: knex.fn.now(),
     };
@@ -671,9 +718,9 @@ export class ObjectService {
       recordData.ownerId = userId;
     }
     
-    const [id] = await knex(tableName).insert(recordData);
+    await knex(tableName).insert(recordData);
     
-    return knex(tableName).where({ id }).first();
+    return knex(tableName).where({ id: uuid }).first();
   }
 
   async updateRecord(
@@ -686,10 +733,43 @@ export class ObjectService {
     const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
     const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
     
-    // Verify object exists and user has access
-    await this.getRecord(tenantId, objectApiName, recordId, userId);
+    // Get user with roles and permissions
+    const user = await User.query(knex)
+      .findById(userId)
+      .withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
+    
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+    
+    // Get object definition with authorization settings
+    const objectDefModel = await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName })
+      .withGraphFetched('fields');
+    
+    if (!objectDefModel) {
+      throw new NotFoundException(`Object ${objectApiName} not found`);
+    }
     
     const tableName = this.getTableName(objectApiName);
+    
+    // Get existing record
+    const existingRecord = await knex(tableName).where({ id: recordId }).first();
+    if (!existingRecord) {
+      throw new NotFoundException('Record not found');
+    }
+    
+    // Check if user can update this record
+    await this.authService.assertCanPerformAction('update', objectDefModel, existingRecord, user, knex);
+    
+    // Filter data to only editable fields
+    const editableData = await this.authService.filterEditableFields(data, objectDefModel.fields, user);
+    
+    // Remove system fields
+    delete editableData.id;
+    delete editableData.ownerId;
+    delete editableData.created_at;
+    delete editableData.tenantId;
 
     // Ensure model is registered before attempting to use it
     await this.ensureModelRegistered(resolvedTenantId, objectApiName);
@@ -699,14 +779,7 @@ export class ObjectService {
       const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
       if (Model) {
         const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
-        // Don't allow updating ownerId or system fields
-        const allowedData = { ...data };
-        delete allowedData.ownerId;
-        delete allowedData.id;
-        delete allowedData.created_at;
-        delete allowedData.tenantId;
-        
-        await boundModel.query().where({ id: recordId }).update(allowedData);
+        await boundModel.query().where({ id: recordId }).update(editableData);
         return boundModel.query().where({ id: recordId }).first();
       }
     } catch (error) {
@@ -716,7 +789,7 @@ export class ObjectService {
     // Fallback to raw Knex
     await knex(tableName)
       .where({ id: recordId })
-      .update({ ...data, updated_at: knex.fn.now() });
+      .update({ ...editableData, updated_at: knex.fn.now() });
     
     return knex(tableName).where({ id: recordId }).first();
   }
@@ -730,10 +803,33 @@ export class ObjectService {
     const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
     const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
     
-    // Verify object exists and user has access
-    await this.getRecord(tenantId, objectApiName, recordId, userId);
+    // Get user with roles and permissions
+    const user = await User.query(knex)
+      .findById(userId)
+      .withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
+    
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+    
+    // Get object definition with authorization settings
+    const objectDefModel = await ObjectDefinition.query(knex)
+      .findOne({ apiName: objectApiName });
+    
+    if (!objectDefModel) {
+      throw new NotFoundException(`Object ${objectApiName} not found`);
+    }
     
     const tableName = this.getTableName(objectApiName);
+    
+    // Get existing record
+    const existingRecord = await knex(tableName).where({ id: recordId }).first();
+    if (!existingRecord) {
+      throw new NotFoundException('Record not found');
+    }
+    
+    // Check if user can delete this record
+    await this.authService.assertCanPerformAction('delete', objectDefModel, existingRecord, user, knex);
 
     // Ensure model is registered before attempting to use it
     await this.ensureModelRegistered(resolvedTenantId, objectApiName);

backend/src/object/setup-object.controller.ts

@@ -2,6 +2,7 @@ import {
   Controller,
   Get,
   Post,
+  Patch,
   Param,
   Body,
   UseGuards,
@@ -67,4 +68,13 @@ export class SetupObjectController {
     // Map the created field to frontend format
     return this.fieldMapperService.mapFieldToDTO(field);
   }
+
+  @Patch(':objectApiName')
+  async updateObjectDefinition(
+    @TenantId() tenantId: string,
+    @Param('objectApiName') objectApiName: string,
+    @Body() data: any,
+  ) {
+    return this.objectService.updateObjectDefinition(tenantId, objectApiName, data);
+  }
 }