WIP - permissions progress

backend/src/rbac/ability.factory.ts

@@ -0,0 +1,185 @@
+import { AbilityBuilder, PureAbility, AbilityClass } from '@casl/ability';
+import { Injectable } from '@nestjs/common';
+import { User } from '../models/user.model';
+import { RoleObjectPermission } from '../models/role-object-permission.model';
+import { RoleFieldPermission } from '../models/role-field-permission.model';
+import { RecordShare } from '../models/record-share.model';
+
+// Define action types
+export type Action = 'create' | 'read' | 'update' | 'delete' | 'view_all' | 'modify_all';
+
+// Define subject types - can be string (object API name) or actual object with fields
+export type Subject = string | { objectApiName: string; ownerId?: string; id?: string; [key: string]: any };
+
+// Define field actions
+export type FieldAction = 'read' | 'edit';
+
+export type AppAbility = PureAbility<[Action, Subject], { field?: string }>;
+
+@Injectable()
+export class AbilityFactory {
+  /**
+   * Build CASL ability for a user based on their roles and permissions
+   * This aggregates permissions from all roles the user has
+   */
+  async defineAbilityFor(
+    user: User & { roles?: Array<{ objectPermissions?: RoleObjectPermission[]; fieldPermissions?: RoleFieldPermission[] }> },
+    recordShares?: RecordShare[],
+  ): Promise<AppAbility> {
+    const { can, cannot, build } = new AbilityBuilder<AppAbility>(PureAbility as AbilityClass<AppAbility>);
+
+    if (!user.roles || user.roles.length === 0) {
+      // No roles = no permissions
+      return build();
+    }
+
+    // Aggregate object permissions from all roles
+    const objectPermissionsMap = new Map<string, {
+      canCreate: boolean;
+      canRead: boolean;
+      canEdit: boolean;
+      canDelete: boolean;
+      canViewAll: boolean;
+      canModifyAll: boolean;
+    }>();
+
+    // Aggregate field permissions from all roles
+    const fieldPermissionsMap = new Map<string, {
+      canRead: boolean;
+      canEdit: boolean;
+    }>();
+
+    // Process all roles
+    for (const role of user.roles) {
+      // Aggregate object permissions
+      if (role.objectPermissions) {
+        for (const perm of role.objectPermissions) {
+          const existing = objectPermissionsMap.get(perm.objectDefinitionId) || {
+            canCreate: false,
+            canRead: false,
+            canEdit: false,
+            canDelete: false,
+            canViewAll: false,
+            canModifyAll: false,
+          };
+
+          // Union of permissions (if any role grants it, user has it)
+          objectPermissionsMap.set(perm.objectDefinitionId, {
+            canCreate: existing.canCreate || perm.canCreate,
+            canRead: existing.canRead || perm.canRead,
+            canEdit: existing.canEdit || perm.canEdit,
+            canDelete: existing.canDelete || perm.canDelete,
+            canViewAll: existing.canViewAll || perm.canViewAll,
+            canModifyAll: existing.canModifyAll || perm.canModifyAll,
+          });
+        }
+      }
+
+      // Aggregate field permissions
+      if (role.fieldPermissions) {
+        for (const perm of role.fieldPermissions) {
+          const existing = fieldPermissionsMap.get(perm.fieldDefinitionId) || {
+            canRead: false,
+            canEdit: false,
+          };
+
+          fieldPermissionsMap.set(perm.fieldDefinitionId, {
+            canRead: existing.canRead || perm.canRead,
+            canEdit: existing.canEdit || perm.canEdit,
+          });
+        }
+      }
+    }
+
+    // Convert aggregated permissions to CASL rules
+    for (const [objectId, perms] of objectPermissionsMap) {
+      // Create permission
+      if (perms.canCreate) {
+        can('create', objectId);
+      }
+
+      // Read permission
+      if (perms.canRead) {
+        can('read', objectId);
+      }
+
+      // View all permission (can see all records regardless of ownership)
+      if (perms.canViewAll) {
+        can('view_all', objectId);
+      }
+
+      // Edit permission
+      if (perms.canEdit) {
+        can('update', objectId);
+      }
+
+      // Modify all permission (can edit all records regardless of ownership)
+      if (perms.canModifyAll) {
+        can('modify_all', objectId);
+      }
+
+      // Delete permission
+      if (perms.canDelete) {
+        can('delete', objectId);
+      }
+    }
+
+    // Add record sharing permissions
+    if (recordShares) {
+      for (const share of recordShares) {
+        // Only add if share is active (not expired, not revoked)
+        const now = new Date();
+        const isExpired = share.expiresAt && share.expiresAt < now;
+        const isRevoked = share.revokedAt !== null;
+
+        if (!isExpired && !isRevoked) {
+          // Note: Record-level sharing will be checked in authorization service
+          // CASL abilities are primarily for object-level permissions
+          // Individual record access is validated in applyScopeToQuery
+        }
+      }
+    }
+
+    return build();
+  }
+
+  /**
+   * Check if user can access a specific field
+   * Returns true if user has permission or if no restriction exists
+   */
+  canAccessField(
+    fieldDefinitionId: string,
+    action: FieldAction,
+    user: User & { roles?: Array<{ fieldPermissions?: RoleFieldPermission[] }> },
+  ): boolean {
+    if (!user.roles || user.roles.length === 0) {
+      return false;
+    }
+
+    // Check all roles for field permission
+    for (const role of user.roles) {
+      if (role.fieldPermissions) {
+        const fieldPerm = role.fieldPermissions.find(fp => fp.fieldDefinitionId === fieldDefinitionId);
+        if (fieldPerm) {
+          if (action === 'read' && fieldPerm.canRead) return true;
+          if (action === 'edit' && fieldPerm.canEdit) return true;
+        }
+      }
+    }
+
+    // Default: allow if no explicit restriction
+    return true;
+  }
+
+  /**
+   * Filter fields based on user permissions
+   * Returns array of field IDs the user can access with the specified action
+   */
+  filterFields(
+    fieldDefinitionIds: string[],
+    action: FieldAction,
+    user: User & { roles?: Array<{ fieldPermissions?: RoleFieldPermission[] }> },
+  ): string[] {
+    return fieldDefinitionIds.filter(fieldId => this.canAccessField(fieldId, action, user));
+  }
+}

backend/src/rbac/authorization.service.ts

@@ -0,0 +1,267 @@
+import { Injectable, ForbiddenException } from '@nestjs/common';
+import { Knex } from 'knex';
+import { User } from '../models/user.model';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { FieldDefinition } from '../models/field-definition.model';
+import { RecordShare } from '../models/record-share.model';
+import { AbilityFactory, AppAbility, Action } from './ability.factory';
+import { subject } from '@casl/ability';
+
+@Injectable()
+export class AuthorizationService {
+  constructor(private abilityFactory: AbilityFactory) {}
+
+  /**
+   * Apply authorization scope to a query based on OWD and user permissions
+   * This determines which records the user can see
+   * Modifies the query in place and returns void
+   */
+  async applyScopeToQuery<T = any>(
+    query: any, // Accept both Knex and Objection query builders
+    objectDef: ObjectDefinition,
+    user: User & { roles?: any[] },
+    action: Action,
+    knex: Knex,
+  ): Promise<void> {
+    // Get user's ability
+    const recordShares = await this.getActiveRecordShares(objectDef.id, user.id, knex);
+    const ability = await this.abilityFactory.defineAbilityFor(user, recordShares);
+
+    // Check if user has the base permission for this action
+    // Use object ID, not API name, since permissions are stored by object ID
+    if (!ability.can(action, objectDef.id)) {
+      // No permission at all - return empty result
+      query.where(knex.raw('1 = 0'));
+      return;
+    }
+
+    // Check special permissions
+    const hasViewAll = ability.can('view_all', objectDef.id);
+    const hasModifyAll = ability.can('modify_all', objectDef.id);
+
+    // If user has view_all or modify_all, they can see all records
+    if (hasViewAll || hasModifyAll) {
+      // No filtering needed
+      return;
+    }
+
+    // Apply OWD (Org-Wide Default) restrictions
+    switch (objectDef.orgWideDefault) {
+      case 'public_read_write':
+        // Everyone can see all records
+        return;
+
+      case 'public_read':
+        // Everyone can see all records (write operations checked separately)
+        return;
+
+      case 'private':
+      default:
+        // Only owner and explicitly shared records
+        await this.applyPrivateScope(query, objectDef, user, recordShares, knex);
+        return;
+    }
+  }
+
+  /**
+   * Apply private scope: owner + shared records
+   */
+  private async applyPrivateScope<T = any>(
+    query: any, // Accept both Knex and Objection query builders
+    objectDef: ObjectDefinition,
+    user: User,
+    recordShares: RecordShare[],
+    knex: Knex,
+  ): Promise<void> {
+    const tableName = this.getTableName(objectDef.apiName);
+    
+    // Check if table has ownerId column
+    const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
+
+    if (!hasOwner && recordShares.length === 0) {
+      // No ownership and no shares - user can't see anything
+      query.where(knex.raw('1 = 0'));
+      return;
+    }
+
+    // Build conditions: ownerId = user OR record shared with user
+    query.where((builder) => {
+      if (hasOwner) {
+        builder.orWhere(`${tableName}.ownerId`, user.id);
+      }
+
+      if (recordShares.length > 0) {
+        const sharedRecordIds = recordShares.map(share => share.recordId);
+        builder.orWhereIn(`${tableName}.id`, sharedRecordIds);
+      }
+    });
+  }
+
+  /**
+   * Check if user can perform action on a specific record
+   */
+  async canPerformAction(
+    action: Action,
+    objectDef: ObjectDefinition,
+    record: any,
+    user: User & { roles?: any[] },
+    knex: Knex,
+  ): Promise<boolean> {
+    const recordShares = await this.getActiveRecordShares(objectDef.id, user.id, knex);
+    const ability = await this.abilityFactory.defineAbilityFor(user, recordShares);
+
+    // Check base permission - use object ID not API name
+    if (!ability.can(action, objectDef.id)) {
+      return false;
+    }
+
+    // Check special permissions - use object ID not API name
+    const hasViewAll = ability.can('view_all', objectDef.id);
+    const hasModifyAll = ability.can('modify_all', objectDef.id);
+
+    if (hasViewAll || hasModifyAll) {
+      return true;
+    }
+
+    // Check OWD
+    switch (objectDef.orgWideDefault) {
+      case 'public_read_write':
+        return true;
+
+      case 'public_read':
+        if (action === 'read') return true;
+        // For write actions, check ownership
+        return record.ownerId === user.id;
+
+      case 'private':
+      default:
+        // Check ownership
+        if (record.ownerId === user.id) return true;
+
+        // Check if record is shared with user
+        const share = recordShares.find(s => s.recordId === record.id);
+        if (share) {
+          if (action === 'read' && share.accessLevel.canRead) return true;
+          if (action === 'update' && share.accessLevel.canEdit) return true;
+          if (action === 'delete' && share.accessLevel.canDelete) return true;
+        }
+
+        return false;
+    }
+  }
+
+  /**
+   * Filter data based on field-level permissions
+   * Removes fields the user cannot read
+   */
+  async filterReadableFields(
+    data: any,
+    fields: FieldDefinition[],
+    user: User & { roles?: any[] },
+  ): Promise<any> {
+    const filtered: any = {};
+
+    // Always include id - it's required for navigation and record identification
+    if (data.id !== undefined) {
+      filtered.id = data.id;
+    }
+
+    for (const field of fields) {
+      if (this.abilityFactory.canAccessField(field.id, 'read', user)) {
+        if (data[field.apiName] !== undefined) {
+          filtered[field.apiName] = data[field.apiName];
+        }
+      }
+    }
+
+    return filtered;
+  }
+
+  /**
+   * Filter data based on field-level permissions
+   * Removes fields the user cannot edit
+   */
+  async filterEditableFields(
+    data: any,
+    fields: FieldDefinition[],
+    user: User & { roles?: any[] },
+  ): Promise<any> {
+    const filtered: any = {};
+
+    for (const field of fields) {
+      if (this.abilityFactory.canAccessField(field.id, 'edit', user)) {
+        if (data[field.apiName] !== undefined) {
+          filtered[field.apiName] = data[field.apiName];
+        }
+      }
+    }
+
+    return filtered;
+  }
+
+  /**
+   * Get active record shares for a user on an object
+   */
+  private async getActiveRecordShares(
+    objectDefinitionId: string,
+    userId: string,
+    knex: Knex,
+  ): Promise<RecordShare[]> {
+    const now = new Date();
+
+    return await RecordShare.query(knex)
+      .where('objectDefinitionId', objectDefinitionId)
+      .where('granteeUserId', userId)
+      .whereNull('revokedAt')
+      .where((builder) => {
+        builder.whereNull('expiresAt').orWhere('expiresAt', '>', now);
+      });
+  }
+
+  /**
+   * Check if user has permission to create records
+   */
+  async canCreate(
+    objectDef: ObjectDefinition,
+    user: User & { roles?: any[] },
+  ): Promise<boolean> {
+    const ability = await this.abilityFactory.defineAbilityFor(user, []);
+    return ability.can('create', objectDef.id);
+  }
+
+  /**
+   * Throw exception if user cannot perform action
+   */
+  async assertCanPerformAction(
+    action: Action,
+    objectDef: ObjectDefinition,
+    record: any,
+    user: User & { roles?: any[] },
+    knex: Knex,
+  ): Promise<void> {
+    const can = await this.canPerformAction(action, objectDef, record, user, knex);
+    if (!can) {
+      throw new ForbiddenException(`You do not have permission to ${action} this record`);
+    }
+  }
+
+  /**
+   * Get table name from API name
+   */
+  private getTableName(apiName: string): string {
+    // Convert CamelCase to snake_case and pluralize
+    const snakeCase = apiName
+      .replace(/([A-Z])/g, '_$1')
+      .toLowerCase()
+      .replace(/^_/, '');
+    
+    // Simple pluralization
+    if (snakeCase.endsWith('y')) {
+      return snakeCase.slice(0, -1) + 'ies';
+    } else if (snakeCase.endsWith('s')) {
+      return snakeCase;
+    } else {
+      return snakeCase + 's';
+    }
+  }
+}

backend/src/rbac/rbac.module.ts

@@ -1,8 +1,10 @@
 import { Module } from '@nestjs/common';
 import { RbacService } from './rbac.service';
+import { AbilityFactory } from './ability.factory';
+import { AuthorizationService } from './authorization.service';
 
 @Module({
-  providers: [RbacService],
-  exports: [RbacService],
+  providers: [RbacService, AbilityFactory, AuthorizationService],
+  exports: [RbacService, AbilityFactory, AuthorizationService],
 })
 export class RbacModule {}