Compare commits
10 Commits
permission
...
c50098a55c
| Author | SHA1 | Date | |
|---|---|---|---|
|
c50098a55c | ||
|
|
e73126bcb7 | ||
|
|
6c29d18696 | ||
|
|
3fbc019083 | ||
|
|
3086f78d34 | ||
|
|
d15fc918d1 | ||
|
|
56c0c3838d | ||
|
|
9ac69e30d0 | ||
|
|
d37183ba45 | ||
|
|
b4bdeeb9f6 |
@@ -0,0 +1,103 @@
|
||||
exports.up = function (knex) {
|
||||
return knex.schema
|
||||
// Add orgWideDefault to object_definitions
|
||||
.alterTable('object_definitions', (table) => {
|
||||
table
|
||||
.enum('orgWideDefault', ['private', 'public_read', 'public_read_write'])
|
||||
.defaultTo('private')
|
||||
.notNullable();
|
||||
})
|
||||
// Create role_object_permissions table
|
||||
.createTable('role_object_permissions', (table) => {
|
||||
table.uuid('id').primary().defaultTo(knex.raw('(UUID())'));
|
||||
table.uuid('roleId').notNullable();
|
||||
table.uuid('objectDefinitionId').notNullable();
|
||||
table.boolean('canCreate').defaultTo(false);
|
||||
table.boolean('canRead').defaultTo(false);
|
||||
table.boolean('canEdit').defaultTo(false);
|
||||
table.boolean('canDelete').defaultTo(false);
|
||||
table.boolean('canViewAll').defaultTo(false);
|
||||
table.boolean('canModifyAll').defaultTo(false);
|
||||
table.timestamps(true, true);
|
||||
|
||||
table
|
||||
.foreign('roleId')
|
||||
.references('id')
|
||||
.inTable('roles')
|
||||
.onDelete('CASCADE');
|
||||
table
|
||||
.foreign('objectDefinitionId')
|
||||
.references('id')
|
||||
.inTable('object_definitions')
|
||||
.onDelete('CASCADE');
|
||||
table.unique(['roleId', 'objectDefinitionId']);
|
||||
table.index(['roleId']);
|
||||
table.index(['objectDefinitionId']);
|
||||
})
|
||||
// Create role_field_permissions table
|
||||
.createTable('role_field_permissions', (table) => {
|
||||
table.uuid('id').primary().defaultTo(knex.raw('(UUID())'));
|
||||
table.uuid('roleId').notNullable();
|
||||
table.uuid('fieldDefinitionId').notNullable();
|
||||
table.boolean('canRead').defaultTo(true);
|
||||
table.boolean('canEdit').defaultTo(true);
|
||||
table.timestamps(true, true);
|
||||
|
||||
table
|
||||
.foreign('roleId')
|
||||
.references('id')
|
||||
.inTable('roles')
|
||||
.onDelete('CASCADE');
|
||||
table
|
||||
.foreign('fieldDefinitionId')
|
||||
.references('id')
|
||||
.inTable('field_definitions')
|
||||
.onDelete('CASCADE');
|
||||
table.unique(['roleId', 'fieldDefinitionId']);
|
||||
table.index(['roleId']);
|
||||
table.index(['fieldDefinitionId']);
|
||||
})
|
||||
// Create record_shares table for sharing specific records
|
||||
.createTable('record_shares', (table) => {
|
||||
table.uuid('id').primary().defaultTo(knex.raw('(UUID())'));
|
||||
table.uuid('objectDefinitionId').notNullable();
|
||||
table.uuid('recordId').notNullable();
|
||||
table.uuid('granteeUserId').notNullable();
|
||||
table.uuid('grantedByUserId').notNullable();
|
||||
table.json('accessLevel').notNullable(); // { canRead, canEdit, canDelete }
|
||||
table.timestamp('expiresAt').nullable();
|
||||
table.timestamp('revokedAt').nullable();
|
||||
table.timestamp('createdAt').defaultTo(knex.fn.now());
|
||||
table.timestamp('updatedAt').defaultTo(knex.fn.now());
|
||||
|
||||
table
|
||||
.foreign('objectDefinitionId')
|
||||
.references('id')
|
||||
.inTable('object_definitions')
|
||||
.onDelete('CASCADE');
|
||||
table
|
||||
.foreign('granteeUserId')
|
||||
.references('id')
|
||||
.inTable('users')
|
||||
.onDelete('CASCADE');
|
||||
table
|
||||
.foreign('grantedByUserId')
|
||||
.references('id')
|
||||
.inTable('users')
|
||||
.onDelete('CASCADE');
|
||||
table.index(['objectDefinitionId', 'recordId']);
|
||||
table.index(['granteeUserId']);
|
||||
table.index(['expiresAt']);
|
||||
table.index(['revokedAt']);
|
||||
});
|
||||
};
|
||||
|
||||
exports.down = function (knex) {
|
||||
return knex.schema
|
||||
.dropTableIfExists('record_shares')
|
||||
.dropTableIfExists('role_field_permissions')
|
||||
.dropTableIfExists('role_object_permissions')
|
||||
.alterTable('object_definitions', (table) => {
|
||||
table.dropColumn('orgWideDefault');
|
||||
});
|
||||
};
|
||||
@@ -0,0 +1,13 @@
|
||||
exports.up = function (knex) {
|
||||
return knex.schema
|
||||
.table('record_shares', (table) => {
|
||||
table.timestamp('updatedAt').defaultTo(knex.fn.now());
|
||||
});
|
||||
};
|
||||
|
||||
exports.down = function (knex) {
|
||||
return knex.schema
|
||||
.table('record_shares', (table) => {
|
||||
table.dropColumn('updatedAt');
|
||||
});
|
||||
};
|
||||
48
backend/package-lock.json
generated
48
backend/package-lock.json
generated
@@ -9,6 +9,7 @@
|
||||
"version": "0.0.1",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@casl/ability": "^6.7.5",
|
||||
"@nestjs/bullmq": "^10.1.0",
|
||||
"@nestjs/common": "^10.3.0",
|
||||
"@nestjs/config": "^3.1.1",
|
||||
@@ -741,6 +742,18 @@
|
||||
"url": "https://github.com/sponsors/Borewit"
|
||||
}
|
||||
},
|
||||
"node_modules/@casl/ability": {
|
||||
"version": "6.7.5",
|
||||
"resolved": "https://registry.npmjs.org/@casl/ability/-/ability-6.7.5.tgz",
|
||||
"integrity": "sha512-NaOHPi9JMn8Kesh+GRkjNKAYkl4q8qMFAlqw7w2yrE+cBQZSbV9GkBGKvgzs3CdzEc5Yl1cn3JwDxxbBN5gjog==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@ucast/mongo2js": "^1.3.0"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/stalniy/casl/blob/master/BACKERS.md"
|
||||
}
|
||||
},
|
||||
"node_modules/@colors/colors": {
|
||||
"version": "1.5.0",
|
||||
"resolved": "https://registry.npmjs.org/@colors/colors/-/colors-1.5.0.tgz",
|
||||
@@ -2882,6 +2895,41 @@
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/@ucast/core": {
|
||||
"version": "1.10.2",
|
||||
"resolved": "https://registry.npmjs.org/@ucast/core/-/core-1.10.2.tgz",
|
||||
"integrity": "sha512-ons5CwXZ/51wrUPfoduC+cO7AS1/wRb0ybpQJ9RrssossDxVy4t49QxWoWgfBDvVKsz9VXzBk9z0wqTdZ+Cq8g==",
|
||||
"license": "Apache-2.0"
|
||||
},
|
||||
"node_modules/@ucast/js": {
|
||||
"version": "3.0.4",
|
||||
"resolved": "https://registry.npmjs.org/@ucast/js/-/js-3.0.4.tgz",
|
||||
"integrity": "sha512-TgG1aIaCMdcaEyckOZKQozn1hazE0w90SVdlpIJ/er8xVumE11gYAtSbw/LBeUnA4fFnFWTcw3t6reqseeH/4Q==",
|
||||
"license": "Apache-2.0",
|
||||
"dependencies": {
|
||||
"@ucast/core": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@ucast/mongo": {
|
||||
"version": "2.4.3",
|
||||
"resolved": "https://registry.npmjs.org/@ucast/mongo/-/mongo-2.4.3.tgz",
|
||||
"integrity": "sha512-XcI8LclrHWP83H+7H2anGCEeDq0n+12FU2mXCTz6/Tva9/9ddK/iacvvhCyW6cijAAOILmt0tWplRyRhVyZLsA==",
|
||||
"license": "Apache-2.0",
|
||||
"dependencies": {
|
||||
"@ucast/core": "^1.4.1"
|
||||
}
|
||||
},
|
||||
"node_modules/@ucast/mongo2js": {
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@ucast/mongo2js/-/mongo2js-1.4.0.tgz",
|
||||
"integrity": "sha512-vR9RJ3BHlkI3RfKJIZFdVktxWvBCQRiSTeJSWN9NPxP5YJkpfXvcBWAMLwvyJx4HbB+qib5/AlSDEmQiuQyx2w==",
|
||||
"license": "Apache-2.0",
|
||||
"dependencies": {
|
||||
"@ucast/core": "^1.6.1",
|
||||
"@ucast/js": "^3.0.0",
|
||||
"@ucast/mongo": "^2.4.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@ungap/structured-clone": {
|
||||
"version": "1.3.0",
|
||||
"resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.0.tgz",
|
||||
|
||||
@@ -26,6 +26,7 @@
|
||||
"migrate:all-tenants": "ts-node -r tsconfig-paths/register scripts/migrate-all-tenants.ts"
|
||||
},
|
||||
"dependencies": {
|
||||
"@casl/ability": "^6.7.5",
|
||||
"@nestjs/bullmq": "^10.1.0",
|
||||
"@nestjs/common": "^10.3.0",
|
||||
"@nestjs/config": "^3.1.1",
|
||||
|
||||
181
backend/scripts/seed-default-roles.ts
Normal file
181
backend/scripts/seed-default-roles.ts
Normal file
@@ -0,0 +1,181 @@
|
||||
import { Knex } from 'knex';
|
||||
import * as knexLib from 'knex';
|
||||
|
||||
/**
|
||||
* Create a Knex connection for tenant database
|
||||
*/
|
||||
function createKnexConnection(database: string): Knex {
|
||||
return knexLib.default({
|
||||
client: 'mysql2',
|
||||
connection: {
|
||||
host: process.env.DB_HOST || 'db',
|
||||
port: parseInt(process.env.DB_PORT || '3306'),
|
||||
user: 'root',
|
||||
password: 'asjdnfqTash37faggT',
|
||||
database: database,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
interface RoleWithPermissions {
|
||||
name: string;
|
||||
description: string;
|
||||
objectPermissions: {
|
||||
[objectApiName: string]: {
|
||||
canCreate: boolean;
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
canDelete: boolean;
|
||||
canViewAll: boolean;
|
||||
canModifyAll: boolean;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
const DEFAULT_ROLES: RoleWithPermissions[] = [
|
||||
{
|
||||
name: 'System Administrator',
|
||||
description: 'Full access to all objects and records. Can view and modify all data.',
|
||||
objectPermissions: {
|
||||
'*': {
|
||||
canCreate: true,
|
||||
canRead: true,
|
||||
canEdit: true,
|
||||
canDelete: true,
|
||||
canViewAll: true,
|
||||
canModifyAll: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Standard User',
|
||||
description: 'Can create, read, edit, and delete own records. Respects OWD settings.',
|
||||
objectPermissions: {
|
||||
'*': {
|
||||
canCreate: true,
|
||||
canRead: true,
|
||||
canEdit: true,
|
||||
canDelete: true,
|
||||
canViewAll: false,
|
||||
canModifyAll: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Read Only',
|
||||
description: 'Can only read records based on OWD settings. No create, edit, or delete.',
|
||||
objectPermissions: {
|
||||
'*': {
|
||||
canCreate: false,
|
||||
canRead: true,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
canViewAll: false,
|
||||
canModifyAll: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
];
|
||||
|
||||
async function seedRolesForTenant(knex: Knex, tenantName: string) {
|
||||
console.log(`\n🌱 Seeding roles for tenant: ${tenantName}`);
|
||||
|
||||
// Get all object definitions
|
||||
const objectDefinitions = await knex('object_definitions').select('id', 'apiName');
|
||||
|
||||
for (const roleData of DEFAULT_ROLES) {
|
||||
// Check if role already exists
|
||||
const existingRole = await knex('roles')
|
||||
.where({ name: roleData.name })
|
||||
.first();
|
||||
|
||||
let roleId: string;
|
||||
|
||||
if (existingRole) {
|
||||
console.log(` ℹ️ Role "${roleData.name}" already exists, skipping...`);
|
||||
roleId = existingRole.id;
|
||||
} else {
|
||||
// Create role
|
||||
await knex('roles').insert({
|
||||
name: roleData.name,
|
||||
guardName: 'api',
|
||||
description: roleData.description,
|
||||
});
|
||||
|
||||
// Get the inserted role
|
||||
const newRole = await knex('roles')
|
||||
.where({ name: roleData.name })
|
||||
.first();
|
||||
|
||||
roleId = newRole.id;
|
||||
console.log(` ✅ Created role: ${roleData.name}`);
|
||||
}
|
||||
|
||||
// Create object permissions for all objects
|
||||
const wildcardPermissions = roleData.objectPermissions['*'];
|
||||
|
||||
for (const objectDef of objectDefinitions) {
|
||||
// Check if permission already exists
|
||||
const existingPermission = await knex('role_object_permissions')
|
||||
.where({
|
||||
roleId: roleId,
|
||||
objectDefinitionId: objectDef.id,
|
||||
})
|
||||
.first();
|
||||
|
||||
if (!existingPermission) {
|
||||
await knex('role_object_permissions').insert({
|
||||
roleId: roleId,
|
||||
objectDefinitionId: objectDef.id,
|
||||
canCreate: wildcardPermissions.canCreate,
|
||||
canRead: wildcardPermissions.canRead,
|
||||
canEdit: wildcardPermissions.canEdit,
|
||||
canDelete: wildcardPermissions.canDelete,
|
||||
canViewAll: wildcardPermissions.canViewAll,
|
||||
canModifyAll: wildcardPermissions.canModifyAll,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
console.log(` 📋 Set permissions for ${objectDefinitions.length} objects`);
|
||||
}
|
||||
}
|
||||
|
||||
async function seedAllTenants() {
|
||||
console.log('🚀 Starting role seeding for all tenants...\n');
|
||||
|
||||
// For now, seed the main tenant database
|
||||
const databases = ['tenant_tenant1'];
|
||||
|
||||
let successCount = 0;
|
||||
let errorCount = 0;
|
||||
|
||||
for (const database of databases) {
|
||||
try {
|
||||
const knex = createKnexConnection(database);
|
||||
await seedRolesForTenant(knex, database);
|
||||
await knex.destroy();
|
||||
successCount++;
|
||||
} catch (error) {
|
||||
console.error(`❌ ${database}: Seeding failed:`, error.message);
|
||||
errorCount++;
|
||||
}
|
||||
}
|
||||
|
||||
console.log('\n============================================================');
|
||||
console.log('📊 Seeding Summary');
|
||||
console.log('============================================================');
|
||||
console.log(`✅ Successful: ${successCount}`);
|
||||
console.log(`❌ Failed: ${errorCount}`);
|
||||
|
||||
if (errorCount === 0) {
|
||||
console.log('\n🎉 All tenant roles seeded successfully!');
|
||||
}
|
||||
}
|
||||
|
||||
seedAllTenants()
|
||||
.then(() => process.exit(0))
|
||||
.catch((error) => {
|
||||
console.error('Unhandled error:', error);
|
||||
process.exit(1);
|
||||
});
|
||||
@@ -74,5 +74,13 @@ export class FieldDefinition extends BaseModel {
|
||||
to: 'object_definitions.id',
|
||||
},
|
||||
},
|
||||
rolePermissions: {
|
||||
relation: BaseModel.HasManyRelation,
|
||||
modelClass: () => require('./role-field-permission.model').RoleFieldPermission,
|
||||
join: {
|
||||
from: 'field_definitions.id',
|
||||
to: 'role_field_permissions.fieldDefinitionId',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
@@ -10,8 +10,11 @@ export class ObjectDefinition extends BaseModel {
|
||||
description?: string;
|
||||
isSystem: boolean;
|
||||
isCustom: boolean;
|
||||
orgWideDefault: 'private' | 'public_read' | 'public_read_write';
|
||||
createdAt: Date;
|
||||
updatedAt: Date;
|
||||
fields?: any[];
|
||||
rolePermissions?: any[];
|
||||
|
||||
static get jsonSchema() {
|
||||
return {
|
||||
@@ -25,12 +28,14 @@ export class ObjectDefinition extends BaseModel {
|
||||
description: { type: 'string' },
|
||||
isSystem: { type: 'boolean' },
|
||||
isCustom: { type: 'boolean' },
|
||||
orgWideDefault: { type: 'string', enum: ['private', 'public_read', 'public_read_write'] },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
static get relationMappings() {
|
||||
const { FieldDefinition } = require('./field-definition.model');
|
||||
const { RoleObjectPermission } = require('./role-object-permission.model');
|
||||
|
||||
return {
|
||||
fields: {
|
||||
@@ -41,6 +46,14 @@ export class ObjectDefinition extends BaseModel {
|
||||
to: 'field_definitions.objectDefinitionId',
|
||||
},
|
||||
},
|
||||
rolePermissions: {
|
||||
relation: BaseModel.HasManyRelation,
|
||||
modelClass: RoleObjectPermission,
|
||||
join: {
|
||||
from: 'object_definitions.id',
|
||||
to: 'role_object_permissions.objectDefinitionId',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
113
backend/src/models/record-share.model.ts
Normal file
113
backend/src/models/record-share.model.ts
Normal file
@@ -0,0 +1,113 @@
|
||||
import { BaseModel } from './base.model';
|
||||
|
||||
export interface RecordShareAccessLevel {
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
canDelete: boolean;
|
||||
}
|
||||
|
||||
export class RecordShare extends BaseModel {
|
||||
static tableName = 'record_shares';
|
||||
|
||||
// Don't use snake_case mapping since DB columns are already camelCase
|
||||
static get columnNameMappers() {
|
||||
return {
|
||||
parse(obj: any) {
|
||||
return obj;
|
||||
},
|
||||
format(obj: any) {
|
||||
return obj;
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
// Override BaseModel hooks to prevent automatic timestamp handling
|
||||
$beforeInsert(queryContext: any) {
|
||||
// Don't set timestamps - let database defaults handle it
|
||||
}
|
||||
|
||||
$beforeUpdate(opt: any, queryContext: any) {
|
||||
// Don't set timestamps - let database defaults handle it
|
||||
}
|
||||
|
||||
id!: string;
|
||||
objectDefinitionId!: string;
|
||||
recordId!: string;
|
||||
granteeUserId!: string;
|
||||
grantedByUserId!: string;
|
||||
accessLevel!: RecordShareAccessLevel;
|
||||
expiresAt?: Date;
|
||||
revokedAt?: Date;
|
||||
createdAt!: Date;
|
||||
updatedAt!: Date;
|
||||
|
||||
static get jsonSchema() {
|
||||
return {
|
||||
type: 'object',
|
||||
required: ['objectDefinitionId', 'recordId', 'granteeUserId', 'grantedByUserId', 'accessLevel'],
|
||||
properties: {
|
||||
id: { type: 'string' },
|
||||
objectDefinitionId: { type: 'string' },
|
||||
recordId: { type: 'string' },
|
||||
granteeUserId: { type: 'string' },
|
||||
grantedByUserId: { type: 'string' },
|
||||
accessLevel: {
|
||||
type: 'object',
|
||||
properties: {
|
||||
canRead: { type: 'boolean' },
|
||||
canEdit: { type: 'boolean' },
|
||||
canDelete: { type: 'boolean' },
|
||||
},
|
||||
},
|
||||
expiresAt: {
|
||||
anyOf: [
|
||||
{ type: 'string', format: 'date-time' },
|
||||
{ type: 'null' },
|
||||
{ type: 'object' } // Allow Date objects
|
||||
]
|
||||
},
|
||||
revokedAt: {
|
||||
anyOf: [
|
||||
{ type: 'string', format: 'date-time' },
|
||||
{ type: 'null' },
|
||||
{ type: 'object' } // Allow Date objects
|
||||
]
|
||||
},
|
||||
createdAt: { type: ['string', 'object'], format: 'date-time' },
|
||||
updatedAt: { type: ['string', 'object'], format: 'date-time' },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
static get relationMappings() {
|
||||
const { ObjectDefinition } = require('./object-definition.model');
|
||||
const { User } = require('./user.model');
|
||||
|
||||
return {
|
||||
objectDefinition: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: ObjectDefinition,
|
||||
join: {
|
||||
from: 'record_shares.objectDefinitionId',
|
||||
to: 'object_definitions.id',
|
||||
},
|
||||
},
|
||||
granteeUser: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: User,
|
||||
join: {
|
||||
from: 'record_shares.granteeUserId',
|
||||
to: 'users.id',
|
||||
},
|
||||
},
|
||||
grantedByUser: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: User,
|
||||
join: {
|
||||
from: 'record_shares.grantedByUserId',
|
||||
to: 'users.id',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
}
|
||||
51
backend/src/models/role-field-permission.model.ts
Normal file
51
backend/src/models/role-field-permission.model.ts
Normal file
@@ -0,0 +1,51 @@
|
||||
import { BaseModel } from './base.model';
|
||||
|
||||
export class RoleFieldPermission extends BaseModel {
|
||||
static tableName = 'role_field_permissions';
|
||||
|
||||
id!: string;
|
||||
roleId!: string;
|
||||
fieldDefinitionId!: string;
|
||||
canRead!: boolean;
|
||||
canEdit!: boolean;
|
||||
createdAt!: Date;
|
||||
updatedAt!: Date;
|
||||
|
||||
static get jsonSchema() {
|
||||
return {
|
||||
type: 'object',
|
||||
required: ['roleId', 'fieldDefinitionId'],
|
||||
properties: {
|
||||
id: { type: 'string' },
|
||||
roleId: { type: 'string' },
|
||||
fieldDefinitionId: { type: 'string' },
|
||||
canRead: { type: 'boolean' },
|
||||
canEdit: { type: 'boolean' },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
static get relationMappings() {
|
||||
const { Role } = require('./role.model');
|
||||
const { FieldDefinition } = require('./field-definition.model');
|
||||
|
||||
return {
|
||||
role: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: Role,
|
||||
join: {
|
||||
from: 'role_field_permissions.roleId',
|
||||
to: 'roles.id',
|
||||
},
|
||||
},
|
||||
fieldDefinition: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: FieldDefinition,
|
||||
join: {
|
||||
from: 'role_field_permissions.fieldDefinitionId',
|
||||
to: 'field_definitions.id',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
}
|
||||
59
backend/src/models/role-object-permission.model.ts
Normal file
59
backend/src/models/role-object-permission.model.ts
Normal file
@@ -0,0 +1,59 @@
|
||||
import { BaseModel } from './base.model';
|
||||
|
||||
export class RoleObjectPermission extends BaseModel {
|
||||
static tableName = 'role_object_permissions';
|
||||
|
||||
id!: string;
|
||||
roleId!: string;
|
||||
objectDefinitionId!: string;
|
||||
canCreate!: boolean;
|
||||
canRead!: boolean;
|
||||
canEdit!: boolean;
|
||||
canDelete!: boolean;
|
||||
canViewAll!: boolean;
|
||||
canModifyAll!: boolean;
|
||||
createdAt!: Date;
|
||||
updatedAt!: Date;
|
||||
|
||||
static get jsonSchema() {
|
||||
return {
|
||||
type: 'object',
|
||||
required: ['roleId', 'objectDefinitionId'],
|
||||
properties: {
|
||||
id: { type: 'string' },
|
||||
roleId: { type: 'string' },
|
||||
objectDefinitionId: { type: 'string' },
|
||||
canCreate: { type: 'boolean' },
|
||||
canRead: { type: 'boolean' },
|
||||
canEdit: { type: 'boolean' },
|
||||
canDelete: { type: 'boolean' },
|
||||
canViewAll: { type: 'boolean' },
|
||||
canModifyAll: { type: 'boolean' },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
static get relationMappings() {
|
||||
const { Role } = require('./role.model');
|
||||
const { ObjectDefinition } = require('./object-definition.model');
|
||||
|
||||
return {
|
||||
role: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: Role,
|
||||
join: {
|
||||
from: 'role_object_permissions.roleId',
|
||||
to: 'roles.id',
|
||||
},
|
||||
},
|
||||
objectDefinition: {
|
||||
relation: BaseModel.BelongsToOneRelation,
|
||||
modelClass: ObjectDefinition,
|
||||
join: {
|
||||
from: 'role_object_permissions.objectDefinitionId',
|
||||
to: 'object_definitions.id',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
}
|
||||
@@ -27,6 +27,8 @@ export class Role extends BaseModel {
|
||||
const { RolePermission } = require('./role-permission.model');
|
||||
const { Permission } = require('./permission.model');
|
||||
const { User } = require('./user.model');
|
||||
const { RoleObjectPermission } = require('./role-object-permission.model');
|
||||
const { RoleFieldPermission } = require('./role-field-permission.model');
|
||||
|
||||
return {
|
||||
rolePermissions: {
|
||||
@@ -61,6 +63,22 @@ export class Role extends BaseModel {
|
||||
to: 'users.id',
|
||||
},
|
||||
},
|
||||
objectPermissions: {
|
||||
relation: BaseModel.HasManyRelation,
|
||||
modelClass: RoleObjectPermission,
|
||||
join: {
|
||||
from: 'roles.id',
|
||||
to: 'role_object_permissions.roleId',
|
||||
},
|
||||
},
|
||||
fieldPermissions: {
|
||||
relation: BaseModel.HasManyRelation,
|
||||
modelClass: RoleFieldPermission,
|
||||
join: {
|
||||
from: 'roles.id',
|
||||
to: 'role_field_permissions.roleId',
|
||||
},
|
||||
},
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import { Model } from 'objection';
|
||||
import { randomUUID } from 'crypto';
|
||||
|
||||
/**
|
||||
* Base model for all dynamic and system models
|
||||
@@ -10,26 +11,23 @@ export class BaseModel extends Model {
|
||||
tenantId?: string;
|
||||
ownerId?: string;
|
||||
name?: string;
|
||||
created_at?: Date;
|
||||
updated_at?: Date;
|
||||
created_at?: string;
|
||||
updated_at?: string;
|
||||
|
||||
// Hook to set system-managed fields
|
||||
$beforeInsert() {
|
||||
// created_at and updated_at are handled by the database
|
||||
// ownerId should be set by the controller/service
|
||||
async $beforeInsert() {
|
||||
if (!this.id) {
|
||||
this.id = randomUUID();
|
||||
}
|
||||
if (!this.created_at) {
|
||||
this.created_at = new Date().toISOString().slice(0, 19).replace('T', ' ');
|
||||
}
|
||||
if (!this.updated_at) {
|
||||
this.updated_at = new Date().toISOString().slice(0, 19).replace('T', ' ');
|
||||
}
|
||||
}
|
||||
|
||||
$beforeUpdate() {
|
||||
// updated_at is handled by the database
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Get the API name for this object
|
||||
* Override in subclasses
|
||||
*/
|
||||
static get objectApiName(): string {
|
||||
return 'BaseModel';
|
||||
async $beforeUpdate() {
|
||||
this.updated_at = new Date().toISOString().slice(0, 19).replace('T', ' ');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
import { randomUUID } from 'crypto';
|
||||
import { ModelClass, JSONSchema, RelationMappings, Model } from 'objection';
|
||||
import { BaseModel } from './base.model';
|
||||
|
||||
@@ -28,6 +27,14 @@ export interface ObjectMetadata {
|
||||
}
|
||||
|
||||
export class DynamicModelFactory {
|
||||
/**
|
||||
* Get relation name from lookup field API name
|
||||
* Converts "ownerId" -> "owner", "customFieldId" -> "customfield"
|
||||
*/
|
||||
static getRelationName(lookupFieldApiName: string): string {
|
||||
return lookupFieldApiName.replace(/Id$/, '').toLowerCase();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a dynamic model class from object metadata
|
||||
* @param meta Object metadata
|
||||
@@ -49,7 +56,8 @@ export class DynamicModelFactory {
|
||||
updated_at: { type: 'string', format: 'date-time' },
|
||||
};
|
||||
|
||||
const required: string[] = ['id', 'tenantId'];
|
||||
// Don't require id or tenantId - they'll be set automatically
|
||||
const required: string[] = [];
|
||||
|
||||
// Add custom fields
|
||||
for (const field of fields) {
|
||||
@@ -68,20 +76,13 @@ export class DynamicModelFactory {
|
||||
// Store lookup fields metadata for later use
|
||||
const lookupFieldsInfo = lookupFields.map(f => ({
|
||||
apiName: f.apiName,
|
||||
relationName: f.apiName.replace(/Id$/, '').toLowerCase(),
|
||||
relationName: DynamicModelFactory.getRelationName(f.apiName),
|
||||
referenceObject: f.referenceObject,
|
||||
targetTable: this.getTableName(f.referenceObject),
|
||||
}));
|
||||
|
||||
// Create the dynamic model class extending Model directly
|
||||
class DynamicModel extends Model {
|
||||
id?: string;
|
||||
tenantId?: string;
|
||||
ownerId?: string;
|
||||
name?: string;
|
||||
created_at?: string;
|
||||
updated_at?: string;
|
||||
|
||||
// Create the dynamic model class extending BaseModel
|
||||
class DynamicModel extends BaseModel {
|
||||
static tableName = tableName;
|
||||
|
||||
static objectApiName = apiName;
|
||||
@@ -128,22 +129,6 @@ export class DynamicModelFactory {
|
||||
properties,
|
||||
};
|
||||
}
|
||||
|
||||
async $beforeInsert() {
|
||||
if (!this.id) {
|
||||
this.id = randomUUID();
|
||||
}
|
||||
if (!this.created_at) {
|
||||
this.created_at = new Date().toISOString();
|
||||
}
|
||||
if (!this.updated_at) {
|
||||
this.updated_at = new Date().toISOString();
|
||||
}
|
||||
}
|
||||
|
||||
async $beforeUpdate() {
|
||||
this.updated_at = new Date().toISOString();
|
||||
}
|
||||
}
|
||||
|
||||
return DynamicModel as any;
|
||||
|
||||
@@ -6,11 +6,12 @@ import { SchemaManagementService } from './schema-management.service';
|
||||
import { FieldMapperService } from './field-mapper.service';
|
||||
import { TenantModule } from '../tenant/tenant.module';
|
||||
import { MigrationModule } from '../migration/migration.module';
|
||||
import { RbacModule } from '../rbac/rbac.module';
|
||||
import { ModelRegistry } from './models/model.registry';
|
||||
import { ModelService } from './models/model.service';
|
||||
|
||||
@Module({
|
||||
imports: [TenantModule, MigrationModule],
|
||||
imports: [TenantModule, MigrationModule, RbacModule],
|
||||
providers: [
|
||||
ObjectService,
|
||||
SchemaManagementService,
|
||||
|
||||
@@ -2,6 +2,10 @@ import { Injectable, NotFoundException, Logger } from '@nestjs/common';
|
||||
import { TenantDatabaseService } from '../tenant/tenant-database.service';
|
||||
import { CustomMigrationService } from '../migration/custom-migration.service';
|
||||
import { ModelService } from './models/model.service';
|
||||
import { AuthorizationService } from '../rbac/authorization.service';
|
||||
import { ObjectDefinition } from '../models/object-definition.model';
|
||||
import { FieldDefinition } from '../models/field-definition.model';
|
||||
import { User } from '../models/user.model';
|
||||
import { ObjectMetadata } from './models/dynamic-model.factory';
|
||||
|
||||
@Injectable()
|
||||
@@ -12,6 +16,7 @@ export class ObjectService {
|
||||
private tenantDbService: TenantDatabaseService,
|
||||
private customMigrationService: CustomMigrationService,
|
||||
private modelService: ModelService,
|
||||
private authService: AuthorizationService,
|
||||
) {}
|
||||
|
||||
// Setup endpoints - Object metadata management
|
||||
@@ -225,6 +230,31 @@ export class ObjectService {
|
||||
return objectDef;
|
||||
}
|
||||
|
||||
async updateObjectDefinition(
|
||||
tenantId: string,
|
||||
objectApiName: string,
|
||||
data: Partial<{
|
||||
label: string;
|
||||
pluralLabel: string;
|
||||
description: string;
|
||||
orgWideDefault: 'private' | 'public_read' | 'public_read_write';
|
||||
}>,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Update the object definition
|
||||
await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName })
|
||||
.patch({
|
||||
...data,
|
||||
updatedAt: new Date(),
|
||||
});
|
||||
|
||||
// Return updated object
|
||||
return await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
}
|
||||
|
||||
async createFieldDefinition(
|
||||
tenantId: string,
|
||||
@@ -418,62 +448,57 @@ export class ObjectService {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Verify object exists and get field definitions
|
||||
const objectDef = await this.getObjectDefinition(tenantId, objectApiName);
|
||||
// Get user with roles and permissions
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
// Get object definition with authorization settings
|
||||
const objectDefModel = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName })
|
||||
.withGraphFetched('fields');
|
||||
|
||||
if (!objectDefModel) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
|
||||
// Ensure model is registered before attempting to use it
|
||||
// Ensure model is registered
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Try to use the Objection model if available
|
||||
try {
|
||||
const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
|
||||
if (Model) {
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
let query = boundModel.query();
|
||||
|
||||
// Build graph expression for lookup fields
|
||||
const lookupFields = objectDef.fields?.filter(f =>
|
||||
f.type === 'LOOKUP' && f.referenceObject
|
||||
) || [];
|
||||
|
||||
if (lookupFields.length > 0) {
|
||||
// Build relation expression - use singular lowercase for relation name
|
||||
const relationExpression = lookupFields
|
||||
.map(f => f.apiName.replace(/Id$/, '').toLowerCase())
|
||||
.filter(Boolean)
|
||||
.join(', ');
|
||||
|
||||
if (relationExpression) {
|
||||
query = query.withGraphFetched(`[${relationExpression}]`);
|
||||
}
|
||||
}
|
||||
|
||||
// Add ownership filter if ownerId field exists
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
if (hasOwner) {
|
||||
query = query.where({ ownerId: userId });
|
||||
}
|
||||
|
||||
// Apply additional filters
|
||||
if (filters) {
|
||||
query = query.where(filters);
|
||||
}
|
||||
|
||||
return query.select('*');
|
||||
}
|
||||
} catch (error) {
|
||||
this.logger.warn(`Could not use Objection model for ${objectApiName}, falling back to manual join: ${error.message}`);
|
||||
}
|
||||
|
||||
// Fallback to manual data hydration
|
||||
let query = knex(tableName);
|
||||
// Use Objection model
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
let query = boundModel.query();
|
||||
|
||||
// Add ownership filter if ownerId field exists
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
if (hasOwner) {
|
||||
query = query.where({ [`${tableName}.ownerId`]: userId });
|
||||
// Apply authorization scope (modifies query in place)
|
||||
await this.authService.applyScopeToQuery(
|
||||
query,
|
||||
objectDefModel,
|
||||
user,
|
||||
'read',
|
||||
knex,
|
||||
);
|
||||
|
||||
// Build graph expression for lookup fields
|
||||
const lookupFields = objectDefModel.fields?.filter(f =>
|
||||
f.type === 'LOOKUP' && f.referenceObject
|
||||
) || [];
|
||||
|
||||
if (lookupFields.length > 0) {
|
||||
// Build relation expression - use singular lowercase for relation name
|
||||
const relationExpression = lookupFields
|
||||
.map(f => f.apiName.replace(/Id$/, '').toLowerCase())
|
||||
.filter(Boolean)
|
||||
.join(', ');
|
||||
|
||||
if (relationExpression) {
|
||||
query = query.withGraphFetched(`[${relationExpression}]`);
|
||||
}
|
||||
}
|
||||
|
||||
// Apply additional filters
|
||||
@@ -481,49 +506,16 @@ export class ObjectService {
|
||||
query = query.where(filters);
|
||||
}
|
||||
|
||||
// Get base records
|
||||
const records = await query.select(`${tableName}.*`);
|
||||
const records = await query.select('*');
|
||||
|
||||
// Fetch and attach related records for lookup fields
|
||||
const lookupFields = objectDef.fields?.filter(f =>
|
||||
f.type === 'LOOKUP' && f.referenceObject
|
||||
) || [];
|
||||
// Filter fields based on field-level permissions
|
||||
const filteredRecords = await Promise.all(
|
||||
records.map(record =>
|
||||
this.authService.filterReadableFields(record, objectDefModel.fields, user)
|
||||
)
|
||||
);
|
||||
|
||||
if (lookupFields.length > 0 && records.length > 0) {
|
||||
for (const field of lookupFields) {
|
||||
const relationName = field.apiName.replace(/Id$/, '').toLowerCase();
|
||||
const relatedTable = this.getTableName(field.referenceObject);
|
||||
|
||||
// Get unique IDs to fetch
|
||||
const relatedIds = [...new Set(
|
||||
records
|
||||
.map(r => r[field.apiName])
|
||||
.filter(Boolean)
|
||||
)];
|
||||
|
||||
if (relatedIds.length > 0) {
|
||||
// Fetch all related records in one query
|
||||
const relatedRecords = await knex(relatedTable)
|
||||
.whereIn('id', relatedIds)
|
||||
.select('*');
|
||||
|
||||
// Create a map for quick lookup
|
||||
const relatedMap = new Map(
|
||||
relatedRecords.map(r => [r.id, r])
|
||||
);
|
||||
|
||||
// Attach related records to main records
|
||||
for (const record of records) {
|
||||
const relatedId = record[field.apiName];
|
||||
if (relatedId && relatedMap.has(relatedId)) {
|
||||
record[relationName] = relatedMap.get(relatedId);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return records;
|
||||
return filteredRecords;
|
||||
}
|
||||
|
||||
async getRecord(
|
||||
@@ -535,94 +527,66 @@ export class ObjectService {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Verify object exists and get field definitions
|
||||
const objectDef = await this.getObjectDefinition(tenantId, objectApiName);
|
||||
// Get user with roles and permissions
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
// Ensure model is registered before attempting to use it
|
||||
// Get object definition with authorization settings
|
||||
const objectDefModel = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName })
|
||||
.withGraphFetched('fields');
|
||||
|
||||
if (!objectDefModel) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
// Ensure model is registered
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Try to use the Objection model if available
|
||||
try {
|
||||
const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
|
||||
if (Model) {
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
let query = boundModel.query().where({ id: recordId });
|
||||
|
||||
// Build graph expression for lookup fields
|
||||
const lookupFields = objectDef.fields?.filter(f =>
|
||||
f.type === 'LOOKUP' && f.referenceObject
|
||||
) || [];
|
||||
|
||||
if (lookupFields.length > 0) {
|
||||
// Build relation expression - use singular lowercase for relation name
|
||||
const relationExpression = lookupFields
|
||||
.map(f => f.apiName.replace(/Id$/, '').toLowerCase())
|
||||
.filter(Boolean)
|
||||
.join(', ');
|
||||
|
||||
if (relationExpression) {
|
||||
query = query.withGraphFetched(`[${relationExpression}]`);
|
||||
}
|
||||
}
|
||||
|
||||
// Add ownership filter if ownerId field exists
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
if (hasOwner) {
|
||||
query = query.where({ ownerId: userId });
|
||||
}
|
||||
|
||||
const record = await query.first();
|
||||
if (!record) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
return record;
|
||||
}
|
||||
} catch (error) {
|
||||
this.logger.warn(`Could not use Objection model for ${objectApiName}, falling back to manual join: ${error.message}`);
|
||||
}
|
||||
// Use Objection model
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
let query = boundModel.query().where({ id: recordId });
|
||||
|
||||
// Fallback to manual data hydration
|
||||
let query = knex(tableName).where({ [`${tableName}.id`]: recordId });
|
||||
// Apply authorization scope (modifies query in place)
|
||||
await this.authService.applyScopeToQuery(
|
||||
query,
|
||||
objectDefModel,
|
||||
user,
|
||||
'read',
|
||||
knex,
|
||||
);
|
||||
|
||||
// Add ownership filter if ownerId field exists
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
if (hasOwner) {
|
||||
query = query.where({ [`${tableName}.ownerId`]: userId });
|
||||
}
|
||||
|
||||
const record = await query.first();
|
||||
|
||||
if (!record) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
|
||||
// Fetch and attach related records for lookup fields
|
||||
const lookupFields = objectDef.fields?.filter(f =>
|
||||
// Build graph expression for lookup fields
|
||||
const lookupFields = objectDefModel.fields?.filter(f =>
|
||||
f.type === 'LOOKUP' && f.referenceObject
|
||||
) || [];
|
||||
|
||||
if (lookupFields.length > 0) {
|
||||
for (const field of lookupFields) {
|
||||
const relationName = field.apiName.replace(/Id$/, '').toLowerCase();
|
||||
const relatedTable = this.getTableName(field.referenceObject);
|
||||
const relatedId = record[field.apiName];
|
||||
|
||||
if (relatedId) {
|
||||
// Fetch the related record
|
||||
const relatedRecord = await knex(relatedTable)
|
||||
.where({ id: relatedId })
|
||||
.first();
|
||||
|
||||
if (relatedRecord) {
|
||||
record[relationName] = relatedRecord;
|
||||
}
|
||||
}
|
||||
// Build relation expression - use singular lowercase for relation name
|
||||
const relationExpression = lookupFields
|
||||
.map(f => f.apiName.replace(/Id$/, '').toLowerCase())
|
||||
.filter(Boolean)
|
||||
.join(', ');
|
||||
|
||||
if (relationExpression) {
|
||||
query = query.withGraphFetched(`[${relationExpression}]`);
|
||||
}
|
||||
}
|
||||
|
||||
return record;
|
||||
const record = await query.first();
|
||||
if (!record) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
|
||||
// Filter fields based on field-level permissions
|
||||
const filteredRecord = await this.authService.filterReadableFields(record, objectDefModel.fields, user);
|
||||
|
||||
return filteredRecord;
|
||||
}
|
||||
|
||||
async createRecord(
|
||||
@@ -634,46 +598,44 @@ export class ObjectService {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Verify object exists
|
||||
await this.getObjectDefinition(tenantId, objectApiName);
|
||||
// Get user with roles and permissions
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
// Ensure model is registered before attempting to use it
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
// Get object definition with authorization settings
|
||||
const objectDefModel = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName })
|
||||
.withGraphFetched('fields');
|
||||
|
||||
if (!objectDefModel) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
// Check if user has create permission
|
||||
const canCreate = await this.authService.canCreate(objectDefModel, user);
|
||||
if (!canCreate) {
|
||||
throw new NotFoundException('You do not have permission to create records of this object');
|
||||
}
|
||||
|
||||
// Filter data to only editable fields
|
||||
const editableData = await this.authService.filterEditableFields(data, objectDefModel.fields, user);
|
||||
|
||||
// Ensure model is registered
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Try to use the Objection model if available
|
||||
try {
|
||||
const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
|
||||
if (Model) {
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
const recordData = {
|
||||
...data,
|
||||
ownerId: userId, // Auto-set owner
|
||||
};
|
||||
const record = await boundModel.query().insert(recordData);
|
||||
return record;
|
||||
}
|
||||
} catch (error) {
|
||||
console.warn(`Could not use Objection model for ${objectApiName}:`, error.message);
|
||||
}
|
||||
|
||||
// Fallback to raw Knex if model not available
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
|
||||
const recordData: any = {
|
||||
id: knex.raw('(UUID())'),
|
||||
...data,
|
||||
created_at: knex.fn.now(),
|
||||
updated_at: knex.fn.now(),
|
||||
// Use Objection model
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
const recordData = {
|
||||
...editableData,
|
||||
ownerId: userId, // Auto-set owner
|
||||
};
|
||||
|
||||
if (hasOwner) {
|
||||
recordData.ownerId = userId;
|
||||
}
|
||||
|
||||
const [id] = await knex(tableName).insert(recordData);
|
||||
|
||||
return knex(tableName).where({ id }).first();
|
||||
const record = await boundModel.query().insert(recordData);
|
||||
return record;
|
||||
}
|
||||
|
||||
async updateRecord(
|
||||
@@ -686,39 +648,51 @@ export class ObjectService {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Verify object exists and user has access
|
||||
await this.getRecord(tenantId, objectApiName, recordId, userId);
|
||||
// Get user with roles and permissions
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
|
||||
// Ensure model is registered before attempting to use it
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Try to use the Objection model if available
|
||||
try {
|
||||
const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
|
||||
if (Model) {
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
// Don't allow updating ownerId or system fields
|
||||
const allowedData = { ...data };
|
||||
delete allowedData.ownerId;
|
||||
delete allowedData.id;
|
||||
delete allowedData.created_at;
|
||||
delete allowedData.tenantId;
|
||||
|
||||
await boundModel.query().where({ id: recordId }).update(allowedData);
|
||||
return boundModel.query().where({ id: recordId }).first();
|
||||
}
|
||||
} catch (error) {
|
||||
console.warn(`Could not use Objection model for ${objectApiName}:`, error.message);
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
// Fallback to raw Knex
|
||||
await knex(tableName)
|
||||
.where({ id: recordId })
|
||||
.update({ ...data, updated_at: knex.fn.now() });
|
||||
// Get object definition with authorization settings
|
||||
const objectDefModel = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName })
|
||||
.withGraphFetched('fields');
|
||||
|
||||
return knex(tableName).where({ id: recordId }).first();
|
||||
if (!objectDefModel) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
|
||||
// Get existing record
|
||||
const existingRecord = await knex(tableName).where({ id: recordId }).first();
|
||||
if (!existingRecord) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
|
||||
// Check if user can update this record
|
||||
await this.authService.assertCanPerformAction('update', objectDefModel, existingRecord, user, knex);
|
||||
|
||||
// Filter data to only editable fields
|
||||
const editableData = await this.authService.filterEditableFields(data, objectDefModel.fields, user);
|
||||
|
||||
// Remove system fields
|
||||
delete editableData.id;
|
||||
delete editableData.ownerId;
|
||||
delete editableData.created_at;
|
||||
delete editableData.tenantId;
|
||||
|
||||
// Ensure model is registered
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Use Objection model
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
await boundModel.query().where({ id: recordId }).update(editableData);
|
||||
return boundModel.query().where({ id: recordId }).first();
|
||||
}
|
||||
|
||||
async deleteRecord(
|
||||
@@ -730,28 +704,198 @@ export class ObjectService {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Verify object exists and user has access
|
||||
await this.getRecord(tenantId, objectApiName, recordId, userId);
|
||||
// Get user with roles and permissions
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
|
||||
// Ensure model is registered before attempting to use it
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Try to use the Objection model if available
|
||||
try {
|
||||
const Model = this.modelService.getModel(resolvedTenantId, objectApiName);
|
||||
if (Model) {
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
await boundModel.query().where({ id: recordId }).delete();
|
||||
return { success: true };
|
||||
}
|
||||
} catch (error) {
|
||||
console.warn(`Could not use Objection model for ${objectApiName}:`, error.message);
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
// Fallback to raw Knex
|
||||
await knex(tableName).where({ id: recordId }).delete();
|
||||
// Get object definition with authorization settings
|
||||
const objectDefModel = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDefModel) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
const tableName = this.getTableName(objectApiName);
|
||||
|
||||
// Get existing record
|
||||
const existingRecord = await knex(tableName).where({ id: recordId }).first();
|
||||
if (!existingRecord) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
|
||||
// Check if user can delete this record
|
||||
await this.authService.assertCanPerformAction('delete', objectDefModel, existingRecord, user, knex);
|
||||
|
||||
// Ensure model is registered
|
||||
await this.ensureModelRegistered(resolvedTenantId, objectApiName);
|
||||
|
||||
// Use Objection model
|
||||
const boundModel = await this.modelService.getBoundModel(resolvedTenantId, objectApiName);
|
||||
await boundModel.query().where({ id: recordId }).delete();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
async getFieldPermissions(tenantId: string, objectId: string) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get all field permissions for this object's fields
|
||||
const permissions = await knex('role_field_permissions as rfp')
|
||||
.join('field_definitions as fd', 'fd.id', 'rfp.fieldDefinitionId')
|
||||
.where('fd.objectDefinitionId', objectId)
|
||||
.select('rfp.*');
|
||||
|
||||
return permissions;
|
||||
}
|
||||
|
||||
async updateFieldPermission(
|
||||
tenantId: string,
|
||||
roleId: string,
|
||||
fieldDefinitionId: string,
|
||||
canRead: boolean,
|
||||
canEdit: boolean,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Check if permission already exists
|
||||
const existing = await knex('role_field_permissions')
|
||||
.where({ roleId, fieldDefinitionId })
|
||||
.first();
|
||||
|
||||
if (existing) {
|
||||
// Update existing permission
|
||||
await knex('role_field_permissions')
|
||||
.where({ roleId, fieldDefinitionId })
|
||||
.update({
|
||||
canRead,
|
||||
canEdit,
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
} else {
|
||||
// Create new permission
|
||||
await knex('role_field_permissions').insert({
|
||||
id: knex.raw('(UUID())'),
|
||||
roleId,
|
||||
fieldDefinitionId,
|
||||
canRead,
|
||||
canEdit,
|
||||
created_at: knex.fn.now(),
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
}
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
async getObjectPermissions(
|
||||
tenantId: string,
|
||||
objectApiName: string,
|
||||
roleId: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDef) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
// Get role object permissions
|
||||
const permission = await knex('role_object_permissions')
|
||||
.where({ roleId, objectDefinitionId: objectDef.id })
|
||||
.first();
|
||||
|
||||
if (!permission) {
|
||||
// Return default permissions (all false)
|
||||
return {
|
||||
canCreate: false,
|
||||
canRead: false,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
canViewAll: false,
|
||||
canModifyAll: false,
|
||||
};
|
||||
}
|
||||
|
||||
return {
|
||||
canCreate: Boolean(permission.canCreate),
|
||||
canRead: Boolean(permission.canRead),
|
||||
canEdit: Boolean(permission.canEdit),
|
||||
canDelete: Boolean(permission.canDelete),
|
||||
canViewAll: Boolean(permission.canViewAll),
|
||||
canModifyAll: Boolean(permission.canModifyAll),
|
||||
};
|
||||
}
|
||||
|
||||
async updateObjectPermissions(
|
||||
tenantId: string,
|
||||
objectApiName: string,
|
||||
data: {
|
||||
roleId: string;
|
||||
canCreate: boolean;
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
canDelete: boolean;
|
||||
canViewAll: boolean;
|
||||
canModifyAll: boolean;
|
||||
},
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDef) {
|
||||
throw new NotFoundException(`Object ${objectApiName} not found`);
|
||||
}
|
||||
|
||||
// Check if permission already exists
|
||||
const existing = await knex('role_object_permissions')
|
||||
.where({ roleId: data.roleId, objectDefinitionId: objectDef.id })
|
||||
.first();
|
||||
|
||||
if (existing) {
|
||||
// Update existing permission
|
||||
await knex('role_object_permissions')
|
||||
.where({ roleId: data.roleId, objectDefinitionId: objectDef.id })
|
||||
.update({
|
||||
canCreate: data.canCreate,
|
||||
canRead: data.canRead,
|
||||
canEdit: data.canEdit,
|
||||
canDelete: data.canDelete,
|
||||
canViewAll: data.canViewAll,
|
||||
canModifyAll: data.canModifyAll,
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
} else {
|
||||
// Create new permission
|
||||
await knex('role_object_permissions').insert({
|
||||
id: knex.raw('(UUID())'),
|
||||
roleId: data.roleId,
|
||||
objectDefinitionId: objectDef.id,
|
||||
canCreate: data.canCreate,
|
||||
canRead: data.canRead,
|
||||
canEdit: data.canEdit,
|
||||
canDelete: data.canDelete,
|
||||
canViewAll: data.canViewAll,
|
||||
canModifyAll: data.canModifyAll,
|
||||
created_at: knex.fn.now(),
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
}
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@@ -2,6 +2,8 @@ import {
|
||||
Controller,
|
||||
Get,
|
||||
Post,
|
||||
Patch,
|
||||
Put,
|
||||
Param,
|
||||
Body,
|
||||
UseGuards,
|
||||
@@ -10,6 +12,7 @@ import { ObjectService } from './object.service';
|
||||
import { FieldMapperService } from './field-mapper.service';
|
||||
import { JwtAuthGuard } from '../auth/jwt-auth.guard';
|
||||
import { TenantId } from '../tenant/tenant.decorator';
|
||||
import { TenantDatabaseService } from '../tenant/tenant-database.service';
|
||||
|
||||
@Controller('setup/objects')
|
||||
@UseGuards(JwtAuthGuard)
|
||||
@@ -17,6 +20,7 @@ export class SetupObjectController {
|
||||
constructor(
|
||||
private objectService: ObjectService,
|
||||
private fieldMapperService: FieldMapperService,
|
||||
private tenantDbService: TenantDatabaseService,
|
||||
) {}
|
||||
|
||||
@Get()
|
||||
@@ -67,4 +71,56 @@ export class SetupObjectController {
|
||||
// Map the created field to frontend format
|
||||
return this.fieldMapperService.mapFieldToDTO(field);
|
||||
}
|
||||
|
||||
@Patch(':objectApiName')
|
||||
async updateObjectDefinition(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Body() data: any,
|
||||
) {
|
||||
return this.objectService.updateObjectDefinition(tenantId, objectApiName, data);
|
||||
}
|
||||
|
||||
@Get(':objectId/field-permissions')
|
||||
async getFieldPermissions(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectId') objectId: string,
|
||||
) {
|
||||
return this.objectService.getFieldPermissions(tenantId, objectId);
|
||||
}
|
||||
|
||||
@Put(':objectId/field-permissions')
|
||||
async updateFieldPermission(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectId') objectId: string,
|
||||
@Body() data: { roleId: string; fieldDefinitionId: string; canRead: boolean; canEdit: boolean },
|
||||
) {
|
||||
return this.objectService.updateFieldPermission(tenantId, data.roleId, data.fieldDefinitionId, data.canRead, data.canEdit);
|
||||
}
|
||||
|
||||
@Get(':objectApiName/permissions/:roleId')
|
||||
async getObjectPermissions(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Param('roleId') roleId: string,
|
||||
) {
|
||||
return this.objectService.getObjectPermissions(tenantId, objectApiName, roleId);
|
||||
}
|
||||
|
||||
@Put(':objectApiName/permissions')
|
||||
async updateObjectPermissions(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Body() data: {
|
||||
roleId: string;
|
||||
canCreate: boolean;
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
canDelete: boolean;
|
||||
canViewAll: boolean;
|
||||
canModifyAll: boolean;
|
||||
},
|
||||
) {
|
||||
return this.objectService.updateObjectPermissions(tenantId, objectApiName, data);
|
||||
}
|
||||
}
|
||||
|
||||
198
backend/src/rbac/ability.factory.ts
Normal file
198
backend/src/rbac/ability.factory.ts
Normal file
@@ -0,0 +1,198 @@
|
||||
import { AbilityBuilder, PureAbility, AbilityClass } from '@casl/ability';
|
||||
import { Injectable } from '@nestjs/common';
|
||||
import { User } from '../models/user.model';
|
||||
import { RoleObjectPermission } from '../models/role-object-permission.model';
|
||||
import { RoleFieldPermission } from '../models/role-field-permission.model';
|
||||
import { RecordShare } from '../models/record-share.model';
|
||||
|
||||
// Define action types
|
||||
export type Action = 'create' | 'read' | 'update' | 'delete' | 'view_all' | 'modify_all';
|
||||
|
||||
// Define subject types - can be string (object API name) or actual object with fields
|
||||
export type Subject = string | { objectApiName: string; ownerId?: string; id?: string; [key: string]: any };
|
||||
|
||||
// Define field actions
|
||||
export type FieldAction = 'read' | 'edit';
|
||||
|
||||
export type AppAbility = PureAbility<[Action, Subject], { field?: string }>;
|
||||
|
||||
@Injectable()
|
||||
export class AbilityFactory {
|
||||
/**
|
||||
* Build CASL ability for a user based on their roles and permissions
|
||||
* This aggregates permissions from all roles the user has
|
||||
*/
|
||||
async defineAbilityFor(
|
||||
user: User & { roles?: Array<{ objectPermissions?: RoleObjectPermission[]; fieldPermissions?: RoleFieldPermission[] }> },
|
||||
recordShares?: RecordShare[],
|
||||
): Promise<AppAbility> {
|
||||
const { can, cannot, build } = new AbilityBuilder<AppAbility>(PureAbility as AbilityClass<AppAbility>);
|
||||
|
||||
if (!user.roles || user.roles.length === 0) {
|
||||
// No roles = no permissions
|
||||
return build();
|
||||
}
|
||||
|
||||
// Aggregate object permissions from all roles
|
||||
const objectPermissionsMap = new Map<string, {
|
||||
canCreate: boolean;
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
canDelete: boolean;
|
||||
canViewAll: boolean;
|
||||
canModifyAll: boolean;
|
||||
}>();
|
||||
|
||||
// Aggregate field permissions from all roles
|
||||
const fieldPermissionsMap = new Map<string, {
|
||||
canRead: boolean;
|
||||
canEdit: boolean;
|
||||
}>();
|
||||
|
||||
// Process all roles
|
||||
for (const role of user.roles) {
|
||||
// Aggregate object permissions
|
||||
if (role.objectPermissions) {
|
||||
for (const perm of role.objectPermissions) {
|
||||
const existing = objectPermissionsMap.get(perm.objectDefinitionId) || {
|
||||
canCreate: false,
|
||||
canRead: false,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
canViewAll: false,
|
||||
canModifyAll: false,
|
||||
};
|
||||
|
||||
// Union of permissions (if any role grants it, user has it)
|
||||
objectPermissionsMap.set(perm.objectDefinitionId, {
|
||||
canCreate: existing.canCreate || perm.canCreate,
|
||||
canRead: existing.canRead || perm.canRead,
|
||||
canEdit: existing.canEdit || perm.canEdit,
|
||||
canDelete: existing.canDelete || perm.canDelete,
|
||||
canViewAll: existing.canViewAll || perm.canViewAll,
|
||||
canModifyAll: existing.canModifyAll || perm.canModifyAll,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
// Aggregate field permissions
|
||||
if (role.fieldPermissions) {
|
||||
for (const perm of role.fieldPermissions) {
|
||||
const existing = fieldPermissionsMap.get(perm.fieldDefinitionId) || {
|
||||
canRead: false,
|
||||
canEdit: false,
|
||||
};
|
||||
|
||||
fieldPermissionsMap.set(perm.fieldDefinitionId, {
|
||||
canRead: existing.canRead || perm.canRead,
|
||||
canEdit: existing.canEdit || perm.canEdit,
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Convert aggregated permissions to CASL rules
|
||||
for (const [objectId, perms] of objectPermissionsMap) {
|
||||
// Create permission
|
||||
if (perms.canCreate) {
|
||||
can('create', objectId);
|
||||
}
|
||||
|
||||
// Read permission
|
||||
if (perms.canRead) {
|
||||
can('read', objectId);
|
||||
}
|
||||
|
||||
// View all permission (can see all records regardless of ownership)
|
||||
if (perms.canViewAll) {
|
||||
can('view_all', objectId);
|
||||
}
|
||||
|
||||
// Edit permission
|
||||
if (perms.canEdit) {
|
||||
can('update', objectId);
|
||||
}
|
||||
|
||||
// Modify all permission (can edit all records regardless of ownership)
|
||||
if (perms.canModifyAll) {
|
||||
can('modify_all', objectId);
|
||||
}
|
||||
|
||||
// Delete permission
|
||||
if (perms.canDelete) {
|
||||
can('delete', objectId);
|
||||
}
|
||||
}
|
||||
|
||||
// Add record sharing permissions
|
||||
if (recordShares) {
|
||||
for (const share of recordShares) {
|
||||
// Only add if share is active (not expired, not revoked)
|
||||
const now = new Date();
|
||||
const isExpired = share.expiresAt && share.expiresAt < now;
|
||||
const isRevoked = share.revokedAt !== null;
|
||||
|
||||
if (!isExpired && !isRevoked) {
|
||||
// Note: Record-level sharing will be checked in authorization service
|
||||
// CASL abilities are primarily for object-level permissions
|
||||
// Individual record access is validated in applyScopeToQuery
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return build();
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user can access a specific field
|
||||
* Returns true if user has permission or if no restriction exists
|
||||
*/
|
||||
canAccessField(
|
||||
fieldDefinitionId: string,
|
||||
action: FieldAction,
|
||||
user: User & { roles?: Array<{ fieldPermissions?: RoleFieldPermission[] }> },
|
||||
): boolean {
|
||||
if (!user.roles || user.roles.length === 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Collect all field permissions from all roles
|
||||
const allFieldPermissions: RoleFieldPermission[] = [];
|
||||
for (const role of user.roles) {
|
||||
if (role.fieldPermissions) {
|
||||
allFieldPermissions.push(...role.fieldPermissions);
|
||||
}
|
||||
}
|
||||
|
||||
// If there are NO field permissions configured at all, allow by default
|
||||
if (allFieldPermissions.length === 0) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// If field permissions exist, check for explicit grants (union of all roles)
|
||||
for (const role of user.roles) {
|
||||
if (role.fieldPermissions) {
|
||||
const fieldPerm = role.fieldPermissions.find(fp => fp.fieldDefinitionId === fieldDefinitionId);
|
||||
if (fieldPerm) {
|
||||
if (action === 'read' && fieldPerm.canRead) return true;
|
||||
if (action === 'edit' && fieldPerm.canEdit) return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Field permissions exist but this field is not explicitly granted → deny
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter fields based on user permissions
|
||||
* Returns array of field IDs the user can access with the specified action
|
||||
*/
|
||||
filterFields(
|
||||
fieldDefinitionIds: string[],
|
||||
action: FieldAction,
|
||||
user: User & { roles?: Array<{ fieldPermissions?: RoleFieldPermission[] }> },
|
||||
): string[] {
|
||||
return fieldDefinitionIds.filter(fieldId => this.canAccessField(fieldId, action, user));
|
||||
}
|
||||
}
|
||||
282
backend/src/rbac/authorization.service.ts
Normal file
282
backend/src/rbac/authorization.service.ts
Normal file
@@ -0,0 +1,282 @@
|
||||
import { Injectable, ForbiddenException } from '@nestjs/common';
|
||||
import { Knex } from 'knex';
|
||||
import { User } from '../models/user.model';
|
||||
import { ObjectDefinition } from '../models/object-definition.model';
|
||||
import { FieldDefinition } from '../models/field-definition.model';
|
||||
import { RecordShare } from '../models/record-share.model';
|
||||
import { AbilityFactory, AppAbility, Action } from './ability.factory';
|
||||
import { DynamicModelFactory } from '../object/models/dynamic-model.factory';
|
||||
import { subject } from '@casl/ability';
|
||||
|
||||
@Injectable()
|
||||
export class AuthorizationService {
|
||||
constructor(private abilityFactory: AbilityFactory) {}
|
||||
|
||||
/**
|
||||
* Apply authorization scope to a query based on OWD and user permissions
|
||||
* This determines which records the user can see
|
||||
* Modifies the query in place and returns void
|
||||
*/
|
||||
async applyScopeToQuery<T = any>(
|
||||
query: any, // Accept both Knex and Objection query builders
|
||||
objectDef: ObjectDefinition,
|
||||
user: User & { roles?: any[] },
|
||||
action: Action,
|
||||
knex: Knex,
|
||||
): Promise<void> {
|
||||
// Get user's ability
|
||||
const recordShares = await this.getActiveRecordShares(objectDef.id, user.id, knex);
|
||||
const ability = await this.abilityFactory.defineAbilityFor(user, recordShares);
|
||||
|
||||
// Check if user has the base permission for this action
|
||||
// Use object ID, not API name, since permissions are stored by object ID
|
||||
if (!ability.can(action, objectDef.id)) {
|
||||
// No permission at all - return empty result
|
||||
query.where(knex.raw('1 = 0'));
|
||||
return;
|
||||
}
|
||||
|
||||
// Check special permissions
|
||||
const hasViewAll = ability.can('view_all', objectDef.id);
|
||||
const hasModifyAll = ability.can('modify_all', objectDef.id);
|
||||
|
||||
// If user has view_all or modify_all, they can see all records
|
||||
if (hasViewAll || hasModifyAll) {
|
||||
// No filtering needed
|
||||
return;
|
||||
}
|
||||
|
||||
// Apply OWD (Org-Wide Default) restrictions
|
||||
switch (objectDef.orgWideDefault) {
|
||||
case 'public_read_write':
|
||||
// Everyone can see all records
|
||||
return;
|
||||
|
||||
case 'public_read':
|
||||
// Everyone can see all records (write operations checked separately)
|
||||
return;
|
||||
|
||||
case 'private':
|
||||
default:
|
||||
// Only owner and explicitly shared records
|
||||
await this.applyPrivateScope(query, objectDef, user, recordShares, knex);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply private scope: owner + shared records
|
||||
*/
|
||||
private async applyPrivateScope<T = any>(
|
||||
query: any, // Accept both Knex and Objection query builders
|
||||
objectDef: ObjectDefinition,
|
||||
user: User,
|
||||
recordShares: RecordShare[],
|
||||
knex: Knex,
|
||||
): Promise<void> {
|
||||
const tableName = this.getTableName(objectDef.apiName);
|
||||
|
||||
// Check if table has ownerId column
|
||||
const hasOwner = await knex.schema.hasColumn(tableName, 'ownerId');
|
||||
|
||||
if (!hasOwner && recordShares.length === 0) {
|
||||
// No ownership and no shares - user can't see anything
|
||||
query.where(knex.raw('1 = 0'));
|
||||
return;
|
||||
}
|
||||
|
||||
// Build conditions: ownerId = user OR record shared with user
|
||||
query.where((builder) => {
|
||||
if (hasOwner) {
|
||||
builder.orWhere(`${tableName}.ownerId`, user.id);
|
||||
}
|
||||
|
||||
if (recordShares.length > 0) {
|
||||
const sharedRecordIds = recordShares.map(share => share.recordId);
|
||||
builder.orWhereIn(`${tableName}.id`, sharedRecordIds);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user can perform action on a specific record
|
||||
*/
|
||||
async canPerformAction(
|
||||
action: Action,
|
||||
objectDef: ObjectDefinition,
|
||||
record: any,
|
||||
user: User & { roles?: any[] },
|
||||
knex: Knex,
|
||||
): Promise<boolean> {
|
||||
const recordShares = await this.getActiveRecordShares(objectDef.id, user.id, knex);
|
||||
const ability = await this.abilityFactory.defineAbilityFor(user, recordShares);
|
||||
|
||||
// Check base permission - use object ID not API name
|
||||
if (!ability.can(action, objectDef.id)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check special permissions - use object ID not API name
|
||||
const hasViewAll = ability.can('view_all', objectDef.id);
|
||||
const hasModifyAll = ability.can('modify_all', objectDef.id);
|
||||
|
||||
// canViewAll only grants read access to all records
|
||||
if (action === 'read' && hasViewAll) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// canModifyAll grants edit/delete access to all records
|
||||
if ((action === 'update' || action === 'delete') && hasModifyAll) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check OWD
|
||||
switch (objectDef.orgWideDefault) {
|
||||
case 'public_read_write':
|
||||
return true;
|
||||
|
||||
case 'public_read':
|
||||
if (action === 'read') return true;
|
||||
// For write actions, check ownership
|
||||
return record.ownerId === user.id;
|
||||
|
||||
case 'private':
|
||||
default:
|
||||
// Check ownership
|
||||
if (record.ownerId === user.id) return true;
|
||||
|
||||
// Check if record is shared with user
|
||||
const share = recordShares.find(s => s.recordId === record.id);
|
||||
if (share) {
|
||||
if (action === 'read' && share.accessLevel.canRead) return true;
|
||||
if (action === 'update' && share.accessLevel.canEdit) return true;
|
||||
if (action === 'delete' && share.accessLevel.canDelete) return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter data based on field-level permissions
|
||||
* Removes fields the user cannot read
|
||||
*/
|
||||
async filterReadableFields(
|
||||
data: any,
|
||||
fields: FieldDefinition[],
|
||||
user: User & { roles?: any[] },
|
||||
): Promise<any> {
|
||||
const filtered: any = {};
|
||||
|
||||
// Always include id - it's required for navigation and record identification
|
||||
if (data.id !== undefined) {
|
||||
filtered.id = data.id;
|
||||
}
|
||||
|
||||
for (const field of fields) {
|
||||
if (this.abilityFactory.canAccessField(field.id, 'read', user)) {
|
||||
if (data[field.apiName] !== undefined) {
|
||||
filtered[field.apiName] = data[field.apiName];
|
||||
}
|
||||
|
||||
// For lookup fields, also include the related object (e.g., ownerId -> owner)
|
||||
if (field.type === 'LOOKUP') {
|
||||
const relationName = DynamicModelFactory.getRelationName(field.apiName);
|
||||
if (data[relationName] !== undefined) {
|
||||
filtered[relationName] = data[relationName];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return filtered;
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter data based on field-level permissions
|
||||
* Removes fields the user cannot edit
|
||||
*/
|
||||
async filterEditableFields(
|
||||
data: any,
|
||||
fields: FieldDefinition[],
|
||||
user: User & { roles?: any[] },
|
||||
): Promise<any> {
|
||||
const filtered: any = {};
|
||||
|
||||
for (const field of fields) {
|
||||
if (this.abilityFactory.canAccessField(field.id, 'edit', user)) {
|
||||
if (data[field.apiName] !== undefined) {
|
||||
filtered[field.apiName] = data[field.apiName];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return filtered;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get active record shares for a user on an object
|
||||
*/
|
||||
private async getActiveRecordShares(
|
||||
objectDefinitionId: string,
|
||||
userId: string,
|
||||
knex: Knex,
|
||||
): Promise<RecordShare[]> {
|
||||
const now = new Date();
|
||||
|
||||
return await RecordShare.query(knex)
|
||||
.where('objectDefinitionId', objectDefinitionId)
|
||||
.where('granteeUserId', userId)
|
||||
.whereNull('revokedAt')
|
||||
.where((builder) => {
|
||||
builder.whereNull('expiresAt').orWhere('expiresAt', '>', now);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user has permission to create records
|
||||
*/
|
||||
async canCreate(
|
||||
objectDef: ObjectDefinition,
|
||||
user: User & { roles?: any[] },
|
||||
): Promise<boolean> {
|
||||
const ability = await this.abilityFactory.defineAbilityFor(user, []);
|
||||
return ability.can('create', objectDef.id);
|
||||
}
|
||||
|
||||
/**
|
||||
* Throw exception if user cannot perform action
|
||||
*/
|
||||
async assertCanPerformAction(
|
||||
action: Action,
|
||||
objectDef: ObjectDefinition,
|
||||
record: any,
|
||||
user: User & { roles?: any[] },
|
||||
knex: Knex,
|
||||
): Promise<void> {
|
||||
const can = await this.canPerformAction(action, objectDef, record, user, knex);
|
||||
if (!can) {
|
||||
throw new ForbiddenException(`You do not have permission to ${action} this record`);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get table name from API name
|
||||
*/
|
||||
private getTableName(apiName: string): string {
|
||||
// Convert CamelCase to snake_case and pluralize
|
||||
const snakeCase = apiName
|
||||
.replace(/([A-Z])/g, '_$1')
|
||||
.toLowerCase()
|
||||
.replace(/^_/, '');
|
||||
|
||||
// Simple pluralization
|
||||
if (snakeCase.endsWith('y')) {
|
||||
return snakeCase.slice(0, -1) + 'ies';
|
||||
} else if (snakeCase.endsWith('s')) {
|
||||
return snakeCase;
|
||||
} else {
|
||||
return snakeCase + 's';
|
||||
}
|
||||
}
|
||||
}
|
||||
19
backend/src/rbac/dto/create-record-share.dto.ts
Normal file
19
backend/src/rbac/dto/create-record-share.dto.ts
Normal file
@@ -0,0 +1,19 @@
|
||||
import { IsString, IsBoolean, IsOptional, IsDateString } from 'class-validator';
|
||||
|
||||
export class CreateRecordShareDto {
|
||||
@IsString()
|
||||
granteeUserId: string;
|
||||
|
||||
@IsBoolean()
|
||||
canRead: boolean;
|
||||
|
||||
@IsBoolean()
|
||||
canEdit: boolean;
|
||||
|
||||
@IsBoolean()
|
||||
canDelete: boolean;
|
||||
|
||||
@IsOptional()
|
||||
@IsDateString()
|
||||
expiresAt?: string;
|
||||
}
|
||||
@@ -1,8 +1,16 @@
|
||||
import { Module } from '@nestjs/common';
|
||||
import { RbacService } from './rbac.service';
|
||||
import { AbilityFactory } from './ability.factory';
|
||||
import { AuthorizationService } from './authorization.service';
|
||||
import { SetupRolesController } from './setup-roles.controller';
|
||||
import { SetupUsersController } from './setup-users.controller';
|
||||
import { RecordSharingController } from './record-sharing.controller';
|
||||
import { TenantModule } from '../tenant/tenant.module';
|
||||
|
||||
@Module({
|
||||
providers: [RbacService],
|
||||
exports: [RbacService],
|
||||
imports: [TenantModule],
|
||||
controllers: [SetupRolesController, SetupUsersController, RecordSharingController],
|
||||
providers: [RbacService, AbilityFactory, AuthorizationService],
|
||||
exports: [RbacService, AbilityFactory, AuthorizationService],
|
||||
})
|
||||
export class RbacModule {}
|
||||
|
||||
322
backend/src/rbac/record-sharing.controller.ts
Normal file
322
backend/src/rbac/record-sharing.controller.ts
Normal file
@@ -0,0 +1,322 @@
|
||||
import {
|
||||
Controller,
|
||||
Get,
|
||||
Post,
|
||||
Delete,
|
||||
Param,
|
||||
Body,
|
||||
UseGuards,
|
||||
ForbiddenException,
|
||||
} from '@nestjs/common';
|
||||
import { JwtAuthGuard } from '../auth/jwt-auth.guard';
|
||||
import { TenantId } from '../tenant/tenant.decorator';
|
||||
import { CurrentUser } from '../auth/current-user.decorator';
|
||||
import { TenantDatabaseService } from '../tenant/tenant-database.service';
|
||||
import { RecordShare } from '../models/record-share.model';
|
||||
import { ObjectDefinition } from '../models/object-definition.model';
|
||||
import { User } from '../models/user.model';
|
||||
import { AuthorizationService } from './authorization.service';
|
||||
import { CreateRecordShareDto } from './dto/create-record-share.dto';
|
||||
|
||||
@Controller('runtime/objects/:objectApiName/records/:recordId/shares')
|
||||
@UseGuards(JwtAuthGuard)
|
||||
export class RecordSharingController {
|
||||
constructor(
|
||||
private tenantDbService: TenantDatabaseService,
|
||||
private authService: AuthorizationService,
|
||||
) {}
|
||||
|
||||
@Get()
|
||||
async getRecordShares(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Param('recordId') recordId: string,
|
||||
@CurrentUser() currentUser: any,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDef) {
|
||||
throw new Error('Object not found');
|
||||
}
|
||||
|
||||
// Get the record to check ownership
|
||||
const tableName = this.getTableName(objectDef.apiName);
|
||||
const record = await knex(tableName)
|
||||
.where({ id: recordId })
|
||||
.first();
|
||||
|
||||
if (!record) {
|
||||
throw new Error('Record not found');
|
||||
}
|
||||
|
||||
// Only owner can view shares
|
||||
if (record.ownerId !== currentUser.userId) {
|
||||
// Check if user has modify all permission
|
||||
const user: any = await User.query(knex)
|
||||
.findById(currentUser.userId)
|
||||
.withGraphFetched('roles.objectPermissions');
|
||||
|
||||
if (!user) {
|
||||
throw new ForbiddenException('User not found');
|
||||
}
|
||||
|
||||
const hasModifyAll = user.roles?.some(role =>
|
||||
role.objectPermissions?.some(
|
||||
perm => perm.objectDefinitionId === objectDef.id && perm.canModifyAll
|
||||
)
|
||||
);
|
||||
|
||||
if (!hasModifyAll) {
|
||||
throw new ForbiddenException('Only the record owner or users with Modify All permission can view shares');
|
||||
}
|
||||
}
|
||||
|
||||
// Get all active shares for this record
|
||||
const shares = await RecordShare.query(knex)
|
||||
.where({ objectDefinitionId: objectDef.id, recordId })
|
||||
.whereNull('revokedAt')
|
||||
.where(builder => {
|
||||
builder.whereNull('expiresAt').orWhere('expiresAt', '>', new Date());
|
||||
})
|
||||
.withGraphFetched('[granteeUser]')
|
||||
.orderBy('createdAt', 'desc');
|
||||
|
||||
return shares;
|
||||
}
|
||||
|
||||
@Post()
|
||||
async createRecordShare(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Param('recordId') recordId: string,
|
||||
@CurrentUser() currentUser: any,
|
||||
@Body() data: CreateRecordShareDto,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDef) {
|
||||
throw new Error('Object not found');
|
||||
}
|
||||
|
||||
// Get the record to check ownership
|
||||
const tableName = this.getTableName(objectDef.apiName);
|
||||
const record = await knex(tableName)
|
||||
.where({ id: recordId })
|
||||
.first();
|
||||
|
||||
if (!record) {
|
||||
throw new Error('Record not found');
|
||||
}
|
||||
|
||||
// Check if user can share - either owner or has modify permissions
|
||||
const canShare = await this.canUserShareRecord(
|
||||
currentUser.userId,
|
||||
record,
|
||||
objectDef,
|
||||
knex,
|
||||
);
|
||||
|
||||
if (!canShare) {
|
||||
throw new ForbiddenException('You do not have permission to share this record');
|
||||
}
|
||||
|
||||
// Cannot share with self
|
||||
if (data.granteeUserId === currentUser.userId) {
|
||||
throw new Error('Cannot share record with yourself');
|
||||
}
|
||||
|
||||
// Check if share already exists
|
||||
const existingShare = await RecordShare.query(knex)
|
||||
.where({
|
||||
objectDefinitionId: objectDef.id,
|
||||
recordId,
|
||||
granteeUserId: data.granteeUserId,
|
||||
})
|
||||
.whereNull('revokedAt')
|
||||
.first();
|
||||
|
||||
if (existingShare) {
|
||||
// Update existing share
|
||||
await knex('record_shares')
|
||||
.where({ id: existingShare.id })
|
||||
.update({
|
||||
accessLevel: JSON.stringify({
|
||||
canRead: data.canRead,
|
||||
canEdit: data.canEdit,
|
||||
canDelete: data.canDelete,
|
||||
}),
|
||||
expiresAt: data.expiresAt ? data.expiresAt : null,
|
||||
updatedAt: knex.fn.now(),
|
||||
});
|
||||
|
||||
return RecordShare.query(knex)
|
||||
.findById(existingShare.id)
|
||||
.withGraphFetched('[granteeUser]');
|
||||
}
|
||||
|
||||
// Create new share
|
||||
const [shareId] = await knex('record_shares').insert({
|
||||
objectDefinitionId: objectDef.id,
|
||||
recordId,
|
||||
granteeUserId: data.granteeUserId,
|
||||
grantedByUserId: currentUser.userId,
|
||||
accessLevel: JSON.stringify({
|
||||
canRead: data.canRead,
|
||||
canEdit: data.canEdit,
|
||||
canDelete: data.canDelete,
|
||||
}),
|
||||
expiresAt: data.expiresAt ? data.expiresAt : null,
|
||||
});
|
||||
|
||||
return RecordShare.query(knex)
|
||||
.findById(shareId)
|
||||
.withGraphFetched('[granteeUser]');
|
||||
}
|
||||
|
||||
@Delete(':shareId')
|
||||
async deleteRecordShare(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('objectApiName') objectApiName: string,
|
||||
@Param('recordId') recordId: string,
|
||||
@Param('shareId') shareId: string,
|
||||
@CurrentUser() currentUser: any,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
if (!objectDef) {
|
||||
throw new Error('Object not found');
|
||||
}
|
||||
|
||||
// Get the record to check ownership
|
||||
const tableName = this.getTableName(objectDef.apiName);
|
||||
const record = await knex(tableName)
|
||||
.where({ id: recordId })
|
||||
.first();
|
||||
|
||||
if (!record) {
|
||||
throw new Error('Record not found');
|
||||
}
|
||||
|
||||
// Only owner can revoke shares
|
||||
if (record.ownerId !== currentUser.userId) {
|
||||
// Check if user has modify all permission
|
||||
const user: any = await User.query(knex)
|
||||
.findById(currentUser.userId)
|
||||
.withGraphFetched('roles.objectPermissions');
|
||||
|
||||
if (!user) {
|
||||
throw new ForbiddenException('User not found');
|
||||
}
|
||||
|
||||
const hasModifyAll = user.roles?.some(role =>
|
||||
role.objectPermissions?.some(
|
||||
perm => perm.objectDefinitionId === objectDef.id && perm.canModifyAll
|
||||
)
|
||||
);
|
||||
|
||||
if (!hasModifyAll) {
|
||||
throw new ForbiddenException('Only the record owner or users with Modify All permission can revoke shares');
|
||||
}
|
||||
}
|
||||
|
||||
// Revoke the share (soft delete)
|
||||
await knex('record_shares')
|
||||
.where({ id: shareId })
|
||||
.update({
|
||||
revokedAt: knex.fn.now(),
|
||||
updatedAt: knex.fn.now(),
|
||||
});
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
private async canUserShareRecord(
|
||||
userId: string,
|
||||
record: any,
|
||||
objectDef: ObjectDefinition,
|
||||
knex: any,
|
||||
): Promise<boolean> {
|
||||
// Owner can always share
|
||||
if (record.ownerId === userId) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check if user has modify all or edit permissions
|
||||
const user: any = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('roles.objectPermissions');
|
||||
|
||||
if (!user) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for canModifyAll permission
|
||||
const hasModifyAll = user.roles?.some(role =>
|
||||
role.objectPermissions?.some(
|
||||
perm => perm.objectDefinitionId === objectDef.id && perm.canModifyAll
|
||||
)
|
||||
);
|
||||
|
||||
if (hasModifyAll) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check for canEdit permission (user needs edit to share)
|
||||
const hasEdit = user.roles?.some(role =>
|
||||
role.objectPermissions?.some(
|
||||
perm => perm.objectDefinitionId === objectDef.id && perm.canEdit
|
||||
)
|
||||
);
|
||||
|
||||
// If user has edit permission, check if they can actually edit this record
|
||||
// by using the authorization service
|
||||
if (hasEdit) {
|
||||
try {
|
||||
await this.authService.assertCanPerformAction(
|
||||
'update',
|
||||
objectDef,
|
||||
record,
|
||||
user,
|
||||
knex,
|
||||
);
|
||||
return true;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private getTableName(apiName: string): string {
|
||||
// Convert CamelCase to snake_case and pluralize
|
||||
const snakeCase = apiName
|
||||
.replace(/([A-Z])/g, '_$1')
|
||||
.toLowerCase()
|
||||
.replace(/^_/, '');
|
||||
|
||||
// Simple pluralization
|
||||
if (snakeCase.endsWith('y')) {
|
||||
return snakeCase.slice(0, -1) + 'ies';
|
||||
} else if (snakeCase.endsWith('s')) {
|
||||
return snakeCase + 'es';
|
||||
} else {
|
||||
return snakeCase + 's';
|
||||
}
|
||||
}
|
||||
}
|
||||
141
backend/src/rbac/setup-roles.controller.ts
Normal file
141
backend/src/rbac/setup-roles.controller.ts
Normal file
@@ -0,0 +1,141 @@
|
||||
import {
|
||||
Controller,
|
||||
Get,
|
||||
Post,
|
||||
Patch,
|
||||
Delete,
|
||||
Param,
|
||||
Body,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { JwtAuthGuard } from '../auth/jwt-auth.guard';
|
||||
import { TenantId } from '../tenant/tenant.decorator';
|
||||
import { TenantDatabaseService } from '../tenant/tenant-database.service';
|
||||
import { Role } from '../models/role.model';
|
||||
|
||||
@Controller('setup/roles')
|
||||
@UseGuards(JwtAuthGuard)
|
||||
export class SetupRolesController {
|
||||
constructor(private tenantDbService: TenantDatabaseService) {}
|
||||
|
||||
@Get()
|
||||
async getRoles(@TenantId() tenantId: string) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
return await Role.query(knex).select('*').orderBy('name', 'asc');
|
||||
}
|
||||
|
||||
@Get(':id')
|
||||
async getRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
return await Role.query(knex).findById(id).withGraphFetched('users');
|
||||
}
|
||||
|
||||
@Post()
|
||||
async createRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Body() data: { name: string; description?: string; guardName?: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
const role = await Role.query(knex).insert({
|
||||
name: data.name,
|
||||
description: data.description,
|
||||
guardName: data.guardName || 'tenant',
|
||||
});
|
||||
|
||||
return role;
|
||||
}
|
||||
|
||||
@Patch(':id')
|
||||
async updateRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
@Body() data: { name?: string; description?: string; guardName?: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
const updateData: any = {};
|
||||
|
||||
if (data.name) updateData.name = data.name;
|
||||
if (data.description !== undefined) updateData.description = data.description;
|
||||
if (data.guardName) updateData.guardName = data.guardName;
|
||||
|
||||
const role = await Role.query(knex).patchAndFetchById(id, updateData);
|
||||
return role;
|
||||
}
|
||||
|
||||
@Delete(':id')
|
||||
async deleteRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Delete role user assignments first
|
||||
await knex('user_roles').where({ roleId: id }).delete();
|
||||
|
||||
// Delete role permissions
|
||||
await knex('role_permissions').where({ roleId: id }).delete();
|
||||
await knex('role_object_permissions').where({ roleId: id }).delete();
|
||||
|
||||
// Delete the role
|
||||
await Role.query(knex).deleteById(id);
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Post(':roleId/users')
|
||||
async addUserToRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('roleId') roleId: string,
|
||||
@Body() data: { userId: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Check if assignment already exists
|
||||
const existing = await knex('user_roles')
|
||||
.where({ userId: data.userId, roleId })
|
||||
.first();
|
||||
|
||||
if (existing) {
|
||||
return { success: true, message: 'User already assigned' };
|
||||
}
|
||||
|
||||
await knex('user_roles').insert({
|
||||
id: knex.raw('(UUID())'),
|
||||
userId: data.userId,
|
||||
roleId,
|
||||
created_at: knex.fn.now(),
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Delete(':roleId/users/:userId')
|
||||
async removeUserFromRole(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('roleId') roleId: string,
|
||||
@Param('userId') userId: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
await knex('user_roles')
|
||||
.where({ userId, roleId })
|
||||
.delete();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
}
|
||||
146
backend/src/rbac/setup-users.controller.ts
Normal file
146
backend/src/rbac/setup-users.controller.ts
Normal file
@@ -0,0 +1,146 @@
|
||||
import {
|
||||
Controller,
|
||||
Get,
|
||||
Post,
|
||||
Patch,
|
||||
Delete,
|
||||
Param,
|
||||
Body,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { JwtAuthGuard } from '../auth/jwt-auth.guard';
|
||||
import { TenantId } from '../tenant/tenant.decorator';
|
||||
import { TenantDatabaseService } from '../tenant/tenant-database.service';
|
||||
import { User } from '../models/user.model';
|
||||
import * as bcrypt from 'bcrypt';
|
||||
|
||||
@Controller('setup/users')
|
||||
@UseGuards(JwtAuthGuard)
|
||||
export class SetupUsersController {
|
||||
constructor(private tenantDbService: TenantDatabaseService) {}
|
||||
|
||||
@Get()
|
||||
async getUsers(@TenantId() tenantId: string) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
return await User.query(knex).withGraphFetched('roles');
|
||||
}
|
||||
|
||||
@Get(':id')
|
||||
async getUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
return await User.query(knex).findById(id).withGraphFetched('roles');
|
||||
}
|
||||
|
||||
@Post()
|
||||
async createUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Body() data: { email: string; password: string; firstName?: string; lastName?: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Hash password
|
||||
const hashedPassword = await bcrypt.hash(data.password, 10);
|
||||
|
||||
const user = await User.query(knex).insert({
|
||||
email: data.email,
|
||||
password: hashedPassword,
|
||||
firstName: data.firstName,
|
||||
lastName: data.lastName,
|
||||
isActive: true,
|
||||
});
|
||||
|
||||
return user;
|
||||
}
|
||||
|
||||
@Patch(':id')
|
||||
async updateUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
@Body() data: { email?: string; password?: string; firstName?: string; lastName?: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
const updateData: any = {};
|
||||
|
||||
if (data.email) updateData.email = data.email;
|
||||
if (data.firstName !== undefined) updateData.firstName = data.firstName;
|
||||
if (data.lastName !== undefined) updateData.lastName = data.lastName;
|
||||
|
||||
// Hash password if provided
|
||||
if (data.password) {
|
||||
updateData.password = await bcrypt.hash(data.password, 10);
|
||||
}
|
||||
|
||||
const user = await User.query(knex).patchAndFetchById(id, updateData);
|
||||
return user;
|
||||
}
|
||||
|
||||
@Delete(':id')
|
||||
async deleteUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('id') id: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Delete user role assignments first
|
||||
await knex('user_roles').where({ userId: id }).delete();
|
||||
|
||||
// Delete the user
|
||||
await User.query(knex).deleteById(id);
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Post(':userId/roles')
|
||||
async addRoleToUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('userId') userId: string,
|
||||
@Body() data: { roleId: string },
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
// Check if assignment already exists
|
||||
const existing = await knex('user_roles')
|
||||
.where({ userId, roleId: data.roleId })
|
||||
.first();
|
||||
|
||||
if (existing) {
|
||||
return { success: true, message: 'Role already assigned' };
|
||||
}
|
||||
|
||||
await knex('user_roles').insert({
|
||||
id: knex.raw('(UUID())'),
|
||||
userId,
|
||||
roleId: data.roleId,
|
||||
created_at: knex.fn.now(),
|
||||
updated_at: knex.fn.now(),
|
||||
});
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Delete(':userId/roles/:roleId')
|
||||
async removeRoleFromUser(
|
||||
@TenantId() tenantId: string,
|
||||
@Param('userId') userId: string,
|
||||
@Param('roleId') roleId: string,
|
||||
) {
|
||||
const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
|
||||
const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
|
||||
|
||||
await knex('user_roles')
|
||||
.where({ userId, roleId })
|
||||
.delete();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
}
|
||||
211
docs/SALESFORCE_AUTHORIZATION.md
Normal file
211
docs/SALESFORCE_AUTHORIZATION.md
Normal file
@@ -0,0 +1,211 @@
|
||||
# Salesforce-Style Authorization System
|
||||
|
||||
## Overview
|
||||
Implemented a comprehensive authorization system based on Salesforce's model with:
|
||||
- **Org-Wide Defaults (OWD)** for record visibility
|
||||
- **Role-based permissions** for object and field access
|
||||
- **Record sharing** for granular access control
|
||||
- **CASL** for flexible permission evaluation
|
||||
|
||||
## Architecture
|
||||
|
||||
### 1. Org-Wide Defaults (OWD)
|
||||
Controls baseline record visibility for each object:
|
||||
- `private`: Only owner can see records
|
||||
- `public_read`: Everyone can see, only owner can edit/delete
|
||||
- `public_read_write`: Everyone can see and modify all records
|
||||
|
||||
### 2. Role-Based Object Permissions
|
||||
Table: `role_object_permissions`
|
||||
- `canCreate`: Can create new records
|
||||
- `canRead`: Can read records (subject to OWD)
|
||||
- `canEdit`: Can edit records (subject to OWD)
|
||||
- `canDelete`: Can delete records (subject to OWD)
|
||||
- `canViewAll`: Override OWD to see ALL records
|
||||
- `canModifyAll`: Override OWD to edit ALL records
|
||||
|
||||
### 3. Field-Level Security
|
||||
Table: `role_field_permissions`
|
||||
- `canRead`: Can view field value
|
||||
- `canEdit`: Can modify field value
|
||||
|
||||
### 4. Record Sharing
|
||||
Table: `record_shares`
|
||||
Grants specific users access to individual records with:
|
||||
```json
|
||||
{
|
||||
"canRead": boolean,
|
||||
"canEdit": boolean,
|
||||
"canDelete": boolean
|
||||
}
|
||||
```
|
||||
|
||||
## Permission Evaluation Flow
|
||||
|
||||
```
|
||||
1. Check role_object_permissions
|
||||
├─ Does user have canCreate/Read/Edit/Delete?
|
||||
│ └─ NO → Deny
|
||||
│ └─ YES → Continue
|
||||
│
|
||||
2. Check canViewAll / canModifyAll
|
||||
├─ Does user have special "all" permissions?
|
||||
│ └─ YES → Grant access
|
||||
│ └─ NO → Continue
|
||||
│
|
||||
3. Check OWD (orgWideDefault)
|
||||
├─ public_read_write → Grant access
|
||||
├─ public_read → Grant read, check ownership for write
|
||||
└─ private → Check ownership or sharing
|
||||
|
||||
4. Check Ownership
|
||||
├─ Is user the record owner?
|
||||
│ └─ YES → Grant access
|
||||
│ └─ NO → Continue
|
||||
│
|
||||
5. Check Record Shares
|
||||
└─ Is record explicitly shared with user?
|
||||
└─ Check accessLevel permissions
|
||||
```
|
||||
|
||||
## Field-Level Security
|
||||
|
||||
Fields are filtered after record access is granted:
|
||||
1. User queries records → Apply record-level scope
|
||||
2. System filters readable fields based on `role_field_permissions`
|
||||
3. User updates records → System filters editable fields
|
||||
|
||||
## Key Features
|
||||
|
||||
### Multiple Role Support
|
||||
- Users can have multiple roles
|
||||
- Permissions are **unioned** (any role grants = user has it)
|
||||
- More flexible than Salesforce's single profile model
|
||||
|
||||
### Active Share Detection
|
||||
- Shares can expire (`expiresAt`)
|
||||
- Shares can be revoked (`revokedAt`)
|
||||
- Only active shares are evaluated
|
||||
|
||||
### CASL Integration
|
||||
- Dynamic ability building per request
|
||||
- Condition-based rules
|
||||
- Field-level permission support
|
||||
|
||||
## Usage Example
|
||||
|
||||
```typescript
|
||||
// In a controller/service
|
||||
constructor(
|
||||
private authService: AuthorizationService,
|
||||
private tenantDbService: TenantDatabaseService,
|
||||
) {}
|
||||
|
||||
async getRecords(tenantId: string, objectApiName: string, userId: string) {
|
||||
const knex = await this.tenantDbService.getTenantKnex(tenantId);
|
||||
|
||||
// Get user with roles
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
// Get object definition
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
// Build query with authorization scope
|
||||
let query = knex(objectApiName.toLowerCase());
|
||||
query = await this.authService.applyScopeToQuery(
|
||||
query,
|
||||
objectDef,
|
||||
user,
|
||||
'read',
|
||||
knex,
|
||||
);
|
||||
|
||||
const records = await query;
|
||||
|
||||
// Get field definitions
|
||||
const fields = await FieldDefinition.query(knex)
|
||||
.where('objectDefinitionId', objectDef.id);
|
||||
|
||||
// Filter fields user can read
|
||||
const filteredRecords = await Promise.all(
|
||||
records.map(record =>
|
||||
this.authService.filterReadableFields(record, fields, user)
|
||||
)
|
||||
);
|
||||
|
||||
return filteredRecords;
|
||||
}
|
||||
|
||||
async updateRecord(tenantId: string, objectApiName: string, recordId: string, data: any, userId: string) {
|
||||
const knex = await this.tenantDbService.getTenantKnex(tenantId);
|
||||
|
||||
const user = await User.query(knex)
|
||||
.findById(userId)
|
||||
.withGraphFetched('[roles.[objectPermissions, fieldPermissions]]');
|
||||
|
||||
const objectDef = await ObjectDefinition.query(knex)
|
||||
.findOne({ apiName: objectApiName });
|
||||
|
||||
// Get existing record
|
||||
const record = await knex(objectApiName.toLowerCase())
|
||||
.where({ id: recordId })
|
||||
.first();
|
||||
|
||||
if (!record) {
|
||||
throw new NotFoundException('Record not found');
|
||||
}
|
||||
|
||||
// Check if user can update this record
|
||||
await this.authService.assertCanPerformAction(
|
||||
'update',
|
||||
objectDef,
|
||||
record,
|
||||
user,
|
||||
knex,
|
||||
);
|
||||
|
||||
// Get field definitions
|
||||
const fields = await FieldDefinition.query(knex)
|
||||
.where('objectDefinitionId', objectDef.id);
|
||||
|
||||
// Filter to only editable fields
|
||||
const editableData = await this.authService.filterEditableFields(
|
||||
data,
|
||||
fields,
|
||||
user,
|
||||
);
|
||||
|
||||
// Perform update
|
||||
await knex(objectApiName.toLowerCase())
|
||||
.where({ id: recordId })
|
||||
.update(editableData);
|
||||
|
||||
return knex(objectApiName.toLowerCase())
|
||||
.where({ id: recordId })
|
||||
.first();
|
||||
}
|
||||
```
|
||||
|
||||
## Migration
|
||||
|
||||
Run the migration to add authorization tables:
|
||||
```bash
|
||||
npm run knex migrate:latest
|
||||
```
|
||||
|
||||
The migration creates:
|
||||
- `orgWideDefault` column in `object_definitions`
|
||||
- `role_object_permissions` table
|
||||
- `role_field_permissions` table
|
||||
- `record_shares` table
|
||||
|
||||
## Next Steps
|
||||
|
||||
1. **Migrate existing data**: Set default `orgWideDefault` values for existing objects
|
||||
2. **Create default roles**: Create Admin, Standard User, etc. with appropriate permissions
|
||||
3. **Update API endpoints**: Integrate authorization service into all CRUD operations
|
||||
4. **UI for permission management**: Build admin interface to manage role permissions
|
||||
5. **Sharing UI**: Build interface for users to share records with others
|
||||
@@ -105,6 +105,16 @@ const staticMenuItems = [
|
||||
url: '/setup/objects',
|
||||
icon: Boxes,
|
||||
},
|
||||
{
|
||||
title: 'Users',
|
||||
url: '/setup/users',
|
||||
icon: Users,
|
||||
},
|
||||
{
|
||||
title: 'Roles',
|
||||
url: '/setup/roles',
|
||||
icon: Layers,
|
||||
},
|
||||
],
|
||||
},
|
||||
]
|
||||
|
||||
344
frontend/components/FieldLevelSecurity.vue
Normal file
344
frontend/components/FieldLevelSecurity.vue
Normal file
@@ -0,0 +1,344 @@
|
||||
<template>
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<CardTitle>Field-Level Security</CardTitle>
|
||||
<CardDescription>
|
||||
Control which fields each role can read and edit
|
||||
</CardDescription>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<div v-if="loading" class="flex items-center justify-center py-8">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
|
||||
<div v-else-if="roles.length === 0" class="text-sm text-muted-foreground py-4">
|
||||
No roles available. Create roles first to manage field-level permissions.
|
||||
</div>
|
||||
|
||||
<div v-else class="space-y-6">
|
||||
<!-- Role Selector -->
|
||||
<div class="space-y-2">
|
||||
<Label>Select Role</Label>
|
||||
<Select v-model="selectedRoleId" @update:model-value="(value) => selectedRoleId = value">
|
||||
<SelectTrigger class="w-full">
|
||||
<SelectValue placeholder="Choose a role to configure permissions" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem v-for="role in roles" :key="role.id" :value="role.id">
|
||||
{{ role.name }}
|
||||
</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
|
||||
<!-- Object-Level Permissions -->
|
||||
<div v-if="selectedRoleId" class="space-y-2">
|
||||
<h3 class="text-sm font-medium">Object-Level Permissions</h3>
|
||||
<div class="rounded-md border">
|
||||
<table class="w-full">
|
||||
<thead>
|
||||
<tr class="border-b bg-muted/50">
|
||||
<th class="p-3 text-left font-medium">Permission</th>
|
||||
<th class="p-3 text-center font-medium">Enabled</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="border-b hover:bg-muted/30">
|
||||
<td class="p-3">Create</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canCreate"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canCreate', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="border-b hover:bg-muted/30">
|
||||
<td class="p-3">Read</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canRead"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canRead', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="border-b hover:bg-muted/30">
|
||||
<td class="p-3">Edit</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canEdit"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canEdit', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="border-b hover:bg-muted/30">
|
||||
<td class="p-3">Delete</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canDelete"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canDelete', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="border-b hover:bg-muted/30">
|
||||
<td class="p-3">View All</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canViewAll"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canViewAll', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="hover:bg-muted/30">
|
||||
<td class="p-3">Modify All</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="objectPermissions.canModifyAll"
|
||||
@update:model-value="(checked: boolean) => updateObjectPermission('canModifyAll', checked)"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Field-Level Permissions -->
|
||||
<div v-if="selectedRoleId" class="space-y-2">
|
||||
<h3 class="text-sm font-medium">Field-Level Permissions</h3>
|
||||
<div class="rounded-md border">
|
||||
<table class="w-full">
|
||||
<thead>
|
||||
<tr class="border-b bg-muted/50">
|
||||
<th class="p-3 text-left font-medium">Field</th>
|
||||
<th class="p-3 text-center font-medium">Read</th>
|
||||
<th class="p-3 text-center font-medium">Edit</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr
|
||||
v-for="field in fields"
|
||||
:key="field.id"
|
||||
class="border-b hover:bg-muted/30"
|
||||
>
|
||||
<td class="p-3">
|
||||
<div>
|
||||
<div class="font-medium">{{ field.label }}</div>
|
||||
<div class="text-xs text-muted-foreground">{{ field.apiName }}</div>
|
||||
</div>
|
||||
</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="hasPermission(field.id, selectedRoleId, 'read')"
|
||||
@update:model-value="(checked: boolean) => updatePermission(field.id, selectedRoleId, 'read', checked)"
|
||||
:disabled="field.isSystem"
|
||||
/>
|
||||
</td>
|
||||
<td class="p-3 text-center">
|
||||
<Checkbox
|
||||
:model-value="hasPermission(field.id, selectedRoleId, 'edit')"
|
||||
@update:model-value="(checked: boolean) => updatePermission(field.id, selectedRoleId, 'edit', checked)"
|
||||
:disabled="field.isSystem || !hasPermission(field.id, selectedRoleId, 'read')"
|
||||
/>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="flex items-center gap-2 text-sm text-muted-foreground">
|
||||
<Info class="h-4 w-4" />
|
||||
<span>System fields are always readable. Edit permissions require read permission first. Changes save automatically.</span>
|
||||
</div>
|
||||
|
||||
<div v-if="saving" class="flex items-center gap-2 text-sm text-primary">
|
||||
<div class="animate-spin rounded-full h-4 w-4 border-b-2 border-primary"></div>
|
||||
<span>Saving...</span>
|
||||
</div>
|
||||
</div>
|
||||
</CardContent>
|
||||
</Card>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted, computed, watch } from 'vue';
|
||||
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '~/components/ui/card';
|
||||
import { Checkbox } from '~/components/ui/checkbox';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Info } from 'lucide-vue-next';
|
||||
|
||||
const props = defineProps<{
|
||||
objectId: string;
|
||||
objectApiName: string;
|
||||
fields: any[];
|
||||
}>();
|
||||
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const saving = ref(false);
|
||||
const roles = ref<any[]>([]);
|
||||
const selectedRoleId = ref<string>('');
|
||||
const permissions = ref<Map<string, Map<string, { canRead: boolean; canEdit: boolean }>>>(new Map());
|
||||
const objectPermissions = ref({
|
||||
canCreate: false,
|
||||
canRead: false,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
canViewAll: false,
|
||||
canModifyAll: false,
|
||||
});
|
||||
|
||||
// Load roles and permissions
|
||||
onMounted(async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
|
||||
// Load roles
|
||||
const rolesResponse = await api.get('/setup/roles');
|
||||
roles.value = rolesResponse || [];
|
||||
|
||||
// Load existing permissions for this object
|
||||
const permsResponse = await api.get(`/setup/objects/${props.objectId}/field-permissions`);
|
||||
|
||||
// Build permissions map: fieldId -> roleId -> {canRead, canEdit}
|
||||
const permsMap = new Map();
|
||||
if (permsResponse && Array.isArray(permsResponse)) {
|
||||
for (const perm of permsResponse) {
|
||||
if (!permsMap.has(perm.fieldDefinitionId)) {
|
||||
permsMap.set(perm.fieldDefinitionId, new Map());
|
||||
}
|
||||
permsMap.get(perm.fieldDefinitionId).set(perm.roleId, {
|
||||
canRead: Boolean(perm.canRead),
|
||||
canEdit: Boolean(perm.canEdit),
|
||||
});
|
||||
}
|
||||
}
|
||||
permissions.value = permsMap;
|
||||
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load field permissions:', error);
|
||||
toast.error('Failed to load field permissions');
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
});
|
||||
|
||||
const hasPermission = (fieldId: string, roleId: string, type: 'read' | 'edit'): boolean => {
|
||||
const fieldPerms = permissions.value.get(fieldId);
|
||||
if (!fieldPerms) return true; // Default to true if no permissions set
|
||||
const rolePerm = fieldPerms.get(roleId);
|
||||
if (!rolePerm) return true; // Default to true if no permissions set
|
||||
const value = type === 'read' ? rolePerm.canRead : rolePerm.canEdit;
|
||||
return Boolean(value); // Convert 1/0 to true/false
|
||||
};
|
||||
|
||||
const updatePermission = async (fieldId: string, roleId: string, type: 'read' | 'edit', checked: boolean) => {
|
||||
try {
|
||||
saving.value = true;
|
||||
|
||||
// Get current permissions
|
||||
if (!permissions.value.has(fieldId)) {
|
||||
permissions.value.set(fieldId, new Map());
|
||||
}
|
||||
const fieldPerms = permissions.value.get(fieldId)!;
|
||||
|
||||
if (!fieldPerms.has(roleId)) {
|
||||
fieldPerms.set(roleId, { canRead: true, canEdit: true });
|
||||
}
|
||||
const perm = fieldPerms.get(roleId)!;
|
||||
|
||||
// Update permission
|
||||
if (type === 'read') {
|
||||
perm.canRead = checked;
|
||||
// If disabling read, also disable edit
|
||||
if (!checked) {
|
||||
perm.canEdit = false;
|
||||
}
|
||||
} else {
|
||||
perm.canEdit = checked;
|
||||
// If enabling edit, also enable read
|
||||
if (checked) {
|
||||
perm.canRead = true;
|
||||
}
|
||||
}
|
||||
|
||||
// Save to backend
|
||||
await api.put(`/setup/objects/${props.objectId}/field-permissions`, {
|
||||
roleId,
|
||||
fieldDefinitionId: fieldId,
|
||||
canRead: perm.canRead,
|
||||
canEdit: perm.canEdit,
|
||||
});
|
||||
|
||||
toast.success('Permission updated');
|
||||
|
||||
} catch (error: any) {
|
||||
console.error('Failed to update field permission:', error);
|
||||
toast.error(error.message || 'Failed to update permission');
|
||||
|
||||
// Revert change
|
||||
if (!permissions.value.has(fieldId)) return;
|
||||
const fieldPerms = permissions.value.get(fieldId)!;
|
||||
if (!fieldPerms.has(roleId)) return;
|
||||
const perm = fieldPerms.get(roleId)!;
|
||||
if (type === 'read') {
|
||||
perm.canRead = !checked;
|
||||
} else {
|
||||
perm.canEdit = !checked;
|
||||
}
|
||||
} finally {
|
||||
saving.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const updateObjectPermission = async (permission: string, checked: boolean) => {
|
||||
if (!selectedRoleId.value) return;
|
||||
|
||||
try {
|
||||
saving.value = true;
|
||||
|
||||
// Update local state
|
||||
(objectPermissions.value as any)[permission] = checked;
|
||||
|
||||
// Save to backend
|
||||
await api.put(`/setup/objects/${props.objectApiName}/permissions`, {
|
||||
roleId: selectedRoleId.value,
|
||||
...objectPermissions.value,
|
||||
});
|
||||
|
||||
toast.success('Object permission updated');
|
||||
} catch (error: any) {
|
||||
console.error('Failed to update object permission:', error);
|
||||
toast.error(error.message || 'Failed to update permission');
|
||||
|
||||
// Revert change
|
||||
(objectPermissions.value as any)[permission] = !checked;
|
||||
} finally {
|
||||
saving.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
// Load object permissions when role changes
|
||||
watch(selectedRoleId, async (roleId) => {
|
||||
if (!roleId) return;
|
||||
|
||||
try {
|
||||
const response = await api.get(`/setup/objects/${props.objectApiName}/permissions/${roleId}`);
|
||||
if (response) {
|
||||
objectPermissions.value = {
|
||||
canCreate: Boolean(response.canCreate),
|
||||
canRead: Boolean(response.canRead),
|
||||
canEdit: Boolean(response.canEdit),
|
||||
canDelete: Boolean(response.canDelete),
|
||||
canViewAll: Boolean(response.canViewAll),
|
||||
canModifyAll: Boolean(response.canModifyAll),
|
||||
};
|
||||
}
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load object permissions:', error);
|
||||
}
|
||||
});
|
||||
</script>
|
||||
119
frontend/components/ObjectAccessSettings.vue
Normal file
119
frontend/components/ObjectAccessSettings.vue
Normal file
@@ -0,0 +1,119 @@
|
||||
<template>
|
||||
<div class="space-y-6">
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<CardTitle>Org-Wide Default</CardTitle>
|
||||
<CardDescription>
|
||||
Control the baseline visibility for records of this object
|
||||
</CardDescription>
|
||||
</CardHeader>
|
||||
<CardContent class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="orgWideDefault">Record Visibility</Label>
|
||||
<Select v-model="localOrgWideDefault" @update:model-value="handleOrgWideDefaultChange">
|
||||
<SelectTrigger id="orgWideDefault">
|
||||
<SelectValue placeholder="Select visibility level" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem value="private">
|
||||
<div>
|
||||
<div class="font-semibold">Private</div>
|
||||
<div class="text-xs text-muted-foreground">Only record owner can see</div>
|
||||
</div>
|
||||
</SelectItem>
|
||||
<SelectItem value="public_read">
|
||||
<div>
|
||||
<div class="font-semibold">Public Read Only</div>
|
||||
<div class="text-xs text-muted-foreground">Everyone can read, only owner can edit/delete</div>
|
||||
</div>
|
||||
</SelectItem>
|
||||
<SelectItem value="public_read_write">
|
||||
<div>
|
||||
<div class="font-semibold">Public Read/Write</div>
|
||||
<div class="text-xs text-muted-foreground">Everyone can read, edit, and delete all records</div>
|
||||
</div>
|
||||
</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
<p class="text-sm text-muted-foreground">
|
||||
This setting controls who can see records by default. Individual user permissions are granted through roles.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
</CardContent>
|
||||
</Card>
|
||||
|
||||
<FieldLevelSecurity
|
||||
v-if="objectId && objectApiName && fields && fields.length > 0"
|
||||
:object-id="objectId"
|
||||
:object-api-name="objectApiName"
|
||||
:fields="fields"
|
||||
/>
|
||||
|
||||
<div v-else-if="!objectId" class="text-sm text-muted-foreground">
|
||||
Object ID not available
|
||||
</div>
|
||||
|
||||
<div v-else-if="!fields || fields.length === 0" class="text-sm text-muted-foreground">
|
||||
No fields available
|
||||
</div>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, watch } from 'vue';
|
||||
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '~/components/ui/card';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import FieldLevelSecurity from '~/components/FieldLevelSecurity.vue';
|
||||
|
||||
const props = defineProps<{
|
||||
objectApiName: string;
|
||||
objectId?: string;
|
||||
orgWideDefault?: string;
|
||||
fields?: any[];
|
||||
}>();
|
||||
|
||||
const emit = defineEmits<{
|
||||
update: [orgWideDefault: string];
|
||||
}>();
|
||||
|
||||
const { $api } = useNuxtApp();
|
||||
const { showToast } = useToast();
|
||||
|
||||
const localOrgWideDefault = ref(props.orgWideDefault || 'private');
|
||||
|
||||
// Watch for prop changes
|
||||
watch(() => props.orgWideDefault, (newValue) => {
|
||||
if (newValue) {
|
||||
localOrgWideDefault.value = newValue;
|
||||
}
|
||||
});
|
||||
|
||||
const handleOrgWideDefaultChange = async (value: string) => {
|
||||
try {
|
||||
// Update object definition
|
||||
await $api(`/api/setup/objects/${props.objectApiName}`, {
|
||||
method: 'PATCH',
|
||||
body: {
|
||||
orgWideDefault: value
|
||||
}
|
||||
});
|
||||
|
||||
showToast({
|
||||
title: 'Success',
|
||||
description: 'Org-Wide Default saved successfully',
|
||||
variant: 'default'
|
||||
});
|
||||
|
||||
emit('update', value);
|
||||
} catch (error: any) {
|
||||
console.error('Failed to update org-wide default:', error);
|
||||
showToast({
|
||||
title: 'Error',
|
||||
description: error.data?.message || 'Failed to save changes',
|
||||
variant: 'destructive'
|
||||
});
|
||||
}
|
||||
};
|
||||
</script>
|
||||
317
frontend/components/RecordSharing.vue
Normal file
317
frontend/components/RecordSharing.vue
Normal file
@@ -0,0 +1,317 @@
|
||||
<template>
|
||||
<div class="record-sharing space-y-4">
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<h3 class="text-lg font-semibold">Sharing</h3>
|
||||
<p class="text-sm text-muted-foreground">
|
||||
Grant access to specific users for this record
|
||||
</p>
|
||||
</div>
|
||||
<Button @click="showShareDialog = true" size="sm">
|
||||
<UserPlus class="h-4 w-4 mr-2" />
|
||||
Share
|
||||
</Button>
|
||||
</div>
|
||||
|
||||
<!-- Loading State -->
|
||||
<div v-if="loading" class="flex items-center justify-center py-8">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
|
||||
<!-- Error State -->
|
||||
<div v-else-if="error" class="text-sm text-destructive">
|
||||
{{ error }}
|
||||
</div>
|
||||
|
||||
<!-- Shares List -->
|
||||
<div v-else-if="shares.length > 0" class="border rounded-lg">
|
||||
<Table>
|
||||
<TableHeader>
|
||||
<TableRow>
|
||||
<TableHead>User</TableHead>
|
||||
<TableHead>Email</TableHead>
|
||||
<TableHead>Access</TableHead>
|
||||
<TableHead>Shared</TableHead>
|
||||
<TableHead class="text-right">Actions</TableHead>
|
||||
</TableRow>
|
||||
</TableHeader>
|
||||
<TableBody>
|
||||
<TableRow v-for="share in shares" :key="share.id">
|
||||
<TableCell class="font-medium">
|
||||
{{ getUserName(share.granteeUser) }}
|
||||
</TableCell>
|
||||
<TableCell>{{ share.granteeUser.email }}</TableCell>
|
||||
<TableCell>
|
||||
<div class="flex gap-1">
|
||||
<Badge v-if="share.accessLevel.canRead" variant="secondary">Read</Badge>
|
||||
<Badge v-if="share.accessLevel.canEdit" variant="secondary">Edit</Badge>
|
||||
<Badge v-if="share.accessLevel.canDelete" variant="secondary">Delete</Badge>
|
||||
</div>
|
||||
</TableCell>
|
||||
<TableCell>{{ formatDate(share.createdAt) }}</TableCell>
|
||||
<TableCell class="text-right">
|
||||
<Button
|
||||
variant="ghost"
|
||||
size="icon"
|
||||
@click="removeShare(share.id)"
|
||||
:disabled="removing === share.id"
|
||||
>
|
||||
<Trash2 class="h-4 w-4" />
|
||||
</Button>
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
</TableBody>
|
||||
</Table>
|
||||
</div>
|
||||
|
||||
<!-- Empty State -->
|
||||
<div v-else class="text-center py-8 text-muted-foreground border rounded-lg">
|
||||
<Users class="h-12 w-12 mx-auto mb-2 opacity-50" />
|
||||
<p>This record is not shared with anyone</p>
|
||||
<p class="text-sm">Click "Share" to grant access to other users</p>
|
||||
</div>
|
||||
|
||||
<!-- Share Dialog -->
|
||||
<Dialog v-model:open="showShareDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Share Record</DialogTitle>
|
||||
<DialogDescription>
|
||||
Grant access to this record to specific users
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="user">User</Label>
|
||||
<Select v-model="newShare.userId" @update:model-value="(value) => newShare.userId = value">
|
||||
<SelectTrigger>
|
||||
<SelectValue placeholder="Select user" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem
|
||||
v-for="user in availableUsers"
|
||||
:key="user.id"
|
||||
:value="user.id"
|
||||
>
|
||||
{{ getUserName(user) }} ({{ user.email }})
|
||||
</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
|
||||
<div class="space-y-3">
|
||||
<Label>Permissions</Label>
|
||||
<div class="space-y-2">
|
||||
<div class="flex items-center space-x-2">
|
||||
<Checkbox
|
||||
id="canRead"
|
||||
v-model:checked="newShare.canRead"
|
||||
@update:checked="(value) => newShare.canRead = value"
|
||||
/>
|
||||
<label
|
||||
for="canRead"
|
||||
class="text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70"
|
||||
>
|
||||
Can Read
|
||||
</label>
|
||||
</div>
|
||||
<div class="flex items-center space-x-2">
|
||||
<Checkbox
|
||||
id="canEdit"
|
||||
v-model:checked="newShare.canEdit"
|
||||
@update:checked="(value) => newShare.canEdit = value"
|
||||
/>
|
||||
<label
|
||||
for="canEdit"
|
||||
class="text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70"
|
||||
>
|
||||
Can Edit
|
||||
</label>
|
||||
</div>
|
||||
<div class="flex items-center space-x-2">
|
||||
<Checkbox
|
||||
id="canDelete"
|
||||
v-model:checked="newShare.canDelete"
|
||||
@update:checked="(value) => newShare.canDelete = value"
|
||||
/>
|
||||
<label
|
||||
for="canDelete"
|
||||
class="text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70"
|
||||
>
|
||||
Can Delete
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="space-y-2">
|
||||
<Label for="expiresAt">Expires At (Optional)</Label>
|
||||
<Input
|
||||
id="expiresAt"
|
||||
v-model="newShare.expiresAt"
|
||||
type="datetime-local"
|
||||
placeholder="Never"
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showShareDialog = false">Cancel</Button>
|
||||
<Button
|
||||
@click="createShare"
|
||||
:disabled="!newShare.userId || (!newShare.canRead && !newShare.canEdit && !newShare.canDelete) || sharing"
|
||||
>
|
||||
{{ sharing ? 'Sharing...' : 'Share' }}
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted, computed } from 'vue';
|
||||
import { Button } from '~/components/ui/button';
|
||||
import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from '~/components/ui/table';
|
||||
import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle } from '~/components/ui/dialog';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import { Input } from '~/components/ui/input';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Badge } from '~/components/ui/badge';
|
||||
import Checkbox from '~/components/ui/checkbox.vue';
|
||||
import { UserPlus, Trash2, Users } from 'lucide-vue-next';
|
||||
|
||||
interface Props {
|
||||
objectApiName: string;
|
||||
recordId: string;
|
||||
ownerId?: string;
|
||||
}
|
||||
|
||||
const props = defineProps<Props>();
|
||||
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const sharing = ref(false);
|
||||
const removing = ref<string | null>(null);
|
||||
const error = ref<string | null>(null);
|
||||
const shares = ref<any[]>([]);
|
||||
const allUsers = ref<any[]>([]);
|
||||
const showShareDialog = ref(false);
|
||||
const newShare = ref({
|
||||
userId: '',
|
||||
canRead: true,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
expiresAt: '',
|
||||
});
|
||||
|
||||
// Filter out users who already have shares
|
||||
const availableUsers = computed(() => {
|
||||
const sharedUserIds = new Set(shares.value.map(s => s.granteeUserId));
|
||||
return allUsers.value.filter(u => !sharedUserIds.has(u.id));
|
||||
});
|
||||
|
||||
const loadShares = async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
error.value = null;
|
||||
const response = await api.get(
|
||||
`/runtime/objects/${props.objectApiName}/records/${props.recordId}/shares`
|
||||
);
|
||||
shares.value = response || [];
|
||||
} catch (e: any) {
|
||||
console.error('Failed to load shares:', e);
|
||||
error.value = e.message || 'Failed to load shares';
|
||||
// If user is not owner, they can't see shares
|
||||
if (e.message?.includes('owner')) {
|
||||
error.value = 'Only the record owner can manage sharing';
|
||||
}
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const loadUsers = async () => {
|
||||
try {
|
||||
const response = await api.get('/setup/users');
|
||||
allUsers.value = response || [];
|
||||
} catch (e: any) {
|
||||
console.error('Failed to load users:', e);
|
||||
}
|
||||
};
|
||||
|
||||
const createShare = async () => {
|
||||
try {
|
||||
sharing.value = true;
|
||||
const payload: any = {
|
||||
granteeUserId: newShare.value.userId,
|
||||
canRead: newShare.value.canRead,
|
||||
canEdit: newShare.value.canEdit,
|
||||
canDelete: newShare.value.canDelete,
|
||||
};
|
||||
|
||||
// Only include expiresAt if it has a value
|
||||
if (newShare.value.expiresAt && newShare.value.expiresAt.trim()) {
|
||||
payload.expiresAt = newShare.value.expiresAt;
|
||||
}
|
||||
|
||||
await api.post(
|
||||
`/runtime/objects/${props.objectApiName}/records/${props.recordId}/shares`,
|
||||
payload
|
||||
);
|
||||
toast.success('Record shared successfully');
|
||||
showShareDialog.value = false;
|
||||
newShare.value = {
|
||||
userId: '',
|
||||
canRead: true,
|
||||
canEdit: false,
|
||||
canDelete: false,
|
||||
expiresAt: '',
|
||||
};
|
||||
await loadShares();
|
||||
} catch (e: any) {
|
||||
console.error('Failed to share record:', e);
|
||||
toast.error(e.message || 'Failed to share record');
|
||||
} finally {
|
||||
sharing.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const removeShare = async (shareId: string) => {
|
||||
try {
|
||||
removing.value = shareId;
|
||||
await api.delete(
|
||||
`/runtime/objects/${props.objectApiName}/records/${props.recordId}/shares/${shareId}`
|
||||
);
|
||||
toast.success('Share removed successfully');
|
||||
await loadShares();
|
||||
} catch (e: any) {
|
||||
console.error('Failed to remove share:', e);
|
||||
toast.error(e.message || 'Failed to remove share');
|
||||
} finally {
|
||||
removing.value = null;
|
||||
}
|
||||
};
|
||||
|
||||
const getUserName = (user: any) => {
|
||||
if (!user) return 'Unknown';
|
||||
if (user.firstName || user.lastName) {
|
||||
return [user.firstName, user.lastName].filter(Boolean).join(' ');
|
||||
}
|
||||
return user.email;
|
||||
};
|
||||
|
||||
const formatDate = (date: string) => {
|
||||
if (!date) return 'N/A';
|
||||
return new Date(date).toLocaleDateString();
|
||||
};
|
||||
|
||||
onMounted(async () => {
|
||||
await Promise.all([loadShares(), loadUsers()]);
|
||||
});
|
||||
|
||||
definePageMeta({
|
||||
layout: 'default',
|
||||
});
|
||||
</script>
|
||||
33
frontend/components/ui/checkbox.vue
Normal file
33
frontend/components/ui/checkbox.vue
Normal file
@@ -0,0 +1,33 @@
|
||||
<script setup lang="ts">
|
||||
import { Check } from 'lucide-vue-next'
|
||||
import { CheckboxIndicator, CheckboxRoot, type CheckboxRootEmits, type CheckboxRootProps, useForwardPropsEmits } from 'radix-vue'
|
||||
import { computed, type HTMLAttributes } from 'vue'
|
||||
import { cn } from '@/lib/utils'
|
||||
|
||||
const props = defineProps<CheckboxRootProps & { class?: HTMLAttributes['class'] }>()
|
||||
const emits = defineEmits<CheckboxRootEmits>()
|
||||
|
||||
const delegatedProps = computed(() => {
|
||||
const { class: _, ...delegated } = props
|
||||
|
||||
return delegated
|
||||
})
|
||||
|
||||
const forwarded = useForwardPropsEmits(delegatedProps, emits)
|
||||
</script>
|
||||
|
||||
<template>
|
||||
<CheckboxRoot
|
||||
v-bind="forwarded"
|
||||
:class="
|
||||
cn(
|
||||
'peer h-4 w-4 shrink-0 rounded-sm border border-primary shadow focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground',
|
||||
props.class,
|
||||
)
|
||||
"
|
||||
>
|
||||
<CheckboxIndicator class="flex h-full w-full items-center justify-center text-current">
|
||||
<Check class="h-4 w-4" />
|
||||
</CheckboxIndicator>
|
||||
</CheckboxRoot>
|
||||
</template>
|
||||
@@ -2,9 +2,11 @@
|
||||
import { computed, ref, onMounted } from 'vue'
|
||||
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card'
|
||||
import { Button } from '@/components/ui/button'
|
||||
import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs'
|
||||
import FieldRenderer from '@/components/fields/FieldRenderer.vue'
|
||||
import PageLayoutRenderer from '@/components/PageLayoutRenderer.vue'
|
||||
import RelatedList from '@/components/RelatedList.vue'
|
||||
import RecordSharing from '@/components/RecordSharing.vue'
|
||||
import { DetailViewConfig, ViewMode, FieldSection, FieldConfig, RelatedListConfig } from '@/types/field-types'
|
||||
import { Edit, Trash2, ArrowLeft } from 'lucide-vue-next'
|
||||
import {
|
||||
@@ -20,11 +22,13 @@ interface Props {
|
||||
loading?: boolean
|
||||
objectId?: string // For fetching page layout
|
||||
baseUrl?: string
|
||||
showSharing?: boolean
|
||||
}
|
||||
|
||||
const props = withDefaults(defineProps<Props>(), {
|
||||
loading: false,
|
||||
baseUrl: '/runtime/objects',
|
||||
showSharing: true,
|
||||
})
|
||||
|
||||
const emit = defineEmits<{
|
||||
@@ -130,91 +134,123 @@ const usePageLayout = computed(() => {
|
||||
<div class="animate-spin rounded-full h-12 w-12 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
|
||||
<!-- Content with Page Layout -->
|
||||
<Card v-else-if="usePageLayout">
|
||||
<CardHeader>
|
||||
<CardTitle>Details</CardTitle>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<PageLayoutRenderer
|
||||
:fields="config.fields"
|
||||
:layout="pageLayout"
|
||||
:model-value="data"
|
||||
:readonly="true"
|
||||
/>
|
||||
</CardContent>
|
||||
</Card>
|
||||
<!-- Tabs for Details, Related, and Sharing -->
|
||||
<Tabs v-else default-value="details" class="space-y-6">
|
||||
<TabsList>
|
||||
<TabsTrigger value="details">Details</TabsTrigger>
|
||||
<TabsTrigger v-if="config.relatedLists && config.relatedLists.length > 0" value="related">
|
||||
Related
|
||||
</TabsTrigger>
|
||||
<TabsTrigger v-if="showSharing && data.id" value="sharing">
|
||||
Sharing
|
||||
</TabsTrigger>
|
||||
</TabsList>
|
||||
|
||||
<!-- Traditional Section-based Layout -->
|
||||
<div v-else class="space-y-6">
|
||||
<Card v-for="(section, idx) in sections" :key="idx">
|
||||
<Collapsible
|
||||
v-if="section.collapsible"
|
||||
:default-open="!section.defaultCollapsed"
|
||||
>
|
||||
<!-- Details Tab -->
|
||||
<TabsContent value="details" class="space-y-6">
|
||||
<!-- Content with Page Layout -->
|
||||
<Card v-if="usePageLayout">
|
||||
<CardHeader>
|
||||
<CollapsibleTrigger class="flex items-center justify-between w-full hover:bg-muted/50 -m-2 p-2 rounded">
|
||||
<div>
|
||||
<CardTitle>Details</CardTitle>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<PageLayoutRenderer
|
||||
:fields="config.fields"
|
||||
:layout="pageLayout"
|
||||
:model-value="data"
|
||||
:readonly="true"
|
||||
/>
|
||||
</CardContent>
|
||||
</Card>
|
||||
|
||||
<!-- Traditional Section-based Layout -->
|
||||
<div v-else class="space-y-6">
|
||||
<Card v-for="(section, idx) in sections" :key="idx">
|
||||
<Collapsible
|
||||
v-if="section.collapsible"
|
||||
:default-open="!section.defaultCollapsed"
|
||||
>
|
||||
<CardHeader>
|
||||
<CollapsibleTrigger class="flex items-center justify-between w-full hover:bg-muted/50 -m-2 p-2 rounded">
|
||||
<div>
|
||||
<CardTitle v-if="section.title">{{ section.title }}</CardTitle>
|
||||
<CardDescription v-if="section.description">
|
||||
{{ section.description }}
|
||||
</CardDescription>
|
||||
</div>
|
||||
</CollapsibleTrigger>
|
||||
</CardHeader>
|
||||
<CollapsibleContent>
|
||||
<CardContent>
|
||||
<div class="grid gap-6 md:grid-cols-2">
|
||||
<FieldRenderer
|
||||
v-for="field in getFieldsBySection(section)"
|
||||
:key="field.id"
|
||||
:field="field"
|
||||
:model-value="data[field.apiName]"
|
||||
:record-data="data"
|
||||
:mode="ViewMode.DETAIL"
|
||||
:base-url="baseUrl"
|
||||
/>
|
||||
</div>
|
||||
</CardContent>
|
||||
</CollapsibleContent>
|
||||
</Collapsible>
|
||||
|
||||
<template v-else>
|
||||
<CardHeader v-if="section.title || section.description">
|
||||
<CardTitle v-if="section.title">{{ section.title }}</CardTitle>
|
||||
<CardDescription v-if="section.description">
|
||||
{{ section.description }}
|
||||
</CardDescription>
|
||||
</div>
|
||||
</CollapsibleTrigger>
|
||||
</CardHeader>
|
||||
<CollapsibleContent>
|
||||
<CardContent>
|
||||
<div class="grid gap-6 md:grid-cols-2">
|
||||
<FieldRenderer
|
||||
v-for="field in getFieldsBySection(section)"
|
||||
:key="field.id"
|
||||
:field="field"
|
||||
:model-value="data[field.apiName]"
|
||||
:record-data="data"
|
||||
:mode="ViewMode.DETAIL"
|
||||
:base-url="baseUrl"
|
||||
/>
|
||||
</div>
|
||||
</CardContent>
|
||||
</CollapsibleContent>
|
||||
</Collapsible>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<div class="grid gap-6 md:grid-cols-2">
|
||||
<FieldRenderer
|
||||
v-for="field in getFieldsBySection(section)"
|
||||
:key="field?.id"
|
||||
:field="field"
|
||||
:model-value="data[field.apiName]"
|
||||
:record-data="data"
|
||||
:mode="ViewMode.DETAIL"
|
||||
:base-url="baseUrl"
|
||||
/>
|
||||
</div>
|
||||
</CardContent>
|
||||
</template>
|
||||
</Card>
|
||||
</div>
|
||||
</TabsContent>
|
||||
|
||||
<template v-else>
|
||||
<CardHeader v-if="section.title || section.description">
|
||||
<CardTitle v-if="section.title">{{ section.title }}</CardTitle>
|
||||
<CardDescription v-if="section.description">
|
||||
{{ section.description }}
|
||||
</CardDescription>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<div class="grid gap-6 md:grid-cols-2">
|
||||
<FieldRenderer
|
||||
v-for="field in getFieldsBySection(section)"
|
||||
:key="field?.id"
|
||||
:field="field"
|
||||
:model-value="data[field.apiName]"
|
||||
:record-data="data"
|
||||
:mode="ViewMode.DETAIL"
|
||||
:base-url="baseUrl"
|
||||
/>
|
||||
</div>
|
||||
<!-- Related Lists Tab -->
|
||||
<TabsContent value="related" class="space-y-6">
|
||||
<div v-if="config.relatedLists && config.relatedLists.length > 0">
|
||||
<RelatedList
|
||||
v-for="relatedList in config.relatedLists"
|
||||
:key="relatedList.relationName"
|
||||
:config="relatedList"
|
||||
:parent-id="data.id"
|
||||
:related-records="data[relatedList.relationName]"
|
||||
@navigate="(objectApiName, recordId) => emit('navigate', objectApiName, recordId)"
|
||||
@create="(objectApiName, parentId) => emit('createRelated', objectApiName, parentId)"
|
||||
/>
|
||||
</div>
|
||||
</TabsContent>
|
||||
|
||||
<!-- Sharing Tab -->
|
||||
<TabsContent value="sharing">
|
||||
<Card>
|
||||
<CardContent class="pt-6">
|
||||
<RecordSharing
|
||||
v-if="data.id && config.objectApiName"
|
||||
:object-api-name="config.objectApiName"
|
||||
:record-id="data.id"
|
||||
:owner-id="data.ownerId"
|
||||
/>
|
||||
</CardContent>
|
||||
</template>
|
||||
</Card>
|
||||
</div>
|
||||
|
||||
<!-- Related Lists -->
|
||||
<div v-if="config.relatedLists && config.relatedLists.length > 0" class="space-y-6">
|
||||
<RelatedList
|
||||
v-for="relatedList in config.relatedLists"
|
||||
:key="relatedList.relationName"
|
||||
:config="relatedList"
|
||||
:parent-id="data.id"
|
||||
:related-records="data[relatedList.relationName]"
|
||||
@navigate="(objectApiName, recordId) => emit('navigate', objectApiName, recordId)"
|
||||
@create="(objectApiName, parentId) => emit('createRelated', objectApiName, parentId)"
|
||||
/>
|
||||
</div>
|
||||
</Card>
|
||||
</TabsContent>
|
||||
</Tabs>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
|
||||
@@ -137,7 +137,12 @@ const validateForm = (): boolean => {
|
||||
|
||||
const handleSave = () => {
|
||||
if (validateForm()) {
|
||||
emit('save', { ...formData.value })
|
||||
// Start with props.data to preserve system fields like id, then override with user edits
|
||||
const dataToSave = {
|
||||
...props.data,
|
||||
...formData.value,
|
||||
}
|
||||
emit('save', dataToSave)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -160,11 +160,10 @@ const validateForm = (): boolean => {
|
||||
|
||||
const handleSave = () => {
|
||||
if (validateForm()) {
|
||||
// Filter out system fields from save data
|
||||
const saveData = { ...formData.value }
|
||||
const systemFields = ['id', 'tenantId', 'ownerId', 'created_at', 'updated_at', 'createdAt', 'updatedAt', 'createdBy', 'updatedBy']
|
||||
for (const field of systemFields) {
|
||||
delete saveData[field]
|
||||
// Start with props.data to preserve system fields like id, then override with user edits
|
||||
const saveData = {
|
||||
...props.data,
|
||||
...formData.value,
|
||||
}
|
||||
emit('save', saveData)
|
||||
}
|
||||
|
||||
@@ -16,8 +16,9 @@
|
||||
<!-- Tabs -->
|
||||
<div class="mb-8">
|
||||
<Tabs v-model="activeTab" default-value="fields" class="w-full">
|
||||
<TabsList class="grid w-full grid-cols-2 max-w-md">
|
||||
<TabsList class="grid w-full grid-cols-3 max-w-2xl">
|
||||
<TabsTrigger value="fields">Fields</TabsTrigger>
|
||||
<TabsTrigger value="access">Access</TabsTrigger>
|
||||
<TabsTrigger value="layouts">Page Layouts</TabsTrigger>
|
||||
</TabsList>
|
||||
|
||||
@@ -55,6 +56,17 @@
|
||||
</div>
|
||||
</TabsContent>
|
||||
|
||||
<!-- Access Tab -->
|
||||
<TabsContent value="access" class="mt-6">
|
||||
<ObjectAccessSettings
|
||||
:object-api-name="object.apiName"
|
||||
:object-id="object.id"
|
||||
:org-wide-default="object.orgWideDefault"
|
||||
:fields="object.fields"
|
||||
@update="handleAccessUpdate"
|
||||
/>
|
||||
</TabsContent>
|
||||
|
||||
<!-- Page Layouts Tab -->
|
||||
<TabsContent value="layouts" class="mt-6">
|
||||
<div v-if="!selectedLayout" class="space-y-4">
|
||||
@@ -138,6 +150,7 @@ import { Plus, Trash2, ArrowLeft } from 'lucide-vue-next'
|
||||
import { Button } from '@/components/ui/button'
|
||||
import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs'
|
||||
import PageLayoutEditor from '@/components/PageLayoutEditor.vue'
|
||||
import ObjectAccessSettings from '@/components/ObjectAccessSettings.vue'
|
||||
import type { PageLayout, FieldLayoutItem } from '~/types/page-layout'
|
||||
|
||||
const route = useRoute()
|
||||
@@ -247,7 +260,11 @@ watch(activeTab, (newTab) => {
|
||||
fetchLayouts()
|
||||
}
|
||||
})
|
||||
|
||||
const handleAccessUpdate = (orgWideDefault: string) => {
|
||||
if (object.value) {
|
||||
object.value.orgWideDefault = orgWideDefault
|
||||
}
|
||||
}
|
||||
onMounted(async () => {
|
||||
await fetchObject()
|
||||
// If we start on layouts tab, load them
|
||||
|
||||
231
frontend/pages/setup/roles/[id].vue
Normal file
231
frontend/pages/setup/roles/[id].vue
Normal file
@@ -0,0 +1,231 @@
|
||||
<template>
|
||||
<div class="min-h-screen bg-background">
|
||||
<NuxtLayout name="default">
|
||||
<main class="container mx-auto px-4 py-8">
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<Button variant="ghost" size="sm" @click="navigateTo('/setup/roles')" class="mb-2">
|
||||
← Back to Roles
|
||||
</Button>
|
||||
<h1 class="text-3xl font-bold">{{ role?.name || 'Role' }}</h1>
|
||||
<p class="text-muted-foreground">{{ role?.description || 'No description' }}</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div v-if="loading" class="flex items-center justify-center py-12">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
|
||||
<Tabs v-else default-value="details" class="w-full">
|
||||
<TabsList>
|
||||
<TabsTrigger value="details">Details</TabsTrigger>
|
||||
<TabsTrigger value="users">Users</TabsTrigger>
|
||||
</TabsList>
|
||||
|
||||
<TabsContent value="details" class="mt-6">
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<CardTitle>Role Information</CardTitle>
|
||||
</CardHeader>
|
||||
<CardContent class="space-y-4">
|
||||
<div class="grid grid-cols-2 gap-4">
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Name</Label>
|
||||
<p class="font-medium">{{ role?.name }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Guard</Label>
|
||||
<Badge variant="outline">{{ role?.guardName || 'tenant' }}</Badge>
|
||||
</div>
|
||||
<div class="col-span-2">
|
||||
<Label class="text-muted-foreground">Description</Label>
|
||||
<p class="font-medium">{{ role?.description || 'No description' }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Created At</Label>
|
||||
<p class="font-medium">{{ formatDate(role?.createdAt) }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Updated At</Label>
|
||||
<p class="font-medium">{{ formatDate(role?.updatedAt) }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</CardContent>
|
||||
</Card>
|
||||
</TabsContent>
|
||||
|
||||
<TabsContent value="users" class="mt-6">
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<CardTitle>Assigned Users</CardTitle>
|
||||
<CardDescription>Manage user assignments for this role</CardDescription>
|
||||
</div>
|
||||
<Button @click="showAddUserDialog = true" size="sm">
|
||||
<Plus class="mr-2 h-4 w-4" />
|
||||
Add User
|
||||
</Button>
|
||||
</div>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<div v-if="roleUsers.length === 0" class="text-center py-8 text-muted-foreground">
|
||||
No users assigned. Add users to grant them this role.
|
||||
</div>
|
||||
<div v-else class="space-y-2">
|
||||
<div
|
||||
v-for="user in roleUsers"
|
||||
:key="user.id"
|
||||
class="flex items-center justify-between p-3 border rounded-lg"
|
||||
>
|
||||
<div>
|
||||
<p class="font-medium">{{ getUserName(user) }}</p>
|
||||
<p class="text-sm text-muted-foreground">{{ user.email }}</p>
|
||||
</div>
|
||||
<Button variant="ghost" size="sm" @click="removeUser(user.id)">
|
||||
<X class="h-4 w-4" />
|
||||
</Button>
|
||||
</div>
|
||||
</div>
|
||||
</CardContent>
|
||||
</Card>
|
||||
</TabsContent>
|
||||
</Tabs>
|
||||
|
||||
<!-- Add User Dialog -->
|
||||
<Dialog v-model:open="showAddUserDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Add User</DialogTitle>
|
||||
<DialogDescription>
|
||||
Select a user to assign this role
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label>Available Users</Label>
|
||||
<Select v-model="selectedUserId" @update:model-value="(value) => selectedUserId = value">
|
||||
<SelectTrigger>
|
||||
<SelectValue placeholder="Choose a user" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem v-for="user in availableUsers" :key="user.id" :value="user.id">
|
||||
{{ getUserName(user) }} ({{ user.email }})
|
||||
</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showAddUserDialog = false">Cancel</Button>
|
||||
<Button @click="addUser" :disabled="!selectedUserId">
|
||||
Add User
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
</main>
|
||||
</NuxtLayout>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted, computed } from 'vue';
|
||||
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '~/components/ui/card';
|
||||
import { Button } from '~/components/ui/button';
|
||||
import { Tabs, TabsContent, TabsList, TabsTrigger } from '~/components/ui/tabs';
|
||||
import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle } from '~/components/ui/dialog';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Badge } from '~/components/ui/badge';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import { Plus, X } from 'lucide-vue-next';
|
||||
|
||||
definePageMeta({
|
||||
layout: 'default',
|
||||
});
|
||||
|
||||
const route = useRoute();
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const role = ref<any>(null);
|
||||
const roleUsers = ref<any[]>([]);
|
||||
const allUsers = ref<any[]>([]);
|
||||
const showAddUserDialog = ref(false);
|
||||
const selectedUserId = ref('');
|
||||
|
||||
const availableUsers = computed(() => {
|
||||
const assignedIds = new Set(roleUsers.value.map(u => u.id));
|
||||
return allUsers.value.filter(u => !assignedIds.has(u.id));
|
||||
});
|
||||
|
||||
const loadRole = async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
const roleId = route.params.id;
|
||||
const response = await api.get(`/setup/roles/${roleId}`);
|
||||
role.value = response;
|
||||
roleUsers.value = response.users || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load role:', error);
|
||||
toast.error('Failed to load role');
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const loadAllUsers = async () => {
|
||||
try {
|
||||
const response = await api.get('/setup/users');
|
||||
allUsers.value = response || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load users:', error);
|
||||
}
|
||||
};
|
||||
|
||||
const addUser = async () => {
|
||||
if (!selectedUserId.value) return;
|
||||
|
||||
try {
|
||||
await api.post(`/setup/roles/${route.params.id}/users`, {
|
||||
userId: selectedUserId.value,
|
||||
});
|
||||
toast.success('User added successfully');
|
||||
showAddUserDialog.value = false;
|
||||
selectedUserId.value = '';
|
||||
await loadRole();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to add user:', error);
|
||||
toast.error(error.message || 'Failed to add user');
|
||||
}
|
||||
};
|
||||
|
||||
const removeUser = async (userId: string) => {
|
||||
try {
|
||||
await api.delete(`/setup/roles/${route.params.id}/users/${userId}`);
|
||||
toast.success('User removed successfully');
|
||||
await loadRole();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to remove user:', error);
|
||||
toast.error(error.message || 'Failed to remove user');
|
||||
}
|
||||
};
|
||||
|
||||
const getUserName = (user: any) => {
|
||||
if (!user) return 'Unknown';
|
||||
if (user.firstName || user.lastName) {
|
||||
return [user.firstName, user.lastName].filter(Boolean).join(' ');
|
||||
}
|
||||
return user.email || 'Unknown';
|
||||
};
|
||||
|
||||
const formatDate = (date: string) => {
|
||||
if (!date) return 'N/A';
|
||||
return new Date(date).toLocaleDateString();
|
||||
};
|
||||
|
||||
onMounted(async () => {
|
||||
await Promise.all([loadRole(), loadAllUsers()]);
|
||||
});
|
||||
</script>
|
||||
285
frontend/pages/setup/roles/index.vue
Normal file
285
frontend/pages/setup/roles/index.vue
Normal file
@@ -0,0 +1,285 @@
|
||||
<template>
|
||||
<div class="min-h-screen bg-background">
|
||||
<NuxtLayout name="default">
|
||||
<main class="container mx-auto px-4 py-8">
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<h1 class="text-3xl font-bold">Roles</h1>
|
||||
<p class="text-muted-foreground">Manage roles and permissions</p>
|
||||
</div>
|
||||
<Button @click="showCreateDialog = true">
|
||||
<Plus class="mr-2 h-4 w-4" />
|
||||
New Role
|
||||
</Button>
|
||||
</div>
|
||||
|
||||
<div class="border rounded-lg">
|
||||
<Table>
|
||||
<TableHeader>
|
||||
<TableRow>
|
||||
<TableHead>Name</TableHead>
|
||||
<TableHead>Description</TableHead>
|
||||
<TableHead>Guard</TableHead>
|
||||
<TableHead>Users</TableHead>
|
||||
<TableHead>Created</TableHead>
|
||||
<TableHead class="text-right">Actions</TableHead>
|
||||
</TableRow>
|
||||
</TableHeader>
|
||||
<TableBody>
|
||||
<TableRow v-if="loading">
|
||||
<TableCell :colspan="6" class="text-center py-8">
|
||||
<div class="flex items-center justify-center">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
<TableRow v-else-if="roles.length === 0">
|
||||
<TableCell :colspan="6" class="text-center py-8 text-muted-foreground">
|
||||
No roles found. Create your first role to get started.
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
<TableRow v-else v-for="role in roles" :key="role.id" class="cursor-pointer hover:bg-muted/50" @click="navigateTo(`/setup/roles/${role.id}`)">
|
||||
<TableCell class="font-medium">{{ role.name }}</TableCell>
|
||||
<TableCell>{{ role.description || 'No description' }}</TableCell>
|
||||
<TableCell>
|
||||
<Badge variant="outline">{{ role.guardName || 'tenant' }}</Badge>
|
||||
</TableCell>
|
||||
<TableCell>
|
||||
{{ role.userCount || 0 }} users
|
||||
</TableCell>
|
||||
<TableCell>{{ formatDate(role.createdAt) }}</TableCell>
|
||||
<TableCell class="text-right" @click.stop>
|
||||
<div class="flex items-center justify-end gap-1">
|
||||
<Button variant="ghost" size="icon" @click="navigateTo(`/setup/roles/${role.id}`)">
|
||||
<Eye class="h-4 w-4" />
|
||||
</Button>
|
||||
<Button variant="ghost" size="icon" @click="openEditDialog(role)">
|
||||
<Edit class="h-4 w-4" />
|
||||
</Button>
|
||||
<Button variant="ghost" size="icon" @click="openDeleteDialog(role)">
|
||||
<Trash2 class="h-4 w-4" />
|
||||
</Button>
|
||||
</div>
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
</TableBody>
|
||||
</Table>
|
||||
</div>
|
||||
|
||||
<!-- Create Role Dialog -->
|
||||
<Dialog v-model:open="showCreateDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Create New Role</DialogTitle>
|
||||
<DialogDescription>
|
||||
Add a new role to the system
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="name">Name</Label>
|
||||
<Input id="name" v-model="newRole.name" placeholder="Sales Manager" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="description">Description (Optional)</Label>
|
||||
<Input id="description" v-model="newRole.description" placeholder="Manages sales team and deals" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="guardName">Guard Name</Label>
|
||||
<Select v-model="newRole.guardName" @update:model-value="(value) => newRole.guardName = value">
|
||||
<SelectTrigger>
|
||||
<SelectValue placeholder="Select guard" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem value="tenant">Tenant</SelectItem>
|
||||
<SelectItem value="central">Central</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showCreateDialog = false">Cancel</Button>
|
||||
<Button @click="createRole" :disabled="!newRole.name">
|
||||
Create Role
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
|
||||
<!-- Edit Role Dialog -->
|
||||
<Dialog v-model:open="showEditDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Edit Role</DialogTitle>
|
||||
<DialogDescription>
|
||||
Update role information
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-name">Name</Label>
|
||||
<Input id="edit-name" v-model="editRole.name" placeholder="Role name" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-description">Description</Label>
|
||||
<Input id="edit-description" v-model="editRole.description" placeholder="Role description" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-guardName">Guard Name</Label>
|
||||
<Select v-model="editRole.guardName" @update:model-value="(value) => editRole.guardName = value">
|
||||
<SelectTrigger>
|
||||
<SelectValue placeholder="Select guard" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem value="tenant">Tenant</SelectItem>
|
||||
<SelectItem value="central">Central</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showEditDialog = false">Cancel</Button>
|
||||
<Button @click="updateRole" :disabled="!editRole.name">
|
||||
Update Role
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
|
||||
<!-- Delete Confirmation Dialog -->
|
||||
<Dialog v-model:open="showDeleteDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Delete Role</DialogTitle>
|
||||
<DialogDescription>
|
||||
Are you sure you want to delete this role? This action cannot be undone.
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showDeleteDialog = false">Cancel</Button>
|
||||
<Button variant="destructive" @click="deleteRole">
|
||||
Delete Role
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
</main>
|
||||
</NuxtLayout>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted } from 'vue';
|
||||
import { Button } from '~/components/ui/button';
|
||||
import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from '~/components/ui/table';
|
||||
import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle } from '~/components/ui/dialog';
|
||||
import { Input } from '~/components/ui/input';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Badge } from '~/components/ui/badge';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import { Plus, Eye, Edit, Trash2 } from 'lucide-vue-next';
|
||||
|
||||
definePageMeta({
|
||||
layout: 'default',
|
||||
});
|
||||
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const roles = ref<any[]>([]);
|
||||
const showCreateDialog = ref(false);
|
||||
const showEditDialog = ref(false);
|
||||
const showDeleteDialog = ref(false);
|
||||
const newRole = ref({
|
||||
name: '',
|
||||
description: '',
|
||||
guardName: 'tenant',
|
||||
});
|
||||
const editRole = ref({
|
||||
id: '',
|
||||
name: '',
|
||||
description: '',
|
||||
guardName: 'tenant',
|
||||
});
|
||||
const roleToDelete = ref<any>(null);
|
||||
|
||||
const loadRoles = async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
const response = await api.get('/setup/roles');
|
||||
roles.value = response || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load roles:', error);
|
||||
toast.error('Failed to load roles');
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const createRole = async () => {
|
||||
try {
|
||||
await api.post('/setup/roles', newRole.value);
|
||||
toast.success('Role created successfully');
|
||||
showCreateDialog.value = false;
|
||||
newRole.value = { name: '', description: '', guardName: 'tenant' };
|
||||
await loadRoles();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to create role:', error);
|
||||
toast.error(error.message || 'Failed to create role');
|
||||
}
|
||||
};
|
||||
|
||||
const openEditDialog = (role: any) => {
|
||||
editRole.value = {
|
||||
id: role.id,
|
||||
name: role.name,
|
||||
description: role.description || '',
|
||||
guardName: role.guardName || 'tenant',
|
||||
};
|
||||
showEditDialog.value = true;
|
||||
};
|
||||
|
||||
const updateRole = async () => {
|
||||
try {
|
||||
await api.patch(`/setup/roles/${editRole.value.id}`, {
|
||||
name: editRole.value.name,
|
||||
description: editRole.value.description,
|
||||
guardName: editRole.value.guardName,
|
||||
});
|
||||
toast.success('Role updated successfully');
|
||||
showEditDialog.value = false;
|
||||
await loadRoles();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to update role:', error);
|
||||
toast.error(error.message || 'Failed to update role');
|
||||
}
|
||||
};
|
||||
|
||||
const openDeleteDialog = (role: any) => {
|
||||
roleToDelete.value = role;
|
||||
showDeleteDialog.value = true;
|
||||
};
|
||||
|
||||
const deleteRole = async () => {
|
||||
try {
|
||||
await api.delete(`/setup/roles/${roleToDelete.value.id}`);
|
||||
toast.success('Role deleted successfully');
|
||||
showDeleteDialog.value = false;
|
||||
roleToDelete.value = null;
|
||||
await loadRoles();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to delete role:', error);
|
||||
toast.error(error.message || 'Failed to delete role');
|
||||
}
|
||||
};
|
||||
|
||||
const formatDate = (date: string) => {
|
||||
if (!date) return 'N/A';
|
||||
return new Date(date).toLocaleDateString();
|
||||
};
|
||||
|
||||
onMounted(() => {
|
||||
loadRoles();
|
||||
});
|
||||
</script>
|
||||
227
frontend/pages/setup/users/[id].vue
Normal file
227
frontend/pages/setup/users/[id].vue
Normal file
@@ -0,0 +1,227 @@
|
||||
<template>
|
||||
<div class="min-h-screen bg-background">
|
||||
<NuxtLayout name="default">
|
||||
<main class="container mx-auto px-4 py-8">
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<Button variant="ghost" size="sm" @click="navigateTo('/setup/users')" class="mb-2">
|
||||
← Back to Users
|
||||
</Button>
|
||||
<h1 class="text-3xl font-bold">{{ getUserName(user) }}</h1>
|
||||
<p class="text-muted-foreground">{{ user?.email }}</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div v-if="loading" class="flex items-center justify-center py-12">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
|
||||
<Tabs v-else default-value="details" class="w-full">
|
||||
<TabsList>
|
||||
<TabsTrigger value="details">Details</TabsTrigger>
|
||||
<TabsTrigger value="roles">Roles</TabsTrigger>
|
||||
</TabsList>
|
||||
|
||||
<TabsContent value="details" class="mt-6">
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<CardTitle>User Information</CardTitle>
|
||||
</CardHeader>
|
||||
<CardContent class="space-y-4">
|
||||
<div class="grid grid-cols-2 gap-4">
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Email</Label>
|
||||
<p class="font-medium">{{ user?.email }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">First Name</Label>
|
||||
<p class="font-medium">{{ user?.firstName || 'N/A' }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Last Name</Label>
|
||||
<p class="font-medium">{{ user?.lastName || 'N/A' }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Created At</Label>
|
||||
<p class="font-medium">{{ formatDate(user?.createdAt) }}</p>
|
||||
</div>
|
||||
<div>
|
||||
<Label class="text-muted-foreground">Updated At</Label>
|
||||
<p class="font-medium">{{ formatDate(user?.updatedAt) }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</CardContent>
|
||||
</Card>
|
||||
</TabsContent>
|
||||
|
||||
<TabsContent value="roles" class="mt-6">
|
||||
<Card>
|
||||
<CardHeader>
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<CardTitle>Assigned Roles</CardTitle>
|
||||
<CardDescription>Manage role assignments for this user</CardDescription>
|
||||
</div>
|
||||
<Button @click="showAddRoleDialog = true" size="sm">
|
||||
<Plus class="mr-2 h-4 w-4" />
|
||||
Add Role
|
||||
</Button>
|
||||
</div>
|
||||
</CardHeader>
|
||||
<CardContent>
|
||||
<div v-if="userRoles.length === 0" class="text-center py-8 text-muted-foreground">
|
||||
No roles assigned. Add roles to grant permissions.
|
||||
</div>
|
||||
<div v-else class="space-y-2">
|
||||
<div
|
||||
v-for="role in userRoles"
|
||||
:key="role.id"
|
||||
class="flex items-center justify-between p-3 border rounded-lg"
|
||||
>
|
||||
<div>
|
||||
<p class="font-medium">{{ role.name }}</p>
|
||||
<p class="text-sm text-muted-foreground">{{ role.description || 'No description' }}</p>
|
||||
</div>
|
||||
<Button variant="ghost" size="sm" @click="removeRole(role.id)">
|
||||
<X class="h-4 w-4" />
|
||||
</Button>
|
||||
</div>
|
||||
</div>
|
||||
</CardContent>
|
||||
</Card>
|
||||
</TabsContent>
|
||||
</Tabs>
|
||||
|
||||
<!-- Add Role Dialog -->
|
||||
<Dialog v-model:open="showAddRoleDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Add Role</DialogTitle>
|
||||
<DialogDescription>
|
||||
Select a role to assign to this user
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label>Available Roles</Label>
|
||||
<Select v-model="selectedRoleId" @update:model-value="(value) => selectedRoleId = value">
|
||||
<SelectTrigger>
|
||||
<SelectValue placeholder="Choose a role" />
|
||||
</SelectTrigger>
|
||||
<SelectContent>
|
||||
<SelectItem v-for="role in availableRoles" :key="role.id" :value="role.id">
|
||||
{{ role.name }}
|
||||
</SelectItem>
|
||||
</SelectContent>
|
||||
</Select>
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showAddRoleDialog = false">Cancel</Button>
|
||||
<Button @click="addRole" :disabled="!selectedRoleId">
|
||||
Add Role
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
</main>
|
||||
</NuxtLayout>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted, computed } from 'vue';
|
||||
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '~/components/ui/card';
|
||||
import { Button } from '~/components/ui/button';
|
||||
import { Tabs, TabsContent, TabsList, TabsTrigger } from '~/components/ui/tabs';
|
||||
import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle } from '~/components/ui/dialog';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '~/components/ui/select';
|
||||
import { Plus, X } from 'lucide-vue-next';
|
||||
|
||||
|
||||
const route = useRoute();
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const user = ref<any>(null);
|
||||
const userRoles = ref<any[]>([]);
|
||||
const allRoles = ref<any[]>([]);
|
||||
const showAddRoleDialog = ref(false);
|
||||
const selectedRoleId = ref('');
|
||||
|
||||
const availableRoles = computed(() => {
|
||||
const assignedIds = new Set(userRoles.value.map(r => r.id));
|
||||
return allRoles.value.filter(r => !assignedIds.has(r.id));
|
||||
});
|
||||
|
||||
const loadUser = async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
const userId = route.params.id;
|
||||
const response = await api.get(`/setup/users/${userId}`);
|
||||
user.value = response;
|
||||
userRoles.value = response.roles || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load user:', error);
|
||||
toast.error('Failed to load user');
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const loadAllRoles = async () => {
|
||||
try {
|
||||
const response = await api.get('/setup/roles');
|
||||
allRoles.value = response || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load roles:', error);
|
||||
}
|
||||
};
|
||||
|
||||
const addRole = async () => {
|
||||
if (!selectedRoleId.value) return;
|
||||
|
||||
try {
|
||||
await api.post(`/setup/users/${route.params.id}/roles`, {
|
||||
roleId: selectedRoleId.value,
|
||||
});
|
||||
toast.success('Role added successfully');
|
||||
showAddRoleDialog.value = false;
|
||||
selectedRoleId.value = '';
|
||||
await loadUser();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to add role:', error);
|
||||
toast.error(error.message || 'Failed to add role');
|
||||
}
|
||||
};
|
||||
|
||||
const removeRole = async (roleId: string) => {
|
||||
try {
|
||||
await api.delete(`/setup/users/${route.params.id}/roles/${roleId}`);
|
||||
toast.success('Role removed successfully');
|
||||
await loadUser();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to remove role:', error);
|
||||
toast.error(error.message || 'Failed to remove role');
|
||||
}
|
||||
};
|
||||
|
||||
const getUserName = (user: any) => {
|
||||
if (!user) return 'User';
|
||||
if (user.firstName || user.lastName) {
|
||||
return [user.firstName, user.lastName].filter(Boolean).join(' ');
|
||||
}
|
||||
return user.email || 'User';
|
||||
};
|
||||
|
||||
const formatDate = (date: string) => {
|
||||
if (!date) return 'N/A';
|
||||
return new Date(date).toLocaleDateString();
|
||||
};
|
||||
|
||||
onMounted(async () => {
|
||||
await Promise.all([loadUser(), loadAllRoles()]);
|
||||
});
|
||||
</script>
|
||||
290
frontend/pages/setup/users/index.vue
Normal file
290
frontend/pages/setup/users/index.vue
Normal file
@@ -0,0 +1,290 @@
|
||||
<template>
|
||||
<div class="min-h-screen bg-background">
|
||||
<NuxtLayout name="default">
|
||||
<main class="container mx-auto px-4 py-8">
|
||||
<div class="flex items-center justify-between">
|
||||
<div>
|
||||
<h1 class="text-3xl font-bold">Users</h1>
|
||||
<p class="text-muted-foreground">Manage user accounts and access</p>
|
||||
</div>
|
||||
<Button @click="showCreateDialog = true">
|
||||
<UserPlus class="mr-2 h-4 w-4" />
|
||||
New User
|
||||
</Button>
|
||||
</div>
|
||||
|
||||
<div class="border rounded-lg">
|
||||
<Table>
|
||||
<TableHeader>
|
||||
<TableRow>
|
||||
<TableHead>Name</TableHead>
|
||||
<TableHead>Email</TableHead>
|
||||
<TableHead>Roles</TableHead>
|
||||
<TableHead>Created</TableHead>
|
||||
<TableHead class="text-right">Actions</TableHead>
|
||||
</TableRow>
|
||||
</TableHeader>
|
||||
<TableBody>
|
||||
<TableRow v-if="loading">
|
||||
<TableCell :colspan="5" class="text-center py-8">
|
||||
<div class="flex items-center justify-center">
|
||||
<div class="animate-spin rounded-full h-8 w-8 border-b-2 border-primary"></div>
|
||||
</div>
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
<TableRow v-else-if="users.length === 0">
|
||||
<TableCell :colspan="5" class="text-center py-8 text-muted-foreground">
|
||||
No users found. Create your first user to get started.
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
<TableRow v-else v-for="user in users" :key="user.id" class="cursor-pointer hover:bg-muted/50" @click="navigateTo(`/setup/users/${user.id}`)">
|
||||
<TableCell class="font-medium">{{ getUserName(user) }}</TableCell>
|
||||
<TableCell>{{ user.email }}</TableCell>
|
||||
<TableCell>
|
||||
<div class="flex gap-1 flex-wrap">
|
||||
<Badge v-for="role in user.roles" :key="role.id" variant="secondary">
|
||||
{{ role.name }}
|
||||
</Badge>
|
||||
<span v-if="!user.roles || user.roles.length === 0" class="text-muted-foreground text-sm">
|
||||
No roles
|
||||
</span>
|
||||
</div>
|
||||
</TableCell>
|
||||
<TableCell>{{ formatDate(user.createdAt) }}</TableCell>
|
||||
<TableCell class="text-right" @click.stop>
|
||||
<div class="flex items-center justify-end gap-1">
|
||||
<Button variant="ghost" size="icon" @click="navigateTo(`/setup/users/${user.id}`)">
|
||||
<Eye class="h-4 w-4" />
|
||||
</Button>
|
||||
<Button variant="ghost" size="icon" @click="openEditDialog(user)">
|
||||
<Edit class="h-4 w-4" />
|
||||
</Button>
|
||||
<Button variant="ghost" size="icon" @click="openDeleteDialog(user)">
|
||||
<Trash2 class="h-4 w-4" />
|
||||
</Button>
|
||||
</div>
|
||||
</TableCell>
|
||||
</TableRow>
|
||||
</TableBody>
|
||||
</Table>
|
||||
</div>
|
||||
|
||||
<!-- Create User Dialog -->
|
||||
<Dialog v-model:open="showCreateDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Create New User</DialogTitle>
|
||||
<DialogDescription>
|
||||
Add a new user to the system
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="email">Email</Label>
|
||||
<Input id="email" v-model="newUser.email" type="email" placeholder="user@example.com" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="password">Password</Label>
|
||||
<Input id="password" v-model="newUser.password" type="password" placeholder="••••••••" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="firstName">First Name (Optional)</Label>
|
||||
<Input id="firstName" v-model="newUser.firstName" placeholder="John" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="lastName">Last Name (Optional)</Label>
|
||||
<Input id="lastName" v-model="newUser.lastName" placeholder="Doe" />
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showCreateDialog = false">Cancel</Button>
|
||||
<Button @click="createUser" :disabled="!newUser.email || !newUser.password">
|
||||
Create User
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
|
||||
<!-- Edit User Dialog -->
|
||||
<Dialog v-model:open="showEditDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Edit User</DialogTitle>
|
||||
<DialogDescription>
|
||||
Update user information
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<div class="space-y-4">
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-email">Email</Label>
|
||||
<Input id="edit-email" v-model="editUser.email" type="email" placeholder="user@example.com" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-password">Password (leave blank to keep current)</Label>
|
||||
<Input id="edit-password" v-model="editUser.password" type="password" placeholder="••••••••" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-firstName">First Name</Label>
|
||||
<Input id="edit-firstName" v-model="editUser.firstName" placeholder="John" />
|
||||
</div>
|
||||
<div class="space-y-2">
|
||||
<Label for="edit-lastName">Last Name</Label>
|
||||
<Input id="edit-lastName" v-model="editUser.lastName" placeholder="Doe" />
|
||||
</div>
|
||||
</div>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showEditDialog = false">Cancel</Button>
|
||||
<Button @click="updateUser" :disabled="!editUser.email">
|
||||
Update User
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
|
||||
<!-- Delete Confirmation Dialog -->
|
||||
<Dialog v-model:open="showDeleteDialog">
|
||||
<DialogContent>
|
||||
<DialogHeader>
|
||||
<DialogTitle>Delete User</DialogTitle>
|
||||
<DialogDescription>
|
||||
Are you sure you want to delete this user? This action cannot be undone.
|
||||
</DialogDescription>
|
||||
</DialogHeader>
|
||||
<DialogFooter>
|
||||
<Button variant="outline" @click="showDeleteDialog = false">Cancel</Button>
|
||||
<Button variant="destructive" @click="deleteUser">
|
||||
Delete User
|
||||
</Button>
|
||||
</DialogFooter>
|
||||
</DialogContent>
|
||||
</Dialog>
|
||||
</main>
|
||||
</NuxtLayout>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import { ref, onMounted } from 'vue';
|
||||
import { Button } from '~/components/ui/button';
|
||||
import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from '~/components/ui/table';
|
||||
import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle } from '~/components/ui/dialog';
|
||||
import { Input } from '~/components/ui/input';
|
||||
import { Label } from '~/components/ui/label';
|
||||
import { Badge } from '~/components/ui/badge';
|
||||
import { UserPlus, Eye, Edit, Trash2 } from 'lucide-vue-next';
|
||||
|
||||
|
||||
const { api } = useApi();
|
||||
const { toast } = useToast();
|
||||
|
||||
const loading = ref(true);
|
||||
const users = ref<any[]>([]);
|
||||
const showCreateDialog = ref(false);
|
||||
const showEditDialog = ref(false);
|
||||
const showDeleteDialog = ref(false);
|
||||
const newUser = ref({
|
||||
email: '',
|
||||
password: '',
|
||||
firstName: '',
|
||||
lastName: '',
|
||||
});
|
||||
const editUser = ref({
|
||||
id: '',
|
||||
email: '',
|
||||
password: '',
|
||||
firstName: '',
|
||||
lastName: '',
|
||||
});
|
||||
const userToDelete = ref<any>(null);
|
||||
|
||||
const loadUsers = async () => {
|
||||
try {
|
||||
loading.value = true;
|
||||
const response = await api.get('/setup/users');
|
||||
users.value = response || [];
|
||||
} catch (error: any) {
|
||||
console.error('Failed to load users:', error);
|
||||
toast.error('Failed to load users');
|
||||
} finally {
|
||||
loading.value = false;
|
||||
}
|
||||
};
|
||||
|
||||
const createUser = async () => {
|
||||
try {
|
||||
await api.post('/setup/users', newUser.value);
|
||||
toast.success('User created successfully');
|
||||
showCreateDialog.value = false;
|
||||
newUser.value = { email: '', password: '', firstName: '', lastName: '' };
|
||||
await loadUsers();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to create user:', error);
|
||||
toast.error(error.message || 'Failed to create user');
|
||||
}
|
||||
};
|
||||
|
||||
const openEditDialog = (user: any) => {
|
||||
editUser.value = {
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
password: '',
|
||||
firstName: user.firstName || '',
|
||||
lastName: user.lastName || '',
|
||||
};
|
||||
showEditDialog.value = true;
|
||||
};
|
||||
|
||||
const updateUser = async () => {
|
||||
try {
|
||||
const payload: any = {
|
||||
email: editUser.value.email,
|
||||
firstName: editUser.value.firstName,
|
||||
lastName: editUser.value.lastName,
|
||||
};
|
||||
if (editUser.value.password) {
|
||||
payload.password = editUser.value.password;
|
||||
}
|
||||
await api.patch(`/setup/users/${editUser.value.id}`, payload);
|
||||
toast.success('User updated successfully');
|
||||
showEditDialog.value = false;
|
||||
await loadUsers();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to update user:', error);
|
||||
toast.error(error.message || 'Failed to update user');
|
||||
}
|
||||
};
|
||||
|
||||
const openDeleteDialog = (user: any) => {
|
||||
userToDelete.value = user;
|
||||
showDeleteDialog.value = true;
|
||||
};
|
||||
|
||||
const deleteUser = async () => {
|
||||
try {
|
||||
await api.delete(`/setup/users/${userToDelete.value.id}`);
|
||||
toast.success('User deleted successfully');
|
||||
showDeleteDialog.value = false;
|
||||
userToDelete.value = null;
|
||||
await loadUsers();
|
||||
} catch (error: any) {
|
||||
console.error('Failed to delete user:', error);
|
||||
toast.error(error.message || 'Failed to delete user');
|
||||
}
|
||||
};
|
||||
|
||||
const getUserName = (user: any) => {
|
||||
if (user.firstName || user.lastName) {
|
||||
return [user.firstName, user.lastName].filter(Boolean).join(' ');
|
||||
}
|
||||
return user.email;
|
||||
};
|
||||
|
||||
const formatDate = (date: string) => {
|
||||
if (!date) return 'N/A';
|
||||
return new Date(date).toLocaleDateString();
|
||||
};
|
||||
|
||||
onMounted(() => {
|
||||
loadUsers();
|
||||
});
|
||||
</script>
|
||||
Reference in New Issue
Block a user