admin/PolyMPR
1
0
Fork 0
Code Issues 14 Pull Requests 1 Actions Packages Projects 1 Releases Wiki Activity
Files
9368e686223439f55290d166a5b2e3322f53c223
PolyMPR/defaults/withRules.ts
T

109 lines
3.6 KiB
TypeScript
Raw Blame History

import { FreshContext } from "$fresh/server.ts";
import { db } from "$root/databases/db.ts";
import {
enseignements,
rolePermissions,
users,
} from "$root/databases/schema.ts";
import { AuthenticatedState } from "$root/defaults/interfaces.ts";
import { and, eq } from "npm:drizzle-orm@0.45.2";
type RuleFn = (
req: Request,
ctx: FreshContext<AuthenticatedState>,
) => Promise<boolean> | boolean;
async function hasPermission(
uid: string,
permission: string,
): Promise<boolean> {
const [user] = await db.select().from(users).where(eq(users.id, uid));
if (!user || user.idRole === null) return false;
const [rp] = await db.select().from(rolePermissions).where(
and(
eq(rolePermissions.idRole, user.idRole!),
eq(rolePermissions.idPermission, permission),
),
);
return !!rp;
}
function parseNumEtud(uid: string): number {
return parseInt(uid.slice(1));
}
const rules = {
student_read: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "student_read"),
student_write: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "student_write"),
note_read: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "note_read"),
note_write: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "note_write"),
module_read: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "module_read"),
module_write: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "module_write"),
user_read: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "user_read"),
user_write: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "user_write"),
role_write: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
hasPermission(ctx.state.session.uid, "role_write"),
// Contextual rules — student accessing their own data
own_student: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
parseNumEtud(ctx.state.session.uid) === Number(ctx.params.numEtud),
own_note: (_req: Request, ctx: FreshContext<AuthenticatedState>) =>
parseNumEtud(ctx.state.session.uid) === Number(ctx.params.numEtud),
// Contextual rule — teacher accessing notes for a module they teach
own_teaching_note: async (
_req: Request,
ctx: FreshContext<AuthenticatedState>,
) => {
const [row] = await db.select().from(enseignements).where(
and(
eq(enseignements.idProf, ctx.state.session.uid),
eq(enseignements.idModule, ctx.params.idModule),
),
);
return !!row;
},
};
export type RuleName = keyof typeof rules;
type HandlerFn = (
req: Request,
ctx: FreshContext<AuthenticatedState>,
) => Promise<Response>;
/**
* Wraps a route handler with permission checks.
* Access is granted if ANY of the provided rules passes (OR logic).
* Returns 403 if none pass.
*
* @example
* export const handler: Handlers<null, AuthenticatedState> = {
* GET: withRules(["note_read", "own_note"])(async (req, ctx) => {
* // ...
* }),
* };
*/
export function withRules(ruleNames: RuleName[]) {
return (handler: HandlerFn): HandlerFn => {
return async (req, ctx) => {
const results = await Promise.all(
ruleNames.map((name) => rules[name](req, ctx)),
);
if (!results.some(Boolean)) {
return new Response(null, { status: 403 });
}
return handler(req, ctx);
};
};
}
Reference in New Issue View Git Blame Copy Permalink