fix: import of user permissions API

cmd/hspguard/main.go

@@ -45,6 +45,7 @@ func main() {
 	cache := cache.NewClient(&cfg)
 
 	user.EnsureAdminUser(ctx, &cfg, repo)
+	user.EnsureSystemPermissions(ctx, repo)
 
 	server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
 	if err := server.Run(); err != nil {

internal/admin/permissions.go

@@ -6,18 +6,62 @@ import (
 	"net/http"
 
 	"gitea.local/admin/hspguard/internal/repository"
-	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 )
 
-func (h *AdminHandler) GetPermissions(w http.ResponseWriter, r *http.Request) {
+func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
-	userId, ok := util.GetRequestUserId(r.Context())
+	rows, err := h.repo.GetGroupedPermissions(r.Context())
-	if !ok {
+	if err != nil {
-		web.Error(w, "failed to get user id from auth session", http.StatusInternalServerError)
+		log.Println("ERR: Failed to list permissions from db:", err)
+		web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
 		return
 	}
 
+	type RowDTO struct {
+		Scope       string                  `json:"scope"`
+		Permissions []repository.Permission `json:"permissions"`
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.GetGroupedPermissionsRow, 0)
+	}
+
+	var mapped []RowDTO
+
+	for _, row := range rows {
+		var permissions []repository.Permission
+
+		if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
+			log.Println("ERR: Failed to extract permissions from byte array:", err)
+			web.Error(w, "failed to get permissions", http.StatusInternalServerError)
+			return
+		}
+
+		log.Println("DEBUG: Appending row dto:", RowDTO{
+			Scope:       row.Scope,
+			Permissions: permissions,
+		})
+
+		mapped = append(mapped, RowDTO{
+			Scope:       row.Scope,
+			Permissions: permissions,
+		})
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(mapped); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}
+
+func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
+	userId := chi.URLParam(r, "user_id")
+
 	permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
 	if err != nil {
 		log.Println("ERR: Failed to list permissions from db:", err)

internal/admin/routes.go

@@ -42,7 +42,8 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 		r.Get("/service-sessions", h.GetServiceSessions)
 		r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
 
-		r.Get("/permissions", h.GetPermissions)
+		r.Get("/permissions", h.GetAllPermissions)
+		r.Get("/permissions/{user_id}", h.GetUserPermissions)
 	})
 
 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

internal/repository/permissions.sql.go

@@ -11,28 +11,133 @@ import (
 	"github.com/google/uuid"
 )
 
+const createPermission = `-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING id, name, scope, description
+`
+
+type CreatePermissionParams struct {
+	Name        string  `json:"name"`
+	Scope       string  `json:"scope"`
+	Description *string `json:"description"`
+}
+
+func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const findPermission = `-- name: FindPermission :one
+SELECT id, name, scope, description FROM permissions
+WHERE name = $1 AND scope = $2
+`
+
+type FindPermissionParams struct {
+	Name  string `json:"name"`
+	Scope string `json:"scope"`
+}
+
+func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const getAllPermissions = `-- name: GetAllPermissions :many
+SELECT id, name, scope, description
+FROM permissions p
+ORDER BY p.scope
+`
+
+func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
+	rows, err := q.db.Query(ctx, getAllPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Permission
+	for rows.Next() {
+		var i Permission
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getGroupedPermissions = `-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope
+`
+
+type GetGroupedPermissionsRow struct {
+	Scope       string `json:"scope"`
+	Permissions []byte `json:"permissions"`
+}
+
+func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
+	rows, err := q.db.Query(ctx, getGroupedPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetGroupedPermissionsRow
+	for rows.Next() {
+		var i GetGroupedPermissionsRow
+		if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getUserPermissions = `-- name: GetUserPermissions :many
 SELECT DISTINCT p.id,p.name,p.scope,p.description
 FROM permissions p
-
 LEFT JOIN role_permissions rp_user
     ON p.id = rp_user.permission_id
 LEFT JOIN user_roles ur
     ON rp_user.role_id = ur.role_id AND ur.user_id = $1
-
 LEFT JOIN user_groups ug
     ON ug.user_id = $1
 LEFT JOIN group_roles gr
     ON ug.group_id = gr.group_id
 LEFT JOIN role_permissions rp_group
     ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
-
 LEFT JOIN user_permissions up
     ON up.user_id = $1 AND up.permission_id = p.id
-
 LEFT JOIN group_permissions gp
     ON gp.group_id = ug.group_id AND gp.permission_id = p.id
-
 WHERE ur.user_id IS NOT NULL
    OR gr.group_id IS NOT NULL
    OR up.user_id IS NOT NULL

internal/user/permissions.go

@@ -0,0 +1,70 @@
+package user
+
+import (
+	"context"
+	"log"
+
+	"gitea.local/admin/hspguard/internal/repository"
+)
+
+func String(s string) *string {
+	return &s
+}
+
+var (
+	SYSTEM_SCOPE       string                  = "system"
+	SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
+		{
+			Name:        "log_into_guard",
+			Description: String("Allow users to log into their accounts"),
+		},
+		{
+			Name:        "register",
+			Description: String("Allow users to register new accounts"),
+		},
+		{
+			Name:        "edit_profile",
+			Description: String("Allow users to edit their profiles"),
+		},
+		{
+			Name:        "recover_credentials",
+			Description: String("Allow users to recover their password/email"),
+		},
+		{
+			Name:        "verify_profile",
+			Description: String("Allow users to verify their accounts"),
+		},
+		{
+			Name:        "access_home_services",
+			Description: String("Allow users to access home services and tools"),
+		},
+		{
+			Name:        "view_sessions",
+			Description: String("Allow users to view their active sessions"),
+		},
+		{
+			Name:        "revoke_sessions",
+			Description: String("Allow users to revoke their active sessions"),
+		},
+	}
+)
+
+func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
+	for _, permission := range SYSTEM_PERMISSIONS {
+		_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
+			Name:  permission.Name,
+			Scope: SYSTEM_SCOPE,
+		})
+		if err != nil {
+			log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
+			_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
+				Name:        permission.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: permission.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
+			}
+		}
+	}
+}

queries/permissions.sql

@@ -1,14 +1,33 @@
 
+-- name: GetAllPermissions :many
+SELECT *
+FROM permissions p
+ORDER BY p.scope;
+
+-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope;
+
+-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING *;
+
+-- name: FindPermission :one
+SELECT * FROM permissions
+WHERE name = $1 AND scope = $2;
+
 -- name: GetUserPermissions :many
 SELECT DISTINCT p.id,p.name,p.scope,p.description
 FROM permissions p
-
 -- From roles assigned directly to the user
 LEFT JOIN role_permissions rp_user
     ON p.id = rp_user.permission_id
 LEFT JOIN user_roles ur
     ON rp_user.role_id = ur.role_id AND ur.user_id = $1
-
 -- From roles assigned to user's groups
 LEFT JOIN user_groups ug
     ON ug.user_id = $1
@@ -16,15 +35,12 @@ LEFT JOIN group_roles gr
     ON ug.group_id = gr.group_id
 LEFT JOIN role_permissions rp_group
     ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
-
 -- Direct permissions to user
 LEFT JOIN user_permissions up
     ON up.user_id = $1 AND up.permission_id = p.id
-
 -- Direct permissions to user's groups
 LEFT JOIN group_permissions gp
     ON gp.group_id = ug.group_id AND gp.permission_id = p.id
-
 WHERE ur.user_id IS NOT NULL
    OR gr.group_id IS NOT NULL
    OR up.user_id IS NOT NULL

web/src/App.tsx

@@ -27,6 +27,7 @@ import VerifyAvatarPage from "./pages/Verify/Avatar";
 import VerifyReviewPage from "./pages/Verify/Review";
 import AdminUserSessionsPage from "./pages/Admin/UserSessions";
 import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
+import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
 
 const router = createBrowserRouter([
   {
@@ -93,6 +94,12 @@ const router = createBrowserRouter([
                   { index: true, element: <AdminServiceSessionsPage /> },
                 ],
               },
+              {
+                path: "app-permissions",
+                children: [
+                  { index: true, element: <AdminAppPermissionsPage /> },
+                ],
+              },
             ],
           },
         ],

web/src/api/admin/permissions.ts

@@ -3,9 +3,27 @@ import { axios, handleApiError } from "..";
 
 export type FetchPermissionsResponse = AppPermission[];
 
+export const getUserPermissionsApi = async (
+  userId: string,
+): Promise<FetchPermissionsResponse> => {
+  const response = await axios.get<FetchPermissionsResponse>(
+    `/api/v1/admin/permissions/${userId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};
+
+export type FetchGroupedPermissionsResponse = {
+  scope: string;
+  permissions: AppPermission[];
+}[];
+
 export const getPermissionsApi =
-  async (): Promise<FetchPermissionsResponse> => {
+  async (): Promise<FetchGroupedPermissionsResponse> => {
-    const response = await axios.get<FetchPermissionsResponse>(
+    const response = await axios.get<FetchGroupedPermissionsResponse>(
       "/api/v1/admin/permissions",
     );
 

web/src/hooks/barItems.tsx

@@ -1,5 +1,13 @@
 import { useAuth } from "@/store/auth";
-import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
+import {
+  Blocks,
+  EarthLock,
+  Home,
+  KeyRound,
+  User,
+  UserLock,
+  Users,
+} from "lucide-react";
 import { useCallback, type ReactNode } from "react";
 import { useLocation } from "react-router";
 
@@ -93,6 +101,12 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
               tab: "admin.service-sessions",
               pathname: "/admin/service-sessions",
             },
+            {
+              icon: <KeyRound />,
+              title: "App Permissions",
+              tab: "admin.app-permissions",
+              pathname: "/admin/app-permissions",
+            },
           ]
         : []),
     ],

web/src/pages/Admin/AppPermissions/index.tsx

@@ -0,0 +1,130 @@
+import { useEffect, type FC } from "react";
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { usePermissions } from "@/store/admin/permissions";
+
+interface DisplayPermission {
+  name: string;
+  description: string;
+}
+
+interface IPermissionGroupProps {
+  scope: string;
+  permissions?: DisplayPermission[] | null | undefined;
+  generatedPermissions?: DisplayPermission[] | null | undefined;
+}
+
+const PermissionGroup: FC<IPermissionGroupProps> = ({
+  scope,
+  permissions,
+  generatedPermissions,
+}) => {
+  return (
+    <div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
+      <h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
+        {scope}
+      </h2>
+
+      {(generatedPermissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
+
+          <ol
+            className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
+          >
+            {generatedPermissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+
+      {(permissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
+
+          <ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
+            {permissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+    </div>
+  );
+};
+
+const AdminAppPermissionsPage: FC = () => {
+  const permissions = usePermissions((s) => s.permissions);
+  const fetch = usePermissions((s) => s.fetch);
+
+  useEffect(() => {
+    fetch();
+  }, [fetch]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "App Permissions",
+            },
+          ]}
+        />
+      </div>
+      <div className="px-7">
+        {Object.keys(permissions).map((scope) => (
+          <PermissionGroup
+            scope={scope.toUpperCase()}
+            generatedPermissions={permissions[scope].map((p) => ({
+              name: p.name
+                .split("_")
+                .map((s) => s[0].toUpperCase() + s.slice(1))
+                .join(" "),
+              description: p.description,
+            }))}
+          />
+        ))}
+        {/* <PermissionGroup
+          scope="Open Chat"
+          generatedPermissions={["Access Open Chat"].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+          permissions={[
+            "Receive Messages",
+            "Send Messages",
+            "View Status",
+            "Post Status",
+            "Use Ghost Mode",
+            "Send Large Media",
+          ].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+        /> */}
+      </div>
+    </div>
+  );
+};
+
+export default AdminAppPermissionsPage;

web/src/pages/Admin/Users/View/index.tsx

@@ -25,6 +25,7 @@ const InfoCard = ({
 const AdminViewUserPage: FC = () => {
   const { userId } = useParams();
   const user = useUsers((state) => state.current);
+  const userPermissions = useUsers((s) => s.userPermissions);
   // const loading = useApiServices((state) => state.fetchingApiService);
 
   const loadUser = useUsers((state) => state.fetchUser);
@@ -117,6 +118,10 @@ const AdminViewUserPage: FC = () => {
           </div>
         </InfoCard>
 
+        <InfoCard title="Roles & Permissions">
+          <pre>{JSON.stringify(userPermissions, null, 2)}</pre>
+        </InfoCard>
+
         {/* 🚀 Actions */}
         <div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
           <Link to="/admin/users">

web/src/pages/Admin/Users/index.tsx

@@ -1,4 +1,3 @@
-import { getPermissionsApi } from "@/api/admin/permissions";
 import Breadcrumbs from "@/components/ui/breadcrumbs";
 import { Button } from "@/components/ui/button";
 import Avatar from "@/feature/Avatar";
@@ -16,12 +15,6 @@ const AdminUsersPage: FC = () => {
     fetchUsers();
   }, [fetchUsers]);
 
-  useEffect(() => {
-    getPermissionsApi().then((res) => {
-      console.log("permissions response:", res);
-    });
-  }, []);
-
   return (
     <div className="relative flex flex-col items-stretch w-full">
       <div className="p-4">

web/src/pages/Authorize/index.tsx

@@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
                 <div className="text-gray-400 dark:text-gray-600">
                   <ArrowLeftRight />
                 </div>
-                <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
+                {/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
-                  {/* <img
+                {/* <img
                     src="https://lucide.dev/logo.dark.svg"
                     className="w-8 h-8"
                   /> */}
-                  {apiService?.icon_url ? (
+                {apiService?.icon_url ? (
-                    <img
+                  <img
-                      src={apiService.icon_url}
+                    src={apiService.icon_url}
-                      className="w-full h-full"
+                    className="w-12 h-12"
-                      alt="service_icon"
+                    alt="service_icon"
-                    />
+                  />
-                  ) : (
+                ) : (
-                    <LayoutDashboard size={32} color="#fefefe" />
+                  <LayoutDashboard size={32} color="#fefefe" />
-                  )}
+                )}
-                </div>
+                {/* </div> */}
               </div>
 
               <div className="px-4 sm:mt-4 mt-8">

web/src/store/admin/permissions.ts

@@ -0,0 +1,32 @@
+import { getPermissionsApi } from "@/api/admin/permissions";
+import type { AppPermission } from "@/types";
+import { create } from "zustand";
+
+export interface IAdminPermissionsState {
+  permissions: Record<string, AppPermission[]>;
+  fetching: boolean;
+
+  fetch: () => Promise<void>;
+}
+
+export const usePermissions = create<IAdminPermissionsState>((set) => ({
+  permissions: {},
+  fetching: false,
+
+  fetch: async () => {
+    set({ fetching: true });
+
+    try {
+      const response = await getPermissionsApi();
+      set({
+        permissions: Object.fromEntries(
+          response.map(({ scope, permissions }) => [scope, permissions]),
+        ),
+      });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin permissions:", err);
+    } finally {
+      set({ fetching: false });
+    }
+  },
+}));

web/src/store/admin/users.ts

@@ -1,10 +1,11 @@
+import { getUserPermissionsApi } from "@/api/admin/permissions";
 import {
   adminGetUserApi,
   adminGetUsersApi,
   postUser,
   type CreateUserRequest,
 } from "@/api/admin/users";
-import type { UserProfile } from "@/types";
+import type { AppPermission, UserProfile } from "@/types";
 import { create } from "zustand";
 
 export interface IUsersState {
@@ -14,14 +15,18 @@ export interface IUsersState {
   current: UserProfile | null;
   fetchingCurrent: boolean;
 
+  userPermissions: AppPermission[];
+  fetchingPermissions: boolean;
+
   creating: boolean;
   createUser: (req: CreateUserRequest) => Promise<boolean>;
 
   fetchUsers: () => Promise<void>;
   fetchUser: (id: string) => Promise<void>;
+  fetchUserPermissions: () => Promise<void>;
 }
 
-export const useUsers = create<IUsersState>((set) => ({
+export const useUsers = create<IUsersState>((set, get) => ({
   users: [],
   fetching: false,
 
@@ -30,6 +35,9 @@ export const useUsers = create<IUsersState>((set) => ({
   current: null,
   fetchingCurrent: false,
 
+  userPermissions: [],
+  fetchingPermissions: false,
+
   createUser: async (req: CreateUserRequest) => {
     set({ creating: true });
 
@@ -70,4 +78,23 @@ export const useUsers = create<IUsersState>((set) => ({
       set({ fetchingCurrent: false });
     }
   },
+
+  fetchUserPermissions: async () => {
+    const user = get().current;
+    if (!user) {
+      console.warn("Trying to fetch user permissions without selected user");
+      return;
+    }
+
+    set({ fetchingPermissions: true });
+
+    try {
+      const response = await getUserPermissionsApi(user.id);
+      set({ userPermissions: response });
+    } catch (err) {
+      console.log("ERR: Failed to fetch single user for admin:", err);
+    } finally {
+      set({ fetchingPermissions: false });
+    }
+  },
 }));