Compare commits
29 Commits
main
...
533e6ea6af
| Author | SHA1 | Date | |
|---|---|---|---|
| 533e6ea6af | |||
| 0c24ed9382 | |||
| f5c61bb6a0 | |||
| eb05f830fe | |||
| d86a9de388 | |||
| d80caac81b | |||
| 5d49a661ed | |||
| 635a2d6058 | |||
| 1eb96e906d | |||
| 58974d9789 | |||
| 329fac415f | |||
| a83ec61fae | |||
| d5e86acacf | |||
| 221ef192bc | |||
| 18664dbd8b | |||
| d097735965 | |||
| 992776b8a6 | |||
| 3f260b9029 | |||
| 65f40d0897 | |||
| 6d482c784f | |||
| dc07868d15 | |||
| 09a2f05ee5 | |||
| 5cec1cf561 | |||
| 3281764eff | |||
| 868337134d | |||
| 9372673bf1 | |||
| 0eea81b42f | |||
| 7468303e41 | |||
| 8745e7d8bc |
@ -45,6 +45,7 @@ func main() {
|
||||
cache := cache.NewClient(&cfg)
|
||||
|
||||
user.EnsureAdminUser(ctx, &cfg, repo)
|
||||
user.EnsureSystemPermissions(ctx, repo)
|
||||
|
||||
server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
|
||||
if err := server.Run(); err != nil {
|
||||
|
||||
82
internal/admin/permissions.go
Normal file
82
internal/admin/permissions.go
Normal file
@ -0,0 +1,82 @@
|
||||
package admin
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"gitea.local/admin/hspguard/internal/repository"
|
||||
"gitea.local/admin/hspguard/internal/web"
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
|
||||
rows, err := h.repo.GetGroupedPermissions(r.Context())
|
||||
if err != nil {
|
||||
log.Println("ERR: Failed to list permissions from db:", err)
|
||||
web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
type RowDTO struct {
|
||||
Scope string `json:"scope"`
|
||||
Permissions []repository.Permission `json:"permissions"`
|
||||
}
|
||||
|
||||
if len(rows) == 0 {
|
||||
rows = make([]repository.GetGroupedPermissionsRow, 0)
|
||||
}
|
||||
|
||||
var mapped []RowDTO
|
||||
|
||||
for _, row := range rows {
|
||||
var permissions []repository.Permission
|
||||
|
||||
if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
|
||||
log.Println("ERR: Failed to extract permissions from byte array:", err)
|
||||
web.Error(w, "failed to get permissions", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
mapped = append(mapped, RowDTO{
|
||||
Scope: row.Scope,
|
||||
Permissions: permissions,
|
||||
})
|
||||
}
|
||||
|
||||
if len(mapped) == 0 {
|
||||
mapped = make([]RowDTO, 0)
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
||||
if err := encoder.Encode(mapped); err != nil {
|
||||
web.Error(w, "failed to encode response", http.StatusInternalServerError)
|
||||
}
|
||||
}
|
||||
|
||||
func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
|
||||
userId := chi.URLParam(r, "user_id")
|
||||
|
||||
permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
|
||||
if err != nil {
|
||||
log.Println("ERR: Failed to list permissions from db:", err)
|
||||
web.Error(w, "failed to get user permissions", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if len(permissions) == 0 {
|
||||
permissions = make([]repository.Permission, 0)
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
||||
if err := encoder.Encode(permissions); err != nil {
|
||||
web.Error(w, "failed to encode response", http.StatusInternalServerError)
|
||||
}
|
||||
}
|
||||
61
internal/admin/roles.go
Normal file
61
internal/admin/roles.go
Normal file
@ -0,0 +1,61 @@
|
||||
package admin
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"gitea.local/admin/hspguard/internal/repository"
|
||||
"gitea.local/admin/hspguard/internal/web"
|
||||
)
|
||||
|
||||
func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
|
||||
rows, err := h.repo.GetRolesGroupedWithPermissions(r.Context())
|
||||
if err != nil {
|
||||
log.Println("ERR: Failed to list roles from db:", err)
|
||||
web.Error(w, "failed to get all roles", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
type RolePermissions struct {
|
||||
Permissions []repository.Permission `json:"permissions"`
|
||||
repository.Role
|
||||
}
|
||||
|
||||
type RowDTO struct {
|
||||
Scope string `json:"scope"`
|
||||
Roles []RolePermissions `json:"roles"`
|
||||
}
|
||||
|
||||
if len(rows) == 0 {
|
||||
rows = make([]repository.GetRolesGroupedWithPermissionsRow, 0)
|
||||
}
|
||||
|
||||
var mapped []RowDTO
|
||||
|
||||
for _, row := range rows {
|
||||
var mappedRow RowDTO
|
||||
|
||||
mappedRow.Scope = row.Scope
|
||||
|
||||
if err := json.Unmarshal(row.Roles, &mappedRow.Roles); err != nil {
|
||||
log.Println("ERR: Failed to extract roles from byte array:", err)
|
||||
web.Error(w, "failed to get roles", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
mapped = append(mapped, mappedRow)
|
||||
}
|
||||
|
||||
if len(mapped) == 0 {
|
||||
mapped = make([]RowDTO, 0)
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
||||
if err := encoder.Encode(mapped); err != nil {
|
||||
web.Error(w, "failed to encode response", http.StatusInternalServerError)
|
||||
}
|
||||
}
|
||||
@ -41,6 +41,11 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
|
||||
|
||||
r.Get("/service-sessions", h.GetServiceSessions)
|
||||
r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
|
||||
|
||||
r.Get("/permissions", h.GetAllPermissions)
|
||||
r.Get("/permissions/{user_id}", h.GetUserPermissions)
|
||||
|
||||
r.Get("/roles", h.GetAllRoles)
|
||||
})
|
||||
|
||||
router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)
|
||||
|
||||
@ -25,6 +25,41 @@ type ApiService struct {
|
||||
IconUrl *string `json:"icon_url"`
|
||||
}
|
||||
|
||||
type Group struct {
|
||||
ID uuid.UUID `json:"id"`
|
||||
Name string `json:"name"`
|
||||
Description *string `json:"description"`
|
||||
}
|
||||
|
||||
type GroupPermission struct {
|
||||
GroupID uuid.UUID `json:"group_id"`
|
||||
PermissionID uuid.UUID `json:"permission_id"`
|
||||
}
|
||||
|
||||
type GroupRole struct {
|
||||
GroupID uuid.UUID `json:"group_id"`
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
}
|
||||
|
||||
type Permission struct {
|
||||
ID uuid.UUID `json:"id"`
|
||||
Name string `json:"name"`
|
||||
Scope string `json:"scope"`
|
||||
Description *string `json:"description"`
|
||||
}
|
||||
|
||||
type Role struct {
|
||||
ID uuid.UUID `json:"id"`
|
||||
Name string `json:"name"`
|
||||
Scope string `json:"scope"`
|
||||
Description *string `json:"description"`
|
||||
}
|
||||
|
||||
type RolePermission struct {
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
PermissionID uuid.UUID `json:"permission_id"`
|
||||
}
|
||||
|
||||
type ServiceSession struct {
|
||||
ID uuid.UUID `json:"id"`
|
||||
ServiceID uuid.UUID `json:"service_id"`
|
||||
@ -60,6 +95,21 @@ type User struct {
|
||||
Verified bool `json:"verified"`
|
||||
}
|
||||
|
||||
type UserGroup struct {
|
||||
UserID uuid.UUID `json:"user_id"`
|
||||
GroupID uuid.UUID `json:"group_id"`
|
||||
}
|
||||
|
||||
type UserPermission struct {
|
||||
UserID uuid.UUID `json:"user_id"`
|
||||
PermissionID uuid.UUID `json:"permission_id"`
|
||||
}
|
||||
|
||||
type UserRole struct {
|
||||
UserID uuid.UUID `json:"user_id"`
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
}
|
||||
|
||||
type UserSession struct {
|
||||
ID uuid.UUID `json:"id"`
|
||||
UserID uuid.UUID `json:"user_id"`
|
||||
|
||||
175
internal/repository/permissions.sql.go
Normal file
175
internal/repository/permissions.sql.go
Normal file
@ -0,0 +1,175 @@
|
||||
// Code generated by sqlc. DO NOT EDIT.
|
||||
// versions:
|
||||
// sqlc v1.29.0
|
||||
// source: permissions.sql
|
||||
|
||||
package repository
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
const createPermission = `-- name: CreatePermission :one
|
||||
INSERT into permissions (
|
||||
name, scope, description
|
||||
) VALUES (
|
||||
$1, $2, $3
|
||||
) RETURNING id, name, scope, description
|
||||
`
|
||||
|
||||
type CreatePermissionParams struct {
|
||||
Name string `json:"name"`
|
||||
Scope string `json:"scope"`
|
||||
Description *string `json:"description"`
|
||||
}
|
||||
|
||||
func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
|
||||
row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
|
||||
var i Permission
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const findPermission = `-- name: FindPermission :one
|
||||
SELECT id, name, scope, description FROM permissions
|
||||
WHERE name = $1 AND scope = $2
|
||||
`
|
||||
|
||||
type FindPermissionParams struct {
|
||||
Name string `json:"name"`
|
||||
Scope string `json:"scope"`
|
||||
}
|
||||
|
||||
func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
|
||||
row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
|
||||
var i Permission
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const getAllPermissions = `-- name: GetAllPermissions :many
|
||||
SELECT id, name, scope, description
|
||||
FROM permissions p
|
||||
ORDER BY p.scope
|
||||
`
|
||||
|
||||
func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
|
||||
rows, err := q.db.Query(ctx, getAllPermissions)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []Permission
|
||||
for rows.Next() {
|
||||
var i Permission
|
||||
if err := rows.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, i)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
|
||||
const getGroupedPermissions = `-- name: GetGroupedPermissions :many
|
||||
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
|
||||
FROM permissions
|
||||
GROUP BY scope
|
||||
`
|
||||
|
||||
type GetGroupedPermissionsRow struct {
|
||||
Scope string `json:"scope"`
|
||||
Permissions []byte `json:"permissions"`
|
||||
}
|
||||
|
||||
func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
|
||||
rows, err := q.db.Query(ctx, getGroupedPermissions)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []GetGroupedPermissionsRow
|
||||
for rows.Next() {
|
||||
var i GetGroupedPermissionsRow
|
||||
if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, i)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
|
||||
const getUserPermissions = `-- name: GetUserPermissions :many
|
||||
SELECT DISTINCT p.id,p.name,p.scope,p.description
|
||||
FROM permissions p
|
||||
LEFT JOIN role_permissions rp_user
|
||||
ON p.id = rp_user.permission_id
|
||||
LEFT JOIN user_roles ur
|
||||
ON rp_user.role_id = ur.role_id AND ur.user_id = $1
|
||||
LEFT JOIN user_groups ug
|
||||
ON ug.user_id = $1
|
||||
LEFT JOIN group_roles gr
|
||||
ON ug.group_id = gr.group_id
|
||||
LEFT JOIN role_permissions rp_group
|
||||
ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
|
||||
LEFT JOIN user_permissions up
|
||||
ON up.user_id = $1 AND up.permission_id = p.id
|
||||
LEFT JOIN group_permissions gp
|
||||
ON gp.group_id = ug.group_id AND gp.permission_id = p.id
|
||||
WHERE ur.user_id IS NOT NULL
|
||||
OR gr.group_id IS NOT NULL
|
||||
OR up.user_id IS NOT NULL
|
||||
OR gp.group_id IS NOT NULL
|
||||
ORDER BY p.scope
|
||||
`
|
||||
|
||||
// From roles assigned directly to the user
|
||||
// From roles assigned to user's groups
|
||||
// Direct permissions to user
|
||||
// Direct permissions to user's groups
|
||||
func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
|
||||
rows, err := q.db.Query(ctx, getUserPermissions, userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []Permission
|
||||
for rows.Next() {
|
||||
var i Permission
|
||||
if err := rows.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, i)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
193
internal/repository/roles.sql.go
Normal file
193
internal/repository/roles.sql.go
Normal file
@ -0,0 +1,193 @@
|
||||
// Code generated by sqlc. DO NOT EDIT.
|
||||
// versions:
|
||||
// sqlc v1.29.0
|
||||
// source: roles.sql
|
||||
|
||||
package repository
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
const addPermissionsToRoleByKey = `-- name: AddPermissionsToRoleByKey :exec
|
||||
INSERT INTO role_permissions (role_id, permission_id)
|
||||
SELECT
|
||||
$1,
|
||||
p.id
|
||||
FROM
|
||||
permissions p
|
||||
JOIN
|
||||
unnest($2::text[]) AS key_str
|
||||
ON key_str = p.scope || '_' || p.name
|
||||
`
|
||||
|
||||
type AddPermissionsToRoleByKeyParams struct {
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
PermissionKeys []string `json:"permission_keys"`
|
||||
}
|
||||
|
||||
func (q *Queries) AddPermissionsToRoleByKey(ctx context.Context, arg AddPermissionsToRoleByKeyParams) error {
|
||||
_, err := q.db.Exec(ctx, addPermissionsToRoleByKey, arg.RoleID, arg.PermissionKeys)
|
||||
return err
|
||||
}
|
||||
|
||||
const assignRolePermission = `-- name: AssignRolePermission :exec
|
||||
INSERT INTO role_permissions (role_id, permission_id)
|
||||
VALUES (
|
||||
$1,
|
||||
(
|
||||
SELECT id
|
||||
FROM permissions p
|
||||
WHERE p.scope = split_part($2, '_', 1)
|
||||
AND p.name = right($2, length($2) - position('_' IN $2))
|
||||
)
|
||||
)
|
||||
`
|
||||
|
||||
type AssignRolePermissionParams struct {
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
Key string `json:"key"`
|
||||
}
|
||||
|
||||
func (q *Queries) AssignRolePermission(ctx context.Context, arg AssignRolePermissionParams) error {
|
||||
_, err := q.db.Exec(ctx, assignRolePermission, arg.RoleID, arg.Key)
|
||||
return err
|
||||
}
|
||||
|
||||
const createRole = `-- name: CreateRole :one
|
||||
INSERT INTO roles (name, scope, description)
|
||||
VALUES ($1, $2, $3)
|
||||
RETURNING id, name, scope, description
|
||||
`
|
||||
|
||||
type CreateRoleParams struct {
|
||||
Name string `json:"name"`
|
||||
Scope string `json:"scope"`
|
||||
Description *string `json:"description"`
|
||||
}
|
||||
|
||||
func (q *Queries) CreateRole(ctx context.Context, arg CreateRoleParams) (Role, error) {
|
||||
row := q.db.QueryRow(ctx, createRole, arg.Name, arg.Scope, arg.Description)
|
||||
var i Role
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const findRole = `-- name: FindRole :one
|
||||
SELECT id, name, scope, description
|
||||
FROM roles
|
||||
WHERE scope = $1 AND name = $2
|
||||
`
|
||||
|
||||
type FindRoleParams struct {
|
||||
Scope string `json:"scope"`
|
||||
Name string `json:"name"`
|
||||
}
|
||||
|
||||
func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error) {
|
||||
row := q.db.QueryRow(ctx, findRole, arg.Scope, arg.Name)
|
||||
var i Role
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Name,
|
||||
&i.Scope,
|
||||
&i.Description,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const getRoleAssignment = `-- name: GetRoleAssignment :one
|
||||
SELECT role_id, permission_id FROM role_permissions
|
||||
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part($2, '_', 1) AND p.name = right($2, length($2) - position('_' IN $2)))
|
||||
LIMIT 1
|
||||
`
|
||||
|
||||
type GetRoleAssignmentParams struct {
|
||||
RoleID uuid.UUID `json:"role_id"`
|
||||
Key string `json:"key"`
|
||||
}
|
||||
|
||||
func (q *Queries) GetRoleAssignment(ctx context.Context, arg GetRoleAssignmentParams) (RolePermission, error) {
|
||||
row := q.db.QueryRow(ctx, getRoleAssignment, arg.RoleID, arg.Key)
|
||||
var i RolePermission
|
||||
err := row.Scan(&i.RoleID, &i.PermissionID)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const getRolesGroupedWithPermissions = `-- name: GetRolesGroupedWithPermissions :many
|
||||
SELECT
|
||||
r.scope,
|
||||
json_agg (
|
||||
json_build_object (
|
||||
'id',
|
||||
r.id,
|
||||
'name',
|
||||
r.name,
|
||||
'description',
|
||||
r.description,
|
||||
'permissions',
|
||||
COALESCE(p_list.permissions, '[]')
|
||||
)
|
||||
ORDER BY
|
||||
r.name
|
||||
) AS roles
|
||||
FROM
|
||||
roles r
|
||||
LEFT JOIN (
|
||||
SELECT
|
||||
rp.role_id,
|
||||
json_agg (
|
||||
json_build_object (
|
||||
'id',
|
||||
p.id,
|
||||
'name',
|
||||
p.name,
|
||||
'scope',
|
||||
p.scope,
|
||||
'description',
|
||||
p.description
|
||||
)
|
||||
ORDER BY
|
||||
p.name
|
||||
) AS permissions
|
||||
FROM
|
||||
role_permissions rp
|
||||
JOIN permissions p ON p.id = rp.permission_id
|
||||
GROUP BY
|
||||
rp.role_id
|
||||
) p_list ON p_list.role_id = r.id
|
||||
GROUP BY
|
||||
r.scope
|
||||
`
|
||||
|
||||
type GetRolesGroupedWithPermissionsRow struct {
|
||||
Scope string `json:"scope"`
|
||||
Roles []byte `json:"roles"`
|
||||
}
|
||||
|
||||
func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRolesGroupedWithPermissionsRow, error) {
|
||||
rows, err := q.db.Query(ctx, getRolesGroupedWithPermissions)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []GetRolesGroupedWithPermissionsRow
|
||||
for rows.Next() {
|
||||
var i GetRolesGroupedWithPermissionsRow
|
||||
if err := rows.Scan(&i.Scope, &i.Roles); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, i)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
215
internal/user/permissions.go
Normal file
215
internal/user/permissions.go
Normal file
@ -0,0 +1,215 @@
|
||||
package user
|
||||
|
||||
import (
|
||||
"context"
|
||||
"log"
|
||||
|
||||
"gitea.local/admin/hspguard/internal/repository"
|
||||
)
|
||||
|
||||
func String(s string) *string {
|
||||
return &s
|
||||
}
|
||||
|
||||
type RolePermissions struct {
|
||||
Permissions []string `json:"permissions"`
|
||||
repository.Role
|
||||
}
|
||||
|
||||
var (
|
||||
SYSTEM_SCOPE string = "system"
|
||||
SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
|
||||
{
|
||||
Name: "log_into_guard",
|
||||
Description: String("Allow users to log into their accounts"),
|
||||
},
|
||||
{
|
||||
Name: "register",
|
||||
Description: String("Allow users to register new accounts"),
|
||||
},
|
||||
{
|
||||
Name: "edit_profile",
|
||||
Description: String("Allow users to edit their profiles"),
|
||||
},
|
||||
{
|
||||
Name: "recover_credentials",
|
||||
Description: String("Allow users to recover their password/email"),
|
||||
},
|
||||
{
|
||||
Name: "verify_profile",
|
||||
Description: String("Allow users to verify their accounts"),
|
||||
},
|
||||
{
|
||||
Name: "access_home_services",
|
||||
Description: String("Allow users to access home services and tools"),
|
||||
},
|
||||
{
|
||||
Name: "view_sessions",
|
||||
Description: String("Allow users to view their active sessions"),
|
||||
},
|
||||
{
|
||||
Name: "revoke_sessions",
|
||||
Description: String("Allow users to revoke their active sessions"),
|
||||
},
|
||||
{
|
||||
Name: "view_api_services",
|
||||
Description: String("Allow users to view API Services (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "add_api_services",
|
||||
Description: String("Allow users to register new API Services (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "edit_api_services",
|
||||
Description: String("Allow users to edit API Services (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "remove_api_services",
|
||||
Description: String("Allow users to remove API Services (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "view_users",
|
||||
Description: String("Allow users to view other users (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "add_users",
|
||||
Description: String("Allow users to create new users (for admin)"),
|
||||
},
|
||||
// TODO: block, delete users
|
||||
{
|
||||
Name: "view_user_sessions",
|
||||
Description: String("Allow users to view user sessions (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "revoke_user_sessions",
|
||||
Description: String("Allow users to revoke user sessions (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "view_service_sessions",
|
||||
Description: String("Allow users to view service sessions (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "revoke_service_sessions",
|
||||
Description: String("Allow users to revoke service sessions (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "view_permissions",
|
||||
Description: String("Allow users to view all permissions (for admin)"),
|
||||
},
|
||||
{
|
||||
Name: "view_roles_groups",
|
||||
Description: String("Allow users to view roles & groups (for admin)"),
|
||||
},
|
||||
}
|
||||
SYSTEM_ROLES []RolePermissions = []RolePermissions{
|
||||
{
|
||||
Permissions: []string{
|
||||
"system_log_into_guard",
|
||||
"system_register",
|
||||
"system_edit_profile",
|
||||
"system_recover_credentials",
|
||||
"system_verify_profile",
|
||||
"system_access_home_services",
|
||||
"system_view_sessions",
|
||||
"system_revoke_sessions",
|
||||
"system_view_api_services",
|
||||
"system_add_api_services",
|
||||
"system_edit_api_services",
|
||||
"system_remove_api_services",
|
||||
"system_view_users",
|
||||
"system_add_users",
|
||||
"system_view_user_sessions",
|
||||
"system_revoke_user_sessions",
|
||||
"system_view_service_sessions",
|
||||
"system_revoke_service_sessions",
|
||||
"system_view_permissions",
|
||||
"system_view_roles_groups",
|
||||
},
|
||||
Role: repository.Role{
|
||||
Name: "admin",
|
||||
Description: String("User with full power"),
|
||||
},
|
||||
},
|
||||
{
|
||||
Permissions: []string{
|
||||
"system_log_into_guard",
|
||||
"system_register",
|
||||
"system_edit_profile",
|
||||
"system_recover_credentials",
|
||||
"system_verify_profile",
|
||||
"system_access_home_services",
|
||||
"system_view_sessions",
|
||||
"system_revoke_sessions",
|
||||
},
|
||||
Role: repository.Role{
|
||||
Name: "member",
|
||||
Description: String("User that is able to use home services"),
|
||||
},
|
||||
},
|
||||
{
|
||||
Permissions: []string{
|
||||
"system_log_into_guard",
|
||||
"system_register",
|
||||
},
|
||||
Role: repository.Role{
|
||||
Name: "guest",
|
||||
Description: String("New user that needs approve for everything from admin"),
|
||||
},
|
||||
},
|
||||
}
|
||||
)
|
||||
|
||||
func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
|
||||
for _, permission := range SYSTEM_PERMISSIONS {
|
||||
_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
|
||||
Name: permission.Name,
|
||||
Scope: SYSTEM_SCOPE,
|
||||
})
|
||||
if err != nil {
|
||||
log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
|
||||
_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
|
||||
Name: permission.Name,
|
||||
Scope: SYSTEM_SCOPE,
|
||||
Description: permission.Description,
|
||||
})
|
||||
if err != nil {
|
||||
log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for _, role := range SYSTEM_ROLES {
|
||||
var found repository.Role
|
||||
var err error
|
||||
|
||||
found, err = repo.FindRole(ctx, repository.FindRoleParams{
|
||||
Scope: SYSTEM_SCOPE,
|
||||
Name: role.Name,
|
||||
})
|
||||
if err != nil {
|
||||
log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
|
||||
found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
|
||||
Name: role.Name,
|
||||
Scope: SYSTEM_SCOPE,
|
||||
Description: role.Description,
|
||||
})
|
||||
if err != nil {
|
||||
log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
|
||||
}
|
||||
}
|
||||
|
||||
for _, perm := range role.Permissions {
|
||||
if _, exists := repo.GetRoleAssignment(ctx, repository.GetRoleAssignmentParams{
|
||||
RoleID: found.ID,
|
||||
Key: perm,
|
||||
}); exists != nil {
|
||||
if err := repo.AssignRolePermission(ctx, repository.AssignRolePermissionParams{
|
||||
RoleID: found.ID,
|
||||
Key: perm,
|
||||
}); err != nil {
|
||||
log.Fatalf("ERR: Failed to assign permission '%s' to SYSTEM role %s: %v\n", perm, found.Name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
91
migrations/00013_add_group_role_permission.sql
Normal file
91
migrations/00013_add_group_role_permission.sql
Normal file
@ -0,0 +1,91 @@
|
||||
-- +goose Up
|
||||
-- +goose StatementBegin
|
||||
-- GROUPS
|
||||
CREATE TABLE groups (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
|
||||
name TEXT NOT NULL UNIQUE,
|
||||
description TEXT
|
||||
);
|
||||
|
||||
-- ROLES
|
||||
CREATE TABLE roles (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
|
||||
name TEXT NOT NULL,
|
||||
scope TEXT NOT NULL,
|
||||
description TEXT,
|
||||
UNIQUE (name, scope)
|
||||
);
|
||||
|
||||
-- PERMISSIONS
|
||||
CREATE TABLE permissions (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
|
||||
name TEXT NOT NULL,
|
||||
scope TEXT NOT NULL,
|
||||
description TEXT,
|
||||
UNIQUE (name, scope)
|
||||
);
|
||||
|
||||
-- USER-GROUPS (many-to-many)
|
||||
CREATE TABLE user_groups (
|
||||
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
|
||||
group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (user_id, group_id)
|
||||
);
|
||||
|
||||
-- GROUP-ROLES (many-to-many)
|
||||
CREATE TABLE group_roles (
|
||||
group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
|
||||
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (group_id, role_id)
|
||||
);
|
||||
|
||||
-- ROLE-PERMISSIONS (many-to-many)
|
||||
CREATE TABLE role_permissions (
|
||||
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
|
||||
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (role_id, permission_id)
|
||||
);
|
||||
|
||||
-- USER-ROLES (direct assignment, optional)
|
||||
CREATE TABLE user_roles (
|
||||
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
|
||||
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (user_id, role_id)
|
||||
);
|
||||
|
||||
-- USER-PERMISSIONS (direct assignment, optional)
|
||||
CREATE TABLE user_permissions (
|
||||
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
|
||||
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (user_id, permission_id)
|
||||
);
|
||||
|
||||
-- GROUP-PERMISSIONS (direct on group, optional)
|
||||
CREATE TABLE group_permissions (
|
||||
group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
|
||||
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
|
||||
PRIMARY KEY (group_id, permission_id)
|
||||
);
|
||||
|
||||
-- +goose StatementEnd
|
||||
-- +goose Down
|
||||
-- +goose StatementBegin
|
||||
DROP TABLE IF EXISTS group_permissions;
|
||||
|
||||
DROP TABLE IF EXISTS user_permissions;
|
||||
|
||||
DROP TABLE IF EXISTS user_roles;
|
||||
|
||||
DROP TABLE IF EXISTS role_permissions;
|
||||
|
||||
DROP TABLE IF EXISTS group_roles;
|
||||
|
||||
DROP TABLE IF EXISTS user_groups;
|
||||
|
||||
DROP TABLE IF EXISTS permissions;
|
||||
|
||||
DROP TABLE IF EXISTS roles;
|
||||
|
||||
DROP TABLE IF EXISTS groups;
|
||||
|
||||
-- +goose StatementEnd
|
||||
48
queries/permissions.sql
Normal file
48
queries/permissions.sql
Normal file
@ -0,0 +1,48 @@
|
||||
|
||||
-- name: GetAllPermissions :many
|
||||
SELECT *
|
||||
FROM permissions p
|
||||
ORDER BY p.scope;
|
||||
|
||||
-- name: GetGroupedPermissions :many
|
||||
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
|
||||
FROM permissions
|
||||
GROUP BY scope;
|
||||
|
||||
-- name: CreatePermission :one
|
||||
INSERT into permissions (
|
||||
name, scope, description
|
||||
) VALUES (
|
||||
$1, $2, $3
|
||||
) RETURNING *;
|
||||
|
||||
-- name: FindPermission :one
|
||||
SELECT * FROM permissions
|
||||
WHERE name = $1 AND scope = $2;
|
||||
|
||||
-- name: GetUserPermissions :many
|
||||
SELECT DISTINCT p.id,p.name,p.scope,p.description
|
||||
FROM permissions p
|
||||
-- From roles assigned directly to the user
|
||||
LEFT JOIN role_permissions rp_user
|
||||
ON p.id = rp_user.permission_id
|
||||
LEFT JOIN user_roles ur
|
||||
ON rp_user.role_id = ur.role_id AND ur.user_id = $1
|
||||
-- From roles assigned to user's groups
|
||||
LEFT JOIN user_groups ug
|
||||
ON ug.user_id = $1
|
||||
LEFT JOIN group_roles gr
|
||||
ON ug.group_id = gr.group_id
|
||||
LEFT JOIN role_permissions rp_group
|
||||
ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
|
||||
-- Direct permissions to user
|
||||
LEFT JOIN user_permissions up
|
||||
ON up.user_id = $1 AND up.permission_id = p.id
|
||||
-- Direct permissions to user's groups
|
||||
LEFT JOIN group_permissions gp
|
||||
ON gp.group_id = ug.group_id AND gp.permission_id = p.id
|
||||
WHERE ur.user_id IS NOT NULL
|
||||
OR gr.group_id IS NOT NULL
|
||||
OR up.user_id IS NOT NULL
|
||||
OR gp.group_id IS NOT NULL
|
||||
ORDER BY p.scope;
|
||||
81
queries/roles.sql
Normal file
81
queries/roles.sql
Normal file
@ -0,0 +1,81 @@
|
||||
-- name: FindRole :one
|
||||
SELECT *
|
||||
FROM roles
|
||||
WHERE scope = $1 AND name = $2;
|
||||
|
||||
-- name: GetRolesGroupedWithPermissions :many
|
||||
SELECT
|
||||
r.scope,
|
||||
json_agg (
|
||||
json_build_object (
|
||||
'id',
|
||||
r.id,
|
||||
'name',
|
||||
r.name,
|
||||
'description',
|
||||
r.description,
|
||||
'permissions',
|
||||
COALESCE(p_list.permissions, '[]')
|
||||
)
|
||||
ORDER BY
|
||||
r.name
|
||||
) AS roles
|
||||
FROM
|
||||
roles r
|
||||
LEFT JOIN (
|
||||
SELECT
|
||||
rp.role_id,
|
||||
json_agg (
|
||||
json_build_object (
|
||||
'id',
|
||||
p.id,
|
||||
'name',
|
||||
p.name,
|
||||
'scope',
|
||||
p.scope,
|
||||
'description',
|
||||
p.description
|
||||
)
|
||||
ORDER BY
|
||||
p.name
|
||||
) AS permissions
|
||||
FROM
|
||||
role_permissions rp
|
||||
JOIN permissions p ON p.id = rp.permission_id
|
||||
GROUP BY
|
||||
rp.role_id
|
||||
) p_list ON p_list.role_id = r.id
|
||||
GROUP BY
|
||||
r.scope;
|
||||
|
||||
-- name: CreateRole :one
|
||||
INSERT INTO roles (name, scope, description)
|
||||
VALUES ($1, $2, $3)
|
||||
RETURNING *;
|
||||
|
||||
-- name: GetRoleAssignment :one
|
||||
SELECT * FROM role_permissions
|
||||
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part(sqlc.arg('key'), '_', 1) AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key'))))
|
||||
LIMIT 1;
|
||||
|
||||
-- name: AssignRolePermission :exec
|
||||
INSERT INTO role_permissions (role_id, permission_id)
|
||||
VALUES (
|
||||
$1,
|
||||
(
|
||||
SELECT id
|
||||
FROM permissions p
|
||||
WHERE p.scope = split_part(sqlc.arg('key'), '_', 1)
|
||||
AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
|
||||
)
|
||||
);
|
||||
-- name: AddPermissionsToRoleByKey :exec
|
||||
INSERT INTO role_permissions (role_id, permission_id)
|
||||
SELECT
|
||||
sqlc.arg(role_id),
|
||||
p.id
|
||||
FROM
|
||||
permissions p
|
||||
JOIN
|
||||
unnest(sqlc.arg(permission_keys)::text[]) AS key_str
|
||||
ON key_str = p.scope || '_' || p.name;
|
||||
@ -27,6 +27,8 @@ import VerifyAvatarPage from "./pages/Verify/Avatar";
|
||||
import VerifyReviewPage from "./pages/Verify/Review";
|
||||
import AdminUserSessionsPage from "./pages/Admin/UserSessions";
|
||||
import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
|
||||
import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
|
||||
import AdminRolesGroupsPage from "./pages/Admin/RolesGroups";
|
||||
|
||||
const router = createBrowserRouter([
|
||||
{
|
||||
@ -93,6 +95,16 @@ const router = createBrowserRouter([
|
||||
{ index: true, element: <AdminServiceSessionsPage /> },
|
||||
],
|
||||
},
|
||||
{
|
||||
path: "app-permissions",
|
||||
children: [
|
||||
{ index: true, element: <AdminAppPermissionsPage /> },
|
||||
],
|
||||
},
|
||||
{
|
||||
path: "roles-groups",
|
||||
children: [{ index: true, element: <AdminRolesGroupsPage /> }],
|
||||
},
|
||||
],
|
||||
},
|
||||
],
|
||||
|
||||
34
web/src/api/admin/permissions.ts
Normal file
34
web/src/api/admin/permissions.ts
Normal file
@ -0,0 +1,34 @@
|
||||
import type { AppPermission } from "@/types";
|
||||
import { axios, handleApiError } from "..";
|
||||
|
||||
export type FetchPermissionsResponse = AppPermission[];
|
||||
|
||||
export const getUserPermissionsApi = async (
|
||||
userId: string,
|
||||
): Promise<FetchPermissionsResponse> => {
|
||||
const response = await axios.get<FetchPermissionsResponse>(
|
||||
`/api/v1/admin/permissions/${userId}`,
|
||||
);
|
||||
|
||||
if (response.status !== 200 && response.status !== 201)
|
||||
throw await handleApiError(response);
|
||||
|
||||
return response.data;
|
||||
};
|
||||
|
||||
export type FetchGroupedPermissionsResponse = {
|
||||
scope: string;
|
||||
permissions: AppPermission[];
|
||||
}[];
|
||||
|
||||
export const getPermissionsApi =
|
||||
async (): Promise<FetchGroupedPermissionsResponse> => {
|
||||
const response = await axios.get<FetchGroupedPermissionsResponse>(
|
||||
"/api/v1/admin/permissions",
|
||||
);
|
||||
|
||||
if (response.status !== 200 && response.status !== 201)
|
||||
throw await handleApiError(response);
|
||||
|
||||
return response.data;
|
||||
};
|
||||
20
web/src/api/admin/roles.ts
Normal file
20
web/src/api/admin/roles.ts
Normal file
@ -0,0 +1,20 @@
|
||||
import type { AppPermission, AppRole } from "@/types";
|
||||
import { axios, handleApiError } from "..";
|
||||
|
||||
export type FetchGroupedRolesResponse = {
|
||||
scope: string;
|
||||
roles: (AppRole & {
|
||||
permissions: AppPermission[];
|
||||
})[];
|
||||
}[];
|
||||
|
||||
export const getRolesApi = async (): Promise<FetchGroupedRolesResponse> => {
|
||||
const response = await axios.get<FetchGroupedRolesResponse>(
|
||||
"/api/v1/admin/roles",
|
||||
);
|
||||
|
||||
if (response.status !== 200 && response.status !== 201)
|
||||
throw await handleApiError(response);
|
||||
|
||||
return response.data;
|
||||
};
|
||||
@ -5,7 +5,7 @@ import { useMemo, type FC } from "react";
|
||||
export interface AvatarProps {
|
||||
iconSize?: number;
|
||||
className?: string;
|
||||
avatarId?: string;
|
||||
avatarId?: string | null;
|
||||
}
|
||||
|
||||
const Avatar: FC<AvatarProps> = ({ iconSize = 32, className, avatarId }) => {
|
||||
|
||||
@ -1,5 +1,14 @@
|
||||
import { useAuth } from "@/store/auth";
|
||||
import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
|
||||
import {
|
||||
Blocks,
|
||||
ContactRound,
|
||||
EarthLock,
|
||||
Home,
|
||||
KeyRound,
|
||||
User,
|
||||
UserLock,
|
||||
Users,
|
||||
} from "lucide-react";
|
||||
import { useCallback, type ReactNode } from "react";
|
||||
import { useLocation } from "react-router";
|
||||
|
||||
@ -93,6 +102,18 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
|
||||
tab: "admin.service-sessions",
|
||||
pathname: "/admin/service-sessions",
|
||||
},
|
||||
{
|
||||
icon: <KeyRound />,
|
||||
title: "App Permissions",
|
||||
tab: "admin.app-permissions",
|
||||
pathname: "/admin/app-permissions",
|
||||
},
|
||||
{
|
||||
icon: <ContactRound />,
|
||||
title: "Roles & Groups",
|
||||
tab: "admin.roles-groups",
|
||||
pathname: "/admin/roles-groups",
|
||||
},
|
||||
]
|
||||
: []),
|
||||
],
|
||||
|
||||
130
web/src/pages/Admin/AppPermissions/index.tsx
Normal file
130
web/src/pages/Admin/AppPermissions/index.tsx
Normal file
@ -0,0 +1,130 @@
|
||||
import { useEffect, type FC } from "react";
|
||||
import Breadcrumbs from "@/components/ui/breadcrumbs";
|
||||
import { usePermissions } from "@/store/admin/permissions";
|
||||
|
||||
interface DisplayPermission {
|
||||
name: string;
|
||||
description: string;
|
||||
}
|
||||
|
||||
interface IPermissionGroupProps {
|
||||
scope: string;
|
||||
permissions?: DisplayPermission[] | null | undefined;
|
||||
generatedPermissions?: DisplayPermission[] | null | undefined;
|
||||
}
|
||||
|
||||
const PermissionGroup: FC<IPermissionGroupProps> = ({
|
||||
scope,
|
||||
permissions,
|
||||
generatedPermissions,
|
||||
}) => {
|
||||
return (
|
||||
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
|
||||
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
|
||||
{scope}
|
||||
</h2>
|
||||
|
||||
{(generatedPermissions?.length ?? 0) > 0 && (
|
||||
<>
|
||||
<p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
|
||||
|
||||
<ol
|
||||
className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
|
||||
>
|
||||
{generatedPermissions!.map(({ name, description }) => (
|
||||
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
|
||||
<div className="flex flex-col gap-1">
|
||||
<label>{name}</label>
|
||||
<p className="text-xs text-gray-400 dark:text-gray-500">
|
||||
{description}
|
||||
</p>
|
||||
</div>
|
||||
</li>
|
||||
))}
|
||||
</ol>
|
||||
</>
|
||||
)}
|
||||
|
||||
{(permissions?.length ?? 0) > 0 && (
|
||||
<>
|
||||
<p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
|
||||
|
||||
<ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
|
||||
{permissions!.map(({ name, description }) => (
|
||||
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
|
||||
<div className="flex flex-col gap-1">
|
||||
<label>{name}</label>
|
||||
<p className="text-xs text-gray-400 dark:text-gray-500">
|
||||
{description}
|
||||
</p>
|
||||
</div>
|
||||
</li>
|
||||
))}
|
||||
</ol>
|
||||
</>
|
||||
)}
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
const AdminAppPermissionsPage: FC = () => {
|
||||
const permissions = usePermissions((s) => s.permissions);
|
||||
const fetch = usePermissions((s) => s.fetch);
|
||||
|
||||
useEffect(() => {
|
||||
fetch();
|
||||
}, [fetch]);
|
||||
|
||||
return (
|
||||
<div className="relative flex flex-col items-stretch w-full">
|
||||
<div className="p-4">
|
||||
<Breadcrumbs
|
||||
className="pb-2"
|
||||
items={[
|
||||
{
|
||||
href: "/admin",
|
||||
label: "Admin",
|
||||
},
|
||||
{
|
||||
label: "App Permissions",
|
||||
},
|
||||
]}
|
||||
/>
|
||||
</div>
|
||||
<div className="px-7">
|
||||
{Object.keys(permissions).map((scope) => (
|
||||
<PermissionGroup
|
||||
scope={scope.toUpperCase()}
|
||||
generatedPermissions={permissions[scope].map((p) => ({
|
||||
name: p.name
|
||||
.split("_")
|
||||
.map((s) => s[0].toUpperCase() + s.slice(1))
|
||||
.join(" "),
|
||||
description: p.description,
|
||||
}))}
|
||||
/>
|
||||
))}
|
||||
{/* <PermissionGroup
|
||||
scope="Open Chat"
|
||||
generatedPermissions={["Access Open Chat"].map((name) => ({
|
||||
name,
|
||||
description: `You can ${name.toLowerCase()}`,
|
||||
}))}
|
||||
permissions={[
|
||||
"Receive Messages",
|
||||
"Send Messages",
|
||||
"View Status",
|
||||
"Post Status",
|
||||
"Use Ghost Mode",
|
||||
"Send Large Media",
|
||||
].map((name) => ({
|
||||
name,
|
||||
description: `You can ${name.toLowerCase()}`,
|
||||
}))}
|
||||
/> */}
|
||||
</div>
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
export default AdminAppPermissionsPage;
|
||||
91
web/src/pages/Admin/RolesGroups/index.tsx
Normal file
91
web/src/pages/Admin/RolesGroups/index.tsx
Normal file
@ -0,0 +1,91 @@
|
||||
import { useEffect, type FC } from "react";
|
||||
import Breadcrumbs from "@/components/ui/breadcrumbs";
|
||||
import { useRoles } from "@/store/admin/rolesGroups";
|
||||
import type { AppPermission } from "@/types";
|
||||
|
||||
interface DisplayRole {
|
||||
name: string;
|
||||
description: string;
|
||||
permissions: AppPermission[];
|
||||
}
|
||||
|
||||
interface IPermissionGroupProps {
|
||||
scope: string;
|
||||
roles?: DisplayRole[] | null | undefined;
|
||||
}
|
||||
|
||||
const RolesGroup: FC<IPermissionGroupProps> = ({ scope, roles }) => {
|
||||
return (
|
||||
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
|
||||
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold mb-4">
|
||||
{scope.toUpperCase()} <span className="opacity-45">(scope)</span>
|
||||
</h2>
|
||||
|
||||
{roles?.map((role, index) => (
|
||||
<div>
|
||||
<h2 className="dark:text-gray-300 text-gray-800 text-md font-semibold">
|
||||
{role.name.toUpperCase()} <span className="opacity-45">(role)</span>
|
||||
</h2>
|
||||
|
||||
<p className="text-sm text-gray-400 dark:text-gray-500">
|
||||
{role.description}
|
||||
</p>
|
||||
|
||||
<ol className="grid gap-4 gap-y-3 grid-cols-1 my-4 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
|
||||
{role.permissions.map(({ name, description }) => (
|
||||
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
|
||||
<div className="flex flex-col gap-1">
|
||||
<label>{name}</label>
|
||||
<p className="text-xs text-gray-400 dark:text-gray-500">
|
||||
{description}
|
||||
</p>
|
||||
</div>
|
||||
</li>
|
||||
))}
|
||||
</ol>
|
||||
|
||||
{index + 1 < roles.length && (
|
||||
<div className="h-[1px] bg-gray-700 w-full rounded my-6"></div>
|
||||
)}
|
||||
</div>
|
||||
))}
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
const AdminRolesGroupsPage: FC = () => {
|
||||
const roles = useRoles((s) => s.roles);
|
||||
const fetch = useRoles((s) => s.fetch);
|
||||
|
||||
useEffect(() => {
|
||||
fetch();
|
||||
}, [fetch]);
|
||||
|
||||
console.log("roles:", roles);
|
||||
|
||||
return (
|
||||
<div className="relative flex flex-col items-stretch w-full">
|
||||
<div className="p-4">
|
||||
<Breadcrumbs
|
||||
className="pb-2"
|
||||
items={[
|
||||
{
|
||||
href: "/admin",
|
||||
label: "Admin",
|
||||
},
|
||||
{
|
||||
label: "Roles & Groups",
|
||||
},
|
||||
]}
|
||||
/>
|
||||
</div>
|
||||
<div className="px-7">
|
||||
{Object.keys(roles).map((scope) => (
|
||||
<RolesGroup scope={scope} roles={roles[scope]} />
|
||||
))}
|
||||
</div>
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
export default AdminRolesGroupsPage;
|
||||
@ -113,7 +113,7 @@ const AdminServiceSessionsPage: FC = () => {
|
||||
{/* <SessionSource deviceInfo={session.} /> */}
|
||||
{typeof session.api_service?.icon_url === "string" && (
|
||||
<Avatar
|
||||
avatarId={session.api_service.icon_url}
|
||||
avatarId={session.api_service.icon_url ?? null}
|
||||
className="w-7 h-7 min-w-7"
|
||||
/>
|
||||
)}
|
||||
@ -129,7 +129,7 @@ const AdminServiceSessionsPage: FC = () => {
|
||||
<div className="flex flex-row items-center gap-2 justify-start">
|
||||
{typeof session.user?.profile_picture === "string" && (
|
||||
<Avatar
|
||||
avatarId={session.user.profile_picture}
|
||||
avatarId={session.user.profile_picture ?? null}
|
||||
className="w-7 h-7 min-w-7"
|
||||
/>
|
||||
)}
|
||||
|
||||
@ -127,7 +127,7 @@ const AdminUserSessionsPage: FC = () => {
|
||||
<div className="flex flex-row items-center gap-2 justify-start">
|
||||
{typeof session.user?.profile_picture === "string" && (
|
||||
<Avatar
|
||||
avatarId={session.user.profile_picture}
|
||||
avatarId={session.user.profile_picture ?? null}
|
||||
className="w-7 h-7 min-w-7"
|
||||
/>
|
||||
)}
|
||||
|
||||
@ -25,6 +25,7 @@ const InfoCard = ({
|
||||
const AdminViewUserPage: FC = () => {
|
||||
const { userId } = useParams();
|
||||
const user = useUsers((state) => state.current);
|
||||
const userPermissions = useUsers((s) => s.userPermissions);
|
||||
// const loading = useApiServices((state) => state.fetchingApiService);
|
||||
|
||||
const loadUser = useUsers((state) => state.fetchUser);
|
||||
@ -63,7 +64,7 @@ const AdminViewUserPage: FC = () => {
|
||||
Avatar:
|
||||
</span>
|
||||
<Avatar
|
||||
avatarId={user.profile_picture ?? undefined}
|
||||
avatarId={user.profile_picture ?? null}
|
||||
className="w-16 h-16"
|
||||
iconSize={28}
|
||||
/>
|
||||
@ -117,6 +118,10 @@ const AdminViewUserPage: FC = () => {
|
||||
</div>
|
||||
</InfoCard>
|
||||
|
||||
<InfoCard title="Roles & Permissions">
|
||||
<pre>{JSON.stringify(userPermissions, null, 2)}</pre>
|
||||
</InfoCard>
|
||||
|
||||
{/* 🚀 Actions */}
|
||||
<div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
|
||||
<Link to="/admin/users">
|
||||
|
||||
@ -94,7 +94,7 @@ const AdminUsersPage: FC = () => {
|
||||
<Avatar
|
||||
iconSize={21}
|
||||
className="w-8 h-8"
|
||||
avatarId={user.profile_picture ?? undefined}
|
||||
avatarId={user.profile_picture ?? null}
|
||||
/>
|
||||
<p>{user.full_name}</p>
|
||||
</div>
|
||||
|
||||
@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
|
||||
<div className="text-gray-400 dark:text-gray-600">
|
||||
<ArrowLeftRight />
|
||||
</div>
|
||||
<div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
|
||||
{/* <img
|
||||
{/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
|
||||
{/* <img
|
||||
src="https://lucide.dev/logo.dark.svg"
|
||||
className="w-8 h-8"
|
||||
/> */}
|
||||
{apiService?.icon_url ? (
|
||||
<img
|
||||
src={apiService.icon_url}
|
||||
className="w-full h-full"
|
||||
alt="service_icon"
|
||||
/>
|
||||
) : (
|
||||
<LayoutDashboard size={32} color="#fefefe" />
|
||||
)}
|
||||
</div>
|
||||
{apiService?.icon_url ? (
|
||||
<img
|
||||
src={apiService.icon_url}
|
||||
className="w-12 h-12"
|
||||
alt="service_icon"
|
||||
/>
|
||||
) : (
|
||||
<LayoutDashboard size={32} color="#fefefe" />
|
||||
)}
|
||||
{/* </div> */}
|
||||
</div>
|
||||
|
||||
<div className="px-4 sm:mt-4 mt-8">
|
||||
|
||||
@ -21,7 +21,7 @@ const VerifyReviewPage: FC = () => {
|
||||
</p>
|
||||
|
||||
<Avatar
|
||||
avatarId={profile?.profile_picture ?? undefined}
|
||||
avatarId={profile?.profile_picture ?? null}
|
||||
iconSize={64}
|
||||
className="w-48 h-48 min-w-48 mx-auto mt-4"
|
||||
/>
|
||||
|
||||
32
web/src/store/admin/permissions.ts
Normal file
32
web/src/store/admin/permissions.ts
Normal file
@ -0,0 +1,32 @@
|
||||
import { getPermissionsApi } from "@/api/admin/permissions";
|
||||
import type { AppPermission } from "@/types";
|
||||
import { create } from "zustand";
|
||||
|
||||
export interface IAdminPermissionsState {
|
||||
permissions: Record<string, AppPermission[]>;
|
||||
fetching: boolean;
|
||||
|
||||
fetch: () => Promise<void>;
|
||||
}
|
||||
|
||||
export const usePermissions = create<IAdminPermissionsState>((set) => ({
|
||||
permissions: {},
|
||||
fetching: false,
|
||||
|
||||
fetch: async () => {
|
||||
set({ fetching: true });
|
||||
|
||||
try {
|
||||
const response = await getPermissionsApi();
|
||||
set({
|
||||
permissions: Object.fromEntries(
|
||||
response.map(({ scope, permissions }) => [scope, permissions]),
|
||||
),
|
||||
});
|
||||
} catch (err) {
|
||||
console.log("ERR: Failed to fetch admin permissions:", err);
|
||||
} finally {
|
||||
set({ fetching: false });
|
||||
}
|
||||
},
|
||||
}));
|
||||
36
web/src/store/admin/rolesGroups.ts
Normal file
36
web/src/store/admin/rolesGroups.ts
Normal file
@ -0,0 +1,36 @@
|
||||
import { getRolesApi } from "@/api/admin/roles";
|
||||
import type { AppPermission, AppRole } from "@/types";
|
||||
import { create } from "zustand";
|
||||
|
||||
export type RolesMap = Record<
|
||||
string,
|
||||
(AppRole & { permissions: AppPermission[] })[]
|
||||
>;
|
||||
|
||||
export interface IRolesGroups {
|
||||
roles: RolesMap;
|
||||
|
||||
fetching: boolean;
|
||||
|
||||
fetch: () => Promise<void>;
|
||||
}
|
||||
|
||||
export const useRoles = create<IRolesGroups>((set) => ({
|
||||
roles: {},
|
||||
fetching: false,
|
||||
|
||||
fetch: async () => {
|
||||
set({ fetching: true });
|
||||
|
||||
try {
|
||||
const response = await getRolesApi();
|
||||
set({
|
||||
roles: Object.fromEntries(response.map((r) => [r.scope, r.roles])),
|
||||
});
|
||||
} catch (err) {
|
||||
console.log("ERR: Failed to fetch admin roles:", err);
|
||||
} finally {
|
||||
set({ fetching: false });
|
||||
}
|
||||
},
|
||||
}));
|
||||
@ -1,10 +1,11 @@
|
||||
import { getUserPermissionsApi } from "@/api/admin/permissions";
|
||||
import {
|
||||
adminGetUserApi,
|
||||
adminGetUsersApi,
|
||||
postUser,
|
||||
type CreateUserRequest,
|
||||
} from "@/api/admin/users";
|
||||
import type { UserProfile } from "@/types";
|
||||
import type { AppPermission, UserProfile } from "@/types";
|
||||
import { create } from "zustand";
|
||||
|
||||
export interface IUsersState {
|
||||
@ -14,14 +15,18 @@ export interface IUsersState {
|
||||
current: UserProfile | null;
|
||||
fetchingCurrent: boolean;
|
||||
|
||||
userPermissions: AppPermission[];
|
||||
fetchingPermissions: boolean;
|
||||
|
||||
creating: boolean;
|
||||
createUser: (req: CreateUserRequest) => Promise<boolean>;
|
||||
|
||||
fetchUsers: () => Promise<void>;
|
||||
fetchUser: (id: string) => Promise<void>;
|
||||
fetchUserPermissions: () => Promise<void>;
|
||||
}
|
||||
|
||||
export const useUsers = create<IUsersState>((set) => ({
|
||||
export const useUsers = create<IUsersState>((set, get) => ({
|
||||
users: [],
|
||||
fetching: false,
|
||||
|
||||
@ -30,6 +35,9 @@ export const useUsers = create<IUsersState>((set) => ({
|
||||
current: null,
|
||||
fetchingCurrent: false,
|
||||
|
||||
userPermissions: [],
|
||||
fetchingPermissions: false,
|
||||
|
||||
createUser: async (req: CreateUserRequest) => {
|
||||
set({ creating: true });
|
||||
|
||||
@ -70,4 +78,23 @@ export const useUsers = create<IUsersState>((set) => ({
|
||||
set({ fetchingCurrent: false });
|
||||
}
|
||||
},
|
||||
|
||||
fetchUserPermissions: async () => {
|
||||
const user = get().current;
|
||||
if (!user) {
|
||||
console.warn("Trying to fetch user permissions without selected user");
|
||||
return;
|
||||
}
|
||||
|
||||
set({ fetchingPermissions: true });
|
||||
|
||||
try {
|
||||
const response = await getUserPermissionsApi(user.id);
|
||||
set({ userPermissions: response });
|
||||
} catch (err) {
|
||||
console.log("ERR: Failed to fetch single user for admin:", err);
|
||||
} finally {
|
||||
set({ fetchingPermissions: false });
|
||||
}
|
||||
},
|
||||
}));
|
||||
|
||||
@ -78,3 +78,17 @@ export interface DeviceInfo {
|
||||
browser: string;
|
||||
browser_version: string;
|
||||
}
|
||||
|
||||
export interface AppPermission {
|
||||
id: string;
|
||||
name: string;
|
||||
scope: string;
|
||||
description: string;
|
||||
}
|
||||
|
||||
export interface AppRole {
|
||||
id: string;
|
||||
name: string;
|
||||
scope: string;
|
||||
description: string;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user