feat(auth): add user and role management

packages/backend/package.json

@@ -4,7 +4,7 @@
   "license": "See LICENSE file",
   "description": "The open source Zapier alternative. Build workflow automation without spending time and money.",
   "scripts": {
-    "dev": "ts-node-dev --exit-child src/server.ts",
+    "dev": "ts-node-dev --watch 'src/graphql/schema.graphql' --exit-child src/server.ts",
     "worker": "nodemon --watch 'src/**/*.ts' --exec 'ts-node' src/worker.ts",
     "build": "tsc && yarn copy-statics",
     "build:watch": "nodemon --watch 'src/**/*.ts' --watch 'bin/**/*.ts' --exec yarn build --ext ts",

packages/backend/src/db/migrations/20230715214424_make_user_password_nullable.ts

@@ -6,9 +6,6 @@ export async function up(knex: Knex): Promise<void> {
   });
 }
 
-export async function down(knex: Knex): Promise<void> {
-  return await knex.schema.alterTable('users', table => {
-    // what do we do? passwords cannot be left empty
-    // table.string('password').notNullable().alter();
-  });
+export async function down(): Promise<void> {
+  // void
 }

packages/backend/src/db/migrations/20230720143341_add_conditions_in_permissions.ts

@@ -0,0 +1,13 @@
+import { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  return knex.schema.alterTable('permissions', (table) => {
+    table.jsonb('conditions').notNullable().defaultTo([]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  return knex.schema.alterTable('permissions', (table) => {
+    table.dropColumn('conditions');
+  });
+}

packages/backend/src/graphql/mutation-resolvers.ts

@@ -1,47 +1,59 @@
 import createConnection from './mutations/create-connection';
-import generateAuthUrl from './mutations/generate-auth-url';
-import updateConnection from './mutations/update-connection';
-import resetConnection from './mutations/reset-connection';
-import verifyConnection from './mutations/verify-connection';
-import deleteConnection from './mutations/delete-connection';
 import createFlow from './mutations/create-flow';
+import createRole from './mutations/create-role.ee';
+import createStep from './mutations/create-step';
+import createUser from './mutations/create-user.ee';
+import deleteConnection from './mutations/delete-connection';
+import deleteCurrentUser from './mutations/delete-current-user.ee';
+import deleteFlow from './mutations/delete-flow';
+import deleteRole from './mutations/delete-role.ee';
+import deleteStep from './mutations/delete-step';
+import deleteUser from './mutations/delete-user.ee';
+import duplicateFlow from './mutations/duplicate-flow';
+import executeFlow from './mutations/execute-flow';
+import forgotPassword from './mutations/forgot-password.ee';
+import generateAuthUrl from './mutations/generate-auth-url';
+import login from './mutations/login';
+import registerUser from './mutations/register-user.ee';
+import resetConnection from './mutations/reset-connection';
+import resetPassword from './mutations/reset-password.ee';
+import updateConnection from './mutations/update-connection';
+import updateCurrentUser from './mutations/update-current-user';
 import updateFlow from './mutations/update-flow';
 import updateFlowStatus from './mutations/update-flow-status';
-import executeFlow from './mutations/execute-flow';
-import deleteFlow from './mutations/delete-flow';
-import duplicateFlow from './mutations/duplicate-flow';
-import createStep from './mutations/create-step';
+import updateRole from './mutations/update-role.ee';
 import updateStep from './mutations/update-step';
-import deleteStep from './mutations/delete-step';
-import createUser from './mutations/create-user.ee';
-import deleteUser from './mutations/delete-user.ee';
-import updateUser from './mutations/update-user';
-import forgotPassword from './mutations/forgot-password.ee';
-import resetPassword from './mutations/reset-password.ee';
-import login from './mutations/login';
+import updateUser from './mutations/update-user.ee';
+import verifyConnection from './mutations/verify-connection';
 
 const mutationResolvers = {
   createConnection,
-  generateAuthUrl,
-  updateConnection,
-  resetConnection,
-  verifyConnection,
-  deleteConnection,
   createFlow,
+  createRole,
+  createStep,
+  createUser,
+  deleteConnection,
+  deleteCurrentUser,
+  deleteFlow,
+  deleteRole,
+  deleteStep,
+  deleteUser,
+  duplicateFlow,
+  executeFlow,
+  forgotPassword,
+  generateAuthUrl,
+  login,
+  registerUser,
+  resetConnection,
+  resetPassword,
+  updateConnection,
+  updateCurrentUser,
+  updateUser,
   updateFlow,
   updateFlowStatus,
-  executeFlow,
-  deleteFlow,
-  duplicateFlow,
-  createStep,
+  updateRole,
   updateStep,
-  deleteStep,
-  createUser,
-  deleteUser,
-  updateUser,
-  forgotPassword,
-  resetPassword,
-  login,
+  verifyConnection,
 };
 
 export default mutationResolvers;

packages/backend/src/graphql/mutations/create-role.ee.ts

@@ -0,0 +1,32 @@
+import kebabCase from 'lodash/kebabCase';
+import Role from '../../models/role';
+import Permission from '../../models/permission';
+
+type Params = {
+  input: {
+    name: string;
+    description: string;
+    permissions: Permission[];
+  };
+};
+
+// TODO: access
+const createRole = async (_parent: unknown, params: Params) => {
+  const { name, description, permissions } = params.input;
+  const key = kebabCase(name);
+
+  const existingRole = await Role.query().findOne({ key });
+
+  if (existingRole) {
+    throw new Error('Role already exists!');
+  }
+
+  return await Role.query().insertGraph({
+    key,
+    name,
+    description,
+    permissions,
+  }, { relate: ['permissions'] }).returning('*');
+};
+
+export default createRole;

packages/backend/src/graphql/mutations/create-user.ee.ts

@@ -1,16 +1,17 @@
 import User from '../../models/user';
-import Role from '../../models/role';
 
 type Params = {
   input: {
     fullName: string;
     email: string;
     password: string;
+    roleId: string;
   };
 };
 
+// TODO: access
 const createUser = async (_parent: unknown, params: Params) => {
-  const { fullName, email, password } = params.input;
+  const { fullName, email, password, roleId } = params.input;
 
   const existingUser = await User.query().findOne({ email });
 
@@ -18,13 +19,11 @@ const createUser = async (_parent: unknown, params: Params) => {
     throw new Error('User already exists!');
   }
 
-  const role = await Role.query().findOne({ key: 'user' });
-
   const user = await User.query().insert({
     fullName,
     email,
     password,
-    roleId: role.id,
+    roleId,
   });
 
   return user;

packages/backend/src/graphql/mutations/delete-current-user.ee.ts

@@ -0,0 +1,23 @@
+import { Duration } from 'luxon';
+import Context from '../../types/express/context';
+import deleteUserQueue from '../../queues/delete-user.ee';
+
+// TODO: access
+const deleteUser = async (_parent: unknown, params: never, context: Context) => {
+  const id = context.currentUser.id;
+
+  await context.currentUser.$query().delete();
+
+  const jobName = `Delete user - ${id}`;
+  const jobPayload = { id };
+  const millisecondsFor30Days = Duration.fromObject({ days: 30 }).toMillis();
+  const jobOptions = {
+    delay: millisecondsFor30Days
+  };
+
+  await deleteUserQueue.add(jobName, jobPayload, jobOptions);
+
+  return true;
+};
+
+export default deleteUser;

packages/backend/src/graphql/mutations/delete-role.ee.ts

@@ -0,0 +1,31 @@
+import Role from '../../models/role';
+import Context from '../../types/express/context';
+
+type Params = {
+  input: {
+    id: string;
+  };
+};
+
+// TODO: access
+const deleteRole = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  const role = await Role.query().findById(params.input.id).throwIfNotFound();
+
+  if (role.isAdmin) {
+    throw new Error('Admin role cannot be deleted!');
+  }
+
+  /**
+   * TODO: consider migrations for users that still have the role or
+   * do not let the role get deleted if there are still associated users
+   */
+  await role.$query().delete();
+
+  return true;
+};
+
+export default deleteRole;

packages/backend/src/graphql/mutations/delete-user.ee.ts

@@ -1,11 +1,23 @@
-import Context from '../../types/express/context';
-import deleteUserQueue from '../../queues/delete-user.ee';
 import { Duration } from 'luxon';
+import Context from '../../types/express/context';
+import User from '../../models/user';
+import deleteUserQueue from '../../queues/delete-user.ee';
 
-const deleteUser = async (_parent: unknown, params: never, context: Context) => {
-  const id = context.currentUser.id;
+type Params = {
+  input: {
+    id: string;
+  };
+};
 
-  await context.currentUser.$query().delete();
+// TODO: access
+const deleteUser = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  const id = params.input.id;
+
+  await User.query().deleteById(id);
 
   const jobName = `Delete user - ${id}`;
   const jobPayload = { id };

packages/backend/src/graphql/mutations/register-user.ee.ts

@@ -0,0 +1,33 @@
+import User from '../../models/user';
+import Role from '../../models/role';
+
+type Params = {
+  input: {
+    fullName: string;
+    email: string;
+    password: string;
+  };
+};
+
+const registerUser = async (_parent: unknown, params: Params) => {
+  const { fullName, email, password } = params.input;
+
+  const existingUser = await User.query().findOne({ email });
+
+  if (existingUser) {
+    throw new Error('User already exists!');
+  }
+
+  const role = await Role.query().findOne({ key: 'user' });
+
+  const user = await User.query().insert({
+    fullName,
+    email,
+    password,
+    roleId: role.id,
+  });
+
+  return user;
+};
+
+export default registerUser;

packages/backend/src/graphql/mutations/update-current-user.ts

@@ -8,7 +8,7 @@ type Params = {
   };
 };
 
-const updateUser = async (
+const updateCurrentUser = async (
   _parent: unknown,
   params: Params,
   context: Context
@@ -22,4 +22,4 @@ const updateUser = async (
   return user;
 };
 
-export default updateUser;
+export default updateCurrentUser;

packages/backend/src/graphql/mutations/update-role.ee.ts

@@ -0,0 +1,44 @@
+import Context from '../../types/express/context';
+import Role from '../../models/role';
+import Permission from '../../models/permission';
+
+type Params = {
+  input: {
+    id: string;
+    name: string;
+    description: string;
+    permissions: Permission[];
+  };
+};
+
+// TODO: access
+const updateUser = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  const {
+    id,
+    name,
+    description,
+    permissions,
+  } = params.input;
+
+  const role = await Role.query().findById(id).throwIfNotFound();
+
+  // TODO: delete the unrelated items!
+  await role.$relatedQuery('permissions').unrelate();
+
+  // TODO: possibly assert that given permissions do actually exist in catalog
+  // TODO: possibly optimize it with patching the different permissions compared to current ones
+  return await role.$query()
+    .patchAndFetch(
+      {
+        name,
+        description,
+        permissions,
+      }
+    );
+};
+
+export default updateUser;

packages/backend/src/graphql/mutations/update-user.ee.ts

@@ -0,0 +1,34 @@
+import Context from '../../types/express/context';
+import User from '../../models/user';
+
+type Params = {
+  input: {
+    id: string;
+    email: string;
+    fullName: string;
+    role: {
+      id: string;
+    };
+  };
+};
+
+// TODO: access
+const updateUser = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  const user = await User.query()
+    .patchAndFetchById(
+      params.input.id,
+      {
+        email: params.input.email,
+        fullName: params.input.fullName,
+        roleId: params.input.role.id,
+      }
+    );
+
+  return user;
+};
+
+export default updateUser;

packages/backend/src/graphql/queries/get-permissions.ee.ts

@@ -0,0 +1,76 @@
+const getPermissions = async () => {
+  const Connection = {
+    label: 'Connection',
+    key: 'Connection',
+  };
+
+  const Flow = {
+    label: 'Flow',
+    key: 'Flow',
+  };
+
+  const Execution = {
+    label: 'Execution',
+    key: 'Execution',
+  };
+
+  const permissions = {
+    conditions: [
+      {
+        key: 'isCreator',
+        label: 'Is creator'
+      }
+    ],
+    actions: [
+      {
+        label: 'Create',
+        action: 'create',
+        subjects: [
+          Connection.key,
+          Flow.key,
+        ]
+      },
+      {
+        label: 'Read',
+        action: 'read',
+        subjects: [
+          Connection.key,
+          Execution.key,
+          Flow.key,
+        ]
+      },
+      {
+        label: 'Update',
+        action: 'update',
+        subjects: [
+          Connection.key,
+          Flow.key,
+        ]
+      },
+      {
+        label: 'Delete',
+        action: 'delete',
+        subjects: [
+          Connection.key,
+          Flow.key,
+        ]
+      },
+      {
+        label: 'Publish',
+        action: 'publish',
+        subjects: [
+          Flow.key,
+        ]
+      }
+    ],
+    subjects: [
+      Connection,
+      Flow,
+      Execution
+    ]
+  };
+
+  return permissions;
+};
+
+export default getPermissions;

packages/backend/src/graphql/queries/get-role.ee.ts

@@ -0,0 +1,13 @@
+import Context from '../../types/express/context';
+import Role from '../../models/role';
+
+type Params = {
+  id: string
+};
+
+// TODO: access
+const getRole = async (_parent: unknown, params: Params, context: Context) => {
+  return await Role.query().findById(params.id).throwIfNotFound();
+};
+
+export default getRole;

packages/backend/src/graphql/queries/get-roles.ee.ts

@@ -0,0 +1,9 @@
+import Context from '../../types/express/context';
+import Role from '../../models/role';
+
+// TODO: access
+const getRoles = async (_parent: unknown, params: unknown, context: Context) => {
+  return await Role.query();
+};
+
+export default getRoles;

packages/backend/src/graphql/queries/get-user.ts

@@ -0,0 +1,22 @@
+import Context from '../../types/express/context';
+import User from '../../models/user';
+
+type Params = {
+  id: string
+};
+
+// TODO: access
+const getUser = async (_parent: unknown, params: Params, context: Context) => {
+  return await User
+    .query()
+    .leftJoinRelated({
+      role: true
+    })
+    .withGraphFetched({
+      role: true
+    })
+    .findById(params.id)
+    .throwIfNotFound();
+};
+
+export default getUser;

packages/backend/src/graphql/queries/get-users.ts

@@ -0,0 +1,25 @@
+import Context from '../../types/express/context';
+import paginate from '../../helpers/pagination';
+import User from '../../models/user';
+
+type Params = {
+  limit: number;
+  offset: number;
+};
+
+// TODO: access
+const getUsers = async (_parent: unknown, params: Params, context: Context) => {
+  const usersQuery = User
+    .query()
+    .leftJoinRelated({
+      role: true
+    })
+    .withGraphFetched({
+      role: true
+    })
+    .orderBy('full_name', 'desc');
+
+  return paginate(usersQuery, params.limit, params.offset);
+};
+
+export default getUsers;

packages/backend/src/graphql/query-resolvers.ts

@@ -1,49 +1,59 @@
-import getApps from './queries/get-apps';
 import getApp from './queries/get-app';
+import getApps from './queries/get-apps';
+import getAutomatischInfo from './queries/get-automatisch-info';
+import getBillingAndUsage from './queries/get-billing-and-usage.ee';
 import getConnectedApps from './queries/get-connected-apps';
-import testConnection from './queries/test-connection';
-import getFlow from './queries/get-flow';
-import getFlows from './queries/get-flows';
-import getStepWithTestExecutions from './queries/get-step-with-test-executions';
-import getExecution from './queries/get-execution';
-import getExecutions from './queries/get-executions';
-import getExecutionSteps from './queries/get-execution-steps';
+import getCurrentUser from './queries/get-current-user';
 import getDynamicData from './queries/get-dynamic-data';
 import getDynamicFields from './queries/get-dynamic-fields';
-import getCurrentUser from './queries/get-current-user';
-import getPaymentPlans from './queries/get-payment-plans.ee';
-import getPaddleInfo from './queries/get-paddle-info.ee';
-import getBillingAndUsage from './queries/get-billing-and-usage.ee';
+import getExecution from './queries/get-execution';
+import getExecutionSteps from './queries/get-execution-steps';
+import getExecutions from './queries/get-executions';
+import getFlow from './queries/get-flow';
+import getFlows from './queries/get-flows';
+import getUser from './queries/get-user';
+import getUsers from './queries/get-users';
 import getInvoices from './queries/get-invoices.ee';
-import getAutomatischInfo from './queries/get-automatisch-info';
-import getTrialStatus from './queries/get-trial-status.ee';
-import getSubscriptionStatus from './queries/get-subscription-status.ee';
+import getPaddleInfo from './queries/get-paddle-info.ee';
+import getPaymentPlans from './queries/get-payment-plans.ee';
+import getPermissions from './queries/get-permissions.ee';
+import getRole from './queries/get-role.ee';
+import getRoles from './queries/get-roles.ee';
 import getSamlAuthProviders from './queries/get-saml-auth-providers.ee';
+import getStepWithTestExecutions from './queries/get-step-with-test-executions';
+import getSubscriptionStatus from './queries/get-subscription-status.ee';
+import getTrialStatus from './queries/get-trial-status.ee';
 import healthcheck from './queries/healthcheck';
+import testConnection from './queries/test-connection';
 
 const queryResolvers = {
-  getApps,
   getApp,
+  getApps,
+  getAutomatischInfo,
+  getBillingAndUsage,
   getConnectedApps,
-  testConnection,
-  getFlow,
-  getFlows,
-  getStepWithTestExecutions,
+  getCurrentUser,
+  getDynamicData,
+  getDynamicFields,
   getExecution,
   getExecutions,
   getExecutionSteps,
-  getDynamicData,
-  getDynamicFields,
-  getCurrentUser,
-  getPaymentPlans,
-  getPaddleInfo,
-  getBillingAndUsage,
+  getFlow,
+  getFlows,
   getInvoices,
-  getAutomatischInfo,
-  getTrialStatus,
-  getSubscriptionStatus,
+  getPaddleInfo,
+  getPaymentPlans,
+  getPermissions,
+  getRole,
+  getRoles,
   getSamlAuthProviders,
+  getStepWithTestExecutions,
+  getSubscriptionStatus,
+  getTrialStatus,
+  getUser,
+  getUsers,
   healthcheck,
+  testConnection,
 };
 
 export default queryResolvers;

packages/backend/src/graphql/schema.graphql

@@ -42,31 +42,45 @@ type Query {
   getTrialStatus: GetTrialStatus
   getSubscriptionStatus: GetSubscriptionStatus
   getSamlAuthProviders: [GetSamlAuthProviders]
+  getUsers(
+    limit: Int!
+    offset: Int!
+  ): UserConnection
+  getUser(id: String!): User
+  getRoles: [Role]
+  getRole(id: String!): Role
+  getPermissions: Permissions
   healthcheck: AppHealth
 }
 
 type Mutation {
   createConnection(input: CreateConnectionInput): Connection
-  generateAuthUrl(input: GenerateAuthUrlInput): AuthLink
-  updateConnection(input: UpdateConnectionInput): Connection
-  resetConnection(input: ResetConnectionInput): Connection
-  verifyConnection(input: VerifyConnectionInput): Connection
-  deleteConnection(input: DeleteConnectionInput): Boolean
   createFlow(input: CreateFlowInput): Flow
+  createRole(input: CreateRoleInput): Role
+  createStep(input: CreateStepInput): Step
+  createUser(input: CreateUserInput): User
+  deleteConnection(input: DeleteConnectionInput): Boolean
+  deleteCurrentUser: Boolean
+  deleteFlow(input: DeleteFlowInput): Boolean
+  deleteRole(input: DeleteRoleInput): Boolean
+  deleteStep(input: DeleteStepInput): Step
+  deleteUser(input: DeleteUserInput): Boolean
+  duplicateFlow(input: DuplicateFlowInput): Flow
+  executeFlow(input: ExecuteFlowInput): executeFlowType
+  forgotPassword(input: ForgotPasswordInput): Boolean
+  generateAuthUrl(input: GenerateAuthUrlInput): AuthLink
+  login(input: LoginInput): Auth
+  registerUser(input: RegisterUserInput): User
+  resetConnection(input: ResetConnectionInput): Connection
+  resetPassword(input: ResetPasswordInput): Boolean
+  updateConnection(input: UpdateConnectionInput): Connection
+  updateCurrentUser(input: UpdateCurrentUserInput): User
   updateFlow(input: UpdateFlowInput): Flow
   updateFlowStatus(input: UpdateFlowStatusInput): Flow
-  executeFlow(input: ExecuteFlowInput): executeFlowType
-  deleteFlow(input: DeleteFlowInput): Boolean
-  duplicateFlow(input: DuplicateFlowInput): Flow
-  createStep(input: CreateStepInput): Step
+  updateRole(input: UpdateRoleInput): Role
   updateStep(input: UpdateStepInput): Step
-  deleteStep(input: DeleteStepInput): Step
-  createUser(input: CreateUserInput): User
-  deleteUser: Boolean
   updateUser(input: UpdateUserInput): User
-  forgotPassword(input: ForgotPasswordInput): Boolean
-  resetPassword(input: ResetPasswordInput): Boolean
-  login(input: LoginInput): Auth
+  verifyConnection(input: VerifyConnectionInput): Connection
 }
 
 """
@@ -278,6 +292,15 @@ type Execution {
   flow: Flow
 }
 
+type UserConnection {
+  edges: [UserEdge]
+  pageInfo: PageInfo
+}
+
+type UserEdge {
+  node: User
+}
+
 input CreateConnectionInput {
   key: String!
   formattedData: JSONObject!
@@ -361,9 +384,31 @@ input CreateUserInput {
   fullName: String!
   email: String!
   password: String!
+  role: UserRoleInput!
+}
+
+input UserRoleInput {
+  id: String
 }
 
 input UpdateUserInput {
+  id: String!
+  fullName: String
+  email: String
+  role: UserRoleInput
+}
+
+input DeleteUserInput {
+  id: String!
+}
+
+input RegisterUserInput {
+  fullName: String!
+  email: String!
+  password: String!
+}
+
+input UpdateCurrentUserInput {
   email: String
   password: String
   fullName: String
@@ -383,6 +428,29 @@ input LoginInput {
   password: String!
 }
 
+input PermissionInput {
+  action: String!
+  subject: String!
+  conditions: [String]
+}
+
+input CreateRoleInput {
+  name: String!
+  description: String
+  permissions: [PermissionInput]
+}
+
+input UpdateRoleInput {
+  id: String!
+  name: String!
+  description: String
+  permissions: [PermissionInput]
+}
+
+input DeleteRoleInput {
+  id: String!
+}
+
 """
 The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
 """
@@ -454,11 +522,21 @@ type User {
   id: String
   fullName: String
   email: String
-  role: String
+  role: Role
+  permissions: [Permission]
   createdAt: String
   updatedAt: String
 }
 
+type Role {
+  id: String
+  name: String
+  key: String
+  description: String
+  isAdmin: Boolean
+  permissions: [Permission]
+}
+
 type PageInfo {
   currentPage: Int!
   totalPages: Int!
@@ -561,6 +639,35 @@ type GetSamlAuthProviders {
   issuer: String
 }
 
+type Permission {
+  action: String
+  subject: String
+  conditions: [String]
+}
+
+# TODO: emphasize it's a catalog item
+type Permissions {
+  actions: [Action]
+  subjects: [Subject]
+  conditions: [Condition]
+}
+
+type Action {
+  label: String
+  action: String
+  subjects: [String]
+}
+
+type Condition {
+  key: String
+  label: String
+}
+
+type Subject {
+  label: String
+  key: String
+}
+
 schema {
   query: Query
   mutation: Mutation

packages/backend/src/helpers/authentication.ts

@@ -15,10 +15,12 @@ const isAuthenticated = rule()(async (_parent, _args, req) => {
     req.currentUser = await User
       .query()
       .findById(userId)
-      .joinRelated({
+      .leftJoinRelated({
+        role: true,
         permissions: true,
       })
       .withGraphFetched({
+        role: true,
         permissions: true,
       });
 
@@ -38,9 +40,9 @@ const authentication = shield(
     },
     Mutation: {
       '*': isAuthenticated,
-      login: allow,
-      createUser: allow,
+      registerUser: allow,
       forgotPassword: allow,
+      login: allow,
       resetPassword: allow,
     },
   },

packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts

@@ -22,7 +22,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
     return user;
   }
 
-  const createdUser = await User.query().insertGraphAndFetch({
+  const createdUser = await User.query().insertGraph({
     fullName: [
       mappedUser.name,
       mappedUser.surname
@@ -40,7 +40,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
     ]
   }, {
     relate: ['identities']
-  });
+  }).returning('*');
 
   return createdUser;
 };

packages/backend/src/models/permission.ts

@@ -4,6 +4,7 @@ class Permission extends Base {
   id: string;
   action: string;
   subject: string;
+  conditions: string[];
 
   static tableName = 'permissions';
 
@@ -15,6 +16,7 @@ class Permission extends Base {
       id: { type: 'string', format: 'uuid' },
       action: { type: 'string', minLength: 1 },
       subject: { type: 'string', minLength: 1 },
+      conditions: { type: 'array', items: { type: 'string' } },
       createdAt: { type: 'string' },
       updatedAt: { type: 'string' },
     },

packages/backend/src/models/query-builder.ts

@@ -1,6 +1,7 @@
 import {
   Model,
   Page,
+  ModelClass,
   PartialModelObject,
   ForClassMethod,
   AnyQueryBuilder,
@@ -8,6 +9,10 @@ import {
 
 const DELETED_COLUMN_NAME = 'deleted_at';
 
+const supportsSoftDeletion = (modelClass: ModelClass<any>) => {
+  return modelClass.jsonSchema.properties.deletedAt;
+}
+
 const buildQueryBuidlerForClass = (): ForClassMethod => {
   return (modelClass) => {
     const qb: AnyQueryBuilder = Model.QueryBuilder.forClass.call(
@@ -15,7 +20,7 @@ const buildQueryBuidlerForClass = (): ForClassMethod => {
       modelClass
     );
     qb.onBuild((builder) => {
-      if (!builder.context().withSoftDeleted && qb.modelClass().jsonSchema.properties.deletedAt) {
+      if (!builder.context().withSoftDeleted && supportsSoftDeletion(qb.modelClass())) {
         builder.whereNull(
           `${qb.modelClass().tableName}.${DELETED_COLUMN_NAME}`
         );
@@ -38,9 +43,13 @@ class ExtendedQueryBuilder<M extends Model, R = M[]> extends Model.QueryBuilder<
   static forClass: ForClassMethod = buildQueryBuidlerForClass();
 
   delete() {
-    return this.patch({
-      [DELETED_COLUMN_NAME]: new Date().toISOString(),
-    } as unknown as PartialModelObject<M>);
+    if (supportsSoftDeletion(this.modelClass())) {
+      return this.patch({
+        [DELETED_COLUMN_NAME]: new Date().toISOString(),
+      } as unknown as PartialModelObject<M>);
+    }
+
+    return super.delete();
   }
 
   hardDelete() {

packages/backend/src/models/role.ts

@@ -1,4 +1,5 @@
 import Base from './base';
+import Permission from './permission';
 import User from './user';
 
 class Role extends Base {
@@ -7,6 +8,7 @@ class Role extends Base {
   key: string;
   description: string;
   users?: User[];
+  permissions?: Permission[];
 
   static tableName = 'roles';
 
@@ -24,6 +26,10 @@ class Role extends Base {
     },
   };
 
+  static get virtualAttributes() {
+    return ['isAdmin'];
+  }
+
   static relationMappings = () => ({
     users: {
       relation: Base.HasManyRelation,
@@ -33,7 +39,23 @@ class Role extends Base {
         to: 'users.role_id',
       },
     },
+    permissions: {
+      relation: Base.ManyToManyRelation,
+      modelClass: Permission,
+      join: {
+        from: 'roles.id',
+        through: {
+          from: 'roles_permissions.role_id',
+          to: 'roles_permissions.permission_id',
+        },
+        to: 'permissions.id',
+      },
+    },
   });
+
+  get isAdmin() {
+    return this.key === 'admin';
+  }
 }
 
 export default Role;

packages/backend/src/models/user.ts

@@ -2,7 +2,7 @@ import crypto from 'node:crypto';
 import { QueryContext, ModelOptions } from 'objection';
 import bcrypt from 'bcrypt';
 import { DateTime } from 'luxon';
-import { Ability } from '@casl/ability';
+import { PureAbility, fieldPatternMatcher, mongoQueryMatcher } from '@casl/ability';
 import type { Subject } from '@casl/ability';
 
 import appConfig from '../config/app';
@@ -297,7 +297,11 @@ class User extends Base {
       throw new Error('User.permissions must be fetched!');
     }
 
-    return new Ability(this.permissions);
+    // We're not using mongo, but our fields, conditions match
+    return new PureAbility(this.permissions, {
+      conditionsMatcher: mongoQueryMatcher,
+      fieldMatcher: fieldPatternMatcher
+    });
   }
 
   can(action: string, subject: Subject) {