feat: board access group permissions (#422)

* fix: cache is not exportet from react * fix: format issue * wip: add usage of group permissions * feat: show inherited groups and add manage group * refactor: improve board access management * chore: address pull request feedback * fix: type issues * fix: migrations * test: add unit tests for board permissions, permissions and board router * test: add unit tests for board router and get current user permissions method * fix: format issues * fix: deepsource issue
2024-05-04 18:34:41 +02:00
parent ca49a01352
commit b1e065f1da
42 changed files with 2375 additions and 423 deletions
--- a/packages/api/src/trpc.ts
+++ b/packages/api/src/trpc.ts
@@ -11,6 +11,7 @@ import superjson from "superjson";

 import type { Session } from "@homarr/auth";
 import { db } from "@homarr/db";
+import type { GroupPermissionKey } from "@homarr/definitions";
 import { logger } from "@homarr/log";
 import { ZodError } from "@homarr/validation";

@@ -115,3 +116,25 @@ const enforceUserIsAuthed = t.middleware(({ ctx, next }) => {
 * @see https://trpc.io/docs/procedures
 */
 export const protectedProcedure = t.procedure.use(enforceUserIsAuthed);
+
+/**
+ * Procedure that requires a specific permission
+ *
+ * If you want a query or mutation to ONLY be accessible to users with a specific permission, use
+ * this. It verifies that the user has the required permission
+ *
+ * @see https://trpc.io/docs/procedures
+ */
+export const permissionRequiredProcedure = {
+  requiresPermission: (permission: GroupPermissionKey) => {
+    return protectedProcedure.use(({ ctx, input, next }) => {
+      if (!ctx.session?.user.permissions.includes(permission)) {
+        throw new TRPCError({
+          code: "FORBIDDEN",
+          message: "Permission denied",
+        });
+      }
+      return next({ input, ctx });
+    });
+  },
+};