feat: Adjust project permissions gf-351 (#401)

* feat: add the migrations gf-351

* feat: add possibility to processa a project permissions gf-351

* feat: add protected access to backend gf-351

* feat: add protected access to the frontend gf-351

* feat: modify permission access gf-351

* fix: improve access by manage and edit project gf-351

* fix: update access to analytic button gf-351

* fix: update access to key generation gf-351

* fix: improve consistency gf-351

* fix: update frontend routes gf-351

* fix: updated project Id check for permissions gf-351

* feat: add permision protection on backend routes gf-351

* fix: improve consistency gf-351

* fix: create a separate helper for project permissions gf-351

* fix: update permissions for selector on analitic page gf-351

* fix: improve consistency gf-351

* fix: update check user permissions hook gf-351

* fix: improve consistency gf-351

* fix: apdate project permission key type gf-351

* fix: update project permission key type gf-351

* fix: improve consistency gf-351

* fix: move method to project service gf-351

* fix: improve consistency gf-351

* fix: refactored projectdetailsmenu to take permissions as props gf-351

* fix: adjusted projectID mapping to number  gf-351

* fix: adjusted projectID mapping tor  gf-351

* fix: adjusted getpermittednavigationitem to use single filter gf-351

* fix: getpermittednavigationitemshelper bug with pageprojectpermission adjustment gf-351

* fix: getpermittednavigationitemshelper bug with pageprojectpermission adjustment gf-351

* fix: refactored getpermittednavigationitem to make use of both dtos gf-351

* fix: adjusted projects prop sent to projectdetailsmenu to fix all functionality gf-351

* fix: improve consistency gf-351

* fix: improve project details menu permissions gf-351

* fix: improve project details menu root permissions gf-351

* fix: update get all contributors gf-351

* fix: bug with search gf-351

* fix: improve consistency gf-351

* fix: bug with setup analitic button gf-351

* fix: improve consistency gf-351

---------

Co-authored-by: Anna Kasian <[email protected]>
Co-authored-by: Joel Strid <[email protected]>

Author: 3 people

apps/backend/src/db/migrations/20240917124634_add_edit_project_permission.ts

@@ -0,0 +1,24 @@
+import { type Knex } from "knex";
+
+const TABLE_NAME = "project_permissions";
+
+const PermissionKey = {
+	EDIT_PROJECT: "edit_project",
+} as const;
+
+function up(knex: Knex): Promise<void> {
+	return knex(TABLE_NAME).insert({
+		key: PermissionKey.EDIT_PROJECT,
+		name: "Edit Project",
+	});
+}
+
+function down(knex: Knex): Promise<void> {
+	return knex(TABLE_NAME)
+		.where({
+			key: PermissionKey.EDIT_PROJECT,
+		})
+		.del();
+}
+
+export { down, up };

apps/backend/src/db/migrations/20240917124830_add_manage_project_permission.ts

@@ -0,0 +1,24 @@
+import { type Knex } from "knex";
+
+const TABLE_NAME = "project_permissions";
+
+const PermissionKey = {
+	MANAGE_PROJECT: "manage_project",
+} as const;
+
+function up(knex: Knex): Promise<void> {
+	return knex(TABLE_NAME).insert({
+		key: PermissionKey.MANAGE_PROJECT,
+		name: "Manage Project",
+	});
+}
+
+function down(knex: Knex): Promise<void> {
+	return knex(TABLE_NAME)
+		.where({
+			key: PermissionKey.MANAGE_PROJECT,
+		})
+		.del();
+}
+
+export { down, up };

apps/backend/src/libs/hooks/check-user-permissions.hook.ts

@@ -1,27 +1,45 @@
-import { type FastifyRequest } from "fastify";
-
-import { ExceptionMessage } from "~/libs/enums/enums.js";
+import {
+	ExceptionMessage,
+	type PermissionKey,
+	type ProjectPermissionKey,
+} from "~/libs/enums/enums.js";
 import { checkHasPermission } from "~/libs/helpers/helpers.js";
-import { type APIPreHandler } from "~/libs/modules/controller/controller.js";
+import {
+	type APIHandlerOptions,
+	type APIPreHandler,
+} from "~/libs/modules/controller/controller.js";
 import { HTTPCode, HTTPError } from "~/libs/modules/http/http.js";
+import { type UserAuthResponseDto } from "~/modules/users/users.js";
 
-const checkUserPermissions = (routePermissions: string[]): APIPreHandler => {
-	return (request: FastifyRequest, _, done): void => {
-		const { user } = request;
+import { type ValueOf } from "../types/types.js";
 
-		if (!user) {
-			throw new HTTPError({
-				message: ExceptionMessage.USER_NOT_FOUND,
-				status: HTTPCode.UNAUTHORIZED,
-			});
-		}
+const checkUserPermissions = (
+	permissions: ValueOf<typeof PermissionKey>[],
+	projectsPermissions?: ValueOf<typeof ProjectPermissionKey>[],
+	getProjectId?: (options: APIHandlerOptions) => number | undefined,
+): APIPreHandler => {
+	return (options, done): void => {
+		const user = options.user as UserAuthResponseDto;
+		const projectId = getProjectId?.(options);
+
+		const userPermissions = user.groups.flatMap((group) => group.permissions);
+		const projectPermissions = user.projectGroups
+			.filter((group) => projectId && group.projectId === projectId)
+			.flatMap((projectGroup) => projectGroup.permissions);
 
-		const hasPermission = checkHasPermission(
-			routePermissions,
-			user.groups.flatMap((group) => group.permissions),
+		const hasGlobalPermission = checkHasPermission(
+			permissions,
+			userPermissions,
 		);
 
-		if (!hasPermission) {
+		const hasProjectPermission = projectId
+			? checkHasPermission(
+					projectsPermissions as ValueOf<typeof ProjectPermissionKey>[],
+					projectPermissions,
+				)
+			: true;
+
+		if (!hasGlobalPermission && !hasProjectPermission) {
 			throw new HTTPError({
 				message: ExceptionMessage.NO_PERMISSION,
 				status: HTTPCode.FORBIDDEN,

apps/backend/src/libs/modules/controller/base-controller.module.ts

@@ -4,6 +4,7 @@ import { type ServerApplicationRouteParameters } from "~/libs/modules/server-app
 import {
 	type APIHandler,
 	type APIHandlerOptions,
+	type APIPreHandler,
 	type Controller,
 	type ControllerRouteParameters,
 } from "./libs/types/types.js";
@@ -34,6 +35,20 @@ class BaseController implements Controller {
 		return await reply.status(status).send(payload);
 	}
 
+	private mapPreHandler(
+		preHandler: APIPreHandler,
+		request: Parameters<
+			NonNullable<ServerApplicationRouteParameters["preHandlers"]>[number]
+		>[0],
+		done: Parameters<
+			NonNullable<ServerApplicationRouteParameters["preHandlers"]>[number]
+		>[2],
+	): void {
+		const handlerOptions = this.mapRequest(request);
+
+		preHandler(handlerOptions, done);
+	}
+
 	private mapRequest(
 		request: Parameters<ServerApplicationRouteParameters["handler"]>[0],
 	): APIHandlerOptions {
@@ -49,13 +64,18 @@ class BaseController implements Controller {
 	}
 
 	public addRoute(options: ControllerRouteParameters): void {
-		const { handler, path } = options;
+		const { handler, path, preHandlers = [] } = options;
 		const fullPath = this.apiUrl + path;
 
 		this.routes.push({
 			...options,
 			handler: (request, reply) => this.mapHandler(handler, request, reply),
 			path: fullPath,
+			preHandlers: preHandlers.map((preHandler) => {
+				return (request, _, done): void => {
+					this.mapPreHandler(preHandler, request, done);
+				};
+			}),
 		});
 	}
 }

apps/backend/src/libs/modules/controller/libs/types/api-pre-handler.type.ts

@@ -1,9 +1,5 @@
-import { type FastifyReply, type FastifyRequest } from "fastify";
+import { type APIHandlerOptions } from "./api-handler-options.type.js";
 
-type APIPreHandler = (
-	request: FastifyRequest,
-	reply: FastifyReply,
-	done: () => void,
-) => void;
+type APIPreHandler = (options: APIHandlerOptions, done: () => void) => void;
 
 export { type APIPreHandler };

apps/backend/src/libs/modules/server-application/libs/types/server-application-route-parameters.type.ts

@@ -1,6 +1,5 @@
 import { type FastifyReply, type FastifyRequest } from "fastify";
 
-import { type APIPreHandler } from "~/libs/modules/controller/controller.js";
 import { type HTTPMethod } from "~/libs/modules/http/http.js";
 import { type ValidationSchema } from "~/libs/types/types.js";
 
@@ -11,7 +10,11 @@ type ServerApplicationRouteParameters = {
 	) => Promise<void> | void;
 	method: HTTPMethod;
 	path: string;
-	preHandlers?: APIPreHandler[];
+	preHandlers?: ((
+		request: FastifyRequest,
+		reply: FastifyReply,
+		done: () => void,
+	) => void)[];
 	validation?: {
 		body?: ValidationSchema;
 		query?: ValidationSchema;

apps/backend/src/modules/activity-logs/activity-log.controller.ts

@@ -1,12 +1,21 @@
-import { APIPath } from "~/libs/enums/enums.js";
+import {
+	APIPath,
+	PermissionKey,
+	ProjectPermissionKey,
+} from "~/libs/enums/enums.js";
+import { checkHasPermission } from "~/libs/helpers/helpers.js";
+import { checkUserPermissions } from "~/libs/hooks/hooks.js";
 import {
 	type APIHandlerOptions,
 	type APIHandlerResponse,
 	BaseController,
 } from "~/libs/modules/controller/controller.js";
 import { HTTPCode } from "~/libs/modules/http/http.js";
 import { type Logger } from "~/libs/modules/logger/logger.js";
+import { type ProjectGroupService } from "~/modules/project-groups/project-groups.js";
+import { type UserAuthResponseDto } from "~/modules/users/users.js";
 
+import { type PermissionGetAllItemResponseDto } from "../permissions/libs/types/types.js";
 import { type ActivityLogService } from "./activity-log.service.js";
 import { ActivityLogsApiPath } from "./libs/enums/enums.js";
 import {
@@ -53,11 +62,17 @@ import {
 
 class ActivityLogController extends BaseController {
 	private activityLogService: ActivityLogService;
+	private projectGroupService: ProjectGroupService;
 
-	public constructor(logger: Logger, activityLogService: ActivityLogService) {
+	public constructor(
+		logger: Logger,
+		activityLogService: ActivityLogService,
+		projectGroupService: ProjectGroupService,
+	) {
 		super(logger, APIPath.ACTIVITY_LOGS);
 
 		this.activityLogService = activityLogService;
+		this.projectGroupService = projectGroupService;
 
 		this.addRoute({
 			handler: (options) =>
@@ -79,10 +94,21 @@ class ActivityLogController extends BaseController {
 				this.findAll(
 					options as APIHandlerOptions<{
 						query: ActivityLogQueryParameters;
+						user: UserAuthResponseDto;
 					}>,
 				),
 			method: "GET",
 			path: ActivityLogsApiPath.ROOT,
+			preHandlers: [
+				checkUserPermissions(
+					[PermissionKey.VIEW_ALL_PROJECTS, PermissionKey.MANAGE_ALL_PROJECTS],
+					[
+						ProjectPermissionKey.VIEW_PROJECT,
+						ProjectPermissionKey.EDIT_PROJECT,
+						ProjectPermissionKey.MANAGE_PROJECT,
+					],
+				),
+			],
 			validation: {
 				query: activityLogGetValidationSchema,
 			},
@@ -166,10 +192,37 @@ class ActivityLogController extends BaseController {
 	private async findAll(
 		options: APIHandlerOptions<{
 			query: ActivityLogQueryParameters;
+			user: UserAuthResponseDto;
 		}>,
 	): Promise<APIHandlerResponse> {
+		const { contributorName, endDate, projectId, startDate } = options.query;
+		const { user } = options;
+
+		const groups = await this.projectGroupService.findAllByUserId(user.id);
+		const rootPermissions: PermissionGetAllItemResponseDto[] =
+			user.groups.flatMap((group) =>
+				group.permissions.map((permission) => ({
+					id: permission.id,
+					key: permission.key,
+					name: permission.name,
+				})),
+			);
+
+		const hasRootPermission = checkHasPermission(
+			[PermissionKey.MANAGE_ALL_PROJECTS, PermissionKey.VIEW_ALL_PROJECTS],
+			rootPermissions,
+		);
+		const userProjectIds = groups.map(({ projectId }) => projectId.id);
+
 		return {
-			payload: await this.activityLogService.findAll(options.query),
+			payload: await this.activityLogService.findAll({
+				contributorName,
+				endDate,
+				hasRootPermission,
+				projectId,
+				startDate,
+				userProjectIds,
+			}),
 			status: HTTPCode.OK,
 		};
 	}

apps/backend/src/modules/activity-logs/activity-log.repository.ts

@@ -1,3 +1,4 @@
+import { EMPTY_LENGTH } from "~/libs/constants/constants.js";
 import { type Repository } from "~/libs/types/types.js";
 
 import { ActivityLogEntity } from "./activity-log.entity.js";
@@ -43,9 +44,12 @@ class ActivityLogRepository implements Repository {
 	public async findAll({
 		contributorName,
 		endDate,
+		permittedProjectIds,
 		projectId,
 		startDate,
-	}: ActivityLogQueryParameters): Promise<{ items: ActivityLogEntity[] }> {
+	}: {
+		permittedProjectIds: number[] | undefined;
+	} & ActivityLogQueryParameters): Promise<{ items: ActivityLogEntity[] }> {
 		const query = this.activityLogModel
 			.query()
 			.withGraphFetched("[project, createdByUser]")
@@ -61,11 +65,16 @@ class ActivityLogRepository implements Repository {
 			query.whereILike("gitEmail:contributor.name", `%${contributorName}%`);
 		}
 
+		const hasPermissionedProjects =
+			permittedProjectIds && permittedProjectIds.length !== EMPTY_LENGTH;
+
 		if (projectId) {
 			query.where("project_id", projectId);
+		} else if (hasPermissionedProjects) {
+			query.whereIn("project_id", permittedProjectIds);
 		}
 
-		const activityLogs = await query.execute();
+		const activityLogs = await query.orderBy("date");
 
 		return {
 			items: activityLogs.map((activityLog) =>

apps/backend/src/modules/activity-logs/activity-log.service.ts

@@ -139,9 +139,33 @@ class ActivityLogService implements Service {
 	public async findAll({
 		contributorName,
 		endDate,
+		hasRootPermission,
 		projectId,
 		startDate,
-	}: ActivityLogQueryParameters): Promise<ActivityLogGetAllAnalyticsResponseDto> {
+		userProjectIds,
+	}: {
+		hasRootPermission: boolean;
+		userProjectIds: number[];
+	} & ActivityLogQueryParameters): Promise<ActivityLogGetAllAnalyticsResponseDto> {
+		const projectIdParsed = projectId ? Number(projectId) : undefined;
+
+		let permittedProjectIds: number[];
+
+		if (projectIdParsed) {
+			if (!hasRootPermission && !userProjectIds.includes(projectIdParsed)) {
+				throw new ActivityLogError({
+					message: ExceptionMessage.NO_PERMISSION,
+					status: HTTPCode.FORBIDDEN,
+				});
+			}
+
+			permittedProjectIds = [projectIdParsed];
+		} else if (hasRootPermission) {
+			permittedProjectIds = [];
+		} else {
+			permittedProjectIds = userProjectIds;
+		}
+
 		const formattedStartDate = formatDate(
 			getStartOfDay(new Date(startDate)),
 			"yyyy-MM-dd",
@@ -155,6 +179,7 @@ class ActivityLogService implements Service {
 		const activityLogsEntities = await this.activityLogRepository.findAll({
 			contributorName,
 			endDate: formattedEndDate,
+			permittedProjectIds,
 			projectId,
 			startDate: formattedStartDate,
 		});
@@ -167,11 +192,13 @@ class ActivityLogService implements Service {
 			? this.contributorService.findAllByProjectId({
 					contributorName: contributorName ?? "",
 					hasHidden: false,
+					permittedProjectIds,
 					projectId: Number(projectId),
 				})
 			: this.contributorService.findAllWithoutPagination({
 					contributorName: contributorName ?? "",
 					hasHidden: false,
+					permittedProjectIds,
 				}));
 
 		const dateRange = getDateRange(formattedStartDate, formattedEndDate);