refactor(authentication): team permissions

ConduitPlatform · Jun 13, 2023 · bd65692 · bd65692
1 parent b9d7fdc
commit bd65692
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 9 deletions.
diff --git a/modules/authentication/src/authz/index.ts b/modules/authentication/src/authz/index.ts
@@ -7,11 +7,39 @@ export const Team = new ConduitAuthorizedResource(
   {
     member: 'User',
     owner: ['User', 'Team'],
+    readAll: ['User', 'Team'],
+    editAll: ['User', 'Team'],
   },
   {
-    read: ['member', 'owner->read', 'owner'],
-    edit: ['owner', 'owner->edit'],
-    delete: ['owner', 'owner->delete'],
-    invite: ['owner'],
+    read: [
+      'owner->manageSubTeams',
+      'owner',
+      'owner->viewSubTeams',
+      'readAll',
+      'owner->readAll',
+      'editAll',
+      'owner->editAll',
+    ],
+    edit: ['owner', 'owner->manageSubTeams', 'editAll', 'owner->editAll'],
+    delete: ['owner', 'owner->manageSubTeams'],
+    invite: ['owner', 'editAll', 'owner->editAll'],
+    viewMembers: [
+      'member',
+      'owner',
+      'owner->viewMembers',
+      'readAll',
+      'owner->readAll',
+      'editAll',
+      'owner->editAll',
+    ],
+    viewSubTeams: [
+      'owner->manageSubTeams',
+      'owner',
+      'readAll',
+      'owner->readAll',
+      'editAll',
+      'owner->editAll',
+    ],
+    manageSubTeams: ['owner->manageSubTeams', 'owner', 'editAll', 'owner->editAll'],
   },
 );
diff --git a/modules/authentication/src/handlers/team.ts b/modules/authentication/src/handlers/team.ts
@@ -299,7 +299,7 @@ export class TeamsHandler implements IAuthenticationStrategy {
 
     const allowed = await this.grpcSdk.authorization!.can({
       subject: 'User:' + user._id,
-      actions: ['read'],
+      actions: ['viewMembers'],
       resource: 'Team:' + teamId,
     });
     if (!allowed.allow) {
@@ -330,12 +330,13 @@ export class TeamsHandler implements IAuthenticationStrategy {
   async getTeam(call: ParsedRouterRequest): Promise<UnparsedRouterResponse> {
     const { user } = call.request.context;
     const { teamId, populate } = call.request.params;
-    const allowed = await this.grpcSdk.authorization!.can({
+    const relations = await this.grpcSdk.authorization!.findRelation({
       subject: 'User:' + user._id,
-      actions: ['read'],
       resource: 'Team:' + teamId,
+      skip: 0,
+      limit: 1,
     });
-    if (!allowed.allow) {
+    if (!relations || relations.relations.length === 0) {
       throw new GrpcError(
         status.PERMISSION_DENIED,
         'User does not have permission to view team',
@@ -383,7 +384,7 @@ export class TeamsHandler implements IAuthenticationStrategy {
 
     const allowed = await this.grpcSdk.authorization!.can({
       subject: 'User:' + user._id,
-      actions: ['read'],
+      actions: ['viewSubTeams'],
       resource: 'Team:' + teamId,
     });
     if (!allowed.allow) {