-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
access.ts
90 lines (78 loc) · 2.63 KB
/
access.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
export type Session = {
itemId: string
listKey: string
data: {
name: string
role: {
id: string
name: string
canCreateTodos: boolean
canManageAllTodos: boolean
canSeeOtherPeople: boolean
canEditOtherPeople: boolean
canManagePeople: boolean
canManageRoles: boolean
canUseAdminUI: boolean
}
}
}
type AccessArgs = {
session?: Session
}
// this function checks only that a session actually exists, nothing else
export function isSignedIn ({ session }: AccessArgs) {
return Boolean(session)
}
/*
Permissions are shorthand functions for checking that the current user's role has the specified
permission boolean set to true
*/
export const permissions = {
canCreateTodos: ({ session }: AccessArgs) => session?.data.role?.canCreateTodos ?? false,
canManageAllTodos: ({ session }: AccessArgs) => session?.data.role?.canManageAllTodos ?? false,
canManagePeople: ({ session }: AccessArgs) => session?.data.role?.canManagePeople ?? false,
canManageRoles: ({ session }: AccessArgs) => session?.data.role?.canManageRoles ?? false,
// TODO: add canViewAdminUI
}
/*
Rules are logical functions that can be used for list access, and may return a boolean (meaning
all or no items are available) or a set of filters that limit the available items
*/
export const rules = {
canReadTodos: ({ session }: AccessArgs) => {
if (!session) return false
if (session.data.role?.canManageAllTodos) {
// can see all todos that are: assigned to them, or not private
return {
OR: [
{ assignedTo: { id: { equals: session.itemId } } },
{ assignedTo: null, isPrivate: { equals: true } },
{ NOT: { isPrivate: { equals: true } } },
],
}
}
// default to only seeing your own todos
return { assignedTo: { id: { equals: session.itemId } } }
},
canManageTodos: ({ session }: AccessArgs) => {
if (!session) return false
// can manage every todo?
if (session.data.role?.canManageAllTodos) return true
// default to only managing your own todos
return { assignedTo: { id: { equals: session.itemId } } }
},
canReadPeople: ({ session }: AccessArgs) => {
if (!session) return false
// can see everyone?
if (session.data.role?.canSeeOtherPeople) return true
// default to only seeing yourself
return { id: { equals: session.itemId } }
},
canUpdatePeople: ({ session }: AccessArgs) => {
if (!session) return false
// can update everyone?
if (session.data.role?.canEditOtherPeople) return true
// default to only updating yourself
return { id: { equals: session.itemId } }
},
}