Home Explore Help
Register Sign In
Code_Uwe
/
rhl-lieferscheine
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 29b684626d
Branches Tags
rhl-lieferschei...
/
lib
/
auth
/
permissions.js

permissions.js 2.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101 
  1. import { forbidden } from "@/lib/api/errors";
    2. 

  2. 

  3. /**
    4. 

  4.  * Role-Based Access Control (RBAC) helpers.
    5. 

  5.  *
    6. 

  6.  * @typedef {Object} Session
    7. 

  7.  * @property {"branch"|"admin"|"superadmin"|"dev"|string} role
    8. 

  8.  * @property {string=} branchId
    9. 

  9.  */
    10. 

  10. 

  11. /**
    12. 

  12.  * Returns true if the given session is allowed to access the requested branch.
    13. 

  13.  *
    14. 

  14.  * Rules:
    15. 

  15.  * - No session => not allowed (caller should return 401)
    16. 

  16.  * - role "branch" => allowed only for session.branchId === branchId
    17. 

  17.  * - role "admin" / "superadmin" / "dev" => allowed for any branch
    18. 

  18.  *
    19. 

  19.  * @param {Session|null} session
    20. 

  20.  * @param {string} branchId
    21. 

  21.  * @returns {boolean}
    22. 

  22.  */
    23. 

  23. export function canAccessBranch(session, branchId) {
    24. 

  24. 	if (!session) return false;
    25. 

  25. 	if (!branchId) return false;
    26. 

  26. 

  27. 	if (session.role === "branch") {
    28. 

  28. 		return session.branchId === branchId;
    29. 

  29. 	}
    30. 

  30. 

  31. 	if (
    32. 

  32. 		session.role === "admin" ||
    33. 

  33. 		session.role === "superadmin" ||
    34. 

  34. 		session.role === "dev"
    35. 

  35. 	) {
    36. 

  36. 		return true;
    37. 

  37. 	}
    38. 

  38. 

  39. 	return false;
    40. 

  40. }
    41. 

  41. 

  42. /**
    43. 

  43.  * Filters a list of branch IDs for a session.
    44. 

  44.  *
    45. 

  45.  * - No session => []
    46. 

  46.  * - role "branch" => [session.branchId] if present in branchIds, else []
    47. 

  47.  * - role "admin" / "superadmin" / "dev" => all branchIds
    48. 

  48.  *
    49. 

  49.  * @param {Session|null} session
    50. 

  50.  * @param {string[]} branchIds
    51. 

  51.  * @returns {string[]}
    52. 

  52.  */
    53. 

  53. export function filterBranchesForSession(session, branchIds) {
    54. 

  54. 	if (!session) return [];
    55. 

  55. 	if (!Array.isArray(branchIds)) return [];
    56. 

  56. 

  57. 	if (session.role === "branch") {
    58. 

  58. 		const own = session.branchId;
    59. 

  59. 		if (!own) return [];
    60. 

  60. 		return branchIds.includes(own) ? [own] : [];
    61. 

  61. 	}
    62. 

  62. 

  63. 	if (
    64. 

  64. 		session.role === "admin" ||
    65. 

  65. 		session.role === "superadmin" ||
    66. 

  66. 		session.role === "dev"
    67. 

  67. 	) {
    68. 

  68. 		return branchIds;
    69. 

  69. 	}
    70. 

  70. 

  71. 	return [];
    72. 

  72. }
    73. 

  73. 

  74. /**
    75. 

  75.  * Returns true if the given session can manage users (RHL-012 capability).
    76. 

  76.  *
    77. 

  77.  * Rules:
    78. 

  78.  * - dev / superadmin => true
    79. 

  79.  * - admin / branch / unknown => false
    80. 

  80.  *
    81. 

  81.  * @param {Session|null} session
    82. 

  82.  * @returns {boolean}
    83. 

  83.  */
    84. 

  84. export function canManageUsers(session) {
    85. 

  85. 	if (!session) return false;
    86. 

  86. 	return session.role === "dev" || session.role === "superadmin";
    87. 

  87. }
    88. 

  88. 

  89. /**
    90. 

  90.  * Guard helper for user-management endpoints (to be used in RHL-012).
    91. 

  91.  *
    92. 

  92.  * Throws a standardized 403 error when the session lacks user-management permission.
    93. 

  93.  *
    94. 

  94.  * @param {Session|null} session
    95. 

  95.  * @returns {void}
    96. 

  96.  */
    97. 

  97. export function requireUserManagement(session) {
    98. 

  98. 	if (!canManageUsers(session)) {
    99. 

  99. 		throw forbidden("AUTH_FORBIDDEN_USER_MANAGEMENT", "Forbidden");
    100. 

  100. 	}
    101. 

  101. }
    102.