| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- /**
- * Role-Based Access Control (RBAC) helpers.
- *
- * @typedef {Object} Session
- * @property {"branch"|"admin"|"dev"|string} role
- * @property {string=} branchId
- */
- /**
- * Returns true if the given session is allowed to access the requested branch.
- *
- * Rules:
- * - No session => not allowed (caller should return 401)
- * - role "branch" => allowed only for session.branchId === branchId
- * - role "admin" / "dev" => allowed for any branch
- *
- * @param {Session|null} session
- * @param {string} branchId
- * @returns {boolean}
- */
- export function canAccessBranch(session, branchId) {
- if (!session) return false;
- if (!branchId) return false;
- if (session.role === "branch") {
- return session.branchId === branchId;
- }
- if (session.role === "admin" || session.role === "dev") {
- return true;
- }
- return false;
- }
- /**
- * Filters a list of branch IDs for a session.
- *
- * - No session => []
- * - role "branch" => [session.branchId] if present in branchIds, else []
- * - role "admin" / "dev" => all branchIds
- *
- * @param {Session|null} session
- * @param {string[]} branchIds
- * @returns {string[]}
- */
- export function filterBranchesForSession(session, branchIds) {
- if (!session) return [];
- if (!Array.isArray(branchIds)) return [];
- if (session.role === "branch") {
- const own = session.branchId;
- if (!own) return [];
- return branchIds.includes(own) ? [own] : [];
- }
- if (session.role === "admin" || session.role === "dev") {
- return branchIds;
- }
- return [];
- }
|
