initial commit after split
This commit is contained in:
130
webui/src/utils/permissions.ts
Normal file
130
webui/src/utils/permissions.ts
Normal file
@@ -0,0 +1,130 @@
|
||||
import type { AuthInfo } from "../types";
|
||||
|
||||
const legacyTenantScopes = [
|
||||
"campaign:read", "campaign:create", "campaign:update", "campaign:copy", "campaign:archive", "campaign:delete", "campaign:share",
|
||||
"campaign:validate", "campaign:build", "campaign:review", "campaign:send_test", "campaign:queue", "campaign:control", "campaign:send", "campaign:retry", "campaign:reconcile",
|
||||
"recipients:read", "recipients:write", "recipients:import", "recipients:export",
|
||||
"files:read", "files:download", "files:upload", "files:organize", "files:share", "files:delete", "files:admin",
|
||||
"reports:read", "reports:export", "reports:send", "audit:read",
|
||||
"mail_servers:read", "mail_servers:use", "mail_servers:test", "mail_servers:write", "mail_servers:manage_credentials",
|
||||
"admin:users:read", "admin:users:create", "admin:users:update", "admin:users:suspend",
|
||||
"admin:groups:read", "admin:groups:write", "admin:groups:manage_members",
|
||||
"admin:roles:read", "admin:roles:write", "admin:roles:assign",
|
||||
"admin:api_keys:read", "admin:api_keys:create", "admin:api_keys:revoke",
|
||||
"admin:settings:read", "admin:settings:write", "admin:policies:read", "admin:policies:write"
|
||||
];
|
||||
|
||||
const legacyToModuleScopes: Record<string, string> = {
|
||||
"campaign:read": "campaigns:campaign:read",
|
||||
"campaign:create": "campaigns:campaign:create",
|
||||
"campaign:update": "campaigns:campaign:update",
|
||||
"campaign:copy": "campaigns:campaign:copy",
|
||||
"campaign:archive": "campaigns:campaign:archive",
|
||||
"campaign:delete": "campaigns:campaign:delete",
|
||||
"campaign:share": "campaigns:campaign:share",
|
||||
"campaign:validate": "campaigns:campaign:validate",
|
||||
"campaign:build": "campaigns:campaign:build",
|
||||
"campaign:review": "campaigns:campaign:review",
|
||||
"campaign:send_test": "campaigns:campaign:send_test",
|
||||
"campaign:queue": "campaigns:campaign:queue",
|
||||
"campaign:control": "campaigns:campaign:control",
|
||||
"campaign:send": "campaigns:campaign:send",
|
||||
"campaign:retry": "campaigns:campaign:retry",
|
||||
"campaign:reconcile": "campaigns:campaign:reconcile",
|
||||
"recipients:read": "campaigns:recipient:read",
|
||||
"recipients:write": "campaigns:recipient:write",
|
||||
"recipients:import": "campaigns:recipient:import",
|
||||
"recipients:export": "campaigns:recipient:export",
|
||||
"reports:read": "campaigns:report:read",
|
||||
"reports:export": "campaigns:report:export",
|
||||
"reports:send": "campaigns:report:send",
|
||||
"files:read": "files:file:read",
|
||||
"files:download": "files:file:download",
|
||||
"files:upload": "files:file:upload",
|
||||
"files:organize": "files:file:organize",
|
||||
"files:share": "files:file:share",
|
||||
"files:delete": "files:file:delete",
|
||||
"files:admin": "files:file:admin",
|
||||
"mail_servers:read": "mail:profile:read",
|
||||
"mail_servers:use": "mail:profile:use",
|
||||
"mail_servers:test": "mail:profile:test",
|
||||
"mail_servers:write": "mail:profile:write",
|
||||
"mail_servers:manage_credentials": "mail:secret:manage"
|
||||
};
|
||||
|
||||
const moduleToLegacyScopes = Object.fromEntries(Object.entries(legacyToModuleScopes).map(([legacy, module]) => [module, legacy]));
|
||||
const moduleTenantScopes = new Set(Object.values(legacyToModuleScopes));
|
||||
const tenantScopes = new Set([...legacyTenantScopes, ...moduleTenantScopes]);
|
||||
const tenantWildcardLegacyScopes = new Set(["attachments:read", "attachments:write"]);
|
||||
|
||||
const legacyAliases: Record<string, string[]> = {
|
||||
"campaign:write": ["campaign:create", "campaign:update", "campaign:copy", "campaign:archive", "campaign:delete", "campaign:share", "recipients:read", "recipients:write", "recipients:import"],
|
||||
"attachments:read": ["files:read", "files:download"],
|
||||
"attachments:write": ["files:upload", "files:organize", "files:share", "files:delete"],
|
||||
"admin:users": ["admin:users:read", "admin:users:create", "admin:users:update", "admin:users:suspend", "admin:groups:read", "admin:groups:write", "admin:groups:manage_members", "admin:roles:read", "admin:roles:write", "admin:roles:assign"],
|
||||
"admin:users:write": ["admin:users:create", "admin:users:update", "admin:users:suspend", "admin:roles:assign", "admin:groups:manage_members"],
|
||||
"admin:api_keys:write": ["admin:api_keys:create", "admin:api_keys:revoke"],
|
||||
"admin:settings": ["admin:settings:read", "admin:settings:write", "admin:api_keys:read", "admin:api_keys:create", "admin:api_keys:revoke"],
|
||||
"system:tenants:write": ["system:tenants:create", "system:tenants:update", "system:tenants:suspend"],
|
||||
"system:access:write": ["system:access:assign", "system:roles:assign", "system:accounts:create", "system:accounts:update", "system:accounts:suspend"]
|
||||
};
|
||||
|
||||
function compatibleScopes(scope: string): string[] {
|
||||
const mapped = legacyToModuleScopes[scope] ?? moduleToLegacyScopes[scope];
|
||||
return mapped ? [scope, mapped] : [scope];
|
||||
}
|
||||
|
||||
function primitiveScopeGrants(granted: string, required: string): boolean {
|
||||
if (granted === required) return true;
|
||||
if (legacyAliases[granted]?.some((alias) => primitiveScopeGrants(alias, required))) return true;
|
||||
if (granted === "*" || granted === "tenant:*") {
|
||||
return required === "*" || required === "tenant:*" || tenantScopes.has(required) || tenantWildcardLegacyScopes.has(required);
|
||||
}
|
||||
if (granted === "system:*") return required.startsWith("system:") || required.startsWith("access:");
|
||||
if (granted.endsWith(":*") && required.startsWith(granted.slice(0, -1))) return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
export function scopeGrants(granted: string, required: string): boolean {
|
||||
for (const grantedCandidate of compatibleScopes(granted)) {
|
||||
for (const requiredCandidate of compatibleScopes(required)) {
|
||||
if (primitiveScopeGrants(grantedCandidate, requiredCandidate)) return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
export function hasTenantWildcard(scopes: string[]): boolean {
|
||||
return scopes.includes("*") || scopes.includes("tenant:*");
|
||||
}
|
||||
|
||||
export function hasScope(auth: AuthInfo | null | undefined, required: string): boolean {
|
||||
return Boolean(auth?.scopes?.some((scope) => scopeGrants(scope, required)));
|
||||
}
|
||||
|
||||
export function hasAnyScope(auth: AuthInfo | null | undefined, required: string[]): boolean {
|
||||
return required.some((scope) => hasScope(auth, scope));
|
||||
}
|
||||
|
||||
export const adminReadScopes = [
|
||||
"admin:users:read",
|
||||
"admin:groups:read",
|
||||
"admin:roles:read",
|
||||
"admin:api_keys:read",
|
||||
"admin:settings:read",
|
||||
"admin:policies:read",
|
||||
"mail:profile:read",
|
||||
"mail_servers:read",
|
||||
"audit:read",
|
||||
"system:tenants:read",
|
||||
"system:accounts:read",
|
||||
"system:access:read",
|
||||
"system:roles:read",
|
||||
"system:audit:read",
|
||||
"system:settings:read",
|
||||
"system:governance:read",
|
||||
"access:tenant:read",
|
||||
"access:account:read",
|
||||
"access:governance:read"
|
||||
];
|
||||
Reference in New Issue
Block a user