feat(backend): Add checking permissions admin while using AdminAuthGu…

…ards

apps/backend/schema.gql

@@ -291,28 +291,28 @@ type PageInfo {
 }
 
 type PermissionsStaff {
-  children: [String!]!
   id: String!
+  permissions: [String!]!
 }
 
 input PermissionsStaffArgs {
-  permissions: [PermissionsStaffInput!]!
+  groups: [PermissionsStaffInput!]!
   plugin_code: String!
 }
 
 input PermissionsStaffInput {
-  children: [String!]!
   id: String!
+  permissions: [String!]!
 }
 
 type PermissionsStaffObj {
-  permissions: [PermissionsStaff!]!
+  groups: [PermissionsStaff!]!
   plugin: String!
   plugin_code: String!
 }
 
 type PermissionsStaffObjWithoutPluginName {
-  permissions: [PermissionsStaff!]!
+  groups: [PermissionsStaff!]!
   plugin_code: String!
 }
 

packages/backend/src/core/admin/plugins/permissions-admin/create-edit/create-edit.service.ts

@@ -40,7 +40,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
     // Check if the id already exists
     if (old_id !== id) {
       const existsPermission = parent
-        ? parent.children.find(child => child === id)
+        ? parent.permissions.find(child => child === id)
         : config.permissions_admin?.find(permission => permission.id === id);
 
       if (existsPermission) {
@@ -54,7 +54,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
     // Edit
     if (old_id) {
       const oldPermission = parent
-        ? parent.children.find(child => child === old_id)
+        ? parent.permissions.find(child => child === old_id)
         : config.permissions_admin?.find(
             permission => permission.id === old_id,
           );
@@ -72,7 +72,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
             if (permission.id === parent.id) {
               return {
                 ...permission,
-                children: permission.children.map(child => {
+                children: permission.permissions.map(child => {
                   if (child === old_id) {
                     return id;
                   }
@@ -92,7 +92,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
             if (permission.id === old_id) {
               return {
                 id,
-                children: permission.children,
+                permissions: permission.permissions,
               };
             }
 
@@ -115,7 +115,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
 
       return {
         id,
-        children: [],
+        permissions: [],
       };
     }
 
@@ -127,7 +127,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
           if (permission.id === parent.id) {
             return {
               ...permission,
-              children: [...permission.children, id],
+              permissions: [...permission.permissions, id],
             };
           }
 
@@ -141,7 +141,7 @@ export class CreateEditAdminPermissionsAdminPluginsService {
           ...(config.permissions_admin ?? []),
           {
             id,
-            children: [],
+            permissions: [],
           },
         ],
       };

packages/backend/src/core/admin/plugins/permissions-admin/delete/delete.service.ts

@@ -30,7 +30,7 @@ export class DeleteAdminPermissionsAdminPluginsService {
     }
 
     const existsPermission = parent
-      ? parent.children.find(child => child === id)
+      ? parent.permissions.find(child => child === id)
       : config.permissions_admin?.find(permission => permission.id === id);
 
     if (!existsPermission) {
@@ -40,7 +40,7 @@ export class DeleteAdminPermissionsAdminPluginsService {
     if (parent) {
       config.permissions_admin = config.permissions_admin?.map(permission => {
         if (permission.id === parent_id) {
-          permission.children = permission.children.filter(
+          permission.permissions = permission.permissions.filter(
             child => child !== id,
           );
         }

packages/backend/src/core/admin/settings/authorization/show/show.resolver.ts

@@ -13,7 +13,11 @@ export class ShowAdminAuthorizationSettingsResolver {
 
   @Query(() => ShowAdminAuthorizationSettingsObj)
   @UseGuards(AdminAuthGuards)
-  @AdminPermission('can_manage_authorization_settings')
+  @AdminPermission({
+    plugin_code: 'core',
+    group: 'settings',
+    permission: 'can_manage_settings_authorization',
+  })
   admin__core_authorization_settings__show(): ShowAdminAuthorizationSettingsObj {
     return this.service.show();
   }

packages/backend/src/core/admin/staff/administrators/permissions/core-admin-permisisons.ts → packages/backend/src/core/admin/staff/administrators/permissions/core-admin-permissions.ts

@@ -5,14 +5,14 @@ export const coreAdminPermissions: ShowAdminStaffAdministratorsObj['permissions'
     {
       plugin: 'Core',
       plugin_code: 'core',
-      permissions: [
+      groups: [
         {
           id: 'dashboard',
-          children: ['can_manage_diagnostic_tools'],
+          permissions: ['can_manage_diagnostic_tools'],
         },
         {
           id: 'settings',
-          children: [
+          permissions: [
             'can_manage_settings_main',
             'can_manage_settings_security',
             'can_manage_settings_metadata',
@@ -27,10 +27,10 @@ export const coreAdminPermissions: ShowAdminStaffAdministratorsObj['permissions'
     {
       plugin: 'Members',
       plugin_code: 'members',
-      permissions: [
+      groups: [
         {
           id: 'staff',
-          children: ['can_view_staff'],
+          permissions: ['can_view_staff'],
         },
       ],
     },

packages/backend/src/core/admin/staff/administrators/permissions/dto.ts

@@ -2,35 +2,35 @@ import { Field, InputType, ObjectType, OmitType } from '@nestjs/graphql';
 
 @InputType()
 class PermissionsStaffInput {
-  @Field(() => [String])
-  children: string[];
-
   @Field(() => String)
   id: string;
+
+  @Field(() => [String])
+  permissions: string[];
 }
 
 @InputType()
 export class PermissionsStaffArgs {
   @Field(() => [PermissionsStaffInput])
-  permissions: PermissionsStaffInput[];
+  groups: PermissionsStaffInput[];
 
   @Field(() => String)
   plugin_code: string;
 }
 
 @ObjectType()
 export class PermissionsStaff {
-  @Field(() => [String])
-  children: string[];
-
   @Field(() => String)
   id: string;
+
+  @Field(() => [String])
+  permissions: string[];
 }
 
 @ObjectType()
 export class PermissionsStaffObj {
   @Field(() => [PermissionsStaff])
-  permissions: PermissionsStaff[];
+  groups: PermissionsStaff[];
 
   @Field(() => String)
   plugin: string;

packages/backend/src/core/admin/staff/administrators/permissions/permissions.service.ts

@@ -2,7 +2,7 @@ import { InternalDatabaseService } from '@/utils';
 import { Injectable } from '@nestjs/common';
 
 import { ShowAdminStaffAdministratorsObj } from '../show/show.dto';
-import { coreAdminPermissions } from './core-admin-permisisons';
+import { coreAdminPermissions } from './core-admin-permissions';
 
 @Injectable()
 export class PermissionsAdminStaffAdministratorsService {
@@ -18,7 +18,7 @@ export class PermissionsAdminStaffAdministratorsService {
       ...plugins.map(plugin => ({
         plugin_code: plugin.code,
         plugin: plugin.name,
-        permissions: [],
+        groups: [],
       })),
     ];
   }

packages/backend/src/providers/plugins.type.ts

@@ -16,8 +16,8 @@ export interface PluginInfoJSONType extends CreateAdminPluginsArgs {
   allow_default: boolean;
   nav: NavPluginInfoJSONTypeWithChildren[];
   permissions_admin?: {
-    children: string[];
     id: string;
+    permissions: string[];
   }[];
   version: string;
   version_code: number;

packages/backend/src/utils/guards/admin-auth.guard.ts

@@ -1,3 +1,4 @@
+import { AccessDeniedError } from '@/errors';
 import {
   CanActivate,
   ExecutionContext,
@@ -10,7 +11,14 @@ import { GqlExecutionContext } from '@nestjs/graphql';
 import { AuthorizationAdminSessionsObj } from '../../core/admin/sessions/authorization/authorization.dto';
 import { GqlContext } from '../context';
 
-export const AdminPermission = Reflector.createDecorator<string>();
+interface AdminPermissionDecorator {
+  group: string;
+  permission: string;
+  plugin_code: string;
+}
+
+export const AdminPermission =
+  Reflector.createDecorator<AdminPermissionDecorator>();
 
 @Injectable()
 export class AdminAuthGuards implements CanActivate {
@@ -38,15 +46,25 @@ export class AdminAuthGuards implements CanActivate {
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const ctx: GqlContext = GqlExecutionContext.create(context).getContext();
     const authorization = await this.getAuth(ctx);
-    const permission: string | undefined = this.reflector.get(
+    const permission: AdminPermissionDecorator | undefined = this.reflector.get(
       AdminPermission,
       context.getHandler(),
     );
-
-    if (!permission) {
+    if (!permission || authorization.permissions.length === 0) {
       return !!authorization;
     }
 
+    const plugin = authorization.permissions.find(
+      plugin => plugin.plugin_code === permission.plugin_code,
+    );
+    if (!plugin) throw new AccessDeniedError();
+    const group = plugin.groups.find(group => group.id === permission.group);
+    if (!group) throw new AccessDeniedError();
+    const permissionObj = group.permissions.find(
+      item => item === permission.permission,
+    );
+    if (!permissionObj) throw new AccessDeniedError();
+
     return !!authorization;
   }
 }

packages/frontend/src/graphql/queries/admin/members/staff/admin__core_staff_administrators__show.generated.ts

@@ -9,7 +9,7 @@ export type Admin__Core_Staff_Administrators__ShowQueryVariables = Types.Exact<{
 }>;
 
 
-export type Admin__Core_Staff_Administrators__ShowQuery = { __typename?: 'Query', admin__core_staff_administrators__show: { __typename?: 'ShowAdminStaffAdministratorsObj', edges: Array<{ __typename?: 'ShowAdminStaffAdministrators', created: Date, id: number, updated: Date, protected: boolean, user_or_group: { __typename: 'StaffGroupUser', color?: string, id: number, group_name: Array<{ __typename?: 'StringLanguage', language_code: string, value: string }> } | { __typename: 'User', avatar_color: string, language: string, name_seo: string, id: number, name: string, avatar?: { __typename?: 'AvatarUser', id: number, dir_folder: string, file_name: string }, group: { __typename?: 'GroupUser', id: number, color?: string, name: Array<{ __typename?: 'StringLanguage', language_code: string, value: string }> } }, permissions: Array<{ __typename?: 'PermissionsStaffObjWithoutPluginName', plugin_code: string, permissions: Array<{ __typename?: 'PermissionsStaff', children: Array<string>, id: string }> }> }>, pageInfo: { __typename?: 'PageInfo', count: number, endCursor?: number, hasNextPage: boolean, hasPreviousPage: boolean, startCursor?: number, totalCount: number }, permissions: Array<{ __typename?: 'PermissionsStaffObj', plugin: string, plugin_code: string, permissions: Array<{ __typename?: 'PermissionsStaff', id: string, children: Array<string> }> }> } };
+export type Admin__Core_Staff_Administrators__ShowQuery = { __typename?: 'Query', admin__core_staff_administrators__show: { __typename?: 'ShowAdminStaffAdministratorsObj', edges: Array<{ __typename?: 'ShowAdminStaffAdministrators', created: Date, id: number, updated: Date, protected: boolean, user_or_group: { __typename: 'StaffGroupUser', color?: string, id: number, group_name: Array<{ __typename?: 'StringLanguage', language_code: string, value: string }> } | { __typename: 'User', avatar_color: string, language: string, name_seo: string, id: number, name: string, avatar?: { __typename?: 'AvatarUser', id: number, dir_folder: string, file_name: string }, group: { __typename?: 'GroupUser', id: number, color?: string, name: Array<{ __typename?: 'StringLanguage', language_code: string, value: string }> } }, permissions: Array<{ __typename?: 'PermissionsStaffObjWithoutPluginName', plugin_code: string, groups: Array<{ __typename?: 'PermissionsStaff', permissions: Array<string>, id: string }> }> }>, pageInfo: { __typename?: 'PageInfo', count: number, endCursor?: number, hasNextPage: boolean, hasPreviousPage: boolean, startCursor?: number, totalCount: number }, permissions: Array<{ __typename?: 'PermissionsStaffObj', plugin: string, plugin_code: string, groups: Array<{ __typename?: 'PermissionsStaff', id: string, permissions: Array<string> }> }> } };
 
 
 export const Admin__Core_Staff_Administrators__Show = gql`
@@ -57,8 +57,8 @@ export const Admin__Core_Staff_Administrators__Show = gql`
       updated
       protected
       permissions {
-        permissions {
-          children
+        groups {
+          permissions
           id
         }
         plugin_code
@@ -73,9 +73,9 @@ export const Admin__Core_Staff_Administrators__Show = gql`
       totalCount
     }
     permissions {
-      permissions {
+      groups {
         id
-        children
+        permissions
       }
       plugin
       plugin_code

packages/frontend/src/graphql/queries/admin/members/staff/admin__core_staff_administrators__show.gql

@@ -47,8 +47,8 @@ query Admin__core_staff_administrators__show(
       updated
       protected
       permissions {
-        permissions {
-          children
+        groups {
+          permissions
           id
         }
         plugin_code
@@ -63,9 +63,9 @@ query Admin__core_staff_administrators__show(
       totalCount
     }
     permissions {
-      permissions {
+      groups {
         id
-        children
+        permissions
       }
       plugin
       plugin_code

packages/frontend/src/graphql/queries/admin/plugins/dev/permissions-admin/admin__core_plugins__permissions_admin__show.generated.ts

@@ -6,13 +6,13 @@ export type Admin__Core_Plugins__Permissions_Admin__ShowQueryVariables = Types.E
 }>;
 
 
-export type Admin__Core_Plugins__Permissions_Admin__ShowQuery = { __typename?: 'Query', admin__core_plugins__permissions_admin__show: Array<{ __typename?: 'PermissionsStaff', children: Array<string>, id: string }> };
+export type Admin__Core_Plugins__Permissions_Admin__ShowQuery = { __typename?: 'Query', admin__core_plugins__permissions_admin__show: Array<{ __typename?: 'PermissionsStaff', permissions: Array<string>, id: string }> };
 
 
 export const Admin__Core_Plugins__Permissions_Admin__Show = gql`
     query Admin__core_plugins__permissions_admin__show($pluginCode: String!) {
   admin__core_plugins__permissions_admin__show(plugin_code: $pluginCode) {
-    children
+    permissions
     id
   }
 }

packages/frontend/src/graphql/queries/admin/plugins/dev/permissions-admin/admin__core_plugins__permissions_admin__show.gql

@@ -1,6 +1,6 @@
 query Admin__core_plugins__permissions_admin__show($pluginCode: String!) {
   admin__core_plugins__permissions_admin__show(plugin_code: $pluginCode) {
-    children
+    permissions
     id
   }
 }

packages/frontend/src/graphql/types.ts

@@ -675,30 +675,30 @@ export type PageInfo = {
 
 export type PermissionsStaff = {
   __typename?: 'PermissionsStaff';
-  children: Array<Scalars['String']['output']>;
   id: Scalars['String']['output'];
+  permissions: Array<Scalars['String']['output']>;
 };
 
 export type PermissionsStaffArgs = {
-  permissions: Array<PermissionsStaffInput>;
+  groups: Array<PermissionsStaffInput>;
   plugin_code: Scalars['String']['input'];
 };
 
 export type PermissionsStaffInput = {
-  children: Array<Scalars['String']['input']>;
   id: Scalars['String']['input'];
+  permissions: Array<Scalars['String']['input']>;
 };
 
 export type PermissionsStaffObj = {
   __typename?: 'PermissionsStaffObj';
-  permissions: Array<PermissionsStaff>;
+  groups: Array<PermissionsStaff>;
   plugin: Scalars['String']['output'];
   plugin_code: Scalars['String']['output'];
 };
 
 export type PermissionsStaffObjWithoutPluginName = {
   __typename?: 'PermissionsStaffObjWithoutPluginName';
-  permissions: Array<PermissionsStaff>;
+  groups: Array<PermissionsStaff>;
   plugin_code: Scalars['String']['output'];
 };