feat: Decorator for checking if admin has a specific permissions

VitNode · Jun 17, 2024 · 853d33e · 853d33e
1 parent 475592e
commit 853d33e
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 1 deletion.
diff --git a/backend/src/plugins/core/admin/database/schema/admins.ts b/backend/src/plugins/core/admin/database/schema/admins.ts
@@ -2,6 +2,7 @@ import {
   boolean,
   index,
   integer,
+  jsonb,
   pgTable,
   serial,
   timestamp,
@@ -26,7 +27,8 @@ export const core_admin_permissions = pgTable(
     unrestricted: boolean("unrestricted").notNull().default(false),
     created: timestamp("created").notNull().defaultNow(),
     updated: timestamp("updated").notNull().defaultNow(),
-    protected: boolean("protected").notNull().default(false)
+    protected: boolean("protected").notNull().default(false),
+    permissions: jsonb("permissions").default("{}")
   },
   table => ({
     group_id_idx: index("core_admin_permissions_group_id_idx").on(

diff --git a/backend/src/plugins/core/members/delete/delete.resolver.ts b/backend/src/plugins/core/members/delete/delete.resolver.ts
@@ -3,6 +3,7 @@ import { UseGuards } from "@nestjs/common";
 
 import { DeleteCoreMembersService } from "./delete.service";
 import { DeleteCoreMembersArgs } from "./dto/delete.args";
+
 import { AdminAuthGuards } from "@/utils/guards/admin-auth.guard";
 
 @Resolver()

diff --git a/backend/src/utils/guards/admin-permission.guard.ts b/backend/src/utils/guards/admin-permission.guard.ts
@@ -0,0 +1,48 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { GqlExecutionContext } from "@nestjs/graphql";
+import { AuthorizationAdminSessionsService } from "@/plugins/core/admin/sessions/authorization/authorization.service";
+import { DatabaseService } from "@/database/database.service";
+import { eq } from "drizzle-orm";
+import { core_users } from "@/plugins/core/admin/database/schema/users";
+import { Reflector } from "@nestjs/core";
+
+@Injectable()
+export class AdminPermissionGuards implements CanActivate {
+  constructor(
+    private readonly reflector: Reflector,
+    private readonly service: AuthorizationAdminSessionsService,
+    private readonly databaseService: DatabaseService
+  ) {}
+
+  protected async getAuth(ctx: any) {
+    const { req, res } = ctx;
+    const data = await this.service.authorization({ req, res });
+    return data.user.id;
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const ctx = GqlExecutionContext.create(context).getContext();
+    const permission = this.reflector.get<string>(
+      "permission",
+      context.getHandler()
+    );
+    const userId = await this.getAuth(ctx);
+
+    const user = await this.databaseService.db.query.core_users.findFirst({
+      where: eq(core_users.id, userId)
+    });
+
+    if (!user) return false;
+
+    const admin =
+      await this.databaseService.db.query.core_admin_permissions.findFirst({
+        where: (table, { or, eq }) =>
+          or(eq(table.user_id, user.id), eq(table.group_id, user.group_id))
+      });
+
+    if (!admin || !admin.permissions) return false;
+    const permissions = admin.permissions;
+    if (permissions[permission] === true) return true;
+    return false;
+  }
+}