Dockery/Homarr
1
0
Fork 0
mirror of https://github.com/ajnart/homarr.git synced 2026-02-26 16:30:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: add integration access settings (#725)

Browse Source 
* feat: add integration access settings

* fix: typecheck and test issues

* fix: test timeout

* chore: address pull request feedback

* chore: add throw if action forbidden for integration permissions

* fix: unable to create new migrations because of duplicate prevId in sqlite snapshots

* chore: add sqlite migration for integration permissions

* test: add unit tests for integration access

* test: add permission checks to integration router tests

* test: add unit test for integration permissions

* chore: add mysql migration

* fix: format issues
This commit is contained in:
Meier Lukas
2024-07-08 00:00:37 +02:00
committed by GitHub
parent be711149f7
commit 408cdeb5c3
50 changed files with 4392 additions and 615 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access.tsx
View File

@@ -1,101 +0,0 @@
"use client";
import { useState } from "react";
import { Group, Stack, Tabs } from "@mantine/core";
import { IconUser, IconUserDown, IconUsersGroup } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { clientApi } from "@homarr/api/client";
import { useScopedI18n } from "@homarr/translation/client";
import type { TablerIcon } from "@homarr/ui";
import { CountBadge } from "@homarr/ui";
import type { Board } from "../../_types";
import { GroupsForm } from "./_access/group-access";
import { InheritTable } from "./_access/inherit-access";
import { UsersForm } from "./_access/user-access";
interface Props {
board: Board;
initialPermissions: RouterOutputs["board"]["getBoardPermissions"];
}
export const AccessSettingsContent = ({ board, initialPermissions }: Props) => {
const { data: permissions } = clientApi.board.getBoardPermissions.useQuery(
{
id: board.id,
},
{
initialData: initialPermissions,
refetchOnMount: false,
refetchOnWindowFocus: false,
refetchOnReconnect: false,
},
);
const [counts, setCounts] = useState({
user: initialPermissions.userPermissions.length + (board.creator ? 1 : 0),
group: initialPermissions.groupPermissions.length,
});
return (
<Stack>
<Tabs color="red" defaultValue="user">
<Tabs.List grow>
<TabItem value="user" count={counts.user} icon={IconUser} />
<TabItem value="group" count={counts.group} icon={IconUsersGroup} />
<TabItem value="inherited" count={initialPermissions.inherited.length} icon={IconUserDown} />
</Tabs.List>
<Tabs.Panel value="user">
<UsersForm
board={board}
initialPermissions={permissions}
onCountChange={(callback) =>
setCounts(({ user, ...others }) => ({
user: callback(user),
...others,
}))
}
/>
</Tabs.Panel>
<Tabs.Panel value="group">
<GroupsForm
board={board}
initialPermissions={permissions}
onCountChange={(callback) =>
setCounts(({ group, ...others }) => ({
group: callback(group),
...others,
}))
}
/>
</Tabs.Panel>
<Tabs.Panel value="inherited">
<InheritTable initialPermissions={permissions} />
</Tabs.Panel>
</Tabs>
</Stack>
);
};
interface TabItemProps {
value: "user" | "group" | "inherited";
count: number;
icon: TablerIcon;
}
const TabItem = ({ value, icon: Icon, count }: TabItemProps) => {
const t = useScopedI18n("board.setting.section.access.permission");
return (
<Tabs.Tab value={value} leftSection={<Icon stroke={1.5} size={16} />}>
<Group gap="sm">
{t(`tab.${value}`)}
<CountBadge count={count} />
</Group>
</Tabs.Tab>
);
};

13
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/form.ts
View File

@@ -1,13 +0,0 @@
import type { BoardPermission } from "@homarr/definitions";
import { createFormContext } from "@homarr/form";
export interface BoardAccessFormType {
items: {
itemId: string;
permission: BoardPermission;
}[];
}
export const [FormProvider, useFormContext, useForm] = createFormContext<BoardAccessFormType>();
export type OnCountChange = (callback: (prev: number) => number) => void;

57
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/inherit-access.tsx
View File

@@ -1,57 +0,0 @@
import { Stack, Table, TableTbody, TableTh, TableThead, TableTr } from "@mantine/core";
import type { RouterOutputs } from "@homarr/api";
import { getPermissionsWithChildren } from "@homarr/definitions";
import type { BoardPermission, GroupPermissionKey } from "@homarr/definitions";
import { useScopedI18n } from "@homarr/translation/client";
import { BoardAccessDisplayRow } from "./board-access-table-rows";
import { GroupItemContent } from "./group-access";
export interface InheritTableProps {
initialPermissions: RouterOutputs["board"]["getBoardPermissions"];
}
const mapPermissions = {
"board-full-access": "board-full",
"board-modify-all": "board-change",
"board-view-all": "board-view",
} satisfies Partial<Record<GroupPermissionKey, BoardPermission | "board-full">>;
export const InheritTable = ({ initialPermissions }: InheritTableProps) => {
const tPermissions = useScopedI18n("board.setting.section.access.permission");
return (
<Stack pt="sm">
<Table>
<TableThead>
<TableTr>
<TableTh>{tPermissions("field.user.label")}</TableTh>
<TableTh>{tPermissions("field.permission.label")}</TableTh>
</TableTr>
</TableThead>
<TableTbody>
{initialPermissions.inherited.map(({ group, permission }) => {
const boardPermission =
permission in mapPermissions
? mapPermissions[permission as keyof typeof mapPermissions]
: getPermissionsWithChildren([permission]).includes("board-full-access")
? "board-full"
: null;
if (!boardPermission) {
return null;
}
return (
<BoardAccessDisplayRow
key={group.id}
itemContent={<GroupItemContent group={group} />}
permission={boardPermission}
/>
);
})}
</TableTbody>
</Table>
</Stack>
);
};

137
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/user-access.tsx
View File

@@ -1,137 +0,0 @@
import { useCallback, useState } from "react";
import Link from "next/link";
import { Anchor, Box, Button, Group, Stack, Table, TableTbody, TableTh, TableThead, TableTr } from "@mantine/core";
import { IconPlus } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { clientApi } from "@homarr/api/client";
import { useModalAction } from "@homarr/modals";
import { useI18n, useScopedI18n } from "@homarr/translation/client";
import { UserAvatar } from "@homarr/ui";
import type { Board } from "../../../_types";
import { BoardAccessDisplayRow, BoardAccessSelectRow } from "./board-access-table-rows";
import type { BoardAccessFormType, OnCountChange } from "./form";
import { FormProvider, useForm } from "./form";
import { UserSelectModal } from "./user-select-modal";
export interface FormProps {
board: Pick<Board, "id" | "creatorId" | "creator">;
initialPermissions: RouterOutputs["board"]["getBoardPermissions"];
onCountChange: OnCountChange;
}
export const UsersForm = ({ board, initialPermissions, onCountChange }: FormProps) => {
const { mutate, isPending } = clientApi.board.saveUserBoardPermissions.useMutation();
const utils = clientApi.useUtils();
const [users, setUsers] = useState<Map<string, User>>(
new Map(initialPermissions.userPermissions.map(({ user }) => [user.id, user])),
);
const { openModal } = useModalAction(UserSelectModal);
const t = useI18n();
const tPermissions = useScopedI18n("board.setting.section.access.permission");
const form = useForm({
initialValues: {
items: initialPermissions.userPermissions.map(({ user, permission }) => ({
itemId: user.id,
permission,
})),
},
});
const handleSubmit = useCallback(
(values: BoardAccessFormType) => {
mutate(
{
id: board.id,
permissions: values.items,
},
{
onSuccess: () => {
void utils.board.getBoardPermissions.invalidate();
},
},
);
},
[board.id, mutate, utils.board.getBoardPermissions],
);
const handleAddUser = useCallback(() => {
const presentUserIds = form.values.items.map(({ itemId: id }) => id);
openModal({
presentUserIds: board.creatorId ? presentUserIds.concat(board.creatorId) : presentUserIds,
onSelect: (user) => {
setUsers((prev) => new Map(prev).set(user.id, user));
form.setFieldValue("items", [
{
itemId: user.id,
permission: "board-view",
},
...form.values.items,
]);
onCountChange((prev) => prev + 1);
},
});
}, [form, openModal, board.creatorId, onCountChange]);
return (
<form onSubmit={form.onSubmit(handleSubmit)}>
<FormProvider form={form}>
<Stack pt="sm">
<Table>
<TableThead>
<TableTr>
<TableTh>{tPermissions("field.user.label")}</TableTh>
<TableTh>{tPermissions("field.permission.label")}</TableTh>
</TableTr>
</TableThead>
<TableTbody>
{board.creator && (
<BoardAccessDisplayRow itemContent={<UserItemContent user={board.creator} />} permission="board-full" />
)}
{form.values.items.map((row, index) => (
<BoardAccessSelectRow
key={row.itemId}
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
itemContent={<UserItemContent user={users.get(row.itemId)!} />}
permission={row.permission}
index={index}
onCountChange={onCountChange}
/>
))}
</TableTbody>
</Table>
<Group justify="space-between">
<Button rightSection={<IconPlus size="1rem" />} variant="light" onClick={handleAddUser}>
{t("common.action.add")}
</Button>
<Button type="submit" loading={isPending} color="teal">
{t("common.action.saveChanges")}
</Button>
</Group>
</Stack>
</FormProvider>
</form>
);
};
const UserItemContent = ({ user }: { user: User }) => {
return (
<Group wrap="nowrap">
<Box visibleFrom="xs">
<UserAvatar user={user} size="sm" />
</Box>
<Anchor component={Link} href={`/manage/users/${user.id}`} size="sm" style={{ whiteSpace: "nowrap" }}>
{user.name}
</Anchor>
</Group>
);
};
interface User {
id: string;
name: string | null;
image: string | null;
}

69
apps/nextjs/src/app/[locale]/boards/[name]/settings/_board-access.tsx Normal file
View File

@@ -0,0 +1,69 @@
"use client";
import { IconEye, IconPencil, IconSettings } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { clientApi } from "@homarr/api/client";
import { boardPermissions, boardPermissionsMap } from "@homarr/definitions";
import { useI18n } from "@homarr/translation/client";
import { AccessSettings } from "~/components/access/access-settings";
import type { Board } from "../../_types";
interface Props {
board: Board;
initialPermissions: RouterOutputs["board"]["getBoardPermissions"];
}
export const BoardAccessSettings = ({ board, initialPermissions }: Props) => {
const groupMutation = clientApi.board.saveGroupBoardPermissions.useMutation();
const userMutation = clientApi.board.saveUserBoardPermissions.useMutation();
const utils = clientApi.useUtils();
const t = useI18n();
const { data: permissions } = clientApi.board.getBoardPermissions.useQuery(
{
id: board.id,
},
{
initialData: initialPermissions,
refetchOnMount: false,
refetchOnWindowFocus: false,
refetchOnReconnect: false,
},
);
return (
<AccessSettings
entity={{
id: board.id,
ownerId: board.creatorId,
owner: board.creator,
}}
query={{
invalidate: () => utils.board.getBoardPermissions.invalidate(),
data: permissions,
}}
groupsMutation={{
mutate: groupMutation.mutate,
isPending: groupMutation.isPending,
}}
usersMutation={{
mutate: userMutation.mutate,
isPending: userMutation.isPending,
}}
translate={(key) => t(`board.setting.section.access.permission.item.${key}.label`)}
permission={{
items: boardPermissions,
default: "view",
fullAccessGroupPermission: "board-full-all",
groupPermissionMapping: boardPermissionsMap,
icons: {
modify: IconPencil,
view: IconEye,
full: IconSettings,
},
}}
/>
);
};

8
apps/nextjs/src/app/[locale]/boards/[name]/settings/page.tsx
View File

@@ -20,8 +20,8 @@ import type { TablerIcon } from "@homarr/ui";
import { getBoardPermissionsAsync } from "~/components/board/permissions/server";
import { ActiveTabAccordion } from "../../../../../components/active-tab-accordion";
import { AccessSettingsContent } from "./_access";
import { BackgroundSettingsContent } from "./_background";
import { BoardAccessSettings } from "./_board-access";
import { ColorSettingsContent } from "./_colors";
import { CustomCssSettingsContent } from "./_customCss";
import { DangerZoneSettingsContent } from "./_danger";
@@ -44,8 +44,8 @@ const getBoardAndPermissionsAsync = async (params: Props["params"]) => {
const permissions = hasFullAccess
? await api.board.getBoardPermissions({ id: board.id })
: {
userPermissions: [],
groupPermissions: [],
users: [],
groups: [],
inherited: [],
};
@@ -89,7 +89,7 @@ export default async function BoardSettingsPage({ params, searchParams }: Props)
{hasFullAccess && (
<>
<AccordionItemFor value="access" icon={IconUser}>
<AccessSettingsContent board={board} initialPermissions={permissions} />
<BoardAccessSettings board={board} initialPermissions={permissions} />
</AccordionItemFor>
<AccordionItemFor value="dangerZone" icon={IconAlertTriangle} danger noPadding>
<DangerZoneSettingsContent />

61
apps/nextjs/src/app/[locale]/manage/integrations/_components/integration-access-settings.tsx Normal file
View File

@@ -0,0 +1,61 @@
"use client";
import { IconPlayerPlay, IconSelector, IconSettings } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { clientApi } from "@homarr/api/client";
import { integrationPermissions, integrationPermissionsMap } from "@homarr/definitions";
import { useI18n } from "@homarr/translation/client";
import { AccessSettings } from "~/components/access/access-settings";
interface Props {
integration: RouterOutputs["integration"]["byId"];
initialPermissions: RouterOutputs["integration"]["getIntegrationPermissions"];
}
export const IntegrationAccessSettings = ({ integration, initialPermissions }: Props) => {
const t = useI18n();
const utils = clientApi.useUtils();
const { data } = clientApi.integration.getIntegrationPermissions.useQuery(
{
id: integration.id,
},
{
refetchOnMount: false,
refetchOnWindowFocus: false,
refetchOnReconnect: false,
initialData: initialPermissions,
},
);
const usersMutation = clientApi.integration.saveUserIntegrationPermissions.useMutation();
const groupsMutation = clientApi.integration.saveGroupIntegrationPermissions.useMutation();
return (
<AccessSettings
entity={{
id: integration.id,
ownerId: null,
owner: null,
}}
permission={{
items: integrationPermissions,
default: "use",
fullAccessGroupPermission: "integration-full-all",
icons: {
use: IconSelector,
interact: IconPlayerPlay,
full: IconSettings,
},
groupPermissionMapping: integrationPermissionsMap,
}}
translate={(key) => t(`integration.permission.${key}`)}
query={{
data,
invalidate: () => utils.integration.getIntegrationPermissions.invalidate(),
}}
groupsMutation={groupsMutation}
usersMutation={usersMutation}
/>
);
};

16
apps/nextjs/src/app/[locale]/manage/integrations/edit/[id]/page.tsx
View File

@@ -1,10 +1,11 @@
import { Container, Group, Stack, Title } from "@mantine/core";
import { Container, Fieldset, Group, Stack, Title } from "@mantine/core";
import { api } from "@homarr/api/server";
import { getIntegrationName } from "@homarr/definitions";
import { getScopedI18n } from "@homarr/translation/server";
import { getI18n, getScopedI18n } from "@homarr/translation/server";
import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
import { IntegrationAccessSettings } from "../../_components/integration-access-settings";
import { IntegrationAvatar } from "../../_integration-avatar";
import { EditIntegrationForm } from "./_integration-edit-form";
@@ -13,8 +14,10 @@ interface EditIntegrationPageProps {
}
export default async function EditIntegrationPage({ params }: EditIntegrationPageProps) {
const t = await getScopedI18n("integration.page.edit");
const editT = await getScopedI18n("integration.page.edit");
const t = await getI18n();
const integration = await api.integration.byId({ id: params.id });
const integrationPermissions = await api.integration.getIntegrationPermissions({ id: integration.id });
return (
<>
@@ -23,9 +26,14 @@ export default async function EditIntegrationPage({ params }: EditIntegrationPag
<Stack>
<Group align="center">
<IntegrationAvatar kind={integration.kind} size="md" />
<Title>{t("title", { name: getIntegrationName(integration.kind) })}</Title>
<Title>{editT("title", { name: getIntegrationName(integration.kind) })}</Title>
</Group>
<EditIntegrationForm integration={integration} />
<Title order={2}>{t("permission.title")}</Title>
<Fieldset>
<IntegrationAccessSettings integration={integration} initialPermissions={integrationPermissions} />
</Fieldset>
</Stack>
</Container>
</>

4
apps/nextjs/src/app/[locale]/manage/integrations/new/page.tsx
View File

@@ -24,7 +24,7 @@ export default async function IntegrationsNewPage({ searchParams }: NewIntegrati
notFound();
}
const t = await getScopedI18n("integration.page.create");
const tCreate = await getScopedI18n("integration.page.create");
const currentKind = result.data;
@@ -35,7 +35,7 @@ export default async function IntegrationsNewPage({ searchParams }: NewIntegrati
<Stack>
<Group align="center">
<IntegrationAvatar kind={currentKind} size="md" />
<Title>{t("title", { name: getIntegrationName(currentKind) })}</Title>
<Title>{tCreate("title", { name: getIntegrationName(currentKind) })}</Title>
</Group>
<NewIntegrationForm searchParams={searchParams} />
</Stack>

2
apps/nextjs/src/app/[locale]/manage/users/groups/[id]/_transfer-group-ownership.tsx
View File

@@ -8,7 +8,7 @@ import { useConfirmModal, useModalAction } from "@homarr/modals";
import { showErrorNotification, showSuccessNotification } from "@homarr/notifications";
import { useI18n, useScopedI18n } from "@homarr/translation/client";
import { UserSelectModal } from "~/app/[locale]/boards/[name]/settings/_access/user-select-modal";
import { UserSelectModal } from "~/components/access/user-select-modal";
interface TransferGroupOwnershipProps {
group: {

2
apps/nextjs/src/app/[locale]/manage/users/groups/[id]/members/_add-group-member.tsx
View File

@@ -6,8 +6,8 @@ import { clientApi } from "@homarr/api/client";
import { useModalAction } from "@homarr/modals";
import { useScopedI18n } from "@homarr/translation/client";
import { UserSelectModal } from "~/app/[locale]/boards/[name]/settings/_access/user-select-modal";
import { revalidatePathActionAsync } from "~/app/revalidatePathAction";
import { UserSelectModal } from "~/components/access/user-select-modal";
import { MobileAffixButton } from "~/components/manage/mobile-affix-button";
interface AddGroupMemberProps {

189
apps/nextjs/src/components/access/access-settings.tsx Normal file
View File

@@ -0,0 +1,189 @@
import { useState } from "react";
import { Group, Stack, Tabs } from "@mantine/core";
import { IconUser, IconUserDown, IconUsersGroup } from "@tabler/icons-react";
import type { GroupPermissionKey } from "@homarr/definitions";
import { useScopedI18n } from "@homarr/translation/client";
import type { TablerIcon } from "@homarr/ui";
import { CountBadge } from "@homarr/ui";
import { AccessProvider } from "./context";
import type { AccessFormType } from "./form";
import { GroupAccessForm } from "./group-access-form";
import { InheritAccessTable } from "./inherit-access-table";
import { UsersAccessForm } from "./user-access-form";
interface GroupAccessPermission<TPermission extends string> {
permission: TPermission;
group: {
id: string;
name: string;
};
}
interface UserAccessPermission<TPermission extends string> {
permission: TPermission;
user: {
name: string | null;
image: string | null;
id: string;
};
}
interface SimpleMutation<TPermission extends string> {
mutate: (
props: { entityId: string; permissions: { principalId: string; permission: TPermission }[] },
options: { onSuccess: () => void },
) => void;
isPending: boolean;
}
export interface AccessQueryData<TPermission extends string> {
inherited: GroupAccessPermission<GroupPermissionKey>[];
groups: GroupAccessPermission<TPermission>[];
users: UserAccessPermission<TPermission>[];
}
interface Props<TPermission extends string> {
permission: {
items: readonly TPermission[];
default: TPermission;
icons: Record<TPermission, TablerIcon>;
groupPermissionMapping: Record<TPermission, GroupPermissionKey>;
fullAccessGroupPermission: GroupPermissionKey;
};
query: {
data: AccessQueryData<TPermission>;
invalidate: () => Promise<void>;
};
groupsMutation: SimpleMutation<TPermission>;
usersMutation: SimpleMutation<TPermission>;
entity: {
id: string;
ownerId: string | null;
owner: {
id: string;
name: string | null;
image: string | null;
} | null;
};
translate: (key: TPermission) => string;
}
export const AccessSettings = <TPermission extends string>({
permission,
query,
groupsMutation,
usersMutation,
entity,
translate,
}: Props<TPermission>) => {
const [counts, setCounts] = useState({
user: query.data.users.length + (entity.owner ? 1 : 0),
group: query.data.groups.length,
});
const handleGroupSubmit = (values: AccessFormType<TPermission>) => {
groupsMutation.mutate(
{
entityId: entity.id,
permissions: values.items,
},
{
onSuccess() {
void query.invalidate();
},
},
);
};
const handleUserSubmit = (values: AccessFormType<TPermission>) => {
usersMutation.mutate(
{
entityId: entity.id,
permissions: values.items,
},
{
onSuccess() {
void query.invalidate();
},
},
);
};
return (
<AccessProvider<TPermission>
defaultPermission={permission.default}
icons={permission.icons}
permissions={permission.items}
translate={translate}
>
<Stack>
<Tabs color="red" defaultValue="user">
<Tabs.List grow>
<TabItem value="user" count={counts.user} icon={IconUser} />
<TabItem value="group" count={counts.group} icon={IconUsersGroup} />
<TabItem value="inherited" count={query.data.inherited.length} icon={IconUserDown} />
</Tabs.List>
<Tabs.Panel value="user">
<UsersAccessForm<TPermission>
entity={entity}
accessQueryData={query.data}
handleCountChange={(callback) =>
setCounts(({ user, ...others }) => ({
user: callback(user),
...others,
}))
}
handleSubmit={handleUserSubmit}
isPending={usersMutation.isPending}
/>
</Tabs.Panel>
<Tabs.Panel value="group">
<GroupAccessForm<TPermission>
accessQueryData={query.data}
handleCountChange={(callback) =>
setCounts(({ group, ...others }) => ({
group: callback(group),
...others,
}))
}
handleSubmit={handleGroupSubmit}
isPending={groupsMutation.isPending}
/>
</Tabs.Panel>
<Tabs.Panel value="inherited">
<InheritAccessTable<TPermission>
accessQueryData={query.data}
fullAccessGroupPermission={permission.fullAccessGroupPermission}
mapPermissions={permission.groupPermissionMapping}
/>
</Tabs.Panel>
</Tabs>
</Stack>
</AccessProvider>
);
};
interface TabItemProps {
value: "user" | "group" | "inherited";
count: number;
icon: TablerIcon;
}
const TabItem = ({ value, icon: Icon, count }: TabItemProps) => {
const t = useScopedI18n("permission");
return (
<Tabs.Tab value={value} leftSection={<Icon stroke={1.5} size={16} />}>
<Group gap="sm">
{t(`tab.${value}`)}
<CountBadge count={count} />
</Group>
</Tabs.Tab>
);
};

92
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/board-access-table-rows.tsx → apps/nextjs/src/components/access/access-table-rows.tsx
View File

@@ -1,43 +1,36 @@
import { useCallback } from "react";
import type { ReactNode } from "react";
import { useCallback } from "react";
import type { SelectProps } from "@mantine/core";
import { Button, Flex, Group, Select, TableTd, TableTr, Text } from "@mantine/core";
import { IconCheck, IconEye, IconPencil, IconSettings } from "@tabler/icons-react";
import { Icon123, IconCheck } from "@tabler/icons-react";
import type { BoardPermission } from "@homarr/definitions";
import { boardPermissions } from "@homarr/definitions";
import { useI18n, useScopedI18n } from "@homarr/translation/client";
import type { TablerIcon } from "@homarr/ui";
import { useI18n } from "@homarr/translation/client";
import type { OnCountChange } from "./form";
import { useAccessContext } from "./context";
import type { HandleCountChange } from "./form";
import { useFormContext } from "./form";
const icons = {
"board-change": IconPencil,
"board-view": IconEye,
"board-full": IconSettings,
} satisfies Record<BoardPermission | "board-full", TablerIcon>;
interface BoardAccessSelectRowProps {
interface AccessSelectRowProps {
itemContent: ReactNode;
permission: BoardPermission;
permission: string;
index: number;
onCountChange: OnCountChange;
handleCountChange: HandleCountChange;
}
export const BoardAccessSelectRow = ({ itemContent, permission, index, onCountChange }: BoardAccessSelectRowProps) => {
export const AccessSelectRow = ({ itemContent, permission, index, handleCountChange }: AccessSelectRowProps) => {
const tRoot = useI18n();
const tPermissions = useScopedI18n("board.setting.section.access.permission");
const { icons, getSelectData } = useAccessContext();
const form = useFormContext();
const Icon = icons[permission];
const handleRemove = useCallback(() => {
form.setFieldValue(
"items",
form.values.items.filter((_, i) => i !== index),
);
onCountChange((prev) => prev - 1);
}, [form, index, onCountChange]);
handleCountChange((prev) => prev - 1);
}, [form, index, handleCountChange]);
const Icon = icons[permission] ?? Icon123;
return (
<TableTr>
@@ -50,10 +43,7 @@ export const BoardAccessSelectRow = ({ itemContent, permission, index, onCountCh
leftSection={<Icon size="1rem" />}
renderOption={RenderOption}
variant="unstyled"
data={boardPermissions.map((permission) => ({
value: permission,
label: tPermissions(`item.${permission}.label`),
}))}
data={getSelectData()}
{...form.getInputProps(`items.${index}.permission`)}
/>
@@ -66,30 +56,6 @@ export const BoardAccessSelectRow = ({ itemContent, permission, index, onCountCh
);
};
interface BoardAccessDisplayRowProps {
itemContent: ReactNode;
permission: BoardPermission | "board-full";
}
export const BoardAccessDisplayRow = ({ itemContent, permission }: BoardAccessDisplayRowProps) => {
const tPermissions = useScopedI18n("board.setting.section.access.permission");
const Icon = icons[permission];
return (
<TableTr>
<TableTd w={{ sm: 128, lg: 256 }}>{itemContent}</TableTd>
<TableTd>
<Group gap={0}>
<Flex w={34} h={34} align="center" justify="center">
<Icon size="1rem" color="var(--input-section-color, var(--mantine-color-dimmed))" />
</Flex>
<Text size="sm">{tPermissions(`item.${permission}.label`)}</Text>
</Group>
</TableTd>
</TableTr>
);
};
const iconProps = {
stroke: 1.5,
color: "currentColor",
@@ -98,7 +64,9 @@ const iconProps = {
};
const RenderOption: SelectProps["renderOption"] = ({ option, checked }) => {
const Icon = icons[option.value as BoardPermission];
const { icons } = useAccessContext();
const Icon = icons[option.value] ?? Icon123;
return (
<Group flex="1" gap="xs" wrap="nowrap">
<Icon {...iconProps} />
@@ -107,3 +75,27 @@ const RenderOption: SelectProps["renderOption"] = ({ option, checked }) => {
</Group>
);
};
interface AccessDisplayRowProps {
itemContent: ReactNode;
permission: string;
}
export const AccessDisplayRow = ({ itemContent, permission }: AccessDisplayRowProps) => {
const { icons, translate } = useAccessContext();
const Icon = icons[permission] ?? Icon123;
return (
<TableTr>
<TableTd w={{ sm: 128, lg: 256 }}>{itemContent}</TableTd>
<TableTd>
<Group gap={0}>
<Flex w={34} h={34} align="center" justify="center">
<Icon size="1rem" color="var(--input-section-color, var(--mantine-color-dimmed))" />
</Flex>
<Text size="sm">{translate(permission)}</Text>
</Group>
</TableTd>
</TableTr>
);
};

53
apps/nextjs/src/components/access/context.tsx Normal file
View File

@@ -0,0 +1,53 @@
import { createContext, useContext } from "react";
import type { TablerIcon } from "@tabler/icons-react";
const AccessContext = createContext<{
permissions: readonly string[];
icons: Record<string, TablerIcon>;
translate: (key: string) => string;
defaultPermission: string;
} | null>(null);
export const useAccessContext = <TPermission extends string>() => {
const context = useContext(AccessContext);
if (!context) {
throw new Error("useAccessContext must be used within a AccessProvider");
}
return {
icons: context.icons as Record<TPermission, TablerIcon>,
getSelectData: () =>
context.permissions.map((permission) => ({ value: permission, label: context.translate(permission) })),
permissions: context.permissions as readonly TPermission[],
translate: context.translate as (key: TPermission) => string,
defaultPermission: context.defaultPermission as TPermission,
};
};
export const AccessProvider = <TPermission extends string>({
defaultPermission,
permissions,
icons,
translate,
children,
}: {
defaultPermission: TPermission;
permissions: readonly TPermission[];
icons: Record<TPermission, TablerIcon>;
translate: (key: TPermission) => string;
children: React.ReactNode;
}) => {
return (
<AccessContext.Provider
value={{
defaultPermission,
permissions,
icons,
translate: translate as (key: string) => string,
}}
>
{children}
</AccessContext.Provider>
);
};

12
apps/nextjs/src/components/access/form.ts Normal file
View File

@@ -0,0 +1,12 @@
import { createFormContext } from "@homarr/form";
export interface AccessFormType<TPermission extends string> {
items: {
principalId: string;
permission: TPermission;
}[];
}
export const [FormProvider, useFormContext, useForm] = createFormContext<AccessFormType<string>>();
export type HandleCountChange = (callback: (prev: number) => number) => void;

77
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/group-access.tsx → apps/nextjs/src/components/access/group-access-form.tsx
View File

@@ -1,73 +1,60 @@
import { useCallback, useState } from "react";
import { useState } from "react";
import Link from "next/link";
import { Anchor, Button, Group, Stack, Table, TableTbody, TableTh, TableThead, TableTr } from "@mantine/core";
import { IconPlus } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { clientApi } from "@homarr/api/client";
import { useModalAction } from "@homarr/modals";
import { useI18n, useScopedI18n } from "@homarr/translation/client";
import { BoardAccessSelectRow } from "./board-access-table-rows";
import type { BoardAccessFormType } from "./form";
import type { AccessQueryData } from "./access-settings";
import { AccessSelectRow } from "./access-table-rows";
import { useAccessContext } from "./context";
import type { AccessFormType } from "./form";
import { FormProvider, useForm } from "./form";
import { GroupSelectModal } from "./group-select-modal";
import type { FormProps } from "./user-access";
import type { FormProps } from "./user-access-form";
export const GroupsForm = ({ board, initialPermissions, onCountChange }: FormProps) => {
const { mutate, isPending } = clientApi.board.saveGroupBoardPermissions.useMutation();
const utils = clientApi.useUtils();
const [groups, setGroups] = useState<Map<string, Group>>(
new Map(initialPermissions.groupPermissions.map(({ group }) => [group.id, group])),
export const GroupAccessForm = <TPermission extends string>({
accessQueryData,
handleCountChange,
handleSubmit,
isPending,
}: Omit<FormProps<TPermission>, "entity">) => {
const { defaultPermission } = useAccessContext();
const [groups, setGroups] = useState<Map<string, AccessQueryData<string>["groups"][number]["group"]>>(
new Map(accessQueryData.groups.map(({ group }) => [group.id, group])),
);
const { openModal } = useModalAction(GroupSelectModal);
const t = useI18n();
const tPermissions = useScopedI18n("board.setting.section.access.permission");
const tPermissions = useScopedI18n("permission");
const form = useForm({
initialValues: {
items: initialPermissions.groupPermissions.map(({ group, permission }) => ({
itemId: group.id,
items: accessQueryData.groups.map(({ group, permission }) => ({
principalId: group.id,
permission,
})),
},
});
const handleSubmit = useCallback(
(values: BoardAccessFormType) => {
mutate(
{
id: board.id,
permissions: values.items,
},
{
onSuccess: () => {
void utils.board.getBoardPermissions.invalidate();
},
},
);
},
[board.id, mutate, utils.board.getBoardPermissions],
);
const handleAddUser = useCallback(() => {
const handleAddUser = () => {
openModal({
presentGroupIds: form.values.items.map(({ itemId: id }) => id),
presentGroupIds: form.values.items.map(({ principalId: id }) => id),
onSelect: (group) => {
setGroups((prev) => new Map(prev).set(group.id, group));
form.setFieldValue("items", [
{
itemId: group.id,
permission: "board-view",
principalId: group.id,
permission: defaultPermission,
},
...form.values.items,
]);
onCountChange((prev) => prev + 1);
handleCountChange((prev) => prev + 1);
},
});
}, [form, openModal, onCountChange]);
};
return (
<form onSubmit={form.onSubmit(handleSubmit)}>
<form onSubmit={form.onSubmit((values) => handleSubmit(values as AccessFormType<TPermission>))}>
<FormProvider form={form}>
<Stack pt="sm">
<Table>
@@ -79,13 +66,13 @@ export const GroupsForm = ({ board, initialPermissions, onCountChange }: FormPro
</TableThead>
<TableTbody>
{form.values.items.map((row, index) => (
<BoardAccessSelectRow
key={row.itemId}
<AccessSelectRow
key={row.principalId}
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
itemContent={<GroupItemContent group={groups.get(row.itemId)!} />}
itemContent={<GroupItemContent group={groups.get(row.principalId)!} />}
permission={row.permission}
index={index}
onCountChange={onCountChange}
handleCountChange={handleCountChange}
/>
))}
</TableTbody>
@@ -96,7 +83,7 @@ export const GroupsForm = ({ board, initialPermissions, onCountChange }: FormPro
{t("common.action.add")}
</Button>
<Button type="submit" loading={isPending} color="teal">
{t("common.action.saveChanges")}
{t("permission.action.saveGroup")}
</Button>
</Group>
</Stack>
@@ -105,12 +92,10 @@ export const GroupsForm = ({ board, initialPermissions, onCountChange }: FormPro
);
};
export const GroupItemContent = ({ group }: { group: Group }) => {
export const GroupItemContent = ({ group }: { group: AccessQueryData<string>["groups"][number]["group"] }) => {
return (
<Anchor component={Link} href={`/manage/users/groups/${group.id}`} size="sm" style={{ whiteSpace: "nowrap" }}>
{group.name}
</Anchor>
);
};
type Group = RouterOutputs["board"]["getBoardPermissions"]["groupPermissions"][0]["group"];

2
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/group-select-modal.tsx → apps/nextjs/src/components/access/group-select-modal.tsx
View File

@@ -63,5 +63,5 @@ export const GroupSelectModal = createModal<InnerProps>(({ actions, innerProps }
</form>
);
}).withOptions({
defaultTitle: (t) => t("board.setting.section.access.permission.groupSelect.title"),
defaultTitle: (t) => t("permission.groupSelect.title"),
});

57
apps/nextjs/src/components/access/inherit-access-table.tsx Normal file
View File

@@ -0,0 +1,57 @@
import { Stack, Table, TableTbody, TableTh, TableThead, TableTr } from "@mantine/core";
import type { GroupPermissionKey } from "@homarr/definitions";
import { getPermissionsWithChildren } from "@homarr/definitions";
import { useScopedI18n } from "@homarr/translation/client";
import type { AccessQueryData } from "./access-settings";
import { AccessDisplayRow } from "./access-table-rows";
import { GroupItemContent } from "./group-access-form";
export interface InheritTableProps<TPermission extends string> {
accessQueryData: AccessQueryData<TPermission>;
mapPermissions: Partial<Record<GroupPermissionKey, TPermission>>;
fullAccessGroupPermission: GroupPermissionKey;
}
export const InheritAccessTable = <TPermission extends string>({
accessQueryData,
mapPermissions,
fullAccessGroupPermission,
}: InheritTableProps<TPermission>) => {
const tPermissions = useScopedI18n("permission");
return (
<Stack pt="sm">
<Table>
<TableThead>
<TableTr>
<TableTh>{tPermissions("field.user.label")}</TableTh>
<TableTh>{tPermissions("field.permission.label")}</TableTh>
</TableTr>
</TableThead>
<TableTbody>
{accessQueryData.inherited.map(({ group, permission }) => {
const entityPermission =
permission in mapPermissions
? mapPermissions[permission]
: getPermissionsWithChildren([permission]).includes(fullAccessGroupPermission)
? "full"
: null;
if (!entityPermission) {
return null;
}
return (
<AccessDisplayRow
key={group.id}
itemContent={<GroupItemContent group={group} />}
permission={entityPermission}
/>
);
})}
</TableTbody>
</Table>
</Stack>
);
};

136
apps/nextjs/src/components/access/user-access-form.tsx Normal file
View File

@@ -0,0 +1,136 @@
import { useState } from "react";
import Link from "next/link";
import { Anchor, Box, Button, Group, Stack, Table, TableTbody, TableTh, TableThead, TableTr } from "@mantine/core";
import { IconPlus } from "@tabler/icons-react";
import { useModalAction } from "@homarr/modals";
import { useI18n, useScopedI18n } from "@homarr/translation/client";
import { UserAvatar } from "@homarr/ui";
import type { AccessQueryData } from "./access-settings";
import { AccessDisplayRow, AccessSelectRow } from "./access-table-rows";
import { useAccessContext } from "./context";
import type { AccessFormType, HandleCountChange } from "./form";
import { FormProvider, useForm } from "./form";
import { UserSelectModal } from "./user-select-modal";
export interface FormProps<TPermission extends string> {
entity: {
id: string;
ownerId: string | null;
owner: {
id: string;
name: string | null;
image: string | null;
} | null;
};
accessQueryData: AccessQueryData<TPermission>;
handleCountChange: HandleCountChange;
handleSubmit: (values: AccessFormType<TPermission>) => void;
isPending: boolean;
}
export const UsersAccessForm = <TPermission extends string>({
entity,
accessQueryData,
handleCountChange,
handleSubmit,
isPending,
}: FormProps<TPermission>) => {
const { defaultPermission } = useAccessContext();
const [users, setUsers] = useState<Map<string, UserItemContentProps["user"]>>(
new Map(accessQueryData.users.map(({ user }) => [user.id, user])),
);
const { openModal } = useModalAction(UserSelectModal);
const t = useI18n();
const tPermissions = useScopedI18n("permission");
const form = useForm({
initialValues: {
items: accessQueryData.users.map(({ user, permission }) => ({
principalId: user.id,
permission,
})),
},
});
const handleAddUser = () => {
const presentUserIds = form.values.items.map(({ principalId: id }) => id);
openModal({
presentUserIds: entity.ownerId ? presentUserIds.concat(entity.ownerId) : presentUserIds,
onSelect: (user) => {
setUsers((prev) => new Map(prev).set(user.id, user));
form.setFieldValue("items", [
{
principalId: user.id,
permission: defaultPermission,
},
...form.values.items,
]);
handleCountChange((prev) => prev + 1);
},
});
};
return (
<form onSubmit={form.onSubmit((values) => handleSubmit(values as AccessFormType<TPermission>))}>
<FormProvider form={form}>
<Stack pt="sm">
<Table>
<TableThead>
<TableTr>
<TableTh>{tPermissions("field.user.label")}</TableTh>
<TableTh>{tPermissions("field.permission.label")}</TableTh>
</TableTr>
</TableThead>
<TableTbody>
{entity.owner && (
<AccessDisplayRow itemContent={<UserItemContent user={entity.owner} />} permission="full" />
)}
{form.values.items.map((row, index) => (
<AccessSelectRow
key={row.principalId}
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
itemContent={<UserItemContent user={users.get(row.principalId)!} />}
permission={row.permission}
index={index}
handleCountChange={handleCountChange}
/>
))}
</TableTbody>
</Table>
<Group justify="space-between">
<Button rightSection={<IconPlus size="1rem" />} variant="light" onClick={handleAddUser}>
{t("common.action.add")}
</Button>
<Button type="submit" loading={isPending} color="teal">
{t("permission.action.saveUser")}
</Button>
</Group>
</Stack>
</FormProvider>
</form>
);
};
interface UserItemContentProps {
user: {
id: string;
name: string | null;
image: string | null;
};
}
const UserItemContent = ({ user }: UserItemContentProps) => {
return (
<Group wrap="nowrap">
<Box visibleFrom="xs">
<UserAvatar user={user} size="sm" />
</Box>
<Anchor component={Link} href={`/manage/users/${user.id}`} size="sm" style={{ whiteSpace: "nowrap" }}>
{user.name}
</Anchor>
</Group>
);
};

2
apps/nextjs/src/app/[locale]/boards/[name]/settings/_access/user-select-modal.tsx → apps/nextjs/src/components/access/user-select-modal.tsx
View File

@@ -72,7 +72,7 @@ export const UserSelectModal = createModal<InnerProps>(({ actions, innerProps })
</form>
);
}).withOptions({
defaultTitle: (t) => t("board.setting.section.access.permission.userSelect.title"),
defaultTitle: (t) => t("permission.userSelect.title"),
});
const iconProps = {

40
packages/api/src/router/board.ts
View File

@@ -113,7 +113,7 @@ export const boardRouter = createTRPCRouter({
});
}),
renameBoard: protectedProcedure.input(validation.board.rename).mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full");
await noBoardWithSimilarNameAsync(ctx.db, input.name, [input.id]);
@@ -122,7 +122,7 @@ export const boardRouter = createTRPCRouter({
changeBoardVisibility: protectedProcedure
.input(validation.board.changeVisibility)
.mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full");
await ctx.db
.update(boards)
@@ -130,12 +130,12 @@ export const boardRouter = createTRPCRouter({
.where(eq(boards.id, input.id));
}),
deleteBoard: protectedProcedure.input(z.object({ id: z.string() })).mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full");
await ctx.db.delete(boards).where(eq(boards.id, input.id));
}),
setHomeBoard: protectedProcedure.input(z.object({ id: z.string() })).mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "board-view");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "view");
await ctx.db.update(users).set({ homeBoardId: input.id }).where(eq(users.id, ctx.session.user.id));
}),
@@ -148,20 +148,20 @@ export const boardRouter = createTRPCRouter({
: null;
const boardWhere = user?.homeBoardId ? eq(boards.id, user.homeBoardId) : eq(boards.name, "home");
await throwIfActionForbiddenAsync(ctx, boardWhere, "board-view");
await throwIfActionForbiddenAsync(ctx, boardWhere, "view");
return await getFullBoardWithWhereAsync(ctx.db, boardWhere, ctx.session?.user.id ?? null);
}),
getBoardByName: publicProcedure.input(validation.board.byName).query(async ({ input, ctx }) => {
const boardWhere = eq(boards.name, input.name);
await throwIfActionForbiddenAsync(ctx, boardWhere, "board-view");
await throwIfActionForbiddenAsync(ctx, boardWhere, "view");
return await getFullBoardWithWhereAsync(ctx.db, boardWhere, ctx.session?.user.id ?? null);
}),
savePartialBoardSettings: protectedProcedure
.input(validation.board.savePartialSettings.and(z.object({ id: z.string() })))
.mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "board-change");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "modify");
await ctx.db
.update(boards)
@@ -192,7 +192,7 @@ export const boardRouter = createTRPCRouter({
.where(eq(boards.id, input.id));
}),
saveBoard: protectedProcedure.input(validation.board.save).mutation(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "board-change");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "modify");
await ctx.db.transaction(async (transaction) => {
const dbBoard = await getFullBoardWithWhereAsync(transaction, eq(boards.id, input.id), ctx.session.user.id);
@@ -332,12 +332,12 @@ export const boardRouter = createTRPCRouter({
}),
getBoardPermissions: protectedProcedure.input(validation.board.permissions).query(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full");
const dbGroupPermissions = await ctx.db.query.groupPermissions.findMany({
where: inArray(
groupPermissions.permission,
getPermissionsWithParents(["board-view-all", "board-modify-all", "board-full-access"]),
getPermissionsWithParents(["board-view-all", "board-modify-all", "board-full-all"]),
),
columns: {
groupId: false,
@@ -381,7 +381,7 @@ export const boardRouter = createTRPCRouter({
inherited: dbGroupPermissions.sort((permissionA, permissionB) => {
return permissionA.group.name.localeCompare(permissionB.group.name);
}),
userPermissions: userPermissions
users: userPermissions
.map(({ user, permission }) => ({
user,
permission,
@@ -389,7 +389,7 @@ export const boardRouter = createTRPCRouter({
.sort((permissionA, permissionB) => {
return (permissionA.user.name ?? "").localeCompare(permissionB.user.name ?? "");
}),
groupPermissions: dbGroupBoardPermission
groups: dbGroupBoardPermission
.map(({ group, permission }) => ({
group: {
id: group.id,
@@ -405,18 +405,18 @@ export const boardRouter = createTRPCRouter({
saveUserBoardPermissions: protectedProcedure
.input(validation.board.savePermissions)
.mutation(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.entityId), "full");
await ctx.db.transaction(async (transaction) => {
await transaction.delete(boardUserPermissions).where(eq(boardUserPermissions.boardId, input.id));
await transaction.delete(boardUserPermissions).where(eq(boardUserPermissions.boardId, input.entityId));
if (input.permissions.length === 0) {
return;
}
await transaction.insert(boardUserPermissions).values(
input.permissions.map((permission) => ({
userId: permission.itemId,
userId: permission.principalId,
permission: permission.permission,
boardId: input.id,
boardId: input.entityId,
})),
);
});
@@ -424,18 +424,18 @@ export const boardRouter = createTRPCRouter({
saveGroupBoardPermissions: protectedProcedure
.input(validation.board.savePermissions)
.mutation(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.id), "full-access");
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.entityId), "full");
await ctx.db.transaction(async (transaction) => {
await transaction.delete(boardGroupPermissions).where(eq(boardGroupPermissions.boardId, input.id));
await transaction.delete(boardGroupPermissions).where(eq(boardGroupPermissions.boardId, input.entityId));
if (input.permissions.length === 0) {
return;
}
await transaction.insert(boardGroupPermissions).values(
input.permissions.map((permission) => ({
groupId: permission.itemId,
groupId: permission.principalId,
permission: permission.permission,
boardId: input.id,
boardId: input.entityId,
})),
);
});

6
packages/api/src/router/board/board-access.ts
View File

@@ -16,7 +16,7 @@ import type { BoardPermission } from "@homarr/definitions";
export const throwIfActionForbiddenAsync = async (
ctx: { db: Database; session: Session | null },
boardWhere: SQL<unknown>,
permission: "full-access" | BoardPermission,
permission: BoardPermission,
) => {
const { db, session } = ctx;
const groupsOfCurrentUser = await db.query.groupMembers.findMany({
@@ -49,11 +49,11 @@ export const throwIfActionForbiddenAsync = async (
return; // As full access is required and user has full access, allow
}
if (["board-change", "board-view"].includes(permission) && hasChangeAccess) {
if (["modify", "view"].includes(permission) && hasChangeAccess) {
return; // As change access is required and user has change access, allow
}
if (permission === "board-view" && hasViewAccess) {
if (permission === "view" && hasViewAccess) {
return; // As view access is required and user has view access, allow
}

73
packages/api/src/router/integration/integration-access.ts Normal file
View File

@@ -0,0 +1,73 @@
import { TRPCError } from "@trpc/server";
import type { Session } from "@homarr/auth";
import { constructIntegrationPermissions } from "@homarr/auth/shared";
import type { Database, SQL } from "@homarr/db";
import { eq, inArray } from "@homarr/db";
import { groupMembers, integrationGroupPermissions, integrationUserPermissions } from "@homarr/db/schema/sqlite";
import type { IntegrationPermission } from "@homarr/definitions";
/**
* Throws NOT_FOUND if user is not allowed to perform action on integration
* @param ctx trpc router context
* @param integrationWhere where clause for the integration
* @param permission permission required to perform action on integration
*/
export const throwIfActionForbiddenAsync = async (
ctx: { db: Database; session: Session | null },
integrationWhere: SQL<unknown>,
permission: IntegrationPermission,
) => {
const { db, session } = ctx;
const groupsOfCurrentUser = await db.query.groupMembers.findMany({
where: eq(groupMembers.userId, session?.user.id ?? ""),
});
const integration = await db.query.integrations.findFirst({
where: integrationWhere,
columns: {
id: true,
},
with: {
userPermissions: {
where: eq(integrationUserPermissions.userId, session?.user.id ?? ""),
},
groupPermissions: {
where: inArray(
integrationGroupPermissions.groupId,
groupsOfCurrentUser.map((group) => group.groupId).concat(""),
),
},
},
});
if (!integration) {
notAllowed();
}
const { hasUseAccess, hasInteractAccess, hasFullAccess } = constructIntegrationPermissions(integration, session);
if (hasFullAccess) {
return; // As full access is required and user has full access, allow
}
if (["interact", "use"].includes(permission) && hasInteractAccess) {
return; // As interact access is required and user has interact access, allow
}
if (permission === "use" && hasUseAccess) {
return; // As use access is required and user has use access, allow
}
notAllowed();
};
/**
* This method returns NOT_FOUND to prevent snooping on board existence
* A function is used to use the method without return statement
*/
function notAllowed(): never {
throw new TRPCError({
code: "NOT_FOUND",
message: "Integration not found",
});
}

194
packages/api/src/router/integration/integration-router.ts
View File

@@ -2,17 +2,24 @@ import { TRPCError } from "@trpc/server";
import { decryptSecret, encryptSecret } from "@homarr/common";
import type { Database } from "@homarr/db";
import { and, createId, eq } from "@homarr/db";
import { integrations, integrationSecrets } from "@homarr/db/schema/sqlite";
import { and, createId, eq, inArray } from "@homarr/db";
import {
groupPermissions,
integrationGroupPermissions,
integrations,
integrationSecrets,
integrationUserPermissions,
} from "@homarr/db/schema/sqlite";
import type { IntegrationSecretKind } from "@homarr/definitions";
import { integrationKinds, integrationSecretKindObject } from "@homarr/definitions";
import { getPermissionsWithParents, integrationKinds, integrationSecretKindObject } from "@homarr/definitions";
import { validation } from "@homarr/validation";
import { createTRPCRouter, publicProcedure } from "../../trpc";
import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure } from "../../trpc";
import { throwIfActionForbiddenAsync } from "./integration-access";
import { testConnectionAsync } from "./integration-test-connection";
export const integrationRouter = createTRPCRouter({
all: publicProcedure.query(async ({ ctx }) => {
all: protectedProcedure.query(async ({ ctx }) => {
const integrations = await ctx.db.query.integrations.findMany();
return integrations
.map((integration) => ({
@@ -26,7 +33,8 @@ export const integrationRouter = createTRPCRouter({
integrationKinds.indexOf(integrationA.kind) - integrationKinds.indexOf(integrationB.kind),
);
}),
byId: publicProcedure.input(validation.integration.byId).query(async ({ ctx, input }) => {
byId: protectedProcedure.input(validation.integration.byId).query(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.id), "full");
const integration = await ctx.db.query.integrations.findFirst({
where: eq(integrations.id, input.id),
with: {
@@ -60,34 +68,39 @@ export const integrationRouter = createTRPCRouter({
})),
};
}),
create: publicProcedure.input(validation.integration.create).mutation(async ({ ctx, input }) => {
await testConnectionAsync({
id: "new",
name: input.name,
url: input.url,
kind: input.kind,
secrets: input.secrets,
});
create: permissionRequiredProcedure
.requiresPermission("integration-create")
.input(validation.integration.create)
.mutation(async ({ ctx, input }) => {
await testConnectionAsync({
id: "new",
name: input.name,
url: input.url,
kind: input.kind,
secrets: input.secrets,
});
const integrationId = createId();
await ctx.db.insert(integrations).values({
id: integrationId,
name: input.name,
url: input.url,
kind: input.kind,
});
const integrationId = createId();
await ctx.db.insert(integrations).values({
id: integrationId,
name: input.name,
url: input.url,
kind: input.kind,
});
if (input.secrets.length >= 1) {
await ctx.db.insert(integrationSecrets).values(
input.secrets.map((secret) => ({
kind: secret.kind,
value: encryptSecret(secret.value),
integrationId,
})),
);
}
}),
update: protectedProcedure.input(validation.integration.update).mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.id), "full");
if (input.secrets.length >= 1) {
await ctx.db.insert(integrationSecrets).values(
input.secrets.map((secret) => ({
kind: secret.kind,
value: encryptSecret(secret.value),
integrationId,
})),
);
}
}),
update: publicProcedure.input(validation.integration.update).mutation(async ({ ctx, input }) => {
const integration = await ctx.db.query.integrations.findFirst({
where: eq(integrations.id, input.id),
with: {
@@ -146,7 +159,9 @@ export const integrationRouter = createTRPCRouter({
}
}
}),
delete: publicProcedure.input(validation.integration.delete).mutation(async ({ ctx, input }) => {
delete: protectedProcedure.input(validation.integration.delete).mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.id), "full");
const integration = await ctx.db.query.integrations.findFirst({
where: eq(integrations.id, input.id),
});
@@ -160,6 +175,119 @@ export const integrationRouter = createTRPCRouter({
await ctx.db.delete(integrations).where(eq(integrations.id, input.id));
}),
getIntegrationPermissions: protectedProcedure.input(validation.board.permissions).query(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.id), "full");
const dbGroupPermissions = await ctx.db.query.groupPermissions.findMany({
where: inArray(
groupPermissions.permission,
getPermissionsWithParents(["integration-use-all", "integration-interact-all", "integration-full-all"]),
),
columns: {
groupId: false,
},
with: {
group: {
columns: {
id: true,
name: true,
},
},
},
});
const userPermissions = await ctx.db.query.integrationUserPermissions.findMany({
where: eq(integrationUserPermissions.integrationId, input.id),
with: {
user: {
columns: {
id: true,
name: true,
image: true,
},
},
},
});
const dbGroupIntegrationPermission = await ctx.db.query.integrationGroupPermissions.findMany({
where: eq(integrationGroupPermissions.integrationId, input.id),
with: {
group: {
columns: {
id: true,
name: true,
},
},
},
});
return {
inherited: dbGroupPermissions.sort((permissionA, permissionB) => {
return permissionA.group.name.localeCompare(permissionB.group.name);
}),
users: userPermissions
.map(({ user, permission }) => ({
user,
permission,
}))
.sort((permissionA, permissionB) => {
return (permissionA.user.name ?? "").localeCompare(permissionB.user.name ?? "");
}),
groups: dbGroupIntegrationPermission
.map(({ group, permission }) => ({
group: {
id: group.id,
name: group.name,
},
permission,
}))
.sort((permissionA, permissionB) => {
return permissionA.group.name.localeCompare(permissionB.group.name);
}),
};
}),
saveUserIntegrationPermissions: protectedProcedure
.input(validation.integration.savePermissions)
.mutation(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.entityId), "full");
await ctx.db.transaction(async (transaction) => {
await transaction
.delete(integrationUserPermissions)
.where(eq(integrationUserPermissions.integrationId, input.entityId));
if (input.permissions.length === 0) {
return;
}
await transaction.insert(integrationUserPermissions).values(
input.permissions.map((permission) => ({
userId: permission.principalId,
permission: permission.permission,
integrationId: input.entityId,
})),
);
});
}),
saveGroupIntegrationPermissions: protectedProcedure
.input(validation.integration.savePermissions)
.mutation(async ({ input, ctx }) => {
await throwIfActionForbiddenAsync(ctx, eq(integrations.id, input.entityId), "full");
await ctx.db.transaction(async (transaction) => {
await transaction
.delete(integrationGroupPermissions)
.where(eq(integrationGroupPermissions.integrationId, input.entityId));
if (input.permissions.length === 0) {
return;
}
await transaction.insert(integrationGroupPermissions).values(
input.permissions.map((permission) => ({
groupId: permission.principalId,
permission: permission.permission,
integrationId: input.entityId,
})),
);
});
}),
});
interface UpdateSecretInput {

62
packages/api/src/router/test/board.spec.ts
View File

@@ -158,7 +158,7 @@ describe("getAllBoards should return all boards accessable to the current user",
expect(result.map(({ name }) => name)).toStrictEqual(["public", "private2"]);
});
test.each([["board-view"], ["board-change"]] satisfies [BoardPermission][])(
test.each([["view"], ["modify"]] satisfies [BoardPermission][])(
"with %s group board permission it should show board",
async (permission) => {
// Arrange
@@ -222,7 +222,7 @@ describe("getAllBoards should return all boards accessable to the current user",
},
);
test.each([["board-view"], ["board-change"]] satisfies [BoardPermission][])(
test.each([["view"], ["modify"]] satisfies [BoardPermission][])(
"with %s user board permission it should show board",
async (permission) => {
// Arrange
@@ -347,7 +347,7 @@ describe("rename board should rename board", () => {
});
expect(dbBoard).toBeDefined();
expect(dbBoard?.name).toBe("newName");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
});
test("should throw error when similar board name exists", async () => {
@@ -422,7 +422,7 @@ describe("changeBoardVisibility should change board visibility", () => {
});
expect(dbBoard).toBeDefined();
expect(dbBoard?.isPublic).toBe(visibility === "public");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
},
);
});
@@ -452,7 +452,7 @@ describe("deleteBoard should delete board", () => {
where: eq(boards.id, boardId),
});
expect(dbBoard).toBeUndefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
});
test("should throw error when board not found", async () => {
@@ -485,7 +485,7 @@ describe("getHomeBoard should return home board", () => {
name: "home",
...fullBoardProps,
});
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-view");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "view");
});
});
@@ -506,7 +506,7 @@ describe("getBoardByName should return board by name", () => {
name,
...fullBoardProps,
});
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-view");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "view");
});
it("should throw error when not present", async () => {
@@ -583,7 +583,7 @@ describe("savePartialBoardSettings should save general settings", () => {
expect(dbBoard?.primaryColor).toBe(newPrimaryColor);
expect(dbBoard?.secondaryColor).toBe(newSecondaryColor);
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should throw error when board not found", async () => {
@@ -638,7 +638,7 @@ describe("saveBoard should save full board", () => {
expect(definedBoard.sections.length).toBe(1);
expect(definedBoard.sections[0]?.id).not.toBe(sectionId);
expect(section).toBeUndefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should remove item when not present in input", async () => {
const spy = vi.spyOn(boardAccess, "throwIfActionForbiddenAsync");
@@ -692,7 +692,7 @@ describe("saveBoard should save full board", () => {
expect(firstSection.items.length).toBe(1);
expect(firstSection.items[0]?.id).not.toBe(itemId);
expect(item).toBeUndefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should remove integration reference when not present in input", async () => {
const spy = vi.spyOn(boardAccess, "throwIfActionForbiddenAsync");
@@ -759,7 +759,7 @@ describe("saveBoard should save full board", () => {
expect(firstItem.integrations.length).toBe(1);
expect(firstItem.integrations[0]?.integrationId).not.toBe(integrationId);
expect(integration).toBeUndefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it.each([[{ kind: "empty" as const }], [{ kind: "category" as const, name: "My first category" }]])(
"should add section when present in input",
@@ -811,7 +811,7 @@ describe("saveBoard should save full board", () => {
expect(addedSection.name).toBe(partialSection.name);
}
expect(section).toBeDefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
},
);
it("should add item when present in input", async () => {
@@ -875,7 +875,7 @@ describe("saveBoard should save full board", () => {
expect(addedItem.xOffset).toBe(3);
expect(addedItem.yOffset).toBe(2);
expect(item).toBeDefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should add integration reference when present in input", async () => {
const spy = vi.spyOn(boardAccess, "throwIfActionForbiddenAsync");
@@ -942,7 +942,7 @@ describe("saveBoard should save full board", () => {
expect(firstItem.integrations.length).toBe(1);
expect(firstItem.integrations[0]?.integrationId).toBe(integration.id);
expect(integrationItem).toBeDefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should update section when present in input", async () => {
const db = createDb();
@@ -1052,7 +1052,7 @@ describe("saveBoard should save full board", () => {
expect(firstItem.width).toBe(2);
expect(firstItem.xOffset).toBe(7);
expect(firstItem.yOffset).toBe(5);
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "board-change");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "modify");
});
it("should fail when board not found", async () => {
const db = createDb();
@@ -1091,12 +1091,12 @@ describe("getBoardPermissions should return board permissions", () => {
await db.insert(boardUserPermissions).values([
{
userId: user1,
permission: "board-view",
permission: "view",
boardId,
},
{
userId: user2,
permission: "board-change",
permission: "modify",
boardId,
},
]);
@@ -1109,7 +1109,7 @@ describe("getBoardPermissions should return board permissions", () => {
await db.insert(boardGroupPermissions).values({
groupId,
permission: "board-view",
permission: "view",
boardId,
});
@@ -1122,26 +1122,26 @@ describe("getBoardPermissions should return board permissions", () => {
const result = await caller.getBoardPermissions({ id: boardId });
// Assert
expect(result.groupPermissions).toEqual([{ group: { id: groupId, name: "group1" }, permission: "board-view" }]);
expect(result.userPermissions).toEqual(
expect(result.groups).toEqual([{ group: { id: groupId, name: "group1" }, permission: "view" }]);
expect(result.users).toEqual(
expect.arrayContaining([
{
user: { id: user1, name: null, image: null },
permission: "board-view",
permission: "view",
},
{
user: { id: user2, name: null, image: null },
permission: "board-change",
permission: "modify",
},
]),
);
expect(result.inherited).toEqual([{ group: { id: groupId, name: "group1" }, permission: "admin" }]);
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
});
});
describe("saveUserBoardPermissions should save user board permissions", () => {
test.each([["board-view"], ["board-change"]] satisfies [BoardPermission][])(
test.each([["view"], ["modify"]] satisfies [BoardPermission][])(
"should save user board permissions",
async (permission) => {
// Arrange
@@ -1163,10 +1163,10 @@ describe("saveUserBoardPermissions should save user board permissions", () => {
// Act
await caller.saveUserBoardPermissions({
id: boardId,
entityId: boardId,
permissions: [
{
itemId: user1,
principalId: user1,
permission,
},
],
@@ -1177,13 +1177,13 @@ describe("saveUserBoardPermissions should save user board permissions", () => {
where: eq(boardUserPermissions.userId, user1),
});
expect(dbUserPermission).toBeDefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
},
);
});
describe("saveGroupBoardPermissions should save group board permissions", () => {
test.each([["board-view"], ["board-change"]] satisfies [BoardPermission][])(
test.each([["view"], ["modify"]] satisfies [BoardPermission][])(
"should save group board permissions",
async (permission) => {
// Arrange
@@ -1210,10 +1210,10 @@ describe("saveGroupBoardPermissions should save group board permissions", () =>
// Act
await caller.saveGroupBoardPermissions({
id: boardId,
entityId: boardId,
permissions: [
{
itemId: groupId,
principalId: groupId,
permission,
},
],
@@ -1224,7 +1224,7 @@ describe("saveGroupBoardPermissions should save group board permissions", () =>
where: eq(boardGroupPermissions.groupId, groupId),
});
expect(dbGroupPermission).toBeDefined();
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full-access");
expect(spy).toHaveBeenCalledWith(expect.anything(), expect.anything(), "full");
},
);
});

29
packages/api/src/router/test/board/board-access.spec.ts
View File

@@ -18,14 +18,11 @@ const expectActToBeAsync = async (act: () => Promise<void>, success: boolean) =>
await expect(act()).resolves.toBeUndefined();
};
// TODO: most of this test can be used for constructBoardPermissions
// TODO: the tests for the board-access can be reduced to about 4 tests (as the unit has shrunk)
describe("throwIfActionForbiddenAsync should check access to board and return boolean", () => {
test.each([
["full-access" as const, true],
["board-change" as const, true],
["board-view" as const, true],
["full" as const, true],
["modify" as const, true],
["view" as const, true],
])("with permission %s should return %s when hasFullAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
@@ -52,9 +49,9 @@ describe("throwIfActionForbiddenAsync should check access to board and return bo
});
test.each([
["full-access" as const, false],
["board-change" as const, true],
["board-view" as const, true],
["full" as const, false],
["modify" as const, true],
["view" as const, true],
])("with permission %s should return %s when hasChangeAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
@@ -81,9 +78,9 @@ describe("throwIfActionForbiddenAsync should check access to board and return bo
});
test.each([
["full-access" as const, false],
["board-change" as const, false],
["board-view" as const, true],
["full" as const, false],
["modify" as const, false],
["view" as const, true],
])("with permission %s should return %s when hasViewAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
@@ -110,9 +107,9 @@ describe("throwIfActionForbiddenAsync should check access to board and return bo
});
test.each([
["full-access" as const, false],
["board-change" as const, false],
["board-view" as const, false],
["full" as const, false],
["modify" as const, false],
["view" as const, false],
])("with permission %s should return %s when hasViewAccess is false", async (permission, expectedResult) => {
// Arrange
const db = createDb();
@@ -143,7 +140,7 @@ describe("throwIfActionForbiddenAsync should check access to board and return bo
const db = createDb();
// Act
const act = () => throwIfActionForbiddenAsync({ db, session: null }, eq(boards.id, createId()), "full-access");
const act = () => throwIfActionForbiddenAsync({ db, session: null }, eq(boards.id, createId()), "full");
// Assert
await expect(act()).rejects.toThrow("Board not found");

6
packages/api/src/router/test/group.spec.ts
View File

@@ -364,7 +364,7 @@ describe("savePermissions should save permissions for group", () => {
// Act
await caller.savePermissions({
groupId,
permissions: ["integration-use-all", "board-full-access"],
permissions: ["integration-use-all", "board-full-all"],
});
// Assert
@@ -373,7 +373,7 @@ describe("savePermissions should save permissions for group", () => {
});
expect(permissions.length).toBe(2);
expect(permissions.map(({ permission }) => permission)).toEqual(["integration-use-all", "board-full-access"]);
expect(permissions.map(({ permission }) => permission)).toEqual(["integration-use-all", "board-full-all"]);
});
test("with non existing group it should throw not found error", async () => {
@@ -390,7 +390,7 @@ describe("savePermissions should save permissions for group", () => {
const actAsync = async () =>
await caller.savePermissions({
groupId: createId(),
permissions: ["integration-create", "board-full-access"],
permissions: ["integration-create", "board-full-all"],
});
// Assert

155
packages/api/src/router/test/integration/integration-access.spec.ts Normal file
View File

@@ -0,0 +1,155 @@
import { describe, expect, test, vi } from "vitest";
import * as authShared from "@homarr/auth/shared";
import { createId, eq } from "@homarr/db";
import { integrations, users } from "@homarr/db/schema/sqlite";
import { createDb } from "@homarr/db/test";
import { throwIfActionForbiddenAsync } from "../../integration/integration-access";
const defaultCreatorId = createId();
const expectActToBeAsync = async (act: () => Promise<void>, success: boolean) => {
if (!success) {
await expect(act()).rejects.toThrow("Integration not found");
return;
}
await expect(act()).resolves.toBeUndefined();
};
describe("throwIfActionForbiddenAsync should check access to integration and return boolean", () => {
test.each([
["full" as const, true],
["interact" as const, true],
["use" as const, true],
])("with permission %s should return %s when hasFullAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
const spy = vi.spyOn(authShared, "constructIntegrationPermissions");
spy.mockReturnValue({
hasFullAccess: true,
hasInteractAccess: false,
hasUseAccess: false,
});
const integrationId = createId();
await db.insert(integrations).values({
id: integrationId,
name: "test",
kind: "adGuardHome",
url: "http://localhost:3000",
});
// Act
const act = () =>
throwIfActionForbiddenAsync({ db, session: null }, eq(integrations.id, integrationId), permission);
// Assert
await expectActToBeAsync(act, expectedResult);
});
test.each([
["full" as const, false],
["interact" as const, true],
["use" as const, true],
])("with permission %s should return %s when hasInteractAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
const spy = vi.spyOn(authShared, "constructIntegrationPermissions");
spy.mockReturnValue({
hasFullAccess: false,
hasInteractAccess: true,
hasUseAccess: false,
});
await db.insert(users).values({ id: defaultCreatorId });
const integrationId = createId();
await db.insert(integrations).values({
id: integrationId,
name: "test",
kind: "adGuardHome",
url: "http://localhost:3000",
});
// Act
const act = () =>
throwIfActionForbiddenAsync({ db, session: null }, eq(integrations.id, integrationId), permission);
// Assert
await expectActToBeAsync(act, expectedResult);
});
test.each([
["full" as const, false],
["interact" as const, false],
["use" as const, true],
])("with permission %s should return %s when hasUseAccess is true", async (permission, expectedResult) => {
// Arrange
const db = createDb();
const spy = vi.spyOn(authShared, "constructIntegrationPermissions");
spy.mockReturnValue({
hasFullAccess: false,
hasInteractAccess: false,
hasUseAccess: true,
});
await db.insert(users).values({ id: defaultCreatorId });
const integrationId = createId();
await db.insert(integrations).values({
id: integrationId,
name: "test",
kind: "adGuardHome",
url: "http://localhost:3000",
});
// Act
const act = () =>
throwIfActionForbiddenAsync({ db, session: null }, eq(integrations.id, integrationId), permission);
// Assert
await expectActToBeAsync(act, expectedResult);
});
test.each([
["full" as const, false],
["interact" as const, false],
["use" as const, false],
])("with permission %s should return %s when hasUseAccess is false", async (permission, expectedResult) => {
// Arrange
const db = createDb();
const spy = vi.spyOn(authShared, "constructIntegrationPermissions");
spy.mockReturnValue({
hasFullAccess: false,
hasInteractAccess: false,
hasUseAccess: false,
});
await db.insert(users).values({ id: defaultCreatorId });
const integrationId = createId();
await db.insert(integrations).values({
id: integrationId,
name: "test",
kind: "adGuardHome",
url: "http://localhost:3000",
});
// Act
const act = () =>
throwIfActionForbiddenAsync({ db, session: null }, eq(integrations.id, integrationId), permission);
// Assert
await expectActToBeAsync(act, expectedResult);
});
test("should throw when integration is not found", async () => {
// Arrange
const db = createDb();
// Act
const act = () => throwIfActionForbiddenAsync({ db, session: null }, eq(integrations.id, createId()), "full");
// Assert
await expect(act()).rejects.toThrow("Integration not found");
});
});

138
packages/api/src/router/test/integration/integration-router.spec.ts
View File

@@ -1,15 +1,26 @@
/* eslint-disable @typescript-eslint/no-non-null-assertion */
import { describe, expect, it, vi } from "vitest";
import { describe, expect, test, vi } from "vitest";
import type { Session } from "@homarr/auth";
import { encryptSecret } from "@homarr/common";
import { createId } from "@homarr/db";
import { integrations, integrationSecrets } from "@homarr/db/schema/sqlite";
import { createDb } from "@homarr/db/test";
import type { GroupPermissionKey } from "@homarr/definitions";
import { integrationRouter } from "../../integration/integration-router";
import { expectToBeDefined } from "../helper";
const defaultUserId = createId();
const defaultSessionWithPermissions = (permissions: GroupPermissionKey[] = []) =>
({
user: {
id: defaultUserId,
permissions,
},
expires: new Date().toISOString(),
}) satisfies Session;
// Mock the auth module to return an empty session
vi.mock("@homarr/auth", () => ({ auth: () => ({}) as Session }));
vi.mock("../../integration/integration-test-connection", () => ({
@@ -17,11 +28,11 @@ vi.mock("../../integration/integration-test-connection", () => ({
}));
describe("all should return all integrations", () => {
it("should return all integrations", async () => {
test("with any session should return all integrations", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(),
});
await db.insert(integrations).values([
@@ -47,11 +58,11 @@ describe("all should return all integrations", () => {
});
describe("byId should return an integration by id", () => {
it("should return an integration by id", async () => {
test("with full access should return an integration by id", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
await db.insert(integrations).values([
@@ -73,22 +84,22 @@ describe("byId should return an integration by id", () => {
expect(result.kind).toBe("plex");
});
it("should throw an error if the integration does not exist", async () => {
test("with full access should throw an error if the integration does not exist", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
const actAsync = async () => await caller.byId({ id: "2" });
await expect(actAsync()).rejects.toThrow("Integration not found");
});
it("should only return the public secret values", async () => {
test("with full access should only return the public secret values", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
await db.insert(integrations).values([
@@ -129,14 +140,38 @@ describe("byId should return an integration by id", () => {
const apiKey = expectToBeDefined(result.secrets.find((secret) => secret.kind === "apiKey"));
expect(apiKey.value).toBeNull();
});
});
describe("create should create a new integration", () => {
it("should create a new integration", async () => {
test("without full access should throw integration not found error", async () => {
// Arrange
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-interact-all"]),
});
await db.insert(integrations).values([
{
id: "1",
name: "Home assistant",
kind: "homeAssistant",
url: "http://homeassist.local",
},
]);
// Act
const actAsync = async () => await caller.byId({ id: "1" });
// Assert
await expect(actAsync()).rejects.toThrow("Integration not found");
});
});
describe("create should create a new integration", () => {
test("with create integration access should create a new integration", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: defaultSessionWithPermissions(["integration-create"]),
});
const input = {
name: "Jellyfin",
@@ -164,14 +199,35 @@ describe("create should create a new integration", () => {
expect(dbSecret!.value).toMatch(/^[a-f0-9]+.[a-f0-9]+$/);
expect(dbSecret!.updatedAt).toEqual(fakeNow);
});
});
describe("update should update an integration", () => {
it("should update an integration", async () => {
test("without create integration access should throw permission error", async () => {
// Arrange
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-interact-all"]),
});
const input = {
name: "Jellyfin",
kind: "jellyfin" as const,
url: "http://jellyfin.local",
secrets: [{ kind: "apiKey" as const, value: "1234567890" }],
};
// Act
const actAsync = async () => await caller.create(input);
// Assert
await expect(actAsync()).rejects.toThrow("Permission denied");
});
});
describe("update should update an integration", () => {
test("with full access should update an integration", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
const lastWeek = new Date("2023-06-24T00:00:00Z");
@@ -241,11 +297,11 @@ describe("update should update an integration", () => {
expect(apiKey.value).not.toEqual(input.secrets[2]!.value);
});
it("should throw an error if the integration does not exist", async () => {
test("with full access should throw an error if the integration does not exist", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
const actAsync = async () =>
@@ -257,14 +313,35 @@ describe("update should update an integration", () => {
});
await expect(actAsync()).rejects.toThrow("Integration not found");
});
});
describe("delete should delete an integration", () => {
it("should delete an integration", async () => {
test("without full access should throw permission error", async () => {
// Arrange
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: null,
session: defaultSessionWithPermissions(["integration-interact-all"]),
});
// Act
const actAsync = async () =>
await caller.update({
id: createId(),
name: "Pi Hole",
url: "http://hole.local",
secrets: [],
});
// Assert
await expect(actAsync()).rejects.toThrow("Integration not found");
});
});
describe("delete should delete an integration", () => {
test("with full access should delete an integration", async () => {
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: defaultSessionWithPermissions(["integration-full-all"]),
});
const integrationId = createId();
@@ -291,4 +368,19 @@ describe("delete should delete an integration", () => {
const dbSecrets = await db.query.integrationSecrets.findMany();
expect(dbSecrets.length).toBe(0);
});
test("without full access should throw permission error", async () => {
// Arrange
const db = createDb();
const caller = integrationRouter.createCaller({
db,
session: defaultSessionWithPermissions(["integration-interact-all"]),
});
// Act
const actAsync = async () => await caller.delete({ id: createId() });
// Assert
await expect(actAsync()).rejects.toThrow("Integration not found");
});
});

12
packages/auth/permissions/board-permissions.ts
View File

@@ -1,5 +1,7 @@
import type { Session } from "next-auth";
import type { BoardPermission } from "@homarr/definitions";
export type BoardPermissionsProps = (
| {
creator: {
@@ -11,10 +13,10 @@ export type BoardPermissionsProps = (
}
) & {
userPermissions: {
permission: string;
permission: BoardPermission;
}[];
groupPermissions: {
permission: string;
permission: BoardPermission;
}[];
isPublic: boolean;
};
@@ -23,11 +25,11 @@ export const constructBoardPermissions = (board: BoardPermissionsProps, session:
const creatorId = "creator" in board ? board.creator?.id : board.creatorId;
return {
hasFullAccess: session?.user.id === creatorId || session?.user.permissions.includes("board-full-access"),
hasFullAccess: session?.user.id === creatorId || session?.user.permissions.includes("board-full-all"),
hasChangeAccess:
session?.user.id === creatorId ||
board.userPermissions.some(({ permission }) => permission === "board-change") ||
board.groupPermissions.some(({ permission }) => permission === "board-change") ||
board.userPermissions.some(({ permission }) => permission === "modify") ||
board.groupPermissions.some(({ permission }) => permission === "modify") ||
session?.user.permissions.includes("board-modify-all"),
hasViewAccess:
session?.user.id === creatorId ||

1
packages/auth/permissions/index.ts
View File

@@ -1 +1,2 @@
export * from "./board-permissions";
export * from "./integration-permissions";

26
packages/auth/permissions/integration-permissions.ts Normal file
View File

@@ -0,0 +1,26 @@
import type { Session } from "next-auth";
import type { IntegrationPermission } from "@homarr/definitions";
export interface IntegrationPermissionsProps {
userPermissions: {
permission: IntegrationPermission;
}[];
groupPermissions: {
permission: IntegrationPermission;
}[];
}
export const constructIntegrationPermissions = (integration: IntegrationPermissionsProps, session: Session | null) => {
return {
hasFullAccess: session?.user.permissions.includes("integration-full-all"),
hasInteractAccess:
integration.userPermissions.some(({ permission }) => permission === "interact") ||
integration.groupPermissions.some(({ permission }) => permission === "interact") ||
session?.user.permissions.includes("integration-interact-all"),
hasUseAccess:
integration.userPermissions.length >= 1 ||
integration.groupPermissions.length >= 1 ||
session?.user.permissions.includes("integration-use-all"),
};
};

16
packages/auth/permissions/test/board-permissions.spec.ts
View File

@@ -33,7 +33,7 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test("should return hasFullAccess as true when session permissions include board-full-access", () => {
test("should return hasFullAccess as true when session permissions include board-full-all", () => {
// Arrange
const board = {
creator: {
@@ -46,7 +46,7 @@ describe("constructBoardPermissions", () => {
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["board-full-access"]),
permissions: getPermissionsWithChildren(["board-full-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
@@ -87,14 +87,14 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test('should return hasChangeAccess as true when board user permissions include "board-change"', () => {
test('should return hasChangeAccess as true when board user permissions include "modify"', () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [{ permission: "board-change" }],
userPermissions: [{ permission: "modify" as const }],
groupPermissions: [],
isPublic: false,
};
@@ -115,14 +115,14 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test("should return hasChangeAccess as true when board group permissions include board-change", () => {
test("should return hasChangeAccess as true when board group permissions include modify", () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [],
groupPermissions: [{ permission: "board-change" }],
groupPermissions: [{ permission: "modify" as const }],
isPublic: false,
};
const session = {
@@ -175,7 +175,7 @@ describe("constructBoardPermissions", () => {
creator: {
id: "1",
},
userPermissions: [{ permission: "board-view" }],
userPermissions: [{ permission: "view" as const }],
groupPermissions: [],
isPublic: false,
};
@@ -203,7 +203,7 @@ describe("constructBoardPermissions", () => {
id: "1",
},
userPermissions: [],
groupPermissions: [{ permission: "board-view" }],
groupPermissions: [{ permission: "view" as const }],
isPublic: false,
};
const session = {

229
packages/auth/permissions/test/integration-permissions.spec.ts Normal file
View File

@@ -0,0 +1,229 @@
import type { Session } from "next-auth";
import { describe, expect, test } from "vitest";
import { getPermissionsWithChildren } from "@homarr/definitions";
import { constructIntegrationPermissions } from "../integration-permissions";
describe("constructIntegrationPermissions", () => {
test("should return hasFullAccess as true when session permissions include integration-full-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-full-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(true);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasInteractAccess as true when session permissions include integration-interact-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-interact-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test('should return hasInteractAccess as true when integration user permissions include "interact"', () => {
// Arrange
const integration = {
userPermissions: [{ permission: "interact" as const }],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasInteractAccess as true when integration group permissions include interact", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [{ permission: "interact" as const }],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when session permissions include integration-use-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-use-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when integration user permissions length is greater than or equal to 1", () => {
// Arrange
const integration = {
userPermissions: [{ permission: "use" as const }],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when integration group permissions length is greater than or equal to 1", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [{ permission: "use" as const }],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return all false when integration no permissions", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(false);
});
});
/*
test("should return hasViewAccess as true when board is public", () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [],
groupPermissions: [],
isPublic: true,
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructBoardPermissions(board, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasChangeAccess).toBe(false);
expect(result.hasViewAccess).toBe(true);
});
});
*/

18
packages/db/migrations/mysql/0004_noisy_giant_girl.sql Normal file
View File

@@ -0,0 +1,18 @@
CREATE TABLE `integrationGroupPermissions` (
`integration_id` varchar(64) NOT NULL,
`group_id` varchar(64) NOT NULL,
`permission` text NOT NULL,
CONSTRAINT `integrationGroupPermissions_integration_id_group_id_permission_pk` PRIMARY KEY(`integration_id`,`group_id`,`permission`)
);
--> statement-breakpoint
CREATE TABLE `integrationUserPermission` (
`integration_id` varchar(64) NOT NULL,
`user_id` varchar(64) NOT NULL,
`permission` text NOT NULL,
CONSTRAINT `integrationUserPermission_integration_id_user_id_permission_pk` PRIMARY KEY(`integration_id`,`user_id`,`permission`)
);
--> statement-breakpoint
ALTER TABLE `integrationGroupPermissions` ADD CONSTRAINT `integrationGroupPermissions_integration_id_integration_id_fk` FOREIGN KEY (`integration_id`) REFERENCES `integration`(`id`) ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
ALTER TABLE `integrationGroupPermissions` ADD CONSTRAINT `integrationGroupPermissions_group_id_group_id_fk` FOREIGN KEY (`group_id`) REFERENCES `group`(`id`) ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
ALTER TABLE `integrationUserPermission` ADD CONSTRAINT `integrationUserPermission_integration_id_integration_id_fk` FOREIGN KEY (`integration_id`) REFERENCES `integration`(`id`) ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
ALTER TABLE `integrationUserPermission` ADD CONSTRAINT `integrationUserPermission_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE cascade ON UPDATE no action;

2
packages/db/migrations/mysql/meta/0002_snapshot.json
View File

@@ -2,7 +2,7 @@
"version": "5",
"dialect": "mysql",
"id": "4e382d0d-a432-4953-bd5e-04f3f33e26a4",
"prevId": "fdeaf6eb-cd62-4fa5-9b38-d7f80a60db9f",
"prevId": "ba2dd885-4e7f-4a45-99a0-7b45cbd0a5c2",
"tables": {
"account": {
"name": "account",

1320
packages/db/migrations/mysql/meta/0004_snapshot.json Normal file
View File

File diff suppressed because it is too large Load Diff

7
packages/db/migrations/mysql/meta/_journal.json
View File

@@ -29,6 +29,13 @@
"when": 1716148439439,
"tag": "0003_freezing_black_panther",
"breakpoints": true
},
{
"idx": 4,
"version": "5",
"when": 1720113913876,
"tag": "0004_noisy_giant_girl",
"breakpoints": true
}
]
}

17
packages/db/migrations/sqlite/0004_peaceful_red_ghost.sql Normal file
View File

@@ -0,0 +1,17 @@
CREATE TABLE `integrationGroupPermissions` (
`integration_id` text NOT NULL,
`group_id` text NOT NULL,
`permission` text NOT NULL,
PRIMARY KEY(`group_id`, `integration_id`, `permission`),
FOREIGN KEY (`integration_id`) REFERENCES `integration`(`id`) ON UPDATE no action ON DELETE cascade,
FOREIGN KEY (`group_id`) REFERENCES `group`(`id`) ON UPDATE no action ON DELETE cascade
);
--> statement-breakpoint
CREATE TABLE `integrationUserPermission` (
`integration_id` text NOT NULL,
`user_id` text NOT NULL,
`permission` text NOT NULL,
PRIMARY KEY(`integration_id`, `permission`, `user_id`),
FOREIGN KEY (`integration_id`) REFERENCES `integration`(`id`) ON UPDATE no action ON DELETE cascade,
FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE cascade
);

2
packages/db/migrations/sqlite/meta/0002_snapshot.json
View File

@@ -2,7 +2,7 @@
"version": "6",
"dialect": "sqlite",
"id": "5ad60251-8450-437d-9081-a456884120d2",
"prevId": "0575873a-9e10-4480-8d7d-c47198622c22",
"prevId": "2ed0ffc3-8612-42e7-bd8e-f5f8f3338a39",
"tables": {
"account": {
"name": "account",

1263
packages/db/migrations/sqlite/meta/0004_snapshot.json Normal file
View File

File diff suppressed because it is too large Load Diff

7
packages/db/migrations/sqlite/meta/_journal.json
View File

@@ -29,6 +29,13 @@
"when": 1716148434186,
"tag": "0003_adorable_raider",
"breakpoints": true
},
{
"idx": 4,
"version": "6",
"when": 1720036615408,
"tag": "0004_peaceful_red_ghost",
"breakpoints": true
}
]
}

61
packages/db/schema/mysql.ts
View File

@@ -10,6 +10,7 @@ import type {
BoardPermission,
GroupPermissionKey,
IntegrationKind,
IntegrationPermission,
IntegrationSecretKind,
SectionKind,
WidgetKind,
@@ -157,6 +158,42 @@ export const integrationSecrets = mysqlTable(
}),
);
export const integrationUserPermissions = mysqlTable(
"integrationUserPermission",
{
integrationId: varchar("integration_id", { length: 64 })
.notNull()
.references(() => integrations.id, { onDelete: "cascade" }),
userId: varchar("user_id", { length: 64 })
.notNull()
.references(() => users.id, { onDelete: "cascade" }),
permission: text("permission").$type<IntegrationPermission>().notNull(),
},
(table) => ({
compoundKey: primaryKey({
columns: [table.integrationId, table.userId, table.permission],
}),
}),
);
export const integrationGroupPermissions = mysqlTable(
"integrationGroupPermissions",
{
integrationId: varchar("integration_id", { length: 64 })
.notNull()
.references(() => integrations.id, { onDelete: "cascade" }),
groupId: varchar("group_id", { length: 64 })
.notNull()
.references(() => groups.id, { onDelete: "cascade" }),
permission: text("permission").$type<IntegrationPermission>().notNull(),
},
(table) => ({
compoundKey: primaryKey({
columns: [table.integrationId, table.groupId, table.permission],
}),
}),
);
export const boards = mysqlTable("board", {
id: varchar("id", { length: 64 }).notNull().primaryKey(),
name: varchar("name", { length: 256 }).unique().notNull(),
@@ -387,6 +424,30 @@ export const boardGroupPermissionRelations = relations(boardGroupPermissions, ({
export const integrationRelations = relations(integrations, ({ many }) => ({
secrets: many(integrationSecrets),
items: many(integrationItems),
userPermissions: many(integrationUserPermissions),
groupPermissions: many(integrationGroupPermissions),
}));
export const integrationUserPermissionRelations = relations(integrationUserPermissions, ({ one }) => ({
user: one(users, {
fields: [integrationUserPermissions.userId],
references: [users.id],
}),
integration: one(integrations, {
fields: [integrationUserPermissions.integrationId],
references: [integrations.id],
}),
}));
export const integrationGroupPermissionRelations = relations(integrationGroupPermissions, ({ one }) => ({
group: one(groups, {
fields: [integrationGroupPermissions.groupId],
references: [groups.id],
}),
integration: one(integrations, {
fields: [integrationGroupPermissions.integrationId],
references: [integrations.id],
}),
}));
export const integrationSecretRelations = relations(integrationSecrets, ({ one }) => ({

61
packages/db/schema/sqlite.ts
View File

@@ -12,6 +12,7 @@ import type {
BoardPermission,
GroupPermissionKey,
IntegrationKind,
IntegrationPermission,
IntegrationSecretKind,
SectionKind,
WidgetKind,
@@ -160,6 +161,42 @@ export const integrationSecrets = sqliteTable(
}),
);
export const integrationUserPermissions = sqliteTable(
"integrationUserPermission",
{
integrationId: text("integration_id")
.notNull()
.references(() => integrations.id, { onDelete: "cascade" }),
userId: text("user_id")
.notNull()
.references(() => users.id, { onDelete: "cascade" }),
permission: text("permission").$type<IntegrationPermission>().notNull(),
},
(table) => ({
compoundKey: primaryKey({
columns: [table.integrationId, table.userId, table.permission],
}),
}),
);
export const integrationGroupPermissions = sqliteTable(
"integrationGroupPermissions",
{
integrationId: text("integration_id")
.notNull()
.references(() => integrations.id, { onDelete: "cascade" }),
groupId: text("group_id")
.notNull()
.references(() => groups.id, { onDelete: "cascade" }),
permission: text("permission").$type<IntegrationPermission>().notNull(),
},
(table) => ({
compoundKey: primaryKey({
columns: [table.integrationId, table.groupId, table.permission],
}),
}),
);
export const boards = sqliteTable("board", {
id: text("id").notNull().primaryKey(),
name: text("name").unique().notNull(),
@@ -390,6 +427,30 @@ export const boardGroupPermissionRelations = relations(boardGroupPermissions, ({
export const integrationRelations = relations(integrations, ({ many }) => ({
secrets: many(integrationSecrets),
items: many(integrationItems),
userPermissions: many(integrationUserPermissions),
groupPermissions: many(integrationGroupPermissions),
}));
export const integrationUserPermissionRelations = relations(integrationUserPermissions, ({ one }) => ({
user: one(users, {
fields: [integrationUserPermissions.userId],
references: [users.id],
}),
integration: one(integrations, {
fields: [integrationUserPermissions.integrationId],
references: [integrations.id],
}),
}));
export const integrationGroupPermissionRelations = relations(integrationGroupPermissions, ({ one }) => ({
group: one(groups, {
fields: [integrationGroupPermissions.groupId],
references: [groups.id],
}),
integration: one(integrations, {
fields: [integrationGroupPermissions.integrationId],
references: [integrations.id],
}),
}));
export const integrationSecretRelations = relations(integrationSecrets, ({ one }) => ({

50
packages/definitions/src/permissions.ts
View File

@@ -1,23 +1,57 @@
import { objectEntries, objectKeys } from "@homarr/common";
export const boardPermissions = ["board-view", "board-change"] as const;
/**
* Permissions for boards.
* view: Can view the board and its content. (e.g. see all items on the board, but not modify them)
* modify: Can modify the board, its content and visual settings. (e.g. move items, change the background)
* full: Can modify the board, its content, visual settings, access settings, delete, change the visibility and rename. (e.g. change the board name, delete the board, give access to other users)
*/
export const boardPermissions = ["view", "modify", "full"] as const;
export const boardPermissionsMap = {
view: "board-view-all",
modify: "board-modify-all",
full: "board-full-all",
} satisfies Record<BoardPermission, GroupPermissionKey>;
export type BoardPermission = (typeof boardPermissions)[number];
/**
* Permissions for integrations.
* use: Can select the integration for an item on the board. (e.g. select pi-hole for a widget)
* interact: Can interact with the integration. (e.g. enable / disable pi-hole)
* full: Can modify the integration. (e.g. change the pi-hole url, secrets and access settings)
*/
export const integrationPermissions = ["use", "interact", "full"] as const;
export const integrationPermissionsMap = {
use: "integration-use-all",
interact: "integration-interact-all",
full: "integration-full-all",
} satisfies Record<IntegrationPermission, GroupPermissionKey>;
export type IntegrationPermission = (typeof integrationPermissions)[number];
/**
* Global permissions that can be assigned to groups.
* The keys are generated through combining the key and all array items.
* For example "board-create" is a generated key
*/
export const groupPermissions = {
board: ["create", "view-all", "modify-all", "full-access"],
integration: ["create", "use-all", "interact-all", "full-access"],
board: ["create", "view-all", "modify-all", "full-all"],
integration: ["create", "use-all", "interact-all", "full-all"],
admin: true,
} as const;
/**
* In the following object is described how the permissions are related to each other.
* For example everybody with the permission "board-modify-all" also has the permission "board-view-all".
* Or admin has all permissions (board-full-access and integration-full-access which will resolve in an array of every permission).
* Or admin has all permissions (board-full-all and integration-full-all which will resolve in an array of every permission).
*/
const groupPermissionParents = {
"board-modify-all": ["board-view-all"],
"board-full-access": ["board-modify-all", "board-create"],
"board-full-all": ["board-modify-all", "board-create"],
"integration-interact-all": ["integration-use-all"],
"integration-full-access": ["integration-interact-all", "integration-create"],
admin: ["board-full-access", "integration-full-access"],
"integration-full-all": ["integration-interact-all", "integration-create"],
admin: ["board-full-all", "integration-full-all"],
} satisfies Partial<Record<GroupPermissionKey, GroupPermissionKey[]>>;
export const getPermissionsWithParents = (permissions: GroupPermissionKey[]): GroupPermissionKey[] => {
@@ -66,5 +100,3 @@ export const groupPermissionKeys = objectKeys(groupPermissions).reduce((acc, key
}
return acc;
}, [] as GroupPermissionKey[]);
export type BoardPermission = (typeof boardPermissions)[number];

24
packages/definitions/src/test/permissions.spec.ts
View File

@@ -5,14 +5,14 @@ import { getPermissionsWithChildren, getPermissionsWithParents } from "../permis
describe("getPermissionsWithParents should return the correct permissions", () => {
test.each([
[["board-view-all"], ["board-view-all", "board-modify-all", "board-full-access", "admin"]],
[["board-modify-all"], ["board-modify-all", "board-full-access", "admin"]],
[["board-create"], ["board-create", "board-full-access", "admin"]],
[["board-full-access"], ["board-full-access", "admin"]],
[["integration-use-all"], ["integration-use-all", "integration-interact-all", "integration-full-access", "admin"]],
[["integration-create"], ["integration-create", "integration-full-access", "admin"]],
[["integration-interact-all"], ["integration-interact-all", "integration-full-access", "admin"]],
[["integration-full-access"], ["integration-full-access", "admin"]],
[["board-view-all"], ["board-view-all", "board-modify-all", "board-full-all", "admin"]],
[["board-modify-all"], ["board-modify-all", "board-full-all", "admin"]],
[["board-create"], ["board-create", "board-full-all", "admin"]],
[["board-full-all"], ["board-full-all", "admin"]],
[["integration-use-all"], ["integration-use-all", "integration-interact-all", "integration-full-all", "admin"]],
[["integration-create"], ["integration-create", "integration-full-all", "admin"]],
[["integration-interact-all"], ["integration-interact-all", "integration-full-all", "admin"]],
[["integration-full-all"], ["integration-full-all", "admin"]],
[["admin"], ["admin"]],
] satisfies [GroupPermissionKey[], GroupPermissionKey[]][])("expect %s to return %s", (input, expectedOutput) => {
expect(getPermissionsWithParents(input)).toEqual(expect.arrayContaining(expectedOutput));
@@ -24,19 +24,19 @@ describe("getPermissionsWithChildren should return the correct permissions", ()
[["board-view-all"], ["board-view-all"]],
[["board-modify-all"], ["board-view-all", "board-modify-all"]],
[["board-create"], ["board-create"]],
[["board-full-access"], ["board-full-access", "board-modify-all", "board-view-all"]],
[["board-full-all"], ["board-full-all", "board-modify-all", "board-view-all"]],
[["integration-use-all"], ["integration-use-all"]],
[["integration-create"], ["integration-create"]],
[["integration-interact-all"], ["integration-interact-all", "integration-use-all"]],
[["integration-full-access"], ["integration-full-access", "integration-interact-all", "integration-use-all"]],
[["integration-full-all"], ["integration-full-all", "integration-interact-all", "integration-use-all"]],
[
["admin"],
[
"admin",
"board-full-access",
"board-full-all",
"board-modify-all",
"board-view-all",
"integration-full-access",
"integration-full-all",
"integration-interact-all",
"integration-use-all",
],

68
packages/translation/src/lang/en.ts
View File

@@ -165,7 +165,7 @@ export default {
label: "Modify all boards",
description: "Allow members to modify all boards (Does not include access control and danger zone)",
},
"full-access": {
"full-all": {
label: "Full board access",
description:
"Allow members to view, modify, and delete all boards (Including access control and danger zone)",
@@ -187,7 +187,7 @@ export default {
label: "Interact with any integration",
description: "Allow members to interact with any integration",
},
"full-access": {
"full-all": {
label: "Full integration access",
description: "Allow members to manage, use and interact with any integration",
},
@@ -484,6 +484,11 @@ export default {
},
},
},
permission: {
use: "Select integrations in items",
interact: "Interact with integrations",
full: "Full integration access",
},
},
common: {
rtl: "{value}{symbol}",
@@ -1156,36 +1161,14 @@ export default {
access: {
title: "Access control",
permission: {
userSelect: {
title: "Add user permission",
},
groupSelect: {
title: "Add group permission",
},
tab: {
user: "Users",
group: "Groups",
inherited: "Inherited groups",
},
field: {
user: {
label: "User",
},
group: {
label: "Group",
},
permission: {
label: "Permission",
},
},
item: {
"board-view": {
view: {
label: "View board",
},
"board-change": {
label: "Change board",
modify: {
label: "Modify board",
},
"board-full": {
full: {
label: "Full access",
},
},
@@ -1605,6 +1588,35 @@ export default {
},
},
},
permission: {
title: "Permissions",
userSelect: {
title: "Add user permission",
},
groupSelect: {
title: "Add group permission",
},
tab: {
user: "Users",
group: "Groups",
inherited: "Inherited groups",
},
field: {
user: {
label: "User",
},
group: {
label: "Group",
},
permission: {
label: "Permission",
},
},
action: {
saveUser: "Save user permission",
saveGroup: "Save group permission",
},
},
navigationStructure: {
manage: {
label: "Manage",

9
packages/validation/src/board.ts
View File

@@ -8,6 +8,7 @@ import {
} from "@homarr/definitions";
import { zodEnumFromArray } from "./enums";
import { createSavePermissionsSchema } from "./permissions";
import { commonItemSchema, createSectionSchema } from "./shared";
const hexColorSchema = z.string().regex(/^#[0-9A-Fa-f]{6}$/);
@@ -66,11 +67,13 @@ const permissionsSchema = z.object({
id: z.string(),
});
const savePermissionsSchema = z.object({
id: z.string(),
const savePermissionsSchema = createSavePermissionsSchema(zodEnumFromArray(boardPermissions));
z.object({
entityId: z.string(),
permissions: z.array(
z.object({
itemId: z.string(),
principalId: z.string(),
permission: zodEnumFromArray(boardPermissions),
}),
),

6
packages/validation/src/integration.ts
View File

@@ -1,8 +1,9 @@
import { z } from "zod";
import { integrationKinds, integrationSecretKinds } from "@homarr/definitions";
import { integrationKinds, integrationPermissions, integrationSecretKinds } from "@homarr/definitions";
import { zodEnumFromArray } from "./enums";
import { createSavePermissionsSchema } from "./permissions";
const integrationCreateSchema = z.object({
name: z.string().nonempty().max(127),
@@ -44,10 +45,13 @@ const testConnectionSchema = z.object({
),
});
const savePermissionsSchema = createSavePermissionsSchema(zodEnumFromArray(integrationPermissions));
export const integrationSchemas = {
create: integrationCreateSchema,
update: integrationUpdateSchema,
delete: idSchema,
byId: idSchema,
testConnection: testConnectionSchema,
savePermissions: savePermissionsSchema,
};

15
packages/validation/src/permissions.ts Normal file
View File

@@ -0,0 +1,15 @@
import { z } from "zod";
export const createSavePermissionsSchema = <const TPermissionSchema extends z.ZodEnum<[string, ...string[]]>>(
permissionSchema: TPermissionSchema,
) => {
return z.object({
entityId: z.string(),
permissions: z.array(
z.object({
principalId: z.string(),
permission: permissionSchema,
}),
),
});
};