nocodb/packages/nc-gui/lib/acl.ts

import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk'

const roleScopes = {
  org: [OrgUserRoles.VIEWER, OrgUserRoles.CREATOR],
  base: [
    ProjectRoles.NO_ACCESS,
    ProjectRoles.VIEWER,
    ProjectRoles.COMMENTER,
    ProjectRoles.EDITOR,
    ProjectRoles.CREATOR,
    ProjectRoles.OWNER,
  ],
}

interface Perm {
  include?: Record<string, boolean>
}

/**
 * Each permission value means the following
 * `*` - which is wildcard, means all permissions are allowed
 *  `include` - which is an object, means only the permissions listed in the object are allowed
 *  `undefined` or `{}` - which is the default value, means no permissions are allowed
 * */
const rolePermissions = {
  // org level role permissions
  [OrgUserRoles.SUPER_ADMIN]: '*',
  [OrgUserRoles.CREATOR]: {
    include: {
      workspaceSettings: true,
      superAdminUserManagement: true,
      baseCreate: true,
      baseMove: true,
      baseDelete: true,
      baseDuplicate: true,
      newUser: true,
      viewCreateOrEdit: true,
      baseReorder: true,
      orgAdminPanel: true,
    },
  },
  [OrgUserRoles.VIEWER]: {
    include: {
      importRequest: true,
    },
  },

  // Base role permissions
  [ProjectRoles.OWNER]: {
    include: {
      baseDelete: true,
    },
  },
  [ProjectRoles.CREATOR]: {
    include: {
      baseCreate: true,
      fieldUpdate: true,
      hookList: true,
      tableCreate: true,
      tableRename: true,
      tableDelete: true,
      tableDuplicate: true,
      tableSort: true,
      layoutRename: true,
      layoutDelete: true,
      airtableImport: true,
      jsonImport: true,
      excelImport: true,
      settingsPage: true,
      newUser: true,
      webhook: true,
      fieldEdit: true,
      fieldAdd: true,
      tableIconEdit: true,
      viewCreateOrEdit: true,
      viewShare: true,
      baseShare: true,
      baseMiscSettings: true,
      csvImport: true,
      baseRename: true,
      baseDuplicate: true,
      sourceCreate: true,
    },
  },
  [ProjectRoles.EDITOR]: {
    include: {
      dataInsert: true,
      dataEdit: true,
      sortSync: true,
      filterSync: true,
      filterChildrenRead: true,
      viewFieldEdit: true,
      csvTableImport: true,
      excelTableImport: true,
    },
  },
  [ProjectRoles.COMMENTER]: {
    include: {
      commentEdit: true,
      commentList: true,
      commentCount: true,
    },
  },
  [ProjectRoles.VIEWER]: {
    include: {
      baseSettings: true,
      expandedForm: true,
      apiDocs: true,
    },
  },
  [ProjectRoles.NO_ACCESS]: {
    include: {},
  },
} as Record<OrgUserRoles | ProjectRoles, Perm | '*'>

/*
  We inherit include permissions from previous roles in the same scope (role order)
  To determine role order, we use `roleScopes` object

  So for example ProjectRoles.COMMENTER has `commentEdit` permission,
    which means ProjectRoles.EDITOR, ProjectRoles.CREATOR, ProjectRoles.OWNER will also have `commentEdit` permission
    where as ProjectRoles.VIEWER, ProjectRoles.NO_ACCESS will not have `commentEdit` permission.

  This is why we are validating that there are no duplicate permissions within the same scope
    even though it is not required for the code to work. It is to keep the code clean and easy to understand.
*/

// validate no duplicate permissions within same scope
Object.values(roleScopes).forEach((roles) => {
  const scopePermissions: Record<string, boolean> = {}
  const duplicates: string[] = []
  roles.forEach((role) => {
    const perms = (rolePermissions[role] as Perm).include || {}
    Object.keys(perms).forEach((perm) => {
      if (scopePermissions[perm]) {
        duplicates.push(perm)
      }
      scopePermissions[perm] = true
    })
  })
  if (duplicates.length) {
    throw new Error(
      `Duplicate permissions found in roles ${roles.join(', ')}. Please remove duplicate permissions: ${duplicates.join(', ')}`,
    )
  }
})

// inherit include permissions within scope (role order)
Object.values(roleScopes).forEach((roles) => {
  let roleIndex = 0
  for (const role of roles) {
    if (roleIndex === 0) {
      roleIndex++
      continue
    }

    if (rolePermissions[role] === '*') continue
    if ((rolePermissions[role] as Perm).include && (rolePermissions[roles[roleIndex - 1]] as Perm).include) {
      Object.assign((rolePermissions[role] as Perm).include!, (rolePermissions[roles[roleIndex - 1]] as Perm).include)
    }

    roleIndex++
  }
})

export { rolePermissions }
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk'`

			`const roleScopes = {`
			`org: [OrgUserRoles.VIEWER, OrgUserRoles.CREATOR],`
fix: base acl 4 months ago			`base: [`
			`ProjectRoles.NO_ACCESS,`
			`ProjectRoles.VIEWER,`
			`ProjectRoles.COMMENTER,`
			`ProjectRoles.EDITOR,`
			`ProjectRoles.CREATOR,`
			`ProjectRoles.OWNER,`
			`],`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`}`

			`interface Perm {`
			`include?: Record<string, boolean>`
			`}`

			`/**`
			`* Each permission value means the following`
			* `*` - which is wildcard, means all permissions are allowed
			* `include` - which is an object, means only the permissions listed in the object are allowed
			* `undefined` or `{}` - which is the default value, means no permissions are allowed
			`* */`
			`const rolePermissions = {`
			`// org level role permissions`
			`[OrgUserRoles.SUPER_ADMIN]: '*',`
			`[OrgUserRoles.CREATOR]: {`
			`include: {`
fix: Added user management to org creator and user cannot delete themselves 9 months ago			`workspaceSettings: true,`
			`superAdminUserManagement: true,`
refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`baseCreate: true,`
			`baseMove: true,`
			`baseDelete: true,`
			`baseDuplicate: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`newUser: true,`
fix: Integrated view sidebar removal to tests 10 months ago			`viewCreateOrEdit: true,`
fix(nc-gui): handle duplicate base order case and use permission `baseReorder` instead of `baseMove` 5 months ago			`baseReorder: true,`
Nc feat/user management (#8369) * fix: source filter Signed-off-by: mertmit <mertmit99@gmail.com> * feat: sso cloud apis - WIP * feat: admin panel menu option * feat: UI integration - WIP * feat: UI integration - SSO * feat: domain verification * feat: workspace upgrade and sso page - WIP * feat: domain adding and verification - WIP * feat: domain adding and verification * fix: domain validation corrections * chore: lint * feat(nc-gui): organization settings page * feat(nc-gui): organization members page * fix(nc-gui): some more changes * fix(nc-gui): refactor collaborators ui * feat(nc-gui): dashboard ui * feat(nc-gui): bases page * feat(nocodb): wired up ui and apis. wip * fix(nc-gui): some more fixes * fix(nc-gui): move ws to org immediately after creation * fix(nc-gui): some more bug fixes * feat(nocodb): transfer workspace ownership * fix(nc-gui): load roles if baseId is provided in prop * fix(nc-gui): show only org workspaces * fix(nc-gui): some more fixes * fix(nc-gui): rename base * fix(nc-gui): invite fixes * feat: restrict access to org level user(SSO login) * fix: include org and client info in token * fix: include org and client info in refresh token * refactor: minor ui corrections * refactor: add a generic component for copying * refactor: ui correction and cleanup * fix: refresh token update * fix: ui corrections * fix: if user signin using unverified domain show error in sso page rather than showing the json with error * fix: for all sso related exceptions redirect to sso ui page with error * chore: lint * fix: show admin panel option only for user who have permission * fix: redirect to sso login page on logout based on current user info * test: sso - playwright test * fix: duplicate attribute * test: playwright * fix: missing import * test: playwright - WIP * test: playwright - Cloud sso login flow * fix: error handling * test: playwright - sso auth flow tests * fix: show upgrade option only for workspace owner * test: user invite tests corrections * test: user invite tests corrections * test: user management correction * test: playwright - use regex for path match * fix: delete existing provider if any * test: combine sso tests to run serially * test: playwright - title name correction * test: playwright - reset sso client from sso tests only * test: playwright - page navigation correction * refactor: by default navigate to org settings page on org creation and disable org image upload * refactor: reverify domain after 7 days and update role names to avoid confusion between org and cloud org roles * fix: corrections * fix: show org level roles in members section * refactor: disable org update by default * test: unit tests for org admin apis * chore: lint * fix: review comments * chore: lint and cleanup --------- Signed-off-by: mertmit <mertmit99@gmail.com> Co-authored-by: mertmit <mertmit99@gmail.com> Co-authored-by: DarkPhoenix2704 <anbarasun123@gmail.com> 2 months ago			`orgAdminPanel: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`},`
			`},`
			`[OrgUserRoles.VIEWER]: {`
			`include: {`
			`importRequest: true,`
			`},`
			`},`

refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`// Base role permissions`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`[ProjectRoles.OWNER]: {`
			`include: {`
refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`baseDelete: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`},`
			`},`
			`[ProjectRoles.CREATOR]: {`
			`include: {`
			`baseCreate: true,`
			`fieldUpdate: true,`
			`hookList: true,`
			`tableCreate: true,`
			`tableRename: true,`
			`tableDelete: true,`
			`tableDuplicate: true,`
			`tableSort: true,`
			`layoutRename: true,`
			`layoutDelete: true,`
			`airtableImport: true,`
			`jsonImport: true,`
			`excelImport: true,`
			`settingsPage: true,`
			`newUser: true,`
			`webhook: true,`
			`fieldEdit: true,`
			`fieldAdd: true,`
			`tableIconEdit: true,`
			`viewCreateOrEdit: true,`
			`viewShare: true,`
refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`baseShare: true,`
			`baseMiscSettings: true,`
fix: Fixed sidebar node context menu based on ACL and added tests for it based on roles 10 months ago			`csvImport: true,`
refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`baseRename: true,`
			`baseDuplicate: true,`
fix(nc-gui): Fixed issue with create data source btn issue 9 months ago			`sourceCreate: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`},`
			`},`
			`[ProjectRoles.EDITOR]: {`
			`include: {`
			`dataInsert: true,`
			`dataEdit: true,`
			`sortSync: true,`
			`filterSync: true,`
			`filterChildrenRead: true,`
			`viewFieldEdit: true,`
fix: Fixed sidebar node context menu based on ACL and added tests for it based on roles 10 months ago			`csvTableImport: true,`
Update acl.ts to allow editor to import excel files Allow editors to import excel files via the top menu. 8 months ago			`excelTableImport: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`},`
			`},`
			`[ProjectRoles.COMMENTER]: {`
			`include: {`
			`commentEdit: true,`
			`commentList: true,`
			`commentCount: true,`
			`},`
			`},`
			`[ProjectRoles.VIEWER]: {`
			`include: {`
refactor: rename project and base - Rename `Project` => `Base` - Rename `Base` => `Source` - Remove `db` from data/meta api endpoints - Add backward compatibility for old apis - Migrations for renaming table and columns Signed-off-by: Pranav C <pranavxc@gmail.com> 9 months ago			`baseSettings: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`expandedForm: true,`
fix: Fixed sidebar node context menu based on ACL and added tests for it based on roles 10 months ago			`apiDocs: true,`
fix: refactor isUIAllowed and move to useRoles composable 10 months ago			`},`
			`},`
			`[ProjectRoles.NO_ACCESS]: {`
			`include: {},`
			`},`
			`} as Record<OrgUserRoles \| ProjectRoles, Perm \| '*'>`

			`/*`
			`We inherit include permissions from previous roles in the same scope (role order)`
			To determine role order, we use `roleScopes` object

			So for example ProjectRoles.COMMENTER has `commentEdit` permission,
			which means ProjectRoles.EDITOR, ProjectRoles.CREATOR, ProjectRoles.OWNER will also have `commentEdit` permission
			where as ProjectRoles.VIEWER, ProjectRoles.NO_ACCESS will not have `commentEdit` permission.

			`This is why we are validating that there are no duplicate permissions within the same scope`
			`even though it is not required for the code to work. It is to keep the code clean and easy to understand.`
			`*/`

			`// validate no duplicate permissions within same scope`
			`Object.values(roleScopes).forEach((roles) => {`
			`const scopePermissions: Record<string, boolean> = {}`
			`const duplicates: string[] = []`
			`roles.forEach((role) => {`
			`const perms = (rolePermissions[role] as Perm).include \|\| {}`
			`Object.keys(perms).forEach((perm) => {`
			`if (scopePermissions[perm]) {`
			`duplicates.push(perm)`
			`}`
			`scopePermissions[perm] = true`
			`})`
			`})`
			`if (duplicates.length) {`
			`throw new Error(`
			`Duplicate permissions found in roles ${roles.join(', ')}. Please remove duplicate permissions: ${duplicates.join(', ')}`,
			`)`
			`}`
			`})`

			`// inherit include permissions within scope (role order)`
			`Object.values(roleScopes).forEach((roles) => {`
			`let roleIndex = 0`
			`for (const role of roles) {`
			`if (roleIndex === 0) {`
			`roleIndex++`
			`continue`
			`}`

			`if (rolePermissions[role] === '*') continue`
			`if ((rolePermissions[role] as Perm).include && (rolePermissions[roles[roleIndex - 1]] as Perm).include) {`
			`Object.assign((rolePermissions[role] as Perm).include!, (rolePermissions[roles[roleIndex - 1]] as Perm).include)`
			`}`

			`roleIndex++`
			`}`
			`})`

			`export { rolePermissions }`