panel/lib/accessPermissions.ts

import { getServerSession } from "next-auth";

type Permission =
  | "authifier"
  | `accounts${"" | `/fetch${"" | "/by-id"}`}`
  | `bots${"" | `/fetch${"" | "/by-id" | "/by-user"}`}`
  | `channels${"" | `/fetch${"" | "/by-id" | "/dm"}` | `/create${"" | "/dm"}`}`
  | `messages${"" | `/fetch${"" | "/by-id"}`}`
  | `reports${
      | ""
      | `/fetch${
          | ""
          | "/by-id"
          | "/open"
          | `/related${"" | "/by-content" | "/by-user"}`
          | `/snapshots${"" | "/by-report" | "/by-user"}`}`}`
  | `sessions${"" | `/fetch${"" | "/by-account-id"}`}`
  | `servers${"" | `/fetch${"" | "/by-id"}`}`
  | `users${"" | `/fetch${"" | "/by-id" | "/memberships"}`}`;

const ACL: Record<string, Set<Permission>> = {
  "insert@revolt.chat": new Set([
    "users/fetch/by-id",
    "reports/fetch/open",
    "reports/fetch/by-id",
    "reports/fetch/related",
    "reports/fetch/snapshots/by-report",
  ] as Permission[]),
};

function hasPermission(email: string, permission: Permission) {
  const segments = permission.split("/");
  while (segments.length) {
    if (ACL[email].has(segments.join("/") as Permission)) {
      return true;
    }

    segments.pop();
  }

  return false;
}

export async function hasPermissionFromSession(permission: Permission) {
  const session = await getServerSession();
  if (!session?.user?.email) throw "Not authenticated.";
  return hasPermission(session.user.email, permission);
}

export async function checkPermission(permission: Permission) {
  if (!(await hasPermissionFromSession(permission)))
    throw `Missing permission ${permission}`;
}