vale
/
panel
forked from administration/panel
1
0
Fork 0
Code Pull Requests Activity
panel/lib/accessPermissions.ts

180 lines
4.4 KiB
TypeScript
Raw Blame History

import { getServerSession } from "next-auth";
import { insertAuditLog } from "./db";
type Permission =
| "authifier"
| "publish_message"
| "chat_message"
| `accounts${
| ""
| `/fetch${"" | "/by-id"}`
| "/disable"
| "/restore"
| `/deletion${"" | "/queue" | "/cancel"}`}`
| `bots${
| ""
| `/fetch${"" | "/by-id" | "/by-user"}`
| `/update${"" | "/discoverability"}`}`
| `channels${"" | `/fetch${"" | "/by-id" | "/dm"}` | `/create${"" | "/dm"}`}`
| `messages${"" | `/fetch${"" | "/by-id" | "/by-user"}`}`
| `reports${
| ""
| `/fetch${
| ""
| "/by-id"
| "/open"
| `/related${"" | "/by-content" | "/by-user" | "/against-user"}`
| `/snapshots${"" | "/by-report" | "/by-user"}`}`
| `/update${
| ""
| "/notes"
| "/resolve"
| "/reject"
| "/reopen"
| `/bulk-close${"" | "/by-user"}`}`}`
| `sessions${"" | `/fetch${"" | "/by-account-id"}`}`
| `servers${
| ""
| `/fetch${"" | "/by-id"}`
| `/update${"" | "/flags" | "/discoverability"}`}`
| `users${
| ""
| `/fetch${
| ""
| "/by-id"
| "/memberships"
| "/strikes"
| "/notices"
| "/relations"}`
| `/create${"" | "/alert" | "/strike"}`
| `/update${"" | "/badges"}`
| `/action${"" | "/unsuspend" | "/suspend" | "/wipe" | "/ban"}`}`;
const PermissionSets = {
// Admin
admin: [
"authifier",
"publish_message",
"chat_message",
"accounts",
"bots",
"channels",
"messages",
"reports",
"sessions",
"servers",
"users",
] as Permission[],
// View open reports
"view-open-reports": [
"users/fetch/by-id",
"reports/fetch/open",
"reports/fetch/by-id",
"reports/fetch/related",
"reports/fetch/snapshots/by-report",
] as Permission[],
// Edit reports
"edit-reports": [
"reports/update/notes",
"reports/update/resolve",
"reports/update/reject",
"reports/update/reopen",
] as Permission[],
// Revolt Discover
"revolt-discover": [
"servers/fetch/by-id",
"servers/update/flags",
"servers/update/discoverability",
"bots/fetch/by-id",
"bots/update/discoverability",
] as Permission[],
// User support
"user-support": [
"accounts/fetch/by-id",
"users/fetch/by-id",
"users/fetch/strikes",
"users/fetch/notices",
"accounts/disable",
"accounts/restore",
"accounts/deletion/queue",
"accounts/deletion/cancel",
] as Permission[],
// Moderate users
"moderate-users": [
// "bots/fetch/by-user",
// "messages/fetch/by-user",
// "users/fetch/memberships",
// "servers/fetch",
"reports/fetch/related/by-user",
"reports/fetch/related/by-content",
"reports/fetch/related/against-user",
"users/create/alert",
"users/create/strike",
"users/action/suspend",
"users/action/wipe",
"users/action/ban",
"users/action/unsuspend",
"accounts/disable",
"accounts/restore",
"publish_message",
"chat_message",
] as Permission[],
};
const Roles = {
moderator: [
...PermissionSets["view-open-reports"],
...PermissionSets["edit-reports"],
...PermissionSets["moderate-users"],
],
"user-support": [...PermissionSets["user-support"]],
"revolt-discover": [...PermissionSets["revolt-discover"]],
admin: [...PermissionSets["admin"]],
};
const ACL: Record<string, Set<Permission>> = {
"insert@revolt.chat": new Set([...Roles["moderator"]] as Permission[]),
};
function hasPermission(email: string, permission: Permission) {
// if (email === "insert@revolt.chat") return true;
if (!ACL[email]) throw `user is not registered in system: ${email}`;
const segments = permission.split("/");
while (segments.length) {
if (ACL[email].has(segments.join("/") as Permission)) {
return true;
}
segments.pop();
}
return false;
}
export async function hasPermissionFromSession(permission: Permission) {
const session = await getServerSession();
if (!session?.user?.email) throw "Not authenticated.";
return hasPermission(session.user.email, permission);
}
export async function checkPermission(
permission: Permission,
context: any,
args?: any
) {
if (!(await hasPermissionFromSession(permission)))
throw `Missing permission ${permission}`;
await insertAuditLog(permission, context, args);
}
View Git Blame Copy Permalink