From 0f49afec121f45d846d6095070b6379f46e802c7 Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Thu, 3 Oct 2024 16:04:00 -0400
Subject: [PATCH] Working on improved default permissions and allow control per
 site and site domains.

---
 src/lib/ae_core_functions.ts              |  4 +--
 src/lib/ae_stores.ts                      |  3 ++
 src/lib/ae_utils/ae_utils__perm_checks.ts |  4 +++
 src/routes/+layout.svelte                 | 41 +++++++++++++++++++++--
 src/routes/+layout.ts                     | 25 ++++++++++++++
 5 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/src/lib/ae_core_functions.ts b/src/lib/ae_core_functions.ts
index d6aff02f..89dd2034 100644
--- a/src/lib/ae_core_functions.ts
+++ b/src/lib/ae_core_functions.ts
@@ -87,8 +87,8 @@ async function handle_load_ae_obj_id__site_domain(
         no_account_id: no_account_id,
         obj_type: 'site_domain',
         obj_id: fqdn, // NOTE: This is the FQDN, not normally the ID.
-        use_alt_table: true, // NOTE: This will use the table_name_alt value instead of the table_name value in the API config.
-        use_alt_base: true, // NOTE: This will use the base_name_alt value instead of the base_name value in the API config.
+        use_alt_table: true, // NOTE: This will use the table_name_alt value (v_site_domain_fqdn_id) instead of the table_name value in the API config.
+        use_alt_base: true, // NOTE: This will use the base_name_alt value (Site_Domain_FQDN_ID_Base) instead of the base_name value in the API config.
         params: params,
         timeout: timeout,
         log_lvl: log_lvl
diff --git a/src/lib/ae_stores.ts b/src/lib/ae_stores.ts
index d2b79601..4943d8f5 100644
--- a/src/lib/ae_stores.ts
+++ b/src/lib/ae_stores.ts
@@ -66,7 +66,10 @@ export let ae_app_local_data_struct: key_val = {
     'account_id': ae_account_id, // OSIT Demo _XY7DXtc9MY
     'account_code': 'not_set',
     'account_name': 'Account Name Not Set',
+    'allow_access': false, // Set to key if access is allowed.
     'site_domain': null, // https://example.com, https://dev.example.com, etc.
+    'site_access_key': null,
+    'site_domain_access_key': null,
     'site_cfg_json': {
         slct__event_id: null,
         slct__event_badge_template_id: null,
diff --git a/src/lib/ae_utils/ae_utils__perm_checks.ts b/src/lib/ae_utils/ae_utils__perm_checks.ts
index 9abd149d..36f64d21 100644
--- a/src/lib/ae_utils/ae_utils__perm_checks.ts
+++ b/src/lib/ae_utils/ae_utils__perm_checks.ts
@@ -8,6 +8,7 @@ export let process_permission_checks = function process_permission_checks(access
     let access_checks: key_val = {};
 
     if (access_type == 'super') {
+        access_checks.allow_access = true;
         access_checks.access_type = 'super';
 
         access_checks.super_check = true;
@@ -34,6 +35,7 @@ export let process_permission_checks = function process_permission_checks(access
         access_checks.authenticated_access = true;
         access_checks.anonymous_access = true;
     } else if (access_type == 'manager') {
+        access_checks.allow_access = true;
         access_checks.access_type = 'manager';
 
         access_checks.super_check = false;
@@ -60,6 +62,7 @@ export let process_permission_checks = function process_permission_checks(access
         access_checks.authenticated_access = true;
         access_checks.anonymous_access = true;
     } else if (access_type == 'administrator') {
+        access_checks.allow_access = true;
         access_checks.access_type = 'administrator';
 
         access_checks.super_check = false;
@@ -86,6 +89,7 @@ export let process_permission_checks = function process_permission_checks(access
         access_checks.authenticated_access = true;
         access_checks.anonymous_access = true;
     } else if (access_type == 'trusted') {
+        access_checks.allow_access = true; // Should this be true?? -2024-10-03
         access_checks.access_type = 'trusted';
 
         access_checks.super_check = false;
diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
index 7699e08f..43004932 100644
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -115,6 +115,25 @@ if ($ae_loc.site_cfg_json.slct__sponsorship_cfg_id) {
     console.log(`No Sponsorship Config ID set.`);
 }
 
+
+if ($ae_loc.allow_access && !$ae_loc.key_checked) {
+    console.log(`PASS: The access key was checked earlier.`);
+} else if ($ae_loc.allow_access && $ae_loc.key_checked) {
+    console.log(`PASS: The access key was checked earlier and we just now checked the key.`);
+} else if (!$ae_loc.allow_access && $ae_loc.key_checked) {
+    console.log(`FAIL: The access key was checked earlier and failed.`);
+    if ($ae_loc.administrator_access) {
+        console.log(`FAIL: The access key was checked earlier and failed, but we have administrator access.`);
+        $ae_loc.allow_access = true;
+    }
+} else {
+    console.log(`FAIL: The access key was not checked earlier.`);
+    // $ae_loc.key_checked = true;
+}
+
+// $: access_key = data.url.searchParams.get('key');
+// console.log(`access_key = `, access_key);
+
 if (browser) {
     // Waiting until the browser exists.
     if ($ae_loc && $ae_sess && $ae_loc.ver_idb != $ae_sess.ver_idb) {
@@ -313,6 +332,8 @@ onMount(() => {
         }
     });
 
+    // console.log(`access_key = `, access_key);
+
 });
 </script>
 
@@ -376,8 +397,24 @@ onMount(() => {
     </svelte:fragment>
 
 
-    <!-- Page Route Content -->
-    <slot />
+    <!-- !($ae_loc.site_access_key && $ae_loc.site_domain_access_key)
+    || ($ae_loc.site_access_key == access_key || $ae_loc.site_domain_access_key == access_key)} -->
+    {#if
+        $ae_loc.allow_access}
+
+        <!-- {$ae_loc?.site_access_key ?? '-- site access key not set --'} -->
+        <!-- {$ae_loc?.site_domain_access_key ?? '-- site domain access key not set --'} -->
+        <!-- {access_key ?? '-- param key not set --'} -->
+
+        <!-- Page Route Content -->
+        <slot />
+
+    {:else}
+        <div class="flex flex-col items-center justify-center h-screen">
+            <h1 class="text-4xl font-bold text-red-500">Access Denied</h1>
+            <p class="text-lg text-gray-500">You do not have access to this site.</p>
+        </div>
+    {/if}
 
 
     <svelte:fragment slot="footer">
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index 51cfc260..b83b5e8b 100644
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -162,6 +162,31 @@ export async function load({ fetch, params, parent, route, url }) { // params, r
             ae_loc_init['site_google_tracking_id'] = site_domain_results.google_tracking_id;
             ae_loc_init['site_access_code_kv'] = site_domain_results.access_code_kv_json;
             ae_loc_init['site_cfg_json'] = site_domain_results.cfg_json;
+            ae_loc_init['site_access_key'] = site_domain_results.access_key; // This is the general site access key
+            ae_loc_init['site_domain_access_key'] = site_domain_results.site_domain_access_key; // This is specific to a (sub)domain.
+
+            if (!ae_loc_init['site_access_key'] && !ae_loc_init['site_domain_access_key']) {
+                ae_loc_init['key_checked'] = true;
+                ae_loc_init['allow_access'] = true; // No access key is required here.
+            } else {
+                let access_key = url.searchParams.get('key');
+                console.log(`root layout.ts: access_key = `, access_key);
+                if (access_key) {
+                    if (access_key == ae_loc_init['site_access_key']) {
+                        ae_loc_init['key_checked'] = ae_loc_init['site_access_key'];
+                        ae_loc_init['allow_access'] = ae_loc_init['site_access_key'];
+                    } else if (access_key == ae_loc_init['site_domain_access_key']) {
+                        ae_loc_init['key_checked'] = ae_loc_init['site_domain_access_key'];
+                        ae_loc_init['allow_access'] = ae_loc_init['site_domain_access_key'];
+                    } else {
+                        ae_loc_init['key_checked'] = true;
+                        ae_loc_init['allow_access'] = false;
+                    }
+                } else {
+                    ae_loc_init['key_checked'] = true;
+                    // ae_loc_init['allow_access'] = false; // An access key is required at this point.
+                }
+            }
 
             console.log(`root layout.ts: Returning account_id = `, site_domain_results.account_id_random);