Working on improved default permissions and allow control per site and site domains.

2024-10-03 16:04:00 -04:00
parent d6d4c88728
commit 0f49afec12
5 changed files with 73 additions and 4 deletions
--- a/src/lib/ae_core_functions.ts
+++ b/src/lib/ae_core_functions.ts
@@ -87,8 +87,8 @@ async function handle_load_ae_obj_id__site_domain(
        no_account_id: no_account_id,
        obj_type: 'site_domain',
        obj_id: fqdn, // NOTE: This is the FQDN, not normally the ID.
-        use_alt_table: true, // NOTE: This will use the table_name_alt value instead of the table_name value in the API config.
-        use_alt_base: true, // NOTE: This will use the base_name_alt value instead of the base_name value in the API config.
+        use_alt_table: true, // NOTE: This will use the table_name_alt value (v_site_domain_fqdn_id) instead of the table_name value in the API config.
+        use_alt_base: true, // NOTE: This will use the base_name_alt value (Site_Domain_FQDN_ID_Base) instead of the base_name value in the API config.
        params: params,
        timeout: timeout,
        log_lvl: log_lvl
--- a/src/lib/ae_stores.ts
+++ b/src/lib/ae_stores.ts
@@ -66,7 +66,10 @@ export let ae_app_local_data_struct: key_val = {
    'account_id': ae_account_id, // OSIT Demo _XY7DXtc9MY
    'account_code': 'not_set',
    'account_name': 'Account Name Not Set',
+    'allow_access': false, // Set to key if access is allowed.
    'site_domain': null, // https://example.com, https://dev.example.com, etc.
+    'site_access_key': null,
+    'site_domain_access_key': null,
    'site_cfg_json': {
        slct__event_id: null,
        slct__event_badge_template_id: null,
--- a/src/lib/ae_utils/ae_utils__perm_checks.ts
+++ b/src/lib/ae_utils/ae_utils__perm_checks.ts
@@ -8,6 +8,7 @@ export let process_permission_checks = function process_permission_checks(access
    let access_checks: key_val = {};

    if (access_type == 'super') {
+        access_checks.allow_access = true;
        access_checks.access_type = 'super';

        access_checks.super_check = true;
@@ -34,6 +35,7 @@ export let process_permission_checks = function process_permission_checks(access
        access_checks.authenticated_access = true;
        access_checks.anonymous_access = true;
    } else if (access_type == 'manager') {
+        access_checks.allow_access = true;
        access_checks.access_type = 'manager';

        access_checks.super_check = false;
@@ -60,6 +62,7 @@ export let process_permission_checks = function process_permission_checks(access
        access_checks.authenticated_access = true;
        access_checks.anonymous_access = true;
    } else if (access_type == 'administrator') {
+        access_checks.allow_access = true;
        access_checks.access_type = 'administrator';

        access_checks.super_check = false;
@@ -86,6 +89,7 @@ export let process_permission_checks = function process_permission_checks(access
        access_checks.authenticated_access = true;
        access_checks.anonymous_access = true;
    } else if (access_type == 'trusted') {
+        access_checks.allow_access = true; // Should this be true?? -2024-10-03
        access_checks.access_type = 'trusted';

        access_checks.super_check = false;
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -115,6 +115,25 @@ if ($ae_loc.site_cfg_json.slct__sponsorship_cfg_id) {
    console.log(`No Sponsorship Config ID set.`);
 }

+
+if ($ae_loc.allow_access && !$ae_loc.key_checked) {
+    console.log(`PASS: The access key was checked earlier.`);
+} else if ($ae_loc.allow_access && $ae_loc.key_checked) {
+    console.log(`PASS: The access key was checked earlier and we just now checked the key.`);
+} else if (!$ae_loc.allow_access && $ae_loc.key_checked) {
+    console.log(`FAIL: The access key was checked earlier and failed.`);
+    if ($ae_loc.administrator_access) {
+        console.log(`FAIL: The access key was checked earlier and failed, but we have administrator access.`);
+        $ae_loc.allow_access = true;
+    }
+} else {
+    console.log(`FAIL: The access key was not checked earlier.`);
+    // $ae_loc.key_checked = true;
+}
+
+// $: access_key = data.url.searchParams.get('key');
+// console.log(`access_key = `, access_key);
+
 if (browser) {
    // Waiting until the browser exists.
    if ($ae_loc && $ae_sess && $ae_loc.ver_idb != $ae_sess.ver_idb) {
@@ -313,6 +332,8 @@ onMount(() => {
        }
    });

+    // console.log(`access_key = `, access_key);
+
 });
 </script>

@@ -376,8 +397,24 @@ onMount(() => {
    </svelte:fragment>


-    <!-- Page Route Content -->
-    <slot />
+    <!-- !($ae_loc.site_access_key && $ae_loc.site_domain_access_key)
+    || ($ae_loc.site_access_key == access_key || $ae_loc.site_domain_access_key == access_key)} -->
+    {#if
+        $ae_loc.allow_access}
+
+        <!-- {$ae_loc?.site_access_key ?? '-- site access key not set --'} -->
+        <!-- {$ae_loc?.site_domain_access_key ?? '-- site domain access key not set --'} -->
+        <!-- {access_key ?? '-- param key not set --'} -->
+
+        <!-- Page Route Content -->
+        <slot />
+
+    {:else}
+        <div class="flex flex-col items-center justify-center h-screen">
+            <h1 class="text-4xl font-bold text-red-500">Access Denied</h1>
+            <p class="text-lg text-gray-500">You do not have access to this site.</p>
+        </div>
+    {/if}


    <svelte:fragment slot="footer">
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -162,6 +162,31 @@ export async function load({ fetch, params, parent, route, url }) { // params, r
            ae_loc_init['site_google_tracking_id'] = site_domain_results.google_tracking_id;
            ae_loc_init['site_access_code_kv'] = site_domain_results.access_code_kv_json;
            ae_loc_init['site_cfg_json'] = site_domain_results.cfg_json;
+            ae_loc_init['site_access_key'] = site_domain_results.access_key; // This is the general site access key
+            ae_loc_init['site_domain_access_key'] = site_domain_results.site_domain_access_key; // This is specific to a (sub)domain.
+
+            if (!ae_loc_init['site_access_key'] && !ae_loc_init['site_domain_access_key']) {
+                ae_loc_init['key_checked'] = true;
+                ae_loc_init['allow_access'] = true; // No access key is required here.
+            } else {
+                let access_key = url.searchParams.get('key');
+                console.log(`root layout.ts: access_key = `, access_key);
+                if (access_key) {
+                    if (access_key == ae_loc_init['site_access_key']) {
+                        ae_loc_init['key_checked'] = ae_loc_init['site_access_key'];
+                        ae_loc_init['allow_access'] = ae_loc_init['site_access_key'];
+                    } else if (access_key == ae_loc_init['site_domain_access_key']) {
+                        ae_loc_init['key_checked'] = ae_loc_init['site_domain_access_key'];
+                        ae_loc_init['allow_access'] = ae_loc_init['site_domain_access_key'];
+                    } else {
+                        ae_loc_init['key_checked'] = true;
+                        ae_loc_init['allow_access'] = false;
+                    }
+                } else {
+                    ae_loc_init['key_checked'] = true;
+                    // ae_loc_init['allow_access'] = false; // An access key is required at this point.
+                }
+            }

            console.log(`root layout.ts: Returning account_id = `, site_domain_results.account_id_random);