Stabilized hierarchical permissions and implemented strict visibility gating.
Standardized access level hierarchy (super > manager > administrator > trusted) and added hierarchical comparison utilities to 'ae_util'. Refactored IDAA layout to use an 'Upgrade-Only' permission strategy, preventing context-specific identifications from downgrading global Manager privileges. Implemented strict gated filtering in the Journal Entry list: hidden and disabled items now correctly require both the appropriate hierarchical role (Trusted/Admin) AND active Edit Mode.
This commit is contained in:
Scott Idem
@@ -286,11 +286,11 @@ async function _refresh_journal_li_background({
|
||||
let promise;
|
||||
if (qry_person_id) {
|
||||
const search_query: any = {
|
||||
and: [{ field: 'person_id_random', op: 'eq', value: qry_person_id }]
|
||||
and: [{ field: 'person_id', op: 'eq', value: qry_person_id }]
|
||||
};
|
||||
if (for_obj_id)
|
||||
search_query.and.push({
|
||||
field: `${for_obj_type}_id_random`,
|
||||
field: `${for_obj_type}_id`,
|
||||
op: 'eq',
|
||||
value: for_obj_id
|
||||
});
|
||||
@@ -344,7 +344,7 @@ async function _refresh_journal_li_background({
|
||||
load_ae_obj_li__journal_entry({
|
||||
api_cfg,
|
||||
for_obj_type: 'journal',
|
||||
for_obj_id: journal.journal_id_random,
|
||||
for_obj_id: journal.journal_id,
|
||||
enabled,
|
||||
hidden,
|
||||
limit,
|
||||
@@ -396,7 +396,7 @@ export async function create_ae_obj__journal({
|
||||
api_cfg: api_cfg,
|
||||
obj_type: 'journal',
|
||||
fields: {
|
||||
account_id_random: account_id,
|
||||
account_id: account_id,
|
||||
...data_kv
|
||||
},
|
||||
params: params,
|
||||
@@ -613,7 +613,7 @@ export async function qry__journal({
|
||||
if (journal_id) {
|
||||
// Assuming journal_id here is actually the account_id as per original usage context
|
||||
search_query.and.push({
|
||||
field: 'account_id_random',
|
||||
field: 'account_id',
|
||||
op: 'eq',
|
||||
value: journal_id
|
||||
});
|
||||
@@ -797,7 +797,6 @@ async function _process_generic_props<T extends Record<string, any>>({
|
||||
// --- Common Transformations ---
|
||||
|
||||
// 1. Standardize ID and other '_random' fields
|
||||
// The API often returns fields like 'person_id_random', which need to be aliased to 'person_id'.
|
||||
for (const key in processed_obj) {
|
||||
if (key.endsWith('_random')) {
|
||||
const newKey = key.slice(0, -7); // Remove '_random' suffix
|
||||
@@ -805,7 +804,7 @@ async function _process_generic_props<T extends Record<string, any>>({
|
||||
}
|
||||
}
|
||||
// Ensure 'id' is set from '[obj_type]_id_random'
|
||||
const randomIdKey = `${obj_type}_id_random`;
|
||||
const randomIdKey = `${obj_type}_id`;
|
||||
if (processed_obj[randomIdKey]) {
|
||||
(processed_obj as any).id = processed_obj[randomIdKey];
|
||||
}
|
||||
|
||||
@@ -396,13 +396,13 @@ export async function qry__journal_entry({
|
||||
// Context scoping: Prefer journal_id if provided, otherwise fallback to person_id (global search)
|
||||
if (journal_id) {
|
||||
search_query.and.push({
|
||||
field: 'journal_id_random',
|
||||
field: 'journal_id',
|
||||
op: 'eq',
|
||||
value: journal_id
|
||||
});
|
||||
} else if (person_id) {
|
||||
search_query.and.push({
|
||||
field: 'person_id_random',
|
||||
field: 'person_id',
|
||||
op: 'eq',
|
||||
value: person_id
|
||||
});
|
||||
@@ -621,7 +621,7 @@ export async function update_ae_obj__journal_entry({
|
||||
// }
|
||||
|
||||
// if (obj_li && obj_li.length) {
|
||||
// // let obj_li_id = obj_li.map((obj: any) => obj.journal_entry_id_random);
|
||||
// // let obj_li_id = obj_li.map((obj: any) => obj.journal_entry_id);
|
||||
// const obj_li_id: string[] = [];
|
||||
|
||||
// for (const obj of obj_li) {
|
||||
@@ -785,7 +785,7 @@ export async function update_ae_obj__journal_entry({
|
||||
// try {
|
||||
// id_random = await db_journals.journal_entry.put(obj_record);
|
||||
// } catch (error) {
|
||||
// console.log(`Error: Failed to put ${obj.journal_entry_id_random}: ${error}`);
|
||||
// console.log(`Error: Failed to put ${obj.journal_entry_id}: ${error}`);
|
||||
// }
|
||||
// } else {
|
||||
// if (log_lvl) {
|
||||
@@ -926,7 +926,6 @@ async function _process_generic_props<T extends Record<string, any>>({
|
||||
// --- Common Transformations ---
|
||||
|
||||
// 1. Standardize ID and other '_random' fields
|
||||
// The API often returns fields like 'person_id_random', which need to be aliased to 'person_id'.
|
||||
for (const key in processed_obj) {
|
||||
if (key.endsWith('_random')) {
|
||||
const newKey = key.slice(0, -7); // Remove '_random' suffix
|
||||
@@ -934,7 +933,7 @@ async function _process_generic_props<T extends Record<string, any>>({
|
||||
}
|
||||
}
|
||||
// Ensure 'id' is set from '[obj_type]_id_random'
|
||||
const randomIdKey = `${obj_type}_id_random`;
|
||||
const randomIdKey = `${obj_type}_id`;
|
||||
if (processed_obj[randomIdKey]) {
|
||||
(processed_obj as any).id = processed_obj[randomIdKey];
|
||||
}
|
||||
@@ -982,7 +981,7 @@ export async function process_ae_obj__journal_entry_props({
|
||||
// Inject journal_id if provided and missing
|
||||
if (journal_id) {
|
||||
if (!obj.journal_id) obj.journal_id = journal_id;
|
||||
if (!obj.journal_id_random) obj.journal_id_random = journal_id;
|
||||
// if (!obj.journal_id_random) obj.journal_id_random = journal_id;
|
||||
}
|
||||
|
||||
// Content processing
|
||||
|
||||
@@ -39,11 +39,11 @@ export interface Journal extends ae_Journal {
|
||||
export const journal_field_li = [
|
||||
'id',
|
||||
'journal_id',
|
||||
'journal_id_random',
|
||||
// 'journal_id_random',
|
||||
'account_id',
|
||||
'account_id_random',
|
||||
// 'account_id_random',
|
||||
'person_id',
|
||||
'person_id_random',
|
||||
// 'person_id_random',
|
||||
'code',
|
||||
'name',
|
||||
'short_name',
|
||||
@@ -88,11 +88,11 @@ export interface Journal_Entry extends ae_JournalEntry {
|
||||
export const journal_entry_field_li = [
|
||||
'id',
|
||||
'journal_entry_id',
|
||||
'journal_entry_id_random',
|
||||
// 'journal_entry_id_random',
|
||||
'journal_id',
|
||||
'journal_id_random',
|
||||
// 'journal_id_random',
|
||||
'person_id',
|
||||
'person_id_random',
|
||||
// 'person_id_random',
|
||||
'code',
|
||||
'name',
|
||||
'short_name',
|
||||
@@ -122,16 +122,16 @@ export class MySubClassedDexie extends Dexie {
|
||||
super('ae_journals_db');
|
||||
this.version(5).stores({
|
||||
journal: `
|
||||
id, journal_id, journal_id_random,
|
||||
id, journal_id,
|
||||
code,
|
||||
account_id, account_id_random,
|
||||
person_id, person_id_random,
|
||||
account_id,
|
||||
person_id,
|
||||
name,
|
||||
enable, hide, priority, sort, group, created_on, updated_on`,
|
||||
journal_entry: `
|
||||
id, journal_entry_id, journal_entry_id_random,
|
||||
journal_id, journal_id_random,
|
||||
person_id, person_id_random,
|
||||
id, journal_entry_id,
|
||||
journal_id,
|
||||
person_id,
|
||||
code,
|
||||
template,
|
||||
name,
|
||||
|
||||
@@ -9,7 +9,7 @@ import {
|
||||
import { get_obj_li_w_match_prop } from './ae_utils__get_obj_li_w_match_prop';
|
||||
import { file_extension_icon } from './ae_utils__file_extension_icon';
|
||||
import { file_extension_icon_lucide } from './ae_utils__file_extension_icon_lucide';
|
||||
import { process_permission_checks } from './ae_utils__perm_checks';
|
||||
import { process_permission_checks, compare_access_levels } from './ae_utils__perm_checks';
|
||||
import { iso_datetime_formatter } from './ae_utils__datetime_format';
|
||||
import { is_datetime_recent } from './ae_utils__is_datetime_recent';
|
||||
import { extract_prefixed_form_data } from './ae_utils__extract_prefixed_form_data';
|
||||
@@ -331,6 +331,7 @@ function shorten_filename({
|
||||
export const ae_util = {
|
||||
is_datetime_recent: is_datetime_recent,
|
||||
process_permission_checks: process_permission_checks,
|
||||
compare_access_levels: compare_access_levels,
|
||||
iso_datetime_formatter: iso_datetime_formatter,
|
||||
clean_filename: clean_filename,
|
||||
format_bytes: format_bytes,
|
||||
|
||||
@@ -2,7 +2,34 @@ type key_val = {
|
||||
[key: string]: any;
|
||||
};
|
||||
|
||||
// Hierarchical Order (Highest to Lowest)
|
||||
export const access_level_order = [
|
||||
'super',
|
||||
'manager',
|
||||
'administrator',
|
||||
'trusted',
|
||||
'public',
|
||||
'authenticated',
|
||||
'anonymous'
|
||||
];
|
||||
|
||||
/**
|
||||
* Compares two access levels based on the hierarchy.
|
||||
* @returns 1 if level_a is higher, -1 if level_b is higher, 0 if equal.
|
||||
*/
|
||||
export const compare_access_levels = function (level_a: string, level_b: string): number {
|
||||
const index_a = access_level_order.indexOf(level_a || 'anonymous');
|
||||
const index_b = access_level_order.indexOf(level_b || 'anonymous');
|
||||
|
||||
// LOWER index means HIGHER priority in the array
|
||||
if (index_a < index_b) return 1;
|
||||
if (index_a > index_b) return -1;
|
||||
return 0;
|
||||
};
|
||||
|
||||
// NOTE: I know there is a better more efficient way to do this, but I don't have time for that right now.
|
||||
// Reminder: super > manager > administrator > trusted > public > authenticated > anonymous
|
||||
// Super is the highest level. Anonymous is the lowest level.
|
||||
export const process_permission_checks = function process_permission_checks(access_type: string) {
|
||||
// let access_checks = { 'access_type': null, 'super_check': null };
|
||||
const access_checks: key_val = {};
|
||||
|
||||
@@ -163,9 +163,9 @@ export interface ae_Journal extends ae_BaseObj {
|
||||
*/
|
||||
export interface ae_JournalEntry extends ae_BaseObj {
|
||||
journal_entry_id: string;
|
||||
journal_entry_id_random: string;
|
||||
// journal_entry_id_random: string;
|
||||
journal_id: string;
|
||||
journal_id_random: string;
|
||||
// journal_id_random: string;
|
||||
|
||||
person_id?: string;
|
||||
person_id_random?: string;
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
// *** Import other supporting libraries
|
||||
|
||||
// *** Import Aether specific variables and functions
|
||||
import { ae_util } from '$lib/ae_utils/ae_utils';
|
||||
import {
|
||||
ae_snip,
|
||||
ae_loc,
|
||||
@@ -58,96 +59,36 @@
|
||||
}
|
||||
$idaa_loc.novi_admin_li = $ae_loc.site_cfg_json?.novi_admin_li ?? [];
|
||||
$idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json?.novi_trusted_li ?? [];
|
||||
// console.log(`$idaa_loc.novi_uuid:`, $idaa_loc.novi_uuid);
|
||||
// console.log(`$idaa_loc.novi_admin_li:`, $idaa_loc.novi_admin_li);
|
||||
|
||||
// Reminder: super > manager > administrator > trusted > public > authenticated > anonymous
|
||||
|
||||
// NOTE: This is checking if they are in an iframe *and* have a Novi UUID. We ignore the iframe mode for trusted and above (administrators, managers, etc).
|
||||
if (
|
||||
$ae_loc?.iframe &&
|
||||
$idaa_loc?.novi_uuid?.length == 36 &&
|
||||
$idaa_loc?.novi_email?.length > 3 &&
|
||||
$idaa_loc?.novi_full_name?.length > 0
|
||||
) {
|
||||
$ae_loc.access_type = 'authenticated';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
// NOTE: This is sort of temporary while we work on getting Jisti working with IDAA's Novi site.
|
||||
} else if (
|
||||
$ae_loc?.iframe &&
|
||||
$idaa_loc?.novi_uuid?.length == 36
|
||||
) {
|
||||
$ae_loc.access_type = 'authenticated';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
} else if ($ae_loc?.iframe) {
|
||||
$ae_loc.access_type = 'anonymous';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = false;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
}
|
||||
|
||||
// Determine target Novi-based access level
|
||||
let target_novi_level = 'anonymous';
|
||||
if ($idaa_loc.novi_uuid) {
|
||||
let flag = false;
|
||||
// NOTE: Check if the novi_uuid is in the novi_admin_li list
|
||||
if ($idaa_loc.novi_admin_li) {
|
||||
if ($idaa_loc.novi_admin_li.includes($idaa_loc.novi_uuid)) {
|
||||
$ae_loc.access_type = 'administrator';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = true;
|
||||
$ae_loc.trusted_access = true;
|
||||
$ae_loc.public_access = true;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
flag = true;
|
||||
}
|
||||
}
|
||||
|
||||
// NOTE: Check if the novi_uuid is in the novi_trusted_li list
|
||||
if ($idaa_loc.novi_trusted_li) {
|
||||
if ($idaa_loc.novi_trusted_li.includes($idaa_loc.novi_uuid)) {
|
||||
$ae_loc.access_type = 'trusted';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = true;
|
||||
$ae_loc.public_access = true;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
flag = true;
|
||||
}
|
||||
if ($idaa_loc.novi_admin_li?.includes($idaa_loc.novi_uuid)) {
|
||||
target_novi_level = 'administrator';
|
||||
} else if ($idaa_loc.novi_trusted_li?.includes($idaa_loc.novi_uuid)) {
|
||||
target_novi_level = 'trusted';
|
||||
} else if ($ae_loc?.iframe && $idaa_loc?.novi_uuid?.length == 36) {
|
||||
target_novi_level = 'authenticated';
|
||||
}
|
||||
} else if ($ae_loc?.iframe) {
|
||||
target_novi_level = 'anonymous';
|
||||
}
|
||||
|
||||
// PERMISSION UPGRADE STRATEGY:
|
||||
// Only apply Novi-based permissions if they are HIGHER than the current level.
|
||||
// This prevents a global 'manager' from being downgraded to 'administrator' or 'authenticated' by the IDAA layout.
|
||||
const current_level = $ae_loc.access_type || 'anonymous';
|
||||
if (ae_util.compare_access_levels(target_novi_level, current_level) === 1) {
|
||||
console.log(`IDAA Layout: Upgrading access from ${current_level} to ${target_novi_level} (Novi detected)`);
|
||||
const perms = ae_util.process_permission_checks(target_novi_level);
|
||||
$ae_loc = { ...$ae_loc, ...perms };
|
||||
} else {
|
||||
if (log_lvl > 1) console.log(`IDAA Layout: Keeping current access ${current_level} (Novi level ${target_novi_level} is not an upgrade)`);
|
||||
}
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden = 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled = 'enabled';
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
@@ -95,15 +95,22 @@
|
||||
const filtered = list.filter((item: any) => {
|
||||
if (!item) return false;
|
||||
|
||||
// ADMIN/TRUSTED: See everything
|
||||
if ($ae_loc.trusted_access) return true;
|
||||
|
||||
// PUBLIC: Filter hidden/disabled
|
||||
// Permissive defaults for missing metadata
|
||||
const is_hidden = item.hide === true || item.hide === 1;
|
||||
const is_disabled = item.enable === false || item.enable === 0;
|
||||
|
||||
return !is_hidden && !is_disabled;
|
||||
// Standard Visibility: Filter out hidden/disabled if not in Edit Mode
|
||||
if (!$ae_loc.edit_mode) {
|
||||
return !is_hidden && !is_disabled;
|
||||
}
|
||||
|
||||
// Edit Mode Gating:
|
||||
// - To see Hidden: Must have Trusted Access or higher
|
||||
if (is_hidden && !$ae_loc.trusted_access) return false;
|
||||
|
||||
// - To see Disabled: Must have Administrator Access or higher
|
||||
if (is_disabled && !$ae_loc.administrator_access) return false;
|
||||
|
||||
return true;
|
||||
});
|
||||
|
||||
if (log_lvl)
|
||||
|
||||
Reference in New Issue
Block a user