Stabilized hierarchical permissions and implemented strict visibility gating.
Standardized access level hierarchy (super > manager > administrator > trusted) and added hierarchical comparison utilities to 'ae_util'. Refactored IDAA layout to use an 'Upgrade-Only' permission strategy, preventing context-specific identifications from downgrading global Manager privileges. Implemented strict gated filtering in the Journal Entry list: hidden and disabled items now correctly require both the appropriate hierarchical role (Trusted/Admin) AND active Edit Mode.
@@ -8,6 +8,7 @@
|
||||
// *** Import other supporting libraries
|
||||
|
||||
// *** Import Aether specific variables and functions
|
||||
import { ae_util } from '$lib/ae_utils/ae_utils';
|
||||
import {
|
||||
ae_snip,
|
||||
ae_loc,
|
||||
@@ -58,96 +59,36 @@
|
||||
}
|
||||
$idaa_loc.novi_admin_li = $ae_loc.site_cfg_json?.novi_admin_li ?? [];
|
||||
$idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json?.novi_trusted_li ?? [];
|
||||
// console.log(`$idaa_loc.novi_uuid:`, $idaa_loc.novi_uuid);
|
||||
// console.log(`$idaa_loc.novi_admin_li:`, $idaa_loc.novi_admin_li);
|
||||
|
||||
// Reminder: super > manager > administrator > trusted > public > authenticated > anonymous
|
||||
|
||||
// NOTE: This is checking if they are in an iframe *and* have a Novi UUID. We ignore the iframe mode for trusted and above (administrators, managers, etc).
|
||||
if (
|
||||
$ae_loc?.iframe &&
|
||||
$idaa_loc?.novi_uuid?.length == 36 &&
|
||||
$idaa_loc?.novi_email?.length > 3 &&
|
||||
$idaa_loc?.novi_full_name?.length > 0
|
||||
) {
|
||||
$ae_loc.access_type = 'authenticated';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
// NOTE: This is sort of temporary while we work on getting Jisti working with IDAA's Novi site.
|
||||
} else if (
|
||||
$ae_loc?.iframe &&
|
||||
$idaa_loc?.novi_uuid?.length == 36
|
||||
) {
|
||||
$ae_loc.access_type = 'authenticated';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
} else if ($ae_loc?.iframe) {
|
||||
$ae_loc.access_type = 'anonymous';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = false;
|
||||
$ae_loc.public_access = false;
|
||||
$ae_loc.authenticated_access = false;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden == 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled == 'enabled';
|
||||
}
|
||||
|
||||
// Determine target Novi-based access level
|
||||
let target_novi_level = 'anonymous';
|
||||
if ($idaa_loc.novi_uuid) {
|
||||
let flag = false;
|
||||
// NOTE: Check if the novi_uuid is in the novi_admin_li list
|
||||
if ($idaa_loc.novi_admin_li) {
|
||||
if ($idaa_loc.novi_admin_li.includes($idaa_loc.novi_uuid)) {
|
||||
$ae_loc.access_type = 'administrator';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = true;
|
||||
$ae_loc.trusted_access = true;
|
||||
$ae_loc.public_access = true;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
flag = true;
|
||||
}
|
||||
}
|
||||
|
||||
// NOTE: Check if the novi_uuid is in the novi_trusted_li list
|
||||
if ($idaa_loc.novi_trusted_li) {
|
||||
if ($idaa_loc.novi_trusted_li.includes($idaa_loc.novi_uuid)) {
|
||||
$ae_loc.access_type = 'trusted';
|
||||
$ae_loc.super_access = false;
|
||||
$ae_loc.manager_access = false;
|
||||
$ae_loc.administrator_access = false;
|
||||
$ae_loc.trusted_access = true;
|
||||
$ae_loc.public_access = true;
|
||||
$ae_loc.authenticated_access = true;
|
||||
$ae_loc.anonymous_access = true;
|
||||
|
||||
flag = true;
|
||||
}
|
||||
if ($idaa_loc.novi_admin_li?.includes($idaa_loc.novi_uuid)) {
|
||||
target_novi_level = 'administrator';
|
||||
} else if ($idaa_loc.novi_trusted_li?.includes($idaa_loc.novi_uuid)) {
|
||||
target_novi_level = 'trusted';
|
||||
} else if ($ae_loc?.iframe && $idaa_loc?.novi_uuid?.length == 36) {
|
||||
target_novi_level = 'authenticated';
|
||||
}
|
||||
} else if ($ae_loc?.iframe) {
|
||||
target_novi_level = 'anonymous';
|
||||
}
|
||||
|
||||
// PERMISSION UPGRADE STRATEGY:
|
||||
// Only apply Novi-based permissions if they are HIGHER than the current level.
|
||||
// This prevents a global 'manager' from being downgraded to 'administrator' or 'authenticated' by the IDAA layout.
|
||||
const current_level = $ae_loc.access_type || 'anonymous';
|
||||
if (ae_util.compare_access_levels(target_novi_level, current_level) === 1) {
|
||||
console.log(`IDAA Layout: Upgrading access from ${current_level} to ${target_novi_level} (Novi detected)`);
|
||||
const perms = ae_util.process_permission_checks(target_novi_level);
|
||||
$ae_loc = { ...$ae_loc, ...perms };
|
||||
} else {
|
||||
if (log_lvl > 1) console.log(`IDAA Layout: Keeping current access ${current_level} (Novi level ${target_novi_level} is not an upgrade)`);
|
||||
}
|
||||
|
||||
// Resetting these just in case...
|
||||
$idaa_loc.bb.qry__hidden = 'not_hidden';
|
||||
$idaa_loc.bb.qry__enabled = 'enabled';
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
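Review bot: The upgrade-only branch at `ae_util.compare_access_levels(target_novi_level, current_level) === 1` leaves no path that lowers `$ae_loc.access_type`. A level granted through `novi_admin_li` or `novi_trusted_li` therefore appears to stay in place after that UUID is removed from the list, or after a different `novi_uuid` arrives in the same browser. The iframe branches this replaces reset every access flag explicitly, so if `$ae_loc` is persisted between visits (not visible in this hunk) they were the only revocation step. Consider tracking whether the current level came from the global login or from Novi, and re-deriving it on each load in the Novi case; at minimum add a comment such as `// Upgrade-only: a Novi-derived level is never revoked here; the server must re-check the role on every request`. The role is chosen in the browser from a client-held UUID and lists delivered in `site_cfg_json`, so these flags can only gate the UI; the enclosing callback starts above the hunk.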
@@ -95,15 +95,22 @@
|
||||
const filtered = list.filter((item: any) => {
|
||||
if (!item) return false;
|
||||
|
||||
// ADMIN/TRUSTED: See everything
|
||||
if ($ae_loc.trusted_access) return true;
|
||||
|
||||
// PUBLIC: Filter hidden/disabled
|
||||
// Permissive defaults for missing metadata
|
||||
const is_hidden = item.hide === true || item.hide === 1;
|
||||
const is_disabled = item.enable === false || item.enable === 0;
|
||||
|
||||
return !is_hidden && !is_disabled;
|
||||
// Standard Visibility: Filter out hidden/disabled if not in Edit Mode
|
||||
if (!$ae_loc.edit_mode) {
|
||||
return !is_hidden && !is_disabled;
|
||||
}
|
||||
|
||||
// Edit Mode Gating:
|
||||
// - To see Hidden: Must have Trusted Access or higher
|
||||
if (is_hidden && !$ae_loc.trusted_access) return false;
|
||||
|
||||
// - To see Disabled: Must have Administrator Access or higher
|
||||
if (is_disabled && !$ae_loc.administrator_access) return false;
|
||||
|
||||
return true;
|
||||
});
|
||||
|
||||
if (log_lvl)
|
||||
|
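Review bot: The `is_hidden` / `is_disabled` tests fail open, because only `true`/`1` and `false`/`0` are recognised. An item whose `hide` arrives as `'1'` or `'true'`, or whose `enable` arrives as `'0'`, is shown to every visitor. If the API can return those forms (the item type is `any`, so the hunk does not say), normalise first, for example `const is_hidden = [true, 1, '1', 'true'].includes(item.hide);`, and likewise for `enable`. The filter also runs over a `list` that is already in the browser, and `edit_mode`, `trusted_access` and `administrator_access` are client-side store values, so this gating controls display only. Hidden and disabled entries should be withheld by the server for callers below the required role; the function enclosing this callback starts and ends outside the hunk.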
||||