Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Stabilized hierarchical permissions and implemented strict visibility gating.

Browse Source 
Standardized access level hierarchy (super > manager > administrator > trusted) and added hierarchical comparison utilities to 'ae_util'.

Refactored IDAA layout to use an 'Upgrade-Only' permission strategy, preventing context-specific identifications from downgrading global Manager privileges.

Implemented strict gated filtering in the Journal Entry list: hidden and disabled items now correctly require both the appropriate hierarchical role (Trusted/Admin) AND active Edit Mode.
This commit is contained in:
Scott Idem
2026-02-16 17:12:24 -05:00
parent fb724411d3
commit f96f7069a4
8 changed files with 95 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/lib/ae_journals/ae_journals__journal.ts
View File

@@ -286,11 +286,11 @@ async function _refresh_journal_li_background({
let promise; let promise;
if (qry_person_id) { if (qry_person_id) {
const search_query: any = { const search_query: any = {
and: [{ field: 'person_id_random', op: 'eq', value: qry_person_id }] and: [{ field: 'person_id', op: 'eq', value: qry_person_id }]
}; };
if (for_obj_id) if (for_obj_id)
search_query.and.push({ search_query.and.push({
field: `${for_obj_type}_id_random`, field: `${for_obj_type}_id`,
op: 'eq', op: 'eq',
value: for_obj_id value: for_obj_id
}); });
@@ -344,7 +344,7 @@ async function _refresh_journal_li_background({
load_ae_obj_li__journal_entry({ load_ae_obj_li__journal_entry({
api_cfg, api_cfg,
for_obj_type: 'journal', for_obj_type: 'journal',
for_obj_id: journal.journal_id_random, for_obj_id: journal.journal_id,
enabled, enabled,
hidden, hidden,
limit, limit,
@@ -396,7 +396,7 @@ export async function create_ae_obj__journal({
api_cfg: api_cfg, api_cfg: api_cfg,
obj_type: 'journal', obj_type: 'journal',
fields: { fields: {
account_id_random: account_id, account_id: account_id,
...data_kv ...data_kv
}, },
params: params, params: params,
@@ -613,7 +613,7 @@ export async function qry__journal({
if (journal_id) { if (journal_id) {
// Assuming journal_id here is actually the account_id as per original usage context // Assuming journal_id here is actually the account_id as per original usage context
search_query.and.push({ search_query.and.push({
field: 'account_id_random', field: 'account_id',
op: 'eq', op: 'eq',
value: journal_id value: journal_id
}); });
@@ -797,7 +797,6 @@ async function _process_generic_props<T extends Record<string, any>>({
// --- Common Transformations --- // --- Common Transformations ---
// 1. Standardize ID and other '_random' fields // 1. Standardize ID and other '_random' fields
// The API often returns fields like 'person_id_random', which need to be aliased to 'person_id'.
for (const key in processed_obj) { for (const key in processed_obj) {
if (key.endsWith('_random')) { if (key.endsWith('_random')) {
const newKey = key.slice(0, -7); // Remove '_random' suffix const newKey = key.slice(0, -7); // Remove '_random' suffix
@@ -805,7 +804,7 @@ async function _process_generic_props<T extends Record<string, any>>({
} }
} }
// Ensure 'id' is set from '[obj_type]_id_random' // Ensure 'id' is set from '[obj_type]_id_random'
const randomIdKey = `${obj_type}_id_random`; const randomIdKey = `${obj_type}_id`;
if (processed_obj[randomIdKey]) { if (processed_obj[randomIdKey]) {
(processed_obj as any).id = processed_obj[randomIdKey]; (processed_obj as any).id = processed_obj[randomIdKey];
} }

13
src/lib/ae_journals/ae_journals__journal_entry.ts
View File

@@ -396,13 +396,13 @@ export async function qry__journal_entry({
// Context scoping: Prefer journal_id if provided, otherwise fallback to person_id (global search) // Context scoping: Prefer journal_id if provided, otherwise fallback to person_id (global search)
if (journal_id) { if (journal_id) {
search_query.and.push({ search_query.and.push({
field: 'journal_id_random', field: 'journal_id',
op: 'eq', op: 'eq',
value: journal_id value: journal_id
}); });
} else if (person_id) { } else if (person_id) {
search_query.and.push({ search_query.and.push({
field: 'person_id_random', field: 'person_id',
op: 'eq', op: 'eq',
value: person_id value: person_id
}); });
@@ -621,7 +621,7 @@ export async function update_ae_obj__journal_entry({
// } // }
// if (obj_li && obj_li.length) { // if (obj_li && obj_li.length) {
// // let obj_li_id = obj_li.map((obj: any) => obj.journal_entry_id_random); // // let obj_li_id = obj_li.map((obj: any) => obj.journal_entry_id);
// const obj_li_id: string[] = []; // const obj_li_id: string[] = [];
// for (const obj of obj_li) { // for (const obj of obj_li) {
@@ -785,7 +785,7 @@ export async function update_ae_obj__journal_entry({
// try { // try {
// id_random = await db_journals.journal_entry.put(obj_record); // id_random = await db_journals.journal_entry.put(obj_record);
// } catch (error) { // } catch (error) {
// console.log(`Error: Failed to put ${obj.journal_entry_id_random}: ${error}`); // console.log(`Error: Failed to put ${obj.journal_entry_id}: ${error}`);
// } // }
// } else { // } else {
// if (log_lvl) { // if (log_lvl) {
@@ -926,7 +926,6 @@ async function _process_generic_props<T extends Record<string, any>>({
// --- Common Transformations --- // --- Common Transformations ---
// 1. Standardize ID and other '_random' fields // 1. Standardize ID and other '_random' fields
// The API often returns fields like 'person_id_random', which need to be aliased to 'person_id'.
for (const key in processed_obj) { for (const key in processed_obj) {
if (key.endsWith('_random')) { if (key.endsWith('_random')) {
const newKey = key.slice(0, -7); // Remove '_random' suffix const newKey = key.slice(0, -7); // Remove '_random' suffix
@@ -934,7 +933,7 @@ async function _process_generic_props<T extends Record<string, any>>({
} }
} }
// Ensure 'id' is set from '[obj_type]_id_random' // Ensure 'id' is set from '[obj_type]_id_random'
const randomIdKey = `${obj_type}_id_random`; const randomIdKey = `${obj_type}_id`;
if (processed_obj[randomIdKey]) { if (processed_obj[randomIdKey]) {
(processed_obj as any).id = processed_obj[randomIdKey]; (processed_obj as any).id = processed_obj[randomIdKey];
} }
@@ -982,7 +981,7 @@ export async function process_ae_obj__journal_entry_props({
// Inject journal_id if provided and missing // Inject journal_id if provided and missing
if (journal_id) { if (journal_id) {
if (!obj.journal_id) obj.journal_id = journal_id; if (!obj.journal_id) obj.journal_id = journal_id;
if (!obj.journal_id_random) obj.journal_id_random = journal_id; // if (!obj.journal_id_random) obj.journal_id_random = journal_id;
} }
// Content processing // Content processing

24
src/lib/ae_journals/db_journals.ts
View File

@@ -39,11 +39,11 @@ export interface Journal extends ae_Journal {
export const journal_field_li = [ export const journal_field_li = [
'id', 'id',
'journal_id', 'journal_id',
'journal_id_random', // 'journal_id_random',
'account_id', 'account_id',
'account_id_random', // 'account_id_random',
'person_id', 'person_id',
'person_id_random', // 'person_id_random',
'code', 'code',
'name', 'name',
'short_name', 'short_name',
@@ -88,11 +88,11 @@ export interface Journal_Entry extends ae_JournalEntry {
export const journal_entry_field_li = [ export const journal_entry_field_li = [
'id', 'id',
'journal_entry_id', 'journal_entry_id',
'journal_entry_id_random', // 'journal_entry_id_random',
'journal_id', 'journal_id',
'journal_id_random', // 'journal_id_random',
'person_id', 'person_id',
'person_id_random', // 'person_id_random',
'code', 'code',
'name', 'name',
'short_name', 'short_name',
@@ -122,16 +122,16 @@ export class MySubClassedDexie extends Dexie {
super('ae_journals_db'); super('ae_journals_db');
this.version(5).stores({ this.version(5).stores({
journal: ` journal: `
id, journal_id, journal_id_random, id, journal_id,
code, code,
account_id, account_id_random, account_id,
person_id, person_id_random, person_id,
name, name,
enable, hide, priority, sort, group, created_on, updated_on`, enable, hide, priority, sort, group, created_on, updated_on`,
journal_entry: ` journal_entry: `
id, journal_entry_id, journal_entry_id_random, id, journal_entry_id,
journal_id, journal_id_random, journal_id,
person_id, person_id_random, person_id,
code, code,
template, template,
name, name,

3
src/lib/ae_utils/ae_utils.ts
View File

@@ -9,7 +9,7 @@ import {
import { get_obj_li_w_match_prop } from './ae_utils__get_obj_li_w_match_prop'; import { get_obj_li_w_match_prop } from './ae_utils__get_obj_li_w_match_prop';
import { file_extension_icon } from './ae_utils__file_extension_icon'; import { file_extension_icon } from './ae_utils__file_extension_icon';
import { file_extension_icon_lucide } from './ae_utils__file_extension_icon_lucide'; import { file_extension_icon_lucide } from './ae_utils__file_extension_icon_lucide';
import { process_permission_checks } from './ae_utils__perm_checks'; import { process_permission_checks, compare_access_levels } from './ae_utils__perm_checks';
import { iso_datetime_formatter } from './ae_utils__datetime_format'; import { iso_datetime_formatter } from './ae_utils__datetime_format';
import { is_datetime_recent } from './ae_utils__is_datetime_recent'; import { is_datetime_recent } from './ae_utils__is_datetime_recent';
import { extract_prefixed_form_data } from './ae_utils__extract_prefixed_form_data'; import { extract_prefixed_form_data } from './ae_utils__extract_prefixed_form_data';
@@ -331,6 +331,7 @@ function shorten_filename({
export const ae_util = { export const ae_util = {
is_datetime_recent: is_datetime_recent, is_datetime_recent: is_datetime_recent,
process_permission_checks: process_permission_checks, process_permission_checks: process_permission_checks,
compare_access_levels: compare_access_levels,
iso_datetime_formatter: iso_datetime_formatter, iso_datetime_formatter: iso_datetime_formatter,
clean_filename: clean_filename, clean_filename: clean_filename,
format_bytes: format_bytes, format_bytes: format_bytes,

27
src/lib/ae_utils/ae_utils__perm_checks.ts
View File

@@ -2,7 +2,34 @@ type key_val = {
[key: string]: any; [key: string]: any;
}; };
// Hierarchical Order (Highest to Lowest)
export const access_level_order = [
'super',
'manager',
'administrator',
'trusted',
'public',
'authenticated',
'anonymous'
];
/**
* Compares two access levels based on the hierarchy.
* @returns 1 if level_a is higher, -1 if level_b is higher, 0 if equal.
*/
export const compare_access_levels = function (level_a: string, level_b: string): number {
const index_a = access_level_order.indexOf(level_a || 'anonymous');
const index_b = access_level_order.indexOf(level_b || 'anonymous');
// LOWER index means HIGHER priority in the array
if (index_a < index_b) return 1;
if (index_a > index_b) return -1;
return 0;
};
// NOTE: I know there is a better more efficient way to do this, but I don't have time for that right now. // NOTE: I know there is a better more efficient way to do this, but I don't have time for that right now.
// Reminder: super > manager > administrator > trusted > public > authenticated > anonymous
// Super is the highest level. Anonymous is the lowest level.
export const process_permission_checks = function process_permission_checks(access_type: string) { export const process_permission_checks = function process_permission_checks(access_type: string) {
// let access_checks = { 'access_type': null, 'super_check': null }; // let access_checks = { 'access_type': null, 'super_check': null };
const access_checks: key_val = {}; const access_checks: key_val = {};

4
src/lib/types/ae_types.ts
View File

@@ -163,9 +163,9 @@ export interface ae_Journal extends ae_BaseObj {
*/ */
export interface ae_JournalEntry extends ae_BaseObj { export interface ae_JournalEntry extends ae_BaseObj {
journal_entry_id: string; journal_entry_id: string;
journal_entry_id_random: string; // journal_entry_id_random: string;
journal_id: string; journal_id: string;
journal_id_random: string; // journal_id_random: string;
person_id?: string; person_id?: string;
person_id_random?: string; person_id_random?: string;

113
src/routes/idaa/(idaa)/+layout.svelte
View File

@@ -8,6 +8,7 @@
// *** Import other supporting libraries // *** Import other supporting libraries
// *** Import Aether specific variables and functions // *** Import Aether specific variables and functions
import { ae_util } from '$lib/ae_utils/ae_utils';
import { import {
ae_snip, ae_snip,
ae_loc, ae_loc,
@@ -58,96 +59,36 @@
} }
$idaa_loc.novi_admin_li = $ae_loc.site_cfg_json?.novi_admin_li ?? []; $idaa_loc.novi_admin_li = $ae_loc.site_cfg_json?.novi_admin_li ?? [];
$idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json?.novi_trusted_li ?? []; $idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json?.novi_trusted_li ?? [];
// console.log(`$idaa_loc.novi_uuid:`, $idaa_loc.novi_uuid);
// console.log(`$idaa_loc.novi_admin_li:`, $idaa_loc.novi_admin_li);
// Reminder: super > manager > administrator > trusted > public > authenticated > anonymous
// NOTE: This is checking if they are in an iframe *and* have a Novi UUID. We ignore the iframe mode for trusted and above (administrators, managers, etc).
if (
$ae_loc?.iframe &&
$idaa_loc?.novi_uuid?.length == 36 &&
$idaa_loc?.novi_email?.length > 3 &&
$idaa_loc?.novi_full_name?.length > 0
) {
$ae_loc.access_type = 'authenticated';
$ae_loc.super_access = false;
$ae_loc.manager_access = false;
$ae_loc.administrator_access = false;
$ae_loc.trusted_access = false;
$ae_loc.public_access = false;
$ae_loc.authenticated_access = true;
$ae_loc.anonymous_access = true;
// Resetting these just in case...
$idaa_loc.bb.qry__hidden == 'not_hidden';
$idaa_loc.bb.qry__enabled == 'enabled';
// NOTE: This is sort of temporary while we work on getting Jisti working with IDAA's Novi site.
} else if (
$ae_loc?.iframe &&
$idaa_loc?.novi_uuid?.length == 36
) {
$ae_loc.access_type = 'authenticated';
$ae_loc.super_access = false;
$ae_loc.manager_access = false;
$ae_loc.administrator_access = false;
$ae_loc.trusted_access = false;
$ae_loc.public_access = false;
$ae_loc.authenticated_access = true;
$ae_loc.anonymous_access = true;
// Resetting these just in case...
$idaa_loc.bb.qry__hidden == 'not_hidden';
$idaa_loc.bb.qry__enabled == 'enabled';
} else if ($ae_loc?.iframe) {
$ae_loc.access_type = 'anonymous';
$ae_loc.super_access = false;
$ae_loc.manager_access = false;
$ae_loc.administrator_access = false;
$ae_loc.trusted_access = false;
$ae_loc.public_access = false;
$ae_loc.authenticated_access = false;
$ae_loc.anonymous_access = true;
// Resetting these just in case...
$idaa_loc.bb.qry__hidden == 'not_hidden';
$idaa_loc.bb.qry__enabled == 'enabled';
}
// Determine target Novi-based access level
let target_novi_level = 'anonymous';
if ($idaa_loc.novi_uuid) { if ($idaa_loc.novi_uuid) {
let flag = false; if ($idaa_loc.novi_admin_li?.includes($idaa_loc.novi_uuid)) {
// NOTE: Check if the novi_uuid is in the novi_admin_li list target_novi_level = 'administrator';
if ($idaa_loc.novi_admin_li) { } else if ($idaa_loc.novi_trusted_li?.includes($idaa_loc.novi_uuid)) {
if ($idaa_loc.novi_admin_li.includes($idaa_loc.novi_uuid)) { target_novi_level = 'trusted';
$ae_loc.access_type = 'administrator'; } else if ($ae_loc?.iframe && $idaa_loc?.novi_uuid?.length == 36) {
$ae_loc.super_access = false; target_novi_level = 'authenticated';
$ae_loc.manager_access = false;
$ae_loc.administrator_access = true;
$ae_loc.trusted_access = true;
$ae_loc.public_access = true;
$ae_loc.authenticated_access = true;
$ae_loc.anonymous_access = true;
flag = true;
}
}
// NOTE: Check if the novi_uuid is in the novi_trusted_li list
if ($idaa_loc.novi_trusted_li) {
if ($idaa_loc.novi_trusted_li.includes($idaa_loc.novi_uuid)) {
$ae_loc.access_type = 'trusted';
$ae_loc.super_access = false;
$ae_loc.manager_access = false;
$ae_loc.administrator_access = false;
$ae_loc.trusted_access = true;
$ae_loc.public_access = true;
$ae_loc.authenticated_access = true;
$ae_loc.anonymous_access = true;
flag = true;
}
} }
} else if ($ae_loc?.iframe) {
target_novi_level = 'anonymous';
} }
// PERMISSION UPGRADE STRATEGY:
// Only apply Novi-based permissions if they are HIGHER than the current level.
// This prevents a global 'manager' from being downgraded to 'administrator' or 'authenticated' by the IDAA layout.
const current_level = $ae_loc.access_type || 'anonymous';
if (ae_util.compare_access_levels(target_novi_level, current_level) === 1) {
console.log(`IDAA Layout: Upgrading access from ${current_level} to ${target_novi_level} (Novi detected)`);
const perms = ae_util.process_permission_checks(target_novi_level);
$ae_loc = { ...$ae_loc, ...perms };
} else {
if (log_lvl > 1) console.log(`IDAA Layout: Keeping current access ${current_level} (Novi level ${target_novi_level} is not an upgrade)`);
}
// Resetting these just in case...
$idaa_loc.bb.qry__hidden = 'not_hidden';
$idaa_loc.bb.qry__enabled = 'enabled';
}); });
} }
}); });

19
src/routes/journals/ae_comp__journal_entry_obj_li.svelte
View File

@@ -95,15 +95,22 @@
const filtered = list.filter((item: any) => { const filtered = list.filter((item: any) => {
if (!item) return false; if (!item) return false;
// ADMIN/TRUSTED: See everything
if ($ae_loc.trusted_access) return true;
// PUBLIC: Filter hidden/disabled
// Permissive defaults for missing metadata
const is_hidden = item.hide === true || item.hide === 1; const is_hidden = item.hide === true || item.hide === 1;
const is_disabled = item.enable === false || item.enable === 0; const is_disabled = item.enable === false || item.enable === 0;
return !is_hidden && !is_disabled; // Standard Visibility: Filter out hidden/disabled if not in Edit Mode
if (!$ae_loc.edit_mode) {
return !is_hidden && !is_disabled;
}
// Edit Mode Gating:
// - To see Hidden: Must have Trusted Access or higher
if (is_hidden && !$ae_loc.trusted_access) return false;
// - To see Disabled: Must have Administrator Access or higher
if (is_disabled && !$ae_loc.administrator_access) return false;
return true;
}); });
if (log_lvl) if (log_lvl)