fix: roles read & write

Author: andreazuccaspindox

packages/flowerbase/src/features/triggers/__tests__/index.test.ts

@@ -21,8 +21,8 @@ describe('activateTriggers', () => {
 
   it('skips triggers marked as disabled', async () => {
     const functionsList = {
-      runEnabled: jest.fn(),
-      runDisabled: jest.fn()
+      runEnabled: { code: 'exports = async () => {}' },
+      runDisabled: { code: 'exports = async () => {}' }
     }
 
     await activateTriggers({

packages/flowerbase/src/services/mongodb-atlas/__tests__/findOneAndUpdate.test.ts

@@ -171,7 +171,7 @@ describe('mongodb-atlas findOneAndUpdate', () => {
 
     const app = createAppWithCollection(collection)
     const operators = MongoDbAtlas(app as any, {
-      rules: createRules({ insert: false }),
+      rules: createRules({ write: undefined, insert: false }),
       user: { id: 'user-1' }
     })
       .db('db')

packages/flowerbase/src/utils/__tests__/STEP_C_STATES.test.ts

@@ -89,13 +89,13 @@ describe('STEP_C_STATES', () => {
     })
     mockedLogInfo.mockRestore()
   })
-  it('evaluateTopLevelWrite should end a success validation when write is true and no field rules exist', async () => {
+  it('evaluateTopLevelWrite should end a success validation when read is true', async () => {
     const mockedLogInfo = jest
       .spyOn(Utils, 'logMachineInfo')
       .mockImplementation(() => 'Mocked Value')
-    ;(evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(true)
+    ;(evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(false)
     ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(false)
-    const mockContext = { prevParams: { readCheck: false } } as unknown as MachineContext
+    const mockContext = { prevParams: { readCheck: true } } as unknown as MachineContext
     await evaluateTopLevelWrite({
       endValidation,
       context: mockContext,
@@ -112,9 +112,8 @@ describe('STEP_C_STATES', () => {
     })
     mockedLogInfo.mockRestore()
   })
-  it('evaluateTopLevelWrite should go to checkFieldsProperty when write is true and field rules exist', async () => {
+  it('evaluateTopLevelWrite should end a success validation when read is false and write is true', async () => {
     ;(evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
     const mockContext = { prevParams: { readCheck: false } } as unknown as MachineContext
     await evaluateTopLevelWrite({
       endValidation,
@@ -123,13 +122,13 @@ describe('STEP_C_STATES', () => {
       next,
       initialStep: null
     })
-    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
   })
-  it('evaluateTopLevelWrite should end a failed validation if both read and write are not true', async () => {
+  it('evaluateTopLevelWrite should end a failed validation when read is false and write is not true', async () => {
     (evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(false)
     const mockContext = {
       prevParams: {
-        readCheck: undefined
+        readCheck: false
       }
     } as unknown as MachineContext
     await evaluateTopLevelWrite({
@@ -141,12 +140,45 @@ describe('STEP_C_STATES', () => {
     })
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
-  it('evaluateTopLevelWrite should allow through readCheck=true even if write=false', async () => {
+  it('evaluateTopLevelWrite should end a success validation when read is undefined and write is true', async () => {
+    ;(evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(true)
+    const mockContext = {
+      prevParams: {
+        readCheck: undefined
+      }
+    } as unknown as MachineContext
+    await evaluateTopLevelWrite({
+      endValidation,
+      context: mockContext,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
+  })
+  it('evaluateTopLevelWrite should go to checkFieldsProperty when read and write are undefined/false but fields exist', async () => {
     (evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(false)
+    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
+    const mockContext = {
+      prevParams: {
+        readCheck: undefined
+      }
+    } as unknown as MachineContext
+    await evaluateTopLevelWrite({
+      endValidation,
+      context: mockContext,
+      goToNextValidationStage,
+      next,
+      initialStep: null
+    })
+    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
+  })
+  it('evaluateTopLevelWrite should end a failed validation when read and write are undefined/false and no field rules exist', async () => {
+    ;(evaluateTopLevelWriteFn as jest.Mock).mockReturnValue(undefined)
     ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(false)
     const mockContext = {
       prevParams: {
-        readCheck: true
+        readCheck: undefined
       }
     } as unknown as MachineContext
     await evaluateTopLevelWrite({
@@ -156,6 +188,6 @@ describe('STEP_C_STATES', () => {
       next,
       initialStep: null
     })
-    expect(endValidation).toHaveBeenCalledWith({ success: true })
+    expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 })

packages/flowerbase/src/utils/__tests__/WRITE_STEP_B_STATES.test.ts

@@ -77,9 +77,8 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 
-  it('allows write when write=true and no field-level rules are defined', async () => {
+  it('routes to insert check when write=true', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(false)
     const context = {} as MachineContext
     await evaluateTopLevelWrite({
       context,
@@ -88,10 +87,10 @@ describe('WRITE STEP_B_STATES', () => {
       next,
       initialStep: null
     })
-    expect(endValidation).toHaveBeenCalledWith({ success: true })
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
   })
 
-  it('routes to field-level checks when write=true and field-level rules exist', async () => {
+  it('routes to insert check when write=true and field-level rules exist', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
     ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
     const context = {} as MachineContext
@@ -102,7 +101,7 @@ describe('WRITE STEP_B_STATES', () => {
       next,
       initialStep: null
     })
-    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
+    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
   })
 
   it('denies when write=false', async () => {
@@ -118,7 +117,7 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 
-  it('routes to insert check when write is undefined', async () => {
+  it('routes to field-level checks when write is undefined', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(undefined)
     const context = {} as MachineContext
     await evaluateTopLevelWrite({
@@ -128,7 +127,7 @@ describe('WRITE STEP_B_STATES', () => {
       next,
       initialStep: null
     })
-    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
+    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
   })
 
   it('denies insert when insert is false/undefined', async () => {
@@ -144,9 +143,8 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 
-  it('allows insert when insert=true and no field-level rules are defined', async () => {
+  it('allows when insert=true', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(false)
     const context = {} as MachineContext
     await evaluateTopLevelInsert({
       context,
@@ -158,20 +156,6 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: true })
   })
 
-  it('routes insert to field-level checks when rules exist', async () => {
-    ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
-    const context = {} as MachineContext
-    await evaluateTopLevelInsert({
-      context,
-      endValidation,
-      goToNextValidationStage,
-      next,
-      initialStep: null
-    })
-    expect(next).toHaveBeenCalledWith('checkFieldsProperty')
-  })
-
   it('routes checkFieldsProperty to checkIsValidFieldName when field rules exist', async () => {
     ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
     const context = {} as MachineContext

packages/flowerbase/src/utils/roles/helpers.ts

@@ -8,25 +8,38 @@ import { MachineContext } from './machines/interface'
 
 const functionsConditions = ['%%true', '%%false']
 
+const normalizeUserRole = (user?: MachineContext['user']) => {
+  if (!user) return user
+  if (typeof user !== 'object') return user
+  const candidate = user as Record<string, unknown>
+  if (typeof candidate.role === 'string') return user
+  const customRole =
+    typeof candidate.custom_data === 'object' && candidate.custom_data !== null
+      ? (candidate.custom_data as Record<string, unknown>).role
+      : undefined
+  return typeof customRole === 'string' ? ({ ...candidate, role: customRole } as MachineContext['user']) : user
+}
+
 export const evaluateExpression = async (
   params: MachineContext['params'],
   expression?: PermissionExpression,
   user?: MachineContext['user']
 ): Promise<boolean> => {
   if (!expression || typeof expression === 'boolean') return !!expression
+  const normalizedUser = normalizeUserRole(user)
 
   const value = {
     ...params.expansions,
     ...params.cursor,
-    '%%user': user,
+    '%%user': normalizedUser,
     '%%true': true
   }
   const conditions = expandQuery(expression, value)
   const complexCondition = Object.entries(conditions as Record<string, any>).find(([key]) =>
     functionsConditions.includes(key)
   )
   return complexCondition
-    ? await evaluateComplexExpression(complexCondition, params, user)
+    ? await evaluateComplexExpression(complexCondition, params, normalizedUser)
     : rulesMatcherUtils.checkRule(conditions, value, {})
 }
 
@@ -36,6 +49,7 @@ const evaluateComplexExpression = async (
   user: MachineContext['user']
 ): Promise<boolean> => {
   const [key, config] = condition
+  const normalizedUser = normalizeUserRole(user)
 
   const functionConfig = config['%function']
   const { name, arguments: fnArguments } = functionConfig
@@ -47,7 +61,7 @@ const evaluateComplexExpression = async (
     ...params.expansions,
     ...params.cursor,
     '%%root': params.cursor,
-    '%%user': user,
+    '%%user': normalizedUser,
     '%%true': true,
     '%%false': false
   }
@@ -62,7 +76,7 @@ const evaluateComplexExpression = async (
     args: expandedArguments,
     app,
     rules: StateManager.select("rules"),
-    user,
+    user: normalizedUser,
     currentFunction,
     functionName: name,
     functionsList,

packages/flowerbase/src/utils/roles/machines/fieldPermissions.ts

@@ -54,7 +54,10 @@ export const hasAdditionalFieldsDefined = (role?: Role) =>
 
 export const filterDocumentByFieldPermissions = async (
   context: Pick<MachineContext, 'params' | 'role' | 'user'>,
-  mode: 'read' | 'write'
+  mode: 'read' | 'write',
+  options?: {
+    defaultAllow?: boolean
+  }
 ): Promise<Document> => {
   const source = context.params?.cursor
   if (!isObject(source)) return {}
@@ -66,12 +69,13 @@ export const filterDocumentByFieldPermissions = async (
   for (const [key, value] of Object.entries(source)) {
     const fieldPermission = fields[key]
     const permission = fieldPermission ?? getAdditionalFieldPermission(additionalFields, key)
-    if (!permission) continue
-
-    const allowed =
-      mode === 'read'
-        ? await canReadField(context, permission)
-        : await canWriteField(context, permission)
+    let allowed = options?.defaultAllow === true
+    if (permission) {
+      allowed =
+        mode === 'read'
+          ? await canReadField(context, permission)
+          : await canWriteField(context, permission)
+    }
 
     if (allowed) {
       document[key] = value

packages/flowerbase/src/utils/roles/machines/read/C/index.ts

@@ -1,13 +1,13 @@
+import { States } from '../../interface'
+import { logMachineInfo } from '../../utils'
 import {
   checkFieldsPropertyExists,
   evaluateTopLevelReadFn,
   evaluateTopLevelWriteFn
 } from './validators'
-import { States } from '../../interface'
-import { logMachineInfo } from '../../utils'
 
 export const STEP_C_STATES: States = {
-  evaluateTopLevelRead: async ({ context, next, endValidation }) => {
+  evaluateTopLevelRead: async ({ context, next }) => {
     logMachineInfo({
       enabled: context.enableLog,
       machine: 'C',
@@ -25,11 +25,18 @@ export const STEP_C_STATES: States = {
       stepName: 'evaluateTopLevelWrite'
     })
     const writeCheck = await evaluateTopLevelWriteFn(context)
-    const readCheck = context?.prevParams?.readCheck === true
-    if (!readCheck && !writeCheck) return endValidation({ success: false })
+    const readCheck = context?.prevParams?.readCheck
+
+    if (readCheck === true || writeCheck === true) {
+      return checkFieldsPropertyExists(context)
+        ? next('checkFieldsProperty')
+        : endValidation({ success: true })
+    }
+
+    if (readCheck === false) return endValidation({ success: false })
     return checkFieldsPropertyExists(context)
       ? next('checkFieldsProperty')
-      : endValidation({ success: true })
+      : endValidation({ success: false })
   },
   checkFieldsProperty: async ({ context, goToNextValidationStage }) => {
     logMachineInfo({

packages/flowerbase/src/utils/roles/machines/read/D/validators.ts

@@ -1,3 +1,4 @@
+import { evaluateTopLevelPermissionsFn } from '../../commonValidators'
 import {
   filterDocumentByFieldPermissions,
   hasAdditionalFieldsDefined
@@ -8,5 +9,11 @@ export const checkAdditionalFieldsFn = ({ role }: MachineContext) => {
   return hasAdditionalFieldsDefined(role)
 }
 
-export const checkIsValidFieldNameFn = async (context: MachineContext) =>
-  await filterDocumentByFieldPermissions(context, 'read')
+export const checkIsValidFieldNameFn = async (context: MachineContext) => {
+  const readCheck = await evaluateTopLevelPermissionsFn(context, 'read')
+  const writeCheck = await evaluateTopLevelPermissionsFn(context, 'write')
+
+  return await filterDocumentByFieldPermissions(context, 'read', {
+    defaultAllow: readCheck === true || writeCheck === true
+  })
+}

packages/flowerbase/src/utils/roles/machines/write/B/index.ts

@@ -37,14 +37,12 @@ export const STEP_B_STATES: States = {
     })
     const check = await evaluateTopLevelPermissionsFn(context, 'write')
     if (check) {
-      return checkFieldsPropertyExists(context)
-        ? next('checkFieldsProperty')
-        : endValidation({ success: true })
+      return next('evaluateTopLevelInsert')
     }
     if (check === false) {
       return endValidation({ success: false })
     }
-    return next('evaluateTopLevelInsert')
+    return next('checkFieldsProperty')
   },
   checkFieldsProperty: async ({ context, goToNextValidationStage }) => {
     logMachineInfo({
@@ -69,8 +67,6 @@ export const STEP_B_STATES: States = {
     if (!check) {
       return endValidation({ success: false })
     }
-    return checkFieldsPropertyExists(context)
-      ? next('checkFieldsProperty')
-      : endValidation({ success: true })
+    return endValidation({ success: true })
   }
 }

packages/flowerbase/src/utils/roles/machines/write/C/validators.ts

@@ -8,5 +8,8 @@ export const checkAdditionalFieldsFn = ({ role }: MachineContext) => {
   return hasAdditionalFieldsDefined(role)
 }
 
-export const checkIsValidFieldNameFn = async (context: MachineContext) =>
-  await filterDocumentByFieldPermissions(context, 'write')
+export const checkIsValidFieldNameFn = async (context: MachineContext) => {
+  return await filterDocumentByFieldPermissions(context, 'write', {
+    defaultAllow: typeof context.role.write !== 'undefined'
+  })
+}