add rbac + db-create script

2026-04-25 13:31:02 +00:00
parent 44f8ecdc85
commit 84c3d9f9ba
21 changed files with 908 additions and 336 deletions
--- a/utils.js
+++ b/utils.js
@@ -23,14 +23,22 @@ global.json = {
  startMenuItems: new HotReload(path.join(global.path.source, 'models', 'integratedStartMenuItems.json'))
 }

-
-module.exports = startMenuItems = async function (app, sAMAccountName) {
+module.exports = startMenuItems = async function (app, objectGuid, debug = false) {

  function safeClone(obj) {
    return JSON.parse(JSON.stringify(obj));
  }

-  const integratedStartmenuItems = safeClone(service.get('fileSystemManager').loadJSON(global.json.startMenuItems.filePath));
+  const log = (...args) => {
+    if (debug) console.log('[RBAC DEBUG]', ...args);
+  };
+
+  // =========================
+  // Load menu sources
+  // =========================
+  const integratedStartmenuItems =
+    service.get('fileSystemManager')
+      .loadJSON(global.json.startMenuItems.filePath) || [];

  const plugins = service
    .get('pluginManager')
@@ -40,59 +48,123 @@ module.exports = startMenuItems = async function (app, sAMAccountName) {
      section: 'Plugin'
    }));

-  let getAllPlugins = [...plugins, ...integratedStartmenuItems];
+  let allPlugins = [...plugins, ...integratedStartmenuItems];

-  for (const plugin of getAllPlugins) {
+  // =========================
+  // Load user permissions
+  // =========================
+  const authManager = service.get('authenticationManager');

-    plugin.menu.items = await Promise.all(
-      (plugin.menu.items || []).map(async item => {
+  const userPermissions =
+    (await authManager.resolvePermissions(objectGuid))
+      ?.permissions || [];

-        const authorized =
-          item.label === 'hr' ||
-          item.permissions.includes('Administration')
-            ? global.json.configuration.live.administration.some(
-                name => name.toLowerCase() === sAMAccountName.toLowerCase()
-              )
-            : item.permissions.includes('*') ||
-              (
-                await Promise.all(
-                  item.permissions.map(async permission =>
-                    (await service.get('activeDirectoryManager').getGroup(permission)) &&
-                    (await service.get('activeDirectoryManager').isUserMemberOfRecursive(
-                      sAMAccountName,
-                      permission
-                    ))
-                  )
-                )
-              ).some(Boolean);
+  const normalizedPermissions = userPermissions.map(p => ({
+    scope: p.scope,
+    action: p.action,
+    resource: p.resource || null
+  }));

-        return {
-          ...safeClone(item),
-          authorized
-        };
-      })
-    );
+  log('USER OBJECTGUID:', objectGuid);
+  log('PERMISSIONS:', normalizedPermissions);
+
+  // =========================
+  // SUPER ADMIN CHECK
+  // =========================
+  const isSuperAdmin = normalizedPermissions.some(p =>
+    p.scope === 'SYSTEM' &&
+    p.resource === 'ALL' &&
+    p.action === 'ALL'
+  );
+
+  log('SUPER ADMIN:', isSuperAdmin);
+
+  // =========================
+  // BUILD MENU
+  // =========================
+  for (const plugin of allPlugins) {
+
+    plugin.menu.items = (plugin.menu.items || []).map(item => {
+
+      const resource = item.label;
+      const requiredPermissions = item.permissions || [];
+
+      const debugTrace = [];
+
+      const authorized = isSuperAdmin
+        ? (debugTrace.push('SUPERADMIN OVERRIDE'), true)
+        : normalizedPermissions.some(userPerm => {
+
+            return requiredPermissions.some(required => {
+
+              const scopeMatch =
+                userPerm.scope === required.scope;
+
+              const actionMatch =
+                userPerm.action === 'ALL' ||
+                userPerm.action === required.action ||
+                required.action === 'ALL';
+
+              const resourceMatch =
+                !userPerm.resource ||
+                userPerm.resource === 'ALL' ||
+                userPerm.resource === resource;
+
+              const result = scopeMatch && actionMatch && resourceMatch;
+
+              if (debug) {
+                debugTrace.push({
+                  userPerm,
+                  required,
+                  scopeMatch,
+                  actionMatch,
+                  resourceMatch,
+                  result
+                });
+              }
+
+              return result;
+            });
+          });
+
+      if (debug) {
+        log(`\n--- MENU ITEM: ${item.label} ---`);
+        log('AUTHORIZED:', authorized);
+        log('TRACE:', debugTrace);
+      }
+
+      return {
+        ...safeClone(item),
+        authorized
+      };
+    });

    plugin.onlyAdministration =
-      plugin.menu.items.every(item => !item.authorized) &&
-      !global.json.configuration.live.administration.includes(sAMAccountName);
+      plugin.menu.items.every(i => !i.authorized);
+
+    if (debug) {
+      log(`PLUGIN: ${plugin.name}`);
+      log('VISIBLE:', !plugin.onlyAdministration);
+    }
  }

-  getAllPlugins = getAllPlugins
-    .filter(plugin => !plugin.onlyAdministration)
-    .filter(plugin => plugin.active);
-
-  app.locals.startMenuItems = getAllPlugins;
-
-  return [...getAllPlugins];
+  // =========================
+  // FILTER FINAL MENU
+  // =========================
+  allPlugins = allPlugins
+    .filter(p => !p.onlyAdministration)
+    .filter(p => p.active);
+  app.locals.startMenuItems = allPlugins;
+  return allPlugins;
 };
-// module.exports = startMenuItems = async function(app, sAMAccountName) {
-// function safeClone(obj) {
-//   return JSON.parse(JSON.stringify(obj));
-// }
-//   delete integratedStartmenuItems;

-//   integratedStartmenuItems = safeClone(json.startMenuItems.live);
+// module.exports = startMenuItems = async function (app, sAMAccountName) {
+
+//   function safeClone(obj) {
+//     return JSON.parse(JSON.stringify(obj));
+//   }
+
+//   const integratedStartmenuItems = safeClone(service.get('fileSystemManager').loadJSON(global.json.startMenuItems.filePath));

 //   const plugins = service
 //     .get('pluginManager')
@@ -112,13 +184,18 @@ module.exports = startMenuItems = async function (app, sAMAccountName) {
 //         const authorized =
 //           item.label === 'hr' ||
 //           item.permissions.includes('Administration')
-//             ? global.json.configuration.live.administration.some(name => name.toLowerCase() === sAMAccountName.toLowerCase())
+//             ? global.json.configuration.live.administration.some(
+//                 name => name.toLowerCase() === sAMAccountName.toLowerCase()
+//               )
 //             : item.permissions.includes('*') ||
 //               (
 //                 await Promise.all(
 //                   item.permissions.map(async permission =>
 //                     (await service.get('activeDirectoryManager').getGroup(permission)) &&
-//                     (await service.get('activeDirectoryManager').isUserMemberOfRecursive(sAMAccountName, permission))
+//                     (await service.get('activeDirectoryManager').isUserMemberOfRecursive(
+//                       sAMAccountName,
+//                       permission
+//                     ))
 //                   )
 //                 )
 //               ).some(Boolean);
@@ -145,6 +222,7 @@ module.exports = startMenuItems = async function (app, sAMAccountName) {
 // };


+
 /**
 * Convert date into custom dateformat
  * @param {any} date - Valid date as datetype or string