chore: role base implementation

backend/core-api/src/apollo/resolvers/mutations.ts

@@ -18,6 +18,7 @@ import { relationsMutations } from '@/relations/graphql/mutations';
 import { segmentMutations } from '@/segments/graphql/resolvers/mutations';
 import { tagMutations } from '@/tags/graphql/mutations';
 import { notificationMutations } from '~/modules/notifications/graphql/resolver/mutations';
+import { roleMutations } from '~/modules/permissions/graphql/resolvers/mutations/role';
 
 export const mutations = {
   ...contactMutations,
@@ -40,4 +41,5 @@ export const mutations = {
   ...automationMutations,
   ...notificationMutations,
   ...internalNoteMutations,
+  ...roleMutations,
 };

backend/core-api/src/apollo/resolvers/queries.ts

@@ -20,6 +20,7 @@ import { segmentQueries } from '@/segments/graphql/resolvers';
 import { tagQueries } from '@/tags/graphql/queries';
 
 import { notificationQueries } from '@/notifications/graphql/resolver/queries';
+import { roleQueries } from '@/permissions/graphql/resolvers/queries/role';
 
 export const queries = {
   ...contactQueries,
@@ -43,4 +44,5 @@ export const queries = {
   ...logQueries,
   ...notificationQueries,
   ...internalNoteQueries,
+  ...roleQueries,
 };

backend/core-api/src/apollo/resolvers/resolvers.ts

@@ -3,13 +3,14 @@ import contactResolvers from '@/contacts/graphql/resolvers/customResolvers';
 import documentResolvers from '@/documents/graphql/customResolvers';
 import internalNoteResolvers from '@/internalNote/graphql/customResolvers';
 import logResolvers from '@/logs/graphql/resolvers/customResolvers';
+import notificationResolvers from '@/notifications/graphql/customResolvers';
 import brandResolvers from '@/organization/brand/graphql/customResolver/brand';
 import structureResolvers from '@/organization/structure/graphql/resolvers/customResolvers';
 import userResolvers from '@/organization/team-member/graphql/customResolver';
+import permissionResolvers from '@/permissions/graphql/resolvers/customResolver';
 import productResolvers from '@/products/graphql/resolvers/customResolvers';
 import segmentResolvers from '@/segments/graphql/resolvers/customResolvers';
 import tagResolvers from '@/tags/graphql/customResolvers';
-import notificationResolvers from '@/notifications/graphql/customResolvers';
 
 export const customResolvers = {
   ...contactResolvers,
@@ -24,4 +25,5 @@ export const customResolvers = {
   ...notificationResolvers,
   ...documentResolvers,
   ...internalNoteResolvers,
+  ...permissionResolvers,
 };

backend/core-api/src/apollo/schema/schema.ts

@@ -142,15 +142,21 @@ import {
 } from '@/logs/graphql/schema';
 
 import {
-  mutations as NotificationsMutations,
-  queries as NotificationsQueries,
-  types as NotificationsTypes,
-} from '@/notifications/graphql/schema';
-import{
   mutations as InternalNoteMutations,
   queries as InternalNoteQueries,
   types as InternalNoteTypes,
 } from '@/internalNote/graphql/schemas';
+import {
+  mutations as NotificationsMutations,
+  queries as NotificationsQueries,
+  types as NotificationsTypes,
+} from '@/notifications/graphql/schema';
+
+import {
+  mutations as RoleMutations,
+  queries as RoleQueries,
+  types as RoleTypes,
+} from '@/permissions/graphql/schemas/role';
 
 export const types = `
     enum CacheControlScope {
@@ -192,6 +198,7 @@ export const types = `
     ${LogsTypes}
     ${NotificationsTypes}
     ${InternalNoteTypes}
+    ${RoleTypes}
   `;
 
 export const queries = `
@@ -221,6 +228,7 @@ export const queries = `
     ${LogsQueries}
      ${NotificationsQueries}
     ${InternalNoteQueries}
+    ${RoleQueries}
   `;
 
 export const mutations = `
@@ -249,6 +257,7 @@ export const mutations = `
     ${AutomationsMutations}
     ${NotificationsMutations}
     ${InternalNoteMutations}
+    ${RoleMutations}
   `;
 
 export default { types, queries, mutations };

backend/core-api/src/connectionResolvers.ts

@@ -77,6 +77,7 @@ import {
   IProductDocument,
   IProductsConfigDocument,
   IRelationDocument,
+  IRoleDocument,
   ITagDocument,
   IUomDocument,
   IUserDocument,
@@ -145,6 +146,10 @@ import {
   INotificationDocument,
   notificationSchema,
 } from 'erxes-api-shared/core-modules';
+import {
+  IRoleModel,
+  loadRoleClass,
+} from '~/modules/permissions/db/models/Roles';
 import {
   IAutomationModel,
   loadClass as loadAutomationClass,
@@ -162,6 +167,7 @@ export interface IModels {
   UserMovements: IUserMovemmentModel;
   Configs: IConfigModel;
   Permissions: IPermissionModel;
+  Roles: IRoleModel;
   UsersGroups: IUserGroupModel;
   Tags: ITagModel;
   InternalNotes: IInternalNoteModel;
@@ -244,6 +250,11 @@ export const loadClasses = (
     loadPermissionClass(models),
   );
 
+  models.Roles = db.model<IRoleDocument, IRoleModel>(
+    'roles',
+    loadRoleClass(models),
+  );
+
   models.UsersGroups = db.model<IUserGroupDocument, IUserGroupModel>(
     'user_groups',
     loadUserGroupClass(models),

backend/core-api/src/modules/organization/team-member/db/models/Users.ts

@@ -25,6 +25,7 @@ import {
 
 import { USER_MOVEMENT_STATUSES } from 'erxes-api-shared/core-modules';
 import { title } from 'process';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
 
 const SALT_WORK_FACTOR = 10;
 
@@ -234,7 +235,7 @@ export const loadUserClass = (models: IModels) => {
         this.checkPassword(password);
       }
 
-      return models.Users.create({
+      const user = await models.Users.create({
         isOwner,
         username,
         email,
@@ -246,6 +247,13 @@ export const loadUserClass = (models: IModels) => {
         password: notUsePassword ? '' : await this.generatePassword(password),
         code: await this.generateUserCode(),
       });
+
+      models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
+
+      return user;
     }
 
     /**
@@ -329,7 +337,7 @@ export const loadUserClass = (models: IModels) => {
 
       this.checkPassword(password);
 
-      await models.Users.create({
+      const user = await models.Users.create({
         email,
         groupIds: [groupId],
         isActive: true,
@@ -341,6 +349,11 @@ export const loadUserClass = (models: IModels) => {
         brandIds,
       });
 
+      models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
+
       return token;
     }
 

backend/core-api/src/modules/organization/team-member/graphql/mutations.ts

@@ -1,10 +1,11 @@
-import { IContext } from '~/connectionResolvers';
 import {
-  IUser,
   IDetail,
-  ILink,
   IEmailSignature,
+  ILink,
+  IUser,
 } from 'erxes-api-shared/core-types';
+import { IContext } from '~/connectionResolvers';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
 
 export interface IUsersEdit extends IUser {
   channelIds?: string[];
@@ -48,7 +49,12 @@ export const userMutations = {
       },
     };
 
-    await models.Users.createUser(doc);
+    const user = await models.Users.createUser(doc);
+
+    models.Roles.create({
+      userId: user._id,
+      role: PERMISSION_ROLES.OWNER,
+    });
 
     if (subscribeEmail && process.env.NODE_ENV === 'production') {
       await fetch('https://erxes.io/subscribe', {
@@ -138,14 +144,14 @@ export const userMutations = {
       details,
       links,
       employeeId,
-      positionIds
+      positionIds,
     }: {
       username: string;
       email: string;
       details: IDetail;
       links: ILink;
       employeeId: string;
-      positionIds: string[]
+      positionIds: string[];
     },
     { user, models }: IContext,
   ) {
@@ -158,7 +164,7 @@ export const userMutations = {
       },
       links,
       employeeId,
-      positionIds
+      positionIds,
     };
 
     const updatedUser = await models.Users.editProfile(user._id, doc);

backend/core-api/src/modules/permissions/db/constants.ts

@@ -0,0 +1,6 @@
+export const PERMISSION_ROLES = {
+  OWNER: 'owner',
+  ADMIN: 'admin',
+  MEMBER: 'member',
+  ALL: ['owner', 'admin', 'member'],
+};

backend/core-api/src/modules/permissions/db/definitions/roles.ts

@@ -0,0 +1,16 @@
+import { Schema } from 'mongoose';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
+
+export const roleSchema = new Schema(
+  {
+    userId: { type: String, label: 'User' },
+    role: {
+      type: String,
+      enum: PERMISSION_ROLES.ALL,
+      label: 'Role',
+    },
+  },
+  {
+    timestamps: true,
+  },
+);

backend/core-api/src/modules/permissions/db/models/Roles.ts

@@ -0,0 +1,101 @@
+import {
+  IRole,
+  IRoleDocument,
+  IUserDocument,
+} from 'erxes-api-shared/core-types';
+import { Model } from 'mongoose';
+import { IModels } from '~/connectionResolvers';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
+import { roleSchema } from '../definitions/roles';
+
+export interface IRoleModel extends Model<IRoleDocument> {
+  getRole(_id: string): Promise<IRoleDocument>;
+  createRole(doc: IRole, user: IUserDocument): Promise<IRoleDocument>;
+  updateRole(doc: IRole, user: IUserDocument): Promise<IRoleDocument>;
+}
+
+export const loadRoleClass = (models: IModels) => {
+  class Role {
+    public static async validateRole(doc: IRole, user: IUserDocument) {
+      const { userId, role } = doc || {};
+
+      if (!PERMISSION_ROLES.ALL.includes(role)) {
+        throw new Error('Invalid role');
+      }
+
+      const userRole = await models.Roles.findOne({
+        userId: user._id,
+      }).lean();
+
+      if (!userRole) {
+        throw new Error('Role not found for user.');
+      }
+
+      if (userRole.role === PERMISSION_ROLES.OWNER) {
+        return;
+      }
+
+      if (userRole.role === PERMISSION_ROLES.ADMIN) {
+        const isOwner = await models.Roles.findOne({
+          userId,
+          role: PERMISSION_ROLES.OWNER,
+        }).lean();
+
+        if (isOwner) {
+          throw new Error('Access denied');
+        }
+
+        const isMember = await models.Roles.findOne({
+          userId,
+          role: PERMISSION_ROLES.MEMBER,
+        }).lean();
+
+        if (isMember && role === PERMISSION_ROLES.OWNER) {
+          throw new Error('Access denied');
+        }
+      }
+
+      if (userRole.role === PERMISSION_ROLES.MEMBER) {
+        throw new Error('Access denied');
+      }
+    }
+
+    public static async getRole(_id: string) {
+      const role = await models.Roles.findOne({ _id }).lean();
+
+      if (!role) {
+        throw new Error('Role not found');
+      }
+
+      return role;
+    }
+
+    public static async createRole(doc: IRole, user: IUserDocument) {
+      await this.validateRole(doc, user);
+
+      const { userId } = doc;
+
+      const role = await models.Roles.findOne({ userId }).lean();
+
+      if (role) {
+        throw new Error('Role already exists');
+      }
+
+      return await models.Roles.create(doc);
+    }
+
+    public static async updateRole(doc: IRole, user: IUserDocument) {
+      await this.validateRole(doc, user);
+
+      const { userId } = doc;
+
+      return await models.Roles.findOneAndUpdate({ userId }, doc, {
+        new: true,
+      });
+    }
+  }
+
+  roleSchema.loadClass(Role);
+
+  return roleSchema;
+};

backend/core-api/src/modules/permissions/graphql/resolvers/customResolver/index.ts

@@ -0,0 +1,5 @@
+import Role from './role';
+
+export default {
+  Role,
+};

backend/core-api/src/modules/permissions/graphql/resolvers/customResolver/role.ts

@@ -0,0 +1,19 @@
+import { IPermissionDocument } from 'erxes-api-shared/core-types';
+import { IContext } from '~/connectionResolvers';
+
+export default {
+  __resolveReference: async (
+    { _id }: { _id: string },
+    { models }: IContext,
+  ) => {
+    return await models.Permissions.getPermission(_id);
+  },
+
+  user: async (permission: IPermissionDocument) => {
+    if (!permission.userId) {
+      return;
+    }
+
+    return { __typename: 'User', _id: permission.userId };
+  },
+};