screentinker/server/lib/permissions.js

// Phase 2.1: permission helpers.
//
// Routes call these as Express middleware to gate access, or as predicate
// functions to branch within a handler. They presume resolveTenancy has
// already attached req.workspaceId / req.workspaceRole / req.orgRole /
// req.isPlatformAdmin.
//
// Layering (top wins):
//   1. req.isPlatformAdmin -> allow anything
//   2. req.orgRole in {org_owner, org_admin} -> allow read/write/admin within the org
//      org_owner also has billing.write and org.delete (not exposed in 2.1)
//   3. req.workspaceRole in {workspace_admin, workspace_editor, workspace_viewer}
//      gates resource access per the role's bands

'use strict';

function canRead(req) {
  if (req.isPlatformAdmin) return true;
  if (req.orgRole === 'org_owner' || req.orgRole === 'org_admin') return true;
  return !!req.workspaceRole; // any workspace_member can read
}

function canWrite(req) {
  if (req.isPlatformAdmin) return true;
  if (req.orgRole === 'org_owner' || req.orgRole === 'org_admin') return true;
  return req.workspaceRole === 'workspace_admin' || req.workspaceRole === 'workspace_editor';
}

function canAdmin(req) {
  if (req.isPlatformAdmin) return true;
  if (req.orgRole === 'org_owner' || req.orgRole === 'org_admin') return true;
  return req.workspaceRole === 'workspace_admin';
}

function isOrgAdmin(req) {
  if (req.isPlatformAdmin) return true;
  return req.orgRole === 'org_owner' || req.orgRole === 'org_admin';
}

function isOrgOwner(req) {
  if (req.isPlatformAdmin) return true;
  return req.orgRole === 'org_owner';
}

// ---- middleware variants ----

function requireWorkspace(req, res, next) {
  if (!req.workspaceId) {
    return res.status(403).json({ error: 'No workspace context' });
  }
  next();
}

function requireWorkspaceRead(req, res, next) {
  if (!canRead(req)) {
    return res.status(403).json({ error: 'Workspace access required' });
  }
  next();
}

function requireWorkspaceWrite(req, res, next) {
  if (!canWrite(req)) {
    return res.status(403).json({ error: 'Workspace editor or admin required' });
  }
  next();
}

function requireWorkspaceAdmin(req, res, next) {
  if (!canAdmin(req)) {
    return res.status(403).json({ error: 'Workspace admin required' });
  }
  next();
}

function requireOrgAdmin(req, res, next) {
  if (!isOrgAdmin(req)) {
    return res.status(403).json({ error: 'Organization admin required' });
  }
  next();
}

function requireOrgOwner(req, res, next) {
  if (!isOrgOwner(req)) {
    return res.status(403).json({ error: 'Organization owner required' });
  }
  next();
}

function requirePlatformAdmin(req, res, next) {
  if (!req.user || req.user.role !== 'platform_admin') {
    return res.status(403).json({ error: 'Platform admin required' });
  }
  next();
}

// Decoupled "can admin this workspace" predicate. Unlike canAdmin(req) above,
// this takes an explicit (user, workspace) pair instead of reading from req,
// so it works for routes that operate on a target workspace specified by URL
// param (rename, future settings/delete) rather than the caller's currently
// active one. Does its own DB lookups against workspace_members + organization_members.
function canAdminWorkspace(db, user, workspace) {
  if (!user || !workspace) return false;
  if (user.role === 'platform_admin' || user.role === 'superadmin') return true;
  const om = db.prepare('SELECT role FROM organization_members WHERE organization_id = ? AND user_id = ?')
    .get(workspace.organization_id, user.id);
  if (om && (om.role === 'org_owner' || om.role === 'org_admin')) return true;
  const wm = db.prepare('SELECT role FROM workspace_members WHERE workspace_id = ? AND user_id = ?')
    .get(workspace.id, user.id);
  return wm && wm.role === 'workspace_admin';
}

module.exports = {
  // boolean predicates
  canRead, canWrite, canAdmin, canAdminWorkspace, isOrgAdmin, isOrgOwner,
  // express middleware
  requireWorkspace,
  requireWorkspaceRead,
  requireWorkspaceWrite,
  requireWorkspaceAdmin,
  requireOrgAdmin,
  requireOrgOwner,
  requirePlatformAdmin,
};