d4dbf44781
Complete Script Generator feature including: Backend: - ScriptCategory, ScriptTemplate, ScriptGeneration models - ScriptTemplateEngine with substitution, filters, sanitization - CRUD + share API endpoints with permission checks - Integration tests for permissions and sharing - Migration 057 with AD User Management seed templates Frontend — Script Library: - Browse templates with category tabs and search - Configure pane with parameter form and script generation - Script preview with live substitution and copy/download - scriptGeneratorStore Zustand store Frontend — Template Editor: - Full CRUD form with metadata, script body (Monaco Editor), parameters - ParameterSchemaBuilder with visual builder + JSON toggle - ScriptManagePage with routing and nav link Frontend — Parameter Detector: - Client-side PowerShell parameter detection engine - Detects script-level param() blocks and variable assignments - Type inference from PS type annotations and value patterns - ParameterDetectorStepper one-by-one review UI with accept/skip Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
87 lines
2.8 KiB
TypeScript
87 lines
2.8 KiB
TypeScript
/**
|
|
* Centralized permissions hook for ResolutionFlow.
|
|
*
|
|
* Role hierarchy: super_admin > owner > engineer > viewer
|
|
*
|
|
* Mirrors backend logic in backend/app/core/permissions.py
|
|
*/
|
|
import { useAuthStore } from '@/store/authStore'
|
|
import type { User } from '@/types'
|
|
|
|
export type EffectiveRole = 'super_admin' | 'owner' | 'engineer' | 'viewer'
|
|
|
|
const ROLE_HIERARCHY: Record<EffectiveRole, number> = {
|
|
super_admin: 4,
|
|
owner: 3,
|
|
engineer: 2,
|
|
viewer: 1,
|
|
}
|
|
|
|
function getEffectiveRole(user: User | null): EffectiveRole {
|
|
if (!user) return 'viewer'
|
|
if (user.is_super_admin) return 'super_admin'
|
|
if (user.account_role === 'owner') return 'owner'
|
|
return user.role as EffectiveRole
|
|
}
|
|
|
|
function hasMinimumRole(user: User | null, minimum: EffectiveRole): boolean {
|
|
const effective = getEffectiveRole(user)
|
|
return ROLE_HIERARCHY[effective] >= ROLE_HIERARCHY[minimum]
|
|
}
|
|
|
|
export function usePermissions() {
|
|
const { user } = useAuthStore()
|
|
|
|
const effectiveRole = getEffectiveRole(user)
|
|
|
|
return {
|
|
effectiveRole,
|
|
isSuperAdmin: effectiveRole === 'super_admin',
|
|
isAccountOwner: effectiveRole === 'owner' || effectiveRole === 'super_admin',
|
|
isEngineer: hasMinimumRole(user, 'engineer'),
|
|
isViewer: effectiveRole === 'viewer',
|
|
|
|
// Content creation permissions
|
|
canCreateTrees: hasMinimumRole(user, 'engineer'),
|
|
canCreateSteps: hasMinimumRole(user, 'engineer'),
|
|
|
|
// Resource-specific checks
|
|
canEditTree: (tree: { author_id: string | null; account_id?: string | null }) => {
|
|
if (!user) return false
|
|
if (user.is_super_admin) return true
|
|
if (!hasMinimumRole(user, 'engineer')) return false
|
|
if (tree.author_id && tree.author_id === user.id) return true
|
|
if (user.account_role === 'owner' && tree.account_id === user.account_id && user.account_id) return true
|
|
return false
|
|
},
|
|
|
|
canDeleteTree: () => {
|
|
if (!user) return false
|
|
return user.is_super_admin
|
|
},
|
|
|
|
canEditStep: (step: { created_by: string }) => {
|
|
if (!user) return false
|
|
if (user.is_super_admin) return true
|
|
if (!hasMinimumRole(user, 'engineer')) return false
|
|
return step.created_by === user.id
|
|
},
|
|
|
|
// Management permissions
|
|
canManageCategories: hasMinimumRole(user, 'owner'),
|
|
canManageGlobalCategories: effectiveRole === 'super_admin',
|
|
canManageAccount: effectiveRole === 'super_admin' || effectiveRole === 'owner',
|
|
|
|
canManageScriptTemplate: (template: { created_by: string | null; team_id?: string | null }) => {
|
|
if (!user) return false
|
|
if (user.is_super_admin) return true
|
|
if (user.account_role === 'owner') return true
|
|
return template.created_by === user.id
|
|
},
|
|
|
|
canShareScriptTemplate: effectiveRole === 'super_admin' || effectiveRole === 'owner',
|
|
|
|
canCreateScriptTemplate: hasMinimumRole(user, 'engineer'),
|
|
}
|
|
}
|