Merge public-gh/master into paperclip-company-import-export

2026-03-20 06:25:24 -05:00
parent 5f2b1b63c2 dfdd3784b9
commit d07d86f778
41 changed files with 11912 additions and 392 deletions
--- a/server/src/services/access.ts
+++ b/server/src/services/access.ts
@@ -279,6 +279,86 @@ export function accessService(db: Db) {
    return sourceMemberships;
  }

+  async function listPrincipalGrants(
+    companyId: string,
+    principalType: PrincipalType,
+    principalId: string,
+  ) {
+    return db
+      .select()
+      .from(principalPermissionGrants)
+      .where(
+        and(
+          eq(principalPermissionGrants.companyId, companyId),
+          eq(principalPermissionGrants.principalType, principalType),
+          eq(principalPermissionGrants.principalId, principalId),
+        ),
+      )
+      .orderBy(principalPermissionGrants.permissionKey);
+  }
+
+  async function setPrincipalPermission(
+    companyId: string,
+    principalType: PrincipalType,
+    principalId: string,
+    permissionKey: PermissionKey,
+    enabled: boolean,
+    grantedByUserId: string | null,
+    scope: Record<string, unknown> | null = null,
+  ) {
+    if (!enabled) {
+      await db
+        .delete(principalPermissionGrants)
+        .where(
+          and(
+            eq(principalPermissionGrants.companyId, companyId),
+            eq(principalPermissionGrants.principalType, principalType),
+            eq(principalPermissionGrants.principalId, principalId),
+            eq(principalPermissionGrants.permissionKey, permissionKey),
+          ),
+        );
+      return;
+    }
+
+    await ensureMembership(companyId, principalType, principalId, "member", "active");
+
+    const existing = await db
+      .select()
+      .from(principalPermissionGrants)
+      .where(
+        and(
+          eq(principalPermissionGrants.companyId, companyId),
+          eq(principalPermissionGrants.principalType, principalType),
+          eq(principalPermissionGrants.principalId, principalId),
+          eq(principalPermissionGrants.permissionKey, permissionKey),
+        ),
+      )
+      .then((rows) => rows[0] ?? null);
+
+    if (existing) {
+      await db
+        .update(principalPermissionGrants)
+        .set({
+          scope,
+          grantedByUserId,
+          updatedAt: new Date(),
+        })
+        .where(eq(principalPermissionGrants.id, existing.id));
+      return;
+    }
+
+    await db.insert(principalPermissionGrants).values({
+      companyId,
+      principalType,
+      principalId,
+      permissionKey,
+      scope,
+      grantedByUserId,
+      createdAt: new Date(),
+      updatedAt: new Date(),
+    });
+  }
+
  return {
    isInstanceAdmin,
    canUser,
@@ -294,5 +374,7 @@ export function accessService(db: Db) {
    listUserCompanyAccess,
    setUserCompanyAccess,
    setPrincipalGrants,
+    listPrincipalGrants,
+    setPrincipalPermission,
  };
 }