NORY-46: refactor permission checks after rebase

2025-04-18 00:21:18 +00:00 · 2025-04-08 10:52:47 +02:00 · 2025-04-08 10:52:47 +02:00 · 222a93886b
commit 222a93886b
parent d9a3cde169
3 changed files with 51 additions and 25 deletions
--- a/dashboard/src/app/(inside)/client/page.tsx
+++ b/dashboard/src/app/(inside)/client/page.tsx
@ -1,7 +1,10 @@
 import { getOAuth2Api } from '@/ory/sdk/server';
-import { ClientDataTable } from '@/app/(inside)/client/data-table';
 import { Button } from '@/components/ui/button';
 import Link from 'next/link';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import InsufficientPermission from '@/components/insufficient-permission';
+import { ClientDataTable } from '@/app/(inside)/client/data-table';

 export interface FetchClientPageProps {
    pageSize: number;
@ -31,6 +34,12 @@ function parseTokens(link: string) {
 async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {
    'use server';

+    const session = await requireSession();
+    const allowed = await checkPermission(permission.client.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
    const oAuth2Api = await getOAuth2Api();
    const response = await oAuth2Api.listOAuth2Clients({
        pageSize: pageSize,
@ -45,10 +54,16 @@ async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {

 export default async function ListClientPage() {

+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    const pmAccessClient = await checkPermission(permission.client.it, relation.access, identityId);
+    const pmCreateClient = await checkPermission(permission.client.it, relation.create, identityId);
+
    let pageSize = 100;
    let pageToken: string = '00000000-0000-0000-0000-000000000000';

-    const initialFetch = await fetchClientPage({ pageSize, pageToken });
+    const initialFetch = pmAccessClient && await fetchClientPage({ pageSize, pageToken });

    return (
        <div className="space-y-4">
@ -57,17 +72,31 @@ export default async function ListClientPage() {
                <p className="text-lg font-light">
                    See and manage all OAuth2 clients registered with your Ory Hydra instance
                </p>
-                <Button className="absolute bottom-0 right-0" asChild>
-                    <Link href="/client/create">
-                        Create new client
-                    </Link>
-                </Button>
+                {
+                    pmCreateClient && (
+                        <Button className="absolute bottom-0 right-0" asChild>
+                            <Link href="/client/create">
+                                Create new client
+                            </Link>
+                        </Button>
+                    )
+                }
            </div>
-            <ClientDataTable
-                data={initialFetch.data}
-                pageSize={pageSize}
-                pageToken={initialFetch.tokens.get('next')}
-                fetchClientPage={fetchClientPage}/>
+            {
+                pmAccessClient ?
+                    (
+                        initialFetch && <ClientDataTable
+                            data={initialFetch.data}
+                            pageSize={pageSize}
+                            pageToken={initialFetch.tokens.get('next')}
+                            fetchClientPage={fetchClientPage}/>
+                    )
+                    :
+                    <InsufficientPermission
+                        permission={permission.client.it}
+                        relation={relation.access}
+                        identityId={identityId}/>
+            }
        </div>
    );
 }
--- a/dashboard/src/lib/action/client.ts
+++ b/dashboard/src/lib/action/client.ts
@ -2,24 +2,18 @@

 import { clientFormSchema } from '@/lib/forms/client-form';
 import { z } from 'zod';
-import { getFrontendApi, getOAuth2Api } from '@/ory/sdk/server';
-import { cookies } from 'next/headers';
+import { getOAuth2Api } from '@/ory/sdk/server';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';

 export async function createClient(
    formData: z.infer<typeof clientFormSchema>,
 ) {

-    const cookie = await cookies();
-    const frontendApi = await getFrontendApi();
-
-    const session = await frontendApi
-        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
-        .then((response) => response.data)
-        .catch(() => null);
-
-    if (!session) {
-        console.log('Unauthorised action call');
-        throw 'Unauthorised';
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.client.it, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
    }

    console.log(session.identity?.traits.email, 'posted form', formData);
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@ -13,6 +13,9 @@ export const permission = {
        state: 'admin.user.state',
        trait: 'admin.user.trait',
    },
+    client: {
+        it: 'admin.client',
+    },
 };

 export const relation = {