diff --git a/dashboard/src/app/(inside)/client/page.tsx b/dashboard/src/app/(inside)/client/page.tsx index be59eba..42e0092 100644 --- a/dashboard/src/app/(inside)/client/page.tsx +++ b/dashboard/src/app/(inside)/client/page.tsx @@ -1,7 +1,10 @@ import { getOAuth2Api } from '@/ory/sdk/server'; -import { ClientDataTable } from '@/app/(inside)/client/data-table'; import { Button } from '@/components/ui/button'; import Link from 'next/link'; +import { checkPermission, requireSession } from '@/lib/action/authentication'; +import { permission, relation } from '@/lib/permission'; +import InsufficientPermission from '@/components/insufficient-permission'; +import { ClientDataTable } from '@/app/(inside)/client/data-table'; export interface FetchClientPageProps { pageSize: number; @@ -31,6 +34,12 @@ function parseTokens(link: string) { async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) { 'use server'; + const session = await requireSession(); + const allowed = await checkPermission(permission.client.it, relation.access, session.identity!.id); + if (!allowed) { + throw Error('Unauthorised'); + } + const oAuth2Api = await getOAuth2Api(); const response = await oAuth2Api.listOAuth2Clients({ pageSize: pageSize, @@ -45,10 +54,16 @@ async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) { export default async function ListClientPage() { + const session = await requireSession(); + const identityId = session.identity!.id; + + const pmAccessClient = await checkPermission(permission.client.it, relation.access, identityId); + const pmCreateClient = await checkPermission(permission.client.it, relation.create, identityId); + let pageSize = 100; let pageToken: string = '00000000-0000-0000-0000-000000000000'; - const initialFetch = await fetchClientPage({ pageSize, pageToken }); + const initialFetch = pmAccessClient && await fetchClientPage({ pageSize, pageToken }); return (
@@ -57,17 +72,31 @@ export default async function ListClientPage() {

See and manage all OAuth2 clients registered with your Ory Hydra instance

- + { + pmCreateClient && ( + + ) + }
- + { + pmAccessClient ? + ( + initialFetch && + ) + : + + } ); } diff --git a/dashboard/src/lib/action/client.ts b/dashboard/src/lib/action/client.ts index 5cc2799..fb5156b 100644 --- a/dashboard/src/lib/action/client.ts +++ b/dashboard/src/lib/action/client.ts @@ -2,24 +2,18 @@ import { clientFormSchema } from '@/lib/forms/client-form'; import { z } from 'zod'; -import { getFrontendApi, getOAuth2Api } from '@/ory/sdk/server'; -import { cookies } from 'next/headers'; +import { getOAuth2Api } from '@/ory/sdk/server'; +import { checkPermission, requireSession } from '@/lib/action/authentication'; +import { permission, relation } from '@/lib/permission'; export async function createClient( formData: z.infer, ) { - const cookie = await cookies(); - const frontendApi = await getFrontendApi(); - - const session = await frontendApi - .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value }) - .then((response) => response.data) - .catch(() => null); - - if (!session) { - console.log('Unauthorised action call'); - throw 'Unauthorised'; + const session = await requireSession(); + const allowed = await checkPermission(permission.client.it, relation.create, session.identity!.id); + if (!allowed) { + throw Error('Unauthorised'); } console.log(session.identity?.traits.email, 'posted form', formData); diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts index 9fc8ba0..38619ac 100644 --- a/dashboard/src/lib/permission.ts +++ b/dashboard/src/lib/permission.ts @@ -13,6 +13,9 @@ export const permission = { state: 'admin.user.state', trait: 'admin.user.trait', }, + client: { + it: 'admin.client', + }, }; export const relation = {