From 222a93886b6ec9a0d53ccca102a7701efda3bcef Mon Sep 17 00:00:00 2001
From: Markus Thielker
Date: Tue, 8 Apr 2025 10:52:47 +0200
Subject: [PATCH] NORY-46: refactor permission checks after rebase

---
 dashboard/src/app/(inside)/client/page.tsx | 53 +++++++++++++++++-----
 dashboard/src/lib/action/client.ts | 20 +++-----
 dashboard/src/lib/permission.ts | 3 ++
 3 files changed, 51 insertions(+), 25 deletions(-)

diff --git a/dashboard/src/app/(inside)/client/page.tsx b/dashboard/src/app/(inside)/client/page.tsx
index be59eba..42e0092 100644
--- a/dashboard/src/app/(inside)/client/page.tsx
+++ b/dashboard/src/app/(inside)/client/page.tsx
@@ -1,7 +1,10 @@
 import { getOAuth2Api } from '@/ory/sdk/server';
-import { ClientDataTable } from '@/app/(inside)/client/data-table';
 import { Button } from '@/components/ui/button';
 import Link from 'next/link';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import InsufficientPermission from '@/components/insufficient-permission';
+import { ClientDataTable } from '@/app/(inside)/client/data-table';
 
 export interface FetchClientPageProps {
 pageSize: number;
@@ -31,6 +34,12 @@ function parseTokens(link: string) {
 async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {
 'use server';
 
+ const session = await requireSession();
+ const allowed = await checkPermission(permission.client.it, relation.access, session.identity!.id);
+ if (!allowed) {
+ throw Error('Unauthorised');
+ }
+
 const oAuth2Api = await getOAuth2Api();
 const response = await oAuth2Api.listOAuth2Clients({
 pageSize: pageSize,
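Review bot: The check added to fetchClientPage reads `session.identity!.id`, so a session object that carries no identity would fail on that line with a TypeError instead of through the `Unauthorised` branch directly below it; whether requireSession can return such a session is not visible here, but the `!` hides the assumption. The same assertion is introduced in ListClientPage (next hunk) and in createClient in dashboard/src/lib/action/client.ts, where the unchanged log line uses optional chaining on `session.identity?.traits.email`, so both styles now sit side by side. I would narrow once and fail closed: `const identityId = session.identity?.id; if (!identityId) throw Error('Unauthorised');` and pass `identityId` to checkPermission. It is right that fetchClientPage, a 'use server' function, carries its own check rather than relying on the page that calls it; its body continues past the end of this hunk.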
@@ -45,10 +54,16 @@ async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {
 export default async function ListClientPage() {
+ const session = await requireSession();
+ const identityId = session.identity!.id;
+
+ const pmAccessClient = await checkPermission(permission.client.it, relation.access, identityId);
+ const pmCreateClient = await checkPermission(permission.client.it, relation.create, identityId);
+
 let pageSize = 100;
 let pageToken: string = '00000000-0000-0000-0000-000000000000';
- const initialFetch = await fetchClientPage({ pageSize, pageToken });
+ const initialFetch = pmAccessClient && await fetchClientPage({ pageSize, pageToken });
 return (
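Review bot: The two checkPermission calls added at the top of ListClientPage do not depend on each other but are awaited in sequence, so the second only starts once the first has resolved; if checkPermission is a remote call (presumably, since it takes a subject id) that is a serial round trip on every page load. `const [pmAccessClient, pmCreateClient] = await Promise.all([checkPermission(permission.client.it, relation.access, identityId), checkPermission(permission.client.it, relation.create, identityId)]);` yields the same values. The rewritten `initialFetch` line also widens its type, because `pmAccessClient && await …` evaluates to `false` (assuming checkPermission resolves to a boolean, as the `if (!allowed)` usage suggests) when access is denied; `const initialFetch = pmAccessClient ? await fetchClientPage({ pageSize, pageToken }) : undefined;` keeps the later `initialFetch &&` guard working with a clearer type. ListClientPage's body continues past the end of this hunk.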
@@ -57,17 +72,31 @@ export default async function ListClientPage() {

See and manage all OAuth2 clients registered with your Ory Hydra instance

- + { + pmCreateClient && ( + + ) + }
- + { + pmAccessClient ? + ( + initialFetch && + ) + : + + } ); }
diff --git a/dashboard/src/lib/action/client.ts b/dashboard/src/lib/action/client.ts
index 5cc2799..fb5156b 100644
--- a/dashboard/src/lib/action/client.ts
+++ b/dashboard/src/lib/action/client.ts
@@ -2,24 +2,18 @@
 import { clientFormSchema } from '@/lib/forms/client-form';
 import { z } from 'zod';
-import { getFrontendApi, getOAuth2Api } from '@/ory/sdk/server';
-import { cookies } from 'next/headers';
+import { getOAuth2Api } from '@/ory/sdk/server';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 export async function createClient(
 formData: z.infer,
 ) {
- const cookie = await cookies();
- const frontendApi = await getFrontendApi();
-
- const session = await frontendApi
- .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
- .then((response) => response.data)
- .catch(() => null);
-
- if (!session) {
- console.log('Unauthorised action call');
- throw 'Unauthorised';
+ const session = await requireSession();
+ const allowed = await checkPermission(permission.client.it, relation.create, session.identity!.id);
+ if (!allowed) {
+ throw Error('Unauthorised');
 }
 console.log(session.identity?.traits.email, 'posted form', formData);
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 9fc8ba0..38619ac 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -13,6 +13,9 @@ export const permission = {
 state: 'admin.user.state',
 trait: 'admin.user.trait',
 },
+ client: {
+ it: 'admin.client',
+ },
 };
 
 export const relation = {
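Review bot: In the dashboard/src/lib/action/client.ts hunk, the unchanged `console.log(session.identity?.traits.email, 'posted form', formData)` now runs directly after the new permission check and still writes the whole formData object to the server log; if clientFormSchema contains a client secret or similar credential (its fields are not visible here), that value ends up in the logs of every successful create. Log the actor and a non-secret identifier of the client rather than the entire object, e.g. `console.log(session.identity?.traits.email, 'posted form for client', <non-secret name field from clientFormSchema>)`. The comment I would attach to that line is `// do not log the full form: it may carry credentials`. createClient continues beyond the end of the hunk.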
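Review bot: The new `client: { it: 'admin.client' }` entry in dashboard/src/lib/permission.ts carries no comment, and the key name `it` does not explain its relation to the sibling `user` entries, which are split per aspect (`state`, `trait`); a reader cannot tell whether one object is meant to cover every OAuth2-client operation or whether per-aspect entries are still expected. Add above `client: {` a comment such as `// single permission object for all OAuth2-client operations; the relation (access, create) selects the action`.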