myxelium/Toju
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects 2 Releases 33 Wiki Activity

refactor: stricter domain: access-control

Browse Source
This commit is contained in:
SocksOnHead
2026-04-11 13:25:26 +02:00
parent 6800c73292
commit 0b9a9f311e
16 changed files with 46 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
toju-app/src/app/domains/README.md
View File

@@ -9,7 +9,7 @@ infrastructure adapters and UI.
| Domain | Purpose | Public entry point |
| -------------------- | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------- |
| **attachment** | File upload/download, chunk transfer, persistence | `AttachmentFacade` |
| **access-control** | Role, permission, moderation, and room access rules | `normalizeRoomAccessControl()`, `resolveRoomPermission()` |
| **access-control** | Role, permission, ban matching, moderation, and room access rules | `normalizeRoomAccessControl()`, `resolveRoomPermission()`, `hasRoomBanForUser()` |
| **auth** | Login / register HTTP orchestration, user-bar UI | `AuthService` |
| **chat** | Messaging rules, sync logic, GIF/Klipy integration, chat UI | `KlipyService`, `canEditMessage()`, `ChatMessagesComponent` |
| **notifications** | Notification preferences, unread tracking, desktop alert orchestration | `NotificationsFacade` |

21
toju-app/src/app/domains/access-control/README.md
View File

@@ -7,13 +7,18 @@ Role and permission rules for servers, including default system roles, role assi
```
access-control/
├── domain/
│ ├── access-control.models.ts MemberIdentity and RoomPermissionDefinition domain types
── access-control.constants.ts SYSTEM_ROLE_IDS and permission metadata
│ ├── role.rules.ts Role defaults, normalization, ordering, create/update helpers
├── role-assignment.rules.ts Assignment normalization and member-role lookups
│ ├── permission.rules.ts Permission resolution and moderation hierarchy checks
├── room.rules.ts Legacy compatibility, room hydration, room-level normalization
│ └── access-control.logic.ts Public barrel for domain rules
│ ├── models/
│ └── access-control.model.ts MemberIdentity and RoomPermissionDefinition domain types
│ ├── constants/
│ └── access-control.constants.ts SYSTEM_ROLE_IDS and permission metadata
│ ├── util/
│ └── access-control.util.ts Internal helpers (normalization, identity matching, sorting)
│ └── rules/
│ ├── role.rules.ts Role defaults, normalization, ordering, create/update helpers
│ ├── role-assignment.rules.ts Assignment normalization and member-role lookups
│ ├── permission.rules.ts Permission resolution and moderation hierarchy checks
│ ├── room.rules.ts Legacy compatibility, room hydration, room-level normalization
│ └── ban.rules.ts Ban matching and user-ban resolution
└── index.ts Domain barrel used by other layers
```
@@ -29,6 +34,8 @@ access-control/
| `canManageMember(...)` | Applies both permission checks and role hierarchy checks |
| `canManageRole(...)` | Prevents editing roles at or above the actor's highest role |
| `normalizeRoomAccessControl(room)` | Produces a fully hydrated room with normalized roles, assignments, overrides, and legacy compatibility fields |
| `hasRoomBanForUser(bans, user, persistedUserId?)` | Returns true when any active ban entry targets the provided user |
| `isRoomBanMatch(ban, user, persistedUserId?)` | Returns true when a single ban entry targets the provided user |
## Layering

6
toju-app/src/app/domains/access-control/domain/access-control.logic.ts
View File

@@ -1,6 +0,0 @@
export * from './access-control.models';
export * from './access-control.constants';
export * from './role.rules';
export * from './role-assignment.rules';
export * from './permission.rules';
export * from './room.rules';

2
toju-app/src/app/domains/access-control/domain/access-control.constants.ts → toju-app/src/app/domains/access-control/domain/constants/access-control.constants.ts
View File

@@ -1,4 +1,4 @@
import type { RoomPermissionDefinition } from './access-control.models';
import type { RoomPermissionDefinition } from '../models/access-control.model';
export const SYSTEM_ROLE_IDS = {
everyone: 'system-everyone',

2
toju-app/src/app/domains/access-control/domain/access-control.models.ts → toju-app/src/app/domains/access-control/domain/models/access-control.model.ts
View File

@@ -2,7 +2,7 @@ import type {
RoomMember,
RoomPermissionKey,
User
} from '../../../shared-kernel';
} from '../../../../shared-kernel';
export interface RoomPermissionDefinition {
key: RoomPermissionKey;

47
toju-app/src/app/domains/access-control/domain/rules/ban.rules.ts Normal file
View File

@@ -0,0 +1,47 @@
import { BanEntry, User } from '../../../../shared-kernel';
type BanAwareUser = Pick<User, 'id' | 'oderId'> | null | undefined;
/** Build the set of user identifiers that may appear in room ban entries. */
export function getRoomBanCandidateIds(user: BanAwareUser, persistedUserId?: string | null): string[] {
const candidates = [
user?.id,
user?.oderId,
persistedUserId
].filter((value): value is string => typeof value === 'string' && value.trim().length > 0);
return Array.from(new Set(candidates));
}
/** Resolve the user identifier stored by a ban entry, with legacy fallback support. */
export function getRoomBanTargetId(ban: Pick<BanEntry, 'userId' | 'oderId'>): string {
if (typeof ban.userId === 'string' && ban.userId.trim().length > 0) {
return ban.userId;
}
return ban.oderId;
}
/** Return true when the given ban targets the provided user. */
export function isRoomBanMatch(
ban: Pick<BanEntry, 'userId' | 'oderId'>,
user: BanAwareUser,
persistedUserId?: string | null
): boolean {
const candidateIds = getRoomBanCandidateIds(user, persistedUserId);
if (candidateIds.length === 0) {
return false;
}
return candidateIds.includes(getRoomBanTargetId(ban));
}
/** Return true when any active ban entry targets the provided user. */
export function hasRoomBanForUser(
bans: Pick<BanEntry, 'userId' | 'oderId'>[],
user: BanAwareUser,
persistedUserId?: string | null
): boolean {
return bans.some((ban) => isRoomBanMatch(ban, user, persistedUserId));
}

8
toju-app/src/app/domains/access-control/domain/permission.rules.ts → toju-app/src/app/domains/access-control/domain/rules/permission.rules.ts
View File

@@ -4,9 +4,9 @@ import {
Room,
RoomPermissionKey,
RoomRole
} from '../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from './access-control.constants';
import type { MemberIdentity } from './access-control.models';
} from '../../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from '../constants/access-control.constants';
import type { MemberIdentity } from '../models/access-control.model';
import {
buildRoleLookup,
getRolePermissionState,
@@ -14,7 +14,7 @@ import {
normalizePermissionState,
roleSortAscending,
compareText
} from './access-control.internal';
} from '../util/access-control.util';
import { getAssignedRoleIds, getHighestAssignedRole } from './role-assignment.rules';
import { getRoomRoleById, normalizeRoomRoles } from './role.rules';

8
toju-app/src/app/domains/access-control/domain/role-assignment.rules.ts → toju-app/src/app/domains/access-control/domain/rules/role-assignment.rules.ts
View File

@@ -3,9 +3,9 @@ import {
RoomMember,
RoomRole,
RoomRoleAssignment
} from '../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from './access-control.constants';
import type { MemberIdentity } from './access-control.models';
} from '../../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from '../constants/access-control.constants';
import type { MemberIdentity } from '../models/access-control.model';
import {
buildRoleLookup,
compareText,
@@ -13,7 +13,7 @@ import {
matchesIdentity,
roleSortDescending,
uniqueStrings
} from './access-control.internal';
} from '../util/access-control.util';
import { getRoomRoleById, normalizeRoomRoles } from './role.rules';
function sortAssignments(assignments: readonly RoomRoleAssignment[]): RoomRoleAssignment[] {

6
toju-app/src/app/domains/access-control/domain/role.rules.ts → toju-app/src/app/domains/access-control/domain/rules/role.rules.ts
View File

@@ -2,8 +2,8 @@ import {
RoomPermissionMatrix,
RoomPermissions,
RoomRole
} from '../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from './access-control.constants';
} from '../../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from '../constants/access-control.constants';
import {
buildRoleLookup,
buildSystemRole,
@@ -12,7 +12,7 @@ import {
normalizePermissionMatrix,
roleSortAscending,
roleSortDescending
} from './access-control.internal';
} from '../util/access-control.util';
const ROLE_COLORS = {
everyone: '#6b7280',

8
toju-app/src/app/domains/access-control/domain/room.rules.ts → toju-app/src/app/domains/access-control/domain/rules/room.rules.ts
View File

@@ -7,14 +7,14 @@ import {
RoomRole,
RoomRoleAssignment,
UserRole
} from '../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from './access-control.constants';
} from '../../../../shared-kernel';
import { SYSTEM_ROLE_IDS } from '../constants/access-control.constants';
import {
getRolePermissionState,
permissionStateToBoolean,
resolveLegacyAllowState
} from './access-control.internal';
import type { MemberIdentity } from './access-control.models';
} from '../util/access-control.util';
import type { MemberIdentity } from '../models/access-control.model';
import {
getAssignedRoleIds,
normalizeRoomRoleAssignments,

4
toju-app/src/app/domains/access-control/domain/access-control.internal.ts → toju-app/src/app/domains/access-control/domain/util/access-control.util.ts
View File

@@ -5,8 +5,8 @@ import {
RoomRole,
RoomRoleAssignment,
ROOM_PERMISSION_KEYS
} from '../../../shared-kernel';
import type { MemberIdentity } from './access-control.models';
} from '../../../../shared-kernel';
import type { MemberIdentity } from '../models/access-control.model';
export function normalizeName(name: string): string {
return name.trim().replace(/\s+/g, ' ');

13
toju-app/src/app/domains/access-control/index.ts
View File

@@ -1,6 +1,7 @@
export * from './domain/access-control.models';
export * from './domain/access-control.constants';
export * from './domain/role.rules';
export * from './domain/role-assignment.rules';
export * from './domain/permission.rules';
export * from './domain/room.rules';
export * from './domain/models/access-control.model';
export * from './domain/constants/access-control.constants';
export * from './domain/rules/role.rules';
export * from './domain/rules/role-assignment.rules';
export * from './domain/rules/permission.rules';
export * from './domain/rules/room.rules';
export * from './domain/rules/ban.rules';

2
toju-app/src/app/domains/server-directory/feature/server-search/server-search.component.ts
View File

@@ -40,7 +40,7 @@ import { type ServerInfo } from '../../domain/server-directory.models';
import { ServerDirectoryFacade } from '../../application/server-directory.facade';
import { selectCurrentUser } from '../../../../store/users/users.selectors';
import { ConfirmDialogComponent } from '../../../../shared';
import { hasRoomBanForUser } from '../../../../core/helpers/room-ban.helpers';
import { hasRoomBanForUser } from '../../../access-control';
@Component({
selector: 'app-server-search',