refactor: stricter domain: access-control

2026-04-11 13:25:26 +02:00
parent 6800c73292
commit 0b9a9f311e
16 changed files with 46 additions and 44 deletions
--- a/toju-app/src/app/domains/access-control/README.md
+++ b/toju-app/src/app/domains/access-control/README.md
@@ -7,13 +7,18 @@ Role and permission rules for servers, including default system roles, role assi
 ```
 access-control/
 ├── domain/
-│   ├── access-control.models.ts            MemberIdentity and RoomPermissionDefinition domain types
-│   ├── access-control.constants.ts         SYSTEM_ROLE_IDS and permission metadata
-│   ├── role.rules.ts                       Role defaults, normalization, ordering, create/update helpers
-│   ├── role-assignment.rules.ts            Assignment normalization and member-role lookups
-│   ├── permission.rules.ts                 Permission resolution and moderation hierarchy checks
-│   ├── room.rules.ts                       Legacy compatibility, room hydration, room-level normalization
-│   └── access-control.logic.ts             Public barrel for domain rules
+│   ├── models/
+│   │   └── access-control.model.ts         MemberIdentity and RoomPermissionDefinition domain types
+│   ├── constants/
+│   │   └── access-control.constants.ts     SYSTEM_ROLE_IDS and permission metadata
+│   ├── util/
+│   │   └── access-control.util.ts          Internal helpers (normalization, identity matching, sorting)
+│   └── rules/
+│       ├── role.rules.ts                   Role defaults, normalization, ordering, create/update helpers
+│       ├── role-assignment.rules.ts        Assignment normalization and member-role lookups
+│       ├── permission.rules.ts             Permission resolution and moderation hierarchy checks
+│       ├── room.rules.ts                   Legacy compatibility, room hydration, room-level normalization
+│       └── ban.rules.ts                    Ban matching and user-ban resolution
 │
 └── index.ts                                Domain barrel used by other layers
 ```
@@ -29,6 +34,8 @@ access-control/
 | `canManageMember(...)`                                          | Applies both permission checks and role hierarchy checks                                                      |
 | `canManageRole(...)`                                            | Prevents editing roles at or above the actor's highest role                                                   |
 | `normalizeRoomAccessControl(room)`                              | Produces a fully hydrated room with normalized roles, assignments, overrides, and legacy compatibility fields |
+| `hasRoomBanForUser(bans, user, persistedUserId?)`               | Returns true when any active ban entry targets the provided user                                              |
+| `isRoomBanMatch(ban, user, persistedUserId?)`                   | Returns true when a single ban entry targets the provided user                                                |

 ## Layering