Add access control rework

2026-04-02 03:18:37 +02:00
parent 314a26325f
commit 37cac95b38
111 changed files with 5355 additions and 1892 deletions
--- a/toju-app/src/app/store/users/users.effects.ts
+++ b/toju-app/src/app/store/users/users.effects.ts
@@ -35,6 +35,11 @@ import { selectCurrentRoom, selectSavedRooms } from '../rooms/rooms.selectors';
 import { RealtimeSessionFacade } from '../../core/realtime';
 import { DatabaseService } from '../../infrastructure/persistence';
 import { ServerDirectoryFacade } from '../../domains/server-directory';
+import {
+  canManageMember,
+  resolveLegacyRole,
+  resolveRoomPermission
+} from '../../domains/access-control';
 import {
  BanEntry,
  ChatEvent,
@@ -157,7 +162,7 @@ export class UsersEffects {
        if (!room)
          return EMPTY;

-        const canKick = this.canKickInRoom(room, currentUser, currentRoom);
+        const canKick = this.canKickInRoom(room, currentUser, currentRoom, userId);

        if (!canKick)
          return EMPTY;
@@ -227,7 +232,7 @@ export class UsersEffects {
        if (!room)
          return EMPTY;

-        const canBan = this.canBanInRoom(room, currentUser, currentRoom);
+        const canBan = this.canBanInRoom(room, currentUser, currentRoom, userId);

        if (!canBan)
          return EMPTY;
@@ -487,31 +492,19 @@ export class UsersEffects {
  private canModerateRoom(room: Room, currentUser: User, currentRoom: Room | null): boolean {
    const role = this.getCurrentUserRoleForRoom(room, currentUser, currentRoom);

-    return role === 'host' || role === 'admin';
+    return role === 'host' || resolveRoomPermission(room, currentUser, 'manageBans');
  }

-  private canKickInRoom(room: Room, currentUser: User, currentRoom: Room | null): boolean {
-    const role = this.getCurrentUserRoleForRoom(room, currentUser, currentRoom);
-
-    return role === 'host' || role === 'admin' || role === 'moderator';
+  private canKickInRoom(room: Room, currentUser: User, currentRoom: Room | null, targetUserId: string): boolean {
+    return canManageMember(room, currentUser, findRoomMember(room.members ?? [], targetUserId) ?? { id: targetUserId }, 'kickMembers');
  }

-  private canBanInRoom(room: Room, currentUser: User, currentRoom: Room | null): boolean {
-    const role = this.getCurrentUserRoleForRoom(room, currentUser, currentRoom);
-
-    return role === 'host' || role === 'admin';
+  private canBanInRoom(room: Room, currentUser: User, currentRoom: Room | null, targetUserId: string): boolean {
+    return canManageMember(room, currentUser, findRoomMember(room.members ?? [], targetUserId) ?? { id: targetUserId }, 'banMembers');
  }

  private getCurrentUserRoleForRoom(room: Room, currentUser: User, currentRoom: Room | null): User['role'] | null {
-    return (
-      room.hostId === currentUser.id || room.hostId === currentUser.oderId
-    )
-      ? 'host'
-      : (currentRoom?.id === room.id
-        ? currentUser.role
-        : (findRoomMember(room.members ?? [], currentUser.id)?.role
-          || findRoomMember(room.members ?? [], currentUser.oderId)?.role
-          || null));
+    return resolveLegacyRole(currentRoom?.id === room.id ? currentRoom : room, currentUser);
  }

  private removeMemberFromRoom(room: Room, targetUserId: string): Partial<Room> {