myxelium/Toju
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects 2 Releases 36 Wiki Activity
Files
37cac95b3817ff38b8f944d85a7a86d4fbb58454
Toju/toju-app/src/app/domains/access-control
History
Myx 37cac95b38 Add access control rework
2026-04-02 03:18:37 +02:00
..
domain
Add access control rework
2026-04-02 03:18:37 +02:00
index.ts
Add access control rework
2026-04-02 03:18:37 +02:00
README.md
Add access control rework
2026-04-02 03:18:37 +02:00

README.md

Access Control Domain

Role and permission rules for servers, including default system roles, role assignment normalization, permission resolution, legacy compatibility mapping, and room-level access-control hydration.

Module map

access-control/
├── domain/
│   ├── access-control.models.ts            MemberIdentity and RoomPermissionDefinition domain types
│   ├── access-control.constants.ts         SYSTEM_ROLE_IDS and permission metadata
│   ├── role.rules.ts                       Role defaults, normalization, ordering, create/update helpers
│   ├── role-assignment.rules.ts            Assignment normalization and member-role lookups
│   ├── permission.rules.ts                 Permission resolution and moderation hierarchy checks
│   ├── room.rules.ts                       Legacy compatibility, room hydration, room-level normalization
│   └── access-control.logic.ts             Public barrel for domain rules
│
└── index.ts                                Domain barrel used by other layers

Domain rules

Function Purpose
normalizeRoomRoles(room.roles, room.permissions) Repairs missing/default roles and keeps role ordering stable
normalizeRoomRoleAssignments(...) Deduplicates and backfills member role assignments from legacy member role fields
normalizeChannelPermissionOverrides(...) Deduplicates valid channel overrides and drops invalid references
resolveRoomPermission(room, identity, permission, channelId?) Resolves effective permission state including overrides
canManageMember(...) Applies both permission checks and role hierarchy checks
canManageRole(...) Prevents editing roles at or above the actor's highest role
normalizeRoomAccessControl(room) Produces a fully hydrated room with normalized roles, assignments, overrides, and legacy compatibility fields

Layering

  • Domain rules stay pure and only depend on shared-kernel contracts plus other files in this domain.
  • Renderer shells and NgRx effects should keep importing from src/app/domains/access-control/ instead of internal files.
  • Legacy room.permissions booleans remain compatibility output only; normalized data lives on roles, roleAssignments, channelPermissions, and slowModeInterval.
Reference in New Issue View Git Blame Copy Permalink