quietlight/skraak.app - Change HVD2NGYM4J2PKQ72SFMXLBGQPKPCGDRB54IK3ISOQZDWKGM3WGQQC

added access control to datasets

Created by AEj8dahVWy718uSSFPe9VSRJ5qX5G8pC2zvFzJJ8yzBd on May 24, 2025

HVD2NGYM4J2PKQ72SFMXLBGQPKPCGDRB54IK3ISOQZDWKGM3WGQQC

Dependencies

In channels

main

Change contents

Replacement in src/worker/index.ts at line 31 [5.240196]
B:BD[4.36] → [4.36:44]
```
  label
```
[4.36]
[6.171]
```
  label,
  accessGrant,
  userRole
```

Insertion in src/worker/index.ts at line 77 [5.240196]

[5.240269]


/**
 * Helper function to check if a user has a specific permission for a dataset
 * 
 * @param db - Database connection
 * @param userId - User ID to check permissions for
 * @param datasetId - Dataset ID to check permissions for
 * @param permission - Permission to check (READ, EDIT, DELETE, etc.)
 * @returns Promise<boolean> - True if user has permission, false otherwise
 */
async function checkUserPermission(
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  db: any, 
  userId: string, 
  datasetId: string, 
  permission: string
): Promise<boolean> {
  try {
    // First check if user is the owner (owners have all permissions)
    const ownerCheck = await db
      .select({ owner: dataset.owner })
      .from(dataset)
      .where(eq(dataset.id, datasetId))
      .limit(1);
    
    if (ownerCheck.length > 0 && ownerCheck[0].owner === userId) {
      return true;
    }
    
    // Get user's role
    const userRoleResult = await db
      .select({ role: userRole.role })
      .from(userRole)
      .where(eq(userRole.userId, userId))
      .limit(1);
    
    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';
    
    // Check access grants
    const grants = await db
      .select({ permission: accessGrant.permission })
      .from(accessGrant)
      .where(sqlExpr`
        ${accessGrant.datasetId} = ${datasetId} AND 
        ${accessGrant.permission} = ${permission} AND 
        ${accessGrant.active} = true AND
        (
          (${accessGrant.userId} = ${userId}) OR 
          (${accessGrant.userId} IS NULL AND ${accessGrant.role} = ${userRoleName})
        )
      `)
      .limit(1);
    
    return grants.length > 0;
  } catch (error) {
    console.error('Error checking user permission:', error);
    return false;
  }
}

Replacement in src/worker/index.ts at line 221 [5.240196]

B:BD[7.1159] → [7.1159:1200]

 * Protected API route to fetch datasets

[7.1159]

[2.4419]

 * Protected API route to fetch datasets with role-based access control

Replacement in src/worker/index.ts at line 226 [5.240196]

B:BD[2.4521] → [2.4521:4619]

 *   - data: Array of dataset objects with id, name, description, public status, createdAt, owner

[2.4521]

[2.4619]

 *   - data: Array of dataset objects with permissions for the authenticated user

Replacement in src/worker/index.ts at line 228 [5.240196]

B:BD[2.4678] → [2.4678:4738]

 * @description Returns active datasets limited to 20 items

[2.4678]

[2.4738]

 * @description Returns datasets the user has READ access to, along with their specific permissions

Replacement in src/worker/index.ts at line 232 [5.240196]

B:BD[2.4785] → [2.4785:4899]

 *       { "id": "123", "name": "Bird Sounds 2024", "description": "Costa Rica recordings", "public": true, ... }

[2.4785]

[2.4899]

 *       { 
 *         "id": "123", 
 *         "name": "Bird Sounds 2024", 
 *         "description": "Costa Rica recordings", 
 *         "public": true, 
 *         "permissions": ["READ", "EDIT", "DELETE"]
 *       }

Replacement in src/worker/index.ts at line 247 [5.240196]

B:BD[8.18003] → [9.11:112]

    const userId = jwtPayload.sub; // User ID from JWT // Subject claim usually contains the user ID

[8.18003]

[10.11868]

    const userId = jwtPayload.sub; // User ID from JWT

Replacement in src/worker/index.ts at line 253 [5.240196]

B:BD[10.11910] → [11.5567:5630]

B:BD[11.5630] → [12.11:100]

B:BD[12.100] → [13.11:349]

    // Query datasets that are owned by the authenticated user
    // const results = await db.select().from(dataset).where(eq(dataset.owner, userId));
    const results = await db.select({
      id: dataset.id,
      name: dataset.name,
      description: dataset.description,
      public: dataset.public,
      createdAt: dataset.createdAt,
      owner: dataset.owner
    }).from(dataset)
      .where(eq(dataset.active, true))
      .limit(20); // Add pagination with 20 datasets limit

[10.11910]

[14.125309]

    // First, get the user's role
    const userRoleResult = await db
      .select({ role: userRole.role })
      .from(userRole)
      .where(eq(userRole.userId, userId))
      .limit(1);
    
    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';
    
    // Query to get datasets with permissions
    // This complex query gets datasets where the user has READ access either through:
    // 1. Direct user-specific grants
    // 2. Role-based grants for their role
    // 3. Being the owner of the dataset
    const results = await db
      .select({
        id: dataset.id,
        name: dataset.name,
        description: dataset.description,
        public: dataset.public,
        createdAt: dataset.createdAt,
        owner: dataset.owner,
        type: dataset.type,
        permission: accessGrant.permission,
        userId: accessGrant.userId
      })
      .from(dataset)
      .leftJoin(
        accessGrant,
        sqlExpr`${accessGrant.datasetId} = ${dataset.id} AND ${accessGrant.active} = true AND (
          (${accessGrant.userId} = ${userId}) OR 
          (${accessGrant.userId} IS NULL AND ${accessGrant.role} = ${userRoleName})
        )`
      )
      .where(sqlExpr`
        ${dataset.active} = true AND (
          ${dataset.owner} = ${userId} OR
          ${accessGrant.permission} IS NOT NULL
        )
      `)
      .orderBy(dataset.name);
    
    // Group results by dataset and collect permissions
    const datasetMap = new Map<string, {
      id: string;
      name: string;
      description: string | null;
      public: boolean;
      createdAt: string;
      owner: string;
      type: string;
      permissions: string[];
    }>();
    
    results.forEach(row => {
      if (!datasetMap.has(row.id)) {
        // If user is owner, they have all permissions
        const isOwner = row.owner === userId;
        const basePermissions = isOwner ? ['READ', 'UPLOAD', 'DOWNLOAD', 'EDIT', 'DELETE'] : [];
        
        datasetMap.set(row.id, {
          id: row.id,
          name: row.name,
          description: row.description,
          public: row.public ?? false,
          createdAt: row.createdAt?.toISOString() ?? new Date().toISOString(),
          owner: row.owner,
          type: row.type,
          permissions: basePermissions
        });
      }
      
      // Add permission from access grants (avoid duplicates)
      if (row.permission && !datasetMap.get(row.id)!.permissions.includes(row.permission)) {
        datasetMap.get(row.id)!.permissions.push(row.permission);
      }
    });
    
    // Filter datasets to only include those with READ permission
    const datasetsWithReadAccess = Array.from(datasetMap.values())
      .filter(dataset => dataset.permissions.includes('READ'))
      .slice(0, 20); // Limit to 20 datasets

Replacement in src/worker/index.ts at line 337 [5.240196]

B:BD[14.125334] → [14.125334:125355]

B:BD[14.125355] → [10.12038:12105]

      data: results,
      userId: userId // Include user ID for debugging/confirmation

[14.125334]

[14.125355]

      data: datasetsWithReadAccess,
      userId: userId,
      userRole: userRoleName

Insertion in src/worker/index.ts at line 1348 [5.240196]

[15.982]

    // Connect to the database first to check permissions
    const sql = neon(c.env.DATABASE_URL);
    const db = drizzle(sql);
    
    // Check if user has permission to create datasets (ADMIN or CURATOR roles)
    const userRoleResult = await db
      .select({ role: userRole.role })
      .from(userRole)
      .where(eq(userRole.userId, userId))
      .limit(1);
    
    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';
    
    if (userRoleName !== 'ADMIN' && userRoleName !== 'CURATOR') {
      return c.json({
        error: "You don't have permission to create datasets"
      }, 403);
    }

Deletion in src/worker/index.ts at line 1411 [5.240196]

B:BD[15.2216] → [15.2216:2319]


    // Connect to the database
    const sql = neon(c.env.DATABASE_URL);
    const db = drizzle(sql);

Replacement in src/worker/index.ts at line 1524 [5.240196]

B:BD[3.1992] → [3.1992:2062]

    // Check ownership
    if (existingDataset[0].owner !== userId) {

[3.1992]

[3.2062]

    // Check if user has permission to edit this dataset
    const hasEditPermission = await checkUserPermission(db, userId, datasetId, 'EDIT');
    
    if (!hasEditPermission) {

Insertion in src/types/dataset.ts at line 17 [16.8805]
[16.9085]
[16.9085]
```
  permissions?: string[]; // User's permissions for this dataset
```
Insertion in src/types/dataset.ts at line 22 [16.8805]
[16.9143]
[16.9143]
```
  userId?: string;
  userRole?: string;
```

Insertion in src/components/Datasets.tsx at line 30 [17.3332]

[3.4909]

[15.3979]

  const [, setUserRole] = useState<string>('USER');
  const [canCreateDatasets, setCanCreateDatasets] = useState<boolean>(false);

Insertion in src/components/Datasets.tsx at line 68 [17.3332]

[17.4802]

        
        // Set user role and determine if user can create datasets
        if (data.userRole) {
          setUserRole(data.userRole);
          setCanCreateDatasets(data.userRole === 'ADMIN' || data.userRole === 'CURATOR');
        }

Replacement in src/components/Datasets.tsx at line 250 [17.3332]

B:BD[15.6203] → [15.6203:6221]

B:BD[15.6221] → [3.8910:8948]

∅:D[3.8948] → [15.6273:6470]

B:BD[15.6273] → [15.6273:6470]

          <Button
            onClick={handleCreateNew}
            variant="default"
            size="sm"
            className="flex items-center gap-2"
          >
            <Plus className="h-4 w-4" />
            Add Dataset
          </Button>

[15.6203]

[15.6470]

          {canCreateDatasets && (
            <Button
              onClick={handleCreateNew}
              variant="default"
              size="sm"
              className="flex items-center gap-2"
            >
              <Plus className="h-4 w-4" />
              Add Dataset
            </Button>
          )}

Replacement in src/components/Datasets.tsx at line 312 [17.3332]

B:BD[3.9991] → [3.9991:10997]

                      <Button
                        onClick={(e) => {
                          e.stopPropagation();
                          handleEditDataset(dataset);
                        }}
                        variant="ghost"
                        size="sm"
                        className="p-1 h-8 w-8"
                        title="Edit dataset"
                      >
                        <Edit className="h-4 w-4" />
                      </Button>
                      <Button
                        onClick={(e) => {
                          e.stopPropagation();
                          handleDeleteDataset(dataset);
                        }}
                        variant="ghost"
                        size="sm"
                        className="p-1 h-8 w-8 text-red-600 hover:text-red-700 hover:bg-red-50"
                        title="Delete dataset"
                      >
                        <Trash2 className="h-4 w-4" />
                      </Button>

[3.9991]

[3.10997]

                      {dataset.permissions?.includes('EDIT') && (
                        <Button
                          onClick={(e) => {
                            e.stopPropagation();
                            handleEditDataset(dataset);
                          }}
                          variant="ghost"
                          size="sm"
                          className="p-1 h-8 w-8"
                          title="Edit dataset"
                        >
                          <Edit className="h-4 w-4" />
                        </Button>
                      )}
                      {dataset.permissions?.includes('DELETE') && (
                        <Button
                          onClick={(e) => {
                            e.stopPropagation();
                            handleDeleteDataset(dataset);
                          }}
                          variant="ghost"
                          size="sm"
                          className="p-1 h-8 w-8 text-red-600 hover:text-red-700 hover:bg-red-50"
                          title="Delete dataset"
                        >
                          <Trash2 className="h-4 w-4" />
                        </Button>
                      )}
                      {/* Show placeholder if no actions available */}
                      {!dataset.permissions?.includes('EDIT') && !dataset.permissions?.includes('DELETE') && (
                        <span className="text-gray-400 text-sm">—</span>
                      )}