quietlight/skraak.app - Change TGGXF43HKM7KPF4OS4ANJTSSS3LKMJKPXL7PLY5CZJGIFQW4CQYAC

fixing up auth, roles and access grants now always required' '

Created by AEj8dahVWy718uSSFPe9VSRJ5qX5G8pC2zvFzJJ8yzBd on June 1, 2025

TGGXF43HKM7KPF4OS4ANJTSSS3LKMJKPXL7PLY5CZJGIFQW4CQYAC

Dependencies

In channels

main

Change contents

Replacement in src/worker/routes/selections.ts at line 13 [5.2260]
∅:D[4.9405] → [5.2290:2341]
B:BD[5.2290] → [5.2290:2341]
```
import { authenticate } from "../middleware/auth";
```
[4.9405]
[4.9406]
```
import { authenticate, checkUserPermission } from "../middleware/auth";
```
Replacement in src/worker/routes/selections.ts at line 15 [5.2260]
∅:D[4.9458] → [5.2341:2378]
B:BD[5.2341] → [5.2341:2378]
```
import type { Env } from "../types";
```
[4.9458]
[5.2378]
```
import type { Env, JWTPayload } from "../types";
```

Insertion in src/worker/routes/selections.ts at line 47 [5.2260]

[4.11056]

    const jwtPayload = (c as unknown as { jwtPayload: JWTPayload }).jwtPayload;
    const userId = jwtPayload.sub;

Insertion in src/worker/routes/selections.ts at line 84 [5.2260]

[4.12117]

    
    // Check if user has READ permission for this dataset
    const hasPermission = await checkUserPermission(db, userId, datasetId, 'READ');
    
    if (!hasPermission) {
      return c.json({
        error: "Access denied: No READ permission for this dataset"
      }, 403);
    }

Insertion in src/worker/routes/locations.ts at line 58 [5.2606]

[5.4931]

    // Check if user has READ permission for this dataset
    const hasPermission = await checkUserPermission(db, userId, datasetId, 'READ');
    
    if (!hasPermission) {
      return c.json({
        error: "Access denied: No READ permission for this dataset"
      }, 403);
    }

Replacement in src/worker/routes/files.ts at line 17 [5.16112]
∅:D[4.21202] → [5.16142:16193]
B:BD[5.16142] → [5.16142:16193]
```
import { authenticate } from "../middleware/auth";
```
[4.21202]
[4.21203]
```
import { authenticate, checkUserPermission } from "../middleware/auth";
```
Replacement in src/worker/routes/files.ts at line 24 [5.16112]
∅:D[2.7519] → [5.16193:16230]
∅:D[4.21255] → [5.16193:16230]
B:BD[5.16193] → [5.16193:16230]
```
import type { Env } from "../types";
```
[2.7519]
[5.16230]
```
import type { Env, JWTPayload } from "../types";
```

Insertion in src/worker/routes/files.ts at line 56 [5.16112]

[4.22773]

    const jwtPayload = (c as unknown as { jwtPayload: JWTPayload }).jwtPayload;
    const userId = jwtPayload.sub;

Insertion in src/worker/routes/files.ts at line 89 [5.16112]

[4.23845]

    
    // Get the datasetId for this cluster to check permissions
    const clusterResult = await db
      .select({ datasetId: cluster.datasetId })
      .from(cluster)
      .where(eq(cluster.id, clusterId))
      .limit(1);

Insertion in src/worker/routes/files.ts at line 97 [5.16112]

[4.23850]

    if (clusterResult.length === 0) {
      return c.json({
        error: "Cluster not found"
      }, 404);
    }
    
    const datasetId = clusterResult[0].datasetId;
    
    // Check if user has READ permission for this dataset
    const hasPermission = await checkUserPermission(db, userId, datasetId, 'READ');
    
    if (!hasPermission) {
      return c.json({
        error: "Access denied: No READ permission for this dataset"
      }, 403);
    }

Replacement in src/worker/routes/datasets.ts at line 53 [5.16845]

B:BD[5.18469] → [5.18469:18555]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';

[5.18469]

[5.18555]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : null;

Replacement in src/worker/routes/datasets.ts at line 55 [5.16845]

B:BD[5.18560] → [5.18560:18844]

    // Query to get datasets with permissions
    // This complex query gets datasets where the user has READ access either through:
    // 1. Direct user-specific grants
    // 2. Role-based grants for their role
    // 3. Being the owner of the dataset
    const results = await db

[5.18560]

[5.18844]

    // If user has no role, return empty result with helpful message
    if (!userRoleName) {
      return c.json({
        data: [],
        userId: userId,
        userRole: null,
        message: "No access granted. Please contact an administrator to assign you a role."
      });
    }
    
    // Get datasets with explicit READ grants - owners must also have grants
    const grantedDatasets = await db

Replacement in src/worker/routes/datasets.ts at line 79 [5.16845]
B:BD[5.19191] → [5.19191:19208]
```
      .leftJoin(
```
[5.19191]
[5.19208]
```
      .innerJoin(
```

Replacement in src/worker/routes/datasets.ts at line 81 [5.16845]

B:BD[5.19229] → [5.19229:19325]

        sqlExpr`${accessGrant.datasetId} = ${dataset.id} AND ${accessGrant.active} = true AND (

[5.19229]

[5.19325]

        sqlExpr`${accessGrant.datasetId} = ${dataset.id} AND ${accessGrant.active} = true AND ${accessGrant.permission} = 'READ' AND (

Replacement in src/worker/routes/datasets.ts at line 83 [5.16845]

B:BD[5.19375] → [5.19375:19459]

          (${accessGrant.userId} IS NULL AND ${accessGrant.role} = ${userRoleName})

[5.19375]

[5.19459]

          (${accessGrant.userId} IS NULL AND ${userRoleName} IS NOT NULL AND ${accessGrant.role} = ${userRoleName})

Replacement in src/worker/routes/datasets.ts at line 86 [5.16845]

B:BD[5.19478] → [5.19478:19648]

      .where(sqlExpr`
        ${dataset.active} = true AND (
          ${dataset.owner} = ${userId} OR
          ${accessGrant.permission} IS NOT NULL
        )
      `)

[5.19478]

[5.19648]

      .where(sqlExpr`${dataset.active} = true`)

Insertion in src/worker/routes/datasets.ts at line 88 [5.16845]

[5.19678]


    // Results now only include datasets with explicit grants
    const results = grantedDatasets;

Replacement in src/worker/routes/datasets.ts at line 104 [5.16845]

B:BD[5.19985] → [5.19985:20014]

    results.forEach(row => {

[5.19985]

[5.20014]

    // Process results - we know these all have READ access via grants
    for (const row of results) {

Deletion in src/worker/routes/datasets.ts at line 107 [5.16845]

B:BD[5.20051] → [5.20051:20258]

        // If user is owner, they have all permissions
        const isOwner = row.owner === userId;
        const basePermissions = isOwner ? ['READ', 'UPLOAD', 'DOWNLOAD', 'EDIT', 'DELETE'] : [];

Replacement in src/worker/routes/datasets.ts at line 115 [5.16845]

B:BD[5.20551] → [5.20551:20590]

          permissions: basePermissions

[5.20551]

[5.20590]

          permissions: ['READ'] // Base permission, will be expanded below

Insertion in src/worker/routes/datasets.ts at line 118 [5.16845]

[5.20610]

    }
    // Now get all permissions for each dataset
    for (const datasetId of datasetMap.keys()) {
      const allPermissions = await db
        .select({
          permission: accessGrant.permission
        })
        .from(accessGrant)
        .where(sqlExpr`
          ${accessGrant.datasetId} = ${datasetId} AND 
          ${accessGrant.active} = true AND 
          (
            (${accessGrant.userId} = ${userId}) OR 
            (${accessGrant.userId} IS NULL AND ${userRoleName} IS NOT NULL AND ${accessGrant.role} = ${userRoleName})
          )
        `);

Replacement in src/worker/routes/datasets.ts at line 136 [5.16845]

B:BD[5.20617] → [5.20617:20854]

      // Add permission from access grants (avoid duplicates)
      if (row.permission && !datasetMap.get(row.id)!.permissions.includes(row.permission)) {
        datasetMap.get(row.id)!.permissions.push(row.permission);
      }
    });

[5.20617]

[5.20854]

      const datasetData = datasetMap.get(datasetId)!;
      
      // Collect unique permissions from grants - applies to ALL users including owners
      const permissions = new Set(['READ']); // We know they have read access
      allPermissions.forEach(p => permissions.add(p.permission));
      datasetData.permissions = Array.from(permissions);
    }

Replacement in src/worker/routes/datasets.ts at line 144 [5.16845]

B:BD[5.20859] → [5.20859:21100]

    // Filter datasets to only include those with READ permission
    const datasetsWithReadAccess = Array.from(datasetMap.values())
      .filter(dataset => dataset.permissions.includes('READ'))
      .slice(0, 20); // Limit to 20 datasets

[5.20859]

[5.21100]

    const datasetsWithReadAccess = Array.from(datasetMap.values()).slice(0, 20);

Replacement in src/worker/routes/datasets.ts at line 197 [5.16845]

B:BD[5.22782] → [5.22782:22868]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';

[5.22782]

[5.22868]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : null;

Replacement in src/worker/routes/datasets.ts at line 504 [5.16845]

B:BD[3.23636] → [3.23636:23722]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';

[3.23636]

[3.23722]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : null;

Replacement in src/worker/routes/datasets.ts at line 548 [5.16845]

B:BD[3.24899] → [3.24899:24986]

            (${accessGrant.role} = ${userRoleName} AND ${accessGrant.userId} IS NULL)

[3.24899]

[3.24986]

            (${accessGrant.role} = ${userRoleName} AND ${accessGrant.userId} IS NULL AND ${userRoleName} IS NOT NULL)

Replacement in src/worker/routes/clusters.ts at line 5 [5.30184]
B:BD[5.30270] → [5.30270:30296]
```
  cyclicRecordingPattern 
```
[5.30270]
[5.30296]
```
  cyclicRecordingPattern,
  location
```

Replacement in src/worker/routes/clusters.ts at line 8 [5.30184]

B:BD[5.30325] → [5.30325:30376]

import { authenticate } from "../middleware/auth";

[5.30325]

[5.30376]

import { authenticate, checkUserPermission } from "../middleware/auth";

Replacement in src/worker/routes/clusters.ts at line 10 [5.30184]
B:BD[5.30428] → [5.30428:30465]
```
import type { Env } from "../types";
```
[5.30428]
[5.30465]
```
import type { Env, JWTPayload } from "../types";
```

Replacement in src/worker/routes/clusters.ts at line 16 [5.30184]

B:BD[5.30570] → [5.30570:30614]

    // Authentication handled by middleware

[5.30570]

[5.30614]

    const jwtPayload = (c as unknown as { jwtPayload: JWTPayload }).jwtPayload;
    const userId = jwtPayload.sub;

Insertion in src/worker/routes/clusters.ts at line 28 [5.30184]

[5.30845]

    
    // Get the datasetId for this location to check permissions
    const locationResult = await db
      .select({ datasetId: location.datasetId })
      .from(location)
      .where(eq(location.id, locationId))
      .limit(1);

Insertion in src/worker/routes/clusters.ts at line 36 [5.30184]

[5.30850]

    if (locationResult.length === 0) {
      return c.json({
        error: "Location not found"
      }, 404);
    }
    
    const datasetId = locationResult[0].datasetId;
    
    // Check if user has READ permission for this dataset
    const hasPermission = await checkUserPermission(db, userId, datasetId, 'READ');
    
    if (!hasPermission) {
      return c.json({
        error: "Access denied: No READ permission for this dataset"
      }, 403);
    }

Replacement in src/worker/middleware/auth.ts at line 4 [5.33804]

B:BD[5.33917] → [5.33917:33986]

import { dataset, accessGrant, userRole } from "../../../db/schema";

[5.33917]

[5.33986]

import { accessGrant, userRole } from "../../../db/schema";

Replacement in src/worker/middleware/auth.ts at line 24 [5.33804]

B:BD[5.34629] → [5.34629:34974]

    // First check if user is the owner (owners have all permissions)
    const ownerCheck = await db
      .select({ owner: dataset.owner })
      .from(dataset)
      .where(eq(dataset.id, datasetId))
      .limit(1);
    
    if (ownerCheck.length > 0 && ownerCheck[0].owner === userId) {
      return true;
    }
    
    // Get user's role

[5.34629]

[5.34974]

    // Get user's role - ALL users must have a valid role to access data

Replacement in src/worker/middleware/auth.ts at line 31 [5.33804]

B:BD[5.35135] → [5.35135:35221]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : 'USER';

[5.35135]

[5.35221]

    const userRoleName = userRoleResult.length > 0 ? userRoleResult[0].role : null;

Replacement in src/worker/middleware/auth.ts at line 33 [5.33804]

B:BD[5.35226] → [5.35226:35253]

    // Check access grants

[5.35226]

[5.35253]

    // No role = no access (including owners)
    if (!userRoleName || !['ADMIN', 'USER', 'CURATOR'].includes(userRoleName)) {
      return false;
    }
    
    // Check access grants - now applies to ALL users including owners

Insertion in src/types/dataset.ts at line 24 [7.8805]
[6.6245]
[7.9143]
```
  message?: string;
```

Insertion in src/components/Datasets.tsx at line 68 [8.3332]

[8.4802]

[6.6398]

        
        // Show message if provided (e.g., for users without roles)
        if (data.message) {
          setError(data.message);
        }

Replacement in src/components/Datasets.tsx at line 272 [8.3332]

B:BD[8.5479] → [8.5479:5548]

      {error && <p className="text-red-600 mb-4">Error: {error}</p>}

[8.5479]

[8.5548]

      {error && (
        <p className={`mb-4 ${error.includes('No access granted') || error.includes('contact an administrator') ? 'text-amber-600' : 'text-red-600'}`}>
          {error.includes('Error: ') ? error : `Info: ${error}`}
        </p>
      )}