feat(fullstack): Add notifications, user is now an entity, add testcontainers, rework custom permissions, get user from JWT in endpoints

2025-08-09 10:09:00 +02:00
parent a5eae07eaf
commit 7e55a336f2
44 changed files with 1571 additions and 139 deletions
--- a/legalconsenthub/server/utils/permissions.ts
+++ b/legalconsenthub/server/utils/permissions.ts
@@ -1,55 +1,87 @@
 import { createAccessControl } from 'better-auth/plugins/access'
+import { defaultStatements, adminAc, memberAc, ownerAc } from 'better-auth/plugins/organization/access'
+import { defu } from 'defu'

-export const statement = {
+const customStatements = {
  application_form: ['create', 'read', 'update', 'delete', 'approve', 'reject', 'submit'],
  agreement: ['create', 'read', 'update', 'sign', 'approve', 'reject'],
-  organization: ['create', 'read', 'update', 'delete', 'manage_settings'],
-  member: ['create', 'read', 'update', 'delete', 'invite', 'remove'],
  comment: ['create', 'read', 'update', 'delete'],
  document: ['create', 'read', 'update', 'delete', 'download', 'upload']
 } as const

+export const statement = {
+  ...customStatements,
+  ...defaultStatements
+} as const
+
 export const accessControl = createAccessControl(statement)

-// Roles with specific permissions
-export const employerRole = accessControl.newRole({
-  application_form: ['create', 'read', 'approve', 'reject'],
-  agreement: ['create', 'read', 'sign', 'approve'],
-  member: ['invite', 'read'],
-  comment: ['create', 'read', 'update', 'delete'],
-  document: ['create', 'read', 'update', 'delete', 'download', 'upload']
-})
+export const employerRole = accessControl.newRole(
+  defu(
+    {
+      application_form: ['create', 'read', 'approve', 'reject'],
+      agreement: ['create', 'read', 'sign', 'approve'],
+      comment: ['create', 'read', 'update', 'delete'],
+      document: ['create', 'read', 'update', 'delete', 'download', 'upload']
+    },
+    memberAc.statements
+  ) as Parameters<typeof accessControl.newRole>[0]
+)

-export const worksCouncilMemberRole = accessControl.newRole({
-  application_form: ['create', 'read', 'update', 'submit'],
-  agreement: ['read', 'sign', 'approve'],
-  member: ['read'],
-  comment: ['create', 'read', 'update', 'delete'],
-  document: ['create', 'read', 'update', 'download', 'upload']
-})
+export const worksCouncilMemberRole = accessControl.newRole(
+  defu(
+    {
+      application_form: ['create', 'read', 'update', 'submit'],
+      agreement: ['read', 'sign', 'approve'],
+      comment: ['create', 'read', 'update', 'delete'],
+      document: ['create', 'read', 'update', 'download', 'upload']
+    },
+    memberAc.statements
+  ) as Parameters<typeof accessControl.newRole>[0]
+)

-export const employeeRole = accessControl.newRole({
-  application_form: ['read'],
-  agreement: ['read'],
-  member: ['read'],
-  comment: ['create', 'read'],
-  document: ['read', 'download']
-})
+export const employeeRole = accessControl.newRole(
+  defu(
+    {
+      application_form: ['read'],
+      agreement: ['read'],
+      comment: ['create', 'read'],
+      document: ['read', 'download']
+    },
+    memberAc.statements
+  ) as Parameters<typeof accessControl.newRole>[0]
+)

-export const adminRole = accessControl.newRole({
-  application_form: ['create', 'read', 'update', 'delete', 'approve', 'reject'],
-  agreement: ['create', 'read', 'update', 'sign', 'approve', 'reject'],
-  organization: ['create', 'read', 'update', 'delete', 'manage_settings'],
-  member: ['create', 'read', 'update', 'delete', 'invite', 'remove'],
-  comment: ['create', 'read', 'update', 'delete'],
-  document: ['create', 'read', 'update', 'delete', 'download', 'upload']
-})
+export const adminRole = accessControl.newRole(
+  defu(
+    {
+      application_form: ['create', 'read', 'update', 'delete', 'approve', 'reject'],
+      agreement: ['create', 'read', 'update', 'sign', 'approve', 'reject'],
+      comment: ['create', 'read', 'update', 'delete'],
+      document: ['create', 'read', 'update', 'delete', 'download', 'upload']
+    },
+    adminAc.statements
+  ) as Parameters<typeof accessControl.newRole>[0]
+)
+
+export const ownerRole = accessControl.newRole(
+  defu(
+    {
+      application_form: ['create', 'read', 'update', 'delete', 'approve', 'reject', 'submit'],
+      agreement: ['create', 'read', 'update', 'sign', 'approve', 'reject'],
+      comment: ['create', 'read', 'update', 'delete'],
+      document: ['create', 'read', 'update', 'delete', 'download', 'upload']
+    },
+    ownerAc.statements
+  ) as Parameters<typeof accessControl.newRole>[0]
+)

 export const ROLES = {
  EMPLOYER: 'employer',
  WORKS_COUNCIL_MEMBER: 'works_council_member',
  EMPLOYEE: 'employee',
-  ADMIN: 'admin'
+  ADMIN: 'admin',
+  OWNER: 'owner'
 } as const

 export type LegalRole = (typeof ROLES)[keyof typeof ROLES]