refactor: improve event subscribe permission system functionality

backend/src/modules/DataModule/DataModuleEvent.ts

@@ -1,15 +1,18 @@
+import { HydratedDocument, Model } from "mongoose";
 import DataModule from "../DataModule";
 import ModuleEvent from "../EventsModule/ModuleEvent";
-import { HydratedDocument } from "mongoose";
 import { UserSchema } from "./models/users/schema";
-import { GetPermissionsResult } from "./models/users/jobs/GetPermissions";
-import GetModelPermissions from "./models/users/jobs/GetModelPermissions";
 
 export default abstract class DataModuleEvent extends ModuleEvent {
 	protected static _module = DataModule;
 
 	protected static _modelName: string;
 
+	protected static _hasPermission:
+		| boolean
+		| CallableFunction
+		| (boolean | CallableFunction)[] = false;
+
 	public static override getName() {
 		return `${this._modelName}.${super.getName()}`;
 	}
@@ -19,18 +22,21 @@ export default abstract class DataModuleEvent extends ModuleEvent {
 	}
 
 	public static async hasPermission(
-		user: HydratedDocument<UserSchema> | null,
-		scope?: string
+		model: HydratedDocument<Model<any>>, // TODO model can be null too, as GetModelPermissions is currently written
+		user: HydratedDocument<UserSchema> | null
 	) {
-		const permissions = (await new GetModelPermissions({
-			_id: user?._id,
-			modelName: this.getModelName(),
-			modelId: scope
-		}).execute()) as GetPermissionsResult;
-
-		return !!(
-			permissions[`event:${this.getKey(scope)}`] ||
-			permissions[`event:${this.getPath()}:*`]
-		);
+		const options = Array.isArray(this._hasPermission)
+			? this._hasPermission
+			: [this._hasPermission];
+
+		return options.reduce(async (previous, option) => {
+			if (await previous) return true;
+
+			if (typeof option === "boolean") return option;
+
+			if (typeof option === "function") return option(model, user);
+
+			return false;
+		}, Promise.resolve(false));
 	}
 }

backend/src/modules/DataModule/DataModuleJob.ts

@@ -44,7 +44,7 @@ export default abstract class DataModuleJob extends Job {
 	}
 
 	public static async hasPermission(
-		model: HydratedDocument<Model<any>>,
+		model: HydratedDocument<Model<any>>, // TODO model can be null too, as GetModelPermissions is currently written
 		user: HydratedDocument<UserSchema> | null
 	) {
 		const options = Array.isArray(this._hasPermission)

backend/src/modules/DataModule/ModelDeletedEvent.ts

@@ -1,23 +1,5 @@
-import { HydratedDocument } from "mongoose";
 import DataModuleEvent from "./DataModuleEvent";
-import { UserSchema } from "@models/users/schema";
-import GetModelPermissions, { GetModelPermissionsResult } from "@models/users/jobs/GetModelPermissions";
 
 export default abstract class ModelDeletedEvent extends DataModuleEvent {
 	protected static _name = "deleted";
-
-	public static async hasPermission(
-		user: HydratedDocument<UserSchema> | null,
-		scope?: string
-	) {
-		const permissions = (await new GetModelPermissions({
-			_id: user?._id,
-			modelName: this.getModelName(),
-			modelId: scope
-		}).execute()) as GetModelPermissionsResult;
-
-		return !!(
-			permissions[`data.${this.getModelName()}.findById`]
-		);
-	}
 }

backend/src/modules/DataModule/ModelUpdatedEvent.ts

@@ -1,23 +1,5 @@
-import { HydratedDocument } from "mongoose";
 import DataModuleEvent from "./DataModuleEvent";
-import { UserSchema } from "@models/users/schema";
-import GetModelPermissions, { GetModelPermissionsResult } from "@models/users/jobs/GetModelPermissions";
 
 export default abstract class ModelUpdatedEvent extends DataModuleEvent {
 	protected static _name = "updated";
-
-	public static async hasPermission(
-		user: HydratedDocument<UserSchema> | null,
-		scope?: string
-	) {
-		const permissions = (await new GetModelPermissions({
-			_id: user?._id,
-			modelName: this.getModelName(),
-			modelId: scope
-		}).execute()) as GetModelPermissionsResult;
-
-		return !!(
-			permissions[`data.${this.getModelName()}.findById`]
-		);
-	}
 }

backend/src/modules/DataModule/models/news/events/NewsDeletedEvent.ts

@@ -1,5 +1,16 @@
+import { HydratedDocument, Schema } from "mongoose";
 import ModelDeletedEvent from "@/modules/DataModule/ModelDeletedEvent";
+import { NewsStatus } from "@/modules/DataModule/models/news/NewsStatus";
 
 export default abstract class NewsDeletedEvent extends ModelDeletedEvent {
 	protected static _modelName = "news";
+
+	protected static _hasPermission = <ModelSchemaType extends Schema>(
+		model: HydratedDocument<ModelSchemaType>
+	) => {
+		// eslint-disable-next-line
+		// @ts-ignore
+		if (model?.status === NewsStatus.PUBLISHED) return true;
+		return false;
+	};
 }

backend/src/modules/DataModule/models/news/events/NewsUpdatedEvent.ts

@@ -1,5 +1,16 @@
+import { HydratedDocument, Schema } from "mongoose";
 import ModelUpdatedEvent from "@/modules/DataModule/ModelUpdatedEvent";
+import { NewsStatus } from "@/modules/DataModule/models/news/NewsStatus";
 
 export default abstract class NewsUpdatedEvent extends ModelUpdatedEvent {
 	protected static _modelName = "news";
+
+	protected static _hasPermission = <ModelSchemaType extends Schema>(
+		model: HydratedDocument<ModelSchemaType>
+	) => {
+		// eslint-disable-next-line
+		// @ts-ignore
+		if (model?.status === NewsStatus.PUBLISHED) return true;
+		return false;
+	};
 }

backend/src/modules/DataModule/models/users/jobs/GetModelPermissions.ts

@@ -2,9 +2,10 @@ import { isObjectIdOrHexString } from "mongoose";
 import { forEachIn } from "@common/utils/forEachIn";
 import CacheModule from "@/modules/CacheModule";
 import DataModule from "@/modules/DataModule";
-import ModuleManager from "@/ModuleManager";
 import GetPermissions, { GetPermissionsResult } from "./GetPermissions";
 import DataModuleJob from "@/modules/DataModule/DataModuleJob";
+import DataModuleEvent from "@/modules/DataModule/DataModuleEvent";
+import { EventClass } from "@/modules/EventsModule/Event";
 
 export type GetSingleModelPermissionsResult = Record<string, boolean>; // Returned when getting permissions for a single modelId
 export type GetMultipleModelPermissionsResult = Record<
@@ -13,8 +14,16 @@ export type GetMultipleModelPermissionsResult = Record<
 >; // Returned when getting permissions for several modelIds
 export type GetModelPermissionsResult =
 	| GetSingleModelPermissionsResult
-	| GetMultipleModelPermissionsResult;
-
+	| GetMultipleModelPermissionsResult; // TODO We should probably combine this into a single type of response to make it simpler
+
+/**
+ * Returns permissions for zero, one or more modelIds, for a single modelName, for a specific user
+ * For each modelId, it will return an object with permissions, where object keys are the DataModule job names in camelCase,
+ * prefixed by "data.", and the value is whether the user has permission or not
+ * For events, it will be DataModule event names in camelCase, prefixed by "event.data."
+ *
+ * If no modelId is provided, it will not include jobs that apply specifically to a single modelId (those ending in ById)
+ */
 export default class GetModelPermissions extends DataModuleJob {
 	protected static _modelName = "users";
 
@@ -41,6 +50,7 @@ export default class GetModelPermissions extends DataModuleJob {
 		const { modelName, modelId, modelIds } = this._payload;
 
 		const user = await this._context.getUser().catch(() => null);
+		// Gets the generic permissions for the current user, these are not model-specific
 		const permissions = (await this._context.executeJob(
 			GetPermissions
 		)) as GetPermissionsResult;
@@ -48,6 +58,7 @@ export default class GetModelPermissions extends DataModuleJob {
 		const Model = await DataModule.getModel(modelName);
 		if (!Model) throw new Error("Model not found");
 
+		// If no modelId is supplied, we want to return generic permissions for the provided model for the current user
 		if (!modelId && (!modelIds || modelIds.length === 0)) {
 			const cacheKey = this._getCacheKey(user, modelName);
 			const cached = await CacheModule.get(cacheKey);
@@ -65,6 +76,7 @@ export default class GetModelPermissions extends DataModuleJob {
 			return modelPermissions;
 		}
 
+		// For a single modelId, we want to return the permissions for that model for the current user
 		if (modelId) {
 			const cacheKey = this._getCacheKey(user, modelName, modelId);
 			const cached = await CacheModule.get(cacheKey);
@@ -89,6 +101,7 @@ export default class GetModelPermissions extends DataModuleJob {
 		const result: any = {};
 		const uncachedModelIds: any = [];
 
+		// Go through the modelIds, check if any of them already have cached permissions. If they do, use those. For the rest, collect the id's
 		await forEachIn(modelIds, async modelId => {
 			const cacheKey = this._getCacheKey(user, modelName, modelId);
 			const cached = await CacheModule.get(cacheKey);
@@ -99,8 +112,10 @@ export default class GetModelPermissions extends DataModuleJob {
 			uncachedModelIds.push(modelId);
 		});
 
+		// For the modelIds that were not cached, get the documents from MongoDB
 		const uncachedModels = await Model.find({ _id: uncachedModelIds });
 
+		// Loop through the modelIds that were not cached, and get the permissions for each one individually
 		await forEachIn(uncachedModelIds, async modelId => {
 			const model = uncachedModels.find(
 				model => model._id.toString() === modelId.toString()
@@ -124,6 +139,15 @@ export default class GetModelPermissions extends DataModuleJob {
 		return result;
 	}
 
+	/**
+	 * Returns the permissions for the provided user, generic permissions, model and, if provided, the modelId
+	 * It will first take the generic permissions, only including the data/event data permisisons for the provided modelName
+	 * After that, it loops through all DataModule jobs for the provided modelName, and checks if the user has permission for that job
+	 * If it does, it includes these job names in the result, along with the filtered generic permissions.
+	 * One example: with modelName being news, it would get the news FindById job, which always results in "data.news.findById" being true
+	 * due to _hasPermission being true in that class
+	 * It will also loop through DataModule events in the same manner, except without the extra logic for findById
+	 */
 	protected async _getPermissionsForModel(
 		user: any,
 		permissions: GetPermissionsResult,
@@ -131,6 +155,7 @@ export default class GetModelPermissions extends DataModuleJob {
 		modelId: string,
 		model?: any
 	) {
+		// Filters the generic permissions, only returning the data or event data permissions for the provided model
 		const modelPermissions = Object.fromEntries(
 			Object.entries(permissions).filter(
 				([permission]) =>
@@ -139,37 +164,95 @@ export default class GetModelPermissions extends DataModuleJob {
 			)
 		);
 
-		await forEachIn(
-			Object.entries(
-				ModuleManager.getModule("data")?.getJobs() ?? {}
-			).filter(
-				([jobName]) =>
-					jobName.startsWith(modelName.toString()) &&
-					(modelId ? true : !jobName.endsWith("ById"))
-			) as [string, typeof DataModuleJob][],
-			async ([jobName, Job]) => {
-				jobName = `data.${jobName}`;
+		/**
+		 * Get all DataModule jobs for the provided model.
+		 * If a modelId is specified, it will return any ById jobs, like DeleteById.
+		 * If not specified, it will not return any *ById jobs.
+		 */
+		const dataModuleJobs = Object.entries(
+			// ModuleManager.getModule("data")?.getJobs() ?? {}
+			DataModule.getJobs() ?? {}
+		).filter(
+			([jobName]) =>
+				jobName.startsWith(modelName.toString()) &&
+				(modelId ? true : !jobName.endsWith("ById"))
+		) as [string, typeof DataModuleJob][];
+
+		// Loops through all data jobs
+		await forEachIn(dataModuleJobs, async ([jobName, Job]) => {
+			jobName = `data.${jobName}`; // For example, data.news.getData
+
+			// If the generic permissions contains the current job, we don't need to continue further, just say the user has permission for this job
+			if (permissions[jobName]) {
+				modelPermissions[jobName] = true;
+				return;
+			}
 
-				let hasPermission = permissions[jobName];
+			// If the generic permissions has access to for example "data.news.findManyById.*", the user will have permission to the job "data.news.findManyById"
+			if (permissions[`${jobName}.*`]) {
+				modelPermissions[jobName] = true;
+				return;
+			}
 
-				if (!hasPermission && modelId)
-					hasPermission =
-						permissions[`${jobName}.*`] ||
-						permissions[`${jobName}.${modelId}`];
+			/**
+			 * If we haven't found a generic permission, but the current job has a hasPermission function, call that function to see if the current user
+			 * should have permission for the provided model (document? TODO) (if any). The job, for example data.news.findManyById, will already be aware of the model name
+			 * hasPermission can be overwritten, but by default it will check _hasPermission. This is false by default, but can be true, or a function or array of functions
+			 */
+			if (
+				typeof Job.hasPermission === "function" &&
+				(await Job.hasPermission(model, user))
+			) {
+				modelPermissions[jobName] = true;
+				return;
+			}
 
-				if (hasPermission) {
-					modelPermissions[jobName] = true;
+			// We haven't found permission so far, so we can assume we don't have permission
+			modelPermissions[jobName] = false;
+		});
 
-					return;
-				}
+		/**
+		 * Get all DataModule events for the provided model.
+		 */
+		const dataModuleEvents = Object.entries(
+			DataModule.getEvents() ?? {}
+		).filter(([eventName]) =>
+			eventName.startsWith(modelName.toString())
+		) as [string, typeof DataModuleEvent & EventClass][];
+
+		// Loops through all data events
+		await forEachIn(dataModuleEvents, async ([eventName, Event]) => {
+			eventName = `event.data.${eventName}`; // For example, event.data.news.created
+
+			// If the generic permissions contains the current event, we don't need to continue further, just say the user has permission for this event
+			if (permissions[eventName]) {
+				modelPermissions[eventName] = true;
+				return;
+			}
 
-				if (typeof Job.hasPermission === "function") {
-					hasPermission = await Job.hasPermission(model, user);
-				}
+			// If the generic permissions has access to for example "event.data.news.updated.*", the user will have permission to the event "event.data.news.updated" regardless of the model id
+			if (permissions[`${eventName}.*`]) {
+				modelPermissions[eventName] = true;
+				return;
+			}
 
-				modelPermissions[jobName] = !!hasPermission;
+			/**
+			 * If we haven't found a generic permission, but the current event has a hasPermission function, call that function to see if the current user
+			 * should have permission for the provided model (if any). The event, for example event.data.news.updated, will already be aware of the model name
+			 * hasPermission can be overwritten, but by default it will check _hasPermission. This is false by default, but can be changed to true, or a function,
+			 * or an array of functions
+			 */
+			if (
+				typeof Event.hasPermission === "function" &&
+				(await Event.hasPermission(model, user))
+			) {
+				modelPermissions[eventName] = true;
+				return;
 			}
-		);
+
+			// We haven't found permission so far, so we can assume we don't have permission
+			modelPermissions[eventName] = false;
+		});
 
 		return modelPermissions;
 	}

backend/src/modules/DataModule/models/users/jobs/GetPermissions.ts

@@ -5,6 +5,10 @@ import DataModuleJob from "@/modules/DataModule/DataModuleJob";
 
 export type GetPermissionsResult = Record<string, boolean>;
 
+/**
+ * This jobs returns the static/pre-defined permissions for the current user/guest based on the user's role.
+ * Permissions are cached. No cache invalidation machanism has been implemented yet, but it expires naturally after 6 minutes.
+ */
 export default class GetPermissions extends DataModuleJob {
 	protected static _modelName = "users";
 

backend/src/modules/DataModule/models/users/permissions.ts

@@ -191,7 +191,9 @@ const admin = {
 	// 	  }
 	// 	: {})
 
-	"event.model.news.created": true // WIP - regular users need to be able to subscribe to certain news subscribe events
+	"event.data.news.created": true, // For now, only admins can subscribe to these, but that's just temporary
+	"event.data.news.updated.*": true,
+	"event.data.news.deleted.*": true
 };
 
 const permissions: Record<

backend/src/modules/EventsModule.ts

@@ -13,8 +13,19 @@ import BaseModule, { ModuleStatus } from "@/BaseModule";
 import WebSocketModule from "./WebSocketModule";
 import Event from "@/modules/EventsModule/Event";
 import ModuleManager from "@/ModuleManager";
+import DataModule from "@/modules/DataModule";
+import { GetPermissionsResult } from "@/modules/DataModule/models/users/jobs/GetPermissions";
+import { GetSingleModelPermissionsResult } from "@/modules/DataModule/models/users/jobs/GetModelPermissions";
+
+const permissionRegex =
+	// eslint-disable-next-line max-len
+	/^event.(?<moduleName>[a-z]+)\.(?<modelOrEventName>[A-z]+)\.(?<eventName>[A-z]+)(?:\.(?<modelId>[A-z0-9]{24}))?(?:\.(?<extra>[A-z]+))?$/;
 
 export class EventsModule extends BaseModule {
+	/**
+	 * The events module is used to subscribe to events, and to publish events. Events can be documents updating, being created or being deleted.
+	 * Other events can be JobFinished? But probably not for frontend. So atm frontend can only subscribe to update/created/deleted.
+	 */
 	private _pubClient?: RedisClientType<
 		RedisDefaultModules & RedisModules,
 		RedisFunctions,
@@ -192,6 +203,54 @@ export class EventsModule extends BaseModule {
 		);
 	}
 
+	/**
+	 * Like JobContext assertPermission, checks if the current user has permission to subscribe to the event associated
+	 * with the provided permission.
+	 * Permission can be for example "event.data.news.created" or "event.data.news.updated.6687eec103808fe513c937ff"
+	 */
+	public async assertPermission(permission: string) {
+		console.log("Assert permission", permission);
+		let hasPermission = false;
+
+		const { moduleName, modelOrEventName, eventName, modelId, extra } =
+			permissionRegex.exec(permission)?.groups ?? {};
+
+		if (moduleName === "data" && modelOrEventName && eventName) {
+			const GetModelPermissions = DataModule.getJob(
+				"users.getModelPermissions"
+			);
+
+			// eslint-disable-next-line
+			// @ts-ignore
+			const permissions = (await new GetModelPermissions({
+				modelName: modelOrEventName,
+				modelId
+				// eslint-disable-next-line
+				// @ts-ignore
+			}).execute()) as unknown as GetSingleModelPermissionsResult;
+
+			let modelPermission = `event.data.${modelOrEventName}.${eventName}`;
+
+			if (extra) modelPermission += `.${extra}`;
+
+			hasPermission = permissions[modelPermission];
+		} else {
+			const GetPermissions = DataModule.getJob("users.getPermissions");
+
+			const permissions =
+				// eslint-disable-next-line
+				// @ts-ignore
+				(await new GetPermissions().execute()) as unknown as GetPermissionsResult;
+
+			hasPermission = permissions[permission];
+		}
+
+		if (!hasPermission)
+			throw new Error(
+				`Insufficient permissions for permission ${permission}`
+			);
+	}
+
 	/**
 	 * createKey - Create hex key
 	 */

backend/src/modules/EventsModule/Event.ts

@@ -1,8 +1,3 @@
-import { HydratedDocument } from "mongoose";
-import { UserSchema } from "@models/users/schema";
-import { GetPermissionsResult } from "../DataModule/models/users/jobs/GetPermissions";
-import DataModule from "../DataModule";
-
 export default abstract class Event {
 	protected static _namespace: string;
 
@@ -52,22 +47,6 @@ export default abstract class Event {
 		return this._type;
 	}
 
-	public static async hasPermission(
-		user: HydratedDocument<UserSchema> | null,
-		scope?: string
-	) {
-		const GetPermissions = DataModule.getJob("users.getPermissions");
-
-		const permissions = (await new GetPermissions({
-			_id: user?._id
-		}).execute()) as GetPermissionsResult;
-
-		return !!(
-			permissions[`event:${this.getKey(scope)}`] ||
-			permissions[`event:${this.getPath()}:*`]
-		);
-	}
-
 	public static makeMessage(data: any) {
 		if (["object", "array"].includes(typeof data))
 			return JSON.stringify(data);
@@ -119,4 +98,4 @@ export default abstract class Event {
 
 export type EventClass = {
 	new (...params: ConstructorParameters<typeof Event>): Event;
-};
+} & typeof Event;

backend/src/modules/EventsModule/jobs/Subscribe.ts

@@ -1,6 +1,6 @@
 import Job, { JobOptions } from "@/Job";
 import EventsModule from "@/modules/EventsModule";
-import Event from "../Event";
+import Event from "@/modules/EventsModule/Event";
 
 export default class Subscribe extends Job {
 	protected static _hasPermission = true;
@@ -18,19 +18,15 @@ export default class Subscribe extends Job {
 	}
 
 	protected override async _authorize() {
+		// Channel could be data.news.created, or something like data.news.updated:SOME_OBJECT_ID
 		const { channel } = this._payload;
 
+		// Path can be for example data.news.created. Scope will be anything after ":", but isn't required, so could be undefined
 		const { path, scope } = Event.parseKey(channel);
 
-		const EventClass = EventsModule.getEvent(path);
+		const permission = scope ? `event.${path}.${scope}` : `event.${path}`;
 
-		const hasPermission = await EventClass.hasPermission(
-			await this._context.getUser().catch(() => null),
-			scope
-		);
-
-		if (!hasPermission)
-			throw new Error(`Insufficient permissions for event ${channel}`);
+		await EventsModule.assertPermission(permission);
 	}
 
 	protected async _execute() {