Migrate CanImpersonate Event/Hook

Author: CarsonF

src/components/authorization/authorization.module.ts

@@ -7,7 +7,7 @@ import {
   SessionExtraInfoResolver,
 } from './authorization.resolver';
 import { BetaFeaturesGranter } from './dto/beta-features.dto';
-import { CanImpersonateHandler } from './handler/can-impersonate.handler';
+import { CanImpersonateViaPrivilegesHandler } from './handler/can-impersonate-via-privileges.handler';
 import * as Policies from './policies';
 import { PolicyModule } from './policy/policy.module';
 
@@ -19,7 +19,7 @@ import { PolicyModule } from './policy/policy.module';
     LoginExtraInfoResolver,
     RegisterExtraInfoResolver,
     SessionExtraInfoResolver,
-    CanImpersonateHandler,
+    CanImpersonateViaPrivilegesHandler,
     ...Object.values(Policies),
     AssignableRolesGranter,
     BetaFeaturesGranter,

src/components/authorization/handler/can-impersonate-via-privileges.handler.ts

@@ -0,0 +1,17 @@
+import { Injectable } from '@nestjs/common';
+import { CanImpersonateHook } from '~/core/authentication/hooks/can-impersonate.hook';
+import { OnHook } from '~/core/hooks';
+import { AssignableRoles } from '../dto/assignable-roles.dto';
+import { Privileges } from '../policy';
+
+@Injectable()
+export class CanImpersonateViaPrivilegesHandler {
+  constructor(private readonly privileges: Privileges) {}
+
+  @OnHook(CanImpersonateHook)
+  canImpersonate({ session, allow }: CanImpersonateHook) {
+    const p = this.privileges.for(AssignableRoles);
+    const granted = session.roles.values().every((role) => p.can('edit', role));
+    allow.vote(granted);
+  }
+}

src/components/authorization/handler/can-impersonate.handler.ts

@@ -1,6 +1,6 @@
 import { type PollVoter } from '~/common';
 import { type Session } from '../session/session.dto';
 
-export class CanImpersonateEvent {
+export class CanImpersonateHook {
   constructor(readonly session: Session, readonly allow: PollVoter<boolean>) {}
 }

src/core/authentication/events/can-impersonate.event.ts renamed to src/core/authentication/hooks/can-impersonate.hook.ts

@@ -9,11 +9,11 @@ import {
   ServerException,
   UnauthorizedException,
 } from '~/common';
-import { IEventBus } from '~/core/events';
+import { Hooks } from '~/core/hooks';
 import { ILogger, Logger } from '~/core/logger';
 import { SystemAgentRepository } from '../../../components/user/system-agent.repository';
 import { AuthenticationRepository } from '../authentication.repository';
-import { CanImpersonateEvent } from '../events/can-impersonate.event';
+import { CanImpersonateHook } from '../hooks/can-impersonate.hook';
 import { JwtService } from '../jwt.service';
 import { NoSessionException } from './no-session.exception';
 import { Session } from './session.dto';
@@ -26,7 +26,7 @@ import { SessionHost } from './session.host';
 export class SessionManager {
   constructor(
     private readonly agents: SystemAgentRepository,
-    private readonly events: IEventBus,
+    private readonly hooks: Hooks,
     private readonly jwt: JwtService,
     private readonly sessionHost: SessionHost,
     private readonly repo: AuthenticationRepository,
@@ -105,11 +105,11 @@ export class SessionManager {
     if (impersonatee) {
       const allowImpersonation = new Poll();
       await this.sessionHost.withSession(requesterSession, async () => {
-        const event = new CanImpersonateEvent(
+        const event = new CanImpersonateHook(
           requesterSession,
           allowImpersonation,
         );
-        await this.events.publish(event);
+        await this.hooks.run(event);
       });
       if (!(allowImpersonation.plurality && !allowImpersonation.vetoed)) {
         // Don't expose what the requester is unable to do as this could leak