Stop scoping Session.roles

Author: CarsonF

src/components/authorization/dto/role.dto.ts

@@ -1,13 +1,6 @@
 import { type Role } from '~/common';
 
-export type ProjectScope = 'project';
-export type GlobalScope = 'global';
-
-// Scope for roles. Does this role apply anywhere or only with project membership?
-export type AuthScope = GlobalScope | ProjectScope;
-
-export type ProjectScopedRole = `${ProjectScope}:${Role}`;
-export type GlobalScopedRole = `${GlobalScope}:${Role}`;
+type AuthScope = 'global' | 'project';
 
 export type ScopedRole = `${AuthScope}:${Role}` | 'member:true';
 

src/components/authorization/handler/can-impersonate.handler.ts

@@ -1,6 +1,5 @@
 import { CanImpersonateEvent } from '~/core/authentication/events/can-impersonate.event';
 import { EventsHandler } from '~/core/events';
-import { withoutScope } from '../dto';
 import { AssignableRoles } from '../dto/assignable-roles.dto';
 import { Privileges } from '../policy';
 
@@ -10,9 +9,7 @@ export class CanImpersonateHandler {
 
   handle(event: CanImpersonateEvent) {
     const p = this.privileges.for(AssignableRoles);
-    const valid = event.session.roles.every((role) =>
-      p.can('edit', withoutScope(role)),
-    );
+    const valid = event.session.roles.every((role) => p.can('edit', role));
     event.allow.vote(valid);
   }
 }

src/components/authorization/policies/conditions/role.condition.ts

@@ -1,6 +1,5 @@
 import { inspect } from 'util';
 import { type Role } from '~/common';
-import { withoutScope } from '../../dto';
 import {
   type AsEdgeQLParams,
   type Condition,
@@ -13,7 +12,7 @@ export class RoleCondition implements Condition {
   constructor(readonly allowed: ReadonlySet<Role>) {}
 
   isAllowed({ session }: IsAllowedParams<any>) {
-    const given = session.roles.map(withoutScope);
+    const given = session.roles;
     return given.some((role) => this.allowed.has(role));
   }
 

src/components/authorization/policy/executor/policy-executor.ts

@@ -4,7 +4,6 @@ import { identity, intersection } from 'lodash';
 import { type EnhancedResource } from '~/common';
 import { Identity, type Session } from '~/core/authentication';
 import { type QueryFragment } from '~/core/database/query';
-import { withoutScope } from '../../dto';
 import { RoleCondition } from '../../policies/conditions/role.condition';
 import { type Permission } from '../builder/perm-granter';
 import {
@@ -282,7 +281,7 @@ export class PolicyExecutor {
       }
       const rolesSpecifiedByPolicyThatUserHas = intersection(
         policy.roles,
-        session.roles.map(withoutScope),
+        session.roles,
       );
       return rolesSpecifiedByPolicyThatUserHas.length > 0;
     });

src/components/engagement/engagement.rules.ts

@@ -12,7 +12,6 @@ import { ILogger, Logger } from '~/core';
 import { Identity } from '~/core/authentication';
 import { DatabaseService } from '~/core/database';
 import { ACTIVE, INACTIVE } from '~/core/database/query';
-import { withoutScope } from '../authorization/dto';
 import { ProjectStep } from '../project/dto';
 import {
   EngagementStatus,
@@ -314,7 +313,7 @@ export class EngagementRules {
 
   async getAvailableTransitions(
     engagementId: ID,
-    currentUserRoles?: Role[],
+    currentUserRoles?: readonly Role[],
     changeset?: ID,
   ): Promise<EngagementStatusTransition[]> {
     const session = this.identity.current;
@@ -330,7 +329,7 @@ export class EngagementRules {
     );
 
     // If current user is not an approver (based on roles) then don't allow any transitions
-    currentUserRoles ??= session.roles.map(withoutScope);
+    currentUserRoles ??= session.roles;
     if (intersection(approvers, currentUserRoles).length === 0) {
       return [];
     }
@@ -358,7 +357,7 @@ export class EngagementRules {
 
   async canBypassWorkflow() {
     const session = this.identity.current;
-    const roles = session.roles.map(withoutScope);
+    const roles = session.roles;
     return intersection(rolesThatCanBypassWorkflow, roles).length > 0;
   }
 
@@ -370,7 +369,7 @@ export class EngagementRules {
     // If current user's roles include a role that can bypass workflow
     // stop the check here.
     const session = this.identity.current;
-    const currentUserRoles = session.roles.map(withoutScope);
+    const currentUserRoles = session.roles;
     if (intersection(rolesThatCanBypassWorkflow, currentUserRoles).length > 0) {
       return;
     }

src/components/project/project.service.ts

@@ -25,7 +25,6 @@ import { Identity } from '~/core/authentication';
 import { Transactional } from '~/core/database';
 import { type AnyChangesOf } from '~/core/database/changes';
 import { Privileges } from '../authorization';
-import { withoutScope } from '../authorization/dto';
 import { BudgetService } from '../budget';
 import { BudgetStatus, type SecuredBudget } from '../budget/dto';
 import { EngagementService } from '../engagement';
@@ -160,9 +159,9 @@ export class ProjectService {
       await this.projectMembers.create(
         {
           userId: session.userId,
-          roles: session.roles
-            .map(withoutScope)
-            .filter((role) => Role.applicableToProjectMembership.has(role)),
+          roles: session.roles.filter((role) =>
+            Role.applicableToProjectMembership.has(role),
+          ),
           projectId: project,
         },
         false,

src/core/authentication/authentication.gel.repository.ts

@@ -2,7 +2,7 @@ import { Injectable } from '@nestjs/common';
 import { IntegrityError } from 'gel';
 import { type ID, type PublicOf, ServerException } from '~/common';
 import { RootUserAlias } from '../config/root-user.config';
-import { DbTraceLayer, disableAccessPolicies, e, Gel, withScope } from '../gel';
+import { DbTraceLayer, disableAccessPolicies, e, Gel } from '../gel';
 import type { AuthenticationRepository } from './authentication.repository';
 import { type LoginInput } from './dto';
 import { type Session } from './session/session.dto';
@@ -138,8 +138,8 @@ export class AuthenticationGelRepository
       return e.select(e.Auth.Session, (session) => ({
         filter_single: { token },
         userId: session.user.id,
-        roles: withScope('global', session.user.roles),
-        impersonateeRoles: withScope('global', impersonatee.roles),
+        roles: session.user.roles,
+        impersonateeRoles: impersonatee.roles,
       }));
     },
   );
@@ -151,7 +151,7 @@ export class AuthenticationGelRepository
     { userId: e.uuid },
     ({ userId }) => {
       const user = e.cast(e.User, userId);
-      return withScope('global', user.roles);
+      return user.roles;
     },
   );
 

src/core/authentication/authentication.repository.ts

@@ -1,8 +1,7 @@
 import { Injectable } from '@nestjs/common';
 import { node, relation } from 'cypher-query-builder';
 import { DateTime } from 'luxon';
-import { type ID, ServerException } from '~/common';
-import { type ScopedRole } from '../../components/authorization/dto';
+import { type ID, type Role, ServerException } from '~/common';
 import { DatabaseService, DbTraceLayer, OnIndex } from '../database';
 import {
   ACTIVE,
@@ -201,8 +200,8 @@ export class AuthenticationRepository {
       )
       .return<{
         userId: ID | null;
-        roles: readonly ScopedRole[];
-        impersonateeRoles: readonly ScopedRole[] | null;
+        roles: readonly Role[];
+        impersonateeRoles: readonly Role[] | null;
       }>([
         'user.id as userId',
         'roles',

src/core/authentication/session/session.dto.ts

@@ -1,13 +1,12 @@
 import { type DateTime } from 'luxon';
-import { DataObject, UnauthenticatedException } from '~/common';
+import { DataObject, type Role, UnauthenticatedException } from '~/common';
 import { type ID } from '~/common/id-field';
-import { type ScopedRole } from '../../../components/authorization/dto';
 
 class RawSession extends DataObject {
   readonly token: string;
   readonly issuedAt: DateTime;
   readonly userId: ID;
-  readonly roles: readonly ScopedRole[];
+  readonly roles: readonly Role[];
   readonly anonymous: boolean;
 
   /**
@@ -19,7 +18,7 @@ class RawSession extends DataObject {
    */
   readonly impersonatee?: {
     id?: ID;
-    roles: readonly ScopedRole[];
+    roles: readonly Role[];
   };
 }
 
@@ -42,7 +41,7 @@ export class Session extends RawSession {
   }
 
   get isAdmin() {
-    return this.roles.includes('global:Administrator');
+    return this.roles.includes('Administrator');
   }
 
   isSelf(id: ID<'User'>) {

src/core/authentication/session/session.initiator.ts

@@ -11,7 +11,6 @@ import {
 } from '~/common';
 import { ConfigService } from '~/core/config/config.service';
 import { ILogger, Logger } from '~/core/logger';
-import { rolesForScope } from '../../../components/authorization/dto';
 import { type IRequest } from '../../http';
 import { type Session } from './session.dto';
 import { type SessionManager } from './session.manager';
@@ -97,9 +96,7 @@ export class SessionInitiator {
       return undefined;
     }
 
-    const scoped = (roles ?? [])
-      .map(assertValidRole)
-      .map(rolesForScope('global'));
+    const scoped = (roles ?? []).map(assertValidRole);
 
     return { id: user, roles: scoped };
   }