Provide real privilege context with available transition checks

This allows transitions to depend on membership, sensitivity, etc.

Author: CarsonF

src/components/project/workflow/migrations/step-history-to-workflow-events.migration.ts

@@ -75,6 +75,7 @@ export class StepHistoryToWorkflowEventsMigration extends BaseMigration {
             moduleRef: this.moduleRef,
             migrationPrevStep: prev.value,
           },
+          project,
           // We don't know who did it, so we can't confirm this was an official
           // transition instead of a bypass.
           // Guess that it was if a transition exists.

src/components/project/workflow/project-workflow.service.ts

@@ -50,6 +50,7 @@ export class ProjectWorkflowService extends WorkflowService(ProjectWorkflow) {
     return await this.resolveAvailable(
       project.step.value!,
       { project, moduleRef: this.moduleRef },
+      project,
       session,
     );
   }

src/components/workflow/workflow.granter.ts

@@ -1,6 +1,6 @@
 import { Query } from 'cypher-query-builder';
 import { inspect, InspectOptionsStylized } from 'util';
-import { ID, isIdLike, Many } from '~/common';
+import { ID, Many } from '~/common';
 import { ResourceGranter } from '../authorization';
 import { action } from '../authorization/policy/builder/perm-granter';
 import { PropsGranterFn } from '../authorization/policy/builder/resource-granter';
@@ -108,13 +108,11 @@ export function WorkflowEventGranter<W extends Workflow>(workflow: W) {
         // These should be treated as false without error.
         return false;
       }
-      const transitionKey = object.transition;
+      const transitionKey = Reflect.get(object, TransitionKey);
       if (!transitionKey) {
         return false;
       }
-      return this.allowedTransitionKeys.has(
-        isIdLike(transitionKey) ? transitionKey : transitionKey.key,
-      );
+      return this.allowedTransitionKeys.has(transitionKey);
     }
 
     asCypherCondition(query: Query) {
@@ -191,3 +189,15 @@ export function WorkflowEventGranter<W extends Workflow>(workflow: W) {
 
   return WorkflowEventGranterClass;
 }
+
+const TransitionKey = Symbol('TransitionKey');
+
+export const withTransitionKey = <T extends object>(
+  obj: T,
+  transitionKey: ID,
+) =>
+  Object.defineProperty(obj, TransitionKey, {
+    value: transitionKey,
+    enumerable: false,
+    configurable: true,
+  });

src/components/workflow/workflow.service.ts

@@ -4,6 +4,7 @@ import { ID, Session, UnauthorizedException } from '~/common';
 import { Privileges } from '../authorization';
 import { Workflow } from './define-workflow';
 import { ExecuteTransitionInput as ExecuteTransitionInputFn } from './dto';
+import { withTransitionKey } from './workflow.granter';
 
 type ExecuteTransitionInput = ReturnType<
   typeof ExecuteTransitionInputFn
@@ -29,6 +30,7 @@ export const WorkflowService = <W extends Workflow>(workflow: W) => {
     protected async resolveAvailable(
       currentState: W['state'],
       dynamicContext: W['context'],
+      privilegeContext: object,
       session: Session,
     ) {
       let available = this.workflow.transitions;
@@ -43,7 +45,9 @@ export const WorkflowService = <W extends Workflow>(workflow: W) => {
       available = available.filter((t) =>
         // I don't have a good way to type this right now.
         // Context usage is still fuzzy when conditions need different shapes.
-        p.forContext({ transition: t.key } as any).can('create'),
+        p
+          .forContext(withTransitionKey(privilegeContext, t.key) as any)
+          .can('create'),
       );
 
       // Resolve conditions & filter as needed