refactor(rbac): enhance permission checking logic

fulleni · fulleni · commit 4e79d3a7cc9b · 2025-07-10T11:32:52.000+01:00
- Update hasPermission method to consider both appRole and dashboardRole
- Modify isAdmin method to check dashboardRole directly
- Improve documentation to reflect new logic and role separation
diff --git a/lib/src/rbac/permission_service.dart b/lib/src/rbac/permission_service.dart
@@ -4,40 +4,47 @@ import 'package:ht_shared/ht_shared.dart';
 /// {@template permission_service}
 /// Service responsible for checking if a user has a specific permission.
 ///
-/// This service uses the predefined [rolePermissions] map to determine
-/// a user's access rights based on their roles. It also includes
-/// an explicit check for the 'admin' role, granting them all permissions.
+/// This service uses the predefined [rolePermissions] map to determine a user's
+/// access rights based on their `appRole` and `dashboardRole`. It also
+/// includes an explicit check for the `admin` role, granting them all
+/// permissions.
 /// {@endtemplate}
 class PermissionService {
   /// {@macro permission_service}
   const PermissionService();
 
   /// Checks if the given [user] has the specified [permission].
   ///
-  /// Returns `true` if the user's role grants the permission, or if the user
-  /// is an administrator. Returns `false` otherwise.
+  /// Returns `true` if the user's combined roles grant the permission, or if
+  /// the user is an administrator. Returns `false` otherwise.
   ///
   /// - [user]: The authenticated user.
   /// - [permission]: The permission string to check (e.g., `headline.read`).
   bool hasPermission(User user, String permission) {
     // Administrators implicitly have all permissions.
-    if (user.roles.contains(UserRoles.admin)) {
+    if (isAdmin(user)) {
       return true;
     }
 
-    // Check if any of the user's roles grant the required permission.
-    return user.roles.any(
-      (role) => rolePermissions[role]?.contains(permission) ?? false,
-    );
+    // Get the permission sets for the user's app and dashboard roles.
+    final appPermissions = rolePermissions[user.appRole] ?? const <String>{};
+    final dashboardPermissions =
+        rolePermissions[user.dashboardRole] ?? const <String>{};
+
+    // Combine the permissions from both roles.
+    final totalPermissions = {...appPermissions, ...dashboardPermissions};
+
+    // Check if the combined set contains the required permission.
+    return totalPermissions.contains(permission);
   }
 
-  /// Checks if the given [user] has the 'admin' role.
+  /// Checks if the given [user] has the `admin` dashboard role.
   ///
   /// This is a convenience method for checks that are strictly limited
   /// to administrators, bypassing the permission map.
   ///
   /// - [user]: The authenticated user.
   bool isAdmin(User user) {
-    return user.roles.contains(UserRoles.admin);
+    return user.dashboardRole == DashboardUserRole.admin;
   }
 }
