feat(auth): implement access control based on ownership

fulleni · fulleni · commit 9de9ebb34a4b · 2025-05-15T06:26:08.000+01:00
- Added ownership types to models
- Implemented access control in routes
- Updated model configurations
diff --git a/lib/src/registry/model_registry.dart b/lib/src/registry/model_registry.dart
@@ -5,12 +5,19 @@ import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_data_client/ht_data_client.dart';
 import 'package:ht_shared/ht_shared.dart';
 
-/// Defines the ownership type of a data model.
+/// Defines the ownership type of a data model and associated access rules.
 enum ModelOwnership {
-  /// Data is global and not specific to any single user.
-  global,
+  /// Indicates the resource is fully managed by admins (only admins can
+  /// Create, Read, Update, Delete).
+  adminOwned,
 
-  /// Data is owned by a specific user.
+  /// Indicates the resource is managed by admins (only admins can Create,
+  /// Update, Delete), but read operations (GET) are allowed for all
+  /// authenticated users.
+  adminOwnedReadAllowed,
+
+  /// Indicates the resource is owned by a specific user (only the owning user
+  /// or an admin can Create, Read, Update, Delete).
   userOwned,
 }
 
@@ -65,22 +72,22 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
   'headline': ModelConfig<Headline>(
     fromJson: Headline.fromJson,
     getId: (h) => h.id,
-    ownership: ModelOwnership.global, // Added ownership
+    ownership: ModelOwnership.adminOwnedReadAllowed, // Updated ownership
   ),
   'category': ModelConfig<Category>(
     fromJson: Category.fromJson,
     getId: (c) => c.id,
-    ownership: ModelOwnership.global, // Added ownership
+    ownership: ModelOwnership.adminOwnedReadAllowed, // Updated ownership
   ),
   'source': ModelConfig<Source>(
     fromJson: Source.fromJson,
     getId: (s) => s.id,
-    ownership: ModelOwnership.global, // Added ownership
+    ownership: ModelOwnership.adminOwnedReadAllowed, // Updated ownership
   ),
   'country': ModelConfig<Country>(
     fromJson: Country.fromJson,
     getId: (c) => c.id, // Assuming Country has an 'id' field
-    ownership: ModelOwnership.global, // Added ownership
+    ownership: ModelOwnership.adminOwnedReadAllowed, // Updated ownership
   ),
 };
 
diff --git a/routes/api/v1/data/[id].dart b/routes/api/v1/data/[id].dart
@@ -80,9 +80,19 @@ Future<Response> _handleGet(
   User authenticatedUser,
   String requestId,
 ) async {
+  // Apply access control based on ownership type for GET requests
+  if (modelConfig.ownership == ModelOwnership.adminOwned &&
+      !authenticatedUser.isAdmin) {
+    throw const ForbiddenException(
+      'You do not have permission to read this resource.',
+    );
+  }
+
   dynamic item;
 
   String? userIdForRepoCall;
+  // For userOwned models, pass the authenticated user's ID to the repository
+  // for filtering. For adminOwned/adminOwnedReadAllowed, pass null.
   if (modelConfig.ownership == ModelOwnership.userOwned) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
@@ -188,14 +198,29 @@ Future<Response> _handlePut(
     );
   }
 
+  // Apply access control based on ownership type for PUT requests
+  if ((modelConfig.ownership == ModelOwnership.adminOwned ||
+          modelConfig.ownership == ModelOwnership.adminOwnedReadAllowed) &&
+      !authenticatedUser.isAdmin) {
+    throw const ForbiddenException(
+      'Only administrators can update this resource.',
+    );
+  }
+  if (modelConfig.ownership == ModelOwnership.userOwned &&
+      !authenticatedUser.isAdmin) {
+    // For userOwned, non-admins must be the owner.
+    // The repository will enforce this check when userIdForRepoCall is passed.
+  }
+
   dynamic updatedItem;
 
   String? userIdForRepoCall;
+  // For userOwned models, pass the authenticated user's ID to the repository
+  // for ownership enforcement. For adminOwned/adminOwnedReadAllowed, pass null
+  // (repository handles admin updates).
   if (modelConfig.ownership == ModelOwnership.userOwned) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
-    // TODO(fulleni): For global models, update might imply admin rights.
-    // For now, pass null, consider adding an admin user check.
     userIdForRepoCall = null;
   }
 
@@ -323,12 +348,27 @@ Future<Response> _handleDelete(
   User authenticatedUser,
   String requestId,
 ) async {
+  // Apply access control based on ownership type for DELETE requests
+  if ((modelConfig.ownership == ModelOwnership.adminOwned ||
+          modelConfig.ownership == ModelOwnership.adminOwnedReadAllowed) &&
+      !authenticatedUser.isAdmin) {
+    throw const ForbiddenException(
+      'Only administrators can delete this resource.',
+    );
+  }
+  if (modelConfig.ownership == ModelOwnership.userOwned &&
+      !authenticatedUser.isAdmin) {
+    // For userOwned, non-admins must be the owner.
+    // The repository will enforce this check when userIdForRepoCall is passed.
+  }
+
   String? userIdForRepoCall;
+  // For userOwned models, pass the authenticated user's ID to the repository
+  // for ownership enforcement. For adminOwned/adminOwnedReadAllowed, pass null
+  // (repository handles admin deletions).
   if (modelConfig.ownership == ModelOwnership.userOwned) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
-    // TODO(fulleni): For global models, update might imply admin rights.
-    // For now, pass null, consider adding an admin user check.
     userIdForRepoCall = null;
   }
 
diff --git a/routes/api/v1/data/index.dart b/routes/api/v1/data/index.dart
@@ -82,7 +82,17 @@ Future<Response> _handleGet(
   // Process based on model type
   PaginatedResponse<dynamic> paginatedResponse;
 
+  // Apply access control based on ownership type for GET requests
+  if (modelConfig.ownership == ModelOwnership.adminOwned &&
+      !authenticatedUser.isAdmin) {
+    throw const ForbiddenException(
+      'You do not have permission to read this resource.',
+    );
+  }
+
   String? userIdForRepoCall;
+  // For userOwned models, pass the authenticated user's ID to the repository
+  // for filtering. For adminOwned/adminOwnedReadAllowed, pass null.
   if (modelConfig.ownership == ModelOwnership.userOwned) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
@@ -230,15 +240,25 @@ Future<Response> _handlePost(
     );
   }
 
+  // Apply access control based on ownership type for POST requests
+  if ((modelConfig.ownership == ModelOwnership.adminOwned ||
+          modelConfig.ownership == ModelOwnership.adminOwnedReadAllowed) &&
+      !authenticatedUser.isAdmin) {
+    throw const ForbiddenException(
+      'Only administrators can create this resource.',
+    );
+  }
+
   // Process based on model type
   dynamic createdItem;
 
   String? userIdForRepoCall;
+  // For userOwned models, pass the authenticated user's ID to the repository
+  // for associating ownership during creation. For adminOwned/adminOwnedReadAllowed,
+  // pass null (repository handles admin creation).
   if (modelConfig.ownership == ModelOwnership.userOwned) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
-    // TODO(fulleni): For global models, update might imply admin rights.
-    // For now, pass null, consider adding an admin user check.
     userIdForRepoCall = null;
   }
 
