use Polar shorthand rules

Author: kenfdev

server/src/auth/policies/core/members.polar

@@ -1,10 +1,6 @@
-has_permission(user: User, "read", member: Member) if
-  user.memberInfo.department.id = member.department.id or
-  user.memberInfo.department.name = "hr";
-
-has_permission(user: User, "update", member: Member) if
-  user.memberInfo.id = member.id or
-  user.memberInfo.department.name = "hr";
+has_role(user: User, "hr_member", _member: Member) if user.memberInfo.department.name = "hr";
+has_role(user: User, "self", member: Member) if user.memberInfo.id = member.id;
+has_role(user: User, "same_department", member: Member) if user.memberInfo.department.id = member.department.id;
 
 allow_field(user: User, "read", member: Member, field) if
   # anyone can read public fields

server/src/auth/policies/members.polar

@@ -6,7 +6,14 @@ has_permission(_: User, "read", _department: Department);
 
 resource Member {
   permissions = ["read", "update"];
+  roles = ["self", "same_department", "hr_member"];
   relations = {department: Department};
+
+  "read" if "same_department";
+  "read" if "hr_member";
+
+  "update" if "self";
+  "update" if "hr_member";
 }
 
 has_relation(department: Department, "department", member: Member) if

server/src/auth/policies/orm/members.polar

@@ -1,7 +1,3 @@
-has_permission(user: User, "read", member: Member) if
-  user.member.department.id = member.departmentId or
-  user.member.department.name = "hr";
-
-has_permission(user: User, "update", member: Member) if
-  user.member.id = member.id or
-  user.member.department.name = "hr";
+has_role(user: User, "hr_member", _member: Member) if user.member.department.name = "hr";
+has_role(user: User, "self", member: Member) if user.member.id = member.id;
+has_role(user: User, "same_department", member: Member) if user.member.department.id = member.department.id;

server/src/database/seeds/create-users-members.seed.ts

@@ -36,7 +36,7 @@ export default class CreateUsersAndMembers implements Seeder {
       memberId: engineeringMember.id,
     });
 
-    const members = await factory(MemberOrm)().createMany(10);
+    const members = await factory(MemberOrm)().createMany(20);
     for (const member of members) {
       await factory(UserOrm)().create({ memberId: member.id });
     }

server/tests/integration/members/listAllMembers.test.ts

@@ -56,9 +56,10 @@ describe('ListAllMembers', () => {
         loggedInUser = USERS.nonAdminAndEngineer;
         res = await authorizeRequest(
           request(app).get('/members'),
-          USERS.nonAdminAndEngineer.userId
+          loggedInUser.userId
         ).expect(200);
         expect(res.body.members).toBeInstanceOf(Array);
+        expect(res.body.members.length).toBeGreaterThan(1);
       });
 
       it('should return only members of the users department', async () => {
@@ -68,9 +69,9 @@ describe('ListAllMembers', () => {
         }
       });
 
-      it("should omit member's private fields such as salaries except for the logged in user and should not be editable", async () => {
+      it("should omit member's private fields such as salaries except for the logged in user and should not be editable", () => {
         const { members } = res.body;
-        const membersLoggedInUserExcluded = members.find(
+        const membersLoggedInUserExcluded = members.filter(
           (m: any) => m.id !== loggedInUser.memberId
         );
         for (const member of membersLoggedInUserExcluded) {
@@ -97,12 +98,12 @@ describe('ListAllMembers', () => {
         loggedInUser = USERS.nonAdminAndHr;
         res = await authorizeRequest(
           request(app).get('/members'),
-          USERS.nonAdminAndHr.userId
+          loggedInUser.userId
         ).expect(200);
         expect(res.body.members).toBeInstanceOf(Array);
       });
 
-      it('should return all members with all fields present', async () => {
+      it('should return all members with all fields present', () => {
         const { members } = res.body;
         for (const member of members) {
           expect(member.salary).toBeDefined();