feat: APP-882 Update author role permissions

[blushi]

Description

Needs https://github.com/regen-network/regen-server/pull/564 before it can be tested

Part of https://regennetwork.atlassian.net/browse/APP-882

Authors should not be allowed to:

• update others' posts
• see others draft and private posts (while private posts generic info do appear on the dashboard data posts table for them, the private post detailed content remains unaccessible)

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• provided a link to the relevant issue or specification
• provided instructions on how to test
• reviewed "Files changed" and left comments if necessary
• confirmed all CI checks have passed

How to test

1. From one of your organization project as an owner/admin, add a new author (from a wallet/email that you can log in with). This project should have a draft post and a private post that the owner/admin created
2. Log out from the owner/admin account or use another browser
3. Log in with the new author account
4. Go to the project page from 1. and double check that you cannot see the draft post, only "1 private post" is displayed
5. Create a new draft post for this project and verify you can edit/delete it from the data stream
6. Create a new private post for this project and verify you can see and delete it from data stream and the post page. From the post page it should also be possible to share a secret link.

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed all author checklist items have been addressed
• reviewed code correctness and readability
• verified React components follow DRY principles
• reviewed documentation is accurate
• reviewed tests
• manually tested (if applicable)

[netlify]

✅ Deploy Preview for terrasos ready!

Name	Link
🔨 Latest commit	8aea233
🔍 Latest deploy log	https://app.netlify.com/projects/terrasos/deploys/69afd7e89628b60008ad4ac6
😎 Deploy Preview	https://deploy-preview-2811--terrasos.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the platform's permission management, specifically targeting the 'Author' role. The core objective is to refine access control for data posts, ensuring that authors can only manage their own content and have restricted visibility into private or draft posts created by others. This change involves a comprehensive refactoring of permission-related logic across several components, moving towards a more explicit and secure role-based access model.

Highlights

• Granular Author Permissions: Implemented a more granular permission system for authors, restricting them from updating other users' posts and viewing private or draft posts created by others. This enhances data privacy and content management.
• Permission Logic Refactoring: Replaced a generic isAdmin flag with specific, role-based utility functions (getCanCreatePost, getCanSeeOrManagePost, getCanViewPrivatePost, getCanViewDraftPost) to determine user capabilities for posts. This provides a more robust and explicit access control mechanism.
• UI Component Updates: Updated various UI components (PostFiles.Public.tsx, PostFiles.tsx, Post.Header.tsx) to consume the new permission flags, ensuring that content visibility and action buttons (like edit/delete) are correctly displayed based on the user's role and post ownership.
• Documentation and Testing: Updated the ROLE_AUTHOR_DESCRIPTION to reflect the new permissions and added comprehensive unit tests for the new permission utility functions, covering various roles and ownership scenarios.

Changelog

• web-components/src/components/organisms/PostFiles/PostFiles.Public.tsx
  • Updated the Props type to replace isAdmin with canViewPrivatePost.
  • Modified the component signature to use canViewPrivatePost instead of isAdmin.
  • Adjusted conditional rendering logic to utilize canViewPrivatePost for displaying private content.
• web-components/src/components/organisms/PostFiles/PostFiles.stories.tsx
  • Added canViewPrivatePost: false to Public, PrivateLocations, and PrivateFiles stories.
  • Replaced isAdmin: true with canViewPrivatePost: true in PrivateLocationsAsAdmin and PrivateFilesAsAdmin stories.
• web-components/src/components/organisms/PostFiles/PostFiles.tsx
  • Updated the PostFilesProps type to replace isAdmin with canViewPrivatePost.
  • Modified the component signature to use canViewPrivatePost instead of isAdmin.
  • Adjusted conditional rendering logic and height calculation to utilize canViewPrivatePost.
• web-marketplace/src/components/organisms/ProjectCollaborators/ProjectCollaborators.constants.tsx
  • Updated the ROLE_AUTHOR_DESCRIPTION to specify that authors can only manage their own data posts and cannot see private post data.
• web-marketplace/src/components/templates/ProjectDetails/ProjectDetails.DataStream.Post.tsx
  • Imported useMemo and useAuth hooks.
  • Replaced canManagePost and canViewPost props with a single role prop.
  • Introduced currentAccountId from useAuth to determine permissions.
  • Calculated canManagePost and canViewPost using new utility functions based on role, creatorAccountId, and currentAccountId.
• web-marketplace/src/components/templates/ProjectDetails/ProjectDetails.DataStream.tsx
  • Imported ProjectRole type.
  • Replaced canManagePost and canViewPost props with a single role prop.
  • Passed the new role prop down to DataStreamPost components.
• web-marketplace/src/components/templates/ProjectDetails/ProjectDetails.tsx
  • Updated imports for permission utility functions, replacing getCanManagePost and getCanViewPost with getCanCreatePost, getCanSeeOrManagePost, and getCanViewPrivatePost.
  • Removed direct calculation of canManagePost and canViewPost.
  • Calculated canCreatePost using the new getCanCreatePost utility.
  • Updated the canCreatePost prop in ProjectDetailsHeader and removed canManagePost and canViewPost props from the DataStream component.
• web-marketplace/src/components/templates/ProjectFormTemplate/ProjectFormAccessTemplate.utils.test.ts
  • Imported uuidv4 for generating unique IDs in tests.
  • Renamed getCanManagePost tests to getCanSeeOrManagePost.
  • Modified tests to include creatorAccountId and currentAccountId for getCanSeeOrManagePost, specifically verifying author permissions for their own posts versus others'.
• web-marketplace/src/components/templates/ProjectFormTemplate/ProjectFormAccessTemplate.utils.ts
  • Renamed getCanManagePost to getCanCreatePost.
  • Introduced new utility functions: getCanSeeOrManagePost, getCanViewPrivatePost, and getCanViewDraftPost.
  • Implemented logic within these new functions to determine permissions based on role, creatorAccountId, and currentAccountId, adding specific conditions for ROLE_AUTHOR.
• web-marketplace/src/legacy-pages/CreateOrganization/hooks/useMigrateProjects/useMigrateProjects.utils.test.ts
  • Removed authorAssignments from the expected result in the getOrgAssignments test.
• web-marketplace/src/legacy-pages/Dashboard/MyProjects/ManageProject.tsx
  • Updated imports for permission utility functions, replacing getCanManagePost with getCanCreatePost and getCanSeeOrManagePost.
  • Replaced canManagePost with canCreatePost based on the new getCanCreatePost utility.
  • Updated the canCreatePost prop in ProjectDashboardBanner and the conditional rendering for PostFlow.
• web-marketplace/src/legacy-pages/Post/Post.Header.tsx
  • Updated the Props type to replace isAdmin with canManagePost.
  • Modified the component signature to use canManagePost instead of isAdmin.
  • Adjusted conditional rendering logic to utilize canManagePost for displaying private post tags and edit/delete options.
• web-marketplace/src/legacy-pages/Post/Post.tsx
  • Imported useCanAccessManageProjectWithRole, useLedger, useWallet, getProjectQuery, and the new permission utility functions.
  • Replaced activeAccountId with currentAccountId.
  • Fetched onChainProject and role using useCanAccessManageProjectWithRole.
  • Replaced the isAdmin boolean with canManagePost, canViewPrivatePost, and canViewDraftPost derived from the new utility functions and the user's role.
  • Updated conditional rendering for NotFoundPage, PostPrivate, PostHeader, PostFiles, and image display based on these new permission flags.
  • Updated projectHref and adminAddr to consistently use offChainProject.

Activity

• This pull request is part of the APP-882 initiative.
• Testing for this PR is dependent on the completion and merge of https://github.com/regen-network/regen-server/pull/564.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request refactors post and project access control by replacing a generic isAdmin flag with more specific permissions like canViewPrivatePost, canManagePost, canCreatePost, and canViewDraftPost, centralizing this logic into new utility functions based on user roles and account IDs. However, a high-severity broken access control vulnerability exists in Post.tsx where the canViewDraftPost logic is inverted, inadvertently allowing unauthorized users to view draft posts. Additionally, the getCanViewDraftPost utility function is a duplicate of getCanSeeOrManagePost and should be removed for better maintainability.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8aea233ff4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[blushi]

@erikalogie @S4mmyb see testing instructions