
@restnfeel/agentc-starter-kit


한국어 기업용 CMS 모듈 - Task Master AI와 함께 빠르게 웹사이트를 구현할 수 있는 재사용 가능한 컴포넌트 시스템

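/**
 * Roles a user can hold. `hasRequiredRole` ranks them
 * VIEWER < EDITOR < SITE_ADMIN < SUPER_ADMIN.
 */
export enum UserRole {
  SUPER_ADMIN = "super_admin",
  SITE_ADMIN = "site_admin",
  EDITOR = "editor",
  VIEWER = "viewer",
}

/** Individual capabilities that `ROLE_PERMISSIONS` grants to roles. */
export enum Permission {
  // Site management
  CREATE_SITE = "create_site",
  DELETE_SITE = "delete_site",
  UPDATE_SITE = "update_site",
  VIEW_SITE = "view_site",
  PUBLISH_SITE = "publish_site",

  // User management
  INVITE_USER = "invite_user",
  REMOVE_USER = "remove_user",
  UPDATE_USER_ROLE = "update_user_role",
  VIEW_USERS = "view_users",

  // Template management
  CREATE_TEMPLATE = "create_template",
  UPDATE_TEMPLATE = "update_template",
  DELETE_TEMPLATE = "delete_template",
  VIEW_TEMPLATES = "view_templates",

  // Domain management
  MANAGE_DOMAINS = "manage_domains",

  // System settings
  MANAGE_SYSTEM_SETTINGS = "manage_system_settings",
  VIEW_SYSTEM_LOGS = "view_system_logs",

  // Content management
  CREATE_CONTENT = "create_content",
  UPDATE_CONTENT = "update_content",
  DELETE_CONTENT = "delete_content",
  VIEW_CONTENT = "view_content",
}

/**
 * Default permission set per role.
 *
 * The arrays are shared module state. Code that needs a per-user list must
 * copy them (as `getUserPermissions` does), because a mutation here changes
 * the grants of every user holding that role.
 */
export const ROLE_PERMISSIONS: Record<UserRole, Permission[]> = {
  [UserRole.SUPER_ADMIN]: [
    // All permissions
    Permission.CREATE_SITE,
    Permission.DELETE_SITE,
    Permission.UPDATE_SITE,
    Permission.VIEW_SITE,
    Permission.PUBLISH_SITE,
    Permission.INVITE_USER,
    Permission.REMOVE_USER,
    Permission.UPDATE_USER_ROLE,
    Permission.VIEW_USERS,
    Permission.CREATE_TEMPLATE,
    Permission.UPDATE_TEMPLATE,
    Permission.DELETE_TEMPLATE,
    Permission.VIEW_TEMPLATES,
    Permission.MANAGE_DOMAINS,
    Permission.MANAGE_SYSTEM_SETTINGS,
    Permission.VIEW_SYSTEM_LOGS,
    Permission.CREATE_CONTENT,
    Permission.UPDATE_CONTENT,
    Permission.DELETE_CONTENT,
    Permission.VIEW_CONTENT,
  ],
  [UserRole.SITE_ADMIN]: [
    // Site management for assigned sites
    Permission.CREATE_SITE,
    Permission.UPDATE_SITE,
    Permission.VIEW_SITE,
    Permission.PUBLISH_SITE,
    Permission.INVITE_USER,
    Permission.VIEW_USERS,
    Permission.VIEW_TEMPLATES,
    Permission.MANAGE_DOMAINS,
    Permission.CREATE_CONTENT,
    Permission.UPDATE_CONTENT,
    Permission.DELETE_CONTENT,
    Permission.VIEW_CONTENT,
  ],
  [UserRole.EDITOR]: [
    // Content management only
    Permission.VIEW_SITE,
    Permission.CREATE_CONTENT,
    Permission.UPDATE_CONTENT,
    Permission.VIEW_CONTENT,
    Permission.VIEW_TEMPLATES,
  ],
  [UserRole.VIEWER]: [
    // Read-only access
    Permission.VIEW_SITE,
    Permission.VIEW_CONTENT,
    Permission.VIEW_TEMPLATES,
  ],
};

/**
 * The authorization facts for one user.
 *
 * NOTE(review): `PermissionChecker` trusts `role` and `permissions` as given,
 * so this object should be built from the authenticated session on the server
 * and never taken from request-supplied data.
 */
export interface UserPermissions {
  userId: string;
  role: UserRole;
  siteIds?: string[]; // For site-specific permissions
  permissions: Permission[];
}

/** Answers permission and site-access questions for a single user. */
export class PermissionChecker {
  private userPermissions: UserPermissions;

  /**
   * @param userPermissions The user's role, permission list and site scope.
   *   The reference is stored as-is, so later mutation by the caller is
   *   visible to this checker.
   */
  constructor(userPermissions: UserPermissions) {
    this.userPermissions = userPermissions;
  }

  /**
   * Reports whether the user holds `permission`, optionally for one site.
   *
   * SUPER_ADMIN always passes. Any other role must list the permission and,
   * when `siteId` is supplied, must also be assigned to that site.
   *
   * The site check fails closed. A user with no `siteIds` is denied every
   * site-scoped request, which matches `canAccessSite`; previously a missing
   * `siteIds` (or an empty-string `siteId`) skipped the site check and
   * granted the permission for any site.
   *
   * @param permission The capability being requested.
   * @param siteId Site the action targets; omit for a non-site-scoped check.
   * @returns `true` when the action is allowed.
   */
  hasPermission(permission: Permission, siteId?: string): boolean {
    const { role, permissions } = this.userPermissions;

    // Super admin has all permissions
    if (role === UserRole.SUPER_ADMIN) {
      return true;
    }

    // Check if user has the permission
    if (!permissions.includes(permission)) {
      return false;
    }

    // No site given: the caller asked for a global (non-site-scoped) answer.
    if (siteId == null) {
      return true;
    }

    // Site given: the user must be assigned to it. "" is checked like any
    // other id instead of being treated as "no site".
    return this.canAccessSite(siteId);
  }

  /**
   * Reports whether the user may access `siteId`.
   *
   * @returns `true` for SUPER_ADMIN or when `siteIds` contains the site;
   *   `false` otherwise, including when `siteIds` is undefined.
   */
  canAccessSite(siteId: string): boolean {
    if (this.userPermissions.role === UserRole.SUPER_ADMIN) {
      return true;
    }

    return this.userPermissions.siteIds?.includes(siteId) ?? false;
  }

  /**
   * Reports whether the user holds at least one user-management permission
   * (invite, remove or change role). This is a global check with no site
   * scope, so it does not say which of the three actions is allowed.
   */
  canManageUsers(): boolean {
    return (
      this.hasPermission(Permission.INVITE_USER) ||
      this.hasPermission(Permission.REMOVE_USER) ||
      this.hasPermission(Permission.UPDATE_USER_ROLE)
    );
  }

  /**
   * Reports whether the user holds at least one site-management permission
   * (create, update or delete). This is a global check with no site scope.
   */
  canManageSites(): boolean {
    return (
      this.hasPermission(Permission.CREATE_SITE) ||
      this.hasPermission(Permission.UPDATE_SITE) ||
      this.hasPermission(Permission.DELETE_SITE)
    );
  }

  /**
   * Lists the site ids the user is assigned to.
   *
   * The empty array is ambiguous: for SUPER_ADMIN it means "all sites", for
   * every other role it means "no sites". Callers must check the role before
   * using the result as a filter; otherwise an unassigned user can be handled
   * like a super admin.
   */
  getAccessibleSites(): string[] {
    if (this.userPermissions.role === UserRole.SUPER_ADMIN) {
      return []; // Empty array means access to all sites
    }

    return this.userPermissions.siteIds ?? [];
  }
}

/**
 * Builds a `UserPermissions` record from a role's default grants.
 *
 * The permission list and `siteIds` are copied so that edits to the returned
 * object cannot alter the shared `ROLE_PERMISSIONS` table or the caller's
 * array. Previously the role's array was returned by reference, so a `push`
 * on one user's permissions changed the grants of the whole role.
 *
 * @param role Role whose default permissions are used.
 * @param siteIds Sites the user is assigned to, if any.
 * @returns A record with an empty `userId` for the caller to fill in.
 */
export function getUserPermissions(
  role: UserRole,
  siteIds?: string[]
): UserPermissions {
  return {
    userId: "", // Will be set by the calling code
    role,
    siteIds: siteIds ? [...siteIds] : undefined,
    permissions: [...ROLE_PERMISSIONS[role]],
  };
}

/**
 * Compares two roles by rank.
 *
 * @returns `true` when `userRole` ranks at or above `requiredRole`. A value
 *   missing from the rank table compares as `undefined` and yields `false`.
 */
export function hasRequiredRole(
  userRole: UserRole,
  requiredRole: UserRole
): boolean {
  const roleHierarchy = {
    [UserRole.VIEWER]: 0,
    [UserRole.EDITOR]: 1,
    [UserRole.SITE_ADMIN]: 2,
    [UserRole.SUPER_ADMIN]: 3,
  };

  return roleHierarchy[userRole] >= roleHierarchy[requiredRole];
}

// Middleware helper for API routes
/**
 * Creates a predicate that checks one permission, optionally for one site.
 *
 * The predicate only returns a boolean and rejects nothing itself; the route
 * handler must act on a `false` result.
 */
export function requirePermission(permission: Permission, siteId?: string) {
  return (userPermissions: UserPermissions): boolean => {
    const checker = new PermissionChecker(userPermissions);
    return checker.hasPermission(permission, siteId);
  };
}

// React hook for permission checking in components
/**
 * Exposes a `PermissionChecker` for `userPermissions` as plain callbacks,
 * plus the user's role.
 *
 * NOTE(review): checks made in components only decide what is rendered. The
 * same permission has to be enforced again by the API that performs the
 * action.
 */
export function usePermissions(userPermissions: UserPermissions) {
  const checker = new PermissionChecker(userPermissions);

  return {
    hasPermission: (permission: Permission, siteId?: string) =>
      checker.hasPermission(permission, siteId),
    canAccessSite: (siteId: string) => checker.canAccessSite(siteId),
    canManageUsers: () => checker.canManageUsers(),
    canManageSites: () => checker.canManageSites(),
    getAccessibleSites: () => checker.getAccessibleSites(),
    role: userPermissions.role,
  };
}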