{"version":3,"file":"crud-access-control.mjs","names":["condition: Where","member","updateData: Partial<OrganizationRole>","hasNecessaryPermissions: {\n\t\tresource: { [x: string]: string[] };\n\t\thasPermission: boolean;\n\t}[]","errorMessage: string"],"sources":["../../../../src/plugins/organization/routes/crud-access-control.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport type { Where } from \"@better-auth/core/db/adapter\";\nimport * as z from \"zod\";\nimport { APIError } from \"../../../api\";\nimport type { InferAdditionalFieldsFromPluginOptions } from \"../../../db\";\nimport { toZodSchema } from \"../../../db\";\nimport type { User } from \"../../../types\";\nimport type { AccessControl } from \"../../access\";\nimport { orgSessionMiddleware } from \"../call\";\nimport { ORGANIZATION_ERROR_CODES } from \"../error-codes\";\nimport { hasPermission } from \"../has-permission\";\nimport type { Member, OrganizationRole } from \"../schema\";\nimport type { OrganizationOptions } from \"../types\";\n\ntype IsExactlyEmptyObject<T> = keyof T extends never // no keys\n\t? T extends {} // is assignable to {}\n\t\t? {} extends T\n\t\t\t? 
true\n\t\t\t: false // and {} is assignable to it\n\t\t: false\n\t: false;\n\nconst normalizeRoleName = (role: string) => role.toLowerCase();\nconst DEFAULT_MAXIMUM_ROLES_PER_ORGANIZATION = Number.POSITIVE_INFINITY;\n\nconst getAdditionalFields = <\n\tO extends OrganizationOptions,\n\tAllPartial extends boolean = false,\n>(\n\toptions: O,\n\tshouldBePartial: AllPartial = false as AllPartial,\n) => {\n\tconst additionalFields =\n\t\toptions?.schema?.organizationRole?.additionalFields || {};\n\tif (shouldBePartial) {\n\t\tfor (const key in additionalFields) {\n\t\t\tadditionalFields[key]!.required = false;\n\t\t}\n\t}\n\tconst additionalFieldsSchema = toZodSchema({\n\t\tfields: additionalFields,\n\t\tisClientSide: true,\n\t});\n\ttype AdditionalFields = AllPartial extends true\n\t\t? Partial<InferAdditionalFieldsFromPluginOptions<\"organizationRole\", O>>\n\t\t: InferAdditionalFieldsFromPluginOptions<\"organizationRole\", O>;\n\ttype ReturnAdditionalFields = InferAdditionalFieldsFromPluginOptions<\n\t\t\"organizationRole\",\n\t\tO,\n\t\tfalse\n\t>;\n\n\treturn {\n\t\tadditionalFieldsSchema,\n\t\t$AdditionalFields: {} as AdditionalFields,\n\t\t$ReturnAdditionalFields: {} as ReturnAdditionalFields,\n\t};\n};\n\nconst baseCreateOrgRoleSchema = z.object({\n\torganizationId: z.string().optional().meta({\n\t\tdescription:\n\t\t\t\"The id of the organization to create the role in. 
If not provided, the user's active organization will be used.\",\n\t}),\n\trole: z.string().meta({\n\t\tdescription: \"The name of the role to create\",\n\t}),\n\tpermission: z.record(z.string(), z.array(z.string())).meta({\n\t\tdescription: \"The permission to assign to the role\",\n\t}),\n});\n\nexport const createOrgRole = <O extends OrganizationOptions>(options: O) => {\n\tconst { additionalFieldsSchema, $AdditionalFields, $ReturnAdditionalFields } =\n\t\tgetAdditionalFields<O>(options, false);\n\ttype AdditionalFields = typeof $AdditionalFields;\n\ttype ReturnAdditionalFields = typeof $ReturnAdditionalFields;\n\n\treturn createAuthEndpoint(\n\t\t\"/organization/create-role\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: baseCreateOrgRoleSchema.safeExtend({\n\t\t\t\tadditionalFields: z\n\t\t\t\t\t.object({ ...additionalFieldsSchema.shape })\n\t\t\t\t\t.optional(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as {\n\t\t\t\t\t\torganizationId?: string | undefined;\n\t\t\t\t\t\trole: string;\n\t\t\t\t\t\tpermission: Record<string, string[]>;\n\t\t\t\t\t} & (IsExactlyEmptyObject<AdditionalFields> extends true\n\t\t\t\t\t\t? 
{ additionalFields?: {} | undefined }\n\t\t\t\t\t\t: { additionalFields: AdditionalFields }),\n\t\t\t\t},\n\t\t\t},\n\t\t\trequireHeaders: true,\n\t\t\tuse: [orgSessionMiddleware],\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, user } = ctx.context.session;\n\t\t\tlet roleName = ctx.body.role;\n\t\t\tconst permission = ctx.body.permission;\n\t\t\tconst additionalFields = ctx.body.additionalFields;\n\n\t\t\tconst ac = options.ac;\n\t\t\tif (!ac) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The organization plugin is missing a pre-defined ac instance.`,\n\t\t\t\t\t`\\nPlease refer to the documentation here: https://better-auth.com/docs/plugins/organization#dynamic-access-control`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"NOT_IMPLEMENTED\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.MISSING_AC_INSTANCE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// Get the organization id where the role will be created.\n\t\t\t// We can verify if the org id is valid and associated with the user in the next step when we try to find the member.\n\t\t\tconst organizationId =\n\t\t\t\tctx.body.organizationId ?? session.activeOrganizationId;\n\t\t\tif (!organizationId) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The session is missing an active organization id to create a role. 
Either set an active org id, or pass an organizationId in the request body.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\troleName = normalizeRoleName(roleName);\n\n\t\t\tawait checkIfRoleNameIsTakenByPreDefinedRole({\n\t\t\t\trole: roleName,\n\t\t\t\torganizationId,\n\t\t\t\toptions,\n\t\t\t\tctx,\n\t\t\t});\n\n\t\t\t// Get the user's role associated with the organization.\n\t\t\t// This also serves as a check to ensure the org id is valid.\n\t\t\tconst member = await ctx.context.adapter.findOne<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!member) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not a member of the organization to create a role.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst canCreateRole = await hasPermission(\n\t\t\t\t{\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tac: [\"create\"],\n\t\t\t\t\t},\n\t\t\t\t\trole: member.role,\n\t\t\t\t},\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (!canCreateRole) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not permitted to create a role. 
If this is unexpected, please make sure the role associated to that member has the \"ac\" resource with the \"create\" permission.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\trole: member.role,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CREATE_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst maximumRolesPerOrganization =\n\t\t\t\ttypeof options.dynamicAccessControl?.maximumRolesPerOrganization ===\n\t\t\t\t\"function\"\n\t\t\t\t\t? await options.dynamicAccessControl.maximumRolesPerOrganization(\n\t\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\t)\n\t\t\t\t\t: (options.dynamicAccessControl?.maximumRolesPerOrganization ??\n\t\t\t\t\t\tDEFAULT_MAXIMUM_ROLES_PER_ORGANIZATION);\n\t\t\tconst rolesInDB = await ctx.context.adapter.count({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (rolesInDB >= maximumRolesPerOrganization) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] Failed to create a new role, the organization has too many roles. 
Maximum allowed roles is ${maximumRolesPerOrganization}.`,\n\t\t\t\t\t{\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\tmaximumRolesPerOrganization,\n\t\t\t\t\t\trolesInDB,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.TOO_MANY_ROLES,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tawait checkForInvalidResources({ ac, ctx, permission });\n\n\t\t\tawait checkIfMemberHasPermission({\n\t\t\t\tctx,\n\t\t\t\tmember,\n\t\t\t\toptions,\n\t\t\t\torganizationId,\n\t\t\t\tpermissionRequired: permission,\n\t\t\t\tuser,\n\t\t\t\taction: \"create\",\n\t\t\t});\n\n\t\t\tawait checkIfRoleNameIsTakenByRoleInDB({\n\t\t\t\tctx,\n\t\t\t\torganizationId,\n\t\t\t\trole: roleName,\n\t\t\t});\n\n\t\t\tconst newRole = ac.newRole(permission);\n\n\t\t\tconst newRoleInDB = await ctx.context.adapter.create<\n\t\t\t\tOmit<OrganizationRole, \"permission\"> & { permission: string }\n\t\t\t>({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\tdata: {\n\t\t\t\t\tcreatedAt: new Date(),\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermission: JSON.stringify(permission),\n\t\t\t\t\trole: roleName,\n\t\t\t\t\t...additionalFields,\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tconst data = {\n\t\t\t\t...newRoleInDB,\n\t\t\t\tpermission,\n\t\t\t} as OrganizationRole & ReturnAdditionalFields;\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t\troleData: data,\n\t\t\t\tstatements: newRole.statements,\n\t\t\t});\n\t\t},\n\t);\n};\n\nconst deleteOrgRoleBodySchema = z\n\t.object({\n\t\torganizationId: z.string().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"The id of the organization to create the role in. 
If not provided, the user's active organization will be used.\",\n\t\t}),\n\t})\n\t.and(\n\t\tz.union([\n\t\t\tz.object({\n\t\t\t\troleName: z.string().nonempty().meta({\n\t\t\t\t\tdescription: \"The name of the role to delete\",\n\t\t\t\t}),\n\t\t\t}),\n\t\t\tz.object({\n\t\t\t\troleId: z.string().nonempty().meta({\n\t\t\t\t\tdescription: \"The id of the role to delete\",\n\t\t\t\t}),\n\t\t\t}),\n\t\t]),\n\t);\n\nexport const deleteOrgRole = <O extends OrganizationOptions>(options: O) => {\n\treturn createAuthEndpoint(\n\t\t\"/organization/delete-role\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: deleteOrgRoleBodySchema,\n\t\t\trequireHeaders: true,\n\t\t\tuse: [orgSessionMiddleware],\n\t\t\tmetadata: {\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as {\n\t\t\t\t\t\troleName?: string | undefined;\n\t\t\t\t\t\troleId?: string | undefined;\n\t\t\t\t\t\torganizationId?: string | undefined;\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, user } = ctx.context.session;\n\n\t\t\tconst organizationId =\n\t\t\t\tctx.body.organizationId ?? session.activeOrganizationId;\n\t\t\tif (!organizationId) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The session is missing an active organization id to delete a role. 
Either set an active org id, or pass an organizationId in the request body.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst member = await ctx.context.adapter.findOne<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!member) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not a member of the organization to delete a role.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst canDeleteRole = await hasPermission(\n\t\t\t\t{\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tac: [\"delete\"],\n\t\t\t\t\t},\n\t\t\t\t\trole: member.role,\n\t\t\t\t},\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (!canDeleteRole) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not permitted to delete a role. 
If this is unexpected, please make sure the role associated to that member has the \"ac\" resource with the \"delete\" permission.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\trole: member.role,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.body.roleName) {\n\t\t\t\tconst roleName = ctx.body.roleName;\n\t\t\t\tconst defaultRoles = options.roles\n\t\t\t\t\t? Object.keys(options.roles)\n\t\t\t\t\t: [\"owner\", \"admin\", \"member\"];\n\t\t\t\tif (defaultRoles.includes(roleName)) {\n\t\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\t`[Dynamic Access Control] Cannot delete a pre-defined role.`,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\troleName,\n\t\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\t\tdefaultRoles,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.CANNOT_DELETE_A_PRE_DEFINED_ROLE,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tlet condition: Where;\n\t\t\tif (ctx.body.roleName) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: \"role\",\n\t\t\t\t\tvalue: ctx.body.roleName,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t};\n\t\t\t} else if (ctx.body.roleId) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: ctx.body.roleId,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t};\n\t\t\t} else {\n\t\t\t\t// shouldn't be able to reach here given the schema validation.\n\t\t\t\t// But just in case, throw an error.\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id is not provided in the request body.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst existingRoleInDB =\n\t\t\t\tawait 
ctx.context.adapter.findOne<OrganizationRole>({\n\t\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\t\twhere: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tcondition,\n\t\t\t\t\t],\n\t\t\t\t});\n\t\t\tif (!existingRoleInDB) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id does not exist in the database.`,\n\t\t\t\t\t{\n\t\t\t\t\t\t...(\"roleName\" in ctx.body\n\t\t\t\t\t\t\t? { roleName: ctx.body.roleName }\n\t\t\t\t\t\t\t: { roleId: ctx.body.roleId }),\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\texistingRoleInDB.permission = JSON.parse(\n\t\t\t\texistingRoleInDB.permission as never as string,\n\t\t\t);\n\n\t\t\t// Check if any members are assigned to this role\n\t\t\tconst roleToDelete = existingRoleInDB.role;\n\t\t\tconst members = await ctx.context.adapter.findMany<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"role\",\n\t\t\t\t\t\tvalue: roleToDelete,\n\t\t\t\t\t\toperator: \"contains\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tconst memberWithRole = members.find((member) => {\n\t\t\t\tconst memberRoles = member.role.split(\",\").map((r) => r.trim());\n\t\t\t\treturn memberRoles.includes(roleToDelete);\n\t\t\t});\n\t\t\tif (memberWithRole) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] Cannot delete a role that is assigned to members.`,\n\t\t\t\t\t{\n\t\t\t\t\t\trole: existingRoleInDB.role,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", 
{\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_IS_ASSIGNED_TO_MEMBERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tawait ctx.context.adapter.delete({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\tcondition,\n\t\t\t\t],\n\t\t\t});\n\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n};\n\nconst listOrgRolesQuerySchema = z\n\t.object({\n\t\torganizationId: z.string().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"The id of the organization to list roles for. If not provided, the user's active organization will be used.\",\n\t\t}),\n\t})\n\t.optional();\n\nexport const listOrgRoles = <O extends OrganizationOptions>(options: O) => {\n\tconst { $ReturnAdditionalFields } = getAdditionalFields<O>(options, false);\n\ttype ReturnAdditionalFields = typeof $ReturnAdditionalFields;\n\n\treturn createAuthEndpoint(\n\t\t\"/organization/list-roles\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\trequireHeaders: true,\n\t\t\tuse: [orgSessionMiddleware],\n\t\t\tquery: listOrgRolesQuerySchema,\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, user } = ctx.context.session;\n\n\t\t\tconst organizationId =\n\t\t\t\tctx.query?.organizationId ?? session.activeOrganizationId;\n\t\t\tif (!organizationId) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The session is missing an active organization id to list roles. 
Either set an active org id, or pass an organizationId in the request query.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst member = await ctx.context.adapter.findOne<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!member) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not a member of the organization to list roles.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst canListRoles = await hasPermission(\n\t\t\t\t{\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tac: [\"read\"],\n\t\t\t\t\t},\n\t\t\t\t\trole: member.role,\n\t\t\t\t},\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (!canListRoles) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not permitted to list roles.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\trole: member.role,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_LIST_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tlet roles = await ctx.context.adapter.findMany<\n\t\t\t\tOrganizationRole & ReturnAdditionalFields\n\t\t\t>({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: 
\"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\n\t\t\troles = roles.map((x) => ({\n\t\t\t\t...x,\n\t\t\t\tpermission: JSON.parse(x.permission as never as string),\n\t\t\t}));\n\n\t\t\treturn ctx.json(roles);\n\t\t},\n\t);\n};\n\nconst getOrgRoleQuerySchema = z\n\t.object({\n\t\torganizationId: z.string().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"The id of the organization to read a role for. If not provided, the user's active organization will be used.\",\n\t\t}),\n\t})\n\t.and(\n\t\tz.union([\n\t\t\tz.object({\n\t\t\t\troleName: z.string().nonempty().meta({\n\t\t\t\t\tdescription: \"The name of the role to read\",\n\t\t\t\t}),\n\t\t\t}),\n\t\t\tz.object({\n\t\t\t\troleId: z.string().nonempty().meta({\n\t\t\t\t\tdescription: \"The id of the role to read\",\n\t\t\t\t}),\n\t\t\t}),\n\t\t]),\n\t)\n\t.optional();\n\nexport const getOrgRole = <O extends OrganizationOptions>(options: O) => {\n\tconst { $ReturnAdditionalFields } = getAdditionalFields<O>(options, false);\n\ttype ReturnAdditionalFields = typeof $ReturnAdditionalFields;\n\treturn createAuthEndpoint(\n\t\t\"/organization/get-role\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\trequireHeaders: true,\n\t\t\tuse: [orgSessionMiddleware],\n\t\t\tquery: getOrgRoleQuerySchema,\n\t\t\tmetadata: {\n\t\t\t\t$Infer: {\n\t\t\t\t\tquery: {} as {\n\t\t\t\t\t\torganizationId?: string | undefined;\n\t\t\t\t\t\troleName?: string | undefined;\n\t\t\t\t\t\troleId?: string | undefined;\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, user } = ctx.context.session;\n\n\t\t\tconst organizationId =\n\t\t\t\tctx.query?.organizationId ?? session.activeOrganizationId;\n\t\t\tif (!organizationId) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The session is missing an active organization id to read a role. 
Either set an active org id, or pass an organizationId in the request query.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst member = await ctx.context.adapter.findOne<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!member) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not a member of the organization to read a role.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst canListRoles = await hasPermission(\n\t\t\t\t{\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tac: [\"read\"],\n\t\t\t\t\t},\n\t\t\t\t\trole: member.role,\n\t\t\t\t},\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (!canListRoles) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not permitted to read a role.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\trole: member.role,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_READ_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tlet condition: Where;\n\t\t\tif (ctx.query.roleName) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: \"role\",\n\t\t\t\t\tvalue: ctx.query.roleName,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: 
\"AND\",\n\t\t\t\t};\n\t\t\t} else if (ctx.query.roleId) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: ctx.query.roleId,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t};\n\t\t\t} else {\n\t\t\t\t// shouldn't be able to reach here given the schema validation.\n\t\t\t\t// But just in case, throw an error.\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id is not provided in the request query.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst role = await ctx.context.adapter.findOne<OrganizationRole>({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\tcondition,\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!role) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id does not exist in the database.`,\n\t\t\t\t\t{\n\t\t\t\t\t\t...(\"roleName\" in ctx.query\n\t\t\t\t\t\t\t? 
{ roleName: ctx.query.roleName }\n\t\t\t\t\t\t\t: { roleId: ctx.query.roleId }),\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\trole.permission = JSON.parse(role.permission as never as string);\n\n\t\t\treturn ctx.json(role as OrganizationRole & ReturnAdditionalFields);\n\t\t},\n\t);\n};\n\nconst roleNameOrIdSchema = z.union([\n\tz.object({\n\t\troleName: z.string().nonempty().meta({\n\t\t\tdescription: \"The name of the role to update\",\n\t\t}),\n\t}),\n\tz.object({\n\t\troleId: z.string().nonempty().meta({\n\t\t\tdescription: \"The id of the role to update\",\n\t\t}),\n\t}),\n]);\n\nexport const updateOrgRole = <O extends OrganizationOptions>(options: O) => {\n\tconst { additionalFieldsSchema, $AdditionalFields, $ReturnAdditionalFields } =\n\t\tgetAdditionalFields<O, true>(options, true);\n\ttype AdditionalFields = typeof $AdditionalFields;\n\ttype ReturnAdditionalFields = typeof $ReturnAdditionalFields;\n\n\treturn createAuthEndpoint(\n\t\t\"/organization/update-role\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: z\n\t\t\t\t.object({\n\t\t\t\t\torganizationId: z.string().optional().meta({\n\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\"The id of the organization to update the role in. 
If not provided, the user's active organization will be used.\",\n\t\t\t\t\t}),\n\t\t\t\t\tdata: z.object({\n\t\t\t\t\t\tpermission: z\n\t\t\t\t\t\t\t.record(z.string(), z.array(z.string()))\n\t\t\t\t\t\t\t.optional()\n\t\t\t\t\t\t\t.meta({\n\t\t\t\t\t\t\t\tdescription: \"The permission to update the role with\",\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\troleName: z.string().optional().meta({\n\t\t\t\t\t\t\tdescription: \"The name of the role to update\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\t...additionalFieldsSchema.shape,\n\t\t\t\t\t}),\n\t\t\t\t})\n\t\t\t\t.and(roleNameOrIdSchema),\n\t\t\tmetadata: {\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as {\n\t\t\t\t\t\torganizationId?: string | undefined;\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tpermission?: Record<string, string[]> | undefined;\n\t\t\t\t\t\t\troleName?: string | undefined;\n\t\t\t\t\t\t} & AdditionalFields;\n\t\t\t\t\t\troleName?: string | undefined;\n\t\t\t\t\t\troleId?: string | undefined;\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\trequireHeaders: true,\n\t\t\tuse: [orgSessionMiddleware],\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, user } = ctx.context.session;\n\n\t\t\tconst ac = options.ac;\n\t\t\tif (!ac) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The organization plugin is missing a pre-defined ac instance.`,\n\t\t\t\t\t`\\nPlease refer to the documentation here: https://better-auth.com/docs/plugins/organization#dynamic-access-control`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"NOT_IMPLEMENTED\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.MISSING_AC_INSTANCE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst organizationId =\n\t\t\t\tctx.body.organizationId ?? session.activeOrganizationId;\n\t\t\tif (!organizationId) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The session is missing an active organization id to update a role. 
Either set an active org id, or pass an organizationId in the request body.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.NO_ACTIVE_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst member = await ctx.context.adapter.findOne<Member>({\n\t\t\t\tmodel: \"member\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!member) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not a member of the organization to update a role.`,\n\t\t\t\t\t{\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst canUpdateRole = await hasPermission(\n\t\t\t\t{\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\trole: member.role,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tac: [\"update\"],\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (!canUpdateRole) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The user is not permitted to update a role.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_A_ROLE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tlet condition: Where;\n\t\t\tif (ctx.body.roleName) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: \"role\",\n\t\t\t\t\tvalue: ctx.body.roleName,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t};\n\t\t\t} else if (ctx.body.roleId) {\n\t\t\t\tcondition = {\n\t\t\t\t\tfield: 
\"id\",\n\t\t\t\t\tvalue: ctx.body.roleId,\n\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t};\n\t\t\t} else {\n\t\t\t\t// shouldn't be able to reach here given the schema validation.\n\t\t\t\t// But just in case, throw an error.\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id is not provided in the request body.`,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst role = await ctx.context.adapter.findOne<OrganizationRole>({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\tcondition,\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!role) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t`[Dynamic Access Control] The role name/id does not exist in the database.`,\n\t\t\t\t\t{\n\t\t\t\t\t\t...(\"roleName\" in ctx.body\n\t\t\t\t\t\t\t? { roleName: ctx.body.roleName }\n\t\t\t\t\t\t\t: { roleId: ctx.body.roleId }),\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\trole.permission = role.permission\n\t\t\t\t? 
JSON.parse(role.permission as never as string)\n\t\t\t\t: undefined;\n\n\t\t\tconst {\n\t\t\t\tpermission: _,\n\t\t\t\troleName: __,\n\t\t\t\t...additionalFields\n\t\t\t} = ctx.body.data;\n\n\t\t\tconst updateData: Partial<OrganizationRole> = {\n\t\t\t\t...additionalFields,\n\t\t\t};\n\n\t\t\tif (ctx.body.data.permission) {\n\t\t\t\tconst newPermission = ctx.body.data.permission;\n\n\t\t\t\tawait checkForInvalidResources({ ac, ctx, permission: newPermission });\n\n\t\t\t\tawait checkIfMemberHasPermission({\n\t\t\t\t\tctx,\n\t\t\t\t\tmember,\n\t\t\t\t\toptions,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tpermissionRequired: newPermission,\n\t\t\t\t\tuser,\n\t\t\t\t\taction: \"update\",\n\t\t\t\t});\n\n\t\t\t\tupdateData.permission = newPermission;\n\t\t\t}\n\t\t\tif (ctx.body.data.roleName) {\n\t\t\t\tlet newRoleName = ctx.body.data.roleName;\n\n\t\t\t\tnewRoleName = normalizeRoleName(newRoleName);\n\n\t\t\t\tawait checkIfRoleNameIsTakenByPreDefinedRole({\n\t\t\t\t\trole: newRoleName,\n\t\t\t\t\torganizationId,\n\t\t\t\t\toptions,\n\t\t\t\t\tctx,\n\t\t\t\t});\n\t\t\t\tawait checkIfRoleNameIsTakenByRoleInDB({\n\t\t\t\t\trole: newRoleName,\n\t\t\t\t\torganizationId,\n\t\t\t\t\tctx,\n\t\t\t\t});\n\n\t\t\t\tupdateData.role = newRoleName;\n\t\t\t}\n\n\t\t\t// -----\n\t\t\t// Apply the updates\n\t\t\tconst update = {\n\t\t\t\t...updateData,\n\t\t\t\t...(updateData.permission\n\t\t\t\t\t? 
{ permission: JSON.stringify(updateData.permission) }\n\t\t\t\t\t: {}),\n\t\t\t};\n\t\t\tawait ctx.context.adapter.update<OrganizationRole>({\n\t\t\t\tmodel: \"organizationRole\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"organizationId\",\n\t\t\t\t\t\tvalue: organizationId,\n\t\t\t\t\t\toperator: \"eq\",\n\t\t\t\t\t\tconnector: \"AND\",\n\t\t\t\t\t},\n\t\t\t\t\tcondition,\n\t\t\t\t],\n\t\t\t\tupdate,\n\t\t\t});\n\n\t\t\t// -----\n\t\t\t// Return the updated role\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t\troleData: {\n\t\t\t\t\t...role,\n\t\t\t\t\t...update,\n\t\t\t\t\tpermission: updateData.permission || role.permission || null,\n\t\t\t\t} as OrganizationRole & ReturnAdditionalFields,\n\t\t\t});\n\t\t},\n\t);\n};\n\nasync function checkForInvalidResources({\n\tac,\n\tctx,\n\tpermission,\n}: {\n\tac: AccessControl;\n\tctx: GenericEndpointContext;\n\tpermission: Record<string, string[]>;\n}) {\n\tconst validResources = Object.keys(ac.statements);\n\tconst providedResources = Object.keys(permission);\n\tconst hasInvalidResource = providedResources.some(\n\t\t(r) => !validResources.includes(r),\n\t);\n\tif (hasInvalidResource) {\n\t\tctx.context.logger.error(\n\t\t\t`[Dynamic Access Control] The provided permission includes an invalid resource.`,\n\t\t\t{\n\t\t\t\tprovidedResources,\n\t\t\t\tvalidResources,\n\t\t\t},\n\t\t);\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: ORGANIZATION_ERROR_CODES.INVALID_RESOURCE,\n\t\t});\n\t}\n}\n\nasync function checkIfMemberHasPermission({\n\tctx,\n\tpermissionRequired: permission,\n\toptions,\n\torganizationId,\n\tmember,\n\tuser,\n\taction,\n}: {\n\tctx: GenericEndpointContext;\n\tpermissionRequired: Record<string, string[]>;\n\toptions: OrganizationOptions;\n\torganizationId: string;\n\tmember: Member;\n\tuser: User;\n\taction: \"create\" | \"update\" | \"delete\" | \"read\" | \"list\" | \"get\";\n}) {\n\tconst hasNecessaryPermissions: {\n\t\tresource: { [x: string]: string[] 
};\n\t\thasPermission: boolean;\n\t}[] = [];\n\tconst permissionEntries = Object.entries(permission);\n\tfor await (const [resource, permissions] of permissionEntries) {\n\t\tfor await (const perm of permissions) {\n\t\t\thasNecessaryPermissions.push({\n\t\t\t\tresource: { [resource]: [perm] },\n\t\t\t\thasPermission: await hasPermission(\n\t\t\t\t\t{\n\t\t\t\t\t\toptions,\n\t\t\t\t\t\torganizationId,\n\t\t\t\t\t\tpermissions: { [resource]: [perm] },\n\t\t\t\t\t\tuseMemoryCache: true,\n\t\t\t\t\t\trole: member.role,\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t});\n\t\t}\n\t}\n\tconst missingPermissions = hasNecessaryPermissions\n\t\t.filter((x) => x.hasPermission === false)\n\t\t.map((x) => {\n\t\t\tconst key = Object.keys(x.resource)[0]!;\n\t\t\treturn `${key}:${x.resource[key]![0]}` as const;\n\t\t});\n\tif (missingPermissions.length > 0) {\n\t\tctx.context.logger.error(\n\t\t\t`[Dynamic Access Control] The user is missing permissions necessary to ${action} a role with those set of permissions.\\n`,\n\t\t\t{\n\t\t\t\tuserId: user.id,\n\t\t\t\torganizationId,\n\t\t\t\trole: member.role,\n\t\t\t\tmissingPermissions,\n\t\t\t},\n\t\t);\n\t\tlet errorMessage: string;\n\t\tif (action === \"create\")\n\t\t\terrorMessage =\n\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CREATE_A_ROLE;\n\t\telse if (action === \"update\")\n\t\t\terrorMessage =\n\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_A_ROLE;\n\t\telse if (action === \"delete\")\n\t\t\terrorMessage =\n\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_A_ROLE;\n\t\telse if (action === \"read\")\n\t\t\terrorMessage =\n\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_READ_A_ROLE;\n\t\telse if (action === \"list\")\n\t\t\terrorMessage =\n\t\t\t\tORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_LIST_A_ROLE;\n\t\telse\n\t\t\terrorMessage = ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_GET_A_ROLE;\n\n\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\tmessage: 
errorMessage,\n\t\t\tmissingPermissions,\n\t\t});\n\t}\n}\n\nasync function checkIfRoleNameIsTakenByPreDefinedRole({\n\toptions,\n\torganizationId,\n\trole,\n\tctx,\n}: {\n\toptions: OrganizationOptions;\n\torganizationId: string;\n\trole: string;\n\tctx: GenericEndpointContext;\n}) {\n\tconst defaultRoles = options.roles\n\t\t? Object.keys(options.roles)\n\t\t: [\"owner\", \"admin\", \"member\"];\n\tif (defaultRoles.includes(role)) {\n\t\tctx.context.logger.error(\n\t\t\t`[Dynamic Access Control] The role name \"${role}\" is already taken by a pre-defined role.`,\n\t\t\t{\n\t\t\t\trole,\n\t\t\t\torganizationId,\n\t\t\t\tdefaultRoles,\n\t\t\t},\n\t\t);\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: ORGANIZATION_ERROR_CODES.ROLE_NAME_IS_ALREADY_TAKEN,\n\t\t});\n\t}\n}\n\nasync function checkIfRoleNameIsTakenByRoleInDB({\n\torganizationId,\n\trole,\n\tctx,\n}: {\n\tctx: GenericEndpointContext;\n\torganizationId: string;\n\trole: string;\n}) {\n\tconst existingRoleInDB = await ctx.context.adapter.findOne<OrganizationRole>({\n\t\tmodel: \"organizationRole\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"organizationId\",\n\t\t\t\tvalue: organizationId,\n\t\t\t\toperator: \"eq\",\n\t\t\t\tconnector: \"AND\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tfield: \"role\",\n\t\t\t\tvalue: role,\n\t\t\t\toperator: \"eq\",\n\t\t\t\tconnector: \"AND\",\n\t\t\t},\n\t\t],\n\t});\n\tif (existingRoleInDB) {\n\t\tctx.context.logger.error(\n\t\t\t`[Dynamic Access Control] The role name \"${role}\" is already taken by a role in the database.`,\n\t\t\t{\n\t\t\t\trole,\n\t\t\t\torganizationId,\n\t\t\t},\n\t\t);\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: 
ORGANIZATION_ERROR_CODES.ROLE_NAME_IS_ALREADY_TAKEN,\n\t\t});\n\t}\n}\n"],"mappings":";;;;;;;;;;AAuBA,MAAM,qBAAqB,SAAiB,KAAK,aAAa;AAC9D,MAAM,yCAAyC,OAAO;AAEtD,MAAM,uBAIL,SACA,kBAA8B,UAC1B;CACJ,MAAM,mBACL,SAAS,QAAQ,kBAAkB,oBAAoB,EAAE;AAC1D,KAAI,gBACH,MAAK,MAAM,OAAO,iBACjB,kBAAiB,KAAM,WAAW;AAgBpC,QAAO;EACN,wBAd8B,YAAY;GAC1C,QAAQ;GACR,cAAc;GACd,CAAC;EAYD,mBAAmB,EAAE;EACrB,yBAAyB,EAAE;EAC3B;;AAGF,MAAM,0BAA0B,EAAE,OAAO;CACxC,gBAAgB,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAC1C,aACC,mHACD,CAAC;CACF,MAAM,EAAE,QAAQ,CAAC,KAAK,EACrB,aAAa,kCACb,CAAC;CACF,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,EAC1D,aAAa,wCACb,CAAC;CACF,CAAC;AAEF,MAAa,iBAAgD,YAAe;CAC3E,MAAM,EAAE,wBAAwB,mBAAmB,4BAClD,oBAAuB,SAAS,MAAM;AAIvC,QAAO,mBACN,6BACA;EACC,QAAQ;EACR,MAAM,wBAAwB,WAAW,EACxC,kBAAkB,EAChB,OAAO,EAAE,GAAG,uBAAuB,OAAO,CAAC,CAC3C,UAAU,EACZ,CAAC;EACF,UAAU,EACT,QAAQ,EACP,MAAM,EAAE,EAOR,EACD;EACD,gBAAgB;EAChB,KAAK,CAAC,qBAAqB;EAC3B,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,SAAS,SAAS,IAAI,QAAQ;EACtC,IAAI,WAAW,IAAI,KAAK;EACxB,MAAM,aAAa,IAAI,KAAK;EAC5B,MAAM,mBAAmB,IAAI,KAAK;EAElC,MAAM,KAAK,QAAQ;AACnB,MAAI,CAAC,IAAI;AACR,OAAI,QAAQ,OAAO,MAClB,0FACA,qHACA;AACD,SAAM,IAAI,SAAS,mBAAmB,EACrC,SAAS,yBAAyB,qBAClC,CAAC;;EAKH,MAAM,iBACL,IAAI,KAAK,kBAAkB,QAAQ;AACpC,MAAI,CAAC,gBAAgB;AACpB,OAAI,QAAQ,OAAO,MAClB,0KACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SACC,yBAAyB,iDAC1B,CAAC;;AAGH,aAAW,kBAAkB,SAAS;AAEtC,QAAM,uCAAuC;GAC5C,MAAM;GACN;GACA;GACA;GACA,CAAC;EAIF,MAAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,QAAgB;GACxD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO,KAAK;IACZ,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AACF,MAAI,CAAC,QAAQ;AACZ,OAAI,QAAQ,OAAO,MAClB,2FACA;IACC,QAAQ,KAAK;IACb;IACA,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,2CAC1B,CAAC;;AAcH,MAAI,CAXkB,MAAM,cAC3B;GACC;GACA;GACA,aAAa,EACZ,IAAI,CAAC,SAAS,EACd;GACD,MAAM,OAAO;GACb,EACD,IACA,EACmB;AACnB,OAAI,QAAQ,OAAO,MAClB,uMACA;IACC,QAAQ,KAAK;IACb;IACA,MAAM,OAAO;IACb,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,sCAC1B,CAAC;;EAGH,MAAM,8BA
CL,OAAO,QAAQ,sBAAsB,gCACrC,aACG,MAAM,QAAQ,qBAAqB,4BACnC,eACA,GACC,QAAQ,sBAAsB,+BAChC;EACH,MAAM,YAAY,MAAM,IAAI,QAAQ,QAAQ,MAAM;GACjD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AACF,MAAI,aAAa,6BAA6B;AAC7C,OAAI,QAAQ,OAAO,MAClB,uHAAuH,4BAA4B,IACnJ;IACC;IACA;IACA;IACA,CACD;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;AAGH,QAAM,yBAAyB;GAAE;GAAI;GAAK;GAAY,CAAC;AAEvD,QAAM,2BAA2B;GAChC;GACA;GACA;GACA;GACA,oBAAoB;GACpB;GACA,QAAQ;GACR,CAAC;AAEF,QAAM,iCAAiC;GACtC;GACA;GACA,MAAM;GACN,CAAC;EAEF,MAAM,UAAU,GAAG,QAAQ,WAAW;EAetC,MAAM,OAAO;GACZ,GAdmB,MAAM,IAAI,QAAQ,QAAQ,OAE5C;IACD,OAAO;IACP,MAAM;KACL,2BAAW,IAAI,MAAM;KACrB;KACA,YAAY,KAAK,UAAU,WAAW;KACtC,MAAM;KACN,GAAG;KACH;IACD,CAAC;GAID;GACA;AACD,SAAO,IAAI,KAAK;GACf,SAAS;GACT,UAAU;GACV,YAAY,QAAQ;GACpB,CAAC;GAEH;;AAGF,MAAM,0BAA0B,EAC9B,OAAO,EACP,gBAAgB,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAC1C,aACC,mHACD,CAAC,EACF,CAAC,CACD,IACA,EAAE,MAAM,CACP,EAAE,OAAO,EACR,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACpC,aAAa,kCACb,CAAC,EACF,CAAC,EACF,EAAE,OAAO,EACR,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAClC,aAAa,gCACb,CAAC,EACF,CAAC,CACF,CAAC,CACF;AAEF,MAAa,iBAAgD,YAAe;AAC3E,QAAO,mBACN,6BACA;EACC,QAAQ;EACR,MAAM;EACN,gBAAgB;EAChB,KAAK,CAAC,qBAAqB;EAC3B,UAAU,EACT,QAAQ,EACP,MAAM,EAAE,EAKR,EACD;EACD,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,SAAS,SAAS,IAAI,QAAQ;EAEtC,MAAM,iBACL,IAAI,KAAK,kBAAkB,QAAQ;AACpC,MAAI,CAAC,gBAAgB;AACpB,OAAI,QAAQ,OAAO,MAClB,0KACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,wBAClC,CAAC;;EAGH,MAAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,QAAgB;GACxD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO,KAAK;IACZ,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AACF,MAAI,CAAC,QAAQ;AACZ,OAAI,QAAQ,OAAO,MAClB,2FACA;IACC,QAAQ,KAAK;IACb;IACA,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,2CAC1B,CAAC;;AAcH,MAAI,CAXkB,MAAM,cAC3B;GACC;GACA;GACA,aAAa,EACZ,IAAI,CAAC,SAAS,EACd;GACD,MAAM,OAAO;GACb,EACD,IACA,EACmB;AACnB,OAAI,QAAQ,OAAO,MAClB,uMACA;IACC,QAAQ,KAAK;IACb;IACA,MAAM,OAAO;IACb,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B
,SACC,yBAAyB,sCAC1B,CAAC;;AAGH,MAAI,IAAI,KAAK,UAAU;GACtB,MAAM,WAAW,IAAI,KAAK;GAC1B,MAAM,eAAe,QAAQ,QAC1B,OAAO,KAAK,QAAQ,MAAM,GAC1B;IAAC;IAAS;IAAS;IAAS;AAC/B,OAAI,aAAa,SAAS,SAAS,EAAE;AACpC,QAAI,QAAQ,OAAO,MAClB,8DACA;KACC;KACA;KACA;KACA,CACD;AACD,UAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,kCAClC,CAAC;;;EAIJ,IAAIA;AACJ,MAAI,IAAI,KAAK,SACZ,aAAY;GACX,OAAO;GACP,OAAO,IAAI,KAAK;GAChB,UAAU;GACV,WAAW;GACX;WACS,IAAI,KAAK,OACnB,aAAY;GACX,OAAO;GACP,OAAO,IAAI,KAAK;GAChB,UAAU;GACV,WAAW;GACX;OACK;AAGN,OAAI,QAAQ,OAAO,MAClB,iFACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;EAEH,MAAM,mBACL,MAAM,IAAI,QAAQ,QAAQ,QAA0B;GACnD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD,UACA;GACD,CAAC;AACH,MAAI,CAAC,kBAAkB;AACtB,OAAI,QAAQ,OAAO,MAClB,6EACA;IACC,GAAI,cAAc,IAAI,OACnB,EAAE,UAAU,IAAI,KAAK,UAAU,GAC/B,EAAE,QAAQ,IAAI,KAAK,QAAQ;IAC9B;IACA,CACD;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;AAGH,mBAAiB,aAAa,KAAK,MAClC,iBAAiB,WACjB;EAGD,MAAM,eAAe,iBAAiB;AAqBtC,OApBgB,MAAM,IAAI,QAAQ,QAAQ,SAAiB;GAC1D,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,CACD;GACD,CAAC,EAC6B,MAAM,aAAW;AAE/C,UADoBC,SAAO,KAAK,MAAM,IAAI,CAAC,KAAK,MAAM,EAAE,MAAM,CAAC,CAC5C,SAAS,aAAa;IACxC,EACkB;AACnB,OAAI,QAAQ,OAAO,MAClB,8EACA;IACC,MAAM,iBAAiB;IACvB;IACA,CACD;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,6BAClC,CAAC;;AAGH,QAAM,IAAI,QAAQ,QAAQ,OAAO;GAChC,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD,UACA;GACD,CAAC;AAEF,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;GAEH;;AAGF,MAAM,0BAA0B,EAC9B,OAAO,EACP,gBAAgB,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAC1C,aACC,+GACD,CAAC,EACF,CAAC,CACD,UAAU;AAEZ,MAAa,gBAA+C,YAAe;CAC1E,MAAM,EAAE,4BAA4B,oBAAuB,SAAS,MAAM;AAG1E,QAAO,mBACN,4BACA;EACC,QAAQ;EACR,gBAAgB;EAChB,KAAK,CAAC,qBAAqB;EAC3B,OAAO;EACP,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,SAAS,SAAS,IAAI,QAAQ;EAEtC,MAAM,iBACL,IAAI,OAAO,kBAAkB,QAAQ;AACtC,MAAI,CAAC,gBAAgB;AACpB,OAAI,QAAQ,OAAO,MAClB,wKACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,wBAClC,CAAC;;EAGH,M
AAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,QAAgB;GACxD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO,KAAK;IACZ,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AACF,MAAI,CAAC,QAAQ;AACZ,OAAI,QAAQ,OAAO,MAClB,wFACA;IACC,QAAQ,KAAK;IACb;IACA,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,2CAC1B,CAAC;;AAcH,MAAI,CAXiB,MAAM,cAC1B;GACC;GACA;GACA,aAAa,EACZ,IAAI,CAAC,OAAO,EACZ;GACD,MAAM,OAAO;GACb,EACD,IACA,EACkB;AAClB,OAAI,QAAQ,OAAO,MAClB,qEACA;IACC,QAAQ,KAAK;IACb;IACA,MAAM,OAAO;IACb,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,yBAAyB,oCAClC,CAAC;;EAGH,IAAI,QAAQ,MAAM,IAAI,QAAQ,QAAQ,SAEpC;GACD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AAEF,UAAQ,MAAM,KAAK,OAAO;GACzB,GAAG;GACH,YAAY,KAAK,MAAM,EAAE,WAA8B;GACvD,EAAE;AAEH,SAAO,IAAI,KAAK,MAAM;GAEvB;;AAGF,MAAM,wBAAwB,EAC5B,OAAO,EACP,gBAAgB,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAC1C,aACC,gHACD,CAAC,EACF,CAAC,CACD,IACA,EAAE,MAAM,CACP,EAAE,OAAO,EACR,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACpC,aAAa,gCACb,CAAC,EACF,CAAC,EACF,EAAE,OAAO,EACR,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAClC,aAAa,8BACb,CAAC,EACF,CAAC,CACF,CAAC,CACF,CACA,UAAU;AAEZ,MAAa,cAA6C,YAAe;CACxE,MAAM,EAAE,4BAA4B,oBAAuB,SAAS,MAAM;AAE1E,QAAO,mBACN,0BACA;EACC,QAAQ;EACR,gBAAgB;EAChB,KAAK,CAAC,qBAAqB;EAC3B,OAAO;EACP,UAAU,EACT,QAAQ,EACP,OAAO,EAAE,EAKT,EACD;EACD,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,SAAS,SAAS,IAAI,QAAQ;EAEtC,MAAM,iBACL,IAAI,OAAO,kBAAkB,QAAQ;AACtC,MAAI,CAAC,gBAAgB;AACpB,OAAI,QAAQ,OAAO,MAClB,yKACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,wBAClC,CAAC;;EAGH,MAAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,QAAgB;GACxD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO,KAAK;IACZ,UAAU;IACV,WAAW;IACX,CACD;GACD,CAAC;AACF,MAAI,CAAC,QAAQ;AACZ,OAAI,QAAQ,OAAO,MAClB,yFACA;IACC,QAAQ,KAAK;IACb;IACA,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,2CAC1B,CAAC;;AAcH,MAAI,CAXiB,MAAM,cAC1B;GACC;GACA;GACA,aAAa,EACZ,IAAI,CAAC,OAAO,EACZ;GACD,MAAM,OAAO;GACb,EACD,IACA,EACkB;AAClB,OAAI,QAAQ,OAAO,MAClB,sEACA;IACC,QAAQ,KAAK;IACb;IACA,MAAM,OAAO;
IACb,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,yBAAyB,oCAClC,CAAC;;EAGH,IAAID;AACJ,MAAI,IAAI,MAAM,SACb,aAAY;GACX,OAAO;GACP,OAAO,IAAI,MAAM;GACjB,UAAU;GACV,WAAW;GACX;WACS,IAAI,MAAM,OACpB,aAAY;GACX,OAAO;GACP,OAAO,IAAI,MAAM;GACjB,UAAU;GACV,WAAW;GACX;OACK;AAGN,OAAI,QAAQ,OAAO,MAClB,kFACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;EAEH,MAAM,OAAO,MAAM,IAAI,QAAQ,QAAQ,QAA0B;GAChE,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD,UACA;GACD,CAAC;AACF,MAAI,CAAC,MAAM;AACV,OAAI,QAAQ,OAAO,MAClB,6EACA;IACC,GAAI,cAAc,IAAI,QACnB,EAAE,UAAU,IAAI,MAAM,UAAU,GAChC,EAAE,QAAQ,IAAI,MAAM,QAAQ;IAC/B;IACA,CACD;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;AAGH,OAAK,aAAa,KAAK,MAAM,KAAK,WAA8B;AAEhE,SAAO,IAAI,KAAK,KAAkD;GAEnE;;AAGF,MAAM,qBAAqB,EAAE,MAAM,CAClC,EAAE,OAAO,EACR,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACpC,aAAa,kCACb,CAAC,EACF,CAAC,EACF,EAAE,OAAO,EACR,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAClC,aAAa,gCACb,CAAC,EACF,CAAC,CACF,CAAC;AAEF,MAAa,iBAAgD,YAAe;CAC3E,MAAM,EAAE,wBAAwB,mBAAmB,4BAClD,oBAA6B,SAAS,KAAK;AAI5C,QAAO,mBACN,6BACA;EACC,QAAQ;EACR,MAAM,EACJ,OAAO;GACP,gBAAgB,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EAC1C,aACC,mHACD,CAAC;GACF,MAAM,EAAE,OAAO;IACd,YAAY,EACV,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CACvC,UAAU,CACV,KAAK,EACL,aAAa,0CACb,CAAC;IACH,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACpC,aAAa,kCACb,CAAC;IACF,GAAG,uBAAuB;IAC1B,CAAC;GACF,CAAC,CACD,IAAI,mBAAmB;EACzB,UAAU,EACT,QAAQ,EACP,MAAM,EAAE,EASR,EACD;EACD,gBAAgB;EAChB,KAAK,CAAC,qBAAqB;EAC3B,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,SAAS,SAAS,IAAI,QAAQ;EAEtC,MAAM,KAAK,QAAQ;AACnB,MAAI,CAAC,IAAI;AACR,OAAI,QAAQ,OAAO,MAClB,0FACA,qHACA;AACD,SAAM,IAAI,SAAS,mBAAmB,EACrC,SAAS,yBAAyB,qBAClC,CAAC;;EAGH,MAAM,iBACL,IAAI,KAAK,kBAAkB,QAAQ;AACpC,MAAI,CAAC,gBAAgB;AACpB,OAAI,QAAQ,OAAO,MAClB,0KACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,wBAClC,CAAC;;EAGH,MAAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,QAAgB;GACxD,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD;IACC,OAAO;IACP,OAAO,KAAK;IACZ,UAAU;IACV,WAAW;IACX,CACD;GACD,CAA
C;AACF,MAAI,CAAC,QAAQ;AACZ,OAAI,QAAQ,OAAO,MAClB,2FACA;IACC,QAAQ,KAAK;IACb;IACA,CACD;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,2CAC1B,CAAC;;AAcH,MAAI,CAXkB,MAAM,cAC3B;GACC;GACA;GACA,MAAM,OAAO;GACb,aAAa,EACZ,IAAI,CAAC,SAAS,EACd;GACD,EACD,IACA,EACmB;AACnB,OAAI,QAAQ,OAAO,MAClB,uEACA;AACD,SAAM,IAAI,SAAS,aAAa,EAC/B,SACC,yBAAyB,sCAC1B,CAAC;;EAGH,IAAIA;AACJ,MAAI,IAAI,KAAK,SACZ,aAAY;GACX,OAAO;GACP,OAAO,IAAI,KAAK;GAChB,UAAU;GACV,WAAW;GACX;WACS,IAAI,KAAK,OACnB,aAAY;GACX,OAAO;GACP,OAAO,IAAI,KAAK;GAChB,UAAU;GACV,WAAW;GACX;OACK;AAGN,OAAI,QAAQ,OAAO,MAClB,iFACA;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;EAEH,MAAM,OAAO,MAAM,IAAI,QAAQ,QAAQ,QAA0B;GAChE,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,UAAU;IACV,WAAW;IACX,EACD,UACA;GACD,CAAC;AACF,MAAI,CAAC,MAAM;AACV,OAAI,QAAQ,OAAO,MAClB,6EACA;IACC,GAAI,cAAc,IAAI,OACnB,EAAE,UAAU,IAAI,KAAK,UAAU,GAC/B,EAAE,QAAQ,IAAI,KAAK,QAAQ;IAC9B;IACA,CACD;AACD,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,yBAAyB,gBAClC,CAAC;;AAEH,OAAK,aAAa,KAAK,aACpB,KAAK,MAAM,KAAK,WAA8B,GAC9C;EAEH,MAAM,EACL,YAAY,GACZ,UAAU,IACV,GAAG,qBACA,IAAI,K