UNPKG

payload-gatekeeper

Version:

The ultimate access control gatekeeper for Payload CMS v3 - Advanced RBAC with wildcard support, auto role assignment, and flexible configuration

github.com/sSeewald/payload-gatekeeper

sSeewald/payload-gatekeeper

153 lines 6.08 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
import { PERMISSIONS } from '../constants'; import { getRolesSlug } from './getRolesSlug'; // Regex cache for compiled patterns - safe for multi-instance as patterns don't change const regexCache = new Map(); const MAX_REGEX_CACHE_SIZE = 100; /** * Get or create cached regex for permission pattern */ const getPermissionRegex = (pattern) => { let regex = regexCache.get(pattern); if (!regex) { const regexPattern = pattern .replace(/\./g, '\\.') // Escape dots .replace(/\*/g, '.*'); // Convert * to .* regex = new RegExp(`^${regexPattern}$`); // Limit cache size to prevent memory issues if (regexCache.size < MAX_REGEX_CACHE_SIZE) { regexCache.set(pattern, regex); } } return regex; }; /** * Check if user has required permission * Supports wildcards and pattern matching * Optimized for performance with early returns */ export const hasPermission = (userPermissions, requiredPermission) => { // Early return for invalid input if (!userPermissions?.length) { return false; } // Most common case: Super admin check if (userPermissions.includes(PERMISSIONS.ALL)) { return true; } // Second most common: Exact permission match if (userPermissions.includes(requiredPermission)) { return true; } // Optimized wildcard checking for (const permission of userPermissions) { // Skip non-wildcard permissions (already checked above) if (!permission.includes('*')) { continue; } // Fast check for common "collection.*" pattern (but only if it's the last segment) if (permission.endsWith('.*') && permission.indexOf('*') === permission.length - 1) { const prefix = permission.slice(0, -1); // Remove the asterisk if (requiredPermission.startsWith(prefix)) { return true; } continue; } // All other wildcard patterns (including multiple wildcards, use regex) if (getPermissionRegex(permission).test(requiredPermission)) { return true; } } return false; }; /** * Check if a permission is covered by user permissions * Handles wildcards like 'users.*' covering 'users.read' * Optimized version using early returns and cached regex */ export const isPermissionCovered = (permission, userPermissions) => { // Early return for empty permissions if (!userPermissions.length) return false; // Use optimized hasPermission function which already handles all cases efficiently return hasPermission(userPermissions, permission); }; /** * Check if user can assign a specific role * Based on permission subset check and protected flag */ export const canAssignRole = (userPermissions, targetRole) => { // Protected roles need * permission if (targetRole.protected && !userPermissions.includes('*')) { return false; } // Check if all target permissions are covered by user permissions const targetPermissions = targetRole.permissions || []; return targetPermissions.every((perm) => isPermissionCovered(perm, userPermissions)); }; /** * Helper function for access control checks * Supports string ID, number ID, populated role object, null, and undefined * Note: With afterRead hook, role should usually be populated already */ export const checkPermission = async (payload, // eslint-disable-next-line @typescript-eslint/no-explicit-any userRole, permission, userId, options) => { try { // Special case: First user (ID 1) always has all permissions // This handles the case where the first user is created without a role if (userId && (userId === 1 || userId === '1')) { return true; } // Public user (no userId and no role) - use public role permissions if (!userId && !userRole) { // Check if public role is disabled if (options?.disablePublicRole) { return false; } // Get public permissions (custom or default) const publicPermissions = options?.publicRolePermissions || ['*.read']; // Check permission against public permissions return hasPermission(publicPermissions, permission); } // No role = no permissions (except for first user and public) // Allow role ID 0 but not null/undefined if (userRole === null || userRole === undefined) { return false; } // Get role details based on type let role = null; if (typeof userRole === 'object') { // Role is already populated (should be the normal case with authenticate hook) role = userRole; } else if (typeof userRole === 'string' || typeof userRole === 'number') { // Role is an ID - this is a fallback for cases where authenticate hook didn't run // (e.g., during seeding, migrations, or direct API calls) const roleId = String(userRole); // Convert number to string for findByID try { role = await payload.findByID({ collection: getRolesSlug(), id: roleId, depth: 0, // Don't need nested data }); } catch (err) { // Role not found or error loading console.warn(`Could not load role ${roleId}:`, err); return false; } } // Check if role exists and is active if (!role || (typeof role === 'object' && 'active' in role && !role.active)) { return false; } // Check permissions const permissions = typeof role === 'object' && 'permissions' in role ? role.permissions : []; return hasPermission(permissions, permission); } catch (error) { console.error('Permission check error:', error); return false; } }; //# sourceMappingURL=checkPermission.js.map