UNPKG

sanity

Version:

Sanity is a real-time content infrastructure with a scalable, hosted backend featuring a Graph Oriented Query Language (GROQ), asset pipelines and fast edge caches

www.sanity.io

sanity-io/sanity

143 lines (122 loc) 4.61 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
import {type SanityClient} from '@sanity/client' import {type CurrentUser, type SanityDocument} from '@sanity/types' import {evaluate, parse} from 'groq-js' import {defer, of} from 'rxjs' import {distinctUntilChanged, publishReplay, switchMap} from 'rxjs/operators' import {refCountDelay} from 'rxjs-etc/operators' import shallowEquals from 'shallow-equals' import {debugGrants$} from './debug' import { type DocumentValuePermission, type EvaluationParams, type Grant, type GrantsStore, type PermissionCheckResult, } from './types' async function getDatasetGrants( client: SanityClient, projectId: string, dataset: string, ): Promise<Grant[]> { // `acl` stands for access control list and returns a list of grants const grants: Grant[] = await client.request({ uri: `/projects/${projectId}/datasets/${dataset}/acl`, tag: 'acl.get', withCredentials: true, }) return grants } function getParams(userId: string | null): EvaluationParams { const params: EvaluationParams = {} if (userId !== null) { params.identity = userId } return params } const PARSED_FILTERS_MEMO = new Map() async function matchesFilter(userId: string | null, filter: string, document: SanityDocument) { if (!PARSED_FILTERS_MEMO.has(filter)) { // note: it might be tempting to also memoize the result of the evaluation here, // Currently these filters are typically evaluated whenever a document change, which means they will be evaluated // quite frequently with different versions of the document. There might be some gains in finding out which subset of document // properties to use as key (e.g. by looking at the parsed filter and see what properties the filter cares about) // But as always, it's worth considering if the complexity/memory usage is worth the potential perf gain… PARSED_FILTERS_MEMO.set(filter, parse(`*[${filter}]`)) } const parsed = PARSED_FILTERS_MEMO.get(filter) const evalParams = getParams(userId) const {identity} = evalParams const params: Record<string, unknown> = {...evalParams} const data = await (await evaluate(parsed, {dataset: [document], identity, params})).get() return data?.length === 1 } interface GrantsStoreOptionsCurrentUser { client: SanityClient /** * @deprecated The `currentUser` option is deprecated. Use `userId` instead. */ currentUser: CurrentUser | null } interface GrantsStoreOptionsUserId { client: SanityClient userId: string | null } /** @internal */ export type GrantsStoreOptions = GrantsStoreOptionsCurrentUser | GrantsStoreOptionsUserId /** @internal */ export function createGrantsStore(opts: GrantsStoreOptions): GrantsStore { const {client} = opts const versionedClient = client.withConfig({apiVersion: '2021-06-07'}) const userId = 'userId' in opts ? opts.userId : opts?.currentUser?.id || null const datasetGrants$ = defer(() => of(versionedClient.config())).pipe( switchMap(({projectId, dataset}) => { if (!projectId || !dataset) { throw new Error('Missing projectId or dataset') } return getDatasetGrants(versionedClient, projectId, dataset) }), ) const currentUserDatasetGrants = debugGrants$.pipe( switchMap((debugGrants) => (debugGrants ? of(debugGrants) : datasetGrants$)), publishReplay(1), refCountDelay(1000), ) return { checkDocumentPermission(permission: DocumentValuePermission, document: SanityDocument) { return currentUserDatasetGrants.pipe( switchMap((grants) => grantsPermissionOn(userId, grants, permission, document)), distinctUntilChanged(shallowEquals), ) }, } } /** * @internal * Takes a grants object, a permission and a document * checks whether the permission is granted for the given document */ export async function grantsPermissionOn( userId: string | null, grants: Grant[], permission: DocumentValuePermission, document: SanityDocument | null, ): Promise<PermissionCheckResult> { if (!document) { // we say it's granted if null due to initial states return {granted: true, reason: 'Null document, nothing to check'} } if (!grants.length) { return {granted: false, reason: 'No document grants'} } const matchingGrants: Grant[] = [] for (const grant of grants) { if (await matchesFilter(userId, grant.filter, document)) { matchingGrants.push(grant) } } const foundMatch = matchingGrants.some((grant) => grant.permissions.some((p) => p === permission)) return { granted: foundMatch, reason: foundMatch ? `Matching grant` : `No matching grants found`, } }