fix(dash/team): 🛂 Update edit permissions to use shared perms instead of sso perms

Nudelsuppe42 · Nudelsuppe42 · commit 1175ab177438 · 2025-11-19T20:01:38.000+01:00
diff --git a/apps/dashboard/src/actions/getUser.ts b/apps/dashboard/src/actions/getUser.ts
@@ -1,25 +1,46 @@
-import { User } from '@/types/User';
 import { getSession } from '@/util/auth';
-import { authedFetcher } from '@/util/data';
 import prisma from '@/util/db';
+import { cache } from 'react';
 
 export const getUser = async () => {
 	const session = await getSession();
 	if (!session) throw Error('No session found');
 
-	const user = await prisma.user.findFirst({
-		where: { ssoId: session.user.id },
-		select: {
-			id: true,
-			ssoId: true,
-			username: true,
-			discordId: true,
-			minecraft: true,
-			avatar: true,
-		},
-	});
+	const user = await cache(
+		async (id: string) =>
+			await prisma.user.findFirst({
+				where: { ssoId: id },
+				select: {
+					id: true,
+					ssoId: true,
+					username: true,
+					discordId: true,
+					minecraft: true,
+					avatar: true,
+				},
+			}),
+	)(session.user.id);
 
 	if (!user) throw Error('User not found');
 
-	return user;
+	return user!;
 };
+
+export const getUserPermissions = cache(async (ssoId?: string) => {
+	if (!ssoId) {
+		const session = await getSession();
+		if (!session) throw Error('No session found');
+		ssoId = session.user.id;
+	}
+
+	const permissions = await prisma.userPermission.findMany({
+		where: {
+			user: { ssoId },
+		},
+		include: {
+			permission: true,
+			buildTeam: { select: { id: true, slug: true, name: true } },
+		},
+	});
+	return permissions;
+});
diff --git a/apps/dashboard/src/app/(sideNavbar)/team/[slug]/edit/page.tsx b/apps/dashboard/src/app/(sideNavbar)/team/[slug]/edit/page.tsx
@@ -45,7 +45,7 @@ export default async function Page({ params }: { params: Promise<{ slug: string
 	const ownerGenerateTokenAction = ownerGenerateToken.bind(null, { userId: user.id, id: team.id });
 
 	return (
-		<Protection requiredRole="get-teams">
+		<Protection requiredBuildTeam={{ permission: 'team.settings.edit', slug: 'de' }}>
 			<ContentWrapper maw="90vw">
 				<SaveNotification />
 				<form action={userEditTeamInfo}>
diff --git a/apps/dashboard/src/components/Protection.tsx b/apps/dashboard/src/components/Protection.tsx
@@ -3,16 +3,71 @@ import { getSession, hasRole } from '@/util/auth';
 
 import ErrorDisplay from './core/ErrorDisplay';
 
+import { getUserPermissions } from '@/actions/getUser';
+import { Permisision } from '@repo/db';
 import type { JSX } from 'react';
 
-export async function Protection({ children, requiredRole }: { children: JSX.Element; requiredRole: string }) {
-	const session = await getSession();
+export async function Protection(
+	props:
+		| { children: JSX.Element; requiredRole: string }
+		| {
+				children: JSX.Element;
+				requiredBuildTeam: ({ id: string } | { slug: string }) & { permission: Permisision['id'] };
+		  },
+) {
+	if ('requiredRole' in props) {
+		const session = await getSession();
 
-	if (!hasRole(session, requiredRole)) {
-		return (
-			<ErrorDisplay message="The Page you are trying to open requires special permissions. You are not authorized to view it. If you think this is a mistake please contact us." />
-		);
+		if (!hasRole(session, props.requiredRole)) {
+			return (
+				<ErrorDisplay message="The Page you are trying to open requires special permissions. You are not authorized to view it. If you think this is a mistake please contact us." />
+			);
+		}
+
+		return props.children;
+	}
+
+	if ('requiredBuildTeam' in props && props.requiredBuildTeam) {
+		const permissions = await getUserPermissions();
+
+		const hasPermission = permissions.some((perm) => {
+			// 1. user has global permission (no buildteam referenced)
+			if (props.requiredBuildTeam.permission === perm.permission.id && !perm.buildTeam) {
+				return true;
+			}
+			// 2. user has permission for buildteam with id
+			if (
+				'id' in props.requiredBuildTeam &&
+				perm.buildTeam &&
+				props.requiredBuildTeam.permission === perm.permission.id &&
+				props.requiredBuildTeam.id === perm.buildTeam.id
+			) {
+				return true;
+			}
+			// 3. user has permission for buildteam with slug
+			if (
+				'slug' in props.requiredBuildTeam &&
+				perm.buildTeam &&
+				props.requiredBuildTeam.permission === perm.permission.id &&
+				props.requiredBuildTeam.slug === perm.buildTeam.slug
+			) {
+				return true;
+			}
+		});
+
+		if (!hasPermission) {
+			return (
+				<ErrorDisplay message="The Page you are trying to open requires special permissions. You are not authorized to view it. If you think this is a mistake please contact us." />
+			);
+		}
+
+		return props.children;
 	}
 
-	return children;
+	return (
+		<ErrorDisplay
+			message="There was an error computing your permissions to access this page. Please reload the page and message us."
+			showBackButton
+		/>
+	);
 }
