quotas definitions.ts

62.28% Statements 71/114
82.35% Branches 14/17
87.5% Functions 14/16
62.28% Lines 71/114
Press n or j to go to the next uncovered block, b, p or k for the previous block.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115 1x
1x
1x
1x
1x
1x
1x
1x
1x
1x
1x
135x
135x
1x
1x
1x
45x
1x
1x
1x
28x
1x
1x
1x
50x
50x
2x
2x
2x
 
 
 
 
 
 
 
 
 
 
 
 
50x
50x
50x
50x
50x
50x
2x
2x
2x
2x
2x
 
 
 
 
 
 
 
 
 
50x
1x
1x
1x
43x
43x
2x
2x
2x
 
 
 
 
 
 
 
 
 
 
 
 
43x
43x
43x
1x
1x
1x
 
 
 
 
 
 
 
 
 
 
1x
1x
1x
64x
64x
64x
64x
1x
1x
1x
1x
1x
1x
1x
1x
1x
  import { VariableType } from '@amalia/amalia-lang/tokens/types';
import { assert } from '@amalia/ext/typescript';
 
import { SubsetAccessEnum } from '../../subsets/enums';
import { SubjectsEnum, type DefinePermissions, type UserRoleForAccessControl } from '../../types';
 
import { QuotasActions } from './actions';
import { type AssignValuesQuotaSubject, type ViewQuotaSubject } from './subjects';
 
export const quotasAbilityDefinitions = {
  ADMIN(_, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, { predicate: () => true, subset: SubsetAccessEnum.EVERYTHING });
    can(QuotasActions.assign_values, SubjectsEnum.Quota);
  },
 
  READ_ONLY_ADMIN(_, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, { predicate: () => true, subset: SubsetAccessEnum.EVERYTHING });
  },
 
  FINANCE(_, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, { predicate: () => true, subset: SubsetAccessEnum.EVERYTHING });
  },
 
  MANAGER({ user, hierarchy }, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, {
      predicate: ({ quotaType, userId, teamId, date }: ViewQuotaSubject) => {
        if (quotaType === VariableType.user) {
          return userId && (userId === user.id || hierarchy.isManagerOf(userId, date ?? new Date()));
        }

        if (quotaType === VariableType.team) {
          return (
            teamId &&
            // Either you're a direct member of this team (like any regular employee).
            (hierarchy.isTeamMember(teamId, date ?? new Date()) ||
              // Or you manage it, either directly or from a higher hierarchy level.
              hierarchy.isTeamManager(teamId, date ?? new Date()))
          );
        }

        return false;
      },
      subset: SubsetAccessEnum.MATCH_TEAMS_AND_MANAGEES,
    });
 
    can(QuotasActions.assign_values, SubjectsEnum.Quota, {
      predicate: ({ quotaType, userId, teamId, date }: AssignValuesQuotaSubject) => {
        if (quotaType === VariableType.user) {
          // Quota type should be discriminating but it's not so the subject cannot be either.
          assert(userId, 'User ID missing');
          return hierarchy.isManagerOf(userId, date ?? new Date());
        }

        if (quotaType === VariableType.team) {
          // Quota type should be discriminating but it's not so the subject cannot be either.
          assert(teamId, 'Team ID missing');
          return hierarchy.isTeamManager(teamId, date ?? new Date());
        }

        return false;
      },
    });
  },
 
  READ_ONLY_MANAGER({ user, hierarchy }, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, {
      predicate: ({ quotaType, userId, teamId, date }: ViewQuotaSubject) => {
        if (quotaType === VariableType.user) {
          return userId && (userId === user.id || hierarchy.isManagerOf(userId, date ?? new Date()));
        }

        if (quotaType === VariableType.team) {
          return (
            teamId &&
            // Either you're a direct member of this team (like any regular employee).
            (hierarchy.isTeamMember(teamId, date ?? new Date()) ||
              // Or you manage it, either directly or from a higher hierarchy level.
              hierarchy.isTeamManager(teamId, date ?? new Date()))
          );
        }

        return false;
      },
      subset: SubsetAccessEnum.MATCH_TEAMS_AND_MANAGEES,
    });
  },
 
  SCOPED_ADMIN({ adminScopesContainer }, { can }) {
    assert(adminScopesContainer, 'Admin scope container missing for someone with scoped admin role.');
    can(QuotasActions.view, SubjectsEnum.Quota, {
      predicate: (viewQuotaSubject: ViewQuotaSubject) => adminScopesContainer.canAccessQuotaValue(viewQuotaSubject),
      subset: SubsetAccessEnum.IN_MY_SCOPE,
    });

    can(QuotasActions.assign_values, SubjectsEnum.Quota, {
      predicate: (viewQuotaSubject: ViewQuotaSubject) => adminScopesContainer.canAccessQuotaValue(viewQuotaSubject),
      subset: SubsetAccessEnum.IN_MY_SCOPE,
    });
  },
 
  EMPLOYEE({ user }, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, {
      predicate: ({ userId }: ViewQuotaSubject) => userId === user.id,
      subset: SubsetAccessEnum.MATCH_TEAMS_AND_MANAGEES,
    });
  },
 
  READ_ONLY_EMPLOYEE({ user }, { can }) {
    can(QuotasActions.view, SubjectsEnum.Quota, {
      predicate: ({ userId }: ViewQuotaSubject) => userId === user.id,
      subset: SubsetAccessEnum.MATCH_TEAMS_AND_MANAGEES,
    });
  },
} as const satisfies Partial<Record<UserRoleForAccessControl, DefinePermissions>>;