Plugin permissions in workspace (#8728)

Signed-off-by: Anton Alexeyev <[email protected]>

Author: utkaka

models/controlled-documents/src/permissions.ts

@@ -12,6 +12,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.ReviewDocumentPermission,
+      scope: 'space',
       description: documents.string.ReviewDocumentDescription
     },
     documents.permission.ReviewDocument
@@ -22,6 +23,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.ApproveDocumentPermission,
+      scope: 'space',
       description: documents.string.ApproveDocumentDescription
     },
     documents.permission.ApproveDocument
@@ -32,6 +34,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.ArchiveDocumentPermission,
+      scope: 'space',
       description: documents.string.ArchiveDocumentDescription
     },
     documents.permission.ArchiveDocument
@@ -42,6 +45,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.CoAuthorDocumentPermission,
+      scope: 'space',
       description: documents.string.CoAuthorDocumentDescription
     },
     documents.permission.CoAuthorDocument
@@ -52,6 +56,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.CreateDocumentPermission,
+      scope: 'space',
       description: documents.string.CreateDocumentDescription
     },
     documents.permission.CreateDocument
@@ -62,6 +67,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.UpdateDocumentOwnerPermission,
+      scope: 'space',
       description: documents.string.UpdateDocumentOwnerDescription
     },
     documents.permission.UpdateDocumentOwner
@@ -72,6 +78,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.CreateDocumentCategoryPermission,
+      scope: 'space',
       description: documents.string.CreateDocumentCategoryDescription
     },
     documents.permission.CreateDocumentCategory
@@ -82,6 +89,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.UpdateDocumentCategoryPermission,
+      scope: 'space',
       description: documents.string.UpdateDocumentCategoryDescription
     },
     documents.permission.UpdateDocumentCategory
@@ -92,6 +100,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: documents.string.DeleteDocumentCategoryPermission,
+      scope: 'space',
       description: documents.string.DeleteDocumentCategoryDescription
     },
     documents.permission.DeleteDocumentCategory

models/core/src/permissions.ts

@@ -23,6 +23,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: core.string.CreateObject,
+      scope: 'space',
       description: core.string.CreateObjectDescription
     },
     core.permission.CreateObject
@@ -33,6 +34,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: core.string.UpdateObject,
+      scope: 'space',
       description: core.string.UpdateObjectDescription
     },
     core.permission.UpdateObject
@@ -43,6 +45,7 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: core.string.DeleteObject,
+      scope: 'space',
       description: core.string.DeleteObjectDescription
     },
     core.permission.DeleteObject
@@ -53,36 +56,20 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: core.string.ForbidDeleteObject,
+      txClass: core.class.TxRemoveDoc,
+      forbid: true,
+      scope: 'space',
       description: core.string.ForbidDeleteObjectDescription
     },
     core.permission.ForbidDeleteObject
   )
 
-  builder.createDoc(
-    core.class.Permission,
-    core.space.Model,
-    {
-      label: core.string.UpdateObject,
-      description: core.string.UpdateObjectDescription
-    },
-    core.permission.UpdateObject
-  )
-
-  builder.createDoc(
-    core.class.Permission,
-    core.space.Model,
-    {
-      label: core.string.DeleteObject,
-      description: core.string.DeleteObjectDescription
-    },
-    core.permission.DeleteObject
-  )
-
   builder.createDoc(
     core.class.Permission,
     core.space.Model,
     {
       label: core.string.UpdateSpace,
+      scope: 'space',
       description: core.string.UpdateSpaceDescription
     },
     core.permission.UpdateSpace
@@ -93,18 +80,9 @@ export function definePermissions (builder: Builder): void {
     core.space.Model,
     {
       label: core.string.ArchiveSpace,
+      scope: 'space',
       description: core.string.ArchiveSpaceDescription
     },
     core.permission.ArchiveSpace
   )
-
-  builder.createDoc(
-    core.class.Permission,
-    core.space.Model,
-    {
-      label: core.string.CreateProject,
-      description: core.string.CreateProjectDescription
-    },
-    core.permission.CreateProject
-  )
 }

models/core/src/security.ts

@@ -29,7 +29,9 @@ import {
   type Space,
   type SpaceType,
   type SpaceTypeDescriptor,
-  type TypedSpace
+  type TypedSpace,
+  type Doc,
+  type Tx
 } from '@hcengineering/core'
 import {
   ArrOf,
@@ -155,6 +157,10 @@ export class TRole extends TAttachedDoc implements Role {
 @UX(core.string.Permission)
 export class TPermission extends TDoc implements Permission {
   label!: IntlString
+  txClass?: Ref<Class<Tx>>
+  forbid?: boolean
+  objectClass?: Ref<Class<Doc<Space>>>
+  scope?: 'space' | 'workspace'
   description?: IntlString
   icon?: Asset
 }

models/core/src/spaceType.ts

@@ -24,7 +24,7 @@ const roles = [
   {
     _id: core.role.Admin,
     name: 'Admin',
-    permissions: [core.permission.UpdateObject, core.permission.DeleteObject, core.permission.CreateProject]
+    permissions: [core.permission.UpdateObject, core.permission.DeleteObject]
   }
 ]
 
@@ -46,7 +46,7 @@ export function defineSpaceType (builder: Builder): void {
       description: core.string.SpacesDescription,
       icon: '' as Asset, // FIXME
       baseClass: core.class.Space,
-      availablePermissions: [core.permission.UpdateObject, core.permission.DeleteObject, core.permission.CreateProject],
+      availablePermissions: [core.permission.UpdateObject, core.permission.DeleteObject],
       system: true
     },
     core.descriptor.SpacesType

models/document/src/index.ts

@@ -53,6 +53,7 @@ import { type Asset, getEmbeddedLabel } from '@hcengineering/platform'
 import tags from '@hcengineering/tags'
 import time, { type ToDo, type Todoable } from '@hcengineering/time'
 import document from './plugin'
+import { definePermissions } from './permissions'
 
 export { documentId } from '@hcengineering/document'
 
@@ -560,6 +561,7 @@ export function createModel (builder: Builder): void {
   defineDocument(builder)
 
   defineApplication(builder)
+  definePermissions(builder)
 
   builder.createDoc(core.class.DomainIndexConfiguration, core.space.Model, {
     domain: DOMAIN_DOCUMENT,

models/document/src/permissions.ts

@@ -0,0 +1,19 @@
+import type { Builder } from '@hcengineering/model'
+import core from '@hcengineering/core'
+import document from '@hcengineering/document'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: document.string.ForbidCreateTeamspacePermission,
+      scope: 'workspace',
+      txClass: core.class.TxCreateDoc,
+      objectClass: document.class.Teamspace,
+      forbid: true,
+      description: document.string.ForbidCreateTeamspacePermissionDescription
+    },
+    document.permission.ForbidCreateTeamspace
+  )
+}

models/drive/src/index.ts

@@ -63,6 +63,7 @@ import workbench from '@hcengineering/model-workbench'
 import { getEmbeddedLabel } from '@hcengineering/platform'
 
 import drive from './plugin'
+import { definePermissions } from './permissions'
 
 export { driveId } from '@hcengineering/drive'
 export { driveOperation } from './migration'
@@ -790,4 +791,5 @@ export function createModel (builder: Builder): void {
   defineFile(builder)
   defineFileVersion(builder)
   defineApplication(builder)
+  definePermissions(builder)
 }

models/drive/src/permissions.ts

@@ -0,0 +1,19 @@
+import type { Builder } from '@hcengineering/model'
+import core from '@hcengineering/core'
+import drive from '@hcengineering/drive'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: drive.string.ForbidCreateDrivePermission,
+      scope: 'workspace',
+      txClass: core.class.TxCreateDoc,
+      objectClass: drive.class.Drive,
+      forbid: true,
+      description: drive.string.ForbidCreateDrivePermissionDescription
+    },
+    drive.permission.ForbidCreateDrive
+  )
+}

models/lead/src/index.ts

@@ -32,6 +32,7 @@ import { type ViewOptionsModel } from '@hcengineering/view'
 
 import lead from './plugin'
 import { defineSpaceType } from './spaceType'
+import { definePermissions } from './permissions'
 import { TCustomer, TFunnel, TLead } from './types'
 
 export { leadId } from '@hcengineering/lead'
@@ -659,4 +660,5 @@ export function createModel (builder: Builder): void {
   })
 
   defineSpaceType(builder)
+  definePermissions(builder)
 }

models/lead/src/permissions.ts

@@ -0,0 +1,19 @@
+import type { Builder } from '@hcengineering/model'
+import core from '@hcengineering/core'
+import lead from '@hcengineering/lead'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: lead.string.ForbidCreateFunnelPermission,
+      scope: 'workspace',
+      txClass: core.class.TxCreateDoc,
+      objectClass: lead.class.Funnel,
+      forbid: true,
+      description: lead.string.ForbidCreateFunnelPermissionDescription
+    },
+    lead.permission.ForbidCreateFunnel
+  )
+}

models/recruit/src/index.ts

@@ -38,6 +38,7 @@ import { type KeyBinding, type ViewOptionModel, type ViewOptionsModel } from '@h
 import recruit from './plugin'
 import { createReviewModel, reviewTableConfig, reviewTableOptions } from './review'
 import { defineSpaceType } from './spaceType'
+import { definePermissions } from './permissions'
 import { TApplicant, TApplicantMatch, TCandidate, TOpinion, TReview, TVacancy, TVacancyList } from './types'
 
 export { recruitId } from '@hcengineering/recruit'
@@ -1609,4 +1610,5 @@ export function createModel (builder: Builder): void {
   )
 
   defineSpaceType(builder)
+  definePermissions(builder)
 }

models/recruit/src/permissions.ts

@@ -0,0 +1,19 @@
+import type { Builder } from '@hcengineering/model'
+import core from '@hcengineering/core'
+import recruit from '@hcengineering/recruit'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: recruit.string.ForbidCreateVacancyPermission,
+      scope: 'workspace',
+      txClass: core.class.TxCreateDoc,
+      objectClass: recruit.class.Vacancy,
+      forbid: true,
+      description: recruit.string.ForbidCreateVacancyPermissionDescription
+    },
+    recruit.permission.ForbidCreateVacancy
+  )
+}

models/tracker/src/index.ts

@@ -32,6 +32,7 @@ import { PaletteColorIndexes } from '@hcengineering/ui/src/colors'
 import { createActions as defineActions } from './actions'
 import tracker from './plugin'
 import { definePresenters } from './presenters'
+import { definePermissions } from './permissions'
 import {
   DOMAIN_TRACKER,
   TClassicProjectTypeData,
@@ -708,6 +709,7 @@ export function createModel (builder: Builder): void {
     ]
   })
 
+  definePermissions(builder)
   defineSpaceType(builder)
 }
 

models/tracker/src/permissions.ts

@@ -0,0 +1,19 @@
+import type { Builder } from '@hcengineering/model'
+import core from '@hcengineering/core'
+import tracker from '@hcengineering/tracker'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: tracker.string.ForbidCreateProjectPermission,
+      txClass: core.class.TxCreateDoc,
+      objectClass: tracker.class.Project,
+      forbid: true,
+      scope: 'workspace',
+      description: tracker.string.ForbidCreateProjectPermissionDescription
+    },
+    tracker.permission.ForbidCreateProject
+  )
+}