[Api+Web] Require authentication to retrieve roles and permissions

jordan-powers · jordan-powers · commit e5ee65bc5614 · 2025-10-12T17:39:07.000-07:00
diff --git a/attendance-api/routes/api.php b/attendance-api/routes/api.php
@@ -53,11 +53,10 @@
     Route::get('reports/student-stats', [ReportController::class, 'studentStats']);
     Route::get('poll', [PollController::class, 'poll']);
 
+    Route::get('roles', fn () => collect([
+        "roles" => Role::all()->map(fn ($role) => ['name'=>$role->name, 'permissions'=>$role->permissions->pluck("name")]),
+        "permissions" => Permission::all()->pluck("name")
+    ]));
 });
 
-Route::get('roles', fn () => collect([
-    "roles" => Role::all()->map(fn ($role) => ['name'=>$role->name, 'permissions'=>$role->permissions->pluck("name")]),
-    "permissions" => Permission::all()->pluck("name")
-]));
 Route::get('info', fn () => ['git_hash' => config('app.git_hash')]);
-
diff --git a/attendance-web/src/app/services/permissions.service.ts b/attendance-web/src/app/services/permissions.service.ts
@@ -1,45 +1,42 @@
 import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
-import { map, Observable, of, ReplaySubject, switchMap, take } from 'rxjs';
-import { Permission, Role, RolesResponse } from 'src/app/models/role.model';
+import { map, Observable, of, shareReplay, switchMap } from 'rxjs';
+import { Role, RolesResponse } from 'src/app/models/role.model';
 import { environment } from 'src/environments/environment';
 import { AuthService } from './auth.service';
 
 @Injectable({
   providedIn: 'root'
 })
 export class PermissionsService {
-  private readonly roles = new ReplaySubject<Map<string, Role>>(1);
-  private readonly permissions = new ReplaySubject<Permission[]>(1);
+  private readonly roles: Observable<Map<string, Role>>;
 
   constructor(private httpClient: HttpClient, private authService: AuthService) {
-    this.httpClient.get<RolesResponse>(environment.apiRoot + '/roles').subscribe(roles => {
-      this.roles.next(new Map(roles.roles.map(role => [role.name, role])));
-      this.permissions.next(roles.permissions);
-    });
+    this.roles = this.httpClient.get<RolesResponse>(environment.apiRoot + '/roles').pipe(
+      map(rolesResponse => new Map(rolesResponse.roles.map(role => [role.name, role]))),
+      shareReplay(1)
+    );
   }
 
   public getAllRoles(): Observable<Role[]> {
     return this.roles.pipe(map(roles => Array.from(roles.values())));
   }
 
-  public checkPermissions(permissions: string[]): Observable<boolean> {
+  public getCurrentUserPermissions(): Observable<string[]> {
     return this.authService.getUser().pipe(
-      take(1),
-      switchMap(user => user === null ? of(false) : this.roles.pipe(map(roles =>
-        user.role_names.reduce((prev, role) => {
-          if (prev) {
-            return true;
-          }
-
-          if (!roles.has(role)) {
-            return false;
-          }
+      switchMap(user => user === null ? of([])
+        : this.roles.pipe(
+          map(roles => user.role_names.flatMap(role => roles.get(role)?.permissions ?? []))
+        )
+      )
+    );
+  }
 
-          const role_permissions = roles.get(role)!!.permissions;
-          return permissions.reduce((prev, permission) => prev && role_permissions.includes(permission), true);
-        }, false)
-      ))
-    ));
+  public checkPermissions(neededPermissions: string[]): Observable<boolean> {
+    return this.getCurrentUserPermissions().pipe(
+      map(userPermissions => {
+        return neededPermissions.reduce((allowed, neededPermission) => allowed && userPermissions.includes(neededPermission), true);
+      })
+    );
   }
 }
