
dev: move implied system perms

KernelDeimos пре 10 месеци
родитељ
комит
e0d30f041b

+ 50 - 0
src/backend/src/data/hardcoded-permissions.js

@@ -62,7 +62,57 @@ const implicit_user_app_permissions = [
     },
 ];
 
+const hardcoded_user_group_permissions = {
+    system: {
+        'b7220104-7905-4985-b996-649fdcdb3c8f': {
+            'driver:puter-kvstore': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'temp.kv'
+            },
+            'driver:puter-notifications': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'temp.es'
+            },
+            'driver:puter-apps': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'temp.es'
+            },
+            'driver:puter-subdomains': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'temp.es'
+            },
+        },
+        '78b1b1dd-c959-44d2-b02c-8735671f9997': {
+            'driver:puter-kvstore': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'user.kv'
+            },
+            'driver:puter-notifications': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'user.es'
+            },
+            'driver:puter-apps': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'user.es'
+            },
+            'driver:puter-subdomains': {
+                $: 'json-address',
+                path: '/admin/.policy/drivers.json',
+                selector: 'user.es'
+            },
+        },
+    },
+};
+
 module.exports = {
     implicit_user_app_permissions,
     default_implicit_user_app_permissions,
+    hardcoded_user_group_permissions,
 };
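Review bot: The two group uids used as keys at lines 19 and 41 are opaque, and nothing in the file says which group each one represents or that the outer `system` key is an issuer username rather than a group; once the 0026 migration is gone, a reader of the scanner that consumes this table cannot tell the temp entries from the registered-user entries. Add a comment above the object along the lines of `// issuer username -> group uid -> permission -> policy address for that permission`, and label each uid key, e.g. `// registered-users group (same uid the 0026 migration looked up)` on line 41. The first uid is presumably the Guest/temp group, but the migration derived that group's id from `insertId` rather than a fixed uid, so the comment for line 19 should be confirmed against the seed data before it is written. Since every entry shares the same `path`, it is also worth saying in that comment that only `selector` varies per group and driver.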

+ 0 - 85
src/backend/src/services/database/sqlite_setup/0026_user-groups.dbmig.js

@@ -8,88 +8,3 @@ const { insertId: temp_group_id } = await write(
         '{"title": "Guest", "color": "#777777"}'
     ]
 );
-const [{id: system_user_id}] = await read(
-    "SELECT id FROM `user` WHERE username='system'"
-);
-const [{id: user_group_id}] = await read(
-    'SELECT id FROM `group` WHERE uid=?',
-    ['78b1b1dd-c959-44d2-b02c-8735671f9997']
-);
-
-const user_types = structutil.apply_keys(
-    ['name', 'group_id'],
-    ['temp', temp_group_id],
-    ['user', user_group_id],
-);
-const drivers = structutil.apply_keys(
-    ['driver_id', 'selector'],
-    ['driver:puter-kvstore', 'kv'],
-    ['driver:puter-notifications', 'es'],
-    ['driver:puter-apps', 'es'],
-    ['driver:puter-subdomains', 'es'],
-);
-
-const perms = structutil.cart_product(
-    [user_types, drivers]);
-
-for ( const perm of perms ) {
-    const [user_type, driver] = perm;
-    log.info('permission info', { user_type, driver });
-    debugger;
-    // temp user drivers
-    await write(
-        'INSERT INTO `user_to_group_permissions` ' +
-        '(`user_id`, `group_id`, `permission`, `extra`) ' +
-        'VALUES (?, ?, ?, ?)',
-        [
-            system_user_id, user_type.group_id,
-            driver.driver_id,
-            JSON.stringify({
-                policy: {
-                    $: 'json-address',
-                    path: '/admin/.policy/drivers.json',
-                    selector: user_type.name + '.' +
-                        driver.selector,
-                }
-            }),
-        ]
-    );
-}
-
-/*
-// temp user drivers
-await write(
-    'INSERT INTO `user_to_group_permissions` ' +
-    '(`user_id`, `group_id`, `permission`, `extra`) ' +
-    'VALUES (?, ?, ?, ?)',
-    [
-        system_user_id, temp_group_id,
-        'driver:puter-kvstore',
-        JSON.stringify({
-            policy: {
-                $: 'json-address',
-                path: '/admin/.policy/drivers.json',
-                selector: 'temp.kv',
-            }
-        }),
-    ]
-);
-
-// registered user drivers
-await write(
-    'INSERT INTO `user_to_group_permissions` ' +
-    '(`user_id`, `group_id`, `permission`, `extra`) ' +
-    'VALUES (?, ?, ?, ?)',
-    [
-        system_user_id, user_group_id,
-        'driver:puter-kvstore',
-        JSON.stringify({
-            policy: {
-                $: 'json-address',
-                path: '/admin/.policy/drivers.json',
-                selector: 'user.kv',
-            }
-        }),
-    ]
-);
-*/

+ 56 - 0
src/backend/src/unstructured/permission-scanners.js

@@ -1,10 +1,18 @@
 const {
     default_implicit_user_app_permissions,
     implicit_user_app_permissions,
+    hardcoded_user_group_permissions,
 } = require("../data/hardcoded-permissions");
 const { get_user } = require("../helpers");
 const { Actor, UserActorType, AppUnderUserActorType } = require("../services/auth/Actor");
 
+/*
+    OPTIMAL FOLD LEVEL: 3
+    
+    "Ctrl+K, Ctrl+3" or "⌘K, ⌘3";
+    "Ctrl+K, Ctrl+J" or "⌘K, ⌘J";
+*/
+
 const PERMISSION_SCANNERS = [
     {
         name: 'implied',
@@ -85,6 +93,54 @@ const PERMISSION_SCANNERS = [
             }
         }
     },
+    {
+        name: 'hc-user-group-user',
+        async scan (a) {
+            const { reading, actor, permission_options } = a.values();
+            if ( !(actor.type instanceof UserActorType)  ) {
+                return;
+            }
+
+            const svc_group = await a.iget('services').get('group');
+            const groups = await svc_group.list_groups_with_member(
+                { user_id: actor.type.user.id });
+            console.log('uh, groups?', actor.type.user.id, groups);
+            const group_uids = {};
+            for ( const group of groups ) {
+                group_uids[group.values.uid] = group;
+            }
+            console.log('group uids', group_uids);
+            
+            for ( const issuer_username in hardcoded_user_group_permissions ) {
+                const issuer_actor = new Actor({
+                    type: new UserActorType({
+                        user: await get_user({ username: issuer_username }),
+                    }),
+                });
+                const issuer_groups =
+                    hardcoded_user_group_permissions[issuer_username];
+                console.log('issuer groups', issuer_groups);
+                for ( const group_uid in issuer_groups ) {
+                    if ( ! group_uids[group_uid] ) continue;
+                    const issuer_group = issuer_groups[group_uid];
+                    for ( const permission of permission_options ) {
+                        console.log('permission?', permission);
+                        if ( ! issuer_group.hasOwnProperty(permission) ) continue;
+                        const issuer_reading =
+                            await a.icall('scan', issuer_actor, permission)
+                        reading.push({
+                            $: 'path',
+                            via: 'hc-user-group',
+                            permission,
+                            issuer_username,
+                            reading: issuer_reading,
+                            group_id: group_uids[group_uid].id,
+                        });
+                    }
+                }
+            }
+        }
+    },
     {
         name: 'user-group-user',
         async scan (a) {
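Review bot: The four `console.log` calls at lines 202, 207, 217 and 222 look like leftover debugging; they run on every permission scan for a user actor and write the user's id, the full group records and each candidate permission to stdout. Drop them, or route them through whatever logger this file uses (the removed migration used `log.info`, but I cannot see what is in scope here). Two smaller points in the same hunk: line 225 `await a.icall('scan', issuer_actor, permission)` lacks its terminating semicolon, and line 223 would read as `if ( ! Object.hasOwn(issuer_group, permission) ) continue;`, which does not depend on the object's prototype. The `hc-user-group-user` scanner is complete within the hunk; the enclosing PERMISSION_SCANNERS array continues past it.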