Merge pull request #1161 from CodeForAfrica/ft/trustlab-rbac

feat(access): add role-based access control and permissions

Author: kelvinkipruto

apps/trustlab/payload-types.ts

@@ -67,17 +67,19 @@ export interface Config {
   };
   blocks: {};
   collections: {
-    pages: Page;
     media: Media;
+    pages: Page;
+    posts: Post;
     users: User;
     "payload-locked-documents": PayloadLockedDocument;
     "payload-preferences": PayloadPreference;
     "payload-migrations": PayloadMigration;
   };
   collectionsJoins: {};
   collectionsSelect: {
-    pages: PagesSelect<false> | PagesSelect<true>;
     media: MediaSelect<false> | MediaSelect<true>;
+    pages: PagesSelect<false> | PagesSelect<true>;
+    posts: PostsSelect<false> | PostsSelect<true>;
     users: UsersSelect<false> | UsersSelect<true>;
     "payload-locked-documents":
       | PayloadLockedDocumentsSelect<false>
@@ -125,69 +127,14 @@ export interface UserAuthOperations {
     password: string;
   };
 }
-/**
- * This interface was referenced by `Config`'s JSON-Schema
- * via the `definition` "pages".
- */
-export interface Page {
-  id: string;
-  title: string;
-  fullTitle?: string | null;
-  slug?: string | null;
-  blocks?:
-    | {
-        title: string;
-        content: {
-          root: {
-            type: string;
-            children: {
-              type: string;
-              version: number;
-              [k: string]: unknown;
-            }[];
-            direction: ("ltr" | "rtl") | null;
-            format:
-              | "left"
-              | "start"
-              | "center"
-              | "right"
-              | "end"
-              | "justify"
-              | "";
-            indent: number;
-            version: number;
-          };
-          [k: string]: unknown;
-        };
-        id?: string | null;
-        blockName?: string | null;
-        blockType: "test";
-      }[]
-    | null;
-  parent?: (string | null) | Page;
-  breadcrumbs?:
-    | {
-        doc?: (string | null) | Page;
-        url?: string | null;
-        label?: string | null;
-        id?: string | null;
-      }[]
-    | null;
-  meta?: {
-    title?: string | null;
-    description?: string | null;
-  };
-  updatedAt: string;
-  createdAt: string;
-  _status?: ("draft" | "published") | null;
-}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "media".
  */
 export interface Media {
   id: string;
   alt: string;
+  createdBy?: (string | null) | User;
   updatedAt: string;
   createdAt: string;
   url?: string | null;
@@ -266,6 +213,7 @@ export interface User {
   id: string;
   firstName: string;
   lastName: string;
+  role: "administrator" | "editor" | "author";
   updatedAt: string;
   createdAt: string;
   email: string;
@@ -277,20 +225,93 @@ export interface User {
   lockUntil?: string | null;
   password?: string | null;
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "pages".
+ */
+export interface Page {
+  id: string;
+  title: string;
+  fullTitle?: string | null;
+  slug?: string | null;
+  blocks?:
+    | {
+        title: string;
+        content: {
+          root: {
+            type: string;
+            children: {
+              type: string;
+              version: number;
+              [k: string]: unknown;
+            }[];
+            direction: ("ltr" | "rtl") | null;
+            format:
+              | "left"
+              | "start"
+              | "center"
+              | "right"
+              | "end"
+              | "justify"
+              | "";
+            indent: number;
+            version: number;
+          };
+          [k: string]: unknown;
+        };
+        id?: string | null;
+        blockName?: string | null;
+        blockType: "test";
+      }[]
+    | null;
+  parent?: (string | null) | Page;
+  breadcrumbs?:
+    | {
+        doc?: (string | null) | Page;
+        url?: string | null;
+        label?: string | null;
+        id?: string | null;
+      }[]
+    | null;
+  meta?: {
+    title?: string | null;
+    description?: string | null;
+  };
+  updatedAt: string;
+  createdAt: string;
+  _status?: ("draft" | "published") | null;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "posts".
+ */
+export interface Post {
+  id: string;
+  title: string;
+  slug?: string | null;
+  createdBy?: (string | null) | User;
+  updatedAt: string;
+  createdAt: string;
+  _status?: ("draft" | "published") | null;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "payload-locked-documents".
  */
 export interface PayloadLockedDocument {
   id: string;
   document?:
+    | ({
+        relationTo: "media";
+        value: string | Media;
+      } | null)
     | ({
         relationTo: "pages";
         value: string | Page;
       } | null)
     | ({
-        relationTo: "media";
-        value: string | Media;
+        relationTo: "posts";
+        value: string | Post;
       } | null)
     | ({
         relationTo: "users";
@@ -338,51 +359,13 @@ export interface PayloadMigration {
   updatedAt: string;
   createdAt: string;
 }
-/**
- * This interface was referenced by `Config`'s JSON-Schema
- * via the `definition` "pages_select".
- */
-export interface PagesSelect<T extends boolean = true> {
-  title?: T;
-  fullTitle?: T;
-  slug?: T;
-  blocks?:
-    | T
-    | {
-        test?:
-          | T
-          | {
-              title?: T;
-              content?: T;
-              id?: T;
-              blockName?: T;
-            };
-      };
-  parent?: T;
-  breadcrumbs?:
-    | T
-    | {
-        doc?: T;
-        url?: T;
-        label?: T;
-        id?: T;
-      };
-  meta?:
-    | T
-    | {
-        title?: T;
-        description?: T;
-      };
-  updatedAt?: T;
-  createdAt?: T;
-  _status?: T;
-}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "media_select".
  */
 export interface MediaSelect<T extends boolean = true> {
   alt?: T;
+  createdBy?: T;
   updatedAt?: T;
   createdAt?: T;
   url?: T;
@@ -469,13 +452,65 @@ export interface MediaSelect<T extends boolean = true> {
             };
       };
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "pages_select".
+ */
+export interface PagesSelect<T extends boolean = true> {
+  title?: T;
+  fullTitle?: T;
+  slug?: T;
+  blocks?:
+    | T
+    | {
+        test?:
+          | T
+          | {
+              title?: T;
+              content?: T;
+              id?: T;
+              blockName?: T;
+            };
+      };
+  parent?: T;
+  breadcrumbs?:
+    | T
+    | {
+        doc?: T;
+        url?: T;
+        label?: T;
+        id?: T;
+      };
+  meta?:
+    | T
+    | {
+        title?: T;
+        description?: T;
+      };
+  updatedAt?: T;
+  createdAt?: T;
+  _status?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "posts_select".
+ */
+export interface PostsSelect<T extends boolean = true> {
+  title?: T;
+  slug?: T;
+  createdBy?: T;
+  updatedAt?: T;
+  createdAt?: T;
+  _status?: T;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "users_select".
  */
 export interface UsersSelect<T extends boolean = true> {
   firstName?: T;
   lastName?: T;
+  role?: T;
   updatedAt?: T;
   createdAt?: T;
   email?: T;

apps/trustlab/payload.config.ts

@@ -12,6 +12,7 @@ import plugins from "@/trustlab/payload/plugins";
 import Pages from "@/trustlab/payload/collections/Pages";
 import SiteSettings from "@/trustlab/payload/globals";
 import { defaultLocale, locales } from "@/trustlab/payload/utils/locales";
+import Posts from "@/trustlab/payload/collections/Posts";
 const filename = fileURLToPath(import.meta.url);
 const dirname = path.dirname(filename);
 
@@ -57,7 +58,7 @@ export default buildConfig({
       globals: ["site-settings"],
     },
   },
-  collections: [Pages, Media, Users] as CollectionConfig[],
+  collections: [Media, Pages, Posts, Users] as CollectionConfig[],
   cors,
   csrf,
   db: mongooseAdapter({

apps/trustlab/src/app/preview/route.ts

@@ -5,6 +5,7 @@ import { draftMode } from "next/headers";
 import { redirect } from "next/navigation";
 
 import configPromise from "@payload-config";
+import { canManageContent } from "@/trustlab/payload/access/abilities";
 
 export async function GET(
   req: {
@@ -31,10 +32,9 @@ export async function GET(
     );
   }
 
-  let user;
-
+  let authResult;
   try {
-    user = await payload.auth({
+    authResult = await payload.auth({
       req: req as unknown as PayloadRequest,
       headers: req.headers,
     });
@@ -43,23 +43,14 @@ export async function GET(
       { err: error },
       "Error verifying token for live preview",
     );
-    return new Response("You are not allowed to preview this page", {
-      status: 403,
-    });
   }
-
-  const draft = await draftMode();
-
-  if (!user) {
-    draft.disable();
+  if (!(authResult && canManageContent(authResult?.user))) {
     return new Response("You are not allowed to preview this page", {
       status: 403,
     });
   }
 
-  //TODO: Add further checks to ensure the user is allowed to preview this page
-
+  const draft = await draftMode();
   draft.enable();
-
   redirect(path);
 }