card RBAC (#10197)

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>

Author: BykhovDenis

.vscode/launch.json

@@ -97,7 +97,7 @@
         "MODEL_JSON": "${workspaceRoot}/models/all/bundle/model.json",
         // "SERVER_PROVIDER":"uweb"
         "SERVER_PROVIDER": "ws",
-        "MODEL_VERSION": "0.7.278",
+        "MODEL_VERSION": "0.7.301",
         // "version": "0.7.0",
         "COMMUNICATION_API_ENABLED": "true",
         "ELASTIC_INDEX_NAME": "local_storage_index",
@@ -315,10 +315,11 @@
         "SERVER_SECRET": "secret",
         "TRANSACTOR_URL": "ws://localhost:3332",
         "ACCOUNTS_URL": "http://localhost:3000",
+        "ACCOUNTS_DB_URL": "postgresql://root@huly.local:26257/defaultdb?sslmode=disable",
         "FRONT_URL": "http://localhost:8080",
         "MAIL_URL": "",
         "STORAGE_CONFIG": "datalake|http://localhost:4030",
-        "MODEL_VERSION": "0.7.153",
+        "MODEL_VERSION": "0.7.301",
         "WS_OPERATION": "all+backup",
         "BACKUP_STORAGE": "minio|minio?accessKey=minioadmin&secretKey=minioadmin",
         "BACKUP_BUCKET": "dev-backups",

common/config/rush/pnpm-lock.yaml

@@ -1 +1 @@
-"0.7.292"
+"0.7.301"

common/scripts/version.txt

@@ -160,6 +160,7 @@ async function migrateChannel (
       autoJoin: doc.autoJoin,
       owners: doc.owners,
       types: [chat.masterTag.Thread],
+      type: cardPlugin.spaceType.SpaceType,
       space: cardPlugin.space.Default,
       modifiedBy: doc.modifiedBy,
       modifiedOn: doc.modifiedOn,

dev/tool/src/communication.ts

@@ -26,15 +26,18 @@ import {
   type FavoriteType,
   type MasterTag,
   type ParentInfo,
+  type PermissionObjectClass,
   type Role,
   type Tag
 } from '@hcengineering/card'
 import chunter from '@hcengineering/chunter'
 import core, {
   AccountRole,
   type Blobs,
+  type Class,
   ClassifierKind,
   type CollectionSize,
+  type Doc,
   DOMAIN_MODEL,
   DOMAIN_SPACE,
   IndexKind,
@@ -45,22 +48,23 @@ import core, {
   SortingOrder
 } from '@hcengineering/core'
 import {
+  ArrOf,
   type Builder,
   Collection,
   Hidden,
   Index,
   Mixin,
   Model,
   Prop,
+  ReadOnly,
   TypeCollaborativeDoc,
   TypeNumber,
   TypeRef,
   TypeString,
-  UX,
-  ReadOnly
+  UX
 } from '@hcengineering/model'
 import attachment from '@hcengineering/model-attachment'
-import { TAttachedDoc, TClass, TDoc, TMixin, TSpace } from '@hcengineering/model-core'
+import { TRole as TBaseRole, TClass, TDoc, TMixin, TTypedSpace } from '@hcengineering/model-core'
 import { createPublicLinkAction } from '@hcengineering/model-guest'
 import preference, { TPreference } from '@hcengineering/model-preference'
 import presentation from '@hcengineering/model-presentation'
@@ -72,8 +76,9 @@ import time, { type ToDo } from '@hcengineering/time'
 import { PaletteColorIndexes } from '@hcengineering/ui/src/colors'
 import { type AnyComponent } from '@hcengineering/ui/src/types'
 import { type BuildModelKey } from '@hcengineering/view'
-import card from './plugin'
 import { createActions } from './actions'
+import card from './plugin'
+import { definePermissions } from './permissions'
 
 export { cardId } from '@hcengineering/card'
 
@@ -141,10 +146,11 @@ export class TCard extends TDoc implements Card {
     peerId?: string
 }
 
-@Model(card.class.CardSpace, core.class.Space, DOMAIN_SPACE)
+@Model(card.class.CardSpace, core.class.TypedSpace, DOMAIN_SPACE)
 @UX(core.string.Space)
-export class TCardSpace extends TSpace implements CardSpace {
-  types!: Ref<MasterTag>[]
+export class TCardSpace extends TTypedSpace implements CardSpace {
+  @Prop(ArrOf(TypeRef(card.class.MasterTag)), card.string.MasterTags)
+    types!: Ref<MasterTag>[]
 }
 
 @Model(card.class.MasterTagEditorSection, core.class.Doc, DOMAIN_MODEL)
@@ -169,11 +175,9 @@ export class TCardViewDefaults extends TMasterTag implements CardViewDefaults {
   defaultNavigation?: string
 }
 
-@Model(card.class.Role, core.class.AttachedDoc, DOMAIN_MODEL)
-export class TRole extends TAttachedDoc implements Role {
-  name!: string
-  declare attachedTo: Ref<MasterTag | Tag>
-  declare collection: 'roles'
+@Model(card.class.Role, core.class.Role, DOMAIN_MODEL)
+export class TRole extends TBaseRole implements Role {
+  type!: Ref<MasterTag | Tag>
 }
 
 @Model(card.class.FavoriteCard, preference.class.Preference)
@@ -187,6 +191,11 @@ export class TFavoriteType extends TPreference implements FavoriteType {
   declare attachedTo: Ref<MasterTag>
 }
 
+@Model(card.class.PermissionObjectClass, core.class.Doc, DOMAIN_MODEL)
+export class TPermissionObjectClass extends TDoc implements PermissionObjectClass {
+  objectClass!: Ref<Class<Doc>>
+}
+
 @Mixin(card.mixin.CreateCardExtension, card.class.MasterTag)
 export class TCreateCardExtension extends TMasterTag implements CreateCardExtension {
   component?: AnyComponent
@@ -355,6 +364,7 @@ export function createSystemType (
 
 export function createModel (builder: Builder): void {
   builder.createModel(
+    TPermissionObjectClass,
     TMasterTag,
     TTag,
     TCard,
@@ -368,7 +378,20 @@ export function createModel (builder: Builder): void {
     TCreateCardExtension
   )
 
+  builder.createDoc(
+    core.class.SpaceType,
+    core.space.Model,
+    {
+      name: '',
+      descriptor: core.descriptor.SpacesType,
+      roles: 0,
+      targetClass: core.mixin.SpacesTypeData
+    },
+    card.spaceType.SpaceType
+  )
+
   defineTabs(builder)
+  definePermissions(builder)
 
   builder.mixin(card.class.Card, core.class.Class, view.mixin.ObjectIcon, {
     component: card.component.CardIcon

models/card/src/index.ts

@@ -13,8 +13,16 @@
 // limitations under the License.
 //
 
-import { type Card, cardId, DOMAIN_CARD } from '@hcengineering/card'
-import core, { DOMAIN_MODEL, type Ref, TxOperations, type Client, type Data, type Doc } from '@hcengineering/core'
+import cardPlugin, { type Card, cardId, DOMAIN_CARD, type Role } from '@hcengineering/card'
+import core, {
+  DOMAIN_MODEL,
+  type Ref,
+  TxOperations,
+  type Client,
+  type Data,
+  type Doc,
+  type DocumentUpdate
+} from '@hcengineering/core'
 import {
   tryMigrate,
   tryUpgrade,
@@ -82,11 +90,42 @@ export const cardOperation: MigrateOperation = {
         state: 'make-config-sortable',
         mode: 'upgrade',
         func: makeConfigSortable
+      },
+      {
+        state: 'migrate-roles-v2',
+        mode: 'upgrade',
+        func: migrateRolesToBaseRole
+      },
+      {
+        state: 'add-space-type',
+        mode: 'upgrade',
+        func: addSpaceType
       }
     ])
   }
 }
 
+async function addSpaceType (client: MigrationUpgradeClient): Promise<void> {
+  const txOp = new TxOperations(client, core.account.System)
+  const spaces = await client.findAll(card.class.CardSpace, { type: { $exists: false } })
+  for (const space of spaces) {
+    await txOp.diffUpdate(space, { type: cardPlugin.spaceType.SpaceType })
+  }
+}
+
+async function migrateRolesToBaseRole (client: MigrationUpgradeClient): Promise<void> {
+  const txOp = new TxOperations(client, core.account.System)
+  const roles = await client.findAll(card.class.Role, { attachedTo: { $ne: cardPlugin.spaceType.SpaceType } })
+  for (const role of roles) {
+    const baseRoleData: DocumentUpdate<Role> = {
+      type: role.attachedTo as any,
+      attachedTo: cardPlugin.spaceType.SpaceType,
+      attachedToClass: core.class.SpaceType
+    }
+    await txOp.update(role, baseRoleData)
+  }
+}
+
 async function fillParentInfo (client: Client): Promise<void> {
   const txOp = new TxOperations(client, core.account.System)
   const cards = await client.findAll(card.class.Card, { parentInfo: { $exists: false }, parent: { $ne: null } })
@@ -249,6 +288,7 @@ async function createDefaultProject (tx: TxOperations): Promise<void> {
         members: [],
         archived: false,
         autoJoin: true,
+        type: card.spaceType.SpaceType,
         types: topLevelTypes.map((it) => it._id)
       },
       card.space.Default

models/card/src/migration.ts

@@ -0,0 +1,153 @@
+// Copyright © 2025 Hardcore Engineering Inc.
+//
+// Licensed under the Eclipse Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License. You may
+// obtain a copy of the License at https://www.eclipse.org/legal/epl-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import core from '@hcengineering/core'
+import { type Builder } from '@hcengineering/model'
+import card from '.'
+
+export function definePermissions (builder: Builder): void {
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.AddTagPermission,
+      txClass: core.class.TxMixin,
+      objectClass: card.class.Card,
+      scope: 'space'
+    },
+    card.permission.AddTag
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.RemoveTag,
+      txClass: core.class.TxUpdateDoc,
+      txMatch: {
+        'operations.$unset': {
+          $exists: true
+        }
+      },
+      objectClass: card.class.Card,
+      scope: 'space'
+    },
+    card.permission.RemoveTag
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.CreateCardPermission,
+      txClass: core.class.TxCreateDoc,
+      objectClass: card.class.Card,
+      scope: 'space'
+    },
+    card.permission.CreateCard
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.UpdateCard,
+      txClass: core.class.TxUpdateDoc,
+      objectClass: card.class.Card,
+      scope: 'space'
+    },
+    card.permission.UpdateCard
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.RemoveCard,
+      txClass: core.class.TxRemoveDoc,
+      objectClass: card.class.Card,
+      scope: 'space'
+    },
+    card.permission.RemoveCard
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.ForbidAddTagPermission,
+      txClass: core.class.TxMixin,
+      objectClass: card.class.Card,
+      scope: 'space',
+      forbid: true
+    },
+    card.permission.ForbidAddTag
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.ForbidRemoveTag,
+      txClass: core.class.TxUpdateDoc,
+      txMatch: {
+        'operations.$unset': {
+          $exists: true
+        }
+      },
+      objectClass: card.class.Card,
+      scope: 'space',
+      forbid: true
+    },
+    card.permission.ForbidRemoveTag
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.ForbidCreateCardPermission,
+      txClass: core.class.TxCreateDoc,
+      objectClass: card.class.Card,
+      scope: 'space',
+      forbid: true
+    },
+    card.permission.ForbidCreateCard
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.ForbidUpdateCard,
+      txClass: core.class.TxUpdateDoc,
+      objectClass: card.class.Card,
+      scope: 'space',
+      forbid: true
+    },
+    card.permission.ForbidUpdateCard
+  )
+
+  builder.createDoc(
+    core.class.Permission,
+    core.space.Model,
+    {
+      label: card.string.ForbidRemoveCard,
+      txClass: core.class.TxRemoveDoc,
+      objectClass: card.class.Card,
+      scope: 'space',
+      forbid: true
+    },
+    card.permission.ForbidRemoveCard
+  )
+}