Merge branch 'canary' into feat/docker-build-secrets

2026-06-27 01:55:24 +02:00 · 2025-10-24 23:42:23 -06:00
parent b34334701b 0b1e79a8e1
commit babc1c033e
67 changed files with 21028 additions and 200 deletions
--- a/packages/server/src/services/user.ts
+++ b/packages/server/src/services/user.ts
@@ -163,6 +163,24 @@ export const canPerformAccessEnvironment = async (
 	return false;
 };

+export const canPerformDeleteEnvironment = async (
+	userId: string,
+	projectId: string,
+	organizationId: string,
+) => {
+	const { accessedProjects, canDeleteEnvironments } = await findMemberById(
+		userId,
+		organizationId,
+	);
+	const haveAccessToProject = accessedProjects.includes(projectId);
+
+	if (canDeleteEnvironments && haveAccessToProject) {
+		return true;
+	}
+
+	return false;
+};
+
 export const canAccessToTraefikFiles = async (
 	userId: string,
 	organizationId: string,
@@ -240,6 +258,42 @@ export const checkEnvironmentAccess = async (
 	}
 };

+export const checkEnvironmentDeletionPermission = async (
+	userId: string,
+	projectId: string,
+	organizationId: string,
+) => {
+	const member = await findMemberById(userId, organizationId);
+
+	if (!member) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "User not found in organization",
+		});
+	}
+
+	if (member.role === "owner" || member.role === "admin") {
+		return true;
+	}
+
+	if (!member.canDeleteEnvironments) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "You don't have permission to delete environments",
+		});
+	}
+
+	const hasProjectAccess = member.accessedProjects.includes(projectId);
+	if (!hasProjectAccess) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "You don't have access to this project",
+		});
+	}
+
+	return true;
+};
+
 export const checkProjectAccess = async (
 	authId: string,
 	action: "create" | "delete" | "access",
@@ -272,6 +326,46 @@ export const checkProjectAccess = async (
 	}
 };

+export const checkEnvironmentCreationPermission = async (
+	userId: string,
+	projectId: string,
+	organizationId: string,
+) => {
+	// Get user's member record
+	const member = await findMemberById(userId, organizationId);
+
+	if (!member) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "User not found in organization",
+		});
+	}
+
+	// Owners and admins can always create environments
+	if (member.role === "owner" || member.role === "admin") {
+		return true;
+	}
+
+	// Check if user has canCreateEnvironments permission
+	if (!member.canCreateEnvironments) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "You don't have permission to create environments",
+		});
+	}
+
+	// Check if user has access to the project
+	const hasProjectAccess = member.accessedProjects.includes(projectId);
+	if (!hasProjectAccess) {
+		throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "You don't have access to this project",
+		});
+	}
+
+	return true;
+};
+
 export const findMemberById = async (
 	userId: string,
 	organizationId: string,