extend roomMembershipRule to check for user's school access (primary …

…or secondary)

apps/server/src/modules/room-membership/authorization/room-membership.rule.ts

@@ -1,7 +1,7 @@
+import { Action, AuthorizationContext, AuthorizationInjectionService, Rule } from '@modules/authorization';
 import { Injectable } from '@nestjs/common';
 import { User } from '@shared/domain/entity';
 import { Permission } from '@shared/domain/interface';
-import { AuthorizationInjectionService, Action, AuthorizationContext, Rule } from '@modules/authorization';
 import { RoomMembershipAuthorizable } from '../do/room-membership-authorizable.do';
 
 @Injectable()
@@ -17,6 +17,14 @@ export class RoomMembershipRule implements Rule<RoomMembershipAuthorizable> {
 	}
 
 	public hasPermission(user: User, object: RoomMembershipAuthorizable, context: AuthorizationContext): boolean {
+		const primarySchoolId = user.school.id;
+		const secondarySchools = user.secondarySchools ?? [];
+		const secondarySchoolIds = secondarySchools.map(({ school }) => school.id);
+
+		if (![primarySchoolId, ...secondarySchoolIds].includes(object.schoolId)) {
+			return false;
+		}
+
 		const { action } = context;
 		const permissionsThisUserHas = object.members
 			.filter((member) => member.userId === user.id)

apps/server/src/modules/room-membership/do/room-membership-authorizable.do.ts

@@ -12,10 +12,13 @@ export class RoomMembershipAuthorizable implements AuthorizableObject {
 
 	public readonly roomId: EntityId;
 
+	public readonly schoolId: EntityId;
+
 	public readonly members: UserWithRoomRoles[];
 
-	public constructor(roomId: EntityId, members: UserWithRoomRoles[]) {
+	constructor(roomId: EntityId, members: UserWithRoomRoles[], schoolId: EntityId) {
 		this.members = members;
 		this.roomId = roomId;
+		this.schoolId = schoolId;
 	}
 }

apps/server/src/modules/room-membership/service/room-membership.service.ts

@@ -51,7 +51,8 @@ export class RoomMembershipService {
 	private buildRoomMembershipAuthorizable(
 		roomId: EntityId,
 		group: Group,
-		roleSet: RoleDto[]
+		roleSet: RoleDto[],
+		schoolId: EntityId
 	): RoomMembershipAuthorizable {
 		const members = group.users.map((groupUser): UserWithRoomRoles => {
 			const roleDto = roleSet.find((role) => role.id === groupUser.roleId);
@@ -62,7 +63,7 @@ export class RoomMembershipService {
 			};
 		});
 
-		const roomMembershipAuthorizable = new RoomMembershipAuthorizable(roomId, members);
+		const roomMembershipAuthorizable = new RoomMembershipAuthorizable(roomId, members, schoolId);
 
 		return roomMembershipAuthorizable;
 	}
@@ -120,7 +121,7 @@ export class RoomMembershipService {
 			.map((item) => {
 				const group = groupPage.data.find((g) => g.id === item.userGroupId);
 				if (!group) return null;
-				return this.buildRoomMembershipAuthorizable(item.roomId, group, roleSet);
+				return this.buildRoomMembershipAuthorizable(item.roomId, group, roleSet, item.schoolId);
 			})
 			.filter((item): item is RoomMembershipAuthorizable => item !== null);
 
@@ -130,7 +131,8 @@ export class RoomMembershipService {
 	public async getRoomMembershipAuthorizable(roomId: EntityId): Promise<RoomMembershipAuthorizable> {
 		const roomMembership = await this.roomMembershipRepo.findByRoomId(roomId);
 		if (roomMembership === null) {
-			return new RoomMembershipAuthorizable(roomId, []);
+			const room = await this.roomService.getSingleRoom(roomId);
+			return new RoomMembershipAuthorizable(roomId, [], room.schoolId);
 		}
 		const group = await this.groupService.findById(roomMembership.userGroupId);
 		const roleSet = await this.roleService.findByIds(group.users.map((groupUser) => groupUser.roleId));
@@ -144,7 +146,7 @@ export class RoomMembershipService {
 			};
 		});
 
-		const roomMembershipAuthorizable = new RoomMembershipAuthorizable(roomId, members);
+		const roomMembershipAuthorizable = new RoomMembershipAuthorizable(roomId, members, roomMembership.schoolId);
 
 		return roomMembershipAuthorizable;
 	}