Add back-end support for conversations RBAC

app/api/conversations/[conversationId]/route.ts

@@ -4,7 +4,9 @@ import { z } from 'zod';
 import { conversationService } from '~/lib/services/conversationService';
 import { logger } from '~/utils/logger';
 import { StorageServiceFactory } from '~/lib/services/storage/storage-service-factory';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
+import { PermissionAction } from '@prisma/client';
+import { subject } from '@casl/ability';
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ conversationId: string }> }) {
   const { conversationId } = await params;
@@ -13,11 +15,15 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
 
   try {
-    const conversation = await prisma.conversation.findUnique({
-      where: { id: conversationId, userId },
+    if (userAbility.cannot(PermissionAction.read, subject('Conversation', { id: conversationId }))) {
+      return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+    }
+
+    const conversationWithMessages = await prisma.conversation.findUnique({
+      where: { id: conversationId },
       include: {
         messages: {
           include: {
@@ -34,11 +40,11 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       },
     });
 
-    if (!conversation) {
+    if (!conversationWithMessages) {
       return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
     }
 
-    return NextResponse.json(conversation);
+    return NextResponse.json(conversationWithMessages);
   } catch (error) {
     logger.error('Error fetching conversation:', error);
     return NextResponse.json(
@@ -57,9 +63,13 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
+
+  if (userAbility.cannot(PermissionAction.delete, subject('Conversation', { id: conversationId }))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
 
-  return handleDelete(conversationId, userId);
+  return handleDelete(conversationId);
 }
 
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ conversationId: string }> }) {
@@ -69,17 +79,18 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
+
+  if (userAbility.cannot(PermissionAction.update, subject('Conversation', { id: conversationId }))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
 
-  return handlePatch(conversationId, userId, request);
+  return handlePatch(conversationId, request);
 }
 
-async function handleDelete(conversationId: string, userId: string) {
+async function handleDelete(conversationId: string) {
   try {
-    const conversation = await prisma.conversation.findUnique({
-      where: { id: conversationId, userId },
-      select: { id: true },
-    });
+    const conversation = await conversationService.getConversation(conversationId);
 
     if (!conversation) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 });
@@ -89,7 +100,7 @@ async function handleDelete(conversationId: string, userId: string) {
 
     logger.info(`Deleting conversation ${conversationId}`);
 
-    await conversationService.deleteConversation(conversationId, userId);
+    await conversationService.deleteConversation(conversationId);
     await storageService.deleteAll(`snapshots/${conversationId}`);
 
     logger.info(`Deleted conversation ${conversationId}`);
@@ -112,12 +123,12 @@ const UPDATE_CONVERSATION_SCHEMA = z.object({
   dataSourceId: z.string().optional(),
 });
 
-async function handlePatch(conversationId: string, userId: string, request: NextRequest) {
+async function handlePatch(conversationId: string, request: NextRequest) {
   try {
     const body = await request.json();
     const updateData = UPDATE_CONVERSATION_SCHEMA.parse(body);
 
-    const updatedConversation = await conversationService.updateConversation(conversationId, userId, updateData);
+    const updatedConversation = await conversationService.updateConversation(conversationId, updateData);
 
     if (!updatedConversation) {
       return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });

app/api/conversations/[conversationId]/snapshots/[id]/rewind/route.ts

@@ -4,10 +4,13 @@ import { snapshotService } from '~/lib/services/snapshotService';
 import { prisma } from '~/lib/prisma';
 import { logger } from '~/utils/logger';
 import { messageService } from '~/lib/services/messageService';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
 import { getTelemetry } from '~/lib/telemetry/telemetry-manager';
 import { TelemetryEventType } from '~/lib/telemetry/telemetry-types';
 import { userService } from '~/lib/services/userService';
+import { PermissionAction, Prisma } from '@prisma/client';
+import { subject } from '@casl/ability';
+import { buildResourceWhereClause } from '~/lib/casl/prisma-helpers';
 
 export async function POST(
   request: NextRequest,
@@ -19,10 +22,16 @@ export async function POST(
     return NextResponse.json({ error: 'Invalid request' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility, userId } = await requireUserAbility(request);
+
+  if (userAbility.cannot(PermissionAction.update, subject('Conversation', { id: conversationId }))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
+
+  const permissionWhere = buildResourceWhereClause<'Conversation'>(userAbility, PermissionAction.read, 'Conversation');
 
   const conversation = await prisma.conversation.findUnique({
-    where: { id: conversationId, userId },
+    where: permissionWhere as Prisma.ConversationWhereUniqueInput,
     include: {
       messages: {
         select: {

app/api/conversations/[conversationId]/snapshots/[id]/route.ts

@@ -1,9 +1,10 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { conversationService } from '~/lib/services/conversationService';
 import { StorageServiceFactory } from '~/lib/services/storage/storage-service-factory';
 import { snapshotService } from '~/lib/services/snapshotService';
 import { logger } from '~/utils/logger';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
+import { PermissionAction } from '@prisma/client';
+import { subject } from '@casl/ability';
 
 export async function GET(
   request: NextRequest,
@@ -15,17 +16,10 @@ export async function GET(
     return NextResponse.json({ error: 'Conversation ID and Snapshot ID are required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
 
-  const conversation = await conversationService.getConversation(conversationId);
-
-  if (!conversation) {
-    return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
-  }
-
-  // Check if the conversation belongs to the authenticated user
-  if (conversation.userId !== userId) {
-    return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
+  if (userAbility.cannot(PermissionAction.read, subject('Conversation', { id: conversationId }))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
   }
 
   try {

app/api/conversations/[conversationId]/snapshots/latest/route.ts

@@ -3,7 +3,9 @@ import { conversationService } from '~/lib/services/conversationService';
 import { StorageServiceFactory } from '~/lib/services/storage/storage-service-factory';
 import { snapshotService } from '~/lib/services/snapshotService';
 import { logger } from '~/utils/logger';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
+import { PermissionAction } from '@prisma/client';
+import { subject } from '@casl/ability';
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ conversationId: string }> }) {
   const { conversationId } = await params;
@@ -12,17 +14,16 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
 
   const conversation = await conversationService.getConversation(conversationId);
 
   if (!conversation) {
     return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
   }
 
-  // Check if the conversation belongs to the authenticated user
-  if (conversation.userId !== userId) {
-    return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
+  if (userAbility.cannot(PermissionAction.read, subject('Conversation', conversation))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
   }
 
   try {
@@ -58,17 +59,16 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
 
   const conversation = await conversationService.getConversation(conversationId);
 
   if (!conversation) {
     return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
   }
 
-  // Check if the conversation belongs to the authenticated user
-  if (conversation.userId !== userId) {
-    return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
+  if (userAbility.cannot(PermissionAction.update, subject('Conversation', conversation))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
   }
 
   try {

app/api/conversations/[conversationId]/snapshots/route.ts

@@ -5,8 +5,10 @@ import type { FileMap } from '~/lib/stores/files';
 import { createId } from '@paralleldrive/cuid2';
 import { snapshotService } from '~/lib/services/snapshotService';
 import { logger } from '~/utils/logger';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
 import { prisma } from '~/lib/prisma';
+import { PermissionAction } from '@prisma/client';
+import { subject } from '@casl/ability';
 
 export async function POST(request: NextRequest, { params }: { params: Promise<{ conversationId: string }> }) {
   const { conversationId } = await params;
@@ -15,17 +17,16 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: 'Conversation ID is required' }, { status: 400 });
   }
 
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
 
   const conversation = await conversationService.getConversation(conversationId);
 
   if (!conversation) {
     return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
   }
 
-  // Check if the conversation belongs to the authenticated user
-  if (conversation.userId !== userId) {
-    return NextResponse.json({ error: 'Conversation not found' }, { status: 404 });
+  if (userAbility.cannot(PermissionAction.update, subject('Conversation', conversation))) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
   }
 
   try {

app/api/conversations/route.ts

@@ -1,15 +1,20 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { conversationService } from '~/lib/services/conversationService';
 import type { Message } from '@prisma/client';
+import { PermissionAction } from '@prisma/client';
 import { snapshotService } from '~/lib/services/snapshotService';
 import { messageService } from '~/lib/services/messageService';
 import { createId } from '@paralleldrive/cuid2';
 import { logger } from '~/utils/logger';
-import { requireUserId } from '~/auth/session';
+import { requireUserAbility } from '~/auth/session';
 import { prisma } from '~/lib/prisma';
 
 export async function POST(request: NextRequest) {
-  const userId = await requireUserId(request);
+  const { userId, userAbility } = await requireUserAbility(request);
+
+  if (userAbility.cannot(PermissionAction.create, 'Conversation')) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
 
   try {
     const body = (await request.json()) as {
@@ -92,10 +97,14 @@ export async function POST(request: NextRequest) {
 }
 
 export async function GET(request: NextRequest) {
-  const userId = await requireUserId(request);
+  const { userAbility } = await requireUserAbility(request);
+
+  if (userAbility.cannot(PermissionAction.read, 'Conversation')) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
 
   try {
-    const conversations = await conversationService.getAllConversations(userId);
+    const conversations = await conversationService.getAllConversationsWithPermissions(userAbility);
     return NextResponse.json(conversations);
   } catch (error) {
     logger.error('Error fetching conversations:', error);

app/lib/casl/prisma-helpers.ts

@@ -2,7 +2,7 @@ import { Prisma, PermissionAction } from '@prisma/client';
 import { accessibleBy } from '@casl/prisma';
 import type { AppAbility } from './user-ability';
 
-export type PrismaResources = 'Environment' | 'DataSource' | 'Website' | 'EnvironmentVariable';
+export type PrismaResources = 'Environment' | 'DataSource' | 'Website' | 'EnvironmentVariable' | 'Conversation';
 
 type WhereInputForResource<T extends PrismaResources> = T extends 'DataSource'
   ? Prisma.DataSourceWhereInput
@@ -12,7 +12,9 @@ type WhereInputForResource<T extends PrismaResources> = T extends 'DataSource'
       ? Prisma.WebsiteWhereInput
       : T extends 'EnvironmentVariable'
         ? Prisma.EnvironmentVariableWhereInput
-        : never;
+        : T extends 'Conversation'
+          ? Prisma.ConversationWhereInput
+          : never;
 
 /**
  * Builds a generic Prisma WHERE clause for a given resource based on a user's abilities.

app/lib/casl/user-ability.ts

@@ -3,7 +3,7 @@ import { PureAbility, AbilityBuilder } from '@casl/ability';
 import { createPrismaAbility } from '@casl/prisma';
 import { PermissionResource, PermissionAction } from '@prisma/client';
 import type { PrismaQuery, Subjects } from '@casl/prisma';
-import type { DataSource, Environment, EnvironmentVariable, Permission, Website } from '@prisma/client';
+import type { DataSource, Environment, EnvironmentVariable, Permission, Website, Conversation } from '@prisma/client';
 import type { PrismaResources } from './prisma-helpers';
 import { getUserPermissions } from '~/lib/services/permissionService';
 import { logger } from '~/utils/logger';
@@ -19,6 +19,7 @@ type PrismaSubjects = Subjects<{
   DataSource: Partial<DataSource>;
   Website: Partial<Website>;
   EnvironmentVariable: Partial<EnvironmentVariable>;
+  Conversation: Partial<Conversation>;
 }>;
 
 type NonPrismaSubjects = Exclude<PermissionResource, PrismaResources>;
@@ -30,7 +31,7 @@ export function createAbilityForUser(userId: string, permissions: Permission[]):
   const { can, build } = new AbilityBuilder<AppAbility>(createPrismaAbility);
 
   permissions.forEach((permission) => {
-    const { action, resource, environmentId, dataSourceId, websiteId } = permission as Permission;
+    const { action, resource, environmentId, dataSourceId, websiteId, conversationId } = permission as Permission;
 
     // Handle different permission scenarios
     switch (resource) {
@@ -75,6 +76,15 @@ export function createAbilityForUser(userId: string, permissions: Permission[]):
 
         break;
 
+      case PermissionResource.Conversation:
+        if (conversationId) {
+          can(action, PermissionResource.Conversation, { id: conversationId });
+        } else {
+          can(action, PermissionResource.Conversation);
+        }
+
+        break;
+
       // Add other resource types as needed...
       default:
         logger.warn(`User ability: Unknown resource type '${resource}' for action '${action}'`);
@@ -86,6 +96,7 @@ export function createAbilityForUser(userId: string, permissions: Permission[]):
   can(PermissionAction.manage, PermissionResource.DataSource, { createdById: userId });
   can(PermissionAction.manage, PermissionResource.Website, { createdById: userId });
   can(PermissionAction.manage, PermissionResource.EnvironmentVariable, { createdById: userId });
+  can(PermissionAction.manage, PermissionResource.Conversation, { userId });
 
   return build();
 }