feat(perm): central permission registry + key validation in linter

- backend/src/permissions/registry.js: single source of truth (PERMISSIONS map) with all 24 keys (16 teacher + 8 student, student keys also cover free_student). Exports isKnown(), listKeys(), byRole(), buildDefaultsMap(). - auth.js: PERM_DEFAULTS now sourced from registry.buildDefaultsMap(); new perm() helper validates key at registration time (crashes early on typos). requirePermission() unchanged — backward compat preserved. - permissionsController.js: ALL_PERMISSIONS now built from registry.byRole(); inline 24-entry array removed. API response shape unchanged. - check-route-auth.js: validates every requirePermission/perm call key against registry; lists unknown keys as errors before exit. perm() added to GUARDS list so it counts as route protection. Discrepancy noted: auth.js had free_student with same 8 keys as student; permissionsController never seeded free_student rows. Registry documents this via roles:[] array; buildDefaultsMap() correctly covers free_student. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:22:18 +03:00
parent 539d33df31
commit 76883b569c
4 changed files with 247 additions and 217 deletions
@@ -1,47 +1,9 @@
-const jwt = require('jsonwebtoken');
-const db  = require('../db/db');
+const jwt      = require('jsonwebtoken');
+const db       = require('../db/db');
+const registry = require('../permissions/registry');

-/* ── Default values for role_permissions (mirrors permissionsController) ── */
-const PERM_DEFAULTS = {
-  teacher: {
-    'questions.manage':     false,
-    'questions.delete':     false,
-    'students.invite':      false,
-    'sessions.reset':       true,
-    'results.export':       true,
-    'classes.manage':       true,
-    'library.upload':       true,
-    'library.folders':      true,
-    'schedule.manage':      true,
-    'announcements.send':   true,
-    'templates.manage':     true,
-    'templates.public':     false,
-    'courses.manage':       true,
-    'courses.interactive':  true,
-    'shop.manage':          false,
-    'gamification.manage':  false,
-  },
-  student: {
-    'tests.free':              true,
-    'board.post':              true,
-    'profile.edit':            true,
-    'shop.purchase':           true,
-    'gamification.challenges': true,
-    'theory.access':           true,
-    'simulations.access':      true,
-    'simulations.quiz':        true,
-  },
-  free_student: {
-    'tests.free':              true,
-    'board.post':              true,
-    'profile.edit':            true,
-    'shop.purchase':           true,
-    'gamification.challenges': true,
-    'theory.access':           true,
-    'simulations.access':      true,
-    'simulations.quiz':        true,
-  },
-};
+/* ── Default values for role_permissions — sourced from central registry ── */
+const PERM_DEFAULTS = registry.buildDefaultsMap();

 function authMiddleware(req, res, next) {
  const header = req.headers.authorization;
@@ -134,6 +96,18 @@ function parentAuth(req, res, next) {
 /* Alias: requireAuth = authMiddleware */
 const requireAuth = authMiddleware;

+/**
+ * perm(key) — ergonomic alias for requirePermission(key).
+ * Throws at module-load time if `key` is not in the registry,
+ * so typos are caught at startup rather than at runtime.
+ */
+function perm(key) {
+  if (!registry.isKnown(key)) {
+    throw new Error(`[auth] Unknown permission key: "${key}". Add it to backend/src/permissions/registry.js`);
+  }
+  return requirePermission(key);
+}
+
 /* optionalAuth: попытаться установить req.user, но не блокировать при отсутствии токена */
 function optionalAuth(req, res, next) {
  const header = req.headers.authorization || '';
@@ -151,4 +125,4 @@ function optionalAuth(req, res, next) {
  next();
 }

-module.exports = { authMiddleware, requireAuth, optionalAuth, requireRole, requirePermission, parentAuth };
+module.exports = { authMiddleware, requireAuth, optionalAuth, requireRole, requirePermission, perm, parentAuth };