letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Implement admin users and roles management

Browse Source 
- Add user CRUD: list, create (via Better Auth), update role/status, remove from port
- Add role CRUD: create, update permissions, delete with system role protection
- Full permissions matrix UI with accordion groups and per-action checkboxes
- Validators, services, API routes, and UI components following existing patterns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-04-08 15:47:11 -04:00
parent a13d7503cc
commit f60159e91a
14 changed files with 1460 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
src/lib/services/roles.service.ts Normal file
View File

@@ -0,0 +1,148 @@
import { eq } from 'drizzle-orm';
import { db } from '@/lib/db';
import { roles, userPortRoles } from '@/lib/db/schema';
import type { RolePermissions } from '@/lib/db/schema/users';
import { createAuditLog } from '@/lib/audit';
import { ConflictError, NotFoundError, ValidationError } from '@/lib/errors';
import { emitToRoom } from '@/lib/socket/server';
import type { CreateRoleInput, UpdateRoleInput } from '@/lib/validators/roles';
interface AuditMeta {
userId: string;
portId: string;
ipAddress: string;
userAgent: string;
}
export async function listRoles() {
return db.select().from(roles).orderBy(roles.name);
}
export async function getRole(id: string) {
const role = await db.query.roles.findFirst({
where: eq(roles.id, id),
});
if (!role) throw new NotFoundError('Role');
return role;
}
export async function createRole(data: CreateRoleInput, meta: AuditMeta) {
// Check name uniqueness
const existing = await db.query.roles.findFirst({
where: eq(roles.name, data.name),
});
if (existing) {
throw new ConflictError(`A role named "${data.name}" already exists`);
}
const [role] = await db
.insert(roles)
.values({
name: data.name,
description: data.description ?? null,
permissions: data.permissions as RolePermissions,
})
.returning();
void createAuditLog({
userId: meta.userId,
portId: meta.portId,
action: 'create',
entityType: 'role',
entityId: role!.id,
newValue: { name: role!.name },
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${meta.portId}`, 'system:alert', {
alertType: 'role:created',
message: `Role "${role!.name}" created`,
severity: 'info',
});
return role!;
}
export async function updateRole(id: string, data: UpdateRoleInput, meta: AuditMeta) {
const role = await db.query.roles.findFirst({
where: eq(roles.id, id),
});
if (!role) throw new NotFoundError('Role');
// Check name uniqueness if changing name
if (data.name && data.name !== role.name) {
const conflict = await db.query.roles.findFirst({
where: eq(roles.name, data.name),
});
if (conflict) {
throw new ConflictError(`A role named "${data.name}" already exists`);
}
}
const updates: Record<string, unknown> = { updatedAt: new Date() };
if (data.name !== undefined) updates.name = data.name;
if (data.description !== undefined) updates.description = data.description;
if (data.permissions !== undefined) updates.permissions = data.permissions as RolePermissions;
const [updated] = await db.update(roles).set(updates).where(eq(roles.id, id)).returning();
void createAuditLog({
userId: meta.userId,
portId: meta.portId,
action: 'update',
entityType: 'role',
entityId: id,
oldValue: { name: role.name, permissions: role.permissions },
newValue: { name: updated!.name, permissions: updated!.permissions },
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${meta.portId}`, 'system:alert', {
alertType: 'role:updated',
message: `Role "${updated!.name}" updated`,
severity: 'info',
});
return updated!;
}
export async function deleteRole(id: string, meta: AuditMeta) {
const role = await db.query.roles.findFirst({
where: eq(roles.id, id),
});
if (!role) throw new NotFoundError('Role');
if (role.isSystem) {
throw new ValidationError('System roles cannot be deleted');
}
// Check if any users are assigned this role
const assignments = await db.query.userPortRoles.findFirst({
where: eq(userPortRoles.roleId, id),
});
if (assignments) {
throw new ConflictError('Cannot delete a role that is assigned to users. Reassign them first.');
}
await db.delete(roles).where(eq(roles.id, id));
void createAuditLog({
userId: meta.userId,
portId: meta.portId,
action: 'delete',
entityType: 'role',
entityId: id,
oldValue: { name: role.name },
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${meta.portId}`, 'system:alert', {
alertType: 'role:deleted',
message: `Role "${role.name}" deleted`,
severity: 'info',
});
}

243
src/lib/services/users.service.ts Normal file
View File

@@ -0,0 +1,243 @@
import { and, eq } from 'drizzle-orm';
import { db } from '@/lib/db';
import { user, userProfiles, userPortRoles, roles } from '@/lib/db/schema';
import { auth } from '@/lib/auth';
import { createAuditLog } from '@/lib/audit';
import { ConflictError, NotFoundError, ValidationError } from '@/lib/errors';
import { emitToRoom } from '@/lib/socket/server';
import type { CreateUserInput, UpdateUserInput } from '@/lib/validators/users';
interface AuditMeta {
userId: string;
portId: string;
ipAddress: string;
userAgent: string;
}
export async function listUsers(portId: string) {
const rows = await db
.select({
userId: userPortRoles.userId,
displayName: userProfiles.displayName,
email: user.email,
phone: userProfiles.phone,
isActive: userProfiles.isActive,
isSuperAdmin: userProfiles.isSuperAdmin,
lastLoginAt: userProfiles.lastLoginAt,
roleId: roles.id,
roleName: roles.name,
assignedAt: userPortRoles.createdAt,
})
.from(userPortRoles)
.innerJoin(userProfiles, eq(userPortRoles.userId, userProfiles.userId))
.innerJoin(user, eq(userPortRoles.userId, user.id))
.innerJoin(roles, eq(userPortRoles.roleId, roles.id))
.where(eq(userPortRoles.portId, portId))
.orderBy(userProfiles.displayName);
return rows.map((row) => ({
userId: row.userId,
displayName: row.displayName,
email: row.email,
phone: row.phone,
isActive: row.isActive,
isSuperAdmin: row.isSuperAdmin,
lastLoginAt: row.lastLoginAt,
role: { id: row.roleId, name: row.roleName },
assignedAt: row.assignedAt,
}));
}
export async function getUser(userId: string, portId: string) {
const profile = await db.query.userProfiles.findFirst({
where: eq(userProfiles.userId, userId),
});
if (!profile) throw new NotFoundError('User');
const authUser = await db.query.user.findFirst({
where: eq(user.id, userId),
});
const portRole = await db.query.userPortRoles.findFirst({
where: and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)),
with: { role: true },
});
if (!portRole) throw new NotFoundError('User not assigned to this port');
return {
userId: profile.userId,
displayName: profile.displayName,
email: authUser?.email ?? '',
phone: profile.phone,
isActive: profile.isActive,
isSuperAdmin: profile.isSuperAdmin,
lastLoginAt: profile.lastLoginAt,
avatarUrl: profile.avatarUrl,
preferences: profile.preferences,
role: { id: portRole.role.id, name: portRole.role.name },
createdAt: profile.createdAt,
};
}
export async function createUser(portId: string, data: CreateUserInput, meta: AuditMeta) {
// Check email uniqueness
const existingUser = await db.query.user.findFirst({
where: eq(user.email, data.email.toLowerCase()),
});
if (existingUser) {
throw new ConflictError('A user with this email already exists');
}
// Validate role exists
const role = await db.query.roles.findFirst({
where: eq(roles.id, data.roleId),
});
if (!role) throw new ValidationError('Invalid role ID');
// Create Better Auth user
const authResult = await auth.api.signUpEmail({
body: {
email: data.email.toLowerCase(),
password: data.password,
name: data.name,
},
});
const newUserId = authResult.user.id;
// Create CRM profile
await db.insert(userProfiles).values({
userId: newUserId,
displayName: data.displayName,
phone: data.phone ?? null,
});
// Assign to port with role
await db.insert(userPortRoles).values({
userId: newUserId,
portId,
roleId: data.roleId,
assignedBy: meta.userId,
});
void createAuditLog({
userId: meta.userId,
portId,
action: 'create',
entityType: 'user',
entityId: newUserId,
newValue: { email: data.email, displayName: data.displayName, role: role.name },
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${portId}`, 'system:alert', {
alertType: 'user:created',
message: `User "${data.displayName}" added`,
severity: 'info',
});
return getUser(newUserId, portId);
}
export async function updateUser(
userId: string,
portId: string,
data: UpdateUserInput,
meta: AuditMeta,
) {
const profile = await db.query.userProfiles.findFirst({
where: eq(userProfiles.userId, userId),
});
if (!profile) throw new NotFoundError('User');
const portRole = await db.query.userPortRoles.findFirst({
where: and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)),
});
if (!portRole) throw new NotFoundError('User not assigned to this port');
// Update profile fields
const profileUpdates: Record<string, unknown> = { updatedAt: new Date() };
if (data.displayName !== undefined) profileUpdates.displayName = data.displayName;
if (data.phone !== undefined) profileUpdates.phone = data.phone;
if (data.isActive !== undefined) profileUpdates.isActive = data.isActive;
if (Object.keys(profileUpdates).length > 1) {
await db.update(userProfiles).set(profileUpdates).where(eq(userProfiles.userId, userId));
}
// Update role assignment
if (data.roleId && data.roleId !== portRole.roleId) {
const newRole = await db.query.roles.findFirst({
where: eq(roles.id, data.roleId),
});
if (!newRole) throw new ValidationError('Invalid role ID');
await db
.update(userPortRoles)
.set({ roleId: data.roleId, assignedBy: meta.userId })
.where(and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)));
}
void createAuditLog({
userId: meta.userId,
portId,
action: 'update',
entityType: 'user',
entityId: userId,
oldValue: {
displayName: profile.displayName,
isActive: profile.isActive,
roleId: portRole.roleId,
},
newValue: data,
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${portId}`, 'system:alert', {
alertType: 'user:updated',
message: `User "${data.displayName ?? profile.displayName}" updated`,
severity: 'info',
});
return getUser(userId, portId);
}
export async function removeUserFromPort(userId: string, portId: string, meta: AuditMeta) {
const portRole = await db.query.userPortRoles.findFirst({
where: and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)),
});
if (!portRole) throw new NotFoundError('User not assigned to this port');
// Prevent removing yourself
if (userId === meta.userId) {
throw new ValidationError('Cannot remove yourself from the port');
}
await db
.delete(userPortRoles)
.where(and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)));
const profile = await db.query.userProfiles.findFirst({
where: eq(userProfiles.userId, userId),
});
void createAuditLog({
userId: meta.userId,
portId,
action: 'delete',
entityType: 'user',
entityId: userId,
oldValue: { displayName: profile?.displayName, roleId: portRole.roleId },
ipAddress: meta.ipAddress,
userAgent: meta.userAgent,
});
emitToRoom(`port:${portId}`, 'system:alert', {
alertType: 'user:removed',
message: `User "${profile?.displayName}" removed from port`,
severity: 'info',
});
}

35
src/lib/validators/roles.ts Normal file
View File

@@ -0,0 +1,35 @@
import { z } from 'zod';
const permissionGroupSchema = z.record(z.string(), z.boolean());
const rolePermissionsSchema = z.object({
clients: permissionGroupSchema,
interests: permissionGroupSchema,
berths: permissionGroupSchema,
documents: permissionGroupSchema,
expenses: permissionGroupSchema,
invoices: permissionGroupSchema,
files: permissionGroupSchema,
email: permissionGroupSchema,
reminders: permissionGroupSchema,
calendar: permissionGroupSchema,
reports: permissionGroupSchema,
document_templates: permissionGroupSchema,
admin: permissionGroupSchema,
});
export const createRoleSchema = z.object({
name: z.string().min(1).max(100),
description: z.string().max(500).optional(),
permissions: rolePermissionsSchema,
});
export type CreateRoleInput = z.infer<typeof createRoleSchema>;
export const updateRoleSchema = z.object({
name: z.string().min(1).max(100).optional(),
description: z.string().max(500).nullable().optional(),
permissions: rolePermissionsSchema.optional(),
});
export type UpdateRoleInput = z.infer<typeof updateRoleSchema>;

27
src/lib/validators/users.ts Normal file
View File

@@ -0,0 +1,27 @@
import { z } from 'zod';
export const createUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(200),
password: z.string().min(12),
displayName: z.string().min(1).max(200),
phone: z.string().optional(),
roleId: z.string().uuid(),
});
export type CreateUserInput = z.infer<typeof createUserSchema>;
export const updateUserSchema = z.object({
displayName: z.string().min(1).max(200).optional(),
phone: z.string().nullable().optional(),
isActive: z.boolean().optional(),
roleId: z.string().uuid().optional(),
});
export type UpdateUserInput = z.infer<typeof updateUserSchema>;
export const resetPasswordSchema = z.object({
newPassword: z.string().min(12),
});
export type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;