feat: support parent-based areaRestrictions in config for areas.json

config/local.example.json

@@ -90,11 +90,13 @@
     "areaRestrictions": [
       {
         "roles": [],
-        "areas": []
+        "areas": [],
+        "parent": []
       },
       {
         "roles": [],
-        "areas": []
+        "areas": [],
+        "parent": []
       }
     ],
     "aliases": [

packages/config/lib/mutations.js

@@ -307,9 +307,10 @@ const applyMutations = (config) => {
   })
 
   config.authentication.areaRestrictions =
-    config.authentication.areaRestrictions.map(({ roles, areas }) => ({
+    config.authentication.areaRestrictions.map(({ roles, areas, parent }) => ({
       roles: roles.flatMap(replaceAliases),
       areas,
+      parent,
     }))
 
   config.authentication.strategies = config.authentication.strategies.map(

packages/types/lib/config.d.ts

@@ -53,7 +53,7 @@ export type Config<Client extends boolean = false> = DeepMerge<
     }
     areas: ConfigAreas
     authentication: {
-      areaRestrictions: { roles: string[]; areas: string[] }[]
+      areaRestrictions: { roles: string[]; areas: string[]; parent?: string[] }[]
       // Unfortunately these types are not convenient for looping the `perms` object...
       // excludeFromTutorial: (keyof BaseConfig['authentication']['perms'])[]
       // alwaysEnabledPerms: (keyof BaseConfig['authentication']['perms'])[]

server/src/graphql/resolvers.js

@@ -18,6 +18,10 @@ const { getPolyVector } = require('../utils/getPolyVector')
 const { getPlacementCells } = require('../utils/getPlacementCells')
 const { getTypeCells } = require('../utils/getTypeCells')
 const { getValidCoords } = require('../utils/getValidCoords')
+const { hasUnrestrictedAreaGrant } = require('../utils/areaPerms')
+const {
+  getAccessibleScanAreasMenu,
+} = require('../utils/getAccessibleScanAreasMenu')
 
 /** @type {import("@apollo/server").ApolloServerOptions<import("@rm/types").GqlContext>['resolvers']} */
 const resolvers = {
@@ -355,54 +359,47 @@ const resolvers = {
     scanAreas: (_, _args, { req, perms }) => {
       if (perms?.scanAreas) {
         const scanAreas = config.getAreas(req, 'scanAreas')
+        const unrestrictedAreaGrant = hasUnrestrictedAreaGrant(
+          perms.areaRestrictions,
+        )
+        const parentKeyByName = Object.fromEntries(
+          scanAreas.features
+            .filter(
+              (feature) =>
+                !feature.properties.parent &&
+                feature.properties.name &&
+                feature.properties.key,
+            )
+            .map((feature) => [
+              feature.properties.name,
+              feature.properties.key,
+            ]),
+        )
+        const canAccessArea = (properties) =>
+          unrestrictedAreaGrant ||
+          !perms.areaRestrictions.length ||
+          perms.areaRestrictions.includes(properties.key) ||
+          perms.areaRestrictions.includes(properties.name) ||
+          (!!properties.parent &&
+            (perms.areaRestrictions.includes(
+              parentKeyByName[properties.parent],
+            ) ||
+              perms.areaRestrictions.includes(properties.parent)))
+
         return [
           {
             ...scanAreas,
             features: scanAreas.features.filter(
               (feature) =>
-                !feature.properties.hidden &&
-                (!perms.areaRestrictions.length ||
-                  perms.areaRestrictions.includes(feature.properties.name) ||
-                  perms.areaRestrictions.includes(feature.properties.parent)),
+                !feature.properties.hidden && canAccessArea(feature.properties),
             ),
           },
         ]
       }
       return [{ features: [] }]
     },
-    scanAreasMenu: (_, _args, { req, perms }) => {
-      if (perms?.scanAreas) {
-        const scanAreas = config.getAreas(req, 'scanAreasMenu')
-        if (perms.areaRestrictions.length) {
-          const filtered = scanAreas
-            .map((parent) => ({
-              ...parent,
-              children: perms.areaRestrictions.includes(parent.name)
-                ? parent.children
-                : parent.children.filter((child) =>
-                    perms.areaRestrictions.includes(child.properties.name),
-                  ),
-            }))
-            .filter((parent) => parent.children.length)
-
-          // // Adds new blanks to account for area restrictions trimming some
-          // filtered.forEach(({ children }) => {
-          //   if (children.length % 2 === 1) {
-          //     children.push({
-          //       type: 'Feature',
-          //       properties: {
-          //         name: '',
-          //         manual: !!config.getSafe('manualAreas.length'),
-          //       },
-          //     })
-          //   }
-          // })
-          return filtered
-        }
-        return scanAreas.filter((parent) => parent.children.length)
-      }
-      return []
-    },
+    scanAreasMenu: (_, _args, { req, perms }) =>
+      getAccessibleScanAreasMenu(req, perms),
     scannerConfig: (_, { mode }, { perms }) => {
       const scanner = config.getSafe('scanner')
       const modeConfig = scanner[mode]

server/src/middleware/apollo.js

@@ -7,6 +7,7 @@ const { parse } = require('graphql')
 const { state } = require('../services/state')
 const { version } = require('../../../package.json')
 const { DataLimitCheck } = require('../services/DataLimitCheck')
+const { normalizeAreaRestrictions } = require('../utils/areaPerms')
 
 /**
  *
@@ -16,7 +17,16 @@ const { DataLimitCheck } = require('../services/DataLimitCheck')
 function apolloMiddleware(server) {
   return expressMiddleware(server, {
     context: async ({ req, res }) => {
-      const perms = req.user ? req.user.perms : req.session.perms
+      const rawPerms = req.user ? req.user.perms : req.session.perms
+      const perms = rawPerms
+        ? {
+            ...rawPerms,
+            areaRestrictions: normalizeAreaRestrictions(
+              rawPerms.areaRestrictions || [],
+              req,
+            ),
+          }
+        : rawPerms
       const username = req?.user?.username || ''
       const id = req?.user?.id || 0
 

server/src/middleware/passport.js

@@ -1,6 +1,7 @@
 // @ts-check
 
 const passport = require('passport')
+const { normalizeAreaRestrictions } = require('../utils/areaPerms')
 
 /**
  *
@@ -16,6 +17,12 @@ passport.serializeUser(async (user, done) => {
 })
 
 passport.deserializeUser(async (user, done) => {
+  if (Array.isArray(user?.perms?.areaRestrictions)) {
+    user.perms.areaRestrictions = normalizeAreaRestrictions(
+      user.perms.areaRestrictions,
+    )
+  }
+
   if (user.perms.map) {
     done(null, user)
   } else {

server/src/models/Weather.js

@@ -8,6 +8,8 @@ const config = require('@rm/config')
 
 const { getPolyVector } = require('../utils/getPolyVector')
 const { getPolygonBbox } = require('../utils/getBbox')
+const { consolidateAreas } = require('../utils/consolidateAreas')
+const { hasUnrestrictedAreaGrant } = require('../utils/areaPerms')
 
 class Weather extends Model {
   static get tableName() {
@@ -42,14 +44,24 @@ class Weather extends Model {
     const results = await query
 
     const areas = config.getSafe('areas')
-    const cleanUserAreas = (args.filters.onlyAreas || []).filter((area) =>
-      areas.names.has(area),
+    const unrestrictedAreaGrant = hasUnrestrictedAreaGrant(
+      perms.areaRestrictions,
     )
-    const merged = perms.areaRestrictions.length
-      ? perms.areaRestrictions.filter(
-          (area) => !cleanUserAreas.length || cleanUserAreas.includes(area),
-        )
-      : cleanUserAreas
+    const hasAreaFilter =
+      (!unrestrictedAreaGrant && perms.areaRestrictions.length) ||
+      (args.filters.onlyAreas || []).length
+    const merged = hasAreaFilter
+      ? [
+          ...consolidateAreas(
+            unrestrictedAreaGrant ? [] : perms.areaRestrictions,
+            args.filters.onlyAreas,
+          ),
+        ]
+      : []
+
+    if (hasAreaFilter && !merged.length) {
+      return []
+    }
 
     const boundPolygon = getPolygonBbox(args)
     return results
@@ -61,7 +73,7 @@ class Weather extends Model {
           (pointInPolygon(center, boundPolygon) ||
             booleanOverlap(geojson, boundPolygon) ||
             booleanContains(geojson, boundPolygon)) &&
-          (!merged.length ||
+          (!hasAreaFilter ||
             merged.some(
               (area) =>
                 areas.scanAreasObj[area] &&

server/src/routes/rootRouter.js

@@ -140,7 +140,7 @@ rootRouter.get('/api/settings', async (req, res, next) => {
         ...Object.fromEntries(
           Object.keys(authentication.perms).map((p) => [p, false]),
         ),
-        areaRestrictions: areaPerms(['none']),
+        areaRestrictions: areaPerms(['none'], req, true),
         webhooks: [],
         scanner: Object.keys(scanner).filter(
           (key) =>

server/src/services/DiscordClient.js

@@ -6,7 +6,7 @@ const passport = require('passport')
 const config = require('@rm/config')
 
 const { logUserAuth } = require('./logUserAuth')
-const { areaPerms } = require('../utils/areaPerms')
+const { resolveAreaPerms } = require('../utils/areaPerms')
 const { webhookPerms } = require('../utils/webhookPerms')
 const { scannerPerms, scannerCooldownBypass } = require('../utils/scannerPerms')
 const { mergePerms } = require('../utils/mergePerms')
@@ -125,9 +125,10 @@ class DiscordClient extends AuthClient {
   /**
    *
    * @param {import('passport-discord').Profile} user
+   * @param {import('express').Request} req
    * @returns {Promise<import("@rm/types").Permissions>}
    */
-  async getPerms(user) {
+  async getPerms(user, req) {
     const trialActive = this.trialManager.active()
     /** @type {import("@rm/types").Permissions} */
     // @ts-ignore
@@ -205,7 +206,8 @@ class DiscordClient extends AuthClient {
                   }
                 }
               })
-              areaPerms(userRoles).forEach((x) =>
+              const guildAreaPerms = resolveAreaPerms(userRoles, req, true)
+              guildAreaPerms.areaRestrictions.forEach((x) =>
                 permSets.areaRestrictions.add(x),
               )
               webhookPerms(userRoles, 'discordRoles', trialActive).forEach(
@@ -278,7 +280,7 @@ class DiscordClient extends AuthClient {
         username: profile.username,
         avatar: profile.avatar || '',
         locale: profile.locale,
-        perms: await this.getPerms(profile),
+        perms: await this.getPerms(profile, req),
         rmStrategy: this.rmStrategy,
         valid: false,
       }

server/src/services/LocalClient.js

@@ -35,7 +35,7 @@ class LocalClient extends AuthClient {
   }
 
   /** @type {import('passport-local').VerifyFunctionWithRequest} */
-  async authHandler(_req, username, password, done) {
+  async authHandler(req, username, password, done) {
     const forceTutorial = config.getSafe('map.misc.forceTutorial')
     const trialActive = this.trialManager.active()
     const localPerms = Object.keys(this.perms).filter((key) =>
@@ -44,7 +44,7 @@ class LocalClient extends AuthClient {
     const user = {
       perms: /** @type {import('@rm/types').Permissions} */ ({
         ...Object.fromEntries(Object.keys(this.perms).map((x) => [x, false])),
-        areaRestrictions: areaPerms(localPerms),
+        areaRestrictions: areaPerms(localPerms, req, true),
         webhooks: [],
         scanner: [],
         scannerCooldownBypass: [],

server/src/services/TelegramClient.js

@@ -62,9 +62,10 @@ class TelegramClient extends AuthClient {
    *
    * @param {TGUser} user
    * @param {string[]} groups
+   * @param {import('express').Request} req
    * @returns {TGUser & { perms: import("@rm/types").Permissions }}
    */
-  getUserPerms(user, groups) {
+  getUserPerms(user, groups, req) {
     const trialActive = this.trialManager.active()
     let gainedAccessViaTrial = false
 
@@ -99,7 +100,7 @@ class TelegramClient extends AuthClient {
         ...perms,
         trial: gainedAccessViaTrial,
         admin: false,
-        areaRestrictions: areaPerms(groups),
+        areaRestrictions: areaPerms(groups, req, true),
         webhooks: webhookPerms(groups, 'telegramGroups', trialActive),
         scanner: scannerPerms(groups, 'telegramGroups', trialActive),
         scannerCooldownBypass: scannerCooldownBypass(groups, 'telegramGroups'),
@@ -124,7 +125,7 @@ class TelegramClient extends AuthClient {
   async authHandler(req, profile, done) {
     const baseUser = { ...profile, rmStrategy: this.rmStrategy }
     const groups = await this.getUserGroups(baseUser)
-    const user = this.getUserPerms(baseUser, groups)
+    const user = this.getUserPerms(baseUser, groups, req)
 
     if (!user.perms.map) {
       this.log.warn(user.username, 'was not given map perms')

server/src/services/logUserAuth.js

@@ -1,6 +1,10 @@
 // @ts-check
 const { default: fetch } = require('node-fetch')
 const { log, TAGS } = require('@rm/logger')
+const {
+  getPublicAreaRestrictions,
+  normalizeAreaRestrictions,
+} = require('../utils/areaPerms')
 
 // PII fields inside getAuthInfo embed
 const PII_FIELDS = [
@@ -155,16 +159,19 @@ async function logUserAuth(req, user, strategy = 'custom', hidePii = false) {
     ],
     timestamp: new Date().toISOString(),
   }
-  if (user.perms.areaRestrictions.length) {
-    const trimmed = user.perms.areaRestrictions
+  const publicAreaRestrictions = getPublicAreaRestrictions(
+    normalizeAreaRestrictions(user.perms.areaRestrictions || [], req),
+  )
+  if (publicAreaRestrictions.length) {
+    const trimmed = publicAreaRestrictions
       .filter((_f, i) => i < 15)
       .map((f) => capCamel(f))
       .join('\n')
     embed.fields.push({
-      name: `(${user.perms.areaRestrictions.length}) Area Restrictions`,
+      name: `(${publicAreaRestrictions.length}) Area Restrictions`,
       value:
-        user.perms.areaRestrictions.length > 15
-          ? `${trimmed}\n...${user.perms.areaRestrictions.length - 15} more`
+        publicAreaRestrictions.length > 15
+          ? `${trimmed}\n...${publicAreaRestrictions.length - 15} more`
           : trimmed,
       inline: true,
     })