refactor(core): Move more code into @n8n/permissions. Add aditional tests and docs (no-changelog) (#15062)

Co-authored-by: Danny Martini <danny@n8n.io>

Author: netroy

packages/@n8n/api-types/src/index.ts

@@ -18,7 +18,6 @@ export { passwordSchema } from './schemas/password.schema';
 export type {
 	ProjectType,
 	ProjectIcon,
-	ProjectRole,
 	ProjectRelation,
 } from './schemas/project.schema';
 

packages/@n8n/api-types/src/schemas/__tests__/project.schema.test.ts

@@ -2,7 +2,6 @@ import {
 	projectNameSchema,
 	projectTypeSchema,
 	projectIconSchema,
-	projectRoleSchema,
 	projectRelationSchema,
 } from '../project.schema';
 
@@ -57,19 +56,6 @@ describe('project.schema', () => {
 		});
 	});
 
-	describe('projectRoleSchema', () => {
-		test.each([
-			{ name: 'valid role: project:personalOwner', value: 'project:personalOwner', expected: true },
-			{ name: 'valid role: project:admin', value: 'project:admin', expected: true },
-			{ name: 'valid role: project:editor', value: 'project:editor', expected: true },
-			{ name: 'valid role: project:viewer', value: 'project:viewer', expected: true },
-			{ name: 'invalid role', value: 'invalid-role', expected: false },
-		])('should validate $name', ({ value, expected }) => {
-			const result = projectRoleSchema.safeParse(value);
-			expect(result.success).toBe(expected);
-		});
-	});
-
 	describe('projectRelationSchema', () => {
 		test.each([
 			{

packages/@n8n/api-types/src/schemas/project.schema.ts

@@ -1,3 +1,4 @@
+import { projectRoleSchema } from '@n8n/permissions';
 import { z } from 'zod';
 
 export const projectNameSchema = z.string().min(1).max(255);
@@ -11,14 +12,6 @@ export const projectIconSchema = z.object({
 });
 export type ProjectIcon = z.infer<typeof projectIconSchema>;
 
-export const projectRoleSchema = z.enum([
-	'project:personalOwner', // personalOwner is only used for personal projects
-	'project:admin',
-	'project:editor',
-	'project:viewer',
-]);
-export type ProjectRole = z.infer<typeof projectRoleSchema>;
-
 export const projectRelationSchema = z.object({
 	userId: z.string(),
 	role: projectRoleSchema,

packages/@n8n/api-types/tsconfig.build.json

@@ -7,5 +7,5 @@
 		"tsBuildInfoFile": "dist/build.tsbuildinfo"
 	},
 	"include": ["src/**/*.ts"],
-	"exclude": ["test/**", "src/**/__tests__/**"]
+	"exclude": ["src/**/__tests__/**"]
 }

packages/@n8n/api-types/tsconfig.json

@@ -6,5 +6,10 @@
 		"baseUrl": "src",
 		"tsBuildInfoFile": "dist/typecheck.tsbuildinfo"
 	},
-	"include": ["src/**/*.ts", "test/**/*.ts"]
+	"include": ["src/**/*.ts"],
+	"references": [
+		{ "path": "../../workflow/tsconfig.build.json" },
+		{ "path": "../config/tsconfig.build.json" },
+		{ "path": "../permissions/tsconfig.build.json" }
+	]
 }

packages/@n8n/db/src/entities/project-relation.ts

@@ -1,3 +1,4 @@
+import { ProjectRole } from '@n8n/permissions';
 import { Column, Entity, ManyToOne, PrimaryColumn } from '@n8n/typeorm';
 
 import { WithTimestamps } from './abstract-entity';
@@ -7,7 +8,7 @@ import { User } from './user';
 @Entity()
 export class ProjectRelation extends WithTimestamps {
 	@Column({ type: 'varchar' })
-	role: 'project:personalOwner' | 'project:admin' | 'project:editor' | 'project:viewer';
+	role: ProjectRole;
 
 	@ManyToOne('User', 'projectRelations')
 	user: User;

packages/@n8n/db/src/entities/shared-credentials.ts

@@ -1,13 +1,13 @@
+import { CredentialSharingRole } from '@n8n/permissions';
 import { Column, Entity, ManyToOne, PrimaryColumn } from '@n8n/typeorm';
 
 import { WithTimestamps } from './abstract-entity';
 import { CredentialsEntity } from './credentials-entity';
 import { Project } from './project';
-import { CredentialSharingRole } from './types-db';
 
 @Entity()
 export class SharedCredentials extends WithTimestamps {
-	@Column()
+	@Column({ type: 'varchar' })
 	role: CredentialSharingRole;
 
 	@ManyToOne('CredentialsEntity', 'shared')

packages/@n8n/db/src/entities/shared-workflow.ts

@@ -1,13 +1,13 @@
+import { WorkflowSharingRole } from '@n8n/permissions';
 import { Column, Entity, ManyToOne, PrimaryColumn } from '@n8n/typeorm';
 
 import { WithTimestamps } from './abstract-entity';
 import { Project } from './project';
-import { WorkflowSharingRole } from './types-db';
 import { WorkflowEntity } from './workflow-entity';
 
 @Entity()
 export class SharedWorkflow extends WithTimestamps {
-	@Column()
+	@Column({ type: 'varchar' })
 	role: WorkflowSharingRole;
 
 	@ManyToOne('WorkflowEntity', 'shared')

packages/@n8n/db/src/entities/types-db.ts

@@ -269,10 +269,6 @@ export const enum StatisticsNames {
 	dataLoaded = 'data_loaded',
 }
 
-export type CredentialSharingRole = 'credential:owner' | 'credential:user';
-
-export type WorkflowSharingRole = 'workflow:owner' | 'workflow:editor';
-
 export type AuthProviderType = 'ldap' | 'email' | 'saml'; // | 'google';
 
 export type FolderWithWorkflowAndSubFolderCount = Folder & {

packages/@n8n/db/src/entities/user.ts

@@ -1,5 +1,5 @@
-import { hasScope, type ScopeOptions, type Scope, GlobalRole } from '@n8n/permissions';
-import { GLOBAL_OWNER_SCOPES, GLOBAL_MEMBER_SCOPES, GLOBAL_ADMIN_SCOPES } from '@n8n/permissions';
+import type { AuthPrincipal } from '@n8n/permissions';
+import { GlobalRole } from '@n8n/permissions';
 import {
 	AfterLoad,
 	AfterUpdate,
@@ -25,14 +25,8 @@ import { lowerCaser, objectRetriever } from '../utils/transformers';
 import { NoUrl } from '../utils/validators/no-url.validator';
 import { NoXss } from '../utils/validators/no-xss.validator';
 
-const STATIC_SCOPE_MAP: Record<GlobalRole, Scope[]> = {
-	'global:owner': GLOBAL_OWNER_SCOPES,
-	'global:member': GLOBAL_MEMBER_SCOPES,
-	'global:admin': GLOBAL_ADMIN_SCOPES,
-};
-
 @Entity()
-export class User extends WithTimestamps implements IUser {
+export class User extends WithTimestamps implements IUser, AuthPrincipal {
 	@PrimaryGeneratedColumn('uuid')
 	id: string;
 
@@ -113,31 +107,6 @@ export class User extends WithTimestamps implements IUser {
 		this.isPending = this.password === null && this.role !== 'global:owner';
 	}
 
-	/**
-	 * Whether the user is instance owner
-	 */
-	isOwner: boolean;
-
-	@AfterLoad()
-	computeIsOwner(): void {
-		this.isOwner = this.role === 'global:owner';
-	}
-
-	get globalScopes() {
-		return STATIC_SCOPE_MAP[this.role] ?? [];
-	}
-
-	hasGlobalScope(scope: Scope | Scope[], scopeOptions?: ScopeOptions): boolean {
-		return hasScope(
-			scope,
-			{
-				global: this.globalScopes,
-			},
-			undefined,
-			scopeOptions,
-		);
-	}
-
 	toJSON() {
 		const { password, ...rest } = this;
 		return rest;

packages/@n8n/db/tsconfig.json

@@ -11,5 +11,12 @@
 		// remove all options below this line
 		"strictPropertyInitialization": false
 	},
-	"include": ["src/**/*.ts"]
+	"include": ["src/**/*.ts"],
+	"references": [
+		{ "path": "../../core/tsconfig.build.json" },
+		{ "path": "../../workflow/tsconfig.build.json" },
+		{ "path": "../config/tsconfig.build.json" },
+		{ "path": "../di/tsconfig.build.json" },
+		{ "path": "../permissions/tsconfig.build.json" }
+	]
 }

packages/@n8n/decorators/tsconfig.json

@@ -8,5 +8,11 @@
 		"experimentalDecorators": true,
 		"emitDecoratorMetadata": true
 	},
-	"include": ["src/**/*.ts"]
+	"include": ["src/**/*.ts"],
+	"references": [
+		{ "path": "../../workflow/tsconfig.build.json" },
+		{ "path": "../constants/tsconfig.build.json" },
+		{ "path": "../di/tsconfig.build.json" },
+		{ "path": "../permissions/tsconfig.build.json" }
+	]
 }

packages/@n8n/permissions/package.json

@@ -20,6 +20,9 @@
   "files": [
     "dist/**/*"
   ],
+  "dependencies": {
+    "zod": "catalog:"
+  },
   "devDependencies": {
     "@n8n/typescript-config": "workspace:*"
   }

packages/@n8n/permissions/src/__tests__/schemas.test.ts

@@ -0,0 +1,93 @@
+import {
+	roleNamespaceSchema,
+	globalRoleSchema,
+	assignableGlobalRoleSchema,
+	projectRoleSchema,
+	credentialSharingRoleSchema,
+	workflowSharingRoleSchema,
+} from '../schemas.ee';
+
+describe('roleNamespaceSchema', () => {
+	test.each([
+		{ name: 'valid namespace: global', value: 'global', expected: true },
+		{ name: 'valid namespace: project', value: 'project', expected: true },
+		{ name: 'valid namespace: credential', value: 'credential', expected: true },
+		{ name: 'valid namespace: workflow', value: 'workflow', expected: true },
+		{ name: 'invalid namespace', value: 'invalid-namespace', expected: false },
+		{ name: 'numeric value', value: 123, expected: false },
+		{ name: 'null value', value: null, expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = roleNamespaceSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});
+
+describe('globalRoleSchema', () => {
+	test.each([
+		{ name: 'valid role: global:owner', value: 'global:owner', expected: true },
+		{ name: 'valid role: global:admin', value: 'global:admin', expected: true },
+		{ name: 'valid role: global:member', value: 'global:member', expected: true },
+		{ name: 'invalid role', value: 'global:invalid', expected: false },
+		{ name: 'invalid prefix', value: 'invalid:admin', expected: false },
+		{ name: 'empty string', value: '', expected: false },
+		{ name: 'undefined value', value: undefined, expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = globalRoleSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});
+
+describe('assignableGlobalRoleSchema', () => {
+	test.each([
+		{ name: 'excluded role: global:owner', value: 'global:owner', expected: false },
+		{ name: 'valid role: global:admin', value: 'global:admin', expected: true },
+		{ name: 'valid role: global:member', value: 'global:member', expected: true },
+		{ name: 'invalid role', value: 'global:invalid', expected: false },
+		{ name: 'invalid prefix', value: 'invalid:admin', expected: false },
+		{ name: 'object value', value: {}, expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = assignableGlobalRoleSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});
+
+describe('projectRoleSchema', () => {
+	test.each([
+		{ name: 'valid role: project:personalOwner', value: 'project:personalOwner', expected: true },
+		{ name: 'valid role: project:admin', value: 'project:admin', expected: true },
+		{ name: 'valid role: project:editor', value: 'project:editor', expected: true },
+		{ name: 'valid role: project:viewer', value: 'project:viewer', expected: true },
+		{ name: 'invalid role', value: 'invalid-role', expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = projectRoleSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});
+
+describe('credentialSharingRoleSchema', () => {
+	test.each([
+		{ name: 'valid role: credential:owner', value: 'credential:owner', expected: true },
+		{ name: 'valid role: credential:user', value: 'credential:user', expected: true },
+		{ name: 'invalid role', value: 'credential:admin', expected: false },
+		{ name: 'invalid prefix', value: 'cred:owner', expected: false },
+		{ name: 'boolean value', value: true, expected: false },
+		{ name: 'array value', value: ['credential:owner'], expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = credentialSharingRoleSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});
+
+describe('workflowSharingRoleSchema', () => {
+	test.each([
+		{ name: 'valid role: workflow:owner', value: 'workflow:owner', expected: true },
+		{ name: 'valid role: workflow:editor', value: 'workflow:editor', expected: true },
+		{ name: 'invalid role', value: 'workflow:viewer', expected: false },
+		{ name: 'invalid prefix', value: 'work:owner', expected: false },
+		{ name: 'undefined value', value: undefined, expected: false },
+		{ name: 'empty string', value: '', expected: false },
+	])('should validate $name', ({ value, expected }) => {
+		const result = workflowSharingRoleSchema.safeParse(value);
+		expect(result.success).toBe(expected);
+	});
+});