Move resolved_permissions to user object via toArray()

🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-13 09:04:15 +00:00
parent 6f69534047
commit bb9046af1b
6 changed files with 129 additions and 88 deletions
--- a/app/RSpade/upstream_changes/permission_resolved_01_13.txt
+++ b/app/RSpade/upstream_changes/permission_resolved_01_13.txt
@@ -3,78 +3,44 @@ Date: 2026-01-13

 SUMMARY
    The framework now provides a client-side Permission class for JavaScript
-    permission checking. This uses a new get_resolved_permissions() method on
-    User_Model that returns pre-computed permissions (role defaults with
-    supplementary grants/denies applied). The resolved permissions array is
-    automatically included in window.rsxapp.resolved_permissions.
+    permission checking. User_Model now includes resolved_permissions in its
+    toArray() output and removes role_id__permissions (which is now redundant).

-    If your application has forked User_Model, you must add the new method.
+    The resolved_permissions array contains the user's final permissions after
+    applying role defaults, supplementary grants, and supplementary denies.
+
+    If your application has forked User_Model, you must:
+    1. Add get_resolved_permissions() method
+    2. Add or update toArray() to include resolved_permissions
+    3. Update any code that checks role_id__permissions directly

 AFFECTED FILES
-    Applications with a forked User_Model (e.g., /rsx/models/user_model.php)
-    that extends the framework's User_Model need to ensure the parent class
-    method is accessible.
-
-    If your User_Model OVERRIDES has_permission(), update it to use the new
-    pattern.
+    - /rsx/models/user_model.php (if forked)
+    - Any JavaScript files checking role_id__permissions directly
+    - Any PHP files checking role_id__permissions directly

 CHANGES REQUIRED

    1. If You Have NOT Forked User_Model

-       No action required. The framework's User_Model already has the new
-       method and your application will inherit it automatically.
+       No action required. The framework's User_Model already has all new
+       methods and your application will inherit them automatically.

-    2. If You Have Forked User_Model (extends framework User_Model)
+       HOWEVER: Search your codebase for role_id__permissions usage (see
+       section 5 below).

-       Ensure your class does NOT override has_permission() or if it does,
-       update it to use get_resolved_permissions():
+    2. If You Have Forked User_Model - Add get_resolved_permissions()

-       BEFORE (if overridden):
-           public function has_permission(int $permission): bool
-           {
-               // Custom logic
-               if ($this->role_id === self::ROLE_DISABLED) {
-                   return false;
-               }
-               if ($this->has_supplementary_deny($permission)) {
-                   return false;
-               }
-               if ($this->has_supplementary_grant($permission)) {
-                   return true;
-               }
-               return in_array($permission, $this->role_id__permissions ?? [], true);
-           }
+       Add this method to your User_Model:

-       AFTER:
-           public function has_permission(int $permission): bool
-           {
-               return in_array($permission, $this->get_resolved_permissions(), true);
-           }
-
-       If you need custom permission logic, override get_resolved_permissions()
-       instead of has_permission().
-
-    3. If You Have Completely Replaced User_Model (not extending framework)
-
-       Add the get_resolved_permissions() method to your model:
-
-           /**
-            * Get all resolved permissions for this user
-            *
-            * @return array Array of permission IDs the user has
-            */
           public function get_resolved_permissions(): array
           {
-               // Return empty for disabled users
               if ($this->role_id === self::ROLE_DISABLED) {
                   return [];
               }

-               // Start with role default permissions
               $permissions = $this->role_id__permissions ?? [];

-               // Add supplementary GRANTs
               $supplementary = $this->_load_supplementary_permissions();
               foreach ($supplementary['grants'] as $perm_id) {
                   if (!in_array($perm_id, $permissions, true)) {
@@ -82,20 +48,70 @@ CHANGES REQUIRED
                   }
               }

-               // Remove supplementary DENYs
               $permissions = array_values(array_diff($permissions, $supplementary['denies']));
-
               sort($permissions);
+
               return $permissions;
           }

-       Then update has_permission() to use it:
+    3. If You Have Forked User_Model - Add/Update toArray()
+
+       If you DON'T have a toArray() override, add one:
+
+           public function toArray()
+           {
+               $data = parent::toArray();
+               $data['resolved_permissions'] = $this->get_resolved_permissions();
+               unset($data['role_id__permissions']);
+               return $data;
+           }
+
+       If you ALREADY have a toArray() override, add these lines:
+
+           $data['resolved_permissions'] = $this->get_resolved_permissions();
+           unset($data['role_id__permissions']);
+
+    4. If You Have Forked User_Model - Update has_permission()
+
+       If you override has_permission(), simplify it:

           public function has_permission(int $permission): bool
           {
               return in_array($permission, $this->get_resolved_permissions(), true);
           }

+    5. REQUIRED: Search and Replace role_id__permissions Usage
+
+       Search your /rsx/ directory for any direct usage of role_id__permissions:
+
+           grep -r "role_id__permissions" rsx/
+
+       For each match, update to use the new pattern:
+
+       JAVASCRIPT - BEFORE:
+           if (window.rsxapp.user.role_id__permissions.includes(User_Model.PERM_EDIT_DATA)) {
+           // or
+           const perms = user.role_id__permissions;
+
+       JAVASCRIPT - AFTER:
+           if (Permission.has_permission(User_Model.PERM_EDIT_DATA)) {
+           // or
+           const perms = Permission.get_resolved_permissions();
+           // or
+           const perms = window.rsxapp.user.resolved_permissions;
+
+       PHP - BEFORE:
+           if (in_array($perm, $user->role_id__permissions)) {
+
+       PHP - AFTER:
+           if ($user->has_permission($perm)) {
+           // or
+           if (in_array($perm, $user->get_resolved_permissions())) {
+
+       IMPORTANT: role_id__permissions only contains role defaults. It does NOT
+       include supplementary grants or respect supplementary denies. Always use
+       resolved_permissions or the Permission class for accurate permission checks.
+
 NEW FEATURES AVAILABLE

    PHP:
@@ -110,15 +126,16 @@ NEW FEATURES AVAILABLE
        Permission.can_admin_role(User_Model.ROLE_USER)
        Permission.get_resolved_permissions()

-    window.rsxapp:
-        window.rsxapp.resolved_permissions  // Array of permission IDs
+    window.rsxapp.user:
+        window.rsxapp.user.resolved_permissions  // Array of permission IDs

 VERIFICATION
    1. Load any authenticated page
    2. Open browser console
-    3. Verify: window.rsxapp.resolved_permissions is an array of integers
+    3. Verify: window.rsxapp.user.resolved_permissions is an array of integers
    4. Verify: Permission.has_permission(User_Model.PERM_VIEW_DATA) returns boolean
-    5. If you have a forked User_Model, verify no PHP errors on page load
+    5. Verify: window.rsxapp.user.role_id__permissions is undefined
+    6. If you have a forked User_Model, verify no PHP errors on page load

 REFERENCE
    php artisan rsx:man acls