 Server : Apache/2 System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 User : gositeme ( 1004) PHP Version : 8.2.29 Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname Directory : /home/gositeme/domains/lavocat.ca/public_html/src/lib/ |
import { getServerSession } from 'next-auth';
import { authOptions } from './auth';
import { NextApiRequest, NextApiResponse } from 'next';
import { useSession } from 'next-auth/react';
import { useRouter } from 'next/router';
import { useEffect } from 'react';
// Define all possible user roles
export const USER_ROLES = {
SUPERADMIN: 'SUPERADMIN',
ADMIN: 'ADMIN',
LAWYER: 'LAWYER',
JURIST: 'JURIST',
JUDGE: 'JUDGE',
MEDIATOR: 'MEDIATOR',
LEGAL_CONSULTANT: 'LEGAL_CONSULTANT',
INVESTIGATOR: 'INVESTIGATOR',
EXPERT_WITNESS: 'EXPERT_WITNESS',
NOTARY: 'NOTARY',
USER: 'USER',
CLIENT: 'CLIENT',
LAW_STUDENT: 'LAW_STUDENT',
LEGAL_INTERN: 'LEGAL_INTERN',
SECRETARY: 'SECRETARY',
ASSISTANT: 'ASSISTANT',
CLERK: 'CLERK',
COURT_CLERK: 'COURT_CLERK',
PARALEGAL: 'PARALEGAL',
} as const;
export type UserRole = typeof USER_ROLES[keyof typeof USER_ROLES];
// Define role hierarchies and permissions
export const ROLE_PERMISSIONS = {
[USER_ROLES.SUPERADMIN]: {
canAccessAll: true,
allowedPages: ['*'],
allowedRoles: Object.values(USER_ROLES),
},
[USER_ROLES.ADMIN]: {
canAccessAll: false,
allowedPages: [
'/admin/*',
'/user/*',
'/lawyer/*',
'/jurist/*',
'/judge/*',
'/mediator/*',
'/consultant/*',
'/investigator/*',
'/expert/*',
'/support/*',
'/student/*',
'/notary/*',
'/client/*',
],
allowedRoles: [
USER_ROLES.ADMIN,
USER_ROLES.LAWYER,
USER_ROLES.JURIST,
USER_ROLES.JUDGE,
USER_ROLES.MEDIATOR,
USER_ROLES.LEGAL_CONSULTANT,
USER_ROLES.INVESTIGATOR,
USER_ROLES.EXPERT_WITNESS,
USER_ROLES.NOTARY,
USER_ROLES.USER,
USER_ROLES.CLIENT,
USER_ROLES.LAW_STUDENT,
USER_ROLES.LEGAL_INTERN,
USER_ROLES.SECRETARY,
USER_ROLES.ASSISTANT,
USER_ROLES.CLERK,
USER_ROLES.COURT_CLERK,
USER_ROLES.PARALEGAL,
],
},
[USER_ROLES.LAWYER]: {
canAccessAll: false,
allowedPages: [
'/lawyer/*',
'/user/profile',
'/user/business-profile',
'/user/business-analytics',
'/user/subscription',
'/client/*',
],
allowedRoles: [USER_ROLES.LAWYER],
},
[USER_ROLES.JURIST]: {
canAccessAll: false,
allowedPages: [
'/jurist/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.JURIST],
},
[USER_ROLES.JUDGE]: {
canAccessAll: false,
allowedPages: [
'/judge/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.JUDGE],
},
[USER_ROLES.MEDIATOR]: {
canAccessAll: false,
allowedPages: [
'/mediator/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.MEDIATOR],
},
[USER_ROLES.LEGAL_CONSULTANT]: {
canAccessAll: false,
allowedPages: [
'/consultant/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.LEGAL_CONSULTANT],
},
[USER_ROLES.INVESTIGATOR]: {
canAccessAll: false,
allowedPages: [
'/investigator/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.INVESTIGATOR],
},
[USER_ROLES.EXPERT_WITNESS]: {
canAccessAll: false,
allowedPages: [
'/expert/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.EXPERT_WITNESS],
},
[USER_ROLES.NOTARY]: {
canAccessAll: false,
allowedPages: [
'/notary/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.NOTARY],
},
[USER_ROLES.USER]: {
canAccessAll: false,
allowedPages: [
'/user/*',
'/client/*',
'/documents',
'/messages',
],
allowedRoles: [USER_ROLES.USER],
},
[USER_ROLES.CLIENT]: {
canAccessAll: false,
allowedPages: [
'/user/*',
'/client/*',
'/documents',
'/messages',
],
allowedRoles: [USER_ROLES.CLIENT],
},
[USER_ROLES.LAW_STUDENT]: {
canAccessAll: false,
allowedPages: [
'/student/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.LAW_STUDENT],
},
[USER_ROLES.LEGAL_INTERN]: {
canAccessAll: false,
allowedPages: [
'/student/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.LEGAL_INTERN],
},
[USER_ROLES.SECRETARY]: {
canAccessAll: false,
allowedPages: [
'/support/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.SECRETARY],
},
[USER_ROLES.ASSISTANT]: {
canAccessAll: false,
allowedPages: [
'/support/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.ASSISTANT],
},
[USER_ROLES.CLERK]: {
canAccessAll: false,
allowedPages: [
'/support/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.CLERK],
},
[USER_ROLES.COURT_CLERK]: {
canAccessAll: false,
allowedPages: [
'/support/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.COURT_CLERK],
},
[USER_ROLES.PARALEGAL]: {
canAccessAll: false,
allowedPages: [
'/support/*',
'/user/profile',
'/user/subscription',
],
allowedRoles: [USER_ROLES.PARALEGAL],
},
};
// Server-side authentication check
export async function requireAuth(req: NextApiRequest, res: NextApiResponse) {
const session = await getServerSession(req, res, authOptions);
if (!session || !session.user || !session.user.id) {
return { authorized: false, session: null, user: null };
}
return { authorized: true, session, user: session.user };
}
// Server-side role-based authorization check
export async function requireRole(
req: NextApiRequest,
res: NextApiResponse,
allowedRoles: UserRole[]
) {
const authResult = await requireAuth(req, res);
if (!authResult.authorized) {
return { authorized: false, session: null, user: null };
}
if (!authResult.user) {
return { authorized: false, session: authResult.session, user: null };
}
const userRole = authResult.user.role as UserRole;
if (!allowedRoles.includes(userRole)) {
return { authorized: false, session: authResult.session, user: authResult.user };
}
return { authorized: true, session: authResult.session, user: authResult.user };
}
// Check if user can access a specific page
export function canAccessPage(userRole: UserRole, pagePath: string): boolean {
const permissions = ROLE_PERMISSIONS[userRole];
if (!permissions) {
return false;
}
if (permissions.canAccessAll) {
return true;
}
return permissions.allowedPages.some(pattern => {
if (pattern === '*') return true;
if (pattern.endsWith('/*')) {
const basePath = pattern.slice(0, -2);
return pagePath.startsWith(basePath);
}
return pagePath === pattern;
});
}
// Client-side authentication hook
export function useRequireAuth(redirectTo: string = '/auth/login') {
const { data: session, status } = useSession();
const router = useRouter();
useEffect(() => {
if (status === 'loading') return;
if (!session || !session.user) {
router.push(redirectTo);
}
}, [session, status, router, redirectTo]);
return { session, status, isAuthenticated: !!session?.user };
}
// Client-side role-based authorization hook
export function useRequireRole(
allowedRoles: UserRole[],
redirectTo: string = '/'
) {
const { data: session, status } = useSession();
const router = useRouter();
useEffect(() => {
if (status === 'loading') return;
if (!session || !session.user) {
router.push('/auth/login');
return;
}
const userRole = session.user.role as UserRole;
if (!allowedRoles.includes(userRole)) {
router.push(redirectTo);
}
}, [session, status, router, allowedRoles, redirectTo]);
return {
session,
status,
isAuthorized: session?.user && allowedRoles.includes(session.user.role as UserRole)
};
}
// Client-side page access check
export function usePageAccess(pagePath: string, redirectTo: string = '/') {
const { data: session, status } = useSession();
const router = useRouter();
useEffect(() => {
if (status === 'loading') return;
if (!session || !session.user) {
router.push('/auth/login');
return;
}
const userRole = session.user.role as UserRole;
if (!canAccessPage(userRole, pagePath)) {
router.push(redirectTo);
}
}, [session, status, router, pagePath, redirectTo]);
return {
session,
status,
canAccess: session?.user && canAccessPage(session.user.role as UserRole, pagePath)
};
}
// Get user's allowed pages
export function getAllowedPages(userRole: UserRole): string[] {
const permissions = ROLE_PERMISSIONS[userRole];
if (!permissions) {
return [];
}
if (permissions.canAccessAll) {
return ['*'];
}
return permissions.allowedPages;
}
// Check if user can impersonate another role
export function canImpersonateRole(currentRole: UserRole, targetRole: UserRole): boolean {
if (currentRole === USER_ROLES.SUPERADMIN) {
return true;
}
if (currentRole === USER_ROLES.ADMIN) {
return targetRole !== USER_ROLES.SUPERADMIN;
}
return false;
}
// Validate role string
export function isValidRole(role: string): role is UserRole {
return Object.values(USER_ROLES).includes(role as UserRole);
}
export function canAccessAdmin(session: any): boolean {
if (!session || !session.user) return false;
const role = session.user.role;
return role === 'SUPERADMIN' || role === 'ADMIN';
}
export function canAccessLawyer(session: any): boolean {
if (!session || !session.user) return false;
const role = session.user.role;
return role === 'LAWYER' || role === 'ADMIN' || role === 'SUPERADMIN';
}
// Check if user can access applications/registrations management
export function canAccessApplications(session: any): boolean {
if (!session || !session.user) return false;
const role = session.user.role;
// SUPERADMIN, ADMIN, and LAWYER can access applications
return role === 'SUPERADMIN' || role === 'ADMIN' || role === 'LAWYER';
}
// Get role-based dashboard URL
export function getRoleBasedDashboard(role: string): string {
switch (role) {
case USER_ROLES.SUPERADMIN:
case 'SUPERADMIN':
case USER_ROLES.ADMIN:
return '/admin/dashboard';
case USER_ROLES.LAWYER:
return '/lawyer/dashboard';
case USER_ROLES.JURIST:
return '/jurist/dashboard';
case USER_ROLES.JUDGE:
return '/judge/dashboard';
case USER_ROLES.MEDIATOR:
return '/mediator/dashboard';
case USER_ROLES.LEGAL_CONSULTANT:
return '/consultant/dashboard';
case USER_ROLES.INVESTIGATOR:
return '/investigator/dashboard';
case USER_ROLES.EXPERT_WITNESS:
return '/expert/dashboard';
case USER_ROLES.NOTARY:
return '/notary/dashboard';
case USER_ROLES.SECRETARY:
case USER_ROLES.ASSISTANT:
case USER_ROLES.CLERK:
case USER_ROLES.COURT_CLERK:
case USER_ROLES.PARALEGAL:
return '/support/dashboard';
case USER_ROLES.LAW_STUDENT:
case USER_ROLES.LEGAL_INTERN:
return '/student/dashboard';
case USER_ROLES.CLIENT:
case USER_ROLES.USER:
return '/client/dashboard';
default:
return '/client/dashboard';
}
}
export function isSuperAdmin(session: any): boolean {
if (!session || !session.user) return false;
const role = session.user.role;
return role === 'SUPERADMIN';
}
// Check if the effective user (original user when impersonating) is SuperAdmin
export function isEffectiveSuperAdmin(session: any): boolean {
if (!session || !session.user) return false;
// If impersonating, check original user's role
if (session.user.isImpersonating && session.user.originalUser) {
return session.user.originalUser.role === 'SUPERADMIN';
}
// Otherwise check current user's role
return session.user.role === 'SUPERADMIN';
}
// Check if the effective user (original user when impersonating) is Admin or SuperAdmin
export function isEffectiveAdmin(session: any): boolean {
if (!session || !session.user) return false;
// If impersonating, check original user's role
if (session.user.isImpersonating && session.user.originalUser) {
const originalRole = session.user.originalUser.role;
return originalRole === 'SUPERADMIN' || originalRole === 'ADMIN';
}
// Otherwise check current user's role
const role = session.user.role;
return role === 'SUPERADMIN' || role === 'ADMIN';
}
// Check if user can access newsletter management
export function canAccessNewsletter(session: any): boolean {
if (!session || !session.user) return false;
const role = session.user.role;
return role === 'SUPERADMIN' || role === 'ADMIN';
}