 Server : Apache/2 System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 User : gositeme ( 1004) PHP Version : 8.2.29 Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname Directory : /home/gositeme/domains/lavocat.ca/public_html/src/lib/ |
import { User } from '@prisma/client';
// Permission Levels
export enum PermissionLevel {
NONE = 0,
READ = 1,
WRITE = 2,
ADMIN = 3,
OWNER = 4
}
// Resource Types
export enum ResourceType {
CASE = 'case',
DOCUMENT = 'document',
UPDATE = 'update',
ASSIGNMENT = 'assignment',
OFFER = 'offer',
REGISTRATION = 'registration'
}
// Case-specific permissions interface
export interface CasePermissions {
// Ownership
isOwner: boolean;
isLeadLawyer: boolean;
isAssigned: boolean;
isClient: boolean;
isCreator: boolean;
// Actions
canEdit: boolean;
canDelete: boolean;
canAssign: boolean;
canUpdate: boolean;
canCollaborate: boolean;
canViewDocuments: boolean;
canUploadDocuments: boolean;
canCreateOffers: boolean;
canAcceptOffers: boolean;
canViewRegistrations: boolean;
canApproveRegistrations: boolean;
canCreateUpdates: boolean;
canViewAnalytics: boolean;
canManageTeam: boolean;
canCloseCase: boolean;
canReopenCase: boolean;
}
// Permission checker interface
export interface PermissionChecker {
canCreate(user: User, resource: ResourceType): boolean;
canRead(user: User, resource: ResourceType, resourceId?: string, context?: any): boolean;
canUpdate(user: User, resource: ResourceType, resourceId: string, context?: any): boolean;
canDelete(user: User, resource: ResourceType, resourceId: string, context?: any): boolean;
canAssign(user: User, resource: ResourceType, resourceId: string, context?: any): boolean;
canApprove(user: User, resource: ResourceType, resourceId: string, context?: any): boolean;
}
// Role permissions interface
interface RolePermissions {
canCreateCases?: boolean;
canReadOwnCases?: boolean;
canReadAssignedCases?: boolean;
canReadAllCases?: boolean;
canReadPublicCases?: boolean;
canReadCourtCases?: boolean;
canUpdateOwnCases?: boolean;
canUpdateAssignedCases?: boolean;
canUpdateAllCases?: boolean;
canUpdateCourtCases?: boolean;
canUpdateExpertReports?: boolean;
canUpdateSupportTasks?: boolean;
canUpdateNotaryDocuments?: boolean;
canUpdateCases?: boolean;
canDeleteOwnCases?: boolean;
canDeleteCases?: boolean;
canAssignTeam?: boolean;
canAssignAnyRole?: boolean;
canAssignCourtStaff?: boolean;
canAssignMediationTeam?: boolean;
canAssignInvestigationTeam?: boolean;
canAssignSupportTasks?: boolean;
canApproveRegistrations?: boolean;
canApproveCourtOrders?: boolean;
canCollaborate?: boolean;
canViewAllDocuments?: boolean;
canUploadDocuments?: boolean;
canCreateOffers?: boolean;
canAcceptOffers?: boolean;
canViewCaseAnalytics?: boolean;
canViewOwnAnalytics?: boolean;
canViewAllAnalytics?: boolean;
canViewCourtAnalytics?: boolean;
canViewMediationAnalytics?: boolean;
canViewInvestigationAnalytics?: boolean;
canViewExpertAnalytics?: boolean;
canViewSupportAnalytics?: boolean;
canViewLearningAnalytics?: boolean;
canViewNotaryAnalytics?: boolean;
canManageClientRelationships?: boolean;
canManageSystem?: boolean;
canOverridePermissions?: boolean;
canImpersonateUsers?: boolean;
canManageRoles?: boolean;
canCreateCourtOrders?: boolean;
canScheduleHearings?: boolean;
canCreateSettlements?: boolean;
canFacilitateCommunication?: boolean;
canUploadEvidence?: boolean;
canCreateReports?: boolean;
canCreateExpertReports?: boolean;
canUploadCredentials?: boolean;
canProcessDocuments?: boolean;
canObserveCases?: boolean;
canAccessEducationalContent?: boolean;
canNotarizeDocuments?: boolean;
canCreateCertificates?: boolean;
canApplyToCases?: boolean;
canViewPublicCases?: boolean;
}
// Role definitions with permissions
export const ROLE_PERMISSIONS: Record<string, RolePermissions> = {
CLIENT: {
canCreateCases: true,
canReadOwnCases: true,
canUpdateOwnCases: true,
canDeleteOwnCases: true,
canApplyToCases: true,
canViewPublicCases: true,
canCollaborate: true,
canUploadDocuments: true,
canCreateOffers: true,
canAcceptOffers: true,
canViewOwnAnalytics: true,
},
LAWYER: {
canCreateCases: true,
canReadAssignedCases: true,
canUpdateAssignedCases: true,
canDeleteCases: false,
canAssignTeam: true,
canCollaborate: true,
canViewAllDocuments: true,
canUploadDocuments: true,
canCreateOffers: true,
canAcceptOffers: true,
canViewCaseAnalytics: true,
canManageClientRelationships: true,
},
ADMIN: {
canCreateCases: true,
canReadAllCases: true,
canUpdateAllCases: true,
canDeleteCases: true,
canAssignAnyRole: true,
canApproveRegistrations: true,
canViewAllAnalytics: true,
canManageSystem: true,
canOverridePermissions: true,
},
SUPERADMIN: {
canCreateCases: true,
canReadAllCases: true,
canUpdateAllCases: true,
canDeleteCases: true,
canAssignAnyRole: true,
canApproveRegistrations: true,
canViewAllAnalytics: true,
canManageSystem: true,
canOverridePermissions: true,
canImpersonateUsers: true,
canManageRoles: true,
},
JUDGE: {
canCreateCases: false,
canReadCourtCases: true,
canUpdateCourtCases: true,
canDeleteCases: false,
canAssignCourtStaff: true,
canApproveCourtOrders: true,
canViewCourtAnalytics: true,
canCreateCourtOrders: true,
canScheduleHearings: true,
},
MEDIATOR: {
canCreateCases: false,
canReadAssignedCases: true,
canUpdateAssignedCases: true,
canDeleteCases: false,
canAssignMediationTeam: true,
canCreateSettlements: true,
canViewMediationAnalytics: true,
canFacilitateCommunication: true,
},
INVESTIGATOR: {
canCreateCases: false,
canReadAssignedCases: true,
canUpdateAssignedCases: true,
canDeleteCases: false,
canAssignInvestigationTeam: true,
canUploadEvidence: true,
canCreateReports: true,
canViewInvestigationAnalytics: true,
},
EXPERT_WITNESS: {
canCreateCases: false,
canReadAssignedCases: true,
canUpdateExpertReports: true,
canDeleteCases: false,
canCreateExpertReports: true,
canUploadCredentials: true,
canViewExpertAnalytics: true,
},
SUPPORT_STAFF: {
canCreateCases: false,
canReadAssignedCases: true,
canUpdateSupportTasks: true,
canDeleteCases: false,
canAssignSupportTasks: true,
canProcessDocuments: true,
canViewSupportAnalytics: true,
},
STUDENT: {
canCreateCases: false,
canReadPublicCases: true,
canUpdateCases: false,
canDeleteCases: false,
canObserveCases: true,
canViewLearningAnalytics: true,
canAccessEducationalContent: true,
},
NOTARY: {
canCreateCases: false,
canReadAssignedCases: true,
canUpdateNotaryDocuments: true,
canDeleteCases: false,
canNotarizeDocuments: true,
canViewNotaryAnalytics: true,
canCreateCertificates: true,
},
};
// Case permission checker
export class CasePermissionChecker implements PermissionChecker {
canCreate(user: User, resource: ResourceType): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
return rolePermissions?.canCreateCases || false;
}
canRead(user: User, resource: ResourceType, resourceId?: string, context?: any): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
// Super admin and admin can read all cases
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return rolePermissions?.canReadAllCases || false;
}
// Other roles have specific read permissions
return rolePermissions?.canReadAssignedCases ||
rolePermissions?.canReadOwnCases ||
rolePermissions?.canReadPublicCases ||
rolePermissions?.canReadCourtCases || false;
}
canUpdate(user: User, resource: ResourceType, resourceId: string, context?: any): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
// Super admin and admin can update all cases
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return rolePermissions?.canUpdateAllCases || false;
}
// Check if user is owner/creator of the case
if (context?.case?.createdBy === user.id) {
return true;
}
// Check if user is lead lawyer
if (context?.case?.leadLawyerId === user.id) {
return rolePermissions?.canUpdateAssignedCases || false;
}
// Check if user is assigned to the case
if (context?.case?.primaryLawyerId === user.id ||
context?.case?.assistantLawyerId === user.id ||
context?.case?.secretaryId === user.id) {
return rolePermissions?.canUpdateAssignedCases || false;
}
return false;
}
canDelete(user: User, resource: ResourceType, resourceId: string, context?: any): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
// Only super admin and admin can delete cases
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return rolePermissions?.canDeleteCases || false;
}
// Check if user is owner/creator (for clients)
if (user.role === 'CLIENT' && context?.case?.createdBy === user.id) {
return rolePermissions?.canDeleteOwnCases || false;
}
return false;
}
canAssign(user: User, resource: ResourceType, resourceId: string, context?: any): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
// Super admin and admin can assign any role
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return rolePermissions?.canAssignAnyRole || false;
}
// Lead lawyers can assign team members
if (context?.case?.leadLawyerId === user.id) {
return rolePermissions?.canAssignTeam || false;
}
// Role-specific assignment permissions
return rolePermissions?.canAssignCourtStaff ||
rolePermissions?.canAssignMediationTeam ||
rolePermissions?.canAssignInvestigationTeam ||
rolePermissions?.canAssignSupportTasks || false;
}
canApprove(user: User, resource: ResourceType, resourceId: string, context?: any): boolean {
if (resource !== ResourceType.CASE) return false;
const rolePermissions = ROLE_PERMISSIONS[user.role as keyof typeof ROLE_PERMISSIONS];
// Super admin and admin can approve anything
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return rolePermissions?.canApproveRegistrations || false;
}
// Role-specific approval permissions
return rolePermissions?.canApproveCourtOrders ||
rolePermissions?.canApproveRegistrations || false;
}
}
// Get case-specific permissions for a user
export function getCasePermissions(user: User, caseData: any): CasePermissions {
const isOwner = caseData?.createdBy === user.id;
const isLeadLawyer = caseData?.leadLawyerId === user.id;
const isAssigned = caseData?.primaryLawyerId === user.id ||
caseData?.assistantLawyerId === user.id ||
caseData?.secretaryId === user.id;
const isClient = caseData?.clientId === user.id;
const isCreator = caseData?.createdBy === user.id;
const rolePermissions = ROLE_PERMISSIONS[user.role] || {};
return {
isOwner,
isLeadLawyer,
isAssigned,
isClient,
isCreator,
// Basic actions
canEdit: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
(isOwner && rolePermissions.canUpdateOwnCases === true) ||
(isLeadLawyer && rolePermissions.canUpdateAssignedCases === true) ||
(isAssigned && rolePermissions.canUpdateAssignedCases === true),
canDelete: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
(isOwner && rolePermissions.canDeleteOwnCases === true),
canAssign: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
(isLeadLawyer && rolePermissions.canAssignTeam === true) ||
rolePermissions.canAssignAnyRole === true ||
rolePermissions.canAssignCourtStaff === true ||
rolePermissions.canAssignMediationTeam === true ||
rolePermissions.canAssignInvestigationTeam === true ||
rolePermissions.canAssignSupportTasks === true,
canUpdate: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
(isOwner && rolePermissions.canUpdateOwnCases === true) ||
(isLeadLawyer && rolePermissions.canUpdateAssignedCases === true) ||
(isAssigned && rolePermissions.canUpdateAssignedCases === true),
canCollaborate: rolePermissions.canCollaborate === true,
canViewDocuments: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
rolePermissions.canViewAllDocuments === true ||
isOwner || isLeadLawyer || isAssigned || isClient,
canUploadDocuments: rolePermissions.canUploadDocuments === true,
canCreateOffers: rolePermissions.canCreateOffers === true,
canAcceptOffers: rolePermissions.canAcceptOffers === true,
canViewRegistrations: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
isLeadLawyer || isAssigned,
canApproveRegistrations: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
rolePermissions.canApproveRegistrations === true,
canCreateUpdates: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
isLeadLawyer || isAssigned || isOwner,
canViewAnalytics: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
rolePermissions.canViewAllAnalytics === true ||
rolePermissions.canViewCaseAnalytics === true ||
rolePermissions.canViewOwnAnalytics === true ||
rolePermissions.canViewCourtAnalytics === true ||
rolePermissions.canViewMediationAnalytics === true ||
rolePermissions.canViewInvestigationAnalytics === true ||
rolePermissions.canViewExpertAnalytics === true ||
rolePermissions.canViewSupportAnalytics === true ||
rolePermissions.canViewLearningAnalytics === true ||
rolePermissions.canViewNotaryAnalytics === true,
canManageTeam: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
(isLeadLawyer && rolePermissions.canAssignTeam === true),
canCloseCase: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
isLeadLawyer,
canReopenCase: ['SUPERADMIN', 'ADMIN'].includes(user.role) ||
isLeadLawyer,
};
}
// Check if user can access a specific case
export function canAccessCase(user: User, caseData: any): boolean {
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return true; // Can access all cases
}
// Check ownership
if (caseData?.createdBy === user.id || caseData?.clientId === user.id) {
return true;
}
// Check assignment
if (caseData?.leadLawyerId === user.id ||
caseData?.primaryLawyerId === user.id ||
caseData?.assistantLawyerId === user.id ||
caseData?.secretaryId === user.id) {
return true;
}
// Check public access
if (caseData?.isPublic && user.role === 'STUDENT') {
return true;
}
return false;
}
// Get filtered cases based on user role
export function getCaseFilterForUser(user: User): any {
if (['SUPERADMIN', 'ADMIN'].includes(user.role)) {
return {}; // Can see all cases
}
const filter: any = {};
switch (user.role) {
case 'CLIENT':
filter.OR = [
{ createdBy: user.id },
{ clientId: user.id },
{ isPublic: true }
];
break;
case 'LAWYER':
filter.OR = [
{ leadLawyerId: user.id },
{ primaryLawyerId: user.id },
{ assistantLawyerId: user.id },
{ secretaryId: user.id }
];
break;
case 'JUDGE':
filter.jurisdiction = 'Quebec'; // Default jurisdiction for judges
break;
case 'MEDIATOR':
case 'INVESTIGATOR':
case 'EXPERT_WITNESS':
case 'SUPPORT_STAFF':
case 'NOTARY':
filter.OR = [
{ leadLawyerId: user.id },
{ primaryLawyerId: user.id },
{ assistantLawyerId: user.id },
{ secretaryId: user.id }
];
break;
case 'STUDENT':
filter.isPublic = true;
break;
default:
filter.createdBy = user.id; // Default to own cases
}
return filter;
}