feat: add role-based and resource-level permission enforcement

Author: meser1905

apps/api/src/app.module.ts

@@ -3,6 +3,7 @@ import { APP_FILTER, APP_GUARD } from '@nestjs/core';
 import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
 import { LoggerModule } from 'nestjs-pino';
 import { AppController } from './app.controller';
+import { AccessControlModule } from './common/access/access-control.module';
 import { AllExceptionsFilter } from './common/filters/all-exceptions.filter';
 import { CacheModule } from './common/cache/cache.module';
 import { JwtAuthGuard } from './common/guards/jwt-auth.guard';
@@ -41,6 +42,7 @@ import { UsersModule } from './modules/users/users.module';
     }),
     ThrottlerModule.forRoot([{ ttl: 60_000, limit: 120 }]),
     PrismaModule,
+    AccessControlModule,
     CacheModule,
     JobsModule,
     MailerModule,

apps/api/src/common/access/access-control.module.ts

@@ -0,0 +1,13 @@
+import { Global, Module } from '@nestjs/common';
+import { AccessControlService } from './access-control.service';
+
+/**
+ * Global module exposing {@link AccessControlService} to every feature module
+ * without an explicit import, mirroring how {@link PrismaModule} is wired.
+ */
+@Global()
+@Module({
+  providers: [AccessControlService],
+  exports: [AccessControlService],
+})
+export class AccessControlModule {}

apps/api/src/common/access/access-control.service.ts

@@ -0,0 +1,129 @@
+import { ForbiddenException, Injectable } from '@nestjs/common';
+import type { UserRole } from '@opennota/shared';
+import type { JwtPayload } from '../auth/jwt-payload';
+import { PrismaService } from '../prisma/prisma.service';
+
+/**
+ * Central authority for resource-level (ownership) permission checks.
+ *
+ * Coarse role gating lives in `@Roles(...)` metadata enforced by the
+ * {@link RolesGuard}. This service answers the finer questions a role alone
+ * cannot: *which* subjects a teacher may grade, *which* students' academic
+ * data a user may read. Keeping that logic here means every module enforces
+ * the same rules instead of re-deriving them.
+ */
+@Injectable()
+export class AccessControlService {
+  constructor(private readonly prisma: PrismaService) {}
+
+  /** Staff (ADMIN, PRINCIPAL) are unscoped: they may act on any resource. */
+  isStaff(role: UserRole): boolean {
+    return role === 'ADMIN' || role === 'PRINCIPAL';
+  }
+
+  /** TeacherProfile-subject ids the teacher (identified by user id) teaches. */
+  async teacherSubjectIds(userId: string): Promise<string[]> {
+    const rows = await this.prisma.teacherSubject.findMany({
+      where: { teacher: { userId } },
+      select: { subjectId: true },
+    });
+    return rows.map((row) => row.subjectId);
+  }
+
+  /**
+   * Whether the user may manage (grade, evaluate, weight) the subject. Staff
+   * always may; a teacher only for subjects they are assigned to.
+   */
+  async canManageSubject(user: JwtPayload, subjectId: string): Promise<boolean> {
+    if (this.isStaff(user.role)) {
+      return true;
+    }
+    if (user.role !== 'TEACHER') {
+      return false;
+    }
+    const assignment = await this.prisma.teacherSubject.findFirst({
+      where: { subjectId, teacher: { userId: user.sub } },
+    });
+    return assignment !== null;
+  }
+
+  /** Throws {@link ForbiddenException} unless {@link canManageSubject} holds. */
+  async assertCanManageSubject(user: JwtPayload, subjectId: string): Promise<void> {
+    if (!(await this.canManageSubject(user, subjectId))) {
+      throw new ForbiddenException('You are not assigned to this subject');
+    }
+  }
+
+  /**
+   * Whether the user may read the given student's academic data:
+   *   - staff: any student;
+   *   - teacher: students enrolled in a class group they teach a subject in;
+   *   - student: only themselves;
+   *   - guardian: only their linked students.
+   */
+  async canViewStudent(user: JwtPayload, studentId: string): Promise<boolean> {
+    if (this.isStaff(user.role)) {
+      return true;
+    }
+    if (user.role === 'STUDENT') {
+      const profile = await this.prisma.studentProfile.findUnique({
+        where: { id: studentId },
+        select: { userId: true },
+      });
+      return profile?.userId === user.sub;
+    }
+    if (user.role === 'GUARDIAN') {
+      const link = await this.prisma.studentGuardian.findFirst({
+        where: { studentId, guardian: { userId: user.sub } },
+      });
+      return link !== null;
+    }
+    if (user.role === 'TEACHER') {
+      const enrollment = await this.prisma.enrollment.findFirst({
+        where: {
+          studentId,
+          isActive: true,
+          classGroup: {
+            subjects: {
+              some: {
+                deletedAt: null,
+                teacherSubjects: { some: { teacher: { userId: user.sub } } },
+              },
+            },
+          },
+        },
+      });
+      return enrollment !== null;
+    }
+    return false;
+  }
+
+  /** Throws {@link ForbiddenException} unless {@link canViewStudent} holds. */
+  async assertCanViewStudent(user: JwtPayload, studentId: string): Promise<void> {
+    if (!(await this.canViewStudent(user, studentId))) {
+      throw new ForbiddenException('You do not have permission to view this student');
+    }
+  }
+
+  /**
+   * StudentProfile ids a teacher may read: every active enrollment in a class
+   * group where the teacher teaches at least one subject.
+   */
+  async teacherStudentIds(userId: string): Promise<string[]> {
+    const enrollments = await this.prisma.enrollment.findMany({
+      where: {
+        isActive: true,
+        classGroup: {
+          subjects: {
+            some: {
+              deletedAt: null,
+              teacherSubjects: { some: { teacher: { userId } } },
+            },
+          },
+        },
+      },
+      select: { studentId: true },
+    });
+    return [...new Set(enrollments.map((enrollment) => enrollment.studentId))];
+  }
+}

apps/api/src/modules/evaluations/evaluations.controller.ts

@@ -29,16 +29,17 @@ export class EvaluationsController {
 
   @Get()
   list(
+    @CurrentUser() user: JwtPayload,
     @Query('subjectId') subjectId?: string,
     @Query('termId') termId?: string,
     @Query('classGroupId') classGroupId?: string,
   ) {
-    return this.evaluationsService.list({ subjectId, termId, classGroupId });
+    return this.evaluationsService.list(user, { subjectId, termId, classGroupId });
   }
 
   @Get(':id')
-  findOne(@Param('id') id: string) {
-    return this.evaluationsService.findOne(id);
+  findOne(@CurrentUser() user: JwtPayload, @Param('id') id: string) {
+    return this.evaluationsService.getOne(user, id);
   }
 
   @Post()

apps/api/src/modules/evaluations/evaluations.service.ts

@@ -6,6 +6,7 @@ import {
 } from '@nestjs/common';
 import type { Evaluation } from '@opennota/db';
 import type { CreateEvaluationInput, UpdateEvaluationInput } from '@opennota/shared';
+import { AccessControlService } from '../../common/access/access-control.service';
 import type { JwtPayload } from '../../common/auth/jwt-payload';
 import { PrismaService } from '../../common/prisma/prisma.service';
 
@@ -17,13 +18,25 @@ interface EvaluationFilter {
 
 @Injectable()
 export class EvaluationsService {
-  constructor(private readonly prisma: PrismaService) {}
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly access: AccessControlService,
+  ) {}
 
-  list(filter: EvaluationFilter): Promise<Evaluation[]> {
+  /** Lists evaluations. Teachers see only their assigned subjects' evaluations. */
+  async list(user: JwtPayload, filter: EvaluationFilter): Promise<Evaluation[]> {
+    let subjectId: string | { in: string[] } | undefined = filter.subjectId;
+    if (user.role === 'TEACHER') {
+      if (filter.subjectId !== undefined) {
+        await this.access.assertCanManageSubject(user, filter.subjectId);
+      } else {
+        subjectId = { in: await this.access.teacherSubjectIds(user.sub) };
+      }
+    }
     return this.prisma.evaluation.findMany({
       where: {
         deletedAt: null,
-        subjectId: filter.subjectId,
+        subjectId,
         termId: filter.termId,
         ...(filter.classGroupId ? { subject: { classGroupId: filter.classGroupId } } : {}),
       },
@@ -41,8 +54,15 @@ export class EvaluationsService {
     return evaluation;
   }
 
+  /** Loads an evaluation, asserting the user may access its subject. */
+  async getOne(user: JwtPayload, id: string): Promise<Evaluation> {
+    const evaluation = await this.findOne(id);
+    await this.access.assertCanManageSubject(user, evaluation.subjectId);
+    return evaluation;
+  }
+
   async create(user: JwtPayload, input: CreateEvaluationInput): Promise<Evaluation> {
-    await this.assertCanManageSubject(user, input.subjectId);
+    await this.access.assertCanManageSubject(user, input.subjectId);
     const teacherId = await this.resolveTeacherId(user, input.subjectId);
     return this.prisma.evaluation.create({
       data: {
@@ -65,7 +85,7 @@ export class EvaluationsService {
 
   async update(user: JwtPayload, id: string, input: UpdateEvaluationInput): Promise<Evaluation> {
     const evaluation = await this.findOne(id);
-    await this.assertCanManageSubject(user, evaluation.subjectId);
+    await this.access.assertCanManageSubject(user, evaluation.subjectId);
     return this.prisma.evaluation.update({
       where: { id },
       data: {
@@ -85,7 +105,7 @@ export class EvaluationsService {
 
   async remove(user: JwtPayload, id: string): Promise<void> {
     const evaluation = await this.findOne(id);
-    await this.assertCanManageSubject(user, evaluation.subjectId);
+    await this.access.assertCanManageSubject(user, evaluation.subjectId);
     await this.prisma.evaluation.update({ where: { id }, data: { deletedAt: new Date() } });
   }
 
@@ -111,16 +131,4 @@ export class EvaluationsService {
     }
     return assignment.teacherId;
   }
-
-  private async assertCanManageSubject(user: JwtPayload, subjectId: string): Promise<void> {
-    if (user.role === 'ADMIN' || user.role === 'PRINCIPAL') {
-      return;
-    }
-    const assignment = await this.prisma.teacherSubject.findFirst({
-      where: { subjectId, teacher: { userId: user.sub } },
-    });
-    if (!assignment) {
-      throw new ForbiddenException('You are not assigned to this subject');
-    }
-  }
 }

apps/api/src/modules/evaluations/grading-weights.controller.ts

@@ -15,8 +15,12 @@ export class GradingWeightsController {
   constructor(private readonly gradingWeightsService: GradingWeightsService) {}
 
   @Get()
-  get(@Query('subjectId') subjectId?: string, @Query('termId') termId?: string) {
-    return this.gradingWeightsService.get(subjectId, termId);
+  get(
+    @CurrentUser() user: JwtPayload,
+    @Query('subjectId') subjectId?: string,
+    @Query('termId') termId?: string,
+  ) {
+    return this.gradingWeightsService.get(user, subjectId, termId);
   }
 
   @Put()

apps/api/src/modules/evaluations/grading-weights.service.ts

@@ -1,21 +1,27 @@
-import { BadRequestException, ForbiddenException, Injectable } from '@nestjs/common';
+import { BadRequestException, Injectable } from '@nestjs/common';
 import type { GradingWeightConfig } from '@opennota/db';
 import type { CreateGradingWeightConfigInput } from '@opennota/shared';
+import { AccessControlService } from '../../common/access/access-control.service';
 import type { JwtPayload } from '../../common/auth/jwt-payload';
 import { PrismaService } from '../../common/prisma/prisma.service';
 
 @Injectable()
 export class GradingWeightsService {
-  constructor(private readonly prisma: PrismaService) {}
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly access: AccessControlService,
+  ) {}
 
   /** Returns the weight config for a subject/term, or null when none is set. */
-  get(
+  async get(
+    user: JwtPayload,
     subjectId: string | undefined,
     termId: string | undefined,
   ): Promise<GradingWeightConfig | null> {
     if (!subjectId || !termId) {
       throw new BadRequestException('Both subjectId and termId query parameters are required');
     }
+    await this.access.assertCanManageSubject(user, subjectId);
     return this.prisma.gradingWeightConfig.findUnique({
       where: { subjectId_termId: { subjectId, termId } },
     });
@@ -25,7 +31,7 @@ export class GradingWeightsService {
     user: JwtPayload,
     input: CreateGradingWeightConfigInput,
   ): Promise<GradingWeightConfig> {
-    await this.assertCanManageSubject(user, input.subjectId);
+    await this.access.assertCanManageSubject(user, input.subjectId);
     const weights = {
       examWeight: input.examWeight,
       assignmentWeight: input.assignmentWeight,
@@ -39,16 +45,4 @@ export class GradingWeightsService {
       update: weights,
     });
   }
-
-  private async assertCanManageSubject(user: JwtPayload, subjectId: string): Promise<void> {
-    if (user.role === 'ADMIN' || user.role === 'PRINCIPAL') {
-      return;
-    }
-    const assignment = await this.prisma.teacherSubject.findFirst({
-      where: { subjectId, teacher: { userId: user.sub } },
-    });
-    if (!assignment) {
-      throw new ForbiddenException('You are not assigned to this subject');
-    }
-  }
 }

apps/api/src/modules/grades/grades.controller.ts

@@ -17,14 +17,18 @@ export class GradesController {
   constructor(private readonly gradesService: GradesService) {}
 
   @Get()
-  list(@Query('evaluationId') evaluationId?: string) {
-    return this.gradesService.listByEvaluation(evaluationId);
+  list(@CurrentUser() user: JwtPayload, @Query('evaluationId') evaluationId?: string) {
+    return this.gradesService.listByEvaluation(user, evaluationId);
   }
 
   /** Students-by-evaluations matrix backing the grade entry sheet. */
   @Get('sheet')
-  sheet(@Query('subjectId') subjectId?: string, @Query('termId') termId?: string) {
-    return this.gradesService.getGradeSheet(subjectId, termId);
+  sheet(
+    @CurrentUser() user: JwtPayload,
+    @Query('subjectId') subjectId?: string,
+    @Query('termId') termId?: string,
+  ) {
+    return this.gradesService.getGradeSheet(user, subjectId, termId);
   }
 
   @Post()