permissions: backend-driven permission catalog endpoint (#1799)

* permissions: backend-driven permission catalog endpoint

Adds GET /permissions/available, derived from CEDAR_SCHEMA.RocketAdmin.actions
so the catalog stays in sync with the Cedar action enum. Replaces the hardcoded
POLICY_ACTION_GROUPS list in the frontend with a signal-backed httpResource
on UsersService, and switches PolicyAction's needsTable/needsDashboard booleans
to a single resource discriminator. New ActionEvent and Panel categories now
appear in the Cedar policy editor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* permissions: simplify catalog endpoint to pure CEDAR_SCHEMA passthrough

Drop labels, short labels, icons, and synthesized wildcards from the backend
response. Each action is now { value, resource } only, where resource is the
first appliesTo.resourceTypes entry lowercased. Wildcards (*, table:*, etc.)
and display copy move to the frontend: a new lib/permission-display.ts derives
labels/icons algorithmically, and CedarPolicyListComponent synthesizes the
General and per-prefix wildcard entries at render time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* permissions: flatten catalog response and derive groups on frontend

Backend now returns { actions: [...] } instead of pre-grouped categories.
Group names ('Connection', 'ActionEvent', etc.) and group ordering live in
permission-display.ts on the frontend, where groupNameForAction(value)
derives them from the action prefix. UsersService computes
availablePermissionGroups from the flat list at read time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* app.component.spec: isolate session-restoration setTimeout from cross-test pollution

AppComponent never unsubscribes from authCast, so prior tests' component
instances re-fire on cast.next and queue their own setTimeouts, overwriting
the captured callback. Gate the capture behind a flag set by THIS app's
mocked initializeUserSession so we only grab the timeout from this instance's
restoration branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: gugu

backend/src/entities/permission/application/data-structures/available-permissions.ds.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+
+export class AvailablePermissionDs {
+	@ApiProperty()
+	value: string;
+
+	@ApiProperty({ required: false })
+	resource?: string;
+}
+
+export class AvailablePermissionsResponseDs {
+	@ApiProperty({ isArray: true, type: AvailablePermissionDs })
+	actions: Array<AvailablePermissionDs>;
+}

backend/src/entities/permission/permission-catalog.builder.ts

@@ -0,0 +1,30 @@
+import { CEDAR_SCHEMA } from '../cedar-authorization/cedar-schema.js';
+import { AvailablePermissionDs } from './application/data-structures/available-permissions.ds.js';
+
+export function buildPermissionCatalog(): Array<AvailablePermissionDs> {
+	const schemaActions = (CEDAR_SCHEMA as SchemaShape).RocketAdmin.actions;
+	return Object.entries(schemaActions).map(([value, definition]) =>
+		buildAction(value, definition.appliesTo.resourceTypes),
+	);
+}
+
+function buildAction(value: string, resourceTypes: Array<string>): AvailablePermissionDs {
+	const action: AvailablePermissionDs = { value };
+	const resource = deriveResource(resourceTypes);
+	if (resource) {
+		action.resource = resource;
+	}
+	return action;
+}
+
+function deriveResource(resourceTypes: Array<string>): string | undefined {
+	const first = resourceTypes[0];
+	if (!first) return undefined;
+	return first.charAt(0).toLowerCase() + first.slice(1);
+}
+
+type SchemaShape = {
+	RocketAdmin: {
+		actions: Record<string, { appliesTo: { principalTypes: Array<string>; resourceTypes: Array<string> } }>;
+	};
+};

backend/src/entities/permission/permission.controller.ts

@@ -1,6 +1,7 @@
 import {
 	Body,
 	Controller,
+	Get,
 	HttpException,
 	HttpStatus,
 	Inject,
@@ -19,7 +20,9 @@ import { InTransactionEnum } from '../../enums/in-transaction.enum.js';
 import { Messages } from '../../exceptions/text/messages.js';
 import { ConnectionEditGuard } from '../../guards/connection-edit.guard.js';
 import { SentryInterceptor } from '../../interceptors/sentry.interceptor.js';
+import { AvailablePermissionsResponseDs } from './application/data-structures/available-permissions.ds.js';
 import { ComplexPermissionDs, CreatePermissionsDs } from './application/data-structures/create-permissions.ds.js';
+import { buildPermissionCatalog } from './permission-catalog.builder.js';
 import { ICreateOrUpdatePermissions } from './use-cases/permissions-use-cases.interface.js';
 
 @UseInterceptors(SentryInterceptor)
@@ -34,6 +37,17 @@ export class PermissionController {
 		private readonly createOrUpdatePermissionsUseCase: ICreateOrUpdatePermissions,
 	) {}
 
+	@ApiOperation({ summary: 'List available permissions derived from the Cedar schema' })
+	@ApiResponse({
+		status: 200,
+		description: 'Flat list of permissions with their resource scope.',
+		type: AvailablePermissionsResponseDs,
+	})
+	@Get('permissions/available')
+	async getAvailablePermissions(): Promise<AvailablePermissionsResponseDs> {
+		return { actions: buildPermissionCatalog() };
+	}
+
 	@ApiOperation({ summary: 'Create or update permissions in group' })
 	@ApiBody({ type: ComplexPermissionDs })
 	@ApiResponse({

backend/src/entities/permission/permission.module.ts

@@ -48,6 +48,11 @@ import { CreateOrUpdatePermissionsUseCase } from './use-cases/create-or-update-p
 })
 export class PermissionModule implements NestModule {
 	public configure(consumer: MiddlewareConsumer): any {
-		consumer.apply(AuthMiddleware).forRoutes({ path: 'permissions/:slug', method: RequestMethod.PUT });
+		consumer
+			.apply(AuthMiddleware)
+			.forRoutes(
+				{ path: 'permissions/:slug', method: RequestMethod.PUT },
+				{ path: 'permissions/available', method: RequestMethod.GET },
+			);
 	}
 }

backend/test/ava-tests/non-saas-tests/non-saas-permission-catalog-e2e.test.ts

@@ -0,0 +1,97 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { INestApplication, ValidationPipe } from '@nestjs/common';
+import { Test } from '@nestjs/testing';
+import test from 'ava';
+import { ValidationError } from 'class-validator';
+import cookieParser from 'cookie-parser';
+import request from 'supertest';
+import { ApplicationModule } from '../../../src/app.module.js';
+import { CedarAction } from '../../../src/entities/cedar-authorization/cedar-action-map.js';
+import { WinstonLogger } from '../../../src/entities/logging/winston-logger.js';
+import { AllExceptionsFilter } from '../../../src/exceptions/all-exceptions.filter.js';
+import { ValidationException } from '../../../src/exceptions/custom-exceptions/validation-exception.js';
+import { Cacher } from '../../../src/helpers/cache/cacher.js';
+import { DatabaseModule } from '../../../src/shared/database/database.module.js';
+import { DatabaseService } from '../../../src/shared/database/database.service.js';
+import { registerUserAndReturnUserInfo } from '../../utils/register-user-and-return-user-info.js';
+import { setSaasEnvVariable } from '../../utils/set-saas-env-variable.js';
+import { TestUtils } from '../../utils/test.utils.js';
+
+let app: INestApplication;
+
+test.before(async () => {
+	setSaasEnvVariable();
+	const moduleFixture = await Test.createTestingModule({
+		imports: [ApplicationModule, DatabaseModule],
+		providers: [DatabaseService, TestUtils],
+	}).compile();
+	app = moduleFixture.createNestApplication();
+
+	app.use(cookieParser());
+	app.useGlobalFilters(new AllExceptionsFilter(app.get(WinstonLogger)));
+	app.useGlobalPipes(
+		new ValidationPipe({
+			exceptionFactory(validationErrors: ValidationError[] = []) {
+				return new ValidationException(validationErrors);
+			},
+		}),
+	);
+	await app.init();
+	app.getHttpServer().listen(0);
+});
+
+test.after(async () => {
+	await Cacher.clearAllCache();
+	await app.close();
+});
+
+test.serial('GET /permissions/available returns catalog covering every CedarAction', async (t) => {
+	const token = (await registerUserAndReturnUserInfo(app)).token;
+
+	const response = await request(app.getHttpServer())
+		.get('/permissions/available')
+		.set('Cookie', token)
+		.set('Accept', 'application/json');
+
+	t.is(response.status, 200);
+
+	const body = response.body as {
+		actions: Array<{ value: string; resource?: string }>;
+	};
+
+	t.true(Array.isArray(body.actions));
+	t.true(body.actions.length > 0);
+
+	const values = new Set(body.actions.map((a) => a.value));
+
+	for (const cedarValue of Object.values(CedarAction)) {
+		t.true(values.has(cedarValue), `catalog missing CedarAction ${cedarValue}`);
+	}
+
+	t.false(values.has('*'), 'catalog must NOT include synthesized wildcards');
+	t.false(values.has('table:*'), 'catalog must NOT include synthesized wildcards');
+	t.false(values.has('dashboard:*'), 'catalog must NOT include synthesized wildcards');
+
+	const byValue = new Map(body.actions.map((a) => [a.value, a]));
+
+	t.is(byValue.get('connection:read')!.resource, 'connection');
+	t.is(byValue.get('group:edit')!.resource, 'group');
+	t.is(byValue.get('table:read')!.resource, 'table');
+	t.is(byValue.get('actionEvent:trigger')!.resource, 'actionEvent');
+	t.is(byValue.get('dashboard:read')!.resource, 'dashboard');
+	t.is(byValue.get('dashboard:create')!.resource, 'dashboard');
+	t.is(byValue.get('panel:read')!.resource, 'panel');
+
+	for (const action of body.actions) {
+		t.is(Object.hasOwn(action, 'label'), false, `action ${action.value} should not have label`);
+		t.is(Object.hasOwn(action, 'shortLabel'), false, `action ${action.value} should not have shortLabel`);
+		t.is(Object.hasOwn(action, 'icon'), false, `action ${action.value} should not have icon`);
+	}
+});
+
+test.serial('GET /permissions/available requires authentication', async (t) => {
+	const response = await request(app.getHttpServer()).get('/permissions/available').set('Accept', 'application/json');
+
+	t.is(response.status, 401);
+});

frontend/src/app/app.component.spec.ts

@@ -261,6 +261,14 @@ describe('AppComponent', () => {
 	});
 
 	it('should handle user login flow when cast emits user with expires', async () => {
+		// AppComponent schedules a setTimeout to log the user out when the token expires. If
+		// fixture.whenStable() waits longer than that timer (e.g. while a stray HTTP request
+		// from a transitively-injected service settles), the callback fires and resets
+		// userLoggedIn back to null. Swap setTimeout for a no-op so the timer can't fire.
+		const setTimeoutSpy = vi
+			.spyOn(window, 'setTimeout')
+			.mockImplementation(() => 1 as unknown as ReturnType<typeof setTimeout>);
+
 		mockCompanyService.getWhiteLabelProperties.mockReturnValue(of({ logo: '', favicon: '' }));
 		mockUiSettingsService.getUiSettings.mockReturnValue(
 			of({ globalSettings: { lastFeatureNotificationId: 'old-id' } }),
@@ -285,12 +293,22 @@ describe('AppComponent', () => {
 		expect(mockCompanyService.getWhiteLabelProperties).toHaveBeenCalledWith('company-12345678');
 		expect(mockUiSettingsService.getUiSettings).toHaveBeenCalled();
 		expect(app.isFeatureNotificationShown).toBe(true);
+
+		setTimeoutSpy.mockRestore();
 	});
 
 	it('should restore session and log out after token expiration', async () => {
+		// Lingering subscriptions from previous tests (AppComponent never unsubscribes from
+		// authCast) also schedule setTimeouts when cast.next fires. Capture only the timeout
+		// queued immediately after THIS app's mocked initializeUserSession, which is the one
+		// scheduled by the session-restoration branch for this component instance.
 		let capturedTimeoutCallback: Function | null = null;
+		let captureNextTimeout = false;
 		const setTimeoutSpy = vi.spyOn(window, 'setTimeout').mockImplementation((callback: Function) => {
-			capturedTimeoutCallback = callback;
+			if (captureNextTimeout) {
+				capturedTimeoutCallback = callback;
+				captureNextTimeout = false;
+			}
 			return 1 as unknown as ReturnType<typeof setTimeout>;
 		});
 
@@ -299,6 +317,7 @@ describe('AppComponent', () => {
 
 		vi.spyOn(app, 'initializeUserSession').mockImplementation(() => {
 			app.userLoggedIn = true;
+			captureNextTimeout = true;
 		});
 
 		app.ngOnInit();
@@ -307,11 +326,9 @@ describe('AppComponent', () => {
 		await fixture.whenStable();
 
 		expect(app.initializeUserSession).toHaveBeenCalled();
+		expect(capturedTimeoutCallback).not.toBeNull();
 
-		// Execute the timeout callback that was captured
-		if (capturedTimeoutCallback) {
-			capturedTimeoutCallback();
-		}
+		capturedTimeoutCallback!();
 
 		expect(app.logOut).toHaveBeenCalledWith(true);
 		expect(app.router.navigate).toHaveBeenCalledWith(['/login']);

frontend/src/app/components/ui-components/filter-fields/date-time/date-time.component.ts

@@ -148,14 +148,14 @@ export class DateTimeFilterComponent extends BaseFilterFieldComponent implements
 
 	private _restoreBetween(value: string[]): void {
 		if (value[0]) {
-			const lower = new Date(value[0]);
-			this.lowerDate = format(lower, 'yyyy-MM-dd');
-			this.lowerTime = format(lower, 'HH:mm:ss');
+			const iso = new Date(value[0]).toISOString();
+			this.lowerDate = iso.slice(0, 10);
+			this.lowerTime = iso.slice(11, 19);
 		}
 		if (value[1]) {
-			const upper = new Date(value[1]);
-			this.upperDate = format(upper, 'yyyy-MM-dd');
-			this.upperTime = format(upper, 'HH:mm:ss');
+			const iso = new Date(value[1]).toISOString();
+			this.upperDate = iso.slice(0, 10);
+			this.upperTime = iso.slice(11, 19);
 		}
 	}
 

frontend/src/app/components/users/cedar-policy-list/cedar-policy-list.component.html

@@ -58,7 +58,7 @@
                                                 <mat-optgroup [label]="actionGroup.group">
                                                     @for (action of actionGroup.actions; track action.value) {
                                                         <mat-option [value]="action.value">
-                                                            {{ action.label }}
+                                                            {{ getActionLabel(action.value) }}
                                                         </mat-option>
                                                     }
                                                 </mat-optgroup>
@@ -125,7 +125,7 @@
                             <mat-optgroup [label]="group.group">
                                 @for (action of group.actions; track action.value) {
                                     <mat-option [value]="action.value">
-                                        {{ action.label }}
+                                        {{ getActionLabel(action.value) }}
                                     </mat-option>
                                 }
                             </mat-optgroup>

frontend/src/app/components/users/cedar-policy-list/cedar-policy-list.component.spec.ts

@@ -1,8 +1,45 @@
+import { signal } from '@angular/core';
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { FormsModule } from '@angular/forms';
 import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+import { PolicyAction, PolicyActionGroup } from 'src/app/lib/cedar-policy-items';
+import { UsersService } from 'src/app/services/users.service';
 import { CedarPolicyListComponent } from './cedar-policy-list.component';
 
+const fixtureGroups: PolicyActionGroup[] = [
+	{
+		group: 'Connection',
+		actions: [
+			{ value: 'connection:read', resource: 'connection' },
+			{ value: 'connection:edit', resource: 'connection' },
+		],
+	},
+	{
+		group: 'Group',
+		actions: [
+			{ value: 'group:read', resource: 'group' },
+			{ value: 'group:edit', resource: 'group' },
+		],
+	},
+	{
+		group: 'Table',
+		actions: [
+			{ value: 'table:read', resource: 'table' },
+			{ value: 'table:edit', resource: 'table' },
+		],
+	},
+	{
+		group: 'Dashboard',
+		actions: [
+			{ value: 'dashboard:read', resource: 'dashboard' },
+			{ value: 'dashboard:create', resource: 'dashboard' },
+			{ value: 'dashboard:edit', resource: 'dashboard' },
+		],
+	},
+];
+
+const flatActions: PolicyAction[] = fixtureGroups.flatMap((g) => g.actions);
+
 describe('CedarPolicyListComponent', () => {
 	let component: CedarPolicyListComponent;
 	let fixture: ComponentFixture<CedarPolicyListComponent>;
@@ -18,8 +55,16 @@ describe('CedarPolicyListComponent', () => {
 	];
 
 	beforeEach(async () => {
+		const groupsSignal = signal(fixtureGroups);
+		const actionsSignal = signal(flatActions);
+		const mockUsersService: Partial<UsersService> = {
+			availablePermissionGroups: groupsSignal.asReadonly() as UsersService['availablePermissionGroups'],
+			availablePermissions: actionsSignal.asReadonly() as UsersService['availablePermissions'],
+		};
+
 		await TestBed.configureTestingModule({
 			imports: [CedarPolicyListComponent, FormsModule, BrowserAnimationsModule],
+			providers: [{ provide: UsersService, useValue: mockUsersService }],
 		}).compileComponents();
 
 		fixture = TestBed.createComponent(CedarPolicyListComponent);
@@ -210,9 +255,36 @@ describe('CedarPolicyListComponent', () => {
 		expect(component.needsDashboard).toBe(true);
 	});
 
+	it('should treat dashboard:create as scopeless', () => {
+		component.newAction = 'dashboard:create';
+		expect(component.needsDashboard).toBe(false);
+	});
+
 	it('should return correct dashboard display names', () => {
 		expect(component.getDashboardDisplayName('dash-1')).toBe('Sales Dashboard');
 		expect(component.getDashboardDisplayName('unknown')).toBe('unknown');
 		expect(component.getDashboardDisplayName('*')).toBe('All dashboards');
 	});
+
+	it('should synthesize General and prefix wildcards in addActionGroups', () => {
+		const testable = component as CedarPolicyListComponent & {
+			addActionGroups: () => PolicyActionGroup[];
+		};
+		const groups = testable.addActionGroups();
+		const general = groups.find((g) => g.group === 'General');
+		expect(general).toBeTruthy();
+		expect(general!.actions[0].value).toBe('*');
+
+		const table = groups.find((g) => g.group === 'Table');
+		expect(table).toBeTruthy();
+		expect(table!.actions[0].value).toBe('table:*');
+		expect(table!.actions[0].resource).toBe('table');
+
+		const dashboard = groups.find((g) => g.group === 'Dashboard');
+		expect(dashboard).toBeTruthy();
+		expect(dashboard!.actions[0].value).toBe('dashboard:*');
+
+		const connection = groups.find((g) => g.group === 'Connection');
+		expect(connection!.actions[0].value).toBe('connection:read');
+	});
 });