"use strict"; var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.AllPermissionsGuard = exports.PermissionsGuard = exports.RequireRoles = exports.RequirePermissions = exports.ROLES_KEY = exports.PERMISSIONS_KEY = void 0; const common_1 = require("@nestjs/common"); const core_1 = require("@nestjs/core"); const rbac_service_1 = require("../services/rbac.service"); exports.PERMISSIONS_KEY = 'permissions'; exports.ROLES_KEY = 'roles'; const RequirePermissions = (...permissions) => (target, key, descriptor) => { Reflect.defineMetadata(exports.PERMISSIONS_KEY, permissions, descriptor?.value || target); return descriptor || target; }; exports.RequirePermissions = RequirePermissions; const RequireRoles = (...roles) => (target, key, descriptor) => { Reflect.defineMetadata(exports.ROLES_KEY, roles, descriptor?.value || target); return descriptor || target; }; exports.RequireRoles = RequireRoles; let PermissionsGuard = class PermissionsGuard { constructor(reflector, rbacService) { this.reflector = reflector; this.rbacService = rbacService; } async canActivate(context) { const requiredPermissions = this.reflector.getAllAndOverride(exports.PERMISSIONS_KEY, [context.getHandler(), context.getClass()]); const requiredRoles = this.reflector.getAllAndOverride(exports.ROLES_KEY, [ context.getHandler(), context.getClass(), ]); if (!requiredPermissions?.length && !requiredRoles?.length) { return true; } const request = context.switchToHttp().getRequest(); const user = request.user; if (!user) { throw new common_1.ForbiddenException('Usuario no autenticado'); } const { id: userId, tenant_id: tenantId } = user; if (requiredRoles?.length) { for (const role of requiredRoles) { const hasRole = await this.rbacService.userHasRole(userId, tenantId, role); if (hasRole) { return true; } } } if (requiredPermissions?.length) { const hasPermission = await this.rbacService.userHasAnyPermission(userId, tenantId, requiredPermissions); if (hasPermission) { return true; } } throw new common_1.ForbiddenException('No tiene permisos suficientes para esta acción'); } }; exports.PermissionsGuard = PermissionsGuard; exports.PermissionsGuard = PermissionsGuard = __decorate([ (0, common_1.Injectable)(), __metadata("design:paramtypes", [core_1.Reflector, rbac_service_1.RbacService]) ], PermissionsGuard); let AllPermissionsGuard = class AllPermissionsGuard { constructor(reflector, rbacService) { this.reflector = reflector; this.rbacService = rbacService; } async canActivate(context) { const requiredPermissions = this.reflector.getAllAndOverride(exports.PERMISSIONS_KEY, [context.getHandler(), context.getClass()]); if (!requiredPermissions?.length) { return true; } const request = context.switchToHttp().getRequest(); const user = request.user; if (!user) { throw new common_1.ForbiddenException('Usuario no autenticado'); } const hasAll = await this.rbacService.userHasAllPermissions(user.id, user.tenant_id, requiredPermissions); if (!hasAll) { throw new common_1.ForbiddenException('No tiene todos los permisos requeridos'); } return true; } }; exports.AllPermissionsGuard = AllPermissionsGuard; exports.AllPermissionsGuard = AllPermissionsGuard = __decorate([ (0, common_1.Injectable)(), __metadata("design:paramtypes", [core_1.Reflector, rbac_service_1.RbacService]) ], AllPermissionsGuard); //# sourceMappingURL=permissions.guard.js.map