feat: wip casl policies (#334)

* feat: wip casl policies

* feat: add ability guard on pipeline resolvers

* fix: test

server/src/ability/ability.action.ts

@@ -0,0 +1,7 @@
+export enum AbilityAction {
+  Manage = 'manage',
+  Create = 'create',
+  Read = 'read',
+  Update = 'update',
+  Delete = 'delete',
+}

server/src/ability/ability.factory.ts

@@ -0,0 +1,98 @@
+import { PureAbility, AbilityBuilder, subject } from '@casl/ability';
+import { createPrismaAbility, PrismaQuery, Subjects } from '@casl/prisma';
+import { Injectable } from '@nestjs/common';
+import {
+  CommentThread,
+  Company,
+  Comment,
+  Person,
+  RefreshToken,
+  User,
+  Workspace,
+  WorkspaceMember,
+  CommentThreadTarget,
+  Pipeline,
+  PipelineStage,
+  PipelineProgress,
+} from '@prisma/client';
+import { AbilityAction } from './ability.action';
+
+type SubjectsAbility = Subjects<{
+  User: User;
+  Workspace: Workspace;
+  WorkspaceMember: WorkspaceMember;
+  Company: Company;
+  Person: Person;
+  RefreshToken: RefreshToken;
+  CommentThread: CommentThread;
+  Comment: Comment;
+  CommentThreadTarget: CommentThreadTarget;
+  Pipeline: Pipeline;
+  PipelineStage: PipelineStage;
+  PipelineProgress: PipelineProgress;
+}>;
+
+export type AppAbility = PureAbility<
+  [string, SubjectsAbility | 'all'],
+  PrismaQuery
+>;
+
+@Injectable()
+export class AbilityFactory {
+  defineAbility(user: User, workspace: Workspace) {
+    const { can, cannot, build } = new AbilityBuilder<AppAbility>(
+      createPrismaAbility,
+    );
+
+    // User
+    can(AbilityAction.Update, 'User', { id: user.id });
+    cannot(AbilityAction.Delete, 'User');
+
+    // Workspace
+    can(AbilityAction.Read, 'Workspace', { id: workspace.id });
+
+    // Workspace Member
+    can(AbilityAction.Read, 'WorkspaceMember', { userId: user.id });
+
+    // Company
+    can(AbilityAction.Read, 'Company', { workspaceId: workspace.id });
+
+    // Person
+    can(AbilityAction.Read, 'Person', { workspaceId: workspace.id });
+
+    // RefreshToken
+    cannot(AbilityAction.Manage, 'RefreshToken');
+
+    // CommentThread
+    can(AbilityAction.Read, 'CommentThread', { workspaceId: workspace.id });
+
+    // Comment
+    can(AbilityAction.Read, 'Comment', { workspaceId: workspace.id });
+    can(AbilityAction.Update, 'Comment', {
+      workspaceId: workspace.id,
+      authorId: user.id,
+    });
+    can(AbilityAction.Delete, 'Comment', {
+      workspaceId: workspace.id,
+      authorId: user.id,
+    });
+
+    // CommentThreadTarget
+    can(AbilityAction.Read, 'CommentThreadTarget');
+
+    // Pipeline
+    can(AbilityAction.Read, 'Pipeline', { workspaceId: workspace.id });
+
+    // PipelineStage
+    can(AbilityAction.Read, 'PipelineStage', { workspaceId: workspace.id });
+    can(AbilityAction.Update, 'PipelineStage', { workspaceId: workspace.id });
+
+    // PipelineProgress
+    can(AbilityAction.Read, 'PipelineProgress', { workspaceId: workspace.id });
+    can(AbilityAction.Update, 'PipelineProgress', {
+      workspaceId: workspace.id,
+    });
+
+    return build();
+  }
+}

server/src/ability/ability.module.ts

@@ -0,0 +1,243 @@
+import { Global, Module } from '@nestjs/common';
+import { AbilityFactory } from 'src/ability/ability.factory';
+import { PrismaService } from 'src/database/prisma.service';
+import {
+  CreateUserAbilityHandler,
+  DeleteUserAbilityHandler,
+  ManageUserAbilityHandler,
+  ReadUserAbilityHandler,
+  UpdateUserAbilityHandler,
+} from './handlers/user.ability-handler';
+import {
+  CreateWorkspaceAbilityHandler,
+  DeleteWorkspaceAbilityHandler,
+  ManageWorkspaceAbilityHandler,
+  ReadWorkspaceAbilityHandler,
+  UpdateWorkspaceAbilityHandler,
+} from './handlers/workspace.ability-handler';
+import {
+  CreateWorkspaceMemberAbilityHandler,
+  DeleteWorkspaceMemberAbilityHandler,
+  ManageWorkspaceMemberAbilityHandler,
+  ReadWorkspaceMemberAbilityHandler,
+  UpdateWorkspaceMemberAbilityHandler,
+} from './handlers/workspace-member.ability-handler';
+import {
+  ManageCompanyAbilityHandler,
+  ReadCompanyAbilityHandler,
+  CreateCompanyAbilityHandler,
+  UpdateCompanyAbilityHandler,
+  DeleteCompanyAbilityHandler,
+} from './handlers/company.ability-handler';
+import {
+  CreatePersonAbilityHandler,
+  DeletePersonAbilityHandler,
+  ManagePersonAbilityHandler,
+  ReadPersonAbilityHandler,
+  UpdatePersonAbilityHandler,
+} from './handlers/person.ability-handler';
+import {
+  ManageRefreshTokenAbilityHandler,
+  ReadRefreshTokenAbilityHandler,
+  CreateRefreshTokenAbilityHandler,
+  UpdateRefreshTokenAbilityHandler,
+  DeleteRefreshTokenAbilityHandler,
+} from './handlers/refresh-token.ability-handler';
+import {
+  ManageCommentThreadAbilityHandler,
+  ReadCommentThreadAbilityHandler,
+  CreateCommentThreadAbilityHandler,
+  UpdateCommentThreadAbilityHandler,
+  DeleteCommentThreadAbilityHandler,
+} from './handlers/comment-thread.ability-handler';
+import {
+  ManageCommentAbilityHandler,
+  ReadCommentAbilityHandler,
+  CreateCommentAbilityHandler,
+  UpdateCommentAbilityHandler,
+  DeleteCommentAbilityHandler,
+} from './handlers/comment.ability-handler';
+import {
+  ManageCommentThreadTargetAbilityHandler,
+  ReadCommentThreadTargetAbilityHandler,
+  CreateCommentThreadTargetAbilityHandler,
+  UpdateCommentThreadTargetAbilityHandler,
+  DeleteCommentThreadTargetAbilityHandler,
+} from './handlers/comment-thread-target.ability-handler';
+import {
+  ManagePipelineAbilityHandler,
+  ReadPipelineAbilityHandler,
+  CreatePipelineAbilityHandler,
+  UpdatePipelineAbilityHandler,
+  DeletePipelineAbilityHandler,
+} from './handlers/pipeline.ability-handler';
+import {
+  ManagePipelineStageAbilityHandler,
+  ReadPipelineStageAbilityHandler,
+  CreatePipelineStageAbilityHandler,
+  UpdatePipelineStageAbilityHandler,
+  DeletePipelineStageAbilityHandler,
+} from './handlers/pipeline-stage.ability-handler';
+import {
+  ManagePipelineProgressAbilityHandler,
+  ReadPipelineProgressAbilityHandler,
+  CreatePipelineProgressAbilityHandler,
+  UpdatePipelineProgressAbilityHandler,
+  DeletePipelineProgressAbilityHandler,
+} from './handlers/pipeline-progress.ability-handler';
+
+@Global()
+@Module({
+  providers: [
+    AbilityFactory,
+    PrismaService,
+    // User
+    ManageUserAbilityHandler,
+    ReadUserAbilityHandler,
+    CreateUserAbilityHandler,
+    UpdateUserAbilityHandler,
+    DeleteUserAbilityHandler,
+    // Workspace
+    ManageWorkspaceAbilityHandler,
+    ReadWorkspaceAbilityHandler,
+    CreateWorkspaceAbilityHandler,
+    UpdateWorkspaceAbilityHandler,
+    DeleteWorkspaceAbilityHandler,
+    // Workspace Member
+    ManageWorkspaceMemberAbilityHandler,
+    ReadWorkspaceMemberAbilityHandler,
+    CreateWorkspaceMemberAbilityHandler,
+    UpdateWorkspaceMemberAbilityHandler,
+    DeleteWorkspaceMemberAbilityHandler,
+    // Company
+    ManageCompanyAbilityHandler,
+    ReadCompanyAbilityHandler,
+    CreateCompanyAbilityHandler,
+    UpdateCompanyAbilityHandler,
+    DeleteCompanyAbilityHandler,
+    // Person
+    ManagePersonAbilityHandler,
+    ReadPersonAbilityHandler,
+    CreatePersonAbilityHandler,
+    UpdatePersonAbilityHandler,
+    DeletePersonAbilityHandler,
+    // RefreshToken
+    ManageRefreshTokenAbilityHandler,
+    ReadRefreshTokenAbilityHandler,
+    CreateRefreshTokenAbilityHandler,
+    UpdateRefreshTokenAbilityHandler,
+    DeleteRefreshTokenAbilityHandler,
+    // CommentThread
+    ManageCommentThreadAbilityHandler,
+    ReadCommentThreadAbilityHandler,
+    CreateCommentThreadAbilityHandler,
+    UpdateCommentThreadAbilityHandler,
+    DeleteCommentThreadAbilityHandler,
+    // Comment
+    ManageCommentAbilityHandler,
+    ReadCommentAbilityHandler,
+    CreateCommentAbilityHandler,
+    UpdateCommentAbilityHandler,
+    DeleteCommentAbilityHandler,
+    // CommentThreadTarget
+    ManageCommentThreadTargetAbilityHandler,
+    ReadCommentThreadTargetAbilityHandler,
+    CreateCommentThreadTargetAbilityHandler,
+    UpdateCommentThreadTargetAbilityHandler,
+    DeleteCommentThreadTargetAbilityHandler,
+    // Pipeline
+    ManagePipelineAbilityHandler,
+    ReadPipelineAbilityHandler,
+    CreatePipelineAbilityHandler,
+    UpdatePipelineAbilityHandler,
+    DeletePipelineAbilityHandler,
+    // PipelineStage
+    ManagePipelineStageAbilityHandler,
+    ReadPipelineStageAbilityHandler,
+    CreatePipelineStageAbilityHandler,
+    UpdatePipelineStageAbilityHandler,
+    DeletePipelineStageAbilityHandler,
+    // PipelineProgress
+    ManagePipelineProgressAbilityHandler,
+    ReadPipelineProgressAbilityHandler,
+    CreatePipelineProgressAbilityHandler,
+    UpdatePipelineProgressAbilityHandler,
+    DeletePipelineProgressAbilityHandler,
+  ],
+  exports: [
+    AbilityFactory,
+    // User
+    ManageUserAbilityHandler,
+    ReadUserAbilityHandler,
+    CreateUserAbilityHandler,
+    UpdateUserAbilityHandler,
+    DeleteUserAbilityHandler,
+    // Workspace
+    ManageWorkspaceAbilityHandler,
+    ReadWorkspaceAbilityHandler,
+    CreateWorkspaceAbilityHandler,
+    UpdateWorkspaceAbilityHandler,
+    DeleteWorkspaceAbilityHandler,
+    // Workspace Member
+    ManageWorkspaceMemberAbilityHandler,
+    ReadWorkspaceMemberAbilityHandler,
+    CreateWorkspaceMemberAbilityHandler,
+    UpdateWorkspaceMemberAbilityHandler,
+    DeleteWorkspaceMemberAbilityHandler,
+    // Company
+    ManageCompanyAbilityHandler,
+    ReadCompanyAbilityHandler,
+    CreateCompanyAbilityHandler,
+    UpdateCompanyAbilityHandler,
+    DeleteCompanyAbilityHandler,
+    // Person
+    ManagePersonAbilityHandler,
+    ReadPersonAbilityHandler,
+    CreatePersonAbilityHandler,
+    UpdatePersonAbilityHandler,
+    DeletePersonAbilityHandler,
+    // RefreshToken
+    ManageRefreshTokenAbilityHandler,
+    ReadRefreshTokenAbilityHandler,
+    CreateRefreshTokenAbilityHandler,
+    UpdateRefreshTokenAbilityHandler,
+    DeleteRefreshTokenAbilityHandler,
+    // CommentThread
+    ManageCommentThreadAbilityHandler,
+    ReadCommentThreadAbilityHandler,
+    CreateCommentThreadAbilityHandler,
+    UpdateCommentThreadAbilityHandler,
+    DeleteCommentThreadAbilityHandler,
+    // Comment
+    ManageCommentAbilityHandler,
+    ReadCommentAbilityHandler,
+    CreateCommentAbilityHandler,
+    UpdateCommentAbilityHandler,
+    DeleteCommentAbilityHandler,
+    // CommentThreadTarget
+    ManageCommentThreadTargetAbilityHandler,
+    ReadCommentThreadTargetAbilityHandler,
+    CreateCommentThreadTargetAbilityHandler,
+    UpdateCommentThreadTargetAbilityHandler,
+    DeleteCommentThreadTargetAbilityHandler,
+    // Pipeline
+    ManagePipelineAbilityHandler,
+    ReadPipelineAbilityHandler,
+    CreatePipelineAbilityHandler,
+    UpdatePipelineAbilityHandler,
+    DeletePipelineAbilityHandler,
+    // PipelineStage
+    ManagePipelineStageAbilityHandler,
+    ReadPipelineStageAbilityHandler,
+    CreatePipelineStageAbilityHandler,
+    UpdatePipelineStageAbilityHandler,
+    DeletePipelineStageAbilityHandler,
+    // PipelineProgress
+    ManagePipelineProgressAbilityHandler,
+    ReadPipelineProgressAbilityHandler,
+    CreatePipelineProgressAbilityHandler,
+    UpdatePipelineProgressAbilityHandler,
+    DeletePipelineProgressAbilityHandler,
+  ],
+})
+export class AbilityModule {}

server/src/ability/handlers/comment-thread-target.ability-handler.ts

@@ -0,0 +1,50 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageCommentThreadTargetAbilityHandler
+  implements IAbilityHandler
+{
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'CommentThreadTarget');
+  }
+}
+
+@Injectable()
+export class ReadCommentThreadTargetAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'CommentThreadTarget');
+  }
+}
+
+@Injectable()
+export class CreateCommentThreadTargetAbilityHandler
+  implements IAbilityHandler
+{
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'CommentThreadTarget');
+  }
+}
+
+@Injectable()
+export class UpdateCommentThreadTargetAbilityHandler
+  implements IAbilityHandler
+{
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'CommentThreadTarget');
+  }
+}
+
+@Injectable()
+export class DeleteCommentThreadTargetAbilityHandler
+  implements IAbilityHandler
+{
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'CommentThreadTarget');
+  }
+}

server/src/ability/handlers/comment-thread.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageCommentThreadAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'CommentThread');
+  }
+}
+
+@Injectable()
+export class ReadCommentThreadAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'CommentThread');
+  }
+}
+
+@Injectable()
+export class CreateCommentThreadAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'CommentThread');
+  }
+}
+
+@Injectable()
+export class UpdateCommentThreadAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'CommentThread');
+  }
+}
+
+@Injectable()
+export class DeleteCommentThreadAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'CommentThread');
+  }
+}

server/src/ability/handlers/comment.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageCommentAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'Comment');
+  }
+}
+
+@Injectable()
+export class ReadCommentAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'Comment');
+  }
+}
+
+@Injectable()
+export class CreateCommentAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'Comment');
+  }
+}
+
+@Injectable()
+export class UpdateCommentAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'Comment');
+  }
+}
+
+@Injectable()
+export class DeleteCommentAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'Comment');
+  }
+}

server/src/ability/handlers/company.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageCompanyAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'Company');
+  }
+}
+
+@Injectable()
+export class ReadCompanyAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'Company');
+  }
+}
+
+@Injectable()
+export class CreateCompanyAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'Company');
+  }
+}
+
+@Injectable()
+export class UpdateCompanyAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'Company');
+  }
+}
+
+@Injectable()
+export class DeleteCompanyAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'Company');
+  }
+}

server/src/ability/handlers/person.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManagePersonAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'Person');
+  }
+}
+
+@Injectable()
+export class ReadPersonAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'Person');
+  }
+}
+
+@Injectable()
+export class CreatePersonAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'Person');
+  }
+}
+
+@Injectable()
+export class UpdatePersonAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'Person');
+  }
+}
+
+@Injectable()
+export class DeletePersonAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'Person');
+  }
+}

server/src/ability/handlers/pipeline-progress.ability-handler.ts

@@ -0,0 +1,78 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import {
+  ExecutionContext,
+  Injectable,
+  NotFoundException,
+} from '@nestjs/common';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { assert } from 'src/utils/assert';
+import { subject } from '@casl/ability';
+import { PipelineProgressWhereInput } from 'src/core/@generated/pipeline-progress/pipeline-progress-where.input';
+
+class PipelineProgressArgs {
+  where?: PipelineProgressWhereInput;
+}
+
+@Injectable()
+export class ManagePipelineProgressAbilityHandler implements IAbilityHandler {
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'PipelineProgress');
+  }
+}
+
+@Injectable()
+export class ReadPipelineProgressAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'PipelineProgress');
+  }
+}
+
+@Injectable()
+export class CreatePipelineProgressAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'PipelineProgress');
+  }
+}
+
+@Injectable()
+export class UpdatePipelineProgressAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineProgressArgs>();
+    const pipelineProgress =
+      await this.prismaService.pipelineProgress.findFirst({
+        where: args.where,
+      });
+    assert(pipelineProgress, '', NotFoundException);
+
+    return ability.can(
+      AbilityAction.Update,
+      subject('PipelineProgress', pipelineProgress),
+    );
+  }
+}
+
+@Injectable()
+export class DeletePipelineProgressAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineProgressArgs>();
+    const pipelineProgress =
+      await this.prismaService.pipelineProgress.findFirst({
+        where: args.where,
+      });
+    assert(pipelineProgress, '', NotFoundException);
+
+    return ability.can(
+      AbilityAction.Delete,
+      subject('PipelineProgress', pipelineProgress),
+    );
+  }
+}

server/src/ability/handlers/pipeline-stage.ability-handler.ts

@@ -0,0 +1,76 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import {
+  ExecutionContext,
+  Injectable,
+  NotFoundException,
+} from '@nestjs/common';
+import { PipelineStageWhereInput } from 'src/core/@generated/pipeline-stage/pipeline-stage-where.input';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { assert } from 'src/utils/assert';
+import { subject } from '@casl/ability';
+
+class PipelineStageArgs {
+  where?: PipelineStageWhereInput;
+}
+
+@Injectable()
+export class ManagePipelineStageAbilityHandler implements IAbilityHandler {
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'PipelineStage');
+  }
+}
+
+@Injectable()
+export class ReadPipelineStageAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'PipelineStage');
+  }
+}
+
+@Injectable()
+export class CreatePipelineStageAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'PipelineStage');
+  }
+}
+
+@Injectable()
+export class UpdatePipelineStageAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineStageArgs>();
+    const pipelineStage = await this.prismaService.pipelineStage.findFirst({
+      where: args.where,
+    });
+    assert(pipelineStage, '', NotFoundException);
+
+    return ability.can(
+      AbilityAction.Update,
+      subject('PipelineStage', pipelineStage),
+    );
+  }
+}
+
+@Injectable()
+export class DeletePipelineStageAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineStageArgs>();
+    const pipelineStage = await this.prismaService.pipelineStage.findFirst({
+      where: args.where,
+    });
+    assert(pipelineStage, '', NotFoundException);
+
+    return ability.can(
+      AbilityAction.Delete,
+      subject('PipelineStage', pipelineStage),
+    );
+  }
+}

server/src/ability/handlers/pipeline.ability-handler.ts

@@ -0,0 +1,70 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import {
+  ExecutionContext,
+  Injectable,
+  NotFoundException,
+} from '@nestjs/common';
+import { PipelineWhereInput } from 'src/core/@generated/pipeline/pipeline-where.input';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { assert } from 'src/utils/assert';
+import { subject } from '@casl/ability';
+
+class PipelineArgs {
+  where?: PipelineWhereInput;
+}
+
+@Injectable()
+export class ManagePipelineAbilityHandler implements IAbilityHandler {
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'Pipeline');
+  }
+}
+
+@Injectable()
+export class ReadPipelineAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'Pipeline');
+  }
+}
+
+@Injectable()
+export class CreatePipelineAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'Pipeline');
+  }
+}
+
+@Injectable()
+export class UpdatePipelineAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineArgs>();
+    const pipeline = await this.prismaService.pipeline.findFirst({
+      where: args.where,
+    });
+    assert(pipeline, '', NotFoundException);
+
+    return ability.can(AbilityAction.Update, subject('Pipeline', pipeline));
+  }
+}
+
+@Injectable()
+export class DeletePipelineAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<PipelineArgs>();
+    const pipeline = await this.prismaService.pipeline.findFirst({
+      where: args.where,
+    });
+    assert(pipeline, '', NotFoundException);
+
+    return ability.can(AbilityAction.Delete, subject('Pipeline', pipeline));
+  }
+}

server/src/ability/handlers/refresh-token.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageRefreshTokenAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'RefreshToken');
+  }
+}
+
+@Injectable()
+export class ReadRefreshTokenAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'RefreshToken');
+  }
+}
+
+@Injectable()
+export class CreateRefreshTokenAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'RefreshToken');
+  }
+}
+
+@Injectable()
+export class UpdateRefreshTokenAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'RefreshToken');
+  }
+}
+
+@Injectable()
+export class DeleteRefreshTokenAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'RefreshToken');
+  }
+}

server/src/ability/handlers/user.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageUserAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'User');
+  }
+}
+
+@Injectable()
+export class ReadUserAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'User');
+  }
+}
+
+@Injectable()
+export class CreateUserAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'User');
+  }
+}
+
+@Injectable()
+export class UpdateUserAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'User');
+  }
+}
+
+@Injectable()
+export class DeleteUserAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'User');
+  }
+}

server/src/ability/handlers/workspace-member.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageWorkspaceMemberAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'WorkspaceMember');
+  }
+}
+
+@Injectable()
+export class ReadWorkspaceMemberAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'WorkspaceMember');
+  }
+}
+
+@Injectable()
+export class CreateWorkspaceMemberAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'WorkspaceMember');
+  }
+}
+
+@Injectable()
+export class UpdateWorkspaceMemberAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'WorkspaceMember');
+  }
+}
+
+@Injectable()
+export class DeleteWorkspaceMemberAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'WorkspaceMember');
+  }
+}

server/src/ability/handlers/workspace.ability-handler.ts

@@ -0,0 +1,42 @@
+import { PrismaService } from 'src/database/prisma.service';
+import { AbilityAction } from '../ability.action';
+import { AppAbility } from '../ability.factory';
+import { IAbilityHandler } from '../interfaces/ability-handler.interface';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class ManageWorkspaceAbilityHandler implements IAbilityHandler {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Manage, 'Workspace');
+  }
+}
+
+@Injectable()
+export class ReadWorkspaceAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Read, 'Workspace');
+  }
+}
+
+@Injectable()
+export class CreateWorkspaceAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Create, 'Workspace');
+  }
+}
+
+@Injectable()
+export class UpdateWorkspaceAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Update, 'Workspace');
+  }
+}
+
+@Injectable()
+export class DeleteWorkspaceAbilityHandler implements IAbilityHandler {
+  handle(ability: AppAbility) {
+    return ability.can(AbilityAction.Delete, 'Workspace');
+  }
+}

server/src/ability/interfaces/ability-handler.interface.ts

@@ -0,0 +1,11 @@
+import { ExecutionContext, Type } from '@nestjs/common';
+import { AppAbility } from '../ability.factory';
+
+export interface IAbilityHandler {
+  handle(
+    ability: AppAbility,
+    executionContext: ExecutionContext,
+  ): Promise<boolean> | boolean;
+}
+
+export type AbilityHandler = Type<IAbilityHandler>;