(
credentialId: string,
userId: string,
options?: { workspaceAccess?: WorkspaceAccess }
)
| 54 | * redundant lookup; it is reused only when it matches the credential's workspace. |
| 55 | */ |
| 56 | export async function getCredentialActorContext( |
| 57 | credentialId: string, |
| 58 | userId: string, |
| 59 | options?: { workspaceAccess?: WorkspaceAccess } |
| 60 | ): Promise<CredentialActorContext> { |
| 61 | const [credentialRow] = await db |
| 62 | .select() |
| 63 | .from(credential) |
| 64 | .where(eq(credential.id, credentialId)) |
| 65 | .limit(1) |
| 66 | |
| 67 | if (!credentialRow) { |
| 68 | return { |
| 69 | credential: null, |
| 70 | member: null, |
| 71 | hasWorkspaceAccess: false, |
| 72 | canWriteWorkspace: false, |
| 73 | isAdmin: false, |
| 74 | } |
| 75 | } |
| 76 | |
| 77 | const providedAccess = options?.workspaceAccess |
| 78 | const workspaceAccess = |
| 79 | providedAccess && providedAccess.workspace?.id === credentialRow.workspaceId |
| 80 | ? providedAccess |
| 81 | : await checkWorkspaceAccess(credentialRow.workspaceId, userId) |
| 82 | const [memberRow] = await db |
| 83 | .select() |
| 84 | .from(credentialMember) |
| 85 | .where( |
| 86 | and( |
| 87 | eq(credentialMember.credentialId, credentialId), |
| 88 | eq(credentialMember.userId, userId), |
| 89 | eq(credentialMember.status, 'active') |
| 90 | ) |
| 91 | ) |
| 92 | .limit(1) |
| 93 | |
| 94 | const isAdmin = deriveCredentialAdmin({ |
| 95 | credentialType: credentialRow.type, |
| 96 | memberRole: memberRow?.role, |
| 97 | workspaceCanAdmin: workspaceAccess.canAdmin, |
| 98 | }) |
| 99 | |
| 100 | return { |
| 101 | credential: credentialRow, |
| 102 | member: memberRow ?? null, |
| 103 | hasWorkspaceAccess: workspaceAccess.hasAccess, |
| 104 | canWriteWorkspace: workspaceAccess.canWrite, |
| 105 | isAdmin, |
| 106 | } |
| 107 | } |
| 108 | |
| 109 | /** |
| 110 | * Revokes all credential memberships for a user across one or more workspaces. |
no test coverage detected