feat: create permission table

[pyphilia]

This is a draft: it still looks messy. The goal would be to centralized the permission so it's not always "deduced" by the frontend.

We could add operations non related to items too (eg. prevent pseudo members to export their own analytics)

The idea would be to allow it to be used:

const shouldShow = can(COPY, item, member)

if(!shouldShow) { 
  return null
  // or
  return <You don't have the permission to perform this op>
}

return <div/>

Instead of having many ways to check the permissions

// create app data - only signed in member can create data
const shouldShow = Boolean(member)
// copy, create - only signed in member (and not pseudo) can copy
const shouldShow = Boolean(member && member !== PSEUDO)
// hide item - at least write, the front needs to always remember which permission is required
const shouldShow = PermissionLevelCompare.gte(permission, WRITE)

if(!shouldShow) { 
  return null
  // or
  return <You don't have the permission to perform this op>
}

return <div/>

Questions:

• could this be used in the backend?

[sonarqubecloud]

Quality Gate passed

Issues
11 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[spaenleh]

Thank you for this PR, I like the idea, and I see the need to have a better way to express the abilities in a central way, so the frontend can present a consistent UI and we are confident that users get the expected experience.

It reminds me of https://casl.js.org/v6/en/ I don't know if we should try to use it, as it may be overkill, so maybe we start with rolling out our own implementation. But maybe there are some things we can take from them.

Already it looks good, I did not fully review, let me know if you want to discuss this today.

[Defferrard]

This PR is 🔥, I love it !
What about using namespaces so we reduce the amount of operations ? We can also have an enumeration of roles so we can type check it !

Suggested change

	export enum Operation {
	ReadItem = 'read-item',
	MoveItem = 'move-item',
	CopyItem = 'copy-item',
	HideItem = 'hide-item',
	DownloadItem = 'download-item',
	}
	// don't take into account hidden: suppose backend will prevent read from beginning
	// pseudonymized users cannot create items and can only view a specific item
	const SIGNED_IN_OPERATIONS_PERMISSIONS = {
	[Operation.ReadItem]: {
	admin: true,
	write: true,
	read: true,
	pseudonymized: true,
	public: true,
	},
	[Operation.CopyItem]: {
	admin: true,
	write: true,
	read: true,
	pseudonymized: false,
	public: true,
	},
	export enum Operation {
	Read = 'read',
	Move = 'move',
	Copy = 'copy',
	Hide = 'hide',
	Download = 'download',
	}
	export enum Namespace {
	Item = 'item',
	Membership = 'Membership',
	Analytics = 'Analytics',
	Profile = 'Profile'
	}
	export enum Role {
	Admin = 'admin',
	Write = 'write',
	Read = 'read',
	Pseudonymized = 'pseudonymized',
	Public = 'public'
	}
	// don't take into account hidden: suppose backend will prevent read from beginning
	// pseudonymized users cannot create items and can only view a specific item
	const SIGNED_IN_OPERATIONS_PERMISSIONS: { [key in Namespace]?: { [key in Operation]?: { [key in Role]?: boolean } } } = {
	[Namespace.Item]: {
	[Operation.Read]: {
	[Role.Admin]: true,
	[Role.Write]: true,
	[Role.Read]: true,
	[Role.Pseudonymized]: true,
	[Role.Public]: true,
	},
	[Operation.Copy]: {
	[Role.Admin]: true,
	[Role.Write]: true,
	[Role.Read]: true,
	[Role.Pseudonymized]: false,
	[Role.Public]: true,
	},