"use client"; import * as React from "react"; import { useParams, useRouter } from "next/navigation"; import Link from "next/link"; import { useSession } from "next-auth/react"; import { ArrowLeft, KeyRound, ShieldCheck, ShieldOff, Layers, Plus, X, UserCog, Search, } from "lucide-react"; import { toast } from "sonner"; import equal from "fast-deep-equal"; import { useGetUserQuery, useGetPermissionsQuery, useSetUserPermissionsMutation } from "@/api/rtk"; import { filterSalesTargetCatalogPermissions } from "@/lib/sales-target-catalog"; import { getApiEntityId } from "@/api/permissions/types"; import type { ApiUser } from "@/api/users/types"; import type { Permission } from "@/api/permissions/types"; import { useAuthToken } from "@/hooks/use-auth-token"; import { useAbility } from "@/components/providers/ability-provider"; import { useAppDispatch, useAppSelector } from "@/store/hooks"; import { selectUserFromCache, setUserInCache } from "@/store"; import { Button } from "@/components/ui/button"; import { Loading } from "@/components/ui/loading"; import { NoDataFound } from "@/components/ui/no-data-found"; import { KPICard } from "@/components/ui/kpi-card"; import { Checkbox } from "@/components/ui/checkbox"; import { cn } from "@/lib/utils"; import { AddPermissionDialog } from "./add-permission-dialog"; // ─── helpers ──────────────────────────────────────────────────────────────── const EMPTY_ARRAY: any[] = []; function getRoleName(role: ApiUser["role"]): string { if (!role) return "—"; return typeof role === "string" ? role : role.name; } function getRolePermissions(user: ApiUser | undefined): Permission[] { const role = user?.role; if (!role || typeof role === "string") return []; const raw = role.permissions ?? []; if (!Array.isArray(raw)) return []; return raw.filter( (p): p is Permission => typeof p === "object" && p != null && "action" in p && "resource" in p ); } /** Stable key for matching catalog permissions to role grants (resource + action). */ function permissionKey(p: Pick): string { return `${String(p.resource).toUpperCase()}.${String(p.action).toUpperCase()}`; } function groupByResource(perms: Permission[]): Map { const map = new Map(); for (const p of perms) { const key = p.resource || "OTHER"; const list = map.get(key); if (list) list.push(p); else map.set(key, [p]); } for (const [, list] of map) { list.sort((a, b) => a.action.localeCompare(b.action, undefined, { sensitivity: "base" })); } return map; } function formatResourceTitle(resource: string): string { return resource .split("_") .filter(Boolean) .map((w) => w.charAt(0).toUpperCase() + w.slice(1).toLowerCase()) .join(" "); } const ACTION_COLORS: Record = { create: "bg-emerald-50 text-emerald-700 border-emerald-200", read: "bg-blue-50 text-blue-700 border-blue-200", update: "bg-amber-50 text-amber-700 border-amber-200", delete: "bg-red-50 text-red-700 border-red-200", manage: "bg-purple-50 text-purple-700 border-purple-200", }; function actionBadgeClass(action: string): string { return ACTION_COLORS[action.toLowerCase()] ?? "bg-gray-50 text-gray-700 border-gray-200"; } // ─── sub-components ────────────────────────────────────────────────────────── function PermissionCard({ resource, perms, badge, selectedIds, onToggle, }: { resource: string; perms: Permission[]; badge?: React.ReactNode; selectedIds?: Set; onToggle?: (pid: string) => void; }) { return (

{formatResourceTitle(resource)}

{resource}

{badge} {perms.length} {perms.length === 1 ? "action" : "actions"}
    {perms.map((p, idx) => { const pid = getApiEntityId(p); const isSelected = !!(pid && selectedIds?.has(pid)); return (
  • {onToggle && pid && ( onToggle(pid)} className="border-[#d0d5dd]" /> )} {p.action}
    {p.resource}.{p.action}
    • ); })}
); } // ─── main page ─────────────────────────────────────────────────────────────── export default function UserPermissionsPage() { const params = useParams(); const router = useRouter(); const ability = useAbility(); const { token } = useAuthToken(); const { update: updateSession, status: sessionStatus } = useSession(); const dispatch = useAppDispatch(); const id = typeof params.id === "string" ? params.id : ""; const canRead = ability.can("read", "user"); const canManageUser = ability.can("manage", "user"); const canCreateUser = ability.can("create", "user"); const canUpdateUser = ability.can("update", "user"); /** Add / remove direct grants — same idea as Users list (create/manage/update on USER). */ const canEditDirectGrants = canManageUser || canCreateUser || canUpdateUser; // Cache-first: read from persisted slice const cachedUser = useAppSelector((state) => selectUserFromCache(state, id)); // Background fetch const { data: latestUser, isLoading, isError, error } = useGetUserQuery(id, { skip: !token || !id || !canRead, }); // Use latest data if available, otherwise fallback to cache const user = latestUser || cachedUser; // Background validation & cache update React.useEffect(() => { if (latestUser) { if (!equal(cachedUser, latestUser)) { dispatch(setUserInCache(latestUser)); } } }, [latestUser, cachedUser, dispatch]); const { data: allPermissionsData } = useGetPermissionsQuery(undefined, { skip: !token || !canEditDirectGrants, }); const allPermissions = React.useMemo( () => filterSalesTargetCatalogPermissions(allPermissionsData ?? []), [allPermissionsData], ); const [setUserPermissions, { isLoading: isSavingPermissions }] = useSetUserPermissionsMutation(); const [permissionActionBusy, setPermissionActionBusy] = React.useState(false); const isPermissionBusy = isSavingPermissions || permissionActionBusy; // ── role permissions (read-only) ── const rolePerms = React.useMemo(() => { const fromObjects = getRolePermissions(user); if (fromObjects.length > 0) return fromObjects; const role = user?.role; if (!role || typeof role === "string") return []; const raw = role.permissions ?? []; if (!Array.isArray(raw)) return []; const ids = raw.filter((x): x is string => typeof x === "string"); if (ids.length === 0 || allPermissions.length === 0) return []; const byId = new Map(); for (const p of allPermissions) { const pid = getApiEntityId(p); if (pid) byId.set(pid, p); } const out: Permission[] = []; for (const rid of ids) { const p = byId.get(rid); if (p) out.push(p); } return out; }, [user, allPermissions]); const roleGrouped = React.useMemo(() => groupByResource(rolePerms), [rolePerms]); const roleKeys = React.useMemo( () => Array.from(roleGrouped.keys()).sort((a, b) => a.localeCompare(b, undefined, { sensitivity: "base" })), [roleGrouped] ); const rolePermissionKeys = React.useMemo(() => { const keys = new Set(); for (const p of rolePerms) { if (p.resource && p.action) keys.add(permissionKey(p)); } return keys; }, [rolePerms]); // ── custom permissions (editable) ── const savedCustomIds = React.useMemo( () => new Set((user?.customPermissions ?? []).map((p) => getApiEntityId(p)).filter(Boolean) as string[]), [user] ); const savedCustomIdsStr = Array.from(savedCustomIds).sort().join(","); const [selectedIds, setSelectedIds] = React.useState>(new Set()); const [toDeleteIds, setToDeleteIds] = React.useState>(new Set()); // sync when user loads React.useEffect(() => { setSelectedIds(new Set(savedCustomIds)); setToDeleteIds(new Set()); }, [savedCustomIdsStr]); // Stabilize dependency const customPerms = React.useMemo( () => allPermissions.filter((p) => { const pid = getApiEntityId(p); return pid && selectedIds.has(pid); }), [allPermissions, selectedIds] ); const customGrouped = React.useMemo(() => groupByResource(customPerms), [customPerms]); const customKeys = React.useMemo( () => Array.from(customGrouped.keys()).sort((a, b) => a.localeCompare(b, undefined, { sensitivity: "base" })), [customGrouped] ); // permissions not already granted (custom id or same resource+action on role) const availableToAdd = React.useMemo( () => allPermissions.filter((p) => { const pid = getApiEntityId(p); if (!pid || selectedIds.has(pid)) return false; if (rolePermissionKeys.has(permissionKey(p))) return false; return true; }), [allPermissions, selectedIds, rolePermissionKeys] ); const fullCatalogNothingToAdd = allPermissions.length > 0 && availableToAdd.length === 0; const coverageNotice = React.useMemo(() => { if (!fullCatalogNothingToAdd) return null; if (rolePerms.length > 0 && customPerms.length === 0) { return "All permissions are already included through this user's role. Nothing else to add."; } if (rolePerms.length > 0 && customPerms.length > 0) { return "All permissions are already covered by this user's role and direct grants. Nothing else to add."; } return "You have already added all direct permissions."; }, [fullCatalogNothingToAdd, rolePerms.length, customPerms.length]); const availableGrouped = React.useMemo(() => groupByResource(availableToAdd), [availableToAdd]); const availableKeys = React.useMemo( () => Array.from(availableGrouped.keys()).sort((a, b) => a.localeCompare(b, undefined, { sensitivity: "base" })), [availableGrouped] ); const [addOpen, setAddOpen] = React.useState(false); const handleToggleDelete = (pid: string) => { setToDeleteIds((prev) => { const next = new Set(prev); if (next.has(pid)) next.delete(pid); else next.add(pid); return next; }); }; async function removeSelectedPermissions() { if (toDeleteIds.size === 0) return; const nextIds = Array.from(selectedIds).filter(id => !toDeleteIds.has(id)); setPermissionActionBusy(true); try { await setUserPermissions({ id, permissionIds: nextIds }).unwrap(); toast.success(`${toDeleteIds.size} permissions removed`); setToDeleteIds(new Set()); await updateSession(); } catch { toast.error("Failed to remove permissions"); } finally { setPermissionActionBusy(false); } } // ── guards ── if (!token) { return (
); } if (!canRead) { if (isPermissionBusy || sessionStatus === "loading") { return (
); } return (
); } return (
{isPermissionBusy && (
)} {/* ── Page header ── */}

User Permissions

{user && (

{user.name} · {user.email}

)}
{/* ── Loading / error ── */} {isLoading && } {isError && (
{error && typeof error === "object" && "data" in error ? String((error as { data?: { message?: unknown } }).data?.message ?? "Failed to load user") : "Failed to load user"}
)} {!isLoading && !isError && user && (
{/* ── KPI cards ── */}
} className="bg-white/40 backdrop-blur-sm border-white/60 shadow-sm rounded-2xl" /> } className="bg-white/40 backdrop-blur-sm border-white/60 shadow-sm rounded-2xl" /> } className="bg-white/40 backdrop-blur-sm border-white/60 shadow-sm rounded-2xl" /> } className="bg-white/40 backdrop-blur-sm border-white/60 shadow-sm rounded-2xl" />
{/* ══════════════════════════════════════════════ SECTION 1 — Role permissions (read-only) ══════════════════════════════════════════════ */}

Role Permissions

{rolePerms.length} total — inherited from role, read-only
{rolePerms.length === 0 ? (
} message="No role permissions" description="This user's role has no permission records attached." />
) : (
{roleKeys.map((resource) => ( ))}
)}
{/* ══════════════════════════════════════════════ SECTION 2 — Custom permissions (editable) ══════════════════════════════════════════════ */}

Custom Permissions

{customPerms.length} total
— granted directly to this user {canEditDirectGrants && (
{toDeleteIds.size > 0 && ( )} {availableToAdd.length > 0 && ( )}
)}
{fullCatalogNothingToAdd && coverageNotice && (

{coverageNotice}

)} {customPerms.length === 0 ? (
} message="No custom permissions" description={ canEditDirectGrants ? fullCatalogNothingToAdd && coverageNotice ? coverageNotice : 'Use "Add Permission" to grant direct access to this user.' : "No custom permissions have been assigned to this user." } />
) : (
{customKeys.map((resource) => ( ))}
)}
)}
); }