Migrate more privileges to be permissions

app/admin/AdminSidebarClient.tsx

@@ -126,7 +126,7 @@ export interface AdminSidebarMenuSubMenuItem {
     /**
      * Whether the menu should be open by default. Defaults to false.
      */
-    defaultOpen?: boolean | Privilege;
+    defaultOpen?: boolean;
 
     /**
      * Child menu items that should be shown as part of this entry.

app/admin/TopLevelLayout.tsx

@@ -24,6 +24,8 @@ import { type AdminSidebarMenuEntry, AdminSidebar } from './AdminSidebar';
 import { Privilege } from '@lib/auth/Privileges';
 import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
 
+import { kAnyEvent, kAnyTeam } from '@lib/auth/AccessControl';
+
 export default async function TopLevelLayout(props: React.PropsWithChildren) {
     const { access, user } = await requireAuthenticationContext();
 
@@ -37,7 +39,7 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
         {
             icon: <FeedOutlinedIcon />,
             label: 'Content',
-            privilege: Privilege.SystemAdministrator,
+            permission: 'system.content',
             url: '/admin/content',
         },
         {
@@ -49,7 +51,13 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
         {
             icon: <EventNoteIcon />,
             label: 'Events',
-            privilege: Privilege.EventAdministrator,
+            permission: {
+                permission: 'event.visible',
+                options: {
+                    event: kAnyEvent,
+                    team: kAnyTeam,
+                },
+            },
             url: '/admin/events',
         },
         {
@@ -63,6 +71,8 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
         {
             icon: <ChatBubbleOutlineIcon />,
             label: 'Communication',
+            // permission: system.feedback
+            // permission: system.internals
             privilege: [
                 Privilege.SystemOutboxAccess,
                 Privilege.SystemSubscriptionManagement,
@@ -72,7 +82,7 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
                 {
                     icon: <FeedbackOutlinedIcon />,
                     label: 'Feedback',
-                    privilege: Privilege.SystemAdministrator,
+                    permission: 'system.feedback',
                     url: '/admin/system/feedback',
                 },
                 {
@@ -90,7 +100,7 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
                 {
                     icon: <WebhookIcon />,
                     label: 'Webhooks',
-                    privilege: Privilege.SystemAdministrator,
+                    permission: 'system.internals',
                     url: '/admin/system/webhooks',
                 },
             ],
@@ -99,11 +109,13 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
             icon: <DeviceHubIcon />,
             label: 'System',
             permission: [
-                'system.ai',
                 'system.displays',
+                'system.internals.ai',
+                'system.internals.scheduler',
+                'system.internals.settings',
                 { permission: 'system.logs', operation: 'read' },
             ],
-            defaultOpen: Privilege.SystemAdministrator,
+            defaultOpen: access.can('system.internals'),
             menu: [
                 {
                     icon: <TabletIcon />,
@@ -114,13 +126,13 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
                 {
                     icon: <ModelTrainingIcon />,
                     label: 'Generative AI',
-                    permission: 'system.ai',
+                    permission: 'system.internals.ai',
                     url: '/admin/system/ai',
                 },
                 {
                     icon: <ApiIcon />,
                     label: 'Integrations',
-                    privilege: Privilege.Administrator,
+                    permission: 'system.internals.settings',
                     url: '/admin/system/integrations',
                 },
                 {
@@ -135,13 +147,13 @@ export default async function TopLevelLayout(props: React.PropsWithChildren) {
                 {
                     icon: <ManageHistoryIcon />,
                     label: 'Scheduler',
-                    privilege: Privilege.SystemAdministrator,
+                    permission: 'system.internals.scheduler',
                     url: '/admin/system/scheduler',
                 },
                 {
                     icon: <SettingsIcon />,
                     label: 'Settings',
-                    privilege: Privilege.SystemAdministrator,
+                    permission: 'system.internals.settings',
                     url: '/admin/system/settings',
                 }
             ]

app/admin/page.tsx

@@ -9,7 +9,6 @@ import type { SchedulerStatus } from './dashboard/SchedulerCard';
 import type { User } from '@lib/auth/User';
 import { default as TopLevelLayout } from './TopLevelLayout';
 import { Dashboard } from './dashboard/Dashboard';
-import { Privilege, can } from '@lib/auth/Privileges';
 import { RegistrationStatus } from '@lib/database/Types';
 import { Temporal } from '@lib/Temporal';
 import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
@@ -82,15 +81,15 @@ async function fetchBirthdays(user: User) {
  * give an overview of what's going on. Exact cards depend on the user's access level.
  */
 export default async function AdminPage() {
-    const { events, user } = await requireAuthenticationContext({ check: 'admin' });
+    const { access, events, user } = await requireAuthenticationContext({ check: 'admin' });
 
     // TODO: Filter for participating events in `fetchBirthdays`
     const { currentBirthdays, upcomingBirthdays } = await fetchBirthdays(user);
 
     const connectionPool = getConnectionPool();
     let databaseStatus: DatabaseStatus | undefined;
 
-    if (can(user, Privilege.SystemAdministrator) && connectionPool) {
+    if (access.can('system.internals') && connectionPool) {
         databaseStatus = {
             connections: {
                 active: connectionPool.activeConnections(),
@@ -102,7 +101,7 @@ export default async function AdminPage() {
     }
 
     let schedulerStatus: SchedulerStatus | undefined;
-    if (can(user, Privilege.SystemAdministrator)) {
+    if (access.can('system.internals.scheduler')) {
         let timeSinceLastExecutionMs: number | undefined = undefined;
         if (globalScheduler.lastExecution !== undefined) {
             const diffNs = process.hrtime.bigint() - globalScheduler.lastExecution;

app/admin/system/ai/page.tsx

@@ -18,7 +18,7 @@ import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
 export default async function AiPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        permission: 'system.ai',
+        permission: 'system.internals.ai',
     });
 
     // Settings to load for this page, shared across the different displays.

app/admin/system/ai/prompt/[prompt]/page.tsx

@@ -19,7 +19,7 @@ import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
 export default async function AiPromptExplorer(props: NextPageParams<'prompt'>) {
     await requireAuthenticationContext({
         check: 'admin',
-        permission: 'system.ai',
+        permission: 'system.internals.ai',
     });
 
     const personality = await readSetting('gen-ai-personality') ?? '';

app/admin/system/debug/page.tsx

@@ -67,7 +67,7 @@ async function debugAction(formData: unknown) {
 export default async function DebugPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals',
     });
 
     const debugValues: Record<string, any> = {};

app/admin/system/displays/page.tsx

@@ -6,7 +6,6 @@ import type { Metadata } from 'next';
 import type { DisplayTableEventOption, DisplayTableLocationOption } from './DisplaysTable';
 import { DisplaysTable } from './DisplaysTable';
 import { HelpRequestTable } from './HelpRequestTable';
-import { Privilege } from '@lib/auth/Privileges';
 import { Section } from '@app/admin/components/Section';
 import { SectionIntroduction } from '@app/admin/components/SectionIntroduction';
 import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';

app/admin/system/feedback/page.tsx

@@ -3,7 +3,6 @@
 
 import type { Metadata } from 'next';
 
-import { Privilege } from '@lib/auth/Privileges';
 import { Section } from '../../components/Section';
 import { SectionIntroduction } from '../../components/SectionIntroduction';
 import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
@@ -16,7 +15,7 @@ import { FeedbackDataTable } from './FeedbackDataTable';
 export default async function FeedbackPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.feedback',
     });
 
     // TODO: Consider allowing a response to be composed automagically.

app/admin/system/integrations/page.tsx

@@ -7,7 +7,6 @@ import { AnimeCon, type AnimeConSettings } from './AnimeCon';
 import { Email, type EmailSettings } from './Email';
 import { Google, type GoogleSettings } from './Google';
 import { StatusHeader } from './StatusHeader';
-import { Privilege } from '@lib/auth/Privileges';
 import { Twilio } from './Twilio';
 import { VertexAI, type VertexAISettings } from './VertexAI';
 import { VertexSupportedModels } from '@lib/integrations/vertexai/VertexSupportedModels';
@@ -22,7 +21,7 @@ import type { TwilioSettings } from '@lib/integrations/twilio/TwilioClient';
 export default async function IntegrationsPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.Administrator,
+        permission: 'system.internals.settings',
     });
 
     const settings = await readSettings([

app/admin/system/scheduler/[id]/page.tsx

@@ -32,7 +32,7 @@ export default async function TaskPage(props: NextPageParams<'id'>) {
 
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.scheduler',
     });
 
     const task = await db.selectFrom(tTasks)

app/admin/system/scheduler/page.tsx

@@ -15,7 +15,7 @@ import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
 export default async function SchedulerPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.scheduler',
     });
 
     return (

app/admin/system/settings/page.tsx

@@ -5,7 +5,6 @@ import type { Metadata } from 'next';
 
 import Alert from '@mui/material/Alert';
 
-import { Privilege } from '@lib/auth/Privileges';
 import { Section } from '@app/admin/components/Section';
 import { SettingSection, type ConfigurableSetting } from './SettingSection';
 import { readSettings, type Setting } from '@lib/Settings';
@@ -19,7 +18,7 @@ import { SettingUtilitiesSection } from './SettingUtilitiesSection';
 export default async function IntegrationsPage() {
     await requireAuthenticationContext({
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.settings',
     });
 
     // The configuration for settings contains the individual settings, the data types, and the

app/api/admin/scheduler/[[...id]]/route.ts

@@ -82,7 +82,7 @@ export const { GET } = createDataTableApi(kSchedulerRowModel, kSchedulerContext,
     async accessCheck(context, action, props) {
         executeAccessCheck(props.authenticationContext, {
             check: 'admin',
-            privilege: Privilege.SystemAdministrator,
+            permission: 'system.internals.scheduler',
         });
     },
 

app/api/admin/scheduler/scheduleTask.ts

@@ -67,7 +67,7 @@ type Response = ApiResponse<typeof kScheduleTaskDefinition>;
 export async function scheduleTask(request: Request, props: ActionProps): Promise<Response> {
     executeAccessCheck(props.authenticationContext, {
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.scheduler',
     });
 
     if ('taskId' in request) {

app/api/admin/serviceHealth.ts

@@ -174,7 +174,7 @@ async function runVertexAIHealthCheck(): Promise<Response> {
 export async function serviceHealth(request: Request, props: ActionProps): Promise<Response> {
     executeAccessCheck(props.authenticationContext, {
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals',
     });
 
     switch (request.service) {

app/api/admin/updateSettings.ts

@@ -50,7 +50,7 @@ type Response = ApiResponse<typeof kUpdateSettingsDefinition>;
 export async function updateSettings(request: Request, props: ActionProps): Promise<Response> {
     executeAccessCheck(props.authenticationContext, {
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.settings',
     });
 
     const settings: { [k: string]: boolean | number | string } = { /* will be composed */ };

app/api/admin/vertexAi.ts

@@ -58,7 +58,7 @@ type Response = ApiResponse<typeof kVertexAiDefinition>;
 export async function vertexAi(request: Request, props: ActionProps): Promise<Response> {
     executeAccessCheck(props.authenticationContext, {
         check: 'admin',
-        privilege: Privilege.SystemAdministrator,
+        permission: 'system.internals.settings',
     });
 
     const { settings } = request;

app/api/ai/generatePrompt.ts

@@ -160,7 +160,7 @@ export async function generatePrompt(request: Request, props: ActionProps): Prom
         case 'approve-volunteer':
             executeAccessCheck(props.authenticationContext, {
                 check: 'admin',
-                permission: or('system.ai', {
+                permission: or('system.internals.ai', {
                     permission: 'event.applications',
                     operation: 'update',
                     options: {
@@ -190,7 +190,7 @@ export async function generatePrompt(request: Request, props: ActionProps): Prom
         case 'reject-volunteer':
             executeAccessCheck(props.authenticationContext, {
                 check: 'admin',
-                permission: or('system.ai', {
+                permission: or('system.internals.ai', {
                     permission: 'event.applications',
                     operation: 'update',
                     options: {
@@ -209,7 +209,7 @@ export async function generatePrompt(request: Request, props: ActionProps): Prom
 
     // Install personality and prompt overrides when provided. This feature is only accessible
     // through the Generative AI Explorer pages, and relies on a special permission.
-    if (request.overrides && props.access.can('system.ai'))
+    if (request.overrides && props.access.can('system.internals.ai'))
         generator.setOverrides(request.overrides.personality, request.overrides.prompt);
 
     const { context, prompt, subject } = await generator.build(request.language);

app/api/ai/updateSettings.ts

@@ -50,7 +50,7 @@ type Response = ApiResponse<typeof kUpdateAiSettingsDefinition>;
 export async function updateSettings(request: Request, props: ActionProps): Promise<Response> {
     executeAccessCheck(props.authenticationContext, {
         check: 'admin',
-        permission: 'system.ai',
+        permission: 'system.internals.ai',
     });
 
     if (request.personality) {

app/api/event/schedule/submitFeedback.ts

@@ -8,7 +8,6 @@ import type { ActionProps } from '../../Action';
 import type { ApiDefinition, ApiRequest, ApiResponse } from '../../Types';
 import { Log, LogType } from '@lib/Log';
 import { LogSeverity } from '@lib/database/Types';
-import { Privilege, can } from '@lib/auth/Privileges';
 import db, { tFeedback } from '@lib/database';
 
 /**
@@ -66,7 +65,7 @@ export async function submitFeedback(request: Request, props: ActionProps): Prom
     let userId: number | undefined = props.user.userId;
     let feedbackName: string | undefined;
 
-    if (can(props.user, Privilege.Feedback) && !!request.overrides) {
+    if (props.access.can('system.feedback') && !!request.overrides) {
         if (!!request.overrides.userId || !!request.overrides.name) {
             userId = request.overrides.userId ?? undefined;
             feedbackName = request.overrides.name ?? undefined;

app/feedback/page.tsx

@@ -5,7 +5,6 @@ import { notFound } from 'next/navigation';
 
 import { ExportLayout } from '@app/exports/[slug]/ExportLayout';
 import { FeedbackForm } from './FeedbackForm';
-import { Privilege } from '@lib/auth/Privileges';
 import { Temporal } from '@lib/Temporal';
 import { requireAuthenticationContext } from '@lib/auth/AuthenticationContext';
 
@@ -18,7 +17,7 @@ import { getStaticContent } from '@lib/Content';
  * soliciting feedback from volunteers. The page will automatically determine the right event.
  */
 export default async function FeedbackPage() {
-    await requireAuthenticationContext({ privilege: Privilege.Feedback });
+    await requireAuthenticationContext({ permission: 'system.feedback' });
 
     const currentTime = Temporal.Now.zonedDateTimeISO('utc');
     const eventSelectionTime = currentTime.subtract({ days: 30 });