feat(editor): Replace middleware for Role checks with Scope checks

packages/@n8n/permissions/src/types.ts

@@ -1,19 +1,21 @@
 export type DefaultOperations = 'create' | 'read' | 'update' | 'delete' | 'list';
 export type Resource =
-	| 'workflow'
-	| 'tag'
-	| 'user'
+	| 'auditLogs'
+	| 'communityPackage'
 	| 'credential'
-	| 'variable'
-	| 'sourceControl'
 	| 'externalSecretsProvider'
 	| 'externalSecret'
 	| 'eventBusEvent'
 	| 'eventBusDestination'
-	| 'orchestration'
-	| 'communityPackage'
 	| 'ldap'
-	| 'saml';
+	| 'logStreaming'
+	| 'orchestration'
+	| 'sourceControl'
+	| 'saml'
+	| 'tag'
+	| 'user'
+	| 'variable'
+	| 'workflow';
 
 export type ResourceScope<
 	R extends Resource,
@@ -22,45 +24,49 @@ export type ResourceScope<
 
 export type WildcardScope = `${Resource}:*` | '*';
 
-export type WorkflowScope = ResourceScope<'workflow', DefaultOperations | 'share'>;
-export type TagScope = ResourceScope<'tag'>;
-export type UserScope = ResourceScope<'user', DefaultOperations | 'resetPassword'>;
+export type AuditLogsScope = ResourceScope<'auditLogs', 'manage'>;
+export type CommunityPackageScope = ResourceScope<
+	'communityPackage',
+	'install' | 'uninstall' | 'update' | 'list' | 'manage'
+>;
 export type CredentialScope = ResourceScope<'credential', DefaultOperations | 'share'>;
-export type VariableScope = ResourceScope<'variable'>;
-export type SourceControlScope = ResourceScope<'sourceControl', 'pull' | 'push' | 'manage'>;
+export type ExternalSecretScope = ResourceScope<'externalSecret', 'list'>;
 export type ExternalSecretProviderScope = ResourceScope<
 	'externalSecretsProvider',
 	DefaultOperations | 'sync'
 >;
-export type ExternalSecretScope = ResourceScope<'externalSecret', 'list'>;
-export type EventBusEventScope = ResourceScope<'eventBusEvent', DefaultOperations | 'query'>;
 export type EventBusDestinationScope = ResourceScope<
 	'eventBusDestination',
 	DefaultOperations | 'test'
 >;
-export type OrchestrationScope = ResourceScope<'orchestration', 'read' | 'list'>;
-export type CommunityPackageScope = ResourceScope<
-	'communityPackage',
-	'install' | 'uninstall' | 'update' | 'list'
->;
+export type EventBusEventScope = ResourceScope<'eventBusEvent', DefaultOperations | 'query'>;
 export type LdapScope = ResourceScope<'ldap', 'manage' | 'sync'>;
+export type LogStreamingScope = ResourceScope<'logStreaming', 'manage'>;
+export type OrchestrationScope = ResourceScope<'orchestration', 'read' | 'list'>;
 export type SamlScope = ResourceScope<'saml', 'manage'>;
+export type SourceControlScope = ResourceScope<'sourceControl', 'pull' | 'push' | 'manage'>;
+export type TagScope = ResourceScope<'tag'>;
+export type UserScope = ResourceScope<'user', DefaultOperations | 'resetPassword'>;
+export type VariableScope = ResourceScope<'variable'>;
+export type WorkflowScope = ResourceScope<'workflow', DefaultOperations | 'share'>;
 
 export type Scope =
-	| WorkflowScope
-	| TagScope
-	| UserScope
+	| AuditLogsScope
+	| CommunityPackageScope
 	| CredentialScope
-	| VariableScope
-	| SourceControlScope
 	| ExternalSecretProviderScope
 	| ExternalSecretScope
 	| EventBusEventScope
 	| EventBusDestinationScope
-	| OrchestrationScope
-	| CommunityPackageScope
 	| LdapScope
-	| SamlScope;
+	| LogStreamingScope
+	| OrchestrationScope
+	| SamlScope
+	| SourceControlScope
+	| TagScope
+	| UserScope
+	| VariableScope
+	| WorkflowScope;
 
 export type ScopeLevel = 'global' | 'project' | 'resource';
 export type GetScopeLevel<T extends ScopeLevel> = Record<T, Scope[]>;

packages/cli/src/permissions/roles.ts

@@ -1,53 +1,17 @@
 import type { Scope } from '@n8n/permissions';
 
 export const ownerPermissions: Scope[] = [
-	'workflow:create',
-	'workflow:read',
-	'workflow:update',
-	'workflow:delete',
-	'workflow:list',
-	'workflow:share',
-	'tag:create',
-	'tag:read',
-	'tag:update',
-	'tag:delete',
-	'tag:list',
-	'user:create',
-	'user:read',
-	'user:update',
-	'user:delete',
-	'user:list',
-	'user:resetPassword',
+	'auditLogs:manage',
 	'credential:create',
 	'credential:read',
 	'credential:update',
 	'credential:delete',
 	'credential:list',
 	'credential:share',
-	'variable:create',
-	'variable:read',
-	'variable:update',
-	'variable:delete',
-	'variable:list',
-	'sourceControl:pull',
-	'sourceControl:push',
-	'sourceControl:manage',
-	'externalSecretsProvider:create',
-	'externalSecretsProvider:read',
-	'externalSecretsProvider:update',
-	'externalSecretsProvider:delete',
-	'externalSecretsProvider:list',
-	'externalSecretsProvider:sync',
-	'externalSecret:list',
-	'orchestration:read',
-	'orchestration:list',
 	'communityPackage:install',
 	'communityPackage:uninstall',
 	'communityPackage:update',
 	'communityPackage:list',
-	'ldap:manage',
-	'ldap:sync',
-	'saml:manage',
 	'eventBusEvent:create',
 	'eventBusEvent:read',
 	'eventBusEvent:update',
@@ -61,18 +25,56 @@ export const ownerPermissions: Scope[] = [
 	'eventBusDestination:delete',
 	'eventBusDestination:list',
 	'eventBusDestination:test',
-];
-export const adminPermissions: Scope[] = ownerPermissions.concat();
-export const memberPermissions: Scope[] = [
-	'user:list',
-	'variable:list',
-	'variable:read',
+	'externalSecretsProvider:create',
+	'externalSecretsProvider:read',
+	'externalSecretsProvider:update',
+	'externalSecretsProvider:delete',
+	'externalSecretsProvider:list',
+	'externalSecretsProvider:sync',
+	'externalSecret:list',
+	'ldap:manage',
+	'ldap:sync',
+	'logStreaming:manage',
+	'orchestration:read',
+	'orchestration:list',
+	'saml:manage',
+	'sourceControl:pull',
+	'sourceControl:push',
+	'sourceControl:manage',
 	'tag:create',
 	'tag:read',
 	'tag:update',
+	'tag:delete',
 	'tag:list',
+	'user:create',
+	'user:read',
+	'user:update',
+	'user:delete',
+	'user:list',
+	'user:resetPassword',
+	'variable:create',
+	'variable:read',
+	'variable:update',
+	'variable:delete',
+	'variable:list',
+	'workflow:create',
+	'workflow:read',
+	'workflow:update',
+	'workflow:delete',
+	'workflow:list',
+	'workflow:share',
+];
+export const adminPermissions: Scope[] = ownerPermissions.concat();
+export const memberPermissions: Scope[] = [
 	'eventBusEvent:list',
 	'eventBusEvent:read',
 	'eventBusDestination:list',
 	'eventBusDestination:test',
+	'tag:create',
+	'tag:read',
+	'tag:update',
+	'tag:list',
+	'user:list',
+	'variable:list',
+	'variable:read',
 ];

packages/editor-ui/src/components/MainSidebar.vue

@@ -120,7 +120,7 @@
 import { isNavigationFailure } from 'vue-router';
 import ExecutionsUsage from '@/components/ExecutionsUsage.vue';
 import MainSidebarSourceControl from '@/components/MainSidebarSourceControl.vue';
 import { ROLE } from '@/utils/userUtils';
 import { hasPermission } from '@/rbac/permissions';
 
 export default defineComponent({
@@ -177,9 +177,7 @@
 			return accessibleRoute !== null;
 		},
 		showUserArea(): boolean {
-			return hasPermission(['role'], {
-				role: [ROLE.Member, ROLE.Owner],
-			});
+			return hasPermission(['authenticated']);
 		},
 		workflowExecution(): IExecutionResponse | null {
 			return this.workflowsStore.getWorkflowExecution;

packages/editor-ui/src/rbac/checks/__tests__/hasScope.test.ts

@@ -1,6 +1,6 @@
 import { useRBACStore } from '@/stores/rbac.store';
 import { hasScope } from '@/rbac/checks/hasScope';
-import type { HasScopeOptions } from '@n8n/permissions';
+import type { ScopeOptions } from '@n8n/permissions';
 
 vi.mock('@/stores/rbac.store', () => ({
 	useRBACStore: vi.fn(),
@@ -19,7 +19,7 @@ describe('Checks', () => {
 			} as unknown as ReturnType<typeof useRBACStore>);
 
 			const scope = 'workflow:read';
-			const options: HasScopeOptions = { mode: 'allOf' };
+			const options: ScopeOptions = { mode: 'allOf' };
 			const projectId = 'proj123';
 			const resourceType = 'workflow';
 			const resourceId = 'res123';

packages/editor-ui/src/rbac/checks/__tests__/isDefaultUser.test.ts

@@ -0,0 +1,27 @@
+import { useUsersStore } from '@/stores/users.store';
+import { isDefaultUser } from '@/rbac/checks/isDefaultUser';
+
+vi.mock('@/stores/users.store', () => ({
+	useUsersStore: vi.fn(),
+}));
+
+describe('Checks', () => {
+	describe('isDefaultUser()', () => {
+		it('should return false if user not logged in', () => {
+			vi.mocked(useUsersStore).mockReturnValue({ currentUser: null } as ReturnType<
+				typeof useUsersStore
+			>);
+
+			expect(isDefaultUser()).toBe(false);
+		});
+
+		it('should return true if user is default user', () => {
+			const mockUser = { id: 'user123', name: 'Test User', isDefaultUser: true };
+			vi.mocked(useUsersStore).mockReturnValue({ currentUser: mockUser } as unknown as ReturnType<
+				typeof useUsersStore
+			>);
+
+			expect(isDefaultUser()).toBe(mockUser.isDefaultUser);
+		});
+	});
+});

packages/editor-ui/src/rbac/checks/index.ts

@@ -1,6 +1,7 @@
 export * from './hasRole';
 export * from './hasScope';
 export * from './isAuthenticated';
+export * from './isDefaultUser';
 export * from './isEnterpriseFeatureEnabled';
 export * from './isGuest';
 export * from './isValid';

packages/editor-ui/src/rbac/checks/isDefaultUser.ts

@@ -0,0 +1,12 @@
+import { useUsersStore } from '@/stores/users.store';
+import type { DefaultUserMiddlewareOptions, RBACPermissionCheck } from '@/types/rbac';
+
+export const isDefaultUser: RBACPermissionCheck<DefaultUserMiddlewareOptions> = () => {
+	const usersStore = useUsersStore();
+	const currentUser = usersStore.currentUser;
+
+	if (currentUser) {
+		return currentUser.isDefaultUser;
+	}
+	return false;
+};

packages/editor-ui/src/rbac/middleware.ts

@@ -5,6 +5,7 @@ import { guestMiddleware } from '@/rbac/middleware/guest';
 import { rbacMiddleware } from '@/rbac/middleware/rbac';
 import { roleMiddleware } from '@/rbac/middleware/role';
 import { customMiddleware } from '@/rbac/middleware/custom';
+import { defaultUserMiddleware } from '@/rbac/middleware/defaultUser';
 
 type Middleware = {
 	[key in RouterMiddlewareType]: RouterMiddleware<MiddlewareOptions[key]>;
@@ -13,6 +14,7 @@ type Middleware = {
 export const middleware: Middleware = {
 	authenticated: authenticatedMiddleware,
 	custom: customMiddleware,
+	defaultUser: defaultUserMiddleware,
 	enterprise: enterpriseMiddleware,
 	guest: guestMiddleware,
 	rbac: rbacMiddleware,

packages/editor-ui/src/rbac/middleware/__tests__/defaultUser.test.ts

@@ -0,0 +1,55 @@
+import { useUsersStore } from '@/stores/users.store';
+import { VIEWS } from '@/constants';
+import { defaultUserMiddleware } from '@/rbac/middleware/defaultUser';
+import type { RouteLocationNormalized } from 'vue-router';
+import { authenticatedMiddleware } from '@/rbac/middleware/authenticated';
+
+vi.mock('@/stores/users.store', () => ({
+	useUsersStore: vi.fn(),
+}));
+
+describe('Middleware', () => {
+	describe('defaultUser', () => {
+		it('should redirect to homepage if user not logged in', async () => {
+			vi.mocked(useUsersStore).mockReturnValue({
+				currentUser: null,
+			} as ReturnType<typeof useUsersStore>);
+
+			const nextMock = vi.fn();
+			const toMock = { query: {} } as RouteLocationNormalized;
+			const fromMock = {} as RouteLocationNormalized;
+
+			await defaultUserMiddleware(toMock, fromMock, nextMock, {});
+
+			expect(nextMock).toHaveBeenCalledWith({ name: VIEWS.HOMEPAGE });
+		});
+
+		it('should redirect to homepage if user is not default user', async () => {
+			vi.mocked(useUsersStore).mockReturnValue({
+				currentUser: { id: '123', isDefaultUser: false },
+			} as ReturnType<typeof useUsersStore>);
+
+			const nextMock = vi.fn();
+			const toMock = { query: {} } as RouteLocationNormalized;
+			const fromMock = {} as RouteLocationNormalized;
+
+			await defaultUserMiddleware(toMock, fromMock, nextMock, {});
+
+			expect(nextMock).toHaveBeenCalledWith({ name: VIEWS.HOMEPAGE });
+		});
+
+		it('should allow navigation if a current user is present', async () => {
+			vi.mocked(useUsersStore).mockReturnValue({
+				currentUser: { id: '123', isDefaultUser: true },
+			} as ReturnType<typeof useUsersStore>);
+
+			const nextMock = vi.fn();
+			const toMock = { query: {} } as RouteLocationNormalized;
+			const fromMock = {} as RouteLocationNormalized;
+
+			await defaultUserMiddleware(toMock, fromMock, nextMock, {});
+
+			expect(nextMock).not.toHaveBeenCalled();
+		});
+	});
+});

packages/editor-ui/src/rbac/middleware/defaultUser.ts

@@ -0,0 +1,15 @@
+import type { RouterMiddleware } from '@/types/router';
+import { VIEWS } from '@/constants';
+import type { DefaultUserMiddlewareOptions } from '@/types/rbac';
+import { isDefaultUser } from '@/rbac/checks';
+
+export const defaultUserMiddleware: RouterMiddleware<DefaultUserMiddlewareOptions> = async (
+	to,
+	from,
+	next,
+) => {
+	const valid = isDefaultUser();
+	if (!valid) {
+		return next({ name: VIEWS.HOMEPAGE });
+	}
+};