Ignore user permissions when using system user (#1761)

The `UserPermissionsGuard` didn't allow requests when using a system
user (e.g., basic authorization during site build).

.changeset/moody-falcons-fix.md

@@ -0,0 +1,7 @@
+---
+"@comet/cms-api": patch
+---
+
+Ignore user permissions when using system user
+
+The `UserPermissionsGuard` didn't allow requests when using a system user (e.g., basic authorization during site build).

packages/api/cms-api/src/access-log/access-log.module.ts

@@ -3,10 +3,11 @@ import { APP_INTERCEPTOR } from "@nestjs/core";
 import { Request } from "express";
 
 import { CurrentUser } from "../user-permissions/dto/current-user";
+import { SystemUser } from "../user-permissions/user-permissions.types";
 import { SHOULD_LOG_REQUEST } from "./access-log.constants";
 import { AccessLogInterceptor } from "./access-log.interceptor";
 
-export type ShouldLogRequest = ({ user, req }: { user?: CurrentUser | true; req: Request }) => boolean;
+export type ShouldLogRequest = ({ user, req }: { user?: CurrentUser | SystemUser; req: Request }) => boolean;
 
 interface AccessLogModuleOptions {
     shouldLogRequest?: ShouldLogRequest;

packages/api/cms-api/src/user-permissions/auth/user-permissions.guard.ts

@@ -6,7 +6,7 @@ import { ContentScopeService } from "../content-scope.service";
 import { RequiredPermissionMetadata } from "../decorators/required-permission.decorator";
 import { CurrentUser } from "../dto/current-user";
 import { ACCESS_CONTROL_SERVICE } from "../user-permissions.constants";
-import { AccessControlServiceInterface } from "../user-permissions.types";
+import { AccessControlServiceInterface, SystemUser } from "../user-permissions.types";
 
 @Injectable()
 export class UserPermissionsGuard implements CanActivate {
@@ -25,6 +25,9 @@ export class UserPermissionsGuard implements CanActivate {
         const user = this.getUser(context);
         if (!user) return false;
 
+        // System user authenticated via basic auth
+        if (user === true) return true;
+
         const requiredPermission = this.getDecorator<RequiredPermissionMetadata>(context, "requiredPermission");
         if (!requiredPermission) throw new Error(`RequiredPermission decorator is missing in ${location}`);
         const requiredPermissions = requiredPermission.requiredPermission;
@@ -51,10 +54,10 @@ export class UserPermissionsGuard implements CanActivate {
         }
     }
 
-    private getUser(context: ExecutionContext): CurrentUser | undefined {
+    private getUser(context: ExecutionContext): CurrentUser | SystemUser | undefined {
         const request =
             context.getType().toString() === "graphql" ? GqlExecutionContext.create(context).getContext().req : context.switchToHttp().getRequest();
-        return request.user as CurrentUser | undefined;
+        return request.user as CurrentUser | SystemUser | undefined;
     }
 
     private getDecorator<T = object>(context: ExecutionContext, decorator: string): T {

packages/api/cms-api/src/user-permissions/user-permissions.types.ts

@@ -13,6 +13,8 @@ export enum UserPermissions {
 
 export type Users = [User[], number];
 
+export type SystemUser = true;
+
 type PermissionForUser = {
     permission: string;
     contentScopes?: ContentScope[];
@@ -22,7 +24,7 @@ export type PermissionsForUser = PermissionForUser[] | UserPermissions.allPermis
 export type ContentScopesForUser = ContentScope[] | UserPermissions.allContentScopes;
 
 export interface AccessControlServiceInterface {
-    isAllowed(user: CurrentUser, permission: string, contentScope?: ContentScope): boolean;
+    isAllowed(user: CurrentUser | SystemUser, permission: string, contentScope?: ContentScope): boolean;
     getPermissionsForUser?: (user: User) => Promise<PermissionsForUser> | PermissionsForUser;
     getContentScopesForUser?: (user: User) => Promise<ContentScopesForUser> | ContentScopesForUser;
 }