feat(rbac): implement NIP-29 room roles and permission gating (#47)

2026-04-17 05:57:10 +05:30
parent 4a967de184
commit abc6dc2860
11 changed files with 951 additions and 140 deletions
@@ -20,7 +20,6 @@ import {
  partition,
  shuffle,
  parseJson,
-  memoize,
  addToMapKey,
  identity,
  always,
@@ -84,7 +83,6 @@ import {
  ROOM_JOIN,
  ROOM_LEAVE,
  ROOM_MEMBERS,
-  ROOM_ADMINS,
  ROOM_META,
  ROOM_DELETE,
  ROOM_REMOVE_MEMBER,
@@ -152,6 +150,15 @@ import {
 } from "@welshman/app"
 import {checkRelayHasLivekit} from "$lib/livekit"
 import {readFeed} from "@lib/feeds"
+import {
+  parseRoomMembers,
+  deriveRoomMembers as deriveRoomMembersByRole,
+  deriveRoomAdmins as deriveRoomAdminsByRole,
+  deriveUserIsSpaceAdmin as deriveUserIsSpaceAdminByRole,
+  deriveUserIsRoomAdmin as deriveUserIsRoomAdminByRole,
+  deriveUserSpacePermissions,
+} from "@app/core/roles"
+import type {RoomMember} from "@app/core/roles"

 export const fromCsv = (s: string) => (s || "").split(",").filter(identity)

@@ -813,13 +820,7 @@ export const deriveSpaceMembers = (url: string) =>
    uniq(getTagValues("member", event?.tags ?? [])),
  )

-export const deriveRoomMembers = (url: string, h: string) => {
-  const filters: Filter[] = [{kinds: [ROOM_MEMBERS], "#d": [h]}]
-
-  return derived(deriveEventsForUrl(url, filters), ([event]) =>
-    uniq(getPubkeyTagValues(event?.tags ?? [])),
-  )
-}
+export const deriveRoomMembers = deriveRoomMembersByRole

 export type BannedPubkeyItem = {
  pubkey: string
@@ -839,19 +840,7 @@ export const deriveSpaceBannedPubkeyItems = (url: string) => {
  return store
 }

-export const deriveRoomAdmins = (url: string, h: string) => {
-  const filters: Filter[] = [{kinds: [ROOM_ADMINS], "#d": [h]}]
-
-  return derived(deriveEventsForUrl(url, filters), $events => {
-    const adminsEvent = first($events)
-
-    if (adminsEvent) {
-      return getPubkeyTagValues(adminsEvent.tags)
-    }
-
-    return []
-  })
-}
+export const deriveRoomAdmins = deriveRoomAdminsByRole

 const getRoomMembers = (_url: string, h: string, events: TrustedEvent[]) => {
  const members = new Set<string>()
@@ -860,8 +849,8 @@ const getRoomMembers = (_url: string, h: string, events: TrustedEvent[]) => {
    if (event.kind === ROOM_MEMBERS && getTagValue("d", event.tags) === h) {
      members.clear()

-      for (const pubkey of uniq(getPubkeyTagValues(event.tags))) {
-        members.add(pubkey)
+      for (const member of parseRoomMembers(event.tags)) {
+        members.add(member.pubkey)
      }

      continue
@@ -894,16 +883,30 @@ const getRoomMembers = (_url: string, h: string, events: TrustedEvent[]) => {

 export const deriveSpaceActionItems = (url: string) =>
  derived(
-    deriveEventsForUrl(url, [
-      {
-        kinds: [REPORT, ROOM_JOIN, ROOM_LEAVE, ROOM_MEMBERS, ROOM_ADD_MEMBER, ROOM_REMOVE_MEMBER],
-      },
-    ]),
-    $events => {
+    [
+      deriveEventsForUrl(url, [
+        {
+          kinds: [REPORT, ROOM_JOIN, ROOM_LEAVE, ROOM_MEMBERS, ROOM_ADD_MEMBER, ROOM_REMOVE_MEMBER],
+        },
+      ]),
+      deriveUserIsSpaceAdmin(url),
+      deriveUserSpacePermissions(url),
+    ],
+    ([$events, $isAdmin, $permissions]) => {
+      if (!$isAdmin) {
+        return []
+      }
+
      const getRoomId = (e: TrustedEvent) =>
        getTagValue(e.kind === ROOM_MEMBERS ? "d" : "h", e.tags)
      const reports = $events.filter(e => e.kind === REPORT)
      const pendingJoins: TrustedEvent[] = []
+      const canReviewReports = $permissions.has(9005) || $permissions.size === 0
+      const canReviewJoins =
+        $permissions.has(9000) ||
+        $permissions.has(9001) ||
+        $permissions.has(9009) ||
+        $permissions.size === 0

      // Room-level join requests — most recent per pubkey+h
      for (const [h, roomEvents] of groupBy(getRoomId, $events)) {
@@ -960,7 +963,10 @@ export const deriveSpaceActionItems = (url: string) =>
        )
      }

-      return sortEventsDesc([...reports, ...pendingJoins])
+      return sortEventsDesc([
+        ...(canReviewReports ? reports : []),
+        ...(canReviewJoins ? pendingJoins : []),
+      ])
    },
  )

@@ -972,17 +978,7 @@ export enum MembershipStatus {
  Granted,
 }

-export const deriveUserIsSpaceAdmin = memoize((url?: string) => {
-  const store = writable(false)
-
-  if (url) {
-    manageRelay(url, {method: ManagementMethod.SupportedMethods, params: []}).then(res =>
-      store.set(Boolean(res.result?.length)),
-    )
-  }
-
-  return store
-})
+export const deriveUserIsSpaceAdmin = deriveUserIsSpaceAdminByRole

 export const deriveUserSpaceMembershipStatus = (url: string) => {
  // Fetch member list and user add/remove events directly in this derivation.
@@ -1046,11 +1042,7 @@ export const deriveUserSpaceMembershipStatus = (url: string) => {
  )
 }

-export const deriveUserIsRoomAdmin = (url: string, h: string) =>
-  derived(
-    [pubkey, deriveRoomAdmins(url, h), deriveUserIsSpaceAdmin(url)],
-    ([$pubkey, $admins, $isSpaceAdmin]) => $isSpaceAdmin || $admins.includes($pubkey!),
-  )
+export const deriveUserIsRoomAdmin = deriveUserIsRoomAdminByRole

 export const deriveUserRoomMembershipStatus = (url: string, h: string) => {
  // Fetch the room member list and the current user's add/remove events.
@@ -1075,7 +1067,7 @@ export const deriveUserRoomMembershipStatus = (url: string, h: string) => {

      if ($memberList) {
        // Member list exists - check if user is in it.
-        isMember = $memberList.includes($pubkey!)
+        isMember = $memberList.some((member: RoomMember) => member.pubkey === $pubkey)
      } else {
        // No member list available - replay the user's add/remove history.
        for (const event of sortEventsAsc($userAddRemoveEvents)) {