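import type { Role } from "@prisma/client";

/**
 * Fine-grained actions a caller may be granted. Authorization decisions are
 * made against a Permission, never against a role name directly, so the
 * role → permission mapping below is the single place to audit.
 */
export type Permission =
  | "create_po"
  | "submit_po"
  | "edit_own_draft_po"
  | "view_own_pos"
  | "view_all_pos"
  | "approve_po"
  | "reject_po"
  | "request_edits"
  | "request_vendor_id"
  | "process_payment"
  | "confirm_receipt"
  | "view_analytics"
  | "export_reports"
  | "manage_users"
  | "manage_vendors"
  | "manage_vessels_accounts"
  | "manage_products"
  | "manage_sites";

/**
 * Static role → permission table.
 *
 * - A role with no entry has no permissions (default deny, see permissionsFor).
 * - Entries are `readonly` so the table cannot be altered through a reference
 *   handed out by getPermissions.
 * - The type is `Partial` to keep the existing "unknown role ⇒ no permissions"
 *   behaviour; if every Role value is meant to be listed here, tightening to
 *   `Record<Role, …>` makes a newly added role a compile error until its
 *   permissions are decided.
 */
const ROLE_PERMISSIONS: Partial<Record<Role, readonly Permission[]>> = {
  TECHNICAL: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt"],
  MANNING: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt"],
  ACCOUNTS: ["view_all_pos", "process_payment", "manage_vendors"],
  MANAGER: [
    "create_po",
    "submit_po",
    "edit_own_draft_po",
    "view_own_pos",
    "view_all_pos",
    "approve_po",
    "reject_po",
    "request_edits",
    "request_vendor_id",
    "view_analytics",
    "export_reports",
    "manage_vendors",
    "manage_vessels_accounts",
    "manage_products",
    "manage_sites",
  ],
  SUPERUSER: [
    "create_po",
    "submit_po",
    "edit_own_draft_po",
    "view_own_pos",
    "view_all_pos",
    "approve_po",
    "reject_po",
    "request_edits",
    "request_vendor_id",
    "process_payment",
    "confirm_receipt",
    "view_analytics",
    "export_reports",
  ],
  AUDITOR: ["view_own_pos", "view_all_pos", "view_analytics", "export_reports"],
  ADMIN: [
    "view_own_pos",
    "view_all_pos",
    "view_analytics",
    "export_reports",
    "manage_users",
    "manage_vendors",
    "manage_vessels_accounts",
    "manage_products",
    "manage_sites",
  ],
};

/**
 * Resolves the permission list for a role, defaulting to none.
 *
 * The own-property check matters because `role` is only a type-level Role:
 * at runtime it is typically a string read from a session or token. Plain
 * indexing would resolve inherited Object.prototype members (e.g.
 * "constructor", "toString") to non-array values and then crash or
 * misbehave in `.includes`; the check turns such inputs into default deny.
 *
 * @param role - the caller's role
 * @returns the role's permissions (shared, read-only), or an empty list
 */
function permissionsFor(role: Role): readonly Permission[] {
  if (!Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, role)) {
    return [];
  }
  return ROLE_PERMISSIONS[role] ?? [];
}

/**
 * Reports whether `role` is granted `permission`.
 *
 * @param role - the caller's role
 * @param permission - the action being attempted
 * @returns true only if the table explicitly grants the permission
 */
export function hasPermission(role: Role, permission: Permission): boolean {
  return permissionsFor(role).includes(permission);
}

/**
 * Asserts that `role` is granted `permission`.
 *
 * @param role - the caller's role
 * @param permission - the action being attempted
 * @throws Error with a `Forbidden:` message when the permission is not granted
 */
export function requirePermission(role: Role, permission: Permission): void {
  if (!hasPermission(role, permission)) {
    throw new Error(`Forbidden: role ${role} lacks permission ${permission}`);
  }
}

/**
 * Lists the permissions granted to `role`.
 *
 * Returns a fresh copy: the original handed out the table's own array, so any
 * caller that pushed into or spliced the result silently changed authorization
 * for every subsequent check of that role.
 *
 * @param role - the caller's role
 * @returns a new array of the role's permissions (empty for unknown roles)
 */
export function getPermissions(role: Role): Permission[] {
  return [...permissionsFor(role)];
}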