feature(grants): add support for validating built-in $identity param

To support more advanced ACL where users have access to edit their own
documents we need to inject the user id when evaluating the grant
filters

Author: sgulseth

packages/@sanity/base/src/datastores/grants/createGrantsStore.ts

@@ -5,7 +5,14 @@ import {evaluate, parse} from 'groq-js'
 import {SanityDocument} from '@sanity/types'
 import {refCountDelay} from 'rxjs-etc/operators'
 import sanityClient from 'part:@sanity/base/client'
-import {GrantsStore, DocumentPermissionName, Grant, PermissionCheckResult} from './types'
+import userStore from '../user'
+import {
+  GrantsStore,
+  DocumentPermissionName,
+  Grant,
+  PermissionCheckResult,
+  EvaluationParams,
+} from './types'
 import {debugGrants$} from './debug'
 
 const client = sanityClient.withConfig({apiVersion: '2021-06-07'})
@@ -21,6 +28,16 @@ async function getDatasetGrants(projectId: string, dataset: string): Promise<Gra
   return grants
 }
 
+async function getParams(): Promise<EvaluationParams> {
+  const params: EvaluationParams = {}
+  const user = await userStore.getCurrentUser()
+  if (user !== null) {
+    params.identity = user.id
+  }
+
+  return params
+}
+
 const PARSED_FILTERS_MEMO = new Map()
 async function matchesFilter(filter: string, document: SanityDocument) {
   if (!PARSED_FILTERS_MEMO.has(filter)) {
@@ -32,7 +49,9 @@ async function matchesFilter(filter: string, document: SanityDocument) {
     PARSED_FILTERS_MEMO.set(filter, parse(`*[${filter}]`))
   }
   const parsed = PARSED_FILTERS_MEMO.get(filter)
-  const data = await (await evaluate(parsed, {dataset: [document]})).get()
+
+  const params = await getParams()
+  const data = await (await evaluate(parsed, {dataset: [document], params})).get()
   return data?.length === 1
 }
 

packages/@sanity/base/src/datastores/grants/highlevel.ts

@@ -18,21 +18,21 @@ function getSchemaType(typeName: string): SchemaType {
   return type
 }
 
-export function canCreateType(typeName: string) {
+export function canCreateType(id: string, typeName: string) {
   const type = getSchemaType(typeName)
   return from(resolveInitialValueForType(type)).pipe(
     mergeMap((initialValue: any) => {
       return grantsStore.checkDocumentPermission('create', {
         ...initialValue,
-        _id: type.liveEdit ? 'dummy-id' : 'drafts.dummy-id',
+        _id: type.liveEdit ? id : `drafts.${id}`,
         _type: typeName,
       })
     })
   )
 }
 
 export function canCreateAnyOf(types: string[]) {
-  return combineLatest(types.map((typeName) => canCreateType(typeName))).pipe(
+  return combineLatest(types.map((typeName) => canCreateType('dummy-id', typeName))).pipe(
     map((results) => {
       const granted = results.some((res) => res.granted)
       return {

packages/@sanity/base/src/datastores/grants/hooks.ts

@@ -52,7 +52,7 @@ export function unstable_useCheckDocumentPermission(
             return canUpdate(id, type)
           }
           if (permission === 'create') {
-            return canCreateType(type)
+            return canCreateType(id, type)
           }
           if (permission === 'publish') {
             return canPublish(id, type)

packages/@sanity/base/src/datastores/grants/types.ts

@@ -19,3 +19,7 @@ export interface GrantsStore {
     document: Partial<SanityDocument>
   ): Observable<PermissionCheckResult>
 }
+
+export interface EvaluationParams {
+  identity?: string
+}