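--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,300 @@
 version: 2
 updates:
-- package-ecosystem: 'npm'
-directory: '/'
+# npm dependencies - regular updates
+- package-ecosystem: "npm"
+directory: "/"
 schedule:
-interval: 'weekly'
+interval: "weekly"
+day: "monday"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 20
+labels:
+- "dependencies"
+- "npm"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore:
+# Ignore deprecated packages that we know about
+- dependency-name: "lodash"
+versions: [">=4.17.15 <5.0.0"]
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge non-major version updates
+automerge:
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# npm dependencies - security updates (more frequent)
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "daily"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 10
+labels:
+- "dependencies"
+- "security"
+- "npm"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge security updates and minor/patch version updates
+automerge:
+- type: "security"
+method: "squash"
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# Docker dependencies - regular updates
+- package-ecosystem: "docker"
+directory: "/"
+schedule:
+interval: "weekly"
+day: "tuesday"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 5
+labels:
+- "dependencies"
+- "docker"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge non-major version updates
+automerge:
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# Docker dependencies - security updates (more frequent)
+- package-ecosystem: "docker"
+directory: "/"
+schedule:
+interval: "daily"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 5
+labels:
+- "dependencies"
+- "security"
+- "docker"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge security updates and minor/patch version updates
+automerge:
+- type: "security"
+method: "squash"
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# GitHub Actions - regular updates
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"
+day: "wednesday"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 10
+labels:
+- "dependencies"
+- "github-actions"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+# Automatically merge non-major version updates
+automerge:
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# GitHub Actions - security updates (more frequent)
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 5
+labels:
+- "dependencies"
+- "security"
+- "github-actions"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+# Automatically merge security updates and minor/patch version updates
+automerge:
+- type: "security"
+method: "squash"
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# pip dependencies (Python SDK) - regular updates
+- package-ecosystem: "pip"
+directory: "/sdk/python"
+schedule:
+interval: "weekly"
+day: "thursday"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 5
+labels:
+- "dependencies"
+- "pip"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge non-major version updates
+automerge:
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# pip dependencies (Python SDK) - security updates (more frequent)
+- package-ecosystem: "pip"
+directory: "/sdk/python"
+schedule:
+interval: "daily"
+time: "02:00"
+timezone: "UTC"
+open-pull-requests-limit: 5
+labels:
+- "dependencies"
+- "security"
+- "pip"
+reviewers:
+- "@teachlink/backend-maintainers"
+assignees:
+- "@teachlink/backend-maintainers"
+commit-message:
+prefix: "deps"
+prefix-development: "deps"
+include: "scope"
+ignore: []
+allow:
+- dependency-type: "direct"
+- dependency-type: "indirect"
+# Automatically merge security updates and minor/patch version updates
+automerge:
+- type: "security"
+method: "squash"
+- type: "version"
+update-types:
+- "minor"
+- "patch"
+method: "squash"
+merge-conditions:
+- required
+- required
+
+# Options for handling updates
+options:
+# Allow Dependabot to create PRs for security updates even if they would normally be ignored
+allow:
+dependency-type: "direct"
+dependency-type: "indirect"
+# Don't auto-close old PRs when new ones are opened for the same dependency
+# This helps prevent losing track of updates
+pull-request-limit: 25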
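Review bot: Several keys added here (`automerge:`, `merge-conditions:`, and the trailing top-level `options:` block with `pull-request-limit`) are not part of the dependabot.yml version 2 schema as far as I know, and every ecosystem is declared twice for the same `directory`, which Dependabot treats as a duplicate update entry. If the file fails validation, no update PRs are opened at all, including the security ones this change is meant to speed up. Security updates are switched on in the repository settings rather than by a second `interval: "daily"` entry, so I would keep one entry per `package-ecosystem`/`directory` pair and drop the unsupported keys. Unattended merging of `github-actions` and `indirect` dependency bumps is a supply-chain decision in its own right; if it is wanted, it belongs in a workflow gated by branch protection and required checks, with major and action updates left for human review. The rendered page has lost the YAML indentation, so nesting could not be checked from here.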
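--- a/src/auth/auth.module.ts
+++ b/src/auth/auth.module.ts
@@ -4,6 +4,8 @@ import { JwtModule } from '@nestjs/jwt';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { User } from '../users/entities/user.entity';
 import { JwtStrategy } from './jwt.strategy';
+import { RolesGuard } from './guards/roles.guard';
+import { PermissionsGuard } from './guards/permissions.guard';
 
 /**
 * Registers the authentication module with Passport and JWT support.
@@ -17,7 +19,7 @@ import { JwtStrategy } from './jwt.strategy';
 }),
 TypeOrmModule.forFeature([User]),
 ],
-providers: [JwtStrategy],
-exports: [PassportModule, JwtModule],
+providers: [JwtStrategy, RolesGuard, PermissionsGuard],
+exports: [PassportModule, JwtModule, RolesGuard, PermissionsGuard],
 })
 export class AuthModule {}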
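--- a/src/auth/decorators/permissions.decorator.ts
+++ b/src/auth/decorators/permissions.decorator.ts
@@ -0,0 +1,3 @@
+import { SetMetadata } from '@nestjs/common';
+export const PERMISSIONS_KEY = 'permissions';
+export const Permissions = (...permissions: string[]) => SetMetadata(PERMISSIONS_KEY, permissions);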
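--- a/src/auth/decorators/roles.decorator.ts
+++ b/src/auth/decorators/roles.decorator.ts
@@ -1,4 +1,3 @@
 import { SetMetadata } from '@nestjs/common';
-import { UserRole } from '../../users/entities/user.entity';
 export const ROLES_KEY = 'roles';
-export const Roles = (...roles: UserRole[]) => SetMetadata(ROLES_KEY, roles);
+export const Roles = (...roles: string[]) => SetMetadata(ROLES_KEY, roles);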
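Review bot: Widening the `Roles` parameter to `string[]` removes the compile-time check on role names, so a misspelled role in a `@Roles(...)` call now compiles and only shows up at runtime, as an unexpected allow or deny depending on how RolesGuard (not shown on this page) compares values. If role names outside the `UserRole` enum are now required, a named union or constant list of valid roles would keep that check while still allowing the new values. If the widening is intentional, add a TSDoc line on `Roles` saying where valid role names are defined and that unknown names are not rejected at compile time.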
37 changes: 37 additions & 0 deletions src/auth/guards/permissions.guard.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';

Check warning on line 1 in src/auth/guards/permissions.guard.ts


GitHub Actions / ESLint

'ForbiddenException' is defined but never used. Allowed unused vars must match /^_/u
import { Reflector } from '@nestjs/core';
import { PERMISSIONS_KEY } from '../decorators/permissions.decorator';

/**
* Protects permissions execution paths.
*/
@Injectable()
export class PermissionsGuard implements CanActivate {
constructor(private reflector: Reflector) {}

/**
* Executes can Activate.
* @param context The context.
* @returns Whether the operation succeeded.
*/
canActivate(context: ExecutionContext): boolean {
const requiredPermissions = this.reflector.getAllAndOverride<string[]>(PERMISSIONS_KEY, [
context.getHandler(),
context.getClass(),
]);

if (!requiredPermissions) {
return true;
}

const request = context.switchToHttp().getRequest();
const user = request.user;
if (!user) {
// This should not happen if the JWT guard is applied, but just in case.
return false;
}

// Assuming user.permissions is an array of permission strings in the format "resource:action"
return requiredPermissions.every(permission => user.permissions.includes(permission));
}
}
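Review bot: The final `return` in `canActivate` calls `user.permissions.includes(...)` without checking that `permissions` exists, so a token payload or strategy that omits it makes the guard throw a TypeError (surfacing as a 500) instead of denying the request; the comment above that line states this is only an assumption. Check the shape first and fail closed: `const granted: unknown = user.permissions;` `if (!Array.isArray(granted)) return false;` `return requiredPermissions.every((p) => granted.includes(p));`. Also, `@Permissions()` with no arguments stores `[]`, which passes the `!requiredPermissions` test and then `every` returns true for any authenticated user, so an empty list should be rejected or documented as "authentication only". The TSDoc on the class and method (`Executes can Activate.`) should instead say that the guard allows the request when no permissions metadata is set, requires all listed permissions otherwise, and depends on an earlier guard having populated `request.user`.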