refactor(auth): update resource mapping from "portal" to "trust" in permissions

Author: Marfuen

apps/api/src/audit/audit-log.interceptor.spec.ts

@@ -381,10 +381,10 @@ describe('AuditLogInterceptor', () => {
     });
   });
 
-  it('should map resource "portal" to entity type "trust"', (done) => {
+  it('should map resource "trust" to entity type "trust"', (done) => {
     jest.spyOn(reflector, 'getAllAndOverride').mockImplementation((key) => {
       if (key === PERMISSIONS_KEY) {
-        return [{ resource: 'portal', actions: ['update'] }];
+        return [{ resource: 'trust', actions: ['update'] }];
       }
       if (key === SKIP_AUDIT_LOG_KEY) return false;
       return undefined;

apps/api/src/auth/auth.server.ts

@@ -40,7 +40,7 @@ const statement = {
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
   app: ['read'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 } as const;
 
 const ac = createAccessControl(statement);
@@ -60,7 +60,7 @@ const owner = ac.newRole({
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
   app: ['read'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 });
 
 const admin = ac.newRole({
@@ -78,7 +78,7 @@ const admin = ac.newRole({
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
   app: ['read'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 });
 
 const auditor = ac.newRole({
@@ -97,22 +97,22 @@ const auditor = ac.newRole({
   questionnaire: ['read'],
   integration: ['read'],
   app: ['read'],
-  portal: ['read'],
+  trust: ['read'],
 });
 
 const employee = ac.newRole({
   task: ['read', 'complete'],
   evidence: ['read', 'upload'],
   policy: ['read'],
   questionnaire: ['read', 'respond'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 });
 
 const contractor = ac.newRole({
   task: ['read', 'complete'],
   evidence: ['read', 'upload'],
   policy: ['read'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 });
 
 const allRoles = {

apps/api/src/auth/require-permission.decorator.ts

@@ -68,7 +68,7 @@ export type GRCResource =
   | 'cloud-security'
   | 'training'
   | 'app'
-  | 'portal';
+  | 'trust';
 
 /**
  * Action types available for GRC resources

apps/api/src/people/people.controller.ts

@@ -410,7 +410,6 @@ export class PeopleController {
   }
 
   @Get('me/email-preferences')
-  @RequirePermission('member', 'read')
   @ApiOperation({ summary: 'Get current user email notification preferences' })
   async getEmailPreferences(
     @AuthContext() authContext: AuthContextType,
@@ -430,7 +429,6 @@ export class PeopleController {
   }
 
   @Put('me/email-preferences')
-  @RequirePermission('member', 'read')
   @ApiOperation({ summary: 'Update current user email notification preferences' })
   async updateEmailPreferences(
     @AuthContext() authContext: AuthContextType,

apps/api/src/roles/roles.controller.ts

@@ -6,6 +6,7 @@ import {
   Param,
   Patch,
   Post,
+  Query,
   UseGuards,
 } from '@nestjs/common';
 import {
@@ -120,6 +121,46 @@ export class RolesController {
     return this.rolesService.listRoles(organizationId);
   }
 
+  @Get('permissions')
+  @RequirePermission('app', 'read')
+  @ApiOperation({
+    summary: 'Resolve permissions for custom roles',
+    description:
+      'Returns the merged permissions for the given custom role names. Used by the frontend to resolve effective permissions for users with custom roles.',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Merged permissions for the requested roles',
+    schema: {
+      type: 'object',
+      properties: {
+        permissions: {
+          type: 'object',
+          additionalProperties: {
+            type: 'array',
+            items: { type: 'string' },
+          },
+        },
+      },
+    },
+  })
+  @ApiResponse({ status: 401, description: 'Unauthorized' })
+  async getPermissionsForRoles(
+    @OrganizationId() organizationId: string,
+    @Query('roles') roles: string,
+  ) {
+    const roleNames = (roles || '')
+      .split(',')
+      .map((r) => r.trim())
+      .filter(Boolean);
+    const permissions =
+      await this.rolesService.getPermissionsForRoles(
+        organizationId,
+        roleNames,
+      );
+    return { permissions };
+  }
+
   @Get(':roleId')
   @RequirePermission('ac', 'read')
   @ApiOperation({

apps/api/src/roles/roles.service.ts

@@ -20,7 +20,7 @@ const VALID_RESOURCES: Record<string, string[]> = {
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
   app: ['read'],
-  portal: ['read', 'update'],
+  trust: ['read', 'update'],
 };
 
 // Built-in roles that cannot be modified or deleted
@@ -142,20 +142,20 @@ export class RolesService {
           questionnaire: ['read'],
           integration: ['read'],
           app: ['read'],
-          portal: ['read'],
+          trust: ['read'],
         },
         employee: {
           task: ['read', 'complete'],
           evidence: ['read', 'upload'],
           policy: ['read'],
           questionnaire: ['read', 'respond'],
-          portal: ['read', 'update'],
+          trust: ['read', 'update'],
         },
         contractor: {
           task: ['read', 'complete'],
           evidence: ['read', 'upload'],
           policy: ['read'],
-          portal: ['read', 'update'],
+          trust: ['read', 'update'],
         },
       };
       return builtInPermissions[roleName] || {};
@@ -410,6 +410,46 @@ export class RolesService {
     return { success: true, message: `Role '${role.name}' deleted` };
   }
 
+  /**
+   * Get merged permissions for a list of custom role names.
+   * Used by the frontend to resolve effective permissions for custom roles.
+   */
+  async getPermissionsForRoles(
+    organizationId: string,
+    roleNames: string[],
+  ): Promise<Record<string, string[]>> {
+    if (roleNames.length === 0) return {};
+
+    const customRoles = await db.organizationRole.findMany({
+      where: {
+        organizationId,
+        name: { in: roleNames },
+      },
+    });
+
+    const combined: Record<string, string[]> = {};
+    for (const role of customRoles) {
+      const perms =
+        typeof role.permissions === 'string'
+          ? JSON.parse(role.permissions)
+          : role.permissions;
+      for (const [resource, actions] of Object.entries(
+        perms as Record<string, string[]>,
+      )) {
+        if (!combined[resource]) {
+          combined[resource] = [];
+        }
+        for (const action of actions) {
+          if (!combined[resource].includes(action)) {
+            combined[resource].push(action);
+          }
+        }
+      }
+    }
+
+    return combined;
+  }
+
   /**
    * Get description for built-in roles
    */

apps/api/src/trust-portal/trust-access.controller.ts

@@ -79,7 +79,7 @@ export class TrustAccessController {
 
   @Get('admin/requests')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'read')
+  @RequirePermission('trust', 'read')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -99,7 +99,7 @@ export class TrustAccessController {
 
   @Get('admin/requests/:id')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'read')
+  @RequirePermission('trust', 'read')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -119,7 +119,7 @@ export class TrustAccessController {
 
   @Post('admin/requests/:id/approve')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'update')
+  @RequirePermission('trust', 'update')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -154,7 +154,7 @@ export class TrustAccessController {
 
   @Post('admin/requests/:id/deny')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'update')
+  @RequirePermission('trust', 'update')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -186,7 +186,7 @@ export class TrustAccessController {
 
   @Get('admin/grants')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'read')
+  @RequirePermission('trust', 'read')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -200,7 +200,7 @@ export class TrustAccessController {
 
   @Post('admin/grants/:id/revoke')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'update')
+  @RequirePermission('trust', 'update')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -232,7 +232,7 @@ export class TrustAccessController {
 
   @Post('admin/grants/:id/resend-access-email')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'update')
+  @RequirePermission('trust', 'update')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -319,7 +319,7 @@ export class TrustAccessController {
 
   @Post('admin/requests/:id/resend-nda')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'update')
+  @RequirePermission('trust', 'update')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -339,7 +339,7 @@ export class TrustAccessController {
 
   @Post('admin/requests/:id/preview-nda')
   @UseGuards(HybridAuthGuard, PermissionGuard)
-  @RequirePermission('portal', 'read')
+  @RequirePermission('trust', 'read')
   @ApiSecurity('apikey')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({