Further work, need to have a larger think about the API of this.

packages/server/src/api/controllers/permission.js

@@ -2,9 +2,34 @@ const {
   BUILTIN_PERMISSIONS,
   PermissionLevels,
 } = require("../../utilities/security/permissions")
+const { getRoleParams } = require("../../db/utils")
+const CouchDB = require("../../db")
 
-function updatePermissionOnRole(roleId, permissions, remove = false) {
+async function updatePermissionOnRole(
+  appId,
+  roleId,
+  permissions,
+  remove = false
+) {
+  const db = new CouchDB(appId)
+  const body = await db.allDocs(
+    getRoleParams(null, {
+      include_docs: true,
+    })
+  )
+  const dbRoles = body.rows.map(row => row.doc)
+  const docUpdates = []
 
+  // now try to find any roles which need updated, e.g. removing the
+  // resource from another role and then adding to the new role
+  for (let role of dbRoles) {
+    if (role.permissions) {
+      // TODO
+    }
+  }
+
+  // TODO: NEED TO WORK THIS PART OUT
+  return await db.bulkDocs(docUpdates)
 }
 
 exports.fetchBuiltin = function(ctx) {
@@ -16,10 +41,15 @@ exports.fetchLevels = function(ctx) {
 }
 
 exports.addPermission = async function(ctx) {
-  const permissions = ctx.body.permissions, appId = ctx.appId
+  const appId = ctx.appId,
-  updatePermissionOnRole
+    roleId = ctx.params.roleId,
+    resourceId = ctx.params.resourceId
+  ctx.body = await updatePermissionOnRole(appId, roleId, resourceId)
 }
 
 exports.removePermission = async function(ctx) {
-  const permissions = ctx.body.permissions, appId = ctx.appId
+  const appId = ctx.appId,
+    roleId = ctx.params.roleId,
+    resourceId = ctx.params.resourceId
+  ctx.body = await updatePermissionOnRole(appId, roleId, resourceId, true)
 }

packages/server/src/api/routes/permission.js

@@ -30,16 +30,14 @@ function generateRemoveValidator() {
 router
   .get("/api/permission/builtin", authorized(BUILDER), controller.fetchBuiltin)
   .get("/api/permission/levels", authorized(BUILDER), controller.fetchLevels)
-  .patch(
+  .post(
-    "/api/permission/:roleId/add",
+    "/api/permission/:roleId/:resourceId",
     authorized(BUILDER),
-    generateAddValidator(),
     controller.addPermission
   )
-  .patch(
+  .delete(
-    "/api/permission/:roleId/remove",
+    "/api/permission/:roleId/:resourceId",
     authorized(BUILDER),
-    generateRemoveValidator(),
     controller.removePermission
   )
 

packages/server/src/api/routes/role.js

@@ -1,7 +1,10 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/role")
 const authorized = require("../../middleware/authorized")
-const { BUILDER } = require("../../utilities/security/permissions")
+const {
+  BUILDER,
+  PermissionLevels,
+} = require("../../utilities/security/permissions")
 const Joi = require("joi")
 const joiValidator = require("../../middleware/joi-validator")
 const {
@@ -11,12 +14,17 @@ const {
 const router = Router()
 
 function generateValidator() {
+  const permLevelArray = Object.values(PermissionLevels)
   // prettier-ignore
   return joiValidator.body(Joi.object({
     _id: Joi.string().optional(),
     _rev: Joi.string().optional(),
     name: Joi.string().required(),
+    // this is the base permission ID (for now a built in)
     permissionId: Joi.string().valid(...Object.values(BUILTIN_PERMISSION_IDS)).required(),
+    permissions: Joi.object()
+      .pattern(/.*/, [Joi.string().valid(...permLevelArray)])
+      .optional(),
     inherits: Joi.string().optional(),
   }).unknown(true))
 }