Legg til node_access i STDB + synk fra maskinrommet

Visibility-filtrering (oppgave 4.3, del 1/2): - Ny node_access-tabell i STDB-modulen som speiler PG - Reducers: upsert_node_access, delete_node_access, delete_node_access_for_subject - STDB-klient i maskinrommet: metoder for node_access - Warmup synker node_access fra PG til STDB ved oppstart - Tilgangsgivende edges synker node_access til STDB etter PG-commit - clear_all tømmer også node_access Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 15:09:55 +01:00 · 2026-03-17 15:09:55 +01:00 · 8fa2849f0c
commit 8fa2849f0c
parent 68bcd57d84
5 changed files with 220 additions and 5 deletions
--- a/maskinrommet/src/intentions.rs
+++ b/maskinrommet/src/intentions.rs
@ -309,6 +309,7 @@ pub async fn create_edge(
    let edge_type = req.edge_type.clone();
    spawn_pg_insert_edge(
        state.db.clone(),
+        state.stdb.clone(),
        edge_id,
        req.source_id,
        req.target_id,
@ -569,8 +570,10 @@ fn edge_type_to_access_level(edge_type: &str) -> Option<&'static str> {
 /// Spawner en tokio-task som skriver edgen til PostgreSQL i bakgrunnen.
 /// For tilgangsgivende edges (owner, admin, member_of, reader) kalles
 /// recompute_access i samme transaksjon — ingen vindu med stale tilgang.
+/// Synker også node_access til STDB for visibility-filtrering i frontend.
 fn spawn_pg_insert_edge(
    db: PgPool,
+    stdb: crate::stdb::StdbClient,
    edge_id: Uuid,
    source_id: Uuid,
    target_id: Uuid,
@ -593,6 +596,9 @@ fn spawn_pg_insert_edge(
                        access_level = %level,
                        "Edge + node_access persistert til PostgreSQL"
                    );
+
+                    // Synk oppdatert node_access til STDB
+                    sync_node_access_to_stdb(&db, &stdb, source_id).await;
                }
                Err(e) => {
                    tracing::error!(
@ -632,6 +638,58 @@ fn spawn_pg_insert_edge(
    });
 }

+/// Synkroniserer node_access-rader for et subject fra PG til STDB.
+/// Kalles etter recompute_access for å holde STDB i synk.
+async fn sync_node_access_to_stdb(db: &PgPool, stdb: &crate::stdb::StdbClient, subject_id: Uuid) {
+    let rows = sqlx::query_as::<_, NodeAccessRow>(
+        "SELECT subject_id, object_id, access::text as access, \
+         COALESCE(via_edge::text, '') as via_edge \
+         FROM node_access WHERE subject_id = $1",
+    )
+    .bind(subject_id)
+    .fetch_all(db)
+    .await;
+
+    match rows {
+        Ok(rows) => {
+            for row in &rows {
+                if let Err(e) = stdb
+                    .upsert_node_access(
+                        &row.subject_id.to_string(),
+                        &row.object_id.to_string(),
+                        &row.access,
+                        &row.via_edge,
+                    )
+                    .await
+                {
+                    tracing::error!(
+                        subject_id = %row.subject_id,
+                        object_id = %row.object_id,
+                        error = %e,
+                        "Kunne ikke synke node_access til STDB"
+                    );
+                }
+            }
+            tracing::info!(
+                subject_id = %subject_id,
+                count = rows.len(),
+                "node_access synket til STDB"
+            );
+        }
+        Err(e) => {
+            tracing::error!(subject_id = %subject_id, error = %e, "Kunne ikke hente node_access fra PG");
+        }
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct NodeAccessRow {
+    subject_id: Uuid,
+    object_id: Uuid,
+    access: String,
+    via_edge: String,
+}
+
 /// Inserter en tilgangsgivende edge og oppdaterer node_access i én transaksjon.
 /// source_id = subject (bruker/team), target_id = object (noden det gis tilgang til).
 async fn insert_edge_with_access(
--- a/maskinrommet/src/main.rs
+++ b/maskinrommet/src/main.rs
@ -95,9 +95,10 @@ async fn main() {
    match warmup::run(&db, &stdb).await {
        Ok(stats) => {
            tracing::info!(
-                "Warmup fullført: {} noder, {} edges",
+                "Warmup fullført: {} noder, {} edges, {} access",
                stats.nodes,
-                stats.edges
+                stats.edges,
+                stats.access
            );
        }
        Err(e) => {
--- a/maskinrommet/src/stdb.rs
+++ b/maskinrommet/src/stdb.rs
@ -235,6 +235,52 @@ impl StdbClient {
        self.call_reducer("delete_edge", &Args { id }).await
    }

+    // =========================================================================
+    // NodeAccess-operasjoner
+    // =========================================================================
+
+    pub async fn upsert_node_access(
+        &self,
+        subject_id: &str,
+        object_id: &str,
+        access: &str,
+        via_edge: &str,
+    ) -> Result<(), StdbError> {
+        #[derive(Serialize)]
+        struct Args<'a> {
+            subject_id: &'a str,
+            object_id: &'a str,
+            access: &'a str,
+            via_edge: &'a str,
+        }
+
+        self.call_reducer(
+            "upsert_node_access",
+            &Args {
+                subject_id,
+                object_id,
+                access,
+                via_edge,
+            },
+        )
+        .await
+    }
+
+    pub async fn delete_node_access(
+        &self,
+        subject_id: &str,
+        object_id: &str,
+    ) -> Result<(), StdbError> {
+        #[derive(Serialize)]
+        struct Args<'a> {
+            subject_id: &'a str,
+            object_id: &'a str,
+        }
+
+        self.call_reducer("delete_node_access", &Args { subject_id, object_id })
+            .await
+    }
+
    // =========================================================================
    // Vedlikehold
    // =========================================================================
--- a/maskinrommet/src/warmup.rs
+++ b/maskinrommet/src/warmup.rs
@ -68,17 +68,40 @@ pub async fn run(db: &PgPool, stdb: &StdbClient) -> Result<WarmupStats, Box<dyn
    }
    tracing::info!("Warmup: {edge_count} edges lastet");

+    // 4. Last alle node_access-rader
+    let access_rows = sqlx::query_as::<_, PgNodeAccess>(
+        "SELECT subject_id, object_id, access::text, \
+         COALESCE(via_edge::text, '') as via_edge \
+         FROM node_access"
+    )
+    .fetch_all(db)
+    .await?;
+
+    let access_count = access_rows.len();
+    for row in &access_rows {
+        stdb.upsert_node_access(
+            &row.subject_id.to_string(),
+            &row.object_id.to_string(),
+            &row.access,
+            &row.via_edge,
+        )
+        .await?;
+    }
+    tracing::info!("Warmup: {access_count} node_access-rader lastet");
+
    let stats = WarmupStats {
        nodes: node_count,
        edges: edge_count,
+        access: access_count,
    };
-    tracing::info!("Warmup: ferdig ({} noder, {} edges)", stats.nodes, stats.edges);
+    tracing::info!("Warmup: ferdig ({} noder, {} edges, {} access)", stats.nodes, stats.edges, stats.access);
    Ok(stats)
 }

 pub struct WarmupStats {
    pub nodes: usize,
    pub edges: usize,
+    pub access: usize,
 }

 // PG-radtyper for sqlx
@ -95,6 +118,15 @@ struct PgNode {
    created_by: String,
 }

+#[derive(sqlx::FromRow)]
+#[allow(dead_code)]
+struct PgNodeAccess {
+    subject_id: uuid::Uuid,
+    object_id: uuid::Uuid,
+    access: String,
+    via_edge: String,
+}
+
 #[derive(sqlx::FromRow)]
 #[allow(dead_code)]
 struct PgEdge {
--- a/spacetimedb/src/lib.rs
+++ b/spacetimedb/src/lib.rs
@ -29,6 +29,22 @@ pub struct Node {
    pub created_by: String,
 }

+/// Speiler PG node_access-tabellen (materialisert tilgangsmatrise).
+/// subject_id = bruker/team, object_id = noden det gis tilgang til.
+/// Brukes av frontend for visibility-filtrering.
+#[spacetimedb::table(accessor = node_access, public)]
+pub struct NodeAccess {
+    #[primary_key]
+    pub id: String, // "{subject_id}:{object_id}" — kompositt-nøkkel som streng
+
+    #[index(btree)]
+    pub subject_id: String,
+    #[index(btree)]
+    pub object_id: String,
+    pub access: String, // reader, member, admin, owner
+    pub via_edge: String,
+}
+
 /// Speiler PG edges-tabellen.
 #[spacetimedb::table(accessor = edge, public)]
 pub struct Edge {
@ -140,6 +156,64 @@ pub fn delete_node(ctx: &ReducerContext, id: String) -> Result<(), String> {
    Ok(())
 }

+// =============================================================================
+// NodeAccess CRUD
+// =============================================================================
+
+/// Upsert: opprett eller oppdater tilgang. id = "{subject_id}:{object_id}".
+#[reducer]
+pub fn upsert_node_access(
+    ctx: &ReducerContext,
+    subject_id: String,
+    object_id: String,
+    access: String,
+    via_edge: String,
+) -> Result<(), String> {
+    let id = format!("{subject_id}:{object_id}");
+
+    if let Some(existing) = ctx.db.node_access().id().find(&id) {
+        ctx.db.node_access().id().update(NodeAccess {
+            access,
+            via_edge,
+            ..existing
+        });
+    } else {
+        ctx.db.node_access().insert(NodeAccess {
+            id,
+            subject_id,
+            object_id,
+            access,
+            via_edge,
+        });
+    }
+    Ok(())
+}
+
+/// Slett en spesifikk tilgangsrad.
+#[reducer]
+pub fn delete_node_access(
+    ctx: &ReducerContext,
+    subject_id: String,
+    object_id: String,
+) -> Result<(), String> {
+    let id = format!("{subject_id}:{object_id}");
+    ctx.db.node_access().id().delete(&id);
+    Ok(())
+}
+
+/// Slett all tilgang for et gitt subject (brukes ved fjerning av bruker/team).
+#[reducer]
+pub fn delete_node_access_for_subject(
+    ctx: &ReducerContext,
+    subject_id: String,
+) -> Result<(), String> {
+    let entries: Vec<_> = ctx.db.node_access().subject_id().filter(&subject_id).collect();
+    for entry in entries {
+        ctx.db.node_access().id().delete(&entry.id);
+    }
+    Ok(())
+}
+
 // =============================================================================
 // Edge CRUD
 // =============================================================================
@ -203,9 +277,13 @@ pub fn delete_edge(ctx: &ReducerContext, id: String) -> Result<(), String> {
 // Warmup/vedlikehold
 // =============================================================================

-/// Tøm alle noder og edges (brukes ved restart/warmup for å unngå duplikater)
+/// Tøm alle noder, edges og node_access (brukes ved restart/warmup for å unngå duplikater)
 #[reducer]
 pub fn clear_all(ctx: &ReducerContext) -> Result<(), String> {
+    let all_access: Vec<_> = ctx.db.node_access().iter().collect();
+    for a in all_access {
+        ctx.db.node_access().id().delete(&a.id);
+    }
    let all_edges: Vec<_> = ctx.db.edge().iter().collect();
    for e in all_edges {
        ctx.db.edge().id().delete(&e.id);
@ -214,6 +292,6 @@ pub fn clear_all(ctx: &ReducerContext) -> Result<(), String> {
    for n in all_nodes {
        ctx.db.node().id().delete(&n.id);
    }
-    log::info!("Alle noder og edges slettet (clear_all)");
+    log::info!("Alle noder, edges og node_access slettet (clear_all)");
    Ok(())
 }