while-basic
diff --git a/‎apps/backend/prisma/migrations/20240507195652_team/migration.sql‎
Lines changed: 1 addition & 1 deletion b/‎apps/backend/prisma/migrations/20240507195652_team/migration.sql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/backend/prisma/migrations/20250324204959_project_user_permissions/migration.sql‎
Lines changed: 23 additions & 0 deletions b/‎apps/backend/prisma/migrations/20250324204959_project_user_permissions/migration.sql‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎apps/backend/prisma/schema.prisma‎
Lines changed: 25 additions & 5 deletions b/‎apps/backend/prisma/schema.prisma‎
Lines changed: 25 additions & 5 deletions
diff --git a/‎apps/backend/src/app/api/latest/projects/current/crud.tsx‎
Lines changed: 35 additions & 3 deletions b/‎apps/backend/src/app/api/latest/projects/current/crud.tsx‎
Lines changed: 35 additions & 3 deletions
diff --git a/‎apps/backend/src/app/api/latest/team-invitations/crud.tsx‎
Lines changed: 0 additions & 1 deletion b/‎apps/backend/src/app/api/latest/team-invitations/crud.tsx‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎apps/backend/src/app/api/latest/team-permission-definitions/crud.tsx‎
Lines changed: 7 additions & 5 deletions b/‎apps/backend/src/app/api/latest/team-permission-definitions/crud.tsx‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎apps/backend/src/app/api/latest/user-permission-definitions/[permission_id]/route.tsx‎
Lines changed: 4 additions & 0 deletions b/‎apps/backend/src/app/api/latest/user-permission-definitions/[permission_id]/route.tsx‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/backend/src/app/api/latest/user-permission-definitions/crud.tsx‎
Lines changed: 47 additions & 0 deletions b/‎apps/backend/src/app/api/latest/user-permission-definitions/crud.tsx‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎apps/backend/src/app/api/latest/user-permission-definitions/route.tsx‎
Lines changed: 4 additions & 0 deletions b/‎apps/backend/src/app/api/latest/user-permission-definitions/route.tsx‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/backend/src/app/api/latest/user-permissions/[user_id]/[permission_id]/route.tsx‎
Lines changed: 4 additions & 0 deletions b/‎apps/backend/src/app/api/latest/user-permissions/[user_id]/[permission_id]/route.tsx‎
Lines changed: 4 additions & 0 deletions
@@ -1,6 +1,6 @@
 
 -- CreateEnum
-CREATE TYPE "PermissionScope" AS ENUM ('GLOBAL', 'TEAM');
+CREATE TYPE "PermissionScope" AS ENUM ('USER', 'TEAM');
 
 -- AlterTable
 ALTER TABLE "ProjectConfig" ADD COLUMN "createTeamOnSignUp" BOOLEAN NOT NULL DEFAULT false;
 
@@ -0,0 +1,23 @@
+-- AlterTable
+ALTER TABLE "Permission" ADD COLUMN     "isDefaultUserPermission" BOOLEAN NOT NULL DEFAULT false;
+
+-- CreateTable
+CREATE TABLE "ProjectUserDirectPermission" (
+    "id" UUID NOT NULL,
+    "tenancyId" UUID NOT NULL,
+    "projectUserId" UUID NOT NULL,
+    "permissionDbId" UUID,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "ProjectUserDirectPermission_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ProjectUserDirectPermission_tenancyId_projectUserId_permiss_key" ON "ProjectUserDirectPermission"("tenancyId", "projectUserId", "permissionDbId");
+
+-- AddForeignKey
+ALTER TABLE "ProjectUserDirectPermission" ADD CONSTRAINT "ProjectUserDirectPermission_tenancyId_projectUserId_fkey" FOREIGN KEY ("tenancyId", "projectUserId") REFERENCES "ProjectUser"("tenancyId", "projectUserId") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "ProjectUserDirectPermission" ADD CONSTRAINT "ProjectUserDirectPermission_permissionDbId_fkey" FOREIGN KEY ("permissionDbId") REFERENCES "Permission"("dbId") ON DELETE CASCADE ON UPDATE CASCADE;
@@ -159,6 +159,23 @@ model TeamMember {
@@unique([tenancyId, projectUserId, isSelected])
 }
 
+model ProjectUserDirectPermission {
+  id             String  @id @default(uuid()) @db.Uuid
+  tenancyId      String  @db.Uuid
+  projectUserId  String  @db.Uuid
+  permissionDbId String? @db.Uuid
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  projectUser ProjectUser @relation(fields: [tenancyId, projectUserId], references: [tenancyId, projectUserId], onDelete: Cascade)
+
+  // no [systemPermission] yet, we'll add it when the need arises
+  permission Permission? @relation(fields: [permissionDbId], references: [dbId], onDelete: Cascade)
+
+  @@unique([tenancyId, projectUserId, permissionDbId])
+}
+
 model TeamMemberDirectPermission {
   id             String  @id @default(uuid()) @db.Uuid
   tenancyId      String  @db.Uuid
@@ -194,25 +211,27 @@ model Permission {
 
   description String?
 
-  // The scope of the permission. If projectConfigId is set, may be GLOBAL or TEAM; if teamId is set, must be TEAM.
+  // The scope of the permission. If projectConfigId is set, may be USER or TEAM; if teamId is set, must be TEAM.
   scope PermissionScope
 
   projectConfig ProjectConfig? @relation(fields: [projectConfigId], references: [id], onDelete: Cascade)
   team          Team?          @relation(fields: [tenancyId, teamId], references: [tenancyId, teamId], onDelete: Cascade)
 
-  parentEdges                PermissionEdge[]             @relation("ChildPermission")
-  childEdges                 PermissionEdge[]             @relation("ParentPermission")
-  teamMemberDirectPermission TeamMemberDirectPermission[]
+  parentEdges                 PermissionEdge[]              @relation("ChildPermission")
+  childEdges                  PermissionEdge[]              @relation("ParentPermission")
+  teamMemberDirectPermission  TeamMemberDirectPermission[]
+  projectUserDirectPermission ProjectUserDirectPermission[]
 
   isDefaultTeamCreatorPermission Boolean @default(false)
   isDefaultTeamMemberPermission  Boolean @default(false)
+  isDefaultUserPermission        Boolean @default(false)
 
@@unique([projectConfigId, queryableId])
@@unique([tenancyId, teamId, queryableId])
 }
 
 enum PermissionScope {
-  GLOBAL
+  USER
   TEAM
 }
 
@@ -279,6 +298,7 @@ model ProjectUser {
   otpAuthMethod      OtpAuthMethod[]
   oauthAuthMethod    OAuthAuthMethod[]
   SentEmail          SentEmail[]
+  directPermissions  ProjectUserDirectPermission[]
 
@@id([tenancyId, projectUserId])
@@unique([mirroredProjectId, mirroredBranchId, projectUserId])
 
@@ -1,4 +1,4 @@
-import { isTeamSystemPermission, listTeamPermissionDefinitions, teamSystemPermissionStringToDBType } from "@/lib/permissions";
+import { isTeamSystemPermission, listPermissionDefinitions, teamSystemPermissionStringToDBType } from "@/lib/permissions";
 import { fullProjectInclude, projectPrismaToCrud } from "@/lib/projects";
 import { ensureSharedProvider } from "@/lib/request-checks";
 import { retryTransaction } from "@/prisma-client";
@@ -33,8 +33,40 @@ export const projectsCrudHandlers = createLazyProxy(() => createCrudHandlers(pro
         },
       ] as const;
 
-      const permissions = await listTeamPermissionDefinitions(tx, auth.tenancy);
+      const teamPermissions = await listPermissionDefinitions(tx, "TEAM", auth.tenancy);
+      const userPermissions = await listPermissionDefinitions(tx, "USER", auth.tenancy);
 
+      // Handle user default permissions
+      const userDefaultPerms = data.config?.user_default_permissions?.map((p) => p.id);
+      if (userDefaultPerms) {
+        if (!userDefaultPerms.every((id) => userPermissions.some((perm) => perm.id === id))) {
+          throw new StatusError(StatusError.BadRequest,
+            `Invalid user default permission ids: ${userDefaultPerms.filter(id => !userPermissions.some(perm => perm.id === id)).join(', ')}`);
+        }
+
+        // Remove existing default user permissions
+        await tx.permission.updateMany({
+          where: {
+            projectConfigId: oldProject.config.id,
+          },
+          data: {
+            isDefaultUserPermission: false,
+          },
+        });
+
+        // Add new default user permissions
+        await tx.permission.updateMany({
+          where: {
+            projectConfigId: oldProject.config.id,
+            queryableId: {
+              in: userDefaultPerms,
+            },
+          },
+          data: {
+            isDefaultUserPermission: true,
+          },
+        });
+      }
 
       for (const param of dbParams) {
         const defaultPerms = data.config?.[param.optionName]?.map((p) => p.id);
@@ -43,7 +75,7 @@ export const projectsCrudHandlers = createLazyProxy(() => createCrudHandlers(pro
           continue;
         }
 
-        if (!defaultPerms.every((id) => permissions.some((perm) => perm.id === id))) {
+        if (!defaultPerms.every((id) => teamPermissions.some((perm) => perm.id === id))) {
           throw new StatusError(StatusError.BadRequest, "Invalid team default permission ids");
         }
 
 
@@ -20,7 +20,6 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
       if (auth.type === 'client') {
         // Client can only:
         // - list invitations in their own team if they have the $read_members AND $invite_members permissions
-
         const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
 
         await ensureTeamMembershipExists(tx, { tenancyId: auth.tenancy.id, teamId: query.team_id, userId: currentUserId });
 
@@ -1,4 +1,4 @@
-import { createTeamPermissionDefinition, deleteTeamPermissionDefinition, listTeamPermissionDefinitions, updateTeamPermissionDefinitions } from "@/lib/permissions";
+import { createPermissionDefinition, deletePermissionDefinition, listPermissionDefinitions, updatePermissionDefinitions } from "@/lib/permissions";
 import { retryTransaction } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { teamPermissionDefinitionsCrud } from '@stackframe/stack-shared/dist/interface/crud/team-permissions';
@@ -11,15 +11,17 @@ export const teamPermissionDefinitionsCrudHandlers = createLazyProxy(() => creat
   }),
   async onCreate({ auth, data }) {
     return await retryTransaction(async (tx) => {
-      return await createTeamPermissionDefinition(tx, {
+      return await createPermissionDefinition(tx, {
+        scope: "TEAM",
         tenancy: auth.tenancy,
         data,
       });
     });
   },
   async onUpdate({ auth, data, params }) {
     return await retryTransaction(async (tx) => {
-      return await updateTeamPermissionDefinitions(tx, {
+      return await updatePermissionDefinitions(tx, {
+        scope: "TEAM",
         tenancy: auth.tenancy,
         permissionId: params.permission_id,
         data,
@@ -28,7 +30,7 @@ export const teamPermissionDefinitionsCrudHandlers = createLazyProxy(() => creat
   },
   async onDelete({ auth, params }) {
     return await retryTransaction(async (tx) => {
-      await deleteTeamPermissionDefinition(tx, {
+      await deletePermissionDefinition(tx, {
         tenancy: auth.tenancy,
         permissionId: params.permission_id
       });
@@ -37,7 +39,7 @@ export const teamPermissionDefinitionsCrudHandlers = createLazyProxy(() => creat
   async onList({ auth }) {
     return await retryTransaction(async (tx) => {
       return {
-        items: await listTeamPermissionDefinitions(tx, auth.tenancy),
+        items: await listPermissionDefinitions(tx, "TEAM", auth.tenancy),
         is_paginated: false,
       };
     });
 
@@ -0,0 +1,4 @@
+import { userPermissionDefinitionsCrudHandlers } from "../crud";
+
+export const PATCH = userPermissionDefinitionsCrudHandlers.updateHandler;
+export const DELETE = userPermissionDefinitionsCrudHandlers.deleteHandler;
@@ -0,0 +1,47 @@
+import { createPermissionDefinition, deletePermissionDefinition, listPermissionDefinitions, updatePermissionDefinitions } from "@/lib/permissions";
+import { retryTransaction } from "@/prisma-client";
+import { createCrudHandlers } from "@/route-handlers/crud-handler";
+import { userPermissionDefinitionsCrud } from '@stackframe/stack-shared/dist/interface/crud/user-permissions';
+import { teamPermissionDefinitionIdSchema, yupObject } from "@stackframe/stack-shared/dist/schema-fields";
+import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+
+export const userPermissionDefinitionsCrudHandlers = createLazyProxy(() => createCrudHandlers(userPermissionDefinitionsCrud, {
+  paramsSchema: yupObject({
+    permission_id: teamPermissionDefinitionIdSchema.defined(),
+  }),
+  async onCreate({ auth, data }) {
+    return await retryTransaction(async (tx) => {
+      return await createPermissionDefinition(tx, {
+        scope: "USER",
+        tenancy: auth.tenancy,
+        data,
+      });
+    });
+  },
+  async onUpdate({ auth, data, params }) {
+    return await retryTransaction(async (tx) => {
+      return await updatePermissionDefinitions(tx, {
+        scope: "USER",
+        tenancy: auth.tenancy,
+        permissionId: params.permission_id,
+        data,
+      });
+    });
+  },
+  async onDelete({ auth, params }) {
+    return await retryTransaction(async (tx) => {
+      await deletePermissionDefinition(tx, {
+        tenancy: auth.tenancy,
+        permissionId: params.permission_id
+      });
+    });
+  },
+  async onList({ auth }) {
+    return await retryTransaction(async (tx) => {
+      return {
+        items: await listPermissionDefinitions(tx, "USER", auth.tenancy),
+        is_paginated: false,
+      };
+    });
+  },
+}));
@@ -0,0 +1,4 @@
+import { userPermissionDefinitionsCrudHandlers } from "./crud";
+
+export const POST = userPermissionDefinitionsCrudHandlers.createHandler;
+export const GET = userPermissionDefinitionsCrudHandlers.listHandler;
@@ -0,0 +1,4 @@
+import { userPermissionsCrudHandlers } from "../../crud";
+
+export const POST = userPermissionsCrudHandlers.createHandler;
+export const DELETE = userPermissionsCrudHandlers.deleteHandler;