expand user permissions

src/lib/auth.ts

@@ -67,7 +67,7 @@ export async function verifyPassword(password: string, hash: string): Promise<bo
 }
 
 // Auth guard result type
-type AuthSuccess = { session: IronSession<SessionData> }
+type AuthSuccess = { session: IronSession<SessionData>; accessLevel?: 'admin' | 'write' | 'read' }
 type AuthResult = AuthSuccess | NextResponse
 
 // Read-only session from an API route request (throwaway response)
@@ -100,13 +100,22 @@ export async function requireLibraryAccess(req: NextRequest, libraryId: string):
   if (!session.userId) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
-  if (session.role === 'admin') return { session }
+  if (session.role === 'admin') return { session, accessLevel: 'admin' }
 
   // Lazy import to avoid pulling DB into edge contexts
-  const { getPermittedLibraryIds } = await import('./users')
-  const permitted = getPermittedLibraryIds(session.userId)
-  if (!permitted.includes(libraryId)) {
+  const { getLibraryAccessLevel } = await import('./users')
+  const accessLevel = getLibraryAccessLevel(session.userId, libraryId)
+  if (!accessLevel) {
     return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
   }
-  return { session }
+  return { session, accessLevel }
+}
+
+export async function requireLibraryWriteAccess(req: NextRequest, libraryId: string): Promise<AuthResult> {
+  const result = await requireLibraryAccess(req, libraryId)
+  if (result instanceof NextResponse) return result
+  if (result.accessLevel === 'read') {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+  return result
 }