Add back-end support for conversations RBAC

[mlanlazc]

PR title is self-descriptive.

UI part will be added in the separate PR.

[gemini-code-assist]

Summary of Changes

Hello @mlanlazc, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes comprehensive backend support for Role-Based Access Control (RBAC) specifically tailored for conversation resources. It integrates the @casl/ability library to enforce permissions across various conversation-related API endpoints, ensuring that users can only perform actions for which they have explicit authorization. The changes encompass schema modifications to track conversation-specific permissions, updates to API routes to incorporate ability checks, and refactoring of the conversation service to utilize the new permission system. This foundational work enables a more secure and granular access control mechanism for user conversations, with the UI integration planned for a subsequent PR.

Highlights

• Introduction of Conversation RBAC: This pull request fully implements Role-Based Access Control (RBAC) for conversation resources, allowing for granular permission management over user conversations.
• API Endpoint Authorization: All conversation-related API endpoints (GET, POST, PATCH, DELETE) have been updated to incorporate authorization checks using the @casl/ability library, ensuring that users can only perform actions for which they have explicit permissions.
• Database Schema Updates: The Prisma schema has been extended to include 'Conversation' as a PermissionResource and RoleScope, and a new conversationId field has been added to the Permission model to support conversation-specific access control.
• Refactored Conversation Service: The conversationService functions have been refactored to remove direct userId checks, instead leveraging the new ability system for authorization when fetching, updating, or deleting conversations.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces Role-Based Access Control (RBAC) for conversations, which is a significant enhancement to the application's security model. The changes are comprehensive, touching API routes, services, CASL ability definitions, and the database schema. The core logic correctly replaces direct user ID checks with permission-based authorization using @casl/ability. My review focuses on ensuring the correct and consistent application of these new permission checks. I've identified a potential runtime error in one of the API routes due to incorrect use of a Prisma query and a semantic inconsistency in the permission action used for creating snapshots. Overall, this is a solid implementation of a critical feature.