Centralize all frontend permission definitions in a single actionPermissions registry

[Copilot]

Permission requirements were duplicated across config.js, config.json, and ad-hoc component logic, with many engine-side OR checks (e.g. DELETE on processInstance OR DELETE_INSTANCE on processDefinition) reduced to a single-alternative AND check, silently losing correctness.

Changes

New: frontend/src/utils/actionPermissions.js

Single source of truth for 40+ action permissions, directly mirroring AuthorizationCommandChecker.java:

// AND – all resource types required (conjunctive)
createProcessInstance: { processDefinition: ['CREATE_INSTANCE'], processInstance: ['CREATE'] }

// OR – any alternative suffices (disjunctive, as the engine checks it)
updateProcessInstanceVariable: [
  { processInstance: ['UPDATE_VARIABLE'] },
  { processDefinition: ['UPDATE_INSTANCE_VARIABLE'] },
  { processInstance: ['UPDATE'] },
  { processDefinition: ['UPDATE_INSTANCE'] },
]

toConfigPermissions() converts the registry to the flat legacy format (first alternative for OR entries) for backward compatibility with existing processByPermissions / filtersByPermissions call sites.

frontend/src/utils/permissionsUtils.js

Added checkActionAllowed(actionDef, resourceId, userPermissions, authorizationEnabled) — dispatches on object (AND) vs. array (OR) format.

frontend/src/permissions.js

Added checkActionPermission(actionName, resourceId) mixin method — looks up the action in ACTION_PERMISSIONS and evaluates with full OR/AND support. Warns on unknown action names.

frontend/src/utils/config.js

• DEFAULT_CONFIG.permissions replaced by toConfigPermissions(ACTION_PERMISSIONS) — all defaults come from the registry
• Fixed long-standing typo udpateInstanceProcessDefinition → updateInstanceProcessDefinition

frontend/public/config.json

Removed the permissions section — now authoritative only in actionPermissions.js.

frontend/src/library.js

Exports ACTION_PERMISSIONS, toConfigPermissions, checkActionAllowed for library consumers.

Tests

configPermissions in the test file is now derived from toConfigPermissions(ACTION_PERMISSIONS). Added 37 tests covering the registry structure, toConfigPermissions, checkActionAllowed (AND/OR paths, all updateProcessInstanceVariable alternatives, suspendProcessInstance engine alternatives), and checkActionPermission mixin integration.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.