From 237dc2ef9a91e74e2979d5a7caad22efe67df8c9 Mon Sep 17 00:00:00 2001 From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com> Date: Thu, 4 Dec 2025 19:13:38 -0500 Subject: [PATCH] fix: get subdomains permission working --- src/backend/src/CoreModule.js | 3 ++- src/backend/src/modules/apps/AppPermissionService.js | 3 ++- src/backend/src/om/entitystorage/AppLimitedES.js | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/backend/src/CoreModule.js b/src/backend/src/CoreModule.js index 3176a051..9d3db967 100644 --- a/src/backend/src/CoreModule.js +++ b/src/backend/src/CoreModule.js @@ -158,6 +158,7 @@ const install = async ({ context, services, app, useapi, modapi }) => { SQLES, { table: 'app', debug: true }, AppES, AppLimitedES, { + permission_prefix: 'apps-of-user', // When apps query es:apps, they're allowed to see apps which // are approved for listing and they're allowed to see their // own entry. @@ -202,7 +203,7 @@ const install = async ({ context, services, app, useapi, modapi }) => { upstream: ESBuilder.create([ SQLES, { table: 'subdomains', debug: true }, SubdomainES, - AppLimitedES, + AppLimitedES, { permission_prefix: 'subdomains-of-user' }, WriteByOwnerOnlyES, ValidationES, SetOwnerES, diff --git a/src/backend/src/modules/apps/AppPermissionService.js b/src/backend/src/modules/apps/AppPermissionService.js index a0c2ab7d..8170f0c5 100644 --- a/src/backend/src/modules/apps/AppPermissionService.js +++ b/src/backend/src/modules/apps/AppPermissionService.js @@ -8,7 +8,8 @@ class AppPermissionService extends BaseService { svc_permission.register_implicator(PermissionImplicator.create({ id: 'user-can-grant-read-own-apps', matcher: permission => { - return permission.startsWith('apps-of-user:'); + return permission.startsWith('apps-of-user:') || + permission.startsWith('subdomains-of-user:'); }, checker: async ({ actor, permission }) => { if ( ! (actor.type instanceof UserActorType) ) { 
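Review bot: The prefixes `'apps-of-user'` in this hunk and `'subdomains-of-user'` in the second CoreModule.js hunk are bare string literals that have to match the `startsWith` checks in AppPermissionService.js character for character. Nothing visible here would report a mismatch; the implicator would presumably just never match and the permission check in AppLimitedES would quietly evaluate to false. I would define the prefixes once as shared constants and reference them from both files, or at minimum add `// must match a prefix accepted by the matcher in AppPermissionService` next to each option. The surrounding `install` function starts and ends outside both hunks.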
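Review bot: The implicator is still registered as `id: 'user-can-grant-read-own-apps'`, but its matcher now also accepts `subdomains-of-user:`, and AppLimitedES joins that prefix with both `'read'` and `'write'`. Because the match is on the prefix alone, the checker decides which user uuid and which action end up implied, and its body continues outside this hunk. Please confirm it compares the uuid segment with the acting user and treats the action segment deliberately for subdomains as well as apps. A comment above the matcher listing the covered forms, e.g. `// matches <apps|subdomains>-of-user:<user-uuid>:<action>`, would make the scope of the grant readable, and an id that no longer says "read-own-apps" would help too, if nothing depends on the current one.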
diff --git a/src/backend/src/om/entitystorage/AppLimitedES.js b/src/backend/src/om/entitystorage/AppLimitedES.js index 771e5229..ff18507b 100644 --- a/src/backend/src/om/entitystorage/AppLimitedES.js +++ b/src/backend/src/om/entitystorage/AppLimitedES.js @@ -35,7 +35,7 @@ class AppLimitedES extends BaseES { app_under_user_check: if ( actor.type instanceof AppUnderUserActorType ) { const svc_permission = Context.get('services').get('permission'); - const perm = PermissionUtil.join('apps-of-user', actor.type.user.uuid, 'read'); + const perm = PermissionUtil.join(this.permission_prefix, actor.type.user.uuid, 'read'); const can_read_any = await svc_permission.check(actor, perm); if ( can_read_any ) break app_under_user_check; @@ -124,7 +124,7 @@ class AppLimitedES extends BaseES { // (in which case we return early) { const svc_permission = Context.get('services').get('permission'); - const perm = PermissionUtil.join('apps-of-user', actor.type.user.uuid, 'write'); + const perm = PermissionUtil.join(this.permission_prefix, actor.type.user.uuid, 'write'); const can_write_any = await svc_permission.check(actor, perm); if ( can_write_any ) return; }
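Review bot: `this.permission_prefix` is passed to `PermissionUtil.join(...)` without checking that it was configured, both in this `'read'` check and in the `'write'` check of the second hunk. If an AppLimitedES instance is built without the option (how options reach `this` is not visible in the hunk), the joined permission would begin with an undefined segment and the check would presumably never pass, which hides the misconfiguration instead of reporting it. A guard before the join, such as `if ( ! this.permission_prefix ) throw new Error('AppLimitedES: permission_prefix is required');`, would make it fail loudly. Both enclosing methods start and end outside the hunks.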