From f6e6e8dff829eb86a4bfa7129f01e4c0b18517db Mon Sep 17 00:00:00 2001 From: KernelDeimos Date: Sun, 6 Jul 2025 15:52:11 -0400 Subject: [PATCH] fix: shortcut KV permissions All users have access to KV, however the permission system is used because: 1. KV is a driver, and all drivers have access checks 2. The rate limit policy comes from the permission system This change uses support for implicit permission shortcuts to prevent any of the permission association tables from being read. It also hard-codes the policy so that KV's rate-limit policy is not read from the policy.json file. --- src/backend/src/CoreModule.js | 3 ++ .../auth/PermissionShortcutService.js | 30 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 src/backend/src/services/auth/PermissionShortcutService.js diff --git a/src/backend/src/CoreModule.js b/src/backend/src/CoreModule.js index 06238c6e..c9e16441 100644 --- a/src/backend/src/CoreModule.js +++ b/src/backend/src/CoreModule.js @@ -394,6 +394,9 @@ const install = async ({ services, app, useapi, modapi }) => { const { WorkerService } = require('./services/worker/WorkerService'); services.registerService("worker-service", WorkerService) + + const { PermissionShortcutService } = require('./services/auth/PermissionShortcutService'); + services.registerService('permission-shortcut', PermissionShortcutService); } const install_legacy = async ({ services }) => { diff --git a/src/backend/src/services/auth/PermissionShortcutService.js b/src/backend/src/services/auth/PermissionShortcutService.js new file mode 100644 index 00000000..3b6ac744 --- /dev/null +++ b/src/backend/src/services/auth/PermissionShortcutService.js 
@@ -0,0 +1,30 @@
+const BaseService = require("../BaseService");
+const { PermissionImplicator } = require("./PermissionService");
+
+class PermissionShortcutService extends BaseService {
+ _init () {
+ const svc_permission = this.services.get('permission');
+
+ svc_permission.register_implicator(PermissionImplicator.create({
+ id: 'kv permissions are easy',
+ shortcut: true,
+ matcher: permission => {
+ return permission === 'service:puter-kvstore:ii:puter-kvstore';
+ },
+ checker: async ({ actor }) => {
+ return {
+ policy: {
+ "rate-limit": {
+ max: 3000,
+ period: 30000,
+ }
+ }
+ };
+ }
+ }));
+ }
+}
+
+module.exports = {
+ PermissionShortcutService,
+};
\ No newline at end of file
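Review bot: The `checker` destructures `actor` but never reads it, so this shortcut returns the KV policy for every actor that reaches it, not only the user actors the commit message describes. If app, access-token or other non-user actors are meant to be covered too, drop the unused parameter and state it in a comment such as `// Intentionally unconditional: every actor gets KV access with this fixed rate limit`; if they are not, the checker should test the actor's type and return nothing for the rest, assuming the implicator then falls through to the normal permission scan. Since the commit message says the shortcut keeps the permission association tables from being read, any existing per-actor grant that carries a different `rate-limit` for this permission would presumably stop taking effect, which is worth confirming against current data before merging. `max: 3000` and `period: 30000` also have no unit or rationale next to them; a one-line comment giving the unit of `period` and why these values were chosen over the ones in policy.json would help the next reader.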