fix: expand proposal reader access #1521

Merged
jekabs-karklins merged 28 commits into develop from SWAP-5559-expand-proposal-reader-access
May 28, 2026

@jekabs-karklins jekabs-karklins commented May 18, 2026

Description

This PR introduces expanded access for proposal readers by changing the role field permissions of type string[] to config of type JSONB.

Motivation and Context

The change is required to provide a more granular access control and increase the capabilities of proposal readers and any derived role in general. With this change we address a specific request to toggle proposal reader permissions to allow reading:

  • FAP related information
  • Technical review related information
  • Logs
  • Administration data (read only).

Changes

  1. Introduced a new database patch to change the role permissions to JSONB and set different access levels for the proposal reader role.
  2. Updated Authorizers
  3. We keep config as unknown type in the database layer, but once we convert the database record to a Role object, we use a TypeScript discriminator to enforce that the type of config for the USER role is different from the type of config for the PROPOSAL_READER role
  4. The types are also reflected in the GraphQL layer, and union types are used for configs where applicable

Demo

In this demo

  • new role is created and configured
  • new role is assigned
  • tags are assigned to role and to the call
  • user logs in and verifies that it can see the expected tabs
  • role configuration is altered by removing some permissions and adding others
  • user logs in again to check that the changes have taken effect

Video link

Kooha-2026-05-18-16-32-44.webm

How Has This Been Tested?

Added unit tests and e2e tests to cover the changes

Fixes Jira Issue

https://jira.ess.eu//browse/SWAP-5559

Tests included/Docs Updated?

  • I have added tests to cover my changes.

jekabskarklins and others added 18 commits May 12, 2026 18:20
…nt logs, and technical reviews while restricting admin UI elements
…for technical review, FAP, admin, and logs

Co-authored-by: Copilot <copilot@github.com>
…aders and update review content to integrate it

Co-authored-by: Copilot <copilot@github.com>
@jekabs-karklins jekabs-karklins changed the title Swap 5559 expand proposal reader access fix: expand proposal reader access May 18, 2026
@jekabs-karklins jekabs-karklins requested a review from Copilot May 18, 2026 14:15

Copilot AI left a comment

Pull request overview

This PR expands proposal-reader capabilities by replacing role permissions with structured role config and using those flags to control proposal-related access in the backend and frontend.

Changes:

  • Replaces role permissions with JSONB config and adds GraphQL role config types/inputs.
  • Adds proposal-reader config flags for FAP, technical review, admin, and log access.
  • Updates frontend role management, proposal modal tabs, read-only admin display, and related tests.

Reviewed changes

Copilot reviewed 43 out of 44 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| apps/frontend/src/graphql/user/getUserWithRoles.graphql | Fetches role config instead of permissions. |
| apps/frontend/src/graphql/user/getRoles.graphql | Fetches role config and tags. |
| apps/frontend/src/graphql/user/getMyRoles.graphql | Fetches role config for current user roles. |
| apps/frontend/src/graphql/admin/fragment.roleConfig.graphql | Adds union fragment for role config. |
| apps/frontend/src/graphql/admin/fragment.role.graphql | Updates role fragment to include config. |
| apps/frontend/src/components/review/ProposalReviewContent.tsx | Adds proposal-reader access to review/admin/log tab content. |
| apps/frontend/src/components/proposal/ProposalTableOfficer.tsx | Uses proposal-reader config to determine modal tabs. |
| apps/frontend/src/components/proposal/ProposalAdminReadOnly.tsx | Adds read-only administration display. |
| apps/frontend/src/components/admin/UserRoleConfigForm.tsx | Adds user role config form. |
| apps/frontend/src/components/admin/RoleModal.tsx | Updates role creation/editing to submit config. |
| apps/frontend/src/components/admin/RoleManagement.tsx | Uses role config in role table/modal mapping. |
| apps/frontend/src/components/admin/ProposalReaderRoleConfigForm.tsx | Adds proposal-reader config checkbox form. |
| apps/e2e/cypress/types/tag.d.ts | Adds Cypress command typings for tag helpers. |
| apps/e2e/cypress/support/tag.ts | Adds Cypress tag helper commands. |
| apps/e2e/cypress/e2e/roleManagement.cy.ts | Adds role config E2E coverage. |
| apps/backend/src/resolvers/types/Role.ts | Adds GraphQL role config union and resolver. |
| apps/backend/src/resolvers/types/Proposal.ts | Routes proposal FAP resolution through query authorization. |
| apps/backend/src/resolvers/types/AuthJwtPayload.ts | Removes model interface implementation. |
| apps/backend/src/resolvers/mutations/UpdateRoleMutation.ts | Replaces permissions input with config input. |
| apps/backend/src/resolvers/mutations/RoleConfigInput.ts | Adds role config GraphQL inputs. |
| apps/backend/src/resolvers/mutations/CreateRoleMutation.ts | Replaces permissions input with config input. |
| apps/backend/src/queries/ReviewQueries.ts | Allows proposal readers with FAP access to read proposal reviews. |
| apps/backend/src/queries/ReviewQueries.spec.ts | Adds proposal-reader FAP access tests. |
| apps/backend/src/queries/ProposalQueries.ts | Adjusts field redaction for proposal readers. |
| apps/backend/src/queries/FapQueries.ts | Adds proposal-reader FAP config check. |
| apps/backend/src/queries/FapQueries.spec.ts | Adds FAP config tests. |
| apps/backend/src/queries/EventLogQueries.ts | Adds proposal-reader log config check. |
| apps/backend/src/queries/EventLogQueries.spec.ts | Adds event-log config tests. |
| apps/backend/src/mutations/RoleMutations.spec.ts | Updates role mutation tests for config. |
| apps/backend/src/models/Role.ts | Replaces role class/permissions with typed config model. |
| apps/backend/src/decorators/Authorized.ts | Removes dynamic method-permission handling. |
| apps/backend/src/datasources/stfc/StfcUserDataSource.spec.ts | Updates role test fixtures. |
| apps/backend/src/datasources/postgres/UserDataSource.ts | Maps role records through config-based role factory. |
| apps/backend/src/datasources/postgres/RoleDataSource.ts | Persists role config JSONB. |
| apps/backend/src/datasources/postgres/records.ts | Updates role record mapping for config. |
| apps/backend/src/datasources/mockups/UserDataSource.ts | Updates mock roles and proposal-reader config fixtures. |
| apps/backend/src/datasources/mockups/RoleDataSource.ts | Updates mock role datasource for config. |
| apps/backend/src/datasources/mockups/FapDataSource.ts | Updates mock role shape. |
| apps/backend/src/auth/UserAuthorization.ts | Adds proposal-reader role helper. |
| apps/backend/src/auth/TechnicalReviewAuthorization.ts | Adds proposal-reader technical-review read check. |
| apps/backend/src/auth/ReviewAuthorization.ts | Adds proposal-reader FAP review read check. |
| apps/backend/src/auth/ProposalAuthorization.ts | Import cleanup. |
| apps/backend/src/auth/ProposalAuthorization.spec.ts | Updates fixtures for config. |
| apps/backend/db_patches/0210_ChangeRolePermissionsToJsonb.sql | Adds DB patch replacing permissions with config. |
Comments suppressed due to low confidence (3)

apps/frontend/src/components/proposal/ProposalTableOfficer.tsx:372

  • This has the same selected-role mismatch as the technical-review check: it picks the first role with the proposal_reader short code rather than the active currentRoleId, so FAP tab visibility can be based on another proposal-reader role's config.

apps/frontend/src/components/proposal/ProposalTableOfficer.tsx:388

  • This lookup can use the config from a different proposal-reader role than the one currently selected, because it matches only on short code. Admin tab visibility should be based on the active role id/config to avoid showing or hiding this tab incorrectly.

apps/frontend/src/components/proposal/ProposalTableOfficer.tsx:406

  • This lookup can use the log-access setting from a different proposal-reader role than the active one. Use the selected role's id/config instead of the first matching short code so users with multiple proposal-reader roles get the correct Logs tab visibility.

Comment thread apps/backend/src/queries/ProposalQueries.ts
Comment thread apps/backend/src/queries/EventLogQueries.ts
Comment thread apps/frontend/src/components/admin/RoleModal.tsx
Comment thread apps/frontend/src/components/proposal/ProposalTableOfficer.tsx Outdated
Comment thread apps/e2e/cypress/e2e/roleManagement.cy.ts
Comment thread apps/backend/src/resolvers/mutations/CreateRoleMutation.ts Outdated
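
The typed-config conversion from the PR description and the active-role lookup that the suppressed review comments ask for, shown as an added TypeScript example that is not the project's code. The flag names, record fields and sample rows are hypothetical.

```typescript
// Added example with hypothetical names; not the project's code.
const FLAGS = ['canReadFap', 'canReadTechnicalReview', 'canReadAdmin', 'canReadLogs'] as const;
type Flag = (typeof FLAGS)[number];
type ProposalReaderConfig = Record<Flag, boolean>;

interface RoleRecord { role_id: number; short_code: string; config: unknown } // JSONB stays unknown at the DB layer

// Discriminated union: shortCode decides which config shape a Role carries.
type Role =
  | { id: number; shortCode: 'proposal_reader'; config: ProposalReaderConfig }
  | { id: number; shortCode: 'user'; config: Record<string, never> };

// Default deny: only a literal `true` in the stored JSON grants a flag.
function parseReaderConfig(raw: unknown): ProposalReaderConfig {
  const src = (typeof raw === 'object' && raw !== null ? raw : {}) as Record<string, unknown>;
  const out = {} as ProposalReaderConfig;
  for (const f of FLAGS) out[f] = src[f] === true;
  return out;
}

function toRole(rec: RoleRecord): Role | null {
  switch (rec.short_code) {
    case 'proposal_reader':
      return { id: rec.role_id, shortCode: 'proposal_reader', config: parseReaderConfig(rec.config) };
    case 'user':
      return { id: rec.role_id, shortCode: 'user', config: {} };
    default:
      return null; // roles without a typed config are outside this example
  }
}

// Lookup pattern the review flags: first role with the short code, whichever role is active.
function canReadFirstMatch(roles: Role[], flag: Flag): boolean {
  for (const r of roles) if (r.shortCode === 'proposal_reader') return r.config[flag];
  return false;
}

// Corrected lookup: decide from the role the user is currently acting as.
function canRead(roles: Role[], currentRoleId: number, flag: Flag): boolean {
  const active = roles.find((r) => r.id === currentRoleId);
  if (!active || active.shortCode !== 'proposal_reader') return false;
  return active.config[flag];
}

// Constructed rows: one user holds two proposal-reader roles with different configs.
const rows: RoleRecord[] = [
  { role_id: 7, short_code: 'proposal_reader', config: { canReadFap: true, canReadLogs: 'yes' } },
  { role_id: 9, short_code: 'proposal_reader', config: { canReadLogs: true } },
];
const sampleRoles = rows.map(toRole).filter((r): r is Role => r !== null);
```

With role 9 active, the first-match lookup still reports FAP access because it reads role 7's config; the same check belongs in the backend authorizers, since tab visibility alone does not restrict the data.
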
@jekabs-karklins jekabs-karklins marked this pull request as ready for review May 20, 2026 08:26
@jekabs-karklins jekabs-karklins requested a review from a team as a code owner May 20, 2026 08:26
@jekabs-karklins jekabs-karklins removed the request for review from a team May 20, 2026 08:26

@simonfernandes simonfernandes left a comment

Looks good 👍

onClose();
};

const hasConfig = shortCode === 'user' || shortCode === 'proposal_reader';
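
Review bot: On the `hasConfig` line, the roles that carry a config are matched as two inline string literals, so a misspelled or newly added short code evaluates to `false` and the config form is skipped without any error. Compare against shared short-code constants, or a single list of configurable roles, so this check cannot drift from the role config types.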

suggestion: Constants could be used here

Contributor Author

done

Comment thread apps/backend/src/models/Role.ts
Comment thread apps/backend/src/decorators/Authorized.ts
@jekabs-karklins jekabs-karklins enabled auto-merge (squash) May 28, 2026 11:48
@jekabs-karklins jekabs-karklins merged commit fd2ca7c into develop May 28, 2026
22 checks passed
@jekabs-karklins jekabs-karklins deleted the SWAP-5559-expand-proposal-reader-access branch May 28, 2026 12:17