feat(push_notification): implement user-owned device query and permission

fulleni · fulleni · commit 8e0b50417cf2 · 2025-11-22T07:11:59.000+01:00
- Add push_notification_device readAll operation to DataOperationRegistry
- Update ModelActionPermission for collection and item GET for push_notification_device
- Allow authenticated users to fetch their own notification devices
- Implement ownership check for specific device retrieval
diff --git a/lib/src/registry/data_operation_registry.dart b/lib/src/registry/data_operation_registry.dart
@@ -184,6 +184,13 @@ class DataOperationRegistry {
             sort: s,
             pagination: p,
           ),
+      'push_notification_device': (c, uid, f, s, p) =>
+          c.read<DataRepository<PushNotificationDevice>>().readAll(
+                userId: uid,
+                filter: f,
+                sort: s,
+                pagination: p,
+              ),
     });
 
     // --- Register Item Creators ---
diff --git a/lib/src/registry/model_registry.dart b/lib/src/registry/model_registry.dart
@@ -429,12 +429,19 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
     fromJson: PushNotificationDevice.fromJson,
     getId: (d) => d.id,
     getOwnerId: (dynamic item) => (item as PushNotificationDevice).userId,
+    // Collection GET is allowed for a user to fetch their own notification devices.
+    // The generic route handler will automatically scope the query to the
+    // authenticated user's ID because `getOwnerId` is defined.
     getCollectionPermission: const ModelActionPermission(
-      type: RequiredPermissionType.unsupported,
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.pushNotificationDeviceReadOwned,
     ),
-    // Required by the ownership check middelware
+    // Item GET is allowed for a user to fetch a single one of their devices.
+    // The ownership check middleware will verify they own this specific item.
     getItemPermission: const ModelActionPermission(
-      type: RequiredPermissionType.adminOnly,
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.pushNotificationDeviceReadOwned,
+      requiresOwnershipCheck: true,
     ),
     // POST is allowed for any authenticated user to register their own device.
     // A custom check within the DataOperationRegistry's creator function will
