boss/src/lib/boss-attachment-access.ts

import type { AuthSession, BossState, Project } from "@/lib/boss-data";

function getAccountOwnedDeviceIds(state: BossState, account: string) {
  return new Set(
    state.devices
      .filter((device) => device.account === account)
      .map((device) => device.id),
  );
}

export function canSessionAccessAttachmentProject(
  state: BossState,
  session: Pick<AuthSession, "account" | "role">,
  project: Pick<Project, "deviceIds" | "groupMembers">,
) {
  if (session.role === "highest_admin") {
    return true;
  }

  const ownedDeviceIds = getAccountOwnedDeviceIds(state, session.account);
  if (ownedDeviceIds.size === 0) {
    return false;
  }

  for (const deviceId of project.deviceIds) {
    if (ownedDeviceIds.has(deviceId)) {
      return true;
    }
  }

  for (const member of project.groupMembers) {
    if (ownedDeviceIds.has(member.deviceId)) {
      return true;
    }
  }

  return false;
}