MCP: bloquear escritura de records por accessList del usuario

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

mcp-server/tools/helpers/accessControl.js

@@ -0,0 +1,38 @@
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * Check if the current user has write access to a table.
+ * Reads .acai file from ACAI_PROJECT_DIR.
+ * Returns { allowed: true } or { allowed: false, error: "..." }
+ */
+export function canAccessTable(tableName) {
+    const projectDir = process.env.ACAI_PROJECT_DIR || "";
+    if (!projectDir) return { allowed: true }; // no project dir, don't block
+
+    const acaiFile = path.join(projectDir, ".acai");
+    try {
+        if (!fs.existsSync(acaiFile)) return { allowed: true };
+        const data = JSON.parse(fs.readFileSync(acaiFile, "utf-8"));
+        const user = data.user || {};
+
+        // Admin has full access
+        if (user.isAdmin === "1" || user.isAdmin === 1) return { allowed: true };
+
+        const accessList = user.accessList || {};
+        if (!accessList || Object.keys(accessList).length === 0) return { allowed: true };
+
+        // all.accessLevel >= 9 means full access
+        const allAccess = parseInt(accessList.all?.accessLevel || "0");
+        if (allAccess >= 9) return { allowed: true };
+
+        // Check specific table (without cms_ prefix)
+        const bare = tableName.replace(/^cms_/, "");
+        const entry = accessList[bare];
+        if (entry && parseInt(entry.accessLevel || "0") > 0) return { allowed: true };
+
+        return { allowed: false, error: `No tienes acceso a la tabla '${bare}'` };
+    } catch (e) {
+        return { allowed: true }; // On error, don't block
+    }
+}