2 files changed, 29 insertions, 0 deletions

diff --git a/src/lib/Utility/authorisation.test.ts b/src/lib/Utility/authorisation.test.ts
new file mode 100644
index 00000000..0027782b
--- /dev/null
+++ b/src/lib/Utility/authorisation.test.ts
@@ -0,0 +1,20 @@
+import { describe, expect, it } from "vitest";
+import { isOwnerOrPrivileged } from "./authorisation";
+
+describe("isOwnerOrPrivileged", () => {
+	it("allows the owner to act on their own resources", () => {
+		expect(isOwnerOrPrivileged(7, 7, false)).toBe(true);
+	});
+
+	it("allows a privileged user to act on anyone", () => {
+		expect(isOwnerOrPrivileged(7, 999, true)).toBe(true);
+	});
+
+	it("blocks a non-privileged user acting on someone else (the IDOR case)", () => {
+		expect(isOwnerOrPrivileged(7, 999, false)).toBe(false);
+	});
+
+	it("allows a privileged owner (both conditions)", () => {
+		expect(isOwnerOrPrivileged(7, 7, true)).toBe(true);
+	});
+});
diff --git a/src/lib/Utility/authorisation.ts b/src/lib/Utility/authorisation.ts
new file mode 100644
index 00000000..c6b64414
--- /dev/null
+++ b/src/lib/Utility/authorisation.ts
@@ -0,0 +1,9 @@
+/**
+ * Whether a caller may act on resources belonging to `targetUserId`: either the
+ * caller owns them, or the caller is a privileged (allow-listed) user.
+ */
+export const isOwnerOrPrivileged = (
+	callerUserId: number,
+	targetUserId: number,
+	privileged: boolean,
+) => privileged || callerUserId === targetUserId;