npm - @axium/server - Versions diffs - 0.36.6 → 0.37.1 - Mend

@axium/server 0.36.6 → 0.37.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/acl.d.ts +1 -0
package/dist/acl.js +1 -1
package/dist/auth.d.ts +2 -2
package/dist/auth.js +30 -9
package/dist/database.d.ts +11 -507
package/dist/database.js +8 -557
package/dist/db/connection.d.ts +5 -0
package/dist/db/connection.js +18 -0
package/dist/db/data.d.ts +119 -0
package/dist/db/data.js +113 -0
package/dist/db/delta.d.ts +147 -0
package/dist/db/delta.js +390 -0
package/dist/db/schema.d.ts +268 -0
package/dist/db/schema.js +169 -0
package/dist/{db.json → db/schema.json} +5 -3
package/dist/main.js +37 -23
package/package.json +2 -2
package/routes/admin/users/+page.svelte +1 -1
package/schemas/db.json +48 -13

package/dist/acl.d.ts CHANGED Viewed

@@ -19,6 +19,7 @@ export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Sch
 export type Result<TB extends TableName> = AccessControlInternal & PermissionsFor<TB>;
 export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> & {
     userId: string;
+    parentId?: string | null;
     acl: Result<`acl.${TB}`>[];
 };
 export interface ACLSelectionOptions {

package/dist/acl.js CHANGED Viewed

@@ -77,7 +77,7 @@ export function check(acl, permissions) {
 }
 export function listTables() {
     const tables = {};
-    for (const [, file] of db.getSchemaFiles()) {
+    for (const [, file] of db.schema.getFiles()) {
         Object.assign(tables, file.acl_tables || {});
     }
     return tables;

package/dist/auth.d.ts CHANGED Viewed

@@ -41,9 +41,9 @@ export interface ItemAuthResult<TB extends acl.TargetName> {
     user?: UserInternal;
     session?: SessionInternal;
 }
-export declare function authSessionForItem<const TB extends acl.TargetName>(itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>, session?: SessionAndUser | null): Promise<ItemAuthResult<TB>>;
+export declare function authSessionForItem<const TB extends acl.TargetName>(itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>, session?: SessionAndUser | null, recursive?: boolean): Promise<ItemAuthResult<TB>>;
 /**
  * Authenticate a request against an "item" which has an ACL table.
  * This will fetch the item, ACLs, users, and the authenticating session.
  */
-export declare function authRequestForItem<const TB extends acl.TargetName>(request: Request, itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>): Promise<ItemAuthResult<TB>>;
+export declare function authRequestForItem<const TB extends acl.TargetName>(request: Request, itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>, recursive?: boolean): Promise<ItemAuthResult<TB>>;

package/dist/auth.js CHANGED Viewed

@@ -110,7 +110,7 @@ export async function checkAuthForUser(request, userId, sensitive = false) {
         error(403, 'This token can not be used for sensitive actions');
     return Object.assign(session, { accessor: session.user });
 }
-export async function authSessionForItem(itemType, itemId, permissions, session) {
+export async function authSessionForItem(itemType, itemId, permissions, session, recursive = false) {
     const { userId, user } = session ?? {};
     // Note: we need to do casting because of TS limitations with generics
     const item = (await db
@@ -137,21 +137,42 @@ export async function authSessionForItem(itemType, itemId, permissions, session)
     if (userId == item.userId)
         return result;
     result.fromACL = true;
-    if (!item.acl || !item.acl.length)
-        error(403, 'Item is not shared with you');
-    const missing = Array.from(acl.check(item.acl, permissions));
-    if (missing.length)
-        error(403, 'Missing permissions: ' + missing.join(', '));
-    return result;
+    let current = item;
+    for (let i = 0; i < 25; i++) {
+        try {
+            if (!current.acl || !current.acl.length)
+                error(403, 'Item is not shared with you');
+            const missing = Array.from(acl.check(current.acl, permissions));
+            if (missing.length)
+                error(403, 'Missing permissions: ' + missing.join(', '));
+            return result;
+        }
+        catch (e) {
+            if (!current.parentId || !recursive)
+                throw e;
+            current = (await db
+                .selectFrom(itemType)
+                .selectAll()
+                .where('id', '=', current.parentId)
+                .$if(!!userId, eb => eb.select(acl.from(itemType, { user })))
+                .executeTakeFirstOrThrow()
+                .catch(e => {
+                if (e.message.includes('no rows'))
+                    error(404, itemType + ' not found');
+                throw e;
+            }));
+        }
+    }
+    error(403, 'You do not have permissions for any of the last 25 parent items');
 }
 /**
  * Authenticate a request against an "item" which has an ACL table.
  * This will fetch the item, ACLs, users, and the authenticating session.
  */
-export async function authRequestForItem(request, itemType, itemId, permissions) {
+export async function authRequestForItem(request, itemType, itemId, permissions, recursive = false) {
     const token = getToken(request, false);
     if (!token)
         error(401, 'Missing token');
     const session = await getSessionAndUser(token).catch(() => null);
-    return await authSessionForItem(itemType, itemId, permissions, session);
+    return await authSessionForItem(itemType, itemId, permissions, session, recursive);
 }