@axium/server 0.38.3 → 0.39.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/acl.d.ts +7 -8
- package/dist/acl.js +8 -2
- package/dist/auth.js +7 -6
- package/package.json +1 -1
package/dist/acl.d.ts
CHANGED
|
@@ -16,23 +16,22 @@ type _TargetNames = keyof db.Schema & keyof {
|
|
|
16
16
|
*/
|
|
17
17
|
export type TableName = _TableNames extends never ? keyof db.Schema : _TableNames;
|
|
18
18
|
export type TargetName = _TargetNames extends never ? keyof db.Schema : _TargetNames;
|
|
19
|
-
export
|
|
20
|
-
|
|
21
|
-
export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControlInternal | number | symbol>;
|
|
22
|
-
export type Result<TB extends TableName> = AccessControlInternal & PermissionsFor<TB>;
|
|
19
|
+
export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControl | number | symbol>;
|
|
20
|
+
export type Result<TB extends TableName> = AccessControl & PermissionsFor<TB>;
|
|
23
21
|
export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> & {
|
|
24
22
|
userId: string;
|
|
25
23
|
parentId?: string | null;
|
|
26
24
|
acl: Result<`acl.${TB}`>[];
|
|
27
25
|
};
|
|
26
|
+
/** Match ACL entries, optionally selecting for a given user-like object */
|
|
27
|
+
export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
|
|
28
|
+
export declare function controlMatchesUser(control: AccessControl, user: Pick<UserInternal, 'id' | 'roles' | 'tags'>): boolean | "" | null | undefined;
|
|
28
29
|
export interface ACLSelectionOptions {
|
|
29
|
-
/** If specified, filters by user UUID */
|
|
30
|
-
user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
|
|
31
30
|
/** Instead of using the `id` from `table`, use the `id` from this instead */
|
|
32
31
|
alias?: string;
|
|
32
|
+
/** If set, only ACLs that match the provided info will be selected. */
|
|
33
|
+
filterByUser?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
|
|
33
34
|
}
|
|
34
|
-
/** Match ACL entries, optionally selecting for a given user-like object */
|
|
35
|
-
export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
|
|
36
35
|
/**
|
|
37
36
|
* Helper to select all access controls for a given table, including the user information.
|
|
38
37
|
* Optionally filter for the entries applicable to a specific user.
|
package/dist/acl.js
CHANGED
|
@@ -15,6 +15,12 @@ export function match(user) {
|
|
|
15
15
|
return eb.or(ors);
|
|
16
16
|
};
|
|
17
17
|
}
|
|
18
|
+
export function controlMatchesUser(control, user) {
|
|
19
|
+
return ((!control.role && !control.tag && !control.userId) ||
|
|
20
|
+
control.userId === user.id ||
|
|
21
|
+
(control.role && user.roles.includes(control.role)) ||
|
|
22
|
+
(control.tag && user.tags.includes(control.tag)));
|
|
23
|
+
}
|
|
18
24
|
/**
|
|
19
25
|
* Helper to select all access controls for a given table, including the user information.
|
|
20
26
|
* Optionally filter for the entries applicable to a specific user.
|
|
@@ -24,9 +30,9 @@ export function from(table, opt = {}) {
|
|
|
24
30
|
return (eb) => jsonArrayFrom(eb
|
|
25
31
|
.selectFrom(`acl.${table} as _acl`)
|
|
26
32
|
.selectAll()
|
|
27
|
-
|
|
33
|
+
.select(db.userFromId)
|
|
28
34
|
.whereRef('_acl.itemId', '=', `${opt.alias || table}.id`)
|
|
29
|
-
.where(match(opt.
|
|
35
|
+
.$if(!!opt.filterByUser, qb => qb.where(match(opt.filterByUser))))
|
|
30
36
|
.$castTo()
|
|
31
37
|
.as('acl');
|
|
32
38
|
}
|
package/dist/auth.js
CHANGED
|
@@ -118,7 +118,7 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
118
118
|
.selectFrom(itemType)
|
|
119
119
|
.selectAll()
|
|
120
120
|
.where('id', '=', itemId)
|
|
121
|
-
.select(acl.from(itemType
|
|
121
|
+
.select(acl.from(itemType))
|
|
122
122
|
.executeTakeFirstOrThrow()
|
|
123
123
|
.catch(e => {
|
|
124
124
|
if (e.message.includes('no rows'))
|
|
@@ -138,18 +138,18 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
138
138
|
if (userId == item.userId)
|
|
139
139
|
return result;
|
|
140
140
|
result.fromACL = true;
|
|
141
|
-
const
|
|
141
|
+
const controls = recursive
|
|
142
142
|
? await db
|
|
143
143
|
.withRecursive('parents', qc => qc.selectFrom(itemType)
|
|
144
144
|
.select(['id', 'parentId'])
|
|
145
145
|
.$castTo()
|
|
146
|
-
.select(acl.from(itemType
|
|
146
|
+
.select(acl.from(itemType))
|
|
147
147
|
.select(eb => eb.lit(0).as('depth'))
|
|
148
148
|
.where('id', '=', itemId)
|
|
149
149
|
.unionAll(qc.selectFrom(`${itemType} as item`)
|
|
150
150
|
.select(['item.id', 'item.parentId'])
|
|
151
151
|
.innerJoin('parents as p', 'item.id', 'p.parentId')
|
|
152
|
-
.select(acl.from(itemType, {
|
|
152
|
+
.select(acl.from(itemType, { alias: 'item', filterByUser: user }))
|
|
153
153
|
.select(eb => eb(eb.ref('p.depth'), '+', eb.lit(1)).as('depth'))))
|
|
154
154
|
.selectFrom('parents')
|
|
155
155
|
.select('acl')
|
|
@@ -166,9 +166,10 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
166
166
|
}
|
|
167
167
|
})
|
|
168
168
|
: item.acl;
|
|
169
|
-
|
|
169
|
+
const matching = controls.filter(c => acl.controlMatchesUser(c, user));
|
|
170
|
+
if (!matching.length)
|
|
170
171
|
error(403, 'Item is not shared with you');
|
|
171
|
-
const missing = Array.from(acl.check(
|
|
172
|
+
const missing = Array.from(acl.check(matching, permissions));
|
|
172
173
|
if (missing.length)
|
|
173
174
|
error(403, 'Missing permissions: ' + missing.join(', '));
|
|
174
175
|
return result;
|