npm - @boarteam/boar-pack-users-backend - Versions diffs - 6.7.0 → 6.8.0 - Mend

@boarteam/boar-pack-users-backend 6.7.0 → 6.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +3 -3
package/src/casl/fields-permission.interceptor.ts +58 -0
package/src/users/users.controller.ts +8 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boarteam/boar-pack-users-backend",
-  "version": "6.7.0",
+  "version": "6.8.0",
   "description": "NestJS Users module including permissions system, authentication strategies etc",
   "main": "src/index",
   "files": [
@@ -14,7 +14,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@boarteam/boar-pack-common-backend": "^3.1.0",
+    "@boarteam/boar-pack-common-backend": "^3.1.1",
     "@casl/ability": "^6.7.3",
     "@dataui/crud": "^5.3.4",
     "@dataui/crud-typeorm": "^5.3.4",
@@ -64,5 +64,5 @@
     "yalc:push": "yalc push",
     "gen-types": "SWAGGER=true JWT_SECRET=swagger nest start"
   },
-  "gitHead": "a701f41e1d4c51394193a5bb7877e037cb8fab89"
+  "gitHead": "04d19f79a5bb2e27afcf0496e31ed7c5b990fdd7"
 }

package/src/casl/fields-permission.interceptor.ts ADDED Viewed

@@ -0,0 +1,58 @@
+// fields-permission.interceptor.ts
+import { CallHandler, ExecutionContext, ForbiddenException, Injectable, NestInterceptor, } from '@nestjs/common';
+import { permittedFieldsOf } from '@casl/ability/extra';
+import { Observable } from 'rxjs';
+import { Request } from 'express';
+import { Action } from "./action.enum";
+import { Subjects } from "./casl-ability.factory";
+import { PARSED_CRUD_REQUEST_KEY } from "@dataui/crud/lib/constants";
+type Fields = string[] | undefined;
+@Injectable()
+export class FieldsPermissionInterceptor implements NestInterceptor {
+  constructor(
+    private readonly subject: Subjects,
+    private readonly action: Action,
+  ) {
+  }
+  private anyField = '*';
+  intercept(ctx: ExecutionContext, next: CallHandler): Observable<any> {
+    const req = ctx.switchToHttp().getRequest<Request>();
+    const ability = req.user?.ability;
+    if (!ability) {
+      throw new ForbiddenException('No ability found on user');
+    }
+    const permitted = permittedFieldsOf(ability, this.action, this.subject, {
+      // how to read fields from each rule
+      fieldsFrom: (rule) => rule.fields || [this.anyField],
+    }) as string[];
+    if (permitted.includes(this.anyField)) {
+      // all fields are permitted
+      return next.handle();
+    }
+    // @ts-ignore
+    const crudReq = req[PARSED_CRUD_REQUEST_KEY];
+    const requested = (crudReq?.parsed?.fields as Fields) ?? [];
+    const finalFields =
+      (requested && requested.length > 0)
+        ? requested.filter((f) => permitted.includes(f))
+        : permitted;
+    if (!finalFields || finalFields.length === 0) {
+      throw new ForbiddenException('No readable fields for this resource');
+    }
+    // enforce selection for Nestjsx/CRUD + TypeORM
+    //    This makes CRUD build QB with SELECT only these columns.
+    if (!crudReq.parsed) crudReq.parsed = {} as any;
+    (crudReq.parsed as any).fields = finalFields;
+    return next.handle();
+  }
+}

package/src/users/users.controller.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { Controller, UseFilters, UseGuards } from '@nestjs/common';
 import { UsersService } from './users.service';
 import { Crud } from '@dataui/crud';
 import { User } from './entities/user.entity';
-import { CheckPolicies, ManageAllPolicy } from '../casl';
+import { Action, CheckPolicies } from '../casl';
 import { UserCreateDto } from './dto/user-create.dto';
 import { ApiExtraModels, ApiTags } from '@nestjs/swagger';
 import { UserUpdateDto } from "./dto/user-update.dto";
@@ -12,6 +12,7 @@ import { UsersEditingGuard } from "./users-editing.guard";
 import { ViewUsersPolicy } from "./policies/view-users.policy";
 import { Tools } from "@boarteam/boar-pack-common-backend";
 import { ManageUsersPolicy } from "./policies/manage-users.policy";
+import { FieldsPermissionInterceptor } from "../casl/fields-permission.interceptor";
 @Crud({
   model: {
@@ -35,11 +36,17 @@ import { ManageUsersPolicy } from "./policies/manage-users.policy";
       decorators: [
         CheckPolicies(new ViewUsersPolicy()),
       ],
+      interceptors: [
+        new FieldsPermissionInterceptor(User, Action.Read),
+      ],
     },
     getOneBase: {
       decorators: [
         CheckPolicies(new ViewUsersPolicy()),
       ],
+      interceptors: [
+        new FieldsPermissionInterceptor(User, Action.Read),
+      ],
     },
     createOneBase: {
       interceptors: [