@forestadmin/agent 1.66.0 → 1.66.1

package/dist/agent/services/chart.d.ts

@@ -0,0 +1,102 @@
+import { Collection, ConditionTree } from '@forestadmin/datasource-toolkit';
+import { Context } from 'koa';
+
+import { AgentOptionsWithDefaults } from '../types';
+
+declare type RolesOptions = Pick<
+  AgentOptionsWithDefaults,
+  'forestServerUrl' | 'envSecret' | 'isProduction' | 'permissionsCacheDurationInSeconds'
+>;
+export interface FilterCondition {
+  value: boolean | number | string | string[];
+  fieldName: string | null;
+  subFieldName: string | null;
+  embeddedFieldName?: string | null;
+  operator: string;
+}
+export interface Filter {
+  type: 'and' | 'or';
+  conditions: FilterCondition[] | null;
+}
+export declare enum ChartType {
+  Pie = 'Pie',
+  Value = 'Value',
+  Leaderboard = 'Leaderboard',
+  Line = 'Line',
+  Objective = 'Objective',
+  Percentage = 'Percentage',
+}
+export interface BaseChart {
+  id: string;
+  type: ChartType;
+}
+export interface ApiRouteChart extends BaseChart {
+  type: ChartType;
+  apiRoute: string;
+}
+export interface QueryChart extends BaseChart {
+  type: ChartType;
+  query: string;
+  filter?: Record<string, any>;
+}
+export interface LeaderboardChart extends BaseChart {
+  type: ChartType.Leaderboard;
+  sourceCollectionName: string | number;
+  labelFieldName: string;
+  relationshipFieldName: string;
+  aggregateFieldName: string | null;
+  aggregator: 'Sum' | 'Count';
+  limit: number;
+}
+export interface LineChart extends BaseChart {
+  type: ChartType.Line;
+  sourceCollectionName: string | number;
+  groupByFieldName: string;
+  aggregateFieldName: string | null;
+  aggregator: 'Sum' | 'Count';
+  timeRange: 'Day' | 'Week' | 'Month' | 'Year';
+  filter: Filter | null;
+}
+export interface ObjectiveChart extends BaseChart {
+  type: ChartType.Objective;
+  sourceCollectionName: string | number;
+  aggregateFieldName: string;
+  aggregator: 'Sum' | 'Count';
+  objective: number;
+  filter: Filter | null;
+}
+export interface PercentageChart extends BaseChart {
+  type: ChartType.Percentage;
+  numeratorChartId: string;
+  denominatorChartId: string;
+}
+export interface PieChart extends BaseChart {
+  type: ChartType.Pie;
+  sourceCollectionName: string | number;
+  aggregateFieldName: string;
+  groupByFieldName: string;
+  aggregator: 'Sum' | 'Count';
+  filter: Filter | null;
+}
+export interface ValueChart extends BaseChart {
+  type: ChartType.Value;
+  sourceCollectionName: string | number;
+  aggregateFieldName: string;
+  aggregator: 'Sum' | 'Count';
+  filter: Filter | null;
+}
+export default class ChartService {
+  private options;
+  private cache;
+  constructor(options: RolesOptions);
+  invalidateCache(renderingId: number): void;
+  /** Checks that a charting query is in the list of allowed queries */
+  canChart(context: Context): Promise<void>;
+  /** Check if a user is allowed to perform a specific action */
+  can(context: Context, action: string, allowRefetch?: boolean): Promise<void>;
+  getScope(collection: Collection, context: Context): Promise<ConditionTree>;
+  /** Get cached version of "rendering permissions" */
+  private getRenderingPermissions;
+}
+export {};
+// # sourceMappingURL=chart.d.ts.map

package/dist/agent/services/chart.js

@@ -0,0 +1,114 @@
+const __importDefault =
+  (this && this.__importDefault) ||
+  function (mod) {
+    return mod && mod.__esModule ? mod : { default: mod };
+  };
+
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.ChartType = void 0;
+const lru_cache_1 = __importDefault(require('lru-cache'));
+const object_hash_1 = __importDefault(require('object-hash'));
+const types_1 = require('../types');
+const forest_http_api_1 = __importDefault(require('../utils/forest-http-api'));
+
+let ChartType;
+
+(function (ChartType) {
+  ChartType.Pie = 'Pie';
+  ChartType.Value = 'Value';
+  ChartType.Leaderboard = 'Leaderboard';
+  ChartType.Line = 'Line';
+  ChartType.Objective = 'Objective';
+  ChartType.Percentage = 'Percentage';
+})((ChartType = exports.ChartType || (exports.ChartType = {})));
+
+class ChartService {
+  constructor(options) {
+    this.options = options;
+    this.cache = new lru_cache_1.default({
+      max: 256,
+      ttl: this.options.permissionsCacheDurationInSeconds * 1000,
+    });
+  }
+
+  invalidateCache(renderingId) {
+    this.cache.delete(renderingId);
+  }
+
+  /** Checks that a charting query is in the list of allowed queries */
+  async canChart(context) {
+    // If the permissions level already allow the chart, no need to check further
+    if (['admin', 'editor', 'developer'].includes(context.state.user.permissionLevel)) {
+      return;
+    }
+
+    const chart = { ...context.request.body };
+    // When the server sends the data of the allowed charts, the target column is not specified
+    // for relations => allow them all.
+    if (chart?.group_by_field?.includes(':'))
+      chart.group_by_field = chart.group_by_field.substring(0, chart.group_by_field.indexOf(':'));
+    const chartHash = (0, object_hash_1.default)(chart, {
+      respectType: false,
+      excludeKeys: key => chart[key] === null,
+    });
+    await this.can(context, `chart:${chartHash}`);
+  }
+
+  /** Check if a user is allowed to perform a specific action */
+  async can(context, action, allowRefetch = true) {
+    const { id: userId, renderingId } = context.state.user;
+    const perms = await this.getRenderingPermissions(renderingId);
+    const isAllowed = perms.actions.has(action) || perms.actionsByUser[action]?.has(userId);
+
+    if (!isAllowed && allowRefetch) {
+      this.invalidateCache(renderingId);
+
+      return this.can(context, action, false);
+    }
+
+    if (!isAllowed) {
+      context.throw(types_1.HttpCode.Forbidden, 'Forbidden');
+    }
+  }
+
+  async getScope(collection, context) {
+    const { user } = context.state;
+    const perms = await this.getRenderingPermissions(user.renderingId);
+    const scopes = perms.scopes[collection.name];
+    if (!scopes) return null;
+
+    return scopes.conditionTree.replaceLeafs(leaf => {
+      const dynamicValues = scopes.dynamicScopeValues?.[user.id];
+
+      if (typeof leaf.value === 'string' && leaf.value.startsWith('$currentUser')) {
+        // Search replacement hash from forestadmin server
+        if (dynamicValues) {
+          return leaf.override({ value: dynamicValues[leaf.value] });
+        }
+
+        // Search JWT token (new user)
+        return leaf.override({
+          value: leaf.value.startsWith('$currentUser.tags.')
+            ? user.tags[leaf.value.substring(18)]
+            : user[leaf.value.substring(13)],
+        });
+      }
+
+      return leaf;
+    });
+  }
+
+  /** Get cached version of "rendering permissions" */
+  getRenderingPermissions(renderingId) {
+    if (!this.cache.has(renderingId))
+      this.cache.set(
+        renderingId,
+        forest_http_api_1.default.getPermissions(this.options, renderingId),
+      );
+
+    // We already checked the entry is up-to-date with the .has() call => allowStale
+    return this.cache.get(renderingId, { allowStale: true });
+  }
+}
+exports.default = ChartService;
+// # sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2hhcnQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYWdlbnQvc2VydmljZXMvY2hhcnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBRUEsMERBQWlDO0FBQ2pDLDhEQUFxQztBQUVyQyxvQ0FBOEQ7QUFDOUQsK0VBQStFO0FBcUIvRSxJQUFZLFNBT1g7QUFQRCxXQUFZLFNBQVM7SUFDbkIsd0JBQVcsQ0FBQTtJQUNYLDRCQUFlLENBQUE7SUFDZix3Q0FBMkIsQ0FBQTtJQUMzQiwwQkFBYSxDQUFBO0lBQ2Isb0NBQXVCLENBQUE7SUFDdkIsc0NBQXlCLENBQUE7QUFDM0IsQ0FBQyxFQVBXLFNBQVMsR0FBVCxpQkFBUyxLQUFULGlCQUFTLFFBT3BCO0FBc0VELE1BQXFCLFlBQVk7SUFJL0IsWUFBWSxPQUFxQjtRQUMvQixJQUFJLENBQUMsT0FBTyxHQUFHLE9BQU8sQ0FBQztRQUN2QixJQUFJLENBQUMsS0FBSyxHQUFHLElBQUksbUJBQVEsQ0FBQztZQUN4QixHQUFHLEVBQUUsR0FBRztZQUNSLEdBQUcsRUFBRSxJQUFJLENBQUMsT0FBTyxDQUFDLGlDQUFpQyxHQUFHLElBQUk7U0FDM0QsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELGVBQWUsQ0FBQyxXQUFtQjtRQUNqQyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUNqQyxDQUFDO0lBRUQscUVBQXFFO0lBQ3JFLEtBQUssQ0FBQyxRQUFRLENBQUMsT0FBZ0I7UUFDN0IsNkVBQTZFO1FBQzdFLElBQUksQ0FBQyxPQUFPLEVBQUUsUUFBUSxFQUFFLFdBQVcsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsRUFBRTtZQUNqRixPQUFPO1NBQ1I7UUFFRCxNQUFNLEtBQUssR0FBRyxFQUFFLEdBQUcsT0FBTyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUUxQywyRkFBMkY7UUFDM0YsbUNBQW1DO1FBQ25DLElBQUksS0FBSyxFQUFFLGNBQWMsRUFBRSxRQUFRLENBQUMsR0FBRyxDQUFDO1lBQ3RDLEtBQUssQ0FBQyxjQUFjLEdBQUcsS0FBSyxDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLEtBQUssQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFFOUYsTUFBTSxTQUFTLEdBQUcsSUFBQSxxQkFBVSxFQUFDLEtBQUssRUFBRTtZQUNsQyxXQUFXLEVBQUUsS0FBSztZQUNsQixXQUFXLEVBQUUsR0FBRyxDQUFDLEVBQUUsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLEtBQUssSUFBSTtTQUN4QyxDQUFDLENBQUM7UUFFSCxNQUFNLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLFNBQVMsU0FBUyxFQUFFLENBQUMsQ0FBQztJQUNoRCxDQUFDO0lBRUQsOERBQThEO0lBQzlELEtBQUssQ0FBQyxHQUFHLENBQUMsT0FBZ0IsRUFBRSxNQUFjLEVBQUUsWUFBWSxHQUFHLElBQUk7UUFDN0QsTUFBTSxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsV0FBVyxFQUFFLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7UUFDdkQsTUFBTSxLQUFLLEdBQUcsTUFBTSxJQUFJLENBQUMsdUJBQXVCLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDOUQsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLElBQUksS0FBSyxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFeEYsSUFBSSxDQUFDLFNBQVMsSUFBSSxZQUFZLEVBQUU7WUFDOUIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxXQUFXLENBQUMsQ0FBQztZQUVsQyxPQUFPLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxLQUFLLENBQUMsQ0FBQztTQUN6QztRQUVELElBQUksQ0FBQyxTQUFTLEVBQUU7WUFDZCxPQUFPLENBQUMsS0FBSyxDQUFDLGdCQUFRLENBQUMsU0FBUyxFQUFFLFdBQVcsQ0FBQyxDQUFDO1NBQ2hEO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxRQUFRLENBQUMsVUFBc0IsRUFBRSxPQUFnQjtRQUNyRCxNQUFNLEVBQUUsSUFBSSxFQUFFLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUMvQixNQUFNLEtBQUssR0FBRyxNQUFNLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDbkUsTUFBTSxNQUFNLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUM7UUFFN0MsSUFBSSxDQUFDLE1BQU07WUFBRSxPQUFPLElBQUksQ0FBQztRQUV6QixPQUFPLE1BQU0sQ0FBQyxhQUFhLENBQUMsWUFBWSxDQUFDLElBQUksQ0FBQyxFQUFFO1lBQzlDLE1BQU0sYUFBYSxHQUFHLE1BQU0sQ0FBQyxrQkFBa0IsRUFBRSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsQ0FBQztZQUUzRCxJQUFJLE9BQU8sSUFBSSxDQUFDLEtBQUssS0FBSyxRQUFRLElBQUksSUFBSSxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQUMsY0FBYyxDQUFDLEVBQUU7Z0JBQzNFLGtEQUFrRDtnQkFDbEQsSUFBSSxhQUFhLEVBQUU7b0JBQ2pCLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEtBQUssRUFBRSxhQUFhLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQztpQkFDNUQ7Z0JBRUQsOEJBQThCO2dCQUM5QixPQUFPLElBQUksQ0FBQyxRQUFRLENBQUM7b0JBQ25CLEtBQUssRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxvQkFBb0IsQ0FBQzt3QkFDaEQsQ0FBQyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDLENBQUM7d0JBQ3JDLENBQUMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDLENBQUM7aUJBQ25DLENBQUMsQ0FBQzthQUNKO1lBRUQsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxvREFBb0Q7SUFDNUMsdUJBQXVCLENBQUMsV0FBbUI7UUFDakQsSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQztZQUM5QixJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUseUJBQWEsQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1FBRXZGLGdGQUFnRjtRQUNoRixPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxFQUFFLFVBQVUsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO0lBQzNELENBQUM7Q0FDRjtBQTNGRCwrQkEyRkMifQ==

package/dist/routes/access/api-chart.d.ts

@@ -0,0 +1,16 @@
+/// <reference types="koa__router" />
+import { DataSource } from '@forestadmin/datasource-toolkit';
+import Router from '@koa/router';
+import { AgentOptionsWithDefaults, RouteType } from '../../types';
+import { ForestAdminHttpDriverServices } from '../../services';
+import BaseRoute from '../base-route';
+export default class ApiChartRoute extends BaseRoute {
+    readonly type = RouteType.PrivateRoute;
+    private dataSource;
+    private chartName;
+    constructor(services: ForestAdminHttpDriverServices, options: AgentOptionsWithDefaults, dataSource: DataSource, chartName: string);
+    setupRoutes(router: Router): void;
+    private handleApiChart;
+    private handleSmartChart;
+}
+//# sourceMappingURL=api-chart.d.ts.map

package/dist/routes/access/api-chart.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const uuid_1 = require("uuid");
+const path_1 = __importDefault(require("path"));
+const types_1 = require("../../types");
+const base_route_1 = __importDefault(require("../base-route"));
+const query_string_1 = __importDefault(require("../../utils/query-string"));
+class ApiChartRoute extends base_route_1.default {
+    constructor(services, options, dataSource, chartName) {
+        super(services, options);
+        this.type = types_1.RouteType.PrivateRoute;
+        this.dataSource = dataSource;
+        this.chartName = chartName;
+    }
+    setupRoutes(router) {
+        // Mount both GET and POST, respectively for smart and api charts.
+        const suffix = `/_charts/${this.chartName}`;
+        router.get(suffix, this.handleSmartChart.bind(this));
+        router.post(suffix, this.handleApiChart.bind(this));
+        // Log the route to help the customer fill the url in the frontend
+        if (!this.options.isProduction) {
+            const url = path_1.default.posix.join('/', this.options.prefix, 'forest', suffix);
+            this.options.logger('Info', `Chart '${this.chartName}' was mounted at '${url}'`);
+        }
+    }
+    async handleApiChart(context) {
+        // Api Charts need the data to be formatted in JSON-API
+        context.response.body = {
+            data: {
+                id: (0, uuid_1.v1)(),
+                type: 'stats',
+                attributes: {
+                    value: await this.dataSource.renderChart(query_string_1.default.parseCaller(context), this.chartName),
+                },
+            },
+        };
+    }
+    async handleSmartChart(context) {
+        // Smart charts need the data to be unformatted
+        context.response.body = await this.dataSource.renderChart(query_string_1.default.parseCaller(context), this.chartName);
+    }
+}
+exports.default = ApiChartRoute;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBpLWNoYXJ0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3JvdXRlcy9hY2Nlc3MvYXBpLWNoYXJ0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBRUEsK0JBQW9DO0FBRXBDLGdEQUF3QjtBQUV4Qix1Q0FBa0U7QUFFbEUsK0RBQXNDO0FBQ3RDLDRFQUF5RDtBQUV6RCxNQUFxQixhQUFjLFNBQVEsb0JBQVM7SUFNbEQsWUFDRSxRQUF1QyxFQUN2QyxPQUFpQyxFQUNqQyxVQUFzQixFQUN0QixTQUFpQjtRQUVqQixLQUFLLENBQUMsUUFBUSxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBWGxCLFNBQUksR0FBRyxpQkFBUyxDQUFDLFlBQVksQ0FBQztRQWFyQyxJQUFJLENBQUMsVUFBVSxHQUFHLFVBQVUsQ0FBQztRQUM3QixJQUFJLENBQUMsU0FBUyxHQUFHLFNBQVMsQ0FBQztJQUM3QixDQUFDO0lBRUQsV0FBVyxDQUFDLE1BQWM7UUFDeEIsa0VBQWtFO1FBQ2xFLE1BQU0sTUFBTSxHQUFHLFlBQVksSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1FBQzVDLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUNyRCxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRXBELGtFQUFrRTtRQUNsRSxJQUFJLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxZQUFZLEVBQUU7WUFDOUIsTUFBTSxHQUFHLEdBQUcsY0FBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLFFBQVEsRUFBRSxNQUFNLENBQUMsQ0FBQztZQUN4RSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxNQUFNLEVBQUUsVUFBVSxJQUFJLENBQUMsU0FBUyxxQkFBcUIsR0FBRyxHQUFHLENBQUMsQ0FBQztTQUNsRjtJQUNILENBQUM7SUFFTyxLQUFLLENBQUMsY0FBYyxDQUFDLE9BQWdCO1FBQzNDLHVEQUF1RDtRQUN2RCxPQUFPLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRztZQUN0QixJQUFJLEVBQUU7Z0JBQ0osRUFBRSxFQUFFLElBQUEsU0FBTSxHQUFFO2dCQUNaLElBQUksRUFBRSxPQUFPO2dCQUNiLFVBQVUsRUFBRTtvQkFDVixLQUFLLEVBQUUsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLFdBQVcsQ0FDdEMsc0JBQWlCLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxFQUN0QyxJQUFJLENBQUMsU0FBUyxDQUNmO2lCQUNGO2FBQ0Y7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVPLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFnQjtRQUM3QywrQ0FBK0M7UUFDL0MsT0FBTyxDQUFDLFFBQVEsQ0FBQyxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLFdBQVcsQ0FDdkQsc0JBQWlCLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxFQUN0QyxJQUFJLENBQUMsU0FBUyxDQUNmLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUF0REQsZ0NBc0RDIn0=

package/dist/routes/modification/action.d.ts

@@ -0,0 +1,16 @@
+/// <reference types="koa__router" />
+import { DataSource } from '@forestadmin/datasource-toolkit';
+import Router from '@koa/router';
+import { ForestAdminHttpDriverServices } from '../../services';
+import { AgentOptionsWithDefaults } from '../../types';
+import CollectionRoute from '../collection-route';
+export default class ActionRoute extends CollectionRoute {
+    private readonly actionName;
+    constructor(services: ForestAdminHttpDriverServices, options: AgentOptionsWithDefaults, dataSource: DataSource, collectionName: string, actionName: string);
+    setupRoutes(router: Router): void;
+    private handleExecute;
+    private handleHook;
+    private middlewareCustomActionApprovalRequestData;
+    private getRecordSelection;
+}
+//# sourceMappingURL=action.d.ts.map

package/dist/routes/modification/action.js

@@ -0,0 +1,121 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const datasource_toolkit_1 = require("@forestadmin/datasource-toolkit");
+const types_1 = require("../../types");
+const body_parser_1 = __importDefault(require("../../utils/body-parser"));
+const context_filter_factory_1 = __importDefault(require("../../utils/context-filter-factory"));
+const action_values_1 = __importDefault(require("../../utils/forest-schema/action-values"));
+const generator_actions_1 = __importDefault(require("../../utils/forest-schema/generator-actions"));
+const id_1 = __importDefault(require("../../utils/id"));
+const query_string_1 = __importDefault(require("../../utils/query-string"));
+const collection_route_1 = __importDefault(require("../collection-route"));
+class ActionRoute extends collection_route_1.default {
+    constructor(services, options, dataSource, collectionName, actionName) {
+        super(services, options, dataSource, collectionName);
+        this.actionName = actionName;
+    }
+    setupRoutes(router) {
+        const actionIndex = Object.keys(this.collection.schema.actions).indexOf(this.actionName);
+        const path = `/_actions/${this.collection.name}/${actionIndex}`;
+        router.post(`${path}/:slug`, this.middlewareCustomActionApprovalRequestData.bind(this), this.handleExecute.bind(this));
+        router.post(`${path}/:slug/hooks/load`, this.handleHook.bind(this));
+        router.post(`${path}/:slug/hooks/change`, this.handleHook.bind(this));
+    }
+    async handleExecute(context) {
+        const { dataSource } = this.collection;
+        const caller = query_string_1.default.parseCaller(context);
+        const filter = await this.getRecordSelection(context);
+        const rawData = context.request.body.data.attributes.values;
+        // As forms are dynamic, we don't have any way to ensure that we're parsing the data correctly
+        // => better send invalid data to the getForm() customer handler than to the execute() one.
+        const unsafeData = action_values_1.default.makeFormDataUnsafe(rawData);
+        const fields = await this.collection.getForm(caller, this.actionName, unsafeData, filter);
+        // Now that we have the field list, we can parse the data again.
+        const data = action_values_1.default.makeFormData(dataSource, rawData, fields);
+        const result = await this.collection.execute(caller, this.actionName, data, filter);
+        if (result?.type === 'Error') {
+            context.response.status = types_1.HttpCode.BadRequest;
+            context.response.body = { error: result.message, html: result.html };
+        }
+        else if (result?.type === 'Success') {
+            context.response.body = {
+                success: result.message,
+                html: result.html,
+                refresh: { relationships: [...result.invalidated] },
+            };
+        }
+        else if (result?.type === 'Webhook') {
+            const { url, method, headers, body } = result;
+            context.response.body = { webhook: { url, method, headers, body } };
+        }
+        else if (result?.type === 'Redirect') {
+            context.response.body = { redirectTo: result.path };
+        }
+        else if (result?.type === 'File') {
+            context.response.attachment(result.name);
+            context.response.set('Access-Control-Expose-Headers', 'Content-Disposition');
+            context.response.type = result.mimeType;
+            context.response.body = result.stream;
+        }
+        else {
+            throw new Error('Unexpected Action result.');
+        }
+    }
+    async handleHook(context) {
+        await this.services.authorization.assertCanRequestCustomActionParameters(context, this.actionName, this.collection.name);
+        const { dataSource } = this.collection;
+        const forestFields = context.request.body?.data?.attributes?.fields;
+        const data = forestFields
+            ? action_values_1.default.makeFormDataFromFields(dataSource, forestFields)
+            : null;
+        const caller = query_string_1.default.parseCaller(context);
+        const filter = await this.getRecordSelection(context);
+        const fields = await this.collection.getForm(caller, this.actionName, data, filter);
+        context.response.body = {
+            fields: fields.map(field => generator_actions_1.default.buildFieldSchema(this.collection.dataSource, field)),
+        };
+    }
+    async middlewareCustomActionApprovalRequestData(context, next) {
+        const requestBody = context.request.body;
+        if (requestBody?.data?.attributes?.signed_approval_request) {
+            const signedParameters = this.services.authorization.verifySignedActionParameters(requestBody.data.attributes.signed_approval_request);
+            await this.services.authorization.assertCanApproveCustomAction({
+                context,
+                customActionName: this.actionName,
+                collectionName: this.collection.name,
+                requesterId: signedParameters?.data?.attributes?.requester_id,
+            });
+            context.request.body = signedParameters;
+        }
+        else {
+            await this.services.authorization.assertCanTriggerCustomAction({
+                context,
+                customActionName: this.actionName,
+                collectionName: this.collection.name,
+            });
+        }
+        return next();
+    }
+    async getRecordSelection(context) {
+        const selectionIds = body_parser_1.default.parseSelectionIds(this.collection.schema, context);
+        let selectedIds = datasource_toolkit_1.ConditionTreeFactory.matchIds(this.collection.schema, selectionIds.ids);
+        if (selectionIds.areExcluded)
+            selectedIds = selectedIds.inverse();
+        const conditionTree = datasource_toolkit_1.ConditionTreeFactory.intersect(selectedIds, query_string_1.default.parseConditionTree(this.collection, context), await this.services.authorization.getScope(this.collection, context));
+        const caller = query_string_1.default.parseCaller(context);
+        const filter = context_filter_factory_1.default.build(this.collection, context, null, { conditionTree });
+        const attributes = context.request?.body?.data?.attributes;
+        if (attributes?.parent_association_name) {
+            const relation = attributes?.parent_association_name;
+            const parentCollection = this.dataSource.getCollection(attributes.parent_collection_name);
+            const parentId = id_1.default.unpackId(parentCollection.schema, attributes.parent_collection_id);
+            return datasource_toolkit_1.FilterFactory.makeForeignFilter(parentCollection, parentId, relation, caller, filter);
+        }
+        return filter;
+    }
+}
+exports.default = ActionRoute;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWN0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3JvdXRlcy9tb2RpZmljYXRpb24vYWN0aW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsd0VBS3lDO0FBU3pDLHVDQUFpRTtBQUNqRSwwRUFBaUQ7QUFDakQsZ0dBQXNFO0FBQ3RFLDRGQUEyRTtBQUMzRSxvR0FBaUY7QUFDakYsd0RBQXFDO0FBQ3JDLDRFQUF5RDtBQUN6RCwyRUFBa0Q7QUFFbEQsTUFBcUIsV0FBWSxTQUFRLDBCQUFlO0lBR3RELFlBQ0UsUUFBdUMsRUFDdkMsT0FBaUMsRUFDakMsVUFBc0IsRUFDdEIsY0FBc0IsRUFDdEIsVUFBa0I7UUFFbEIsS0FBSyxDQUFDLFFBQVEsRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQ3JELElBQUksQ0FBQyxVQUFVLEdBQUcsVUFBVSxDQUFDO0lBQy9CLENBQUM7SUFFRCxXQUFXLENBQUMsTUFBYztRQUN4QixNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDekYsTUFBTSxJQUFJLEdBQUcsYUFBYSxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksSUFBSSxXQUFXLEVBQUUsQ0FBQztRQUVoRSxNQUFNLENBQUMsSUFBSSxDQUNULEdBQUcsSUFBSSxRQUFRLEVBQ2YsSUFBSSxDQUFDLHlDQUF5QyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFDekQsSUFBSSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQzlCLENBQUM7UUFDRixNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsSUFBSSxtQkFBbUIsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBQ3BFLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLHFCQUFxQixFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7SUFDeEUsQ0FBQztJQUVPLEtBQUssQ0FBQyxhQUFhLENBQUMsT0FBZ0I7UUFDMUMsTUFBTSxFQUFFLFVBQVUsRUFBRSxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUM7UUFDdkMsTUFBTSxNQUFNLEdBQUcsc0JBQWlCLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ3RELE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ3RELE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDO1FBRTVELDhGQUE4RjtRQUM5RiwyRkFBMkY7UUFDM0YsTUFBTSxVQUFVLEdBQUcsdUJBQW9CLENBQUMsa0JBQWtCLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDcEUsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLFVBQVUsRUFBRSxVQUFVLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFFMUYsZ0VBQWdFO1FBQ2hFLE1BQU0sSUFBSSxHQUFHLHVCQUFvQixDQUFDLFlBQVksQ0FBQyxVQUFVLEVBQUUsT0FBTyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBQzVFLE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRXBGLElBQUksTUFBTSxFQUFFLElBQUksS0FBSyxPQUFPLEVBQUU7WUFDNUIsT0FBTyxDQUFDLFFBQVEsQ0FBQyxNQUFNLEdBQUcsZ0JBQVEsQ0FBQyxVQUFVLENBQUM7WUFDOUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxJQUFJLEdBQUcsRUFBRSxLQUFLLEVBQUUsTUFBTSxDQUFDLE9BQU8sRUFBRSxJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUksRUFBRSxDQUFDO1NBQ3RFO2FBQU0sSUFBSSxNQUFNLEVBQUUsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNyQyxPQUFPLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRztnQkFDdEIsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPO2dCQUN2QixJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUk7Z0JBQ2pCLE9BQU8sRUFBRSxFQUFFLGFBQWEsRUFBRSxDQUFDLEdBQUcsTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFO2FBQ3BELENBQUM7U0FDSDthQUFNLElBQUksTUFBTSxFQUFFLElBQUksS0FBSyxTQUFTLEVBQUU7WUFDckMsTUFBTSxFQUFFLEdBQUcsRUFBRSxNQUFNLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLE1BQU0sQ0FBQztZQUM5QyxPQUFPLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRyxFQUFFLE9BQU8sRUFBRSxFQUFFLEdBQUcsRUFBRSxNQUFNLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxFQUFFLENBQUM7U0FDckU7YUFBTSxJQUFJLE1BQU0sRUFBRSxJQUFJLEtBQUssVUFBVSxFQUFFO1lBQ3RDLE9BQU8sQ0FBQyxRQUFRLENBQUMsSUFBSSxHQUFHLEVBQUUsVUFBVSxFQUFFLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQztTQUNyRDthQUFNLElBQUksTUFBTSxFQUFFLElBQUksS0FBSyxNQUFNLEVBQUU7WUFDbEMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ3pDLE9BQU8sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLCtCQUErQixFQUFFLHFCQUFxQixDQUFDLENBQUM7WUFDN0UsT0FBTyxDQUFDLFFBQVEsQ0FBQyxJQUFJLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQztZQUN4QyxPQUFPLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDO1NBQ3ZDO2FBQU07WUFDTCxNQUFNLElBQUksS0FBSyxDQUFDLDJCQUEyQixDQUFDLENBQUM7U0FDOUM7SUFDSCxDQUFDO0lBRU8sS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFnQjtRQUN2QyxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDLHNDQUFzQyxDQUN0RSxPQUFPLEVBQ1AsSUFBSSxDQUFDLFVBQVUsRUFDZixJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FDckIsQ0FBQztRQUVGLE1BQU0sRUFBRSxVQUFVLEVBQUUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDO1FBQ3ZDLE1BQU0sWUFBWSxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsTUFBTSxDQUFDO1FBQ3BFLE1BQU0sSUFBSSxHQUFHLFlBQVk7WUFDdkIsQ0FBQyxDQUFDLHVCQUFvQixDQUFDLHNCQUFzQixDQUFDLFVBQVUsRUFBRSxZQUFZLENBQUM7WUFDdkUsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUVULE1BQU0sTUFBTSxHQUFHLHNCQUFpQixDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUN0RCxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUN0RCxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksRUFBRSxNQUFNLENBQUMsQ0FBQztRQUVwRixPQUFPLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRztZQUN0QixNQUFNLEVBQUUsTUFBTSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUN6QiwyQkFBc0IsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLFVBQVUsRUFBRSxLQUFLLENBQUMsQ0FDM0U7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVPLEtBQUssQ0FBQyx5Q0FBeUMsQ0FBQyxPQUFnQixFQUFFLElBQVU7UUFDbEYsTUFBTSxXQUFXLEdBQUcsT0FBTyxDQUFDLE9BQU8sQ0FBQyxJQUFzQyxDQUFDO1FBRTNFLElBQUksV0FBVyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsdUJBQXVCLEVBQUU7WUFDMUQsTUFBTSxnQkFBZ0IsR0FDcEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxhQUFhLENBQUMsNEJBQTRCLENBQ3RELFdBQVcsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLHVCQUF1QixDQUNwRCxDQUFDO1lBQ0osTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQyw0QkFBNEIsQ0FBQztnQkFDN0QsT0FBTztnQkFDUCxnQkFBZ0IsRUFBRSxJQUFJLENBQUMsVUFBVTtnQkFDakMsY0FBYyxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSTtnQkFDcEMsV0FBVyxFQUFFLGdCQUFnQixFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsWUFBWTthQUM5RCxDQUFDLENBQUM7WUFDSCxPQUFPLENBQUMsT0FBTyxDQUFDLElBQUksR0FBRyxnQkFBZ0IsQ0FBQztTQUN6QzthQUFNO1lBQ0wsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQyw0QkFBNEIsQ0FBQztnQkFDN0QsT0FBTztnQkFDUCxnQkFBZ0IsRUFBRSxJQUFJLENBQUMsVUFBVTtnQkFDakMsY0FBYyxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSTthQUNyQyxDQUFDLENBQUM7U0FDSjtRQUVELE9BQU8sSUFBSSxFQUFFLENBQUM7SUFDaEIsQ0FBQztJQUVPLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxPQUFnQjtRQUMvQyxNQUFNLFlBQVksR0FBRyxxQkFBVSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBQ25GLElBQUksV0FBVyxHQUFHLHlDQUFvQixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sRUFBRSxZQUFZLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDMUYsSUFBSSxZQUFZLENBQUMsV0FBVztZQUFFLFdBQVcsR0FBRyxXQUFXLENBQUMsT0FBTyxFQUFFLENBQUM7UUFFbEUsTUFBTSxhQUFhLEdBQUcseUNBQW9CLENBQUMsU0FBUyxDQUNsRCxXQUFXLEVBQ1gsc0JBQWlCLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsRUFDOUQsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsQ0FDckUsQ0FBQztRQUVGLE1BQU0sTUFBTSxHQUFHLHNCQUFpQixDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUN0RCxNQUFNLE1BQU0sR0FBRyxnQ0FBb0IsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEVBQUUsYUFBYSxFQUFFLENBQUMsQ0FBQztRQUM3RixNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsT0FBTyxFQUFFLElBQUksRUFBRSxJQUFJLEVBQUUsVUFBVSxDQUFDO1FBRTNELElBQUksVUFBVSxFQUFFLHVCQUF1QixFQUFFO1lBQ3ZDLE1BQU0sUUFBUSxHQUFHLFVBQVUsRUFBRSx1QkFBdUIsQ0FBQztZQUNyRCxNQUFNLGdCQUFnQixHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLFVBQVUsQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO1lBQzFGLE1BQU0sUUFBUSxHQUFHLFlBQU8sQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLFVBQVUsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1lBRTVGLE9BQU8sa0NBQWEsQ0FBQyxpQkFBaUIsQ0FBQyxnQkFBZ0IsRUFBRSxRQUFRLEVBQUUsUUFBUSxFQUFFLE1BQU0sRUFBRSxNQUFNLENBQUMsQ0FBQztTQUM5RjtRQUVELE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7Q0FDRjtBQTdJRCw4QkE2SUMifQ==

package/dist/services/authorization/internal/action-permission.d.ts

@@ -0,0 +1,20 @@
+import { AgentOptionsWithDefaults } from '../../../types';
+
+export declare type ActionPermissionOptions = Pick<
+  AgentOptionsWithDefaults,
+  'forestServerUrl' | 'envSecret' | 'isProduction' | 'permissionsCacheDurationInSeconds' | 'logger'
+>;
+export default class ActionPermissionService {
+  private readonly options;
+  private permissionsPromise;
+  private permissionExpirationTimestamp;
+  constructor(options: ActionPermissionOptions);
+  canOneOf(userId: string, actionNames: string[]): Promise<boolean>;
+  can(userId: string, actionName: string): Promise<boolean>;
+  private hasPermissionOrRefetch;
+  private isAllowedOneOf;
+  private isAllowed;
+  private getPermissions;
+  private fetchEnvironmentPermissions;
+}
+// # sourceMappingURL=action-permission.d.ts.map

package/dist/services/authorization/internal/action-permission.js

@@ -0,0 +1,98 @@
+const __importDefault =
+  (this && this.__importDefault) ||
+  function (mod) {
+    return mod && mod.__esModule ? mod : { default: mod };
+  };
+
+Object.defineProperty(exports, '__esModule', { value: true });
+const forest_http_api_1 = __importDefault(require('../../../utils/forest-http-api'));
+const generate_actions_from_permissions_1 = __importDefault(
+  require('./generate-actions-from-permissions'),
+);
+
+class ActionPermissionService {
+  constructor(options) {
+    this.options = options;
+  }
+
+  canOneOf(userId, actionNames) {
+    return this.hasPermissionOrRefetch({
+      userId,
+      actionNames,
+      allowRefetch: true,
+    });
+  }
+
+  can(userId, actionName) {
+    return this.hasPermissionOrRefetch({
+      userId,
+      actionNames: [actionName],
+      allowRefetch: true,
+    });
+  }
+
+  async hasPermissionOrRefetch({ userId, actionNames, allowRefetch }) {
+    const permissions = await this.getPermissions();
+    const isAllowed = this.isAllowedOneOf({ permissions, actionNames, userId });
+
+    if (!isAllowed && allowRefetch) {
+      this.permissionsPromise = undefined;
+      this.permissionExpirationTimestamp = undefined;
+
+      return this.hasPermissionOrRefetch({
+        userId,
+        actionNames,
+        allowRefetch: false,
+      });
+    }
+
+    this.options.logger(
+      'Debug',
+      `User ${userId} is ${isAllowed ? '' : 'not '}allowed to perform ${
+        actionNames.length > 1 ? ' one of ' : ''
+      }${actionNames.join(', ')}`,
+    );
+
+    return isAllowed;
+  }
+
+  isAllowedOneOf({ permissions, actionNames, userId }) {
+    return actionNames.some(actionName => this.isAllowed({ permissions, actionName, userId }));
+  }
+
+  isAllowed({ permissions, actionName, userId }) {
+    return (
+      permissions.everythingAllowed ||
+      permissions.actionsGloballyAllowed.has(actionName) ||
+      permissions.actionsAllowedByUser.get(actionName)?.has(userId)
+    );
+  }
+
+  async getPermissions() {
+    if (
+      this.permissionsPromise &&
+      this.permissionExpirationTimestamp &&
+      this.permissionExpirationTimestamp > Date.now()
+    ) {
+      return this.permissionsPromise;
+    }
+
+    this.permissionsPromise = this.fetchEnvironmentPermissions();
+    this.permissionExpirationTimestamp =
+      Date.now() + this.options.permissionsCacheDurationInSeconds * 1000;
+
+    return this.permissionsPromise;
+  }
+
+  async fetchEnvironmentPermissions() {
+    this.options.logger('Debug', 'Fetching environment permissions');
+    const [rawPermissions, users] = await Promise.all([
+      forest_http_api_1.default.getEnvironmentPermissions(this.options),
+      forest_http_api_1.default.getUsers(this.options),
+    ]);
+
+    return (0, generate_actions_from_permissions_1.default)(rawPermissions, users);
+  }
+}
+exports.default = ActionPermissionService;
+// # sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWN0aW9uLXBlcm1pc3Npb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbnRlcm5hbC9hY3Rpb24tcGVybWlzc2lvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUNBLHFGQUEyRDtBQUMzRCw0R0FFNkM7QUFPN0MsTUFBcUIsdUJBQXVCO0lBSTFDLFlBQTZCLE9BQWdDO1FBQWhDLFlBQU8sR0FBUCxPQUFPLENBQXlCO0lBQUcsQ0FBQztJQUUxRCxRQUFRLENBQUMsTUFBYyxFQUFFLFdBQXFCO1FBQ25ELE9BQU8sSUFBSSxDQUFDLHNCQUFzQixDQUFDO1lBQ2pDLE1BQU07WUFDTixXQUFXO1lBQ1gsWUFBWSxFQUFFLElBQUk7U0FDbkIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVNLEdBQUcsQ0FBQyxNQUFjLEVBQUUsVUFBa0I7UUFDM0MsT0FBTyxJQUFJLENBQUMsc0JBQXNCLENBQUM7WUFDakMsTUFBTTtZQUNOLFdBQVcsRUFBRSxDQUFDLFVBQVUsQ0FBQztZQUN6QixZQUFZLEVBQUUsSUFBSTtTQUNuQixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRU8sS0FBSyxDQUFDLHNCQUFzQixDQUFDLEVBQ25DLE1BQU0sRUFDTixXQUFXLEVBQ1gsWUFBWSxHQUtiO1FBQ0MsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFDaEQsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxFQUFFLFdBQVcsRUFBRSxXQUFXLEVBQUUsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUU1RSxJQUFJLENBQUMsU0FBUyxJQUFJLFlBQVksRUFBRTtZQUM5QixJQUFJLENBQUMsa0JBQWtCLEdBQUcsU0FBUyxDQUFDO1lBQ3BDLElBQUksQ0FBQyw2QkFBNkIsR0FBRyxTQUFTLENBQUM7WUFFL0MsT0FBTyxJQUFJLENBQUMsc0JBQXNCLENBQUM7Z0JBQ2pDLE1BQU07Z0JBQ04sV0FBVztnQkFDWCxZQUFZLEVBQUUsS0FBSzthQUNwQixDQUFDLENBQUM7U0FDSjtRQUVELElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUNqQixPQUFPLEVBQ1AsUUFBUSxNQUFNLE9BQU8sU0FBUyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLE1BQU0sc0JBQzFDLFdBQVcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQ3hDLEdBQUcsV0FBVyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUM1QixDQUFDO1FBRUYsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVPLGNBQWMsQ0FBQyxFQUNyQixXQUFXLEVBQ1gsV0FBVyxFQUNYLE1BQU0sR0FLUDtRQUNDLE9BQU8sV0FBVyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsRUFBRSxXQUFXLEVBQUUsVUFBVSxFQUFFLE1BQU0sRUFBRSxDQUFDLENBQUMsQ0FBQztJQUM3RixDQUFDO0lBRU8sU0FBUyxDQUFDLEVBQ2hCLFdBQVcsRUFDWCxVQUFVLEVBQ1YsTUFBTSxHQUtQO1FBQ0MsT0FBTyxDQUNMLFdBQVcsQ0FBQyxpQkFBaUI7WUFDN0IsV0FBVyxDQUFDLHNCQUFzQixDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUM7WUFDbEQsV0FBVyxDQUFDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLENBQzlELENBQUM7SUFDSixDQUFDO0lBRU8sS0FBSyxDQUFDLGNBQWM7UUFDMUIsSUFDRSxJQUFJLENBQUMsa0JBQWtCO1lBQ3ZCLElBQUksQ0FBQyw2QkFBNkI7WUFDbEMsSUFBSSxDQUFDLDZCQUE2QixHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsRUFDL0M7WUFDQSxPQUFPLElBQUksQ0FBQyxrQkFBa0IsQ0FBQztTQUNoQztRQUVELElBQUksQ0FBQyxrQkFBa0IsR0FBRyxJQUFJLENBQUMsMkJBQTJCLEVBQUUsQ0FBQztRQUM3RCxJQUFJLENBQUMsNkJBQTZCO1lBQ2hDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLGlDQUFpQyxHQUFHLElBQUksQ0FBQztRQUVyRSxPQUFPLElBQUksQ0FBQyxrQkFBa0IsQ0FBQztJQUNqQyxDQUFDO0lBRU8sS0FBSyxDQUFDLDJCQUEyQjtRQUN2QyxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxPQUFPLEVBQUUsa0NBQWtDLENBQUMsQ0FBQztRQUVqRSxNQUFNLENBQUMsY0FBYyxFQUFFLEtBQUssQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztZQUNoRCx5QkFBYSxDQUFDLHlCQUF5QixDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7WUFDckQseUJBQWEsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQztTQUNyQyxDQUFDLENBQUM7UUFFSCxPQUFPLElBQUEsMkNBQThCLEVBQUMsY0FBYyxFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQy9ELENBQUM7Q0FDRjtBQTdHRCwwQ0E2R0MifQ==

package/dist/services/authorization/internal/generate-action-identifier.d.ts

@@ -0,0 +1,12 @@
+import { CollectionActionEvent, CustomActionEvent } from './types';
+
+export declare function generateCustomActionIdentifier(
+  actionEventName: CustomActionEvent,
+  customActionName: string,
+  collectionName: string,
+): string;
+export declare function generateCollectionActionIdentifier(
+  action: CollectionActionEvent,
+  collectionName: string,
+): string;
+// # sourceMappingURL=generate-action-identifier.d.ts.map

package/dist/services/authorization/internal/generate-action-identifier.js

@@ -0,0 +1,15 @@
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.generateCollectionActionIdentifier = exports.generateCustomActionIdentifier = void 0;
+
+function generateCustomActionIdentifier(actionEventName, customActionName, collectionName) {
+  return `custom:${collectionName}:${customActionName}:${actionEventName}`;
+}
+
+exports.generateCustomActionIdentifier = generateCustomActionIdentifier;
+
+function generateCollectionActionIdentifier(action, collectionName) {
+  return `collection:${collectionName}:${action}`;
+}
+
+exports.generateCollectionActionIdentifier = generateCollectionActionIdentifier;
+// # sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdGUtYWN0aW9uLWlkZW50aWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvc2VydmljZXMvYXV0aG9yaXphdGlvbi9pbnRlcm5hbC9nZW5lcmF0ZS1hY3Rpb24taWRlbnRpZmllci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFFQSxTQUFnQiw4QkFBOEIsQ0FDNUMsZUFBa0MsRUFDbEMsZ0JBQXdCLEVBQ3hCLGNBQXNCO0lBRXRCLE9BQU8sVUFBVSxjQUFjLElBQUksZ0JBQWdCLElBQUksZUFBZSxFQUFFLENBQUM7QUFDM0UsQ0FBQztBQU5ELHdFQU1DO0FBRUQsU0FBZ0Isa0NBQWtDLENBQ2hELE1BQTZCLEVBQzdCLGNBQXNCO0lBRXRCLE9BQU8sY0FBYyxjQUFjLElBQUksTUFBTSxFQUFFLENBQUM7QUFDbEQsQ0FBQztBQUxELGdGQUtDIn0=

package/dist/services/authorization/internal/generate-actions-from-permissions.d.ts

@@ -0,0 +1,12 @@
+import { EnvironmentPermissionsV4, UserPermissionV4 } from './types';
+
+export declare type ActionPermissions = {
+  everythingAllowed: boolean;
+  actionsGloballyAllowed: Set<string>;
+  actionsAllowedByUser: Map<string, Set<string>>;
+};
+export default function generateActionsFromPermissions(
+  environmentPermissions: EnvironmentPermissionsV4,
+  users: UserPermissionV4[],
+): ActionPermissions;
+// # sourceMappingURL=generate-actions-from-permissions.d.ts.map