@klerick/acl-json-api-nestjs 0.1.0

package/src/lib/utils/orm-proxy/extract-field-paths.js

@@ -0,0 +1,155 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExtractFieldPaths = void 0;
+exports.getCurrentEntityAndParamMap = getCurrentEntityAndParamMap;
+exports.extractFieldsForCheck = extractFieldsForCheck;
+const json_api_nestjs_1 = require("@klerick/json-api-nestjs");
+const remove_acl_added_fields_1 = require("./remove-acl-added-fields");
+const handle_acl_query_error_1 = require("./handle-acl-query-error");
+/**
+ * Singleton class for extracting field paths from entity objects
+ *
+ * Features:
+ * - Skips primary keys (they are always accessible, no ACL check needed)
+ * - Recursively processes relationships
+ * - Returns flat array of dot-notation paths
+ * - Handles one-to-many (arrays) and one-to-one (objects) relationships
+ *
+ * @example
+ * const extractor = ExtractFieldPaths.getInstance(entityParamMap);
+ * const obj = {
+ *   id: 1,  // primary key - will be skipped
+ *   login: 'user',
+ *   profile: { id: 10, phone: '123' }  // profile.id also skipped
+ * };
+ *
+ * const paths = extractor.fields(obj, User);
+ * // Returns: ['login', 'profile.phone']
+ */
+class ExtractFieldPaths {
+    entityParamMap;
+    constructor(entityParamMap) {
+        this.entityParamMap = entityParamMap;
+    }
+    extractField(obj, nameEntity, prefix = '') {
+        const fields = [];
+        const entityParam = this.entityParamMap.get(nameEntity);
+        if (!entityParam) {
+            throw new Error(`Entity ${nameEntity.name} not found in EntityParamMap`);
+        }
+        // Add all properties (fields)
+        for (const prop of entityParam.props) {
+            if (!(prop in obj) || entityParam.primaryColumnName === prop) {
+                continue;
+            }
+            const path = (prefix ? `${prefix}.${prop.toString()}` : prop).toString();
+            fields.push(path);
+        }
+        for (const relation of entityParam.relations) {
+            const value = obj[relation];
+            const path = (prefix ? `${prefix}.${relation.toString()}` : relation).toString();
+            if (value === null || value === undefined) {
+                continue;
+            }
+            // Get relation metadata
+            const relationMeta = entityParam.relationProperty[relation];
+            if (!relationMeta || !('entityClass' in relationMeta)) {
+                continue;
+            }
+            // Handle arrays (one-to-many)
+            if (Array.isArray(value)) {
+                if (value.length > 0 &&
+                    typeof value[0] === 'object' &&
+                    value[0] !== null) {
+                    const relObject = value[0];
+                    fields.push(...this.extractField(relObject, relationMeta.entityClass, path));
+                }
+                continue;
+            }
+            // Handle single object (one-to-one, many-to-one)
+            if (typeof value === 'object') {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                fields.push(...this.extractField(value, relationMeta.entityClass, path));
+            }
+        }
+        return fields;
+    }
+    fields(obj, entityClass) {
+        return this.extractField(obj, entityClass);
+    }
+    /**
+     * Extracts only props (entity fields) from object, excluding relationships and primary key
+     * Skips primary key (same as fields() method)
+     *
+     * Use case: Create merged entity with only base fields for ACL checks
+     *
+     * @param obj - Source entity object (may contain loaded relationships)
+     * @param entityClass - Entity class
+     * @returns New object with only entity props (no relationships, no primary key)
+     *
+     * @example
+     * const entity = { id: 1, login: 'user', role: 'admin', profile: { phone: '123' } };
+     * const propsOnly = extractor.props(entity, User);
+     * // Returns: { login: 'user', role: 'admin' }
+     * // Note: id (primary key) and profile (relationship) excluded
+     */
+    props(obj, entityClass) {
+        const entityParam = this.entityParamMap.get(entityClass);
+        if (!entityParam) {
+            throw new Error(`Entity ${entityClass.name} not found in EntityParamMap`);
+        }
+        const propsOnly = {};
+        // Copy all props (excluding primary key)
+        for (const prop of entityParam.props) {
+            // Skip if prop not in object OR prop is primary key
+            if (!(prop in obj) || entityParam.primaryColumnName === prop) {
+                continue;
+            }
+            propsOnly[prop] = obj[prop];
+        }
+        return propsOnly;
+    }
+    static instance;
+    static getInstance(entityParamMap) {
+        if (!ExtractFieldPaths.instance) {
+            ExtractFieldPaths.instance = new ExtractFieldPaths(entityParamMap);
+        }
+        return ExtractFieldPaths.instance;
+    }
+}
+exports.ExtractFieldPaths = ExtractFieldPaths;
+function getCurrentEntityAndParamMap(moduleRef) {
+    const currentEntity = moduleRef.get(json_api_nestjs_1.CURRENT_ENTITY);
+    const entityParamMapService = moduleRef.get(json_api_nestjs_1.ENTITY_PARAM_MAP, {
+        strict: false,
+    });
+    const entityParamMap = entityParamMapService.get(currentEntity);
+    if (!entityParamMap) {
+        throw (0, handle_acl_query_error_1.handleAclQueryError)(new Error(`EntityParamMap not found for ${currentEntity.name}`), currentEntity.name, 'extractFieldsForCheck');
+    }
+    return { currentEntity, entityParamMap, entityParamMapService };
+}
+/**
+ * Extracts field paths for ACL checking
+ *
+ * This function:
+ * 1. Gets entity metadata from moduleRef
+ * 2. Clones the sample item
+ * 3. Removes ACL-added fields that weren't requested by user
+ * 4. Extracts field paths for checking
+ *
+ * @param moduleRef - NestJS module reference
+ * @param sampleItem - Sample entity item (first item for getAll, result for getOne)
+ * @param userQuery - Original user query
+ * @param aclQueryData - ACL query data (fields and include that were added by ACL)
+ * @returns Array of field paths to check
+ */
+function extractFieldsForCheck(moduleRef, sampleItem, userQuery, aclQueryData) {
+    const { currentEntity, entityParamMapService } = getCurrentEntityAndParamMap(moduleRef);
+    const copyItemForGetFieldCheck = structuredClone(sampleItem);
+    if (aclQueryData) {
+        (0, remove_acl_added_fields_1.removeAclAddedFields)(copyItemForGetFieldCheck, userQuery['fields'], aclQueryData.fields, userQuery['include'], aclQueryData.include);
+    }
+    return ExtractFieldPaths.getInstance(entityParamMapService).fields(copyItemForGetFieldCheck, currentEntity);
+}
+//# sourceMappingURL=extract-field-paths.js.map

package/src/lib/utils/orm-proxy/extract-field-paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-field-paths.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/extract-field-paths.ts"],"names":[],"mappings":";;;AAmKA,kEAkBC;AAiBD,sDA+BC;AAhOD,8DAOkC;AAElC,uEAAiE;AACjE,qEAA+D;AAE/D;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,iBAAiB;IAElB;IADV,YACU,cAAsD;QAAtD,mBAAc,GAAd,cAAc,CAAwC;IAC7D,CAAC;IAEI,YAAY,CAClB,GAAM,EACN,UAA0B,EAC1B,MAAM,GAAG,EAAE;QAEX,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAEzC,CAAC;QACd,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,UAAU,UAAU,CAAC,IAAI,8BAA8B,CAAC,CAAC;QAC3E,CAAC;QAED,8BAA8B;QAC9B,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,KAAoB,EAAE,CAAC;YACpD,IAAI,CAAC,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,WAAW,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;gBAC7D,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,SAAyD,EAAE,CAAC;YAC7F,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC5B,MAAM,IAAI,GAAG,CACX,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CACvD,CAAC,QAAQ,EAAE,CAAC;YAEb,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC1C,SAAS;YACX,CAAC;YAED,wBAAwB;YACxB,MAAM,YAAY,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC5D,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,aAAa,IAAI,YAAY,CAAC,EAAE,CAAC;gBACtD,SAAS;YACX,CAAC;YAED,8BAA8B;YAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,IACE,KAAK,CAAC,MAAM,GAAG,CAAC;oBAChB,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;oBAC5B,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EACjB,CAAC;oBACD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC3B,MAAM,CAAC,IAAI,CACT,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,YAAY,CAAC,WAAW,EAAE,IAAI,CAAC,CAChE,CAAC;gBACJ,CAAC;gBACD,SAAS;YACX,CAAC;YAED,iDAAiD;YACjD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,8DAA8D;gBAC9D,MAAM,CAAC,IAAI,CACT,GAAG,IAAI,CAAC,YAAY,CAAC,KAAY,EAAE,YAAY,CAAC,WAAW,EAAE,IAAI,CAAC,CACnE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,CAAmB,GAAM,EAAE,WAA2B;QAC1D,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAmB,GAAM,EAAE,WAA2B;QACzD,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAE1C,CAAC;QAEd,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,UAAU,WAAW,CAAC,IAAI,8BAA8B,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,SAAS,GAAe,EAAE,CAAC;QAEjC,yCAAyC;QACzC,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,KAAoB,EAAE,CAAC;YACpD,oDAAoD;YACpD,IAAI,CAAC,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,WAAW,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;gBAC7D,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,MAAM,CAAC,QAAQ,CAAgC;IACvD,MAAM,CAAC,WAAW,CAChB,cAAsD;QAEtD,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,CAAC;YAChC,iBAAiB,CAAC,QAAQ,GAAG,IAAI,iBAAiB,CAAC,cAAc,CAAC,CAAC;QACrE,CAAC;QACD,OAAO,iBAAiB,CAAC,QAAQ,CAAC;IACpC,CAAC;CACF;AA5HD,8CA4HC;AAED,SAAgB,2BAA2B,CAAmB,SAAoB;IAChF,MAAM,aAAa,GAAG,SAAS,CAAC,GAAG,CAAiB,gCAAc,CAAC,CAAC;IACpE,MAAM,qBAAqB,GAAG,SAAS,CAAC,GAAG,CAEzC,kCAAgB,EAAE;QAClB,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,qBAAqB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAEhE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAA,4CAAmB,EACvB,IAAI,KAAK,CAAC,gCAAgC,aAAa,CAAC,IAAI,EAAE,CAAC,EAC/D,aAAa,CAAC,IAAI,EAClB,uBAAuB,CACxB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,qBAAqB,EAAW,CAAC;AAC3E,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,qBAAqB,CAKnC,SAAoB,EACpB,UAAa,EACb,SAAY,EACZ,YAIC;IAED,MAAM,EAAE,aAAa,EAAE,qBAAqB,EAAE,GAAG,2BAA2B,CAAC,SAAS,CAAC,CAAC;IACxF,MAAM,wBAAwB,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAE7D,IAAI,YAAY,EAAE,CAAC;QACjB,IAAA,8CAAoB,EAClB,wBAAwB,EACxB,SAAS,CAAC,QAAQ,CAAC,EACnB,YAAY,CAAC,MAAM,EACnB,SAAS,CAAC,SAAS,CAAC,EACpB,YAAY,CAAC,OAAO,CACrB,CAAC;IACJ,CAAC;IAED,OAAO,iBAAiB,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAC,MAAM,CAChE,wBAAwB,EACxB,aAAa,CACd,CAAC;AACJ,CAAC"}

package/src/lib/utils/orm-proxy/handle-acl-query-error.d.ts

@@ -0,0 +1,19 @@
+import { HttpException } from '@nestjs/common/exceptions/http.exception';
+/**
+ * Handles errors that occur during ACL query execution
+ *
+ * In development mode:
+ * - Logs detailed error information
+ * - Throws InternalServerErrorException with error details
+ *
+ * In production mode:
+ * - Logs error without details
+ * - Throws ForbiddenException without revealing ACL logic
+ *
+ * @param error - The error that occurred
+ * @param subject - The subject (entity name) being queried
+ * @param methodName - The proxy method name (for logging context)
+ * @return {InternalServerErrorException} In development mode
+ * @return {ForbiddenException} In production mode
+ */
+export declare function handleAclQueryError(error: unknown, subject: string, methodName: string): HttpException;

package/src/lib/utils/orm-proxy/handle-acl-query-error.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleAclQueryError = handleAclQueryError;
+const common_1 = require("@nestjs/common");
+const http_exception_1 = require("@nestjs/common/exceptions/http.exception");
+/**
+ * Handles errors that occur during ACL query execution
+ *
+ * In development mode:
+ * - Logs detailed error information
+ * - Throws InternalServerErrorException with error details
+ *
+ * In production mode:
+ * - Logs error without details
+ * - Throws ForbiddenException without revealing ACL logic
+ *
+ * @param error - The error that occurred
+ * @param subject - The subject (entity name) being queried
+ * @param methodName - The proxy method name (for logging context)
+ * @return {InternalServerErrorException} In development mode
+ * @return {ForbiddenException} In production mode
+ */
+function handleAclQueryError(error, subject, methodName) {
+    const isDevelopment = process.env['NODE_ENV'] === 'development';
+    // Log error for debugging
+    common_1.Logger.error(`ACL query execution failed for subject "${subject}": ${error instanceof Error ? error.message : String(error)}`, error instanceof Error ? error.stack : undefined, methodName);
+    if (error instanceof http_exception_1.HttpException) {
+        throw error;
+    }
+    if (isDevelopment) {
+        // Development: 500 with error details for debugging
+        return new common_1.InternalServerErrorException([
+            {
+                code: 'internal_server_error',
+                message: `ACL query failed: ${error instanceof Error ? error.message : 'unknown error'}`,
+                path: [],
+            },
+        ], {
+            description: `Failed to execute ACL query for subject "${subject}"`,
+        });
+    }
+    // Production: 403 without details to avoid leaking ACL logic
+    return new common_1.ForbiddenException([
+        {
+            code: 'forbidden',
+            message: 'not allow access',
+            path: [],
+        },
+    ], {
+        description: `Access denied for subject "${subject}"`,
+    });
+}
+//# sourceMappingURL=handle-acl-query-error.js.map

package/src/lib/utils/orm-proxy/handle-acl-query-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle-acl-query-error.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/handle-acl-query-error.ts"],"names":[],"mappings":";;AAwBA,kDAmDC;AA3ED,2CAIwB;AACxB,6EAAyE;AAEzE;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,mBAAmB,CACjC,KAAc,EACd,OAAe,EACf,UAAkB;IAElB,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,aAAa,CAAC;IAEhE,0BAA0B;IAC1B,eAAM,CAAC,KAAK,CACV,2CAA2C,OAAO,MAChD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAChD,UAAU,CACX,CAAC;IAEF,IAAI,KAAK,YAAY,8BAAa,EAAE,CAAC;QACnC,MAAM,KAAK,CAAA;IACb,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,oDAAoD;QACpD,OAAO,IAAI,qCAA4B,CACrC;YACE;gBACE,IAAI,EAAE,uBAAuB;gBAC7B,OAAO,EAAE,qBACP,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAC3C,EAAE;gBACF,IAAI,EAAE,EAAE;aACT;SACF,EACD;YACE,WAAW,EAAE,4CAA4C,OAAO,GAAG;SACpE,CACF,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,OAAO,IAAI,2BAAkB,CAC3B;QACE;YACE,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,kBAAkB;YAC3B,IAAI,EAAE,EAAE;SACT;KACF,EACD;QACE,WAAW,EAAE,8BAA8B,OAAO,GAAG;KACtD,CACF,CAAC;AACJ,CAAC"}

package/src/lib/utils/orm-proxy/index.d.ts

@@ -0,0 +1,9 @@
+export { unsetDeep } from './unset-deep';
+export { mergeQueryWithAclData } from './merge-query-with-acl-data';
+export { removeAclAddedFields } from './remove-acl-added-fields';
+export { ExtractFieldPaths, extractFieldsForCheck, getCurrentEntityAndParamMap } from './extract-field-paths';
+export { handleAclQueryError } from './handle-acl-query-error';
+export { prepareAclQuery } from './prepare-acl-query';
+export { processItemFieldRestrictions } from './process-item-field-restrictions';
+export { validateRulesForORM } from './validate-rules-for-orm';
+export { validateNoCurrentInRules } from './validate-no-current-in-rules';

package/src/lib/utils/orm-proxy/index.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateNoCurrentInRules = exports.validateRulesForORM = exports.processItemFieldRestrictions = exports.prepareAclQuery = exports.handleAclQueryError = exports.getCurrentEntityAndParamMap = exports.extractFieldsForCheck = exports.ExtractFieldPaths = exports.removeAclAddedFields = exports.mergeQueryWithAclData = exports.unsetDeep = void 0;
+var unset_deep_1 = require("./unset-deep");
+Object.defineProperty(exports, "unsetDeep", { enumerable: true, get: function () { return unset_deep_1.unsetDeep; } });
+var merge_query_with_acl_data_1 = require("./merge-query-with-acl-data");
+Object.defineProperty(exports, "mergeQueryWithAclData", { enumerable: true, get: function () { return merge_query_with_acl_data_1.mergeQueryWithAclData; } });
+var remove_acl_added_fields_1 = require("./remove-acl-added-fields");
+Object.defineProperty(exports, "removeAclAddedFields", { enumerable: true, get: function () { return remove_acl_added_fields_1.removeAclAddedFields; } });
+var extract_field_paths_1 = require("./extract-field-paths");
+Object.defineProperty(exports, "ExtractFieldPaths", { enumerable: true, get: function () { return extract_field_paths_1.ExtractFieldPaths; } });
+Object.defineProperty(exports, "extractFieldsForCheck", { enumerable: true, get: function () { return extract_field_paths_1.extractFieldsForCheck; } });
+Object.defineProperty(exports, "getCurrentEntityAndParamMap", { enumerable: true, get: function () { return extract_field_paths_1.getCurrentEntityAndParamMap; } });
+var handle_acl_query_error_1 = require("./handle-acl-query-error");
+Object.defineProperty(exports, "handleAclQueryError", { enumerable: true, get: function () { return handle_acl_query_error_1.handleAclQueryError; } });
+var prepare_acl_query_1 = require("./prepare-acl-query");
+Object.defineProperty(exports, "prepareAclQuery", { enumerable: true, get: function () { return prepare_acl_query_1.prepareAclQuery; } });
+var process_item_field_restrictions_1 = require("./process-item-field-restrictions");
+Object.defineProperty(exports, "processItemFieldRestrictions", { enumerable: true, get: function () { return process_item_field_restrictions_1.processItemFieldRestrictions; } });
+var validate_rules_for_orm_1 = require("./validate-rules-for-orm");
+Object.defineProperty(exports, "validateRulesForORM", { enumerable: true, get: function () { return validate_rules_for_orm_1.validateRulesForORM; } });
+var validate_no_current_in_rules_1 = require("./validate-no-current-in-rules");
+Object.defineProperty(exports, "validateNoCurrentInRules", { enumerable: true, get: function () { return validate_no_current_in_rules_1.validateNoCurrentInRules; } });
+//# sourceMappingURL=index.js.map

package/src/lib/utils/orm-proxy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/index.ts"],"names":[],"mappings":";;;AAAA,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,yEAAoE;AAA3D,kIAAA,qBAAqB,OAAA;AAC9B,qEAAiE;AAAxD,+HAAA,oBAAoB,OAAA;AAC7B,6DAA8G;AAArG,wHAAA,iBAAiB,OAAA;AAAE,4HAAA,qBAAqB,OAAA;AAAE,kIAAA,2BAA2B,OAAA;AAC9E,mEAA+D;AAAtD,6HAAA,mBAAmB,OAAA;AAC5B,yDAAsD;AAA7C,oHAAA,eAAe,OAAA;AACxB,qFAAiF;AAAxE,+IAAA,4BAA4B,OAAA;AACrC,mEAA+D;AAAtD,6HAAA,mBAAmB,OAAA;AAC5B,+EAA0E;AAAjE,wIAAA,wBAAwB,OAAA"}

package/src/lib/utils/orm-proxy/merge-query-with-acl-data.d.ts

@@ -0,0 +1,27 @@
+import { Query, QueryOne } from '@klerick/json-api-nestjs';
+import { QueryField } from '@klerick/json-api-nestjs-shared';
+/**
+ * Merges user query with ACL fields and includes
+ *
+ * IMPORTANT: fields: null or missing relation key means "select ALL fields"
+ * We should NOT add ACL fields in such cases to avoid turning "all fields" into "specific fields"
+ *
+ * @param query - Original user query
+ * @param aclFields - ACL fields to add (fields structure with target and relations)
+ * @param aclInclude - ACL includes to add
+ * @returns Merged query
+ *
+ * @example
+ * // Case 1: fields: null → select all, don't add ACL fields
+ * mergeQueryWithAclData({ fields: null }, { target: ['role'] })
+ * // → { fields: null } (unchanged)
+ *
+ * // Case 2: fields: { target: ['id'] } → add ACL fields to target
+ * mergeQueryWithAclData({ fields: { target: ['id'] } }, { target: ['role'] })
+ * // → { fields: { target: ['id', 'role'] } }
+ *
+ * // Case 3: fields: { target: ['id'] } + ACL needs profile → don't add profile fields
+ * mergeQueryWithAclData({ fields: { target: ['id'] } }, { profile: ['isPublic'] })
+ * // → { fields: { target: ['id'] } } (profile missing = all fields)
+ */
+export declare function mergeQueryWithAclData<E extends object, IdKey extends string, Q extends QueryOne<E, IdKey> | Query<E, IdKey>>(query: Q, aclFields?: Q[QueryField.fields], aclInclude?: Q[QueryField.include]): Q;

package/src/lib/utils/orm-proxy/merge-query-with-acl-data.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mergeQueryWithAclData = mergeQueryWithAclData;
+/**
+ * Merges user query with ACL fields and includes
+ *
+ * IMPORTANT: fields: null or missing relation key means "select ALL fields"
+ * We should NOT add ACL fields in such cases to avoid turning "all fields" into "specific fields"
+ *
+ * @param query - Original user query
+ * @param aclFields - ACL fields to add (fields structure with target and relations)
+ * @param aclInclude - ACL includes to add
+ * @returns Merged query
+ *
+ * @example
+ * // Case 1: fields: null → select all, don't add ACL fields
+ * mergeQueryWithAclData({ fields: null }, { target: ['role'] })
+ * // → { fields: null } (unchanged)
+ *
+ * // Case 2: fields: { target: ['id'] } → add ACL fields to target
+ * mergeQueryWithAclData({ fields: { target: ['id'] } }, { target: ['role'] })
+ * // → { fields: { target: ['id', 'role'] } }
+ *
+ * // Case 3: fields: { target: ['id'] } + ACL needs profile → don't add profile fields
+ * mergeQueryWithAclData({ fields: { target: ['id'] } }, { profile: ['isPublic'] })
+ * // → { fields: { target: ['id'] } } (profile missing = all fields)
+ */
+function mergeQueryWithAclData(query, aclFields, aclInclude) {
+    // Start with merged query
+    const mergedQuery = { ...query };
+    // 1. Always merge includes (add ACL includes to user includes)
+    if (aclInclude &&
+        'length' in aclInclude &&
+        parseInt(`${aclInclude.length}`) > 0) {
+        const userInclude = Array.isArray(query.include) ? query.include : [];
+        const aclIncludeArray = Array.isArray(aclInclude) ? aclInclude : [];
+        mergedQuery.include = Array.from(new Set([...userInclude, ...aclIncludeArray]));
+    }
+    // 2. Merge fields (complex logic for null/undefined handling)
+    if (!aclFields) {
+        return mergedQuery; // No ACL fields to merge
+    }
+    // CASE 1: fields === null → "select ALL fields everywhere"
+    if (query.fields === null) {
+        return mergedQuery; // Don't modify, null already includes all ACL fields
+    }
+    // CASE 2: fields === undefined → "select ALL fields everywhere"
+    if (query.fields === undefined) {
+        return mergedQuery; // Don't modify
+    }
+    // CASE 3: fields === {} (empty object) → "select ALL fields everywhere"
+    if (Object.keys(query.fields).length === 0) {
+        return mergedQuery; // Don't modify
+    }
+    // CASE 4: fields is object with keys → merge selectively
+    mergedQuery.fields = { ...query.fields };
+    for (const [relation, aclFieldsList] of Object.entries(aclFields)) {
+        if (!Array.isArray(aclFieldsList)) {
+            continue; // Skip invalid ACL fields
+        }
+        const userFieldsList = query.fields[relation];
+        // Sub-case 1: relation key missing in user fields → "all fields for this relation"
+        if (userFieldsList === undefined) {
+            continue; // Don't add ACL fields, user wants all fields for this relation
+        }
+        // Sub-case 2: relation: null → "all fields for this relation"
+        if (userFieldsList === null) {
+            continue; // Don't add ACL fields
+        }
+        // Sub-case 3: relation is array → merge with ACL fields
+        if (Array.isArray(userFieldsList)) {
+            const merged = [...new Set([...userFieldsList, ...aclFieldsList])];
+            mergedQuery.fields[relation] = merged;
+        }
+    }
+    return mergedQuery;
+}
+//# sourceMappingURL=merge-query-with-acl-data.js.map

package/src/lib/utils/orm-proxy/merge-query-with-acl-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"merge-query-with-acl-data.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/merge-query-with-acl-data.ts"],"names":[],"mappings":";;AA0BA,sDAyEC;AAjGD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,SAAgB,qBAAqB,CAKnC,KAAQ,EACR,SAAgC,EAChC,UAAkC;IAElC,0BAA0B;IAC1B,MAAM,WAAW,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAEjC,+DAA+D;IAC/D,IACE,UAAU;QACV,QAAQ,IAAI,UAAU;QACtB,QAAQ,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EACpC,CAAC;QACD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,WAAW,CAAC,OAAO,GAAG,KAAK,CAAC,IAAI,CAC9B,IAAI,GAAG,CAAC,CAAC,GAAG,WAAW,EAAE,GAAG,eAAe,CAAC,CAAC,CACvC,CAAC;IACX,CAAC;IAED,8DAA8D;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,WAAW,CAAC,CAAC,yBAAyB;IAC/C,CAAC;IAED,2DAA2D;IAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QAC1B,OAAO,WAAW,CAAC,CAAC,qDAAqD;IAC3E,CAAC;IAED,gEAAgE;IAChE,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,WAAW,CAAC,CAAC,eAAe;IACrC,CAAC;IAED,wEAAwE;IACxE,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,OAAO,WAAW,CAAC,CAAC,eAAe;IACrC,CAAC;IAED,yDAAyD;IACzD,WAAW,CAAC,MAAM,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;IAEzC,KAAK,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAClC,SAAS,CAAC,0BAA0B;QACtC,CAAC;QAED,MAAM,cAAc,GAAI,KAAK,CAAC,MAAc,CAAC,QAAQ,CAAC,CAAC;QAEvD,mFAAmF;QACnF,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,SAAS,CAAC,gEAAgE;QAC5E,CAAC;QAED,8DAA8D;QAC9D,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;YAC5B,SAAS,CAAC,uBAAuB;QACnC,CAAC;QAED,wDAAwD;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAClC,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,cAAc,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAClE,WAAW,CAAC,MAAc,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/src/lib/utils/orm-proxy/prepare-acl-query.d.ts

@@ -0,0 +1,11 @@
+import { ExtendAbility } from '../../factories';
+import { Query, QueryOne } from '@klerick/json-api-nestjs';
+export declare function prepareAclQuery<E extends object, IdKey extends string, Q extends QueryOne<E, IdKey> | Query<E, IdKey>>(extendAbility: ExtendAbility, query: Q, needValidateRules?: boolean): {
+    transformToJsonApi: boolean;
+    aclQueryData: {
+        fields?: Q[import("dist/libs/json-api/json-api-nestjs-shared/cjs/src").QueryField.fields] | undefined;
+        include?: Q[import("dist/libs/json-api/json-api-nestjs-shared/cjs/src").QueryField.include] | undefined;
+        rulesForQuery?: Record<string, unknown>;
+    } | undefined;
+    mergedQuery: Q;
+} | null;

package/src/lib/utils/orm-proxy/prepare-acl-query.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prepareAclQuery = prepareAclQuery;
+const merge_query_with_acl_data_1 = require("./merge-query-with-acl-data");
+const validate_rules_for_orm_1 = require("./validate-rules-for-orm");
+function prepareAclQuery(extendAbility, query, needValidateRules = true) {
+    // Fast path: no rules or no restrictions
+    if (!extendAbility ||
+        extendAbility.rules.length === 0 ||
+        (!extendAbility.hasConditions && !extendAbility.hasFields)) {
+        return null;
+    }
+    // Determine strategy
+    const hasConditions = extendAbility.hasConditions;
+    const hasFields = extendAbility.hasFields;
+    const transformToJsonApi = hasConditions && !hasFields;
+    // Validate rules for ORM compatibility if there are conditions
+    if (needValidateRules && hasConditions) {
+        (0, validate_rules_for_orm_1.validateRulesForORM)(extendAbility);
+    }
+    // Fetch with ACL query
+    const aclQueryData = hasConditions
+        ? extendAbility.getQueryObject()
+        : undefined;
+    // Merge ACL query with user query
+    const mergedQuery = aclQueryData
+        ? (0, merge_query_with_acl_data_1.mergeQueryWithAclData)(query, aclQueryData.fields, aclQueryData.include)
+        : query;
+    return {
+        transformToJsonApi,
+        aclQueryData,
+        mergedQuery,
+    };
+}
+//# sourceMappingURL=prepare-acl-query.js.map

package/src/lib/utils/orm-proxy/prepare-acl-query.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prepare-acl-query.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/prepare-acl-query.ts"],"names":[],"mappings":";;AAKA,0CA2CC;AA/CD,2EAAoE;AACpE,qEAA+D;AAG/D,SAAgB,eAAe,CAC7B,aAA4B,EAC5B,KAAQ,EACR,iBAAiB,GAAG,IAAI;IAExB,yCAAyC;IACzC,IACE,CAAC,aAAa;QACd,aAAa,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;QAChC,CAAC,CAAC,aAAa,CAAC,aAAa,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAC1D,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qBAAqB;IACrB,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;IAClD,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC;IAC1C,MAAM,kBAAkB,GAAG,aAAa,IAAI,CAAC,SAAS,CAAC;IAEvD,+DAA+D;IAC/D,IAAI,iBAAiB,IAAI,aAAa,EAAE,CAAC;QACvC,IAAA,4CAAmB,EAAC,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,uBAAuB;IACvB,MAAM,YAAY,GAAG,aAAa;QAChC,CAAC,CAAC,aAAa,CAAC,cAAc,EAAe;QAC7C,CAAC,CAAC,SAAS,CAAC;IAEd,kCAAkC;IAClC,MAAM,WAAW,GAAG,YAAY;QAC9B,CAAC,CAAC,IAAA,iDAAqB,EACnB,KAAK,EACL,YAAY,CAAC,MAAM,EACnB,YAAY,CAAC,OAAO,CACrB;QACH,CAAC,CAAC,KAAK,CAAC;IAEV,OAAO;QACL,kBAAkB;QAClB,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/src/lib/utils/orm-proxy/process-item-field-restrictions.d.ts

@@ -0,0 +1,24 @@
+import { ExtendAbility } from '../../factories';
+import { QueryField } from '@klerick/json-api-nestjs-shared';
+import { Query, QueryOne } from '@klerick/json-api-nestjs';
+/**
+ * Processes field restrictions for a single item
+ *
+ * This function:
+ * 1. Updates ability with item data for @input templates
+ * 2. Checks each field against ACL rules
+ * 3. Removes restricted fields from the item
+ * 4. Removes ACL-added fields that weren't requested by user
+ *
+ * @param item - Entity item to process (mutated in place)
+ * @param fieldsForCheck - Array of field paths to check
+ * @param extendAbility - ExtendAbility instance for permission checking
+ * @param query - Original user query
+ * @param aclQueryData - ACL query data (fields and include added by ACL)
+ * @returns Array of restricted field names
+ */
+export declare function processItemFieldRestrictions<E extends object, IdKey extends string, Q extends QueryOne<E, IdKey> | Query<E, IdKey>>(item: E, fieldsForCheck: string[], extendAbility: ExtendAbility, query: Q, aclQueryData?: {
+    fields?: Q[QueryField.fields];
+    include?: Q[QueryField.include];
+    rulesForQuery?: Record<string, unknown>;
+}): string[];

package/src/lib/utils/orm-proxy/process-item-field-restrictions.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processItemFieldRestrictions = processItemFieldRestrictions;
+const ability_1 = require("@casl/ability");
+const unset_deep_1 = require("./unset-deep");
+const remove_acl_added_fields_1 = require("./remove-acl-added-fields");
+/**
+ * Processes field restrictions for a single item
+ *
+ * This function:
+ * 1. Updates ability with item data for @input templates
+ * 2. Checks each field against ACL rules
+ * 3. Removes restricted fields from the item
+ * 4. Removes ACL-added fields that weren't requested by user
+ *
+ * @param item - Entity item to process (mutated in place)
+ * @param fieldsForCheck - Array of field paths to check
+ * @param extendAbility - ExtendAbility instance for permission checking
+ * @param query - Original user query
+ * @param aclQueryData - ACL query data (fields and include added by ACL)
+ * @returns Array of restricted field names
+ */
+function processItemFieldRestrictions(item, fieldsForCheck, extendAbility, query, aclQueryData) {
+    // Update ability with item data for @input templates
+    extendAbility.updateWithInput(item);
+    const currentAction = extendAbility.action;
+    const restrictedFieldsForItem = [];
+    // Check each field
+    for (const field of fieldsForCheck) {
+        if (!extendAbility.can(currentAction, (0, ability_1.subject)(extendAbility.subject, item), field)) {
+            // Remove field from item
+            (0, unset_deep_1.unsetDeep)(item, field);
+            restrictedFieldsForItem.push(field);
+        }
+    }
+    // Remove ACL-added fields and relations that were not requested by user
+    if (aclQueryData) {
+        (0, remove_acl_added_fields_1.removeAclAddedFields)(item, query['fields'], aclQueryData.fields, query['include'], aclQueryData.include);
+    }
+    return restrictedFieldsForItem;
+}
+//# sourceMappingURL=process-item-field-restrictions.js.map

package/src/lib/utils/orm-proxy/process-item-field-restrictions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-item-field-restrictions.js","sourceRoot":"","sources":["../../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/orm-proxy/process-item-field-restrictions.ts"],"names":[],"mappings":";;AAuBA,oEAgDC;AAvED,2CAA0D;AAE1D,6CAAyC;AACzC,uEAAiE;AAIjE;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,4BAA4B,CAK1C,IAAO,EACP,cAAwB,EACxB,aAA4B,EAC5B,KAAQ,EACR,YAIC;IAED,qDAAqD;IACrD,aAAa,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IAEpC,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,MAAM,uBAAuB,GAAa,EAAE,CAAC;IAE7C,mBAAmB;IACnB,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,IACE,CAAC,aAAa,CAAC,GAAG,CAChB,aAAa,EACb,IAAA,iBAAc,EAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,EAC3C,KAAK,CACN,EACD,CAAC;YACD,yBAAyB;YACzB,IAAA,sBAAS,EAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YACvB,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,IAAI,YAAY,EAAE,CAAC;QACjB,IAAA,8CAAoB,EAClB,IAAI,EACJ,KAAK,CAAC,QAAQ,CAAC,EACf,YAAY,CAAC,MAAM,EACnB,KAAK,CAAC,SAAS,CAAC,EAChB,YAAY,CAAC,OAAO,CACrB,CAAC;IACJ,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC"}

package/src/lib/utils/orm-proxy/remove-acl-added-fields.d.ts

@@ -0,0 +1,31 @@
+import { Query, QueryOne } from '@klerick/json-api-nestjs';
+import { QueryField } from '@klerick/json-api-nestjs-shared';
+/**
+ * Removes ACL-added fields and relations from item that were not requested by user
+ *
+ * IMPORTANT: Must match the logic of mergeQueryWithAclData!
+ * Only removes fields/relations that were ACTUALLY ADDED by mergeQueryWithAclData.
+ *
+ * mergeQueryWithAclData adds ACL fields ONLY when userFields[relation] is an array.
+ * It does NOT add when: null, undefined, {}, missing key, or relation: null.
+ *
+ * @param item - Entity item to clean
+ * @param userFields - Fields requested by user (query.fields)
+ * @param aclFields - Fields added by ACL (aclQueryData.fields)
+ * @param userInclude - Relations requested by user (query.include)
+ * @param aclInclude - Relations added by ACL (aclQueryData.include)
+ *
+ * @example
+ * // Case 1: userFields: null → ACL didn't add fields, don't remove
+ * removeAclAddedFields(item, null, { target: ['role'] })
+ * // → nothing removed (null = all fields requested)
+ *
+ * // Case 2: userFields: { target: ['id'] } → ACL added 'role', remove it
+ * removeAclAddedFields(item, { target: ['id'] }, { target: ['role'] })
+ * // → removes 'role' from item
+ *
+ * // Case 3: ACL added include → remove entire relation
+ * removeAclAddedFields(item, null, null, [], ['profile'])
+ * // → removes profile relation (not requested by user)
+ */
+export declare function removeAclAddedFields<E extends object, IdKey extends string, Q extends QueryOne<E, IdKey> | Query<E, IdKey>>(item: E, userFields?: Q[QueryField.fields], aclFields?: Q[QueryField.fields], userInclude?: Q[QueryField.include], aclInclude?: Q[QueryField.include]): void;