@lenne.tech/nest-server 11.4.7 → 11.4.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/common/decorators/restricted.decorator.d.ts +2 -0
- package/dist/core/common/decorators/restricted.decorator.js +17 -16
- package/dist/core/common/decorators/restricted.decorator.js.map +1 -1
- package/dist/core/common/enums/role.enum.d.ts +1 -0
- package/dist/core/common/enums/role.enum.js +1 -0
- package/dist/core/common/enums/role.enum.js.map +1 -1
- package/dist/core/common/helpers/input.helper.d.ts +2 -0
- package/dist/core/common/helpers/input.helper.js +2 -1
- package/dist/core/common/helpers/input.helper.js.map +1 -1
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +1 -1
- package/src/core/common/decorators/restricted.decorator.ts +18 -17
- package/src/core/common/enums/role.enum.ts +5 -1
- package/src/core/common/helpers/input.helper.ts +4 -2
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@lenne.tech/nest-server",
|
|
3
|
-
"version": "11.4.
|
|
3
|
+
"version": "11.4.8",
|
|
4
4
|
"description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"node",
|
|
@@ -61,7 +61,7 @@ export const getRestricted = (object: unknown, propertyKey?: string): Restricted
|
|
|
61
61
|
*/
|
|
62
62
|
export const checkRestricted = (
|
|
63
63
|
data: any,
|
|
64
|
-
user: { hasRole: (roles: string[]) => boolean; id: any },
|
|
64
|
+
user: { hasRole: (roles: string[]) => boolean; id: any; verified?: any; verifiedAt?: any },
|
|
65
65
|
options: {
|
|
66
66
|
allowCreatorOfParent?: boolean;
|
|
67
67
|
checkObjectItself?: boolean;
|
|
@@ -108,9 +108,9 @@ export const checkRestricted = (
|
|
|
108
108
|
// Array
|
|
109
109
|
if (Array.isArray(data)) {
|
|
110
110
|
// Check array items
|
|
111
|
-
let result = data.map(item => checkRestricted(item, user, config, processedObjects));
|
|
111
|
+
let result = data.map((item) => checkRestricted(item, user, config, processedObjects));
|
|
112
112
|
if (!config.throwError && config.removeUndefinedFromResultArray) {
|
|
113
|
-
result = result.filter(item => item !== undefined);
|
|
113
|
+
result = result.filter((item) => item !== undefined);
|
|
114
114
|
}
|
|
115
115
|
return result;
|
|
116
116
|
}
|
|
@@ -134,8 +134,8 @@ export const checkRestricted = (
|
|
|
134
134
|
if (typeof item === 'string') {
|
|
135
135
|
roles.push(item);
|
|
136
136
|
} else if (
|
|
137
|
-
item?.roles?.length
|
|
138
|
-
|
|
137
|
+
item?.roles?.length &&
|
|
138
|
+
(config.processType && item.processType ? config.processType === item.processType : true)
|
|
139
139
|
) {
|
|
140
140
|
if (Array.isArray(item.roles)) {
|
|
141
141
|
roles.push(...item.roles);
|
|
@@ -156,13 +156,14 @@ export const checkRestricted = (
|
|
|
156
156
|
|
|
157
157
|
// Check access rights
|
|
158
158
|
if (
|
|
159
|
-
roles.includes(RoleEnum.S_EVERYONE)
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
159
|
+
roles.includes(RoleEnum.S_EVERYONE) ||
|
|
160
|
+
user?.hasRole?.(roles) ||
|
|
161
|
+
(user?.id && roles.includes(RoleEnum.S_USER)) ||
|
|
162
|
+
(roles.includes(RoleEnum.S_SELF) && equalIds(data, user)) ||
|
|
163
|
+
(roles.includes(RoleEnum.S_CREATOR) &&
|
|
164
|
+
(('createdBy' in data && equalIds(data.createdBy, user)) ||
|
|
165
|
+
(config.allowCreatorOfParent && !('createdBy' in data) && config.isCreatorOfParent))) ||
|
|
166
|
+
(roles.includes(RoleEnum.S_VERIFIED) && (user?.verified || user?.verifiedAt))
|
|
166
167
|
) {
|
|
167
168
|
valid = true;
|
|
168
169
|
}
|
|
@@ -172,11 +173,11 @@ export const checkRestricted = (
|
|
|
172
173
|
// Get groups
|
|
173
174
|
const groups = restricted.filter((item) => {
|
|
174
175
|
return (
|
|
175
|
-
typeof item === 'object'
|
|
176
|
+
typeof item === 'object' &&
|
|
176
177
|
// Check if object is valid
|
|
177
|
-
|
|
178
|
+
item.memberOf?.length &&
|
|
178
179
|
// Check if processType is specified and is valid for current process
|
|
179
|
-
|
|
180
|
+
(config.processType && item.processType ? config.processType === item.processType : true)
|
|
180
181
|
);
|
|
181
182
|
}) as { memberOf: string | string[] }[];
|
|
182
183
|
|
|
@@ -252,8 +253,8 @@ export const checkRestricted = (
|
|
|
252
253
|
// Check rights
|
|
253
254
|
if (valid) {
|
|
254
255
|
// Check if data is user or user is creator of data (for nested plain objects)
|
|
255
|
-
config.isCreatorOfParent
|
|
256
|
-
|
|
256
|
+
config.isCreatorOfParent =
|
|
257
|
+
equalIds(data, user) || ('createdBy' in data ? equalIds(data.createdBy, user) : config.isCreatorOfParent);
|
|
257
258
|
|
|
258
259
|
// Check deep
|
|
259
260
|
data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
/* eslint-disable perfectionist/sort-enums */
|
|
1
2
|
/**
|
|
2
3
|
* Enums for Resolver @Role and Model @Restricted decorator and for roles property in ServiceOptions
|
|
3
4
|
*
|
|
@@ -42,9 +43,12 @@ export enum RoleEnum {
|
|
|
42
43
|
// Everyone, including users who are not logged in, can access (see context user, e.g. @CurrentUser)
|
|
43
44
|
S_EVERYONE = 's_everyone',
|
|
44
45
|
|
|
45
|
-
// No one has access, not even administrators
|
|
46
|
+
// No one has access, not even administrators (regardless of which roles are still set, access will always be denied)
|
|
46
47
|
S_NO_ONE = 's_no_one',
|
|
47
48
|
|
|
49
|
+
// User must be verified (see verified or verifiedAt property of user)
|
|
50
|
+
S_VERIFIED = 's_verified',
|
|
51
|
+
|
|
48
52
|
// ===================================================================================================================
|
|
49
53
|
// Special system roles that check rights for DB objects and can be used via @Restricted for Models
|
|
50
54
|
// (classes and properties) and via ServiceOptions for Resolver methods. These roles should not be integrated in
|
|
@@ -209,7 +209,7 @@ export function assignPlain(target: Record<any, any>, ...args: Record<any, any>[
|
|
|
209
209
|
*/
|
|
210
210
|
export async function check(
|
|
211
211
|
value: any,
|
|
212
|
-
user: { hasRole: (roles: string[]) => boolean; id: any },
|
|
212
|
+
user: { hasRole: (roles: string[]) => boolean; id: any; verified?: any; verifiedAt?: any },
|
|
213
213
|
options?: {
|
|
214
214
|
allowCreatorOfParent?: boolean;
|
|
215
215
|
dbObject?: any;
|
|
@@ -262,7 +262,9 @@ export async function check(
|
|
|
262
262
|
(config.allowCreatorOfParent &&
|
|
263
263
|
config.dbObject &&
|
|
264
264
|
!('createdBy' in config.dbObject) &&
|
|
265
|
-
config.isCreatorOfParent)))
|
|
265
|
+
config.isCreatorOfParent))) ||
|
|
266
|
+
// check if the is verified
|
|
267
|
+
(roles.includes(RoleEnum.S_VERIFIED) && (user?.verified || user?.verifiedAt))
|
|
266
268
|
) {
|
|
267
269
|
valid = true;
|
|
268
270
|
}
|