@nocobase/acl 0.8.1-alpha.3 → 0.9.0-alpha.1

package/lib/acl-available-strategy.js

@@ -78,7 +78,7 @@ class ACLAvailableStrategy {
       const predicateName = this.actionsAsObject[actionName];
 
       if (predicateName) {
-        return predicate[predicateName];
+        return _lodash().default.cloneDeep(predicate[predicateName]);
       }
 
       return true;
@@ -88,10 +88,6 @@ class ACLAvailableStrategy {
   }
 
   allow(resourceName, actionName) {
-    if (this.acl.isConfigResource(resourceName) && this.allowConfigure) {
-      return true;
-    }
-
     return this.matchAction(this.acl.resolveActionAlias(actionName));
   }
 

package/lib/acl-role.d.ts

@@ -1,5 +1,5 @@
 import { ACL, DefineOptions } from './acl';
-import { AvailableStrategyOptions } from './acl-available-strategy';
+import { ACLAvailableStrategy, AvailableStrategyOptions } from './acl-available-strategy';
 import { ACLResource } from './acl-resource';
 export interface RoleActionParams {
     fields?: string[];
@@ -17,14 +17,21 @@ export declare class ACLRole {
     name: string;
     strategy: string | AvailableStrategyOptions;
     resources: Map<string, ACLResource>;
+    snippets: Set<string>;
     constructor(acl: ACL, name: string);
     getResource(name: string): ACLResource | undefined;
     setStrategy(value: string | AvailableStrategyOptions): void;
+    getStrategy(): ACLAvailableStrategy;
     getResourceActionsParams(resourceName: string): {};
     revokeResource(resourceName: string): void;
     grantAction(path: string, options?: RoleActionParams): void;
     getActionParams(path: string): RoleActionParams;
     revokeAction(path: string): void;
+    effectiveSnippets(): {
+        allowed: Array<string>;
+        rejected: Array<string>;
+    };
+    snippetAllowed(actionPath: string): boolean;
     toJSON(): DefineOptions;
     protected getResourceActionFromPath(path: string): {
         resourceName: string;

package/lib/acl-role.js

@@ -5,8 +5,32 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.ACLRole = void 0;
 
+var _aclAvailableStrategy = require("./acl-available-strategy");
+
 var _aclResource = require("./acl-resource");
 
+function _lodash() {
+  const data = _interopRequireDefault(require("lodash"));
+
+  _lodash = function _lodash() {
+    return data;
+  };
+
+  return data;
+}
+
+function _minimatch() {
+  const data = _interopRequireDefault(require("minimatch"));
+
+  _minimatch = function _minimatch() {
+    return data;
+  };
+
+  return data;
+}
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
 function _slicedToArray(arr, i) { return _arrayWithHoles(arr) || _iterableToArrayLimit(arr, i) || _unsupportedIterableToArray(arr, i) || _nonIterableRest(); }
 
 function _nonIterableRest() { throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
@@ -27,6 +51,7 @@ class ACLRole {
     this.name = void 0;
     this.strategy = void 0;
     this.resources = new Map();
+    this.snippets = new Set();
     this.acl = acl;
     this.name = name;
   }
@@ -39,6 +64,14 @@ class ACLRole {
     this.strategy = value;
   }
 
+  getStrategy() {
+    if (!this.strategy) {
+      return null;
+    }
+
+    return _lodash().default.isString(this.strategy) ? this.acl.availableStrategy.get(this.strategy) : new _aclAvailableStrategy.ACLAvailableStrategy(this.acl, this.strategy);
+  }
+
   getResourceActionsParams(resourceName) {
     const resource = this.getResource(resourceName);
     return resource.getActions();
@@ -86,15 +119,117 @@ class ACLRole {
     resource.removeAction(actionName);
   }
 
-  toJSON() {
-    const actions = {};
+  effectiveSnippets() {
+    const allowedSnippets = new Set();
+    const rejectedSnippets = new Set();
+    const availableSnippets = this.acl.snippetManager.snippets;
 
-    var _iterator = _createForOfIteratorHelper(this.resources.keys()),
+    var _iterator = _createForOfIteratorHelper(this.snippets),
         _step;
 
     try {
       for (_iterator.s(); !(_step = _iterator.n()).done;) {
-        const resourceName = _step.value;
+        let snippetRule = _step.value;
+        const negated = snippetRule.startsWith('!');
+        snippetRule = negated ? snippetRule.slice(1) : snippetRule;
+
+        var _iterator2 = _createForOfIteratorHelper(availableSnippets),
+            _step2;
+
+        try {
+          for (_iterator2.s(); !(_step2 = _iterator2.n()).done;) {
+            const _step2$value = _slicedToArray(_step2.value, 2),
+                  _ = _step2$value[0],
+                  availableSnippet = _step2$value[1];
+
+            if ((0, _minimatch().default)(availableSnippet.name, snippetRule)) {
+              if (negated) {
+                rejectedSnippets.add(availableSnippet.name);
+              } else {
+                allowedSnippets.add(availableSnippet.name);
+              }
+            }
+          }
+        } catch (err) {
+          _iterator2.e(err);
+        } finally {
+          _iterator2.f();
+        }
+      } // get difference of allowed and rejected snippets
+
+    } catch (err) {
+      _iterator.e(err);
+    } finally {
+      _iterator.f();
+    }
+
+    const effectiveSnippets = new Set([...allowedSnippets].filter(x => !rejectedSnippets.has(x)));
+    return {
+      allowed: [...effectiveSnippets],
+      rejected: [...rejectedSnippets]
+    };
+  }
+
+  snippetAllowed(actionPath) {
+    const effectiveSnippets = this.effectiveSnippets();
+
+    const getActions = snippets => {
+      return snippets.map(snippetName => this.acl.snippetManager.snippets.get(snippetName).actions).flat();
+    };
+
+    const allowedActions = getActions(effectiveSnippets.allowed);
+    const rejectedActions = getActions(effectiveSnippets.rejected);
+
+    const actionMatched = (actionPath, actionRule) => {
+      return (0, _minimatch().default)(actionPath, actionRule);
+    };
+
+    var _iterator3 = _createForOfIteratorHelper(allowedActions),
+        _step3;
+
+    try {
+      for (_iterator3.s(); !(_step3 = _iterator3.n()).done;) {
+        const action = _step3.value;
+
+        if (actionMatched(actionPath, action)) {
+          return true;
+        }
+      }
+    } catch (err) {
+      _iterator3.e(err);
+    } finally {
+      _iterator3.f();
+    }
+
+    var _iterator4 = _createForOfIteratorHelper(rejectedActions),
+        _step4;
+
+    try {
+      for (_iterator4.s(); !(_step4 = _iterator4.n()).done;) {
+        const action = _step4.value;
+
+        if (actionMatched(actionPath, action)) {
+          return false;
+        }
+      }
+    } catch (err) {
+      _iterator4.e(err);
+    } finally {
+      _iterator4.f();
+    }
+
+    return null;
+  }
+
+  toJSON() {
+    const actions = {};
+
+    var _iterator5 = _createForOfIteratorHelper(this.resources.keys()),
+        _step5;
+
+    try {
+      for (_iterator5.s(); !(_step5 = _iterator5.n()).done;) {
+        const resourceName = _step5.value;
         const resourceActions = this.getResourceActionsParams(resourceName);
 
         for (var _i2 = 0, _Object$keys = Object.keys(resourceActions); _i2 < _Object$keys.length; _i2++) {
@@ -103,15 +238,16 @@ class ACLRole {
         }
       }
     } catch (err) {
-      _iterator.e(err);
+      _iterator5.e(err);
     } finally {
-      _iterator.f();
+      _iterator5.f();
     }
 
     return {
       role: this.name,
       strategy: this.strategy,
-      actions
+      actions,
+      snippets: Array.from(this.snippets)
     };
   }
 

package/lib/acl.d.ts

@@ -5,6 +5,8 @@ import { ACLAvailableAction, AvailableActionOptions } from './acl-available-acti
 import { ACLAvailableStrategy, AvailableStrategyOptions } from './acl-available-strategy';
 import { ACLRole, ResourceActionsOptions, RoleActionParams } from './acl-role';
 import { AllowManager, ConditionFunc } from './allow-manager';
+import FixedParamsManager, { Merger } from './fixed-params-manager';
+import SnippetManager, { SnippetOptions } from './snippet-manager';
 interface CanResult {
     role: string;
     resource: string;
@@ -17,6 +19,7 @@ export interface DefineOptions {
     strategy?: string | AvailableStrategyOptions;
     actions?: ResourceActionsOptions;
     routes?: any;
+    snippets?: string[];
 }
 export interface ListenerContext {
     acl: ACL;
@@ -31,16 +34,20 @@ interface CanArgs {
     role: string;
     resource: string;
     action: string;
+    ctx?: any;
 }
 export declare class ACL extends EventEmitter {
     protected availableActions: Map<string, ACLAvailableAction>;
-    protected availableStrategy: Map<string, ACLAvailableStrategy>;
+    availableStrategy: Map<string, ACLAvailableStrategy>;
+    protected fixedParamsManager: FixedParamsManager;
     protected middlewares: Toposort<any>;
     allowManager: AllowManager;
+    snippetManager: SnippetManager;
     roles: Map<string, ACLRole>;
     actionAlias: Map<string, string>;
     configResources: string[];
     constructor();
+    protected addCoreMiddleware(): void;
     define(options: DefineOptions): ACLRole;
     getRole(name: string): ACLRole;
     removeRole(name: string): boolean;
@@ -57,7 +64,11 @@ export declare class ACL extends EventEmitter {
     resolveActionAlias(action: string): string;
     use(fn: any, options?: ToposortOptions): void;
     allow(resourceName: string, actionNames: string[] | string, condition?: string | ConditionFunc): void;
+    skip(resourceName: string, actionNames: string[] | string, condition?: string | ConditionFunc): void;
     parseJsonTemplate(json: any, ctx: any): any;
     middleware(): (ctx: any, next: any) => Promise<void>;
+    getActionParams(ctx: any): Promise<void>;
+    addFixedParams(resource: string, action: string, merger: Merger): void;
+    registerSnippet(snippet: SnippetOptions): void;
 }
 export {};

package/lib/acl.js

@@ -63,11 +63,11 @@ var _aclRole = require("./acl-role");
 
 var _allowManager = require("./allow-manager");
 
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+var _fixedParamsManager = _interopRequireDefault(require("./fixed-params-manager"));
 
-function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) { try { var info = gen[key](arg); var value = info.value; } catch (error) { reject(error); return; } if (info.done) { resolve(value); } else { Promise.resolve(value).then(_next, _throw); } }
+var _snippetManager = _interopRequireDefault(require("./snippet-manager"));
 
-function _asyncToGenerator(fn) { return function () { var self = this, args = arguments; return new Promise(function (resolve, reject) { var gen = fn.apply(self, args); function _next(value) { asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value); } function _throw(err) { asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err); } _next(undefined); }); }; }
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 
 function _createForOfIteratorHelper(o, allowArrayLike) { var it = typeof Symbol !== "undefined" && o[Symbol.iterator] || o["@@iterator"]; if (!it) { if (Array.isArray(o) || (it = _unsupportedIterableToArray(o)) || allowArrayLike && o && typeof o.length === "number") { if (it) o = it; var i = 0; var F = function F() {}; return { s: F, n: function n() { if (i >= o.length) return { done: true }; return { done: false, value: o[i++] }; }, e: function e(_e2) { throw _e2; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var normalCompletion = true, didErr = false, err; return { s: function s() { it = it.call(o); }, n: function n() { var step = it.next(); normalCompletion = step.done; return step; }, e: function e(_e3) { didErr = true; err = _e3; }, f: function f() { try { if (!normalCompletion && it.return != null) it.return(); } finally { if (didErr) throw err; } } }; }
 
@@ -83,6 +83,10 @@ function _iterableToArrayLimit(arr, i) { var _i = arr == null ? null : typeof Sy
 
 function _arrayWithHoles(arr) { if (Array.isArray(arr)) return arr; }
 
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) { try { var info = gen[key](arg); var value = info.value; } catch (error) { reject(error); return; } if (info.done) { resolve(value); } else { Promise.resolve(value).then(_next, _throw); } }
+
+function _asyncToGenerator(fn) { return function () { var self = this, args = arguments; return new Promise(function (resolve, reject) { var gen = fn.apply(self, args); function _next(value) { asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value); } function _throw(err) { asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err); } _next(undefined); }); }; }
+
 function ownKeys(object, enumerableOnly) { var keys = Object.keys(object); if (Object.getOwnPropertySymbols) { var symbols = Object.getOwnPropertySymbols(object); enumerableOnly && (symbols = symbols.filter(function (sym) { return Object.getOwnPropertyDescriptor(object, sym).enumerable; })), keys.push.apply(keys, symbols); } return keys; }
 
 function _objectSpread(target) { for (var i = 1; i < arguments.length; i++) { var source = null != arguments[i] ? arguments[i] : {}; i % 2 ? ownKeys(Object(source), !0).forEach(function (key) { _defineProperty(target, key, source[key]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(target, Object.getOwnPropertyDescriptors(source)) : ownKeys(Object(source)).forEach(function (key) { Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key)); }); } return target; }
@@ -94,8 +98,10 @@ class ACL extends _events().default {
     super();
     this.availableActions = new Map();
     this.availableStrategy = new Map();
+    this.fixedParamsManager = new _fixedParamsManager.default();
     this.middlewares = void 0;
     this.allowManager = new _allowManager.AllowManager(this);
+    this.snippetManager = new _snippetManager.default();
     this.roles = new Map();
     this.actionAlias = new Map();
     this.configResources = [];
@@ -123,7 +129,73 @@ class ACL extends _events().default {
         }
       }
     });
-    this.middlewares.add(this.allowManager.aclMiddleware());
+    this.use(this.allowManager.aclMiddleware(), {
+      tag: 'allow-manager',
+      before: 'core'
+    });
+    this.addCoreMiddleware();
+  }
+
+  addCoreMiddleware() {
+    const acl = this;
+
+    const filterParams = (ctx, resourceName, params) => {
+      var _params$filter;
+
+      if (params === null || params === void 0 ? void 0 : (_params$filter = params.filter) === null || _params$filter === void 0 ? void 0 : _params$filter.createdById) {
+        const collection = ctx.db.getCollection(resourceName);
+
+        if (!collection || !collection.getField('createdById')) {
+          return _lodash().default.omit(params, 'filter.createdById');
+        }
+      }
+
+      return params;
+    };
+
+    this.middlewares.add( /*#__PURE__*/function () {
+      var _ref = _asyncToGenerator(function* (ctx, next) {
+        var _ctx$log, _permission$can, _ctx$log2;
+
+        const resourcerAction = ctx.action;
+        const _ctx$action = ctx.action,
+              resourceName = _ctx$action.resourceName,
+              actionName = _ctx$action.actionName;
+        const permission = ctx.permission;
+        ((_ctx$log = ctx.log) === null || _ctx$log === void 0 ? void 0 : _ctx$log.info) && ctx.log.info('ctx permission', permission);
+
+        if ((!permission.can || typeof permission.can !== 'object') && !permission.skip) {
+          ctx.throw(403, 'No permissions');
+          return;
+        }
+
+        const params = ((_permission$can = permission.can) === null || _permission$can === void 0 ? void 0 : _permission$can.params) || acl.fixedParamsManager.getParams(resourceName, actionName);
+        ((_ctx$log2 = ctx.log) === null || _ctx$log2 === void 0 ? void 0 : _ctx$log2.info) && ctx.log.info('acl params', params);
+
+        if (params && resourcerAction.mergeParams) {
+          var _ctx$log3;
+
+          const filteredParams = filterParams(ctx, resourceName, params);
+          const parsedParams = acl.parseJsonTemplate(filteredParams, ctx);
+          ctx.permission.parsedParams = parsedParams;
+          ((_ctx$log3 = ctx.log) === null || _ctx$log3 === void 0 ? void 0 : _ctx$log3.info) && ctx.log.info('acl parsedParams', parsedParams);
+          ctx.permission.rawParams = _lodash().default.cloneDeep(resourcerAction.params);
+          resourcerAction.mergeParams(parsedParams, {
+            appends: (x, y) => _lodash().default.intersection(x, y)
+          });
+          ctx.permission.mergedParams = _lodash().default.cloneDeep(resourcerAction.params);
+        }
+
+        yield next();
+      });
+
+      return function (_x, _x2) {
+        return _ref.apply(this, arguments);
+      };
+    }(), {
+      tag: 'core',
+      group: 'core'
+    });
   }
 
   define(options) {
@@ -217,6 +289,27 @@ class ACL extends _events().default {
       return null;
     }
 
+    const snippetAllowed = aclRole.snippetAllowed(`${resource}:${action}`);
+
+    if (snippetAllowed === false) {
+      return null;
+    }
+
+    const fixedParams = this.fixedParamsManager.getParams(resource, action);
+
+    const mergeParams = result => {
+      const params = result['params'] || {};
+      const mergedParams = (0, _utils().assign)(params, fixedParams);
+
+      if (Object.keys(mergedParams).length) {
+        result['params'] = mergedParams;
+      } else {
+        delete result['params'];
+      }
+
+      return result;
+    };
+
     const aclResource = aclRole.getResource(resource);
 
     if (aclResource) {
@@ -224,41 +317,42 @@ class ACL extends _events().default {
 
       if (actionParams) {
         // handle single action config
-        return {
+        return mergeParams({
           role,
           resource,
           action,
           params: actionParams
-        };
+        });
       } else {
         return null;
       }
     }
 
-    if (!aclRole.strategy) {
+    const roleStrategy = aclRole.getStrategy();
+
+    if (!roleStrategy && !snippetAllowed) {
       return null;
     }
 
-    const roleStrategy = _lodash().default.isString(aclRole.strategy) ? this.availableStrategy.get(aclRole.strategy) : new _aclAvailableStrategy.ACLAvailableStrategy(this, aclRole.strategy);
+    let roleStrategyParams = roleStrategy === null || roleStrategy === void 0 ? void 0 : roleStrategy.allow(resource, this.resolveActionAlias(action));
 
-    if (!roleStrategy) {
-      return null;
+    if (!roleStrategyParams && snippetAllowed) {
+      roleStrategyParams = {};
     }
 
-    const roleStrategyParams = roleStrategy.allow(resource, this.resolveActionAlias(action));
-
     if (roleStrategyParams) {
       const result = {
         role,
         resource,
-        action
+        action,
+        params: {}
       };
 
       if (_lodash().default.isPlainObject(roleStrategyParams)) {
         result['params'] = roleStrategyParams;
       }
 
-      return result;
+      return mergeParams(result);
     }
 
     return null;
@@ -273,10 +367,16 @@ class ACL extends _events().default {
   }
 
   use(fn, options) {
-    this.middlewares.add(fn, options);
+    this.middlewares.add(fn, _objectSpread({
+      group: 'prep'
+    }, options));
   }
 
   allow(resourceName, actionNames, condition) {
+    return this.skip(resourceName, actionNames, condition);
+  }
+
+  skip(resourceName, actionNames, condition) {
     if (!Array.isArray(actionNames)) {
       actionNames = [actionNames];
     }
@@ -306,28 +406,12 @@ class ACL extends _events().default {
 
   middleware() {
     const acl = this;
-
-    const filterParams = (ctx, resourceName, params) => {
-      var _params$filter;
-
-      if (params === null || params === void 0 ? void 0 : (_params$filter = params.filter) === null || _params$filter === void 0 ? void 0 : _params$filter.createdById) {
-        const collection = ctx.db.getCollection(resourceName);
-
-        if (collection && !collection.getField('createdById')) {
-          return _lodash().default.omit(params, 'filter.createdById');
-        }
-      }
-
-      return params;
-    };
-
     return /*#__PURE__*/function () {
       var _ACLMiddleware = _asyncToGenerator(function* (ctx, next) {
         const roleName = ctx.state.currentRole || 'anonymous';
-        const _ctx$action = ctx.action,
-              resourceName = _ctx$action.resourceName,
-              actionName = _ctx$action.actionName;
-        const resourcerAction = ctx.action;
+        const _ctx$action2 = ctx.action,
+              resourceName = _ctx$action2.resourceName,
+              actionName = _ctx$action2.actionName;
 
         ctx.can = options => {
           return acl.can(_objectSpread({
@@ -341,31 +425,10 @@ class ACL extends _events().default {
             action: actionName
           })
         };
-        return (0, _koaCompose().default)(acl.middlewares.nodes)(ctx, /*#__PURE__*/_asyncToGenerator(function* () {
-          const permission = ctx.permission;
-
-          if (permission.skip) {
-            return next();
-          }
-
-          if (!permission.can || typeof permission.can !== 'object') {
-            ctx.throw(403, 'No permissions');
-            return;
-          }
-
-          const params = permission.can.params;
-
-          if (params) {
-            const filteredParams = filterParams(ctx, resourceName, params);
-            const parsedParams = acl.parseJsonTemplate(filteredParams, ctx);
-            resourcerAction.mergeParams(parsedParams);
-          }
-
-          yield next();
-        }));
+        return (0, _koaCompose().default)(acl.middlewares.nodes)(ctx, next);
       });
 
-      function ACLMiddleware(_x, _x2) {
+      function ACLMiddleware(_x3, _x4) {
         return _ACLMiddleware.apply(this, arguments);
       }
 
@@ -373,6 +436,39 @@ class ACL extends _events().default {
     }();
   }
 
+  getActionParams(ctx) {
+    var _this = this;
+
+    return _asyncToGenerator(function* () {
+      const roleName = ctx.state.currentRole || 'anonymous';
+      const _ctx$action3 = ctx.action,
+            resourceName = _ctx$action3.resourceName,
+            actionName = _ctx$action3.actionName;
+
+      ctx.can = options => {
+        return _this.can(_objectSpread({
+          role: roleName
+        }, options));
+      };
+
+      ctx.permission = {
+        can: ctx.can({
+          resource: resourceName,
+          action: actionName
+        })
+      };
+      yield (0, _koaCompose().default)(_this.middlewares.nodes)(ctx, /*#__PURE__*/_asyncToGenerator(function* () {}));
+    })();
+  }
+
+  addFixedParams(resource, action, merger) {
+    this.fixedParamsManager.addParams(resource, action, merger);
+  }
+
+  registerSnippet(snippet) {
+    this.snippetManager.register(snippet);
+  }
+
 }
 
 exports.ACL = ACL;

package/lib/allow-manager.d.ts

@@ -8,5 +8,6 @@ export declare class AllowManager {
     allow(resourceName: string, actionName: string, condition?: string | ConditionFunc): void;
     getAllowedConditions(resourceName: string, actionName: string): Array<ConditionFunc | true>;
     registerAllowCondition(name: string, condition: ConditionFunc): void;
+    isAllowed(resourceName: string, actionName: string, ctx: any): Promise<boolean>;
     aclMiddleware(): (ctx: any, next: any) => Promise<void>;
 }

package/lib/allow-manager.js

@@ -5,6 +5,12 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.AllowManager = void 0;
 
+function ownKeys(object, enumerableOnly) { var keys = Object.keys(object); if (Object.getOwnPropertySymbols) { var symbols = Object.getOwnPropertySymbols(object); enumerableOnly && (symbols = symbols.filter(function (sym) { return Object.getOwnPropertyDescriptor(object, sym).enumerable; })), keys.push.apply(keys, symbols); } return keys; }
+
+function _objectSpread(target) { for (var i = 1; i < arguments.length; i++) { var source = null != arguments[i] ? arguments[i] : {}; i % 2 ? ownKeys(Object(source), !0).forEach(function (key) { _defineProperty(target, key, source[key]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(target, Object.getOwnPropertyDescriptors(source)) : ownKeys(Object(source)).forEach(function (key) { Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key)); }); } return target; }
+
+function _defineProperty(obj, key, value) { if (key in obj) { Object.defineProperty(obj, key, { value: value, enumerable: true, configurable: true, writable: true }); } else { obj[key] = value; } return obj; }
+
 function _createForOfIteratorHelper(o, allowArrayLike) { var it = typeof Symbol !== "undefined" && o[Symbol.iterator] || o["@@iterator"]; if (!it) { if (Array.isArray(o) || (it = _unsupportedIterableToArray(o)) || allowArrayLike && o && typeof o.length === "number") { if (it) o = it; var i = 0; var F = function F() {}; return { s: F, n: function n() { if (i >= o.length) return { done: true }; return { done: false, value: o[i++] }; }, e: function e(_e) { throw _e; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var normalCompletion = true, didErr = false, err; return { s: function s() { it = it.call(o); }, n: function n() { var step = it.next(); normalCompletion = step.done; return step; }, e: function e(_e2) { didErr = true; err = _e2; }, f: function f() { try { if (!normalCompletion && it.return != null) it.return(); } finally { if (didErr) throw err; } } }; }
 
 function _unsupportedIterableToArray(o, minLen) { if (!o) return; if (typeof o === "string") return _arrayLikeToArray(o, minLen); var n = Object.prototype.toString.call(o).slice(8, -1); if (n === "Object" && o.constructor) n = o.constructor.name; if (n === "Map" || n === "Set") return Array.from(o); if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _arrayLikeToArray(o, minLen); }
@@ -24,20 +30,26 @@ class AllowManager {
     this.registerAllowCondition('loggedIn', ctx => {
       return ctx.state.currentUser;
     });
+    this.registerAllowCondition('public', ctx => {
+      return true;
+    });
     this.registerAllowCondition('allowConfigure', /*#__PURE__*/function () {
       var _ref = _asyncToGenerator(function* (ctx) {
+        var _role$getStrategy;
+
         const roleName = ctx.state.currentRole;
 
         if (!roleName) {
           return false;
         }
 
-        const roleInstance = yield ctx.db.getRepository('roles').findOne({
-          filter: {
-            name: roleName
-          }
-        });
-        return roleInstance === null || roleInstance === void 0 ? void 0 : roleInstance.get('allowConfigure');
+        const role = acl.getRole(roleName);
+
+        if (!role) {
+          return false;
+        }
+
+        return (_role$getStrategy = role.getStrategy()) === null || _role$getStrategy === void 0 ? void 0 : _role$getStrategy.allowConfigure;
       });
 
       return function (_x) {
@@ -61,10 +73,13 @@ class AllowManager {
       const resource = this.skipActions.get(fetchActionStep);
 
       if (resource) {
-        const condition = resource.get('*') || resource.get(actionName);
+        for (var _i2 = 0, _arr = ['*', actionName]; _i2 < _arr.length; _i2++) {
+          const fetchActionStep = _arr[_i2];
+          const condition = resource.get(fetchActionStep);
 
-        if (condition) {
-          results.push(typeof condition === 'string' ? this.registeredCondition.get(condition) : condition);
+          if (condition) {
+            results.push(typeof condition === 'string' ? this.registeredCondition.get(condition) : condition);
+          }
         }
       }
     }
@@ -76,47 +91,57 @@ class AllowManager {
     this.registeredCondition.set(name, condition);
   }
 
-  aclMiddleware() {
-    return /*#__PURE__*/function () {
-      var _ref2 = _asyncToGenerator(function* (ctx, next) {
-        const _ctx$action = ctx.action,
-              resourceName = _ctx$action.resourceName,
-              actionName = _ctx$action.actionName;
-        const skippedConditions = ctx.app.acl.allowManager.getAllowedConditions(resourceName, actionName);
-        let skip = false;
+  isAllowed(resourceName, actionName, ctx) {
+    var _this = this;
 
-        var _iterator = _createForOfIteratorHelper(skippedConditions),
-            _step;
+    return _asyncToGenerator(function* () {
+      const skippedConditions = _this.getAllowedConditions(resourceName, actionName);
 
-        try {
-          for (_iterator.s(); !(_step = _iterator.n()).done;) {
-            const skippedCondition = _step.value;
+      var _iterator = _createForOfIteratorHelper(skippedConditions),
+          _step;
 
-            if (skippedCondition) {
-              let skipResult = false;
+      try {
+        for (_iterator.s(); !(_step = _iterator.n()).done;) {
+          const skippedCondition = _step.value;
 
-              if (typeof skippedCondition === 'function') {
-                skipResult = yield skippedCondition(ctx);
-              } else if (skippedCondition) {
-                skipResult = true;
-              }
+          if (skippedCondition) {
+            let skipResult = false;
+
+            if (typeof skippedCondition === 'function') {
+              skipResult = yield skippedCondition(ctx);
+            } else if (skippedCondition) {
+              skipResult = true;
+            }
 
-              if (skipResult) {
-                skip = true;
-                break;
-              }
+            if (skipResult) {
+              return true;
             }
           }
-        } catch (err) {
-          _iterator.e(err);
-        } finally {
-          _iterator.f();
         }
+      } catch (err) {
+        _iterator.e(err);
+      } finally {
+        _iterator.f();
+      }
+
+      return false;
+    })();
+  }
+
+  aclMiddleware() {
+    var _this2 = this;
+
+    return /*#__PURE__*/function () {
+      var _ref2 = _asyncToGenerator(function* (ctx, next) {
+        const _ctx$action = ctx.action,
+              resourceName = _ctx$action.resourceName,
+              actionName = _ctx$action.actionName;
+        let skip = yield _this2.acl.allowManager.isAllowed(resourceName, actionName, ctx);
 
         if (skip) {
-          ctx.permission = {
+          ctx.permission = _objectSpread(_objectSpread({}, ctx.permission || {}), {}, {
             skip: true
-          };
+          });
         }
 
         yield next();

package/lib/fixed-params-manager.d.ts

@@ -0,0 +1,10 @@
+export declare type Merger = () => object;
+export declare type ActionPath = string;
+export default class FixedParamsManager {
+    merger: Map<string, Merger[]>;
+    addParams(resource: string, action: string, merger: Merger): void;
+    getParamsMerger(resource: string, action: string): Merger[];
+    protected getActionPath(resource: string, action: string): string;
+    getParams(resource: string, action: string, extraParams?: any): {};
+    static mergeParams(a: any, b: any): void;
+}

package/lib/fixed-params-manager.js

@@ -0,0 +1,83 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = void 0;
+
+function _utils() {
+  const data = require("@nocobase/utils");
+
+  _utils = function _utils() {
+    return data;
+  };
+
+  return data;
+}
+
+function _createForOfIteratorHelper(o, allowArrayLike) { var it = typeof Symbol !== "undefined" && o[Symbol.iterator] || o["@@iterator"]; if (!it) { if (Array.isArray(o) || (it = _unsupportedIterableToArray(o)) || allowArrayLike && o && typeof o.length === "number") { if (it) o = it; var i = 0; var F = function F() {}; return { s: F, n: function n() { if (i >= o.length) return { done: true }; return { done: false, value: o[i++] }; }, e: function e(_e) { throw _e; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var normalCompletion = true, didErr = false, err; return { s: function s() { it = it.call(o); }, n: function n() { var step = it.next(); normalCompletion = step.done; return step; }, e: function e(_e2) { didErr = true; err = _e2; }, f: function f() { try { if (!normalCompletion && it.return != null) it.return(); } finally { if (didErr) throw err; } } }; }
+
+function _unsupportedIterableToArray(o, minLen) { if (!o) return; if (typeof o === "string") return _arrayLikeToArray(o, minLen); var n = Object.prototype.toString.call(o).slice(8, -1); if (n === "Object" && o.constructor) n = o.constructor.name; if (n === "Map" || n === "Set") return Array.from(o); if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _arrayLikeToArray(o, minLen); }
+
+function _arrayLikeToArray(arr, len) { if (len == null || len > arr.length) len = arr.length; for (var i = 0, arr2 = new Array(len); i < len; i++) arr2[i] = arr[i]; return arr2; }
+
+const SPLIT = ':';
+
+class FixedParamsManager {
+  constructor() {
+    this.merger = new Map();
+  }
+
+  addParams(resource, action, merger) {
+    const path = this.getActionPath(resource, action);
+    this.merger.set(path, [...this.getParamsMerger(resource, action), merger]);
+  }
+
+  getParamsMerger(resource, action) {
+    const path = this.getActionPath(resource, action);
+    return this.merger.get(path) || [];
+  }
+
+  getActionPath(resource, action) {
+    return `${resource}${SPLIT}${action}`;
+  }
+
+  getParams(resource, action, extraParams = {}) {
+    const results = {};
+
+    var _iterator = _createForOfIteratorHelper(this.getParamsMerger(resource, action)),
+        _step;
+
+    try {
+      for (_iterator.s(); !(_step = _iterator.n()).done;) {
+        const merger = _step.value;
+        FixedParamsManager.mergeParams(results, merger());
+      }
+    } catch (err) {
+      _iterator.e(err);
+    } finally {
+      _iterator.f();
+    }
+
+    if (extraParams) {
+      FixedParamsManager.mergeParams(results, extraParams);
+    }
+
+    return results;
+  }
+
+  static mergeParams(a, b) {
+    (0, _utils().assign)(a, b, {
+      filter: 'andMerge',
+      fields: 'intersect',
+      appends: 'union',
+      except: 'union',
+      whitelist: 'intersect',
+      blacklist: 'intersect',
+      sort: 'overwrite'
+    });
+  }
+
+}
+
+exports.default = FixedParamsManager;

package/lib/index.d.ts

@@ -3,4 +3,5 @@ export * from './acl-available-action';
 export * from './acl-available-strategy';
 export * from './acl-resource';
 export * from './acl-role';
+export * from './no-permission-error';
 export * from './skip-middleware';

package/lib/index.js

@@ -69,6 +69,19 @@ Object.keys(_aclRole).forEach(function (key) {
   });
 });
 
+var _noPermissionError = require("./no-permission-error");
+
+Object.keys(_noPermissionError).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _noPermissionError[key]) return;
+  Object.defineProperty(exports, key, {
+    enumerable: true,
+    get: function get() {
+      return _noPermissionError[key];
+    }
+  });
+});
+
 var _skipMiddleware = require("./skip-middleware");
 
 Object.keys(_skipMiddleware).forEach(function (key) {

package/lib/no-permission-error.d.ts

@@ -0,0 +1,4 @@
+declare class NoPermissionError extends Error {
+    constructor(...args: any[]);
+}
+export { NoPermissionError };

package/lib/no-permission-error.js

@@ -0,0 +1,15 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.NoPermissionError = void 0;
+
+class NoPermissionError extends Error {
+  constructor(...args) {
+    super(...args);
+  }
+
+}
+
+exports.NoPermissionError = NoPermissionError;

package/lib/snippet-manager.d.ts

@@ -0,0 +1,19 @@
+export declare type SnippetOptions = {
+    name: string;
+    actions: Array<string>;
+};
+declare class Snippet {
+    name: string;
+    actions: Array<string>;
+    constructor(name: string, actions: Array<string>);
+}
+export declare type SnippetGroup = {
+    name: string;
+    snippets: SnippetOptions[];
+};
+declare class SnippetManager {
+    snippets: Map<string, Snippet>;
+    register(snippet: SnippetOptions): void;
+    allow(actionPath: string, snippetName: string): boolean;
+}
+export default SnippetManager;

package/lib/snippet-manager.js

@@ -0,0 +1,60 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = void 0;
+
+function _minimatch() {
+  const data = _interopRequireDefault(require("minimatch"));
+
+  _minimatch = function _minimatch() {
+    return data;
+  };
+
+  return data;
+}
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+class Snippet {
+  constructor(name, actions) {
+    this.name = void 0;
+    this.actions = void 0;
+    this.name = name;
+    this.actions = actions;
+  }
+
+}
+
+class SnippetManager {
+  constructor() {
+    this.snippets = new Map();
+  }
+
+  register(snippet) {
+    this.snippets.set(snippet.name, snippet);
+  }
+
+  allow(actionPath, snippetName) {
+    const negated = snippetName.startsWith('!');
+    snippetName = negated ? snippetName.slice(1) : snippetName;
+    const snippet = this.snippets.get(snippetName);
+
+    if (!snippet) {
+      throw new Error(`Snippet ${snippetName} not found`);
+    }
+
+    const matched = snippet.actions.some(action => (0, _minimatch().default)(actionPath, action));
+
+    if (matched) {
+      return negated ? false : true;
+    }
+
+    return null;
+  }
+
+}
+
+var _default = SnippetManager;
+exports.default = _default;

package/package.json

@@ -1,24 +1,20 @@
 {
   "name": "@nocobase/acl",
-  "version": "0.8.1-alpha.3",
+  "version": "0.9.0-alpha.1",
   "description": "",
   "license": "Apache-2.0",
-  "licenses": [
-    {
-      "type": "Apache-2.0",
-      "url": "http://www.apache.org/licenses/LICENSE-2.0"
-    }
-  ],
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
-    "@nocobase/resourcer": "0.8.1-alpha.3",
-    "json-templates": "^4.2.0"
+    "@nocobase/resourcer": "0.9.0-alpha.1",
+    "@nocobase/utils": "0.9.0-alpha.1",
+    "json-templates": "^4.2.0",
+    "minimatch": "^5.1.1"
   },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/acl"
   },
-  "gitHead": "e03df3df5962b99d9fbf5b6e33fbe2b23f14f3d3"
+  "gitHead": "d84c2a47c42c2ffec4fbf317d53268952fbd58d7"
 }