@nocobase/acl 1.7.0-beta.8 → 1.8.0-beta.1

package/lib/acl-role.js

@@ -40,10 +40,10 @@ __export(acl_role_exports, {
   ACLRole: () => ACLRole
 });
 module.exports = __toCommonJS(acl_role_exports);
-var import_acl_available_strategy = require("./acl-available-strategy");
-var import_acl_resource = require("./acl-resource");
 var import_lodash = __toESM(require("lodash"));
 var import_minimatch = __toESM(require("minimatch"));
+var import_acl_available_strategy = require("./acl-available-strategy");
+var import_acl_resource = require("./acl-resource");
 const _ACLRole = class _ACLRole {
   constructor(acl, name) {
     this.acl = acl;
@@ -113,7 +113,7 @@ const _ACLRole = class _ACLRole {
     for (let snippetRule of this.snippets) {
       const negated = snippetRule.startsWith("!");
       snippetRule = negated ? snippetRule.slice(1) : snippetRule;
-      for (const [_, availableSnippet] of availableSnippets) {
+      for (const [_2, availableSnippet] of availableSnippets) {
         if ((0, import_minimatch.default)(availableSnippet.name, snippetRule)) {
           if (negated) {
             rejectedSnippets.add(availableSnippet.name);
@@ -163,12 +163,12 @@ const _ACLRole = class _ACLRole {
         actions[`${resourceName}:${actionName}`] = resourceActions[actionName];
       }
     }
-    return {
+    return import_lodash.default.cloneDeep({
       role: this.name,
       strategy: this.strategy,
       actions,
       snippets: Array.from(this.snippets)
-    };
+    });
   }
   getResourceActionFromPath(path) {
     const [resourceName, actionName] = path.split(":");

package/lib/acl.d.ts

@@ -45,11 +45,12 @@ export interface ListenerContext {
 }
 type Listener = (ctx: ListenerContext) => void;
 interface CanArgs {
-    role: string;
+    role?: string;
     resource: string;
     action: string;
     rawResourceName?: string;
     ctx?: any;
+    roles?: string[];
 }
 export declare class ACL extends EventEmitter {
     /**
@@ -83,6 +84,7 @@ export declare class ACL extends EventEmitter {
     removeStrategyResource(resource: string): void;
     define(options: DefineOptions): ACLRole;
     getRole(name: string): ACLRole;
+    getRoles(names: string[]): ACLRole[];
     removeRole(name: string): boolean;
     setAvailableAction(name: string, options?: AvailableActionOptions): void;
     getAvailableAction(name: string): ACLAvailableAction;
@@ -90,6 +92,8 @@ export declare class ACL extends EventEmitter {
     setAvailableStrategy(name: string, options: AvailableStrategyOptions): void;
     beforeGrantAction(listener?: Listener): void;
     can(options: CanArgs): CanResult | null;
+    private getCanByRoles;
+    private getCanByRole;
     /**
      * @internal
      */

package/lib/acl.js

@@ -51,6 +51,7 @@ var import_allow_manager = require("./allow-manager");
 var import_fixed_params_manager = __toESM(require("./fixed-params-manager"));
 var import_snippet_manager = __toESM(require("./snippet-manager"));
 var import_no_permission_error = require("./errors/no-permission-error");
+var import_utils2 = require("./utils");
 const _ACL = class _ACL extends import_events.default {
   /**
    * @internal
@@ -132,6 +133,9 @@ const _ACL = class _ACL extends import_events.default {
   getRole(name) {
     return this.roles.get(name);
   }
+  getRoles(names) {
+    return names.map((name) => this.getRole(name)).filter((x) => Boolean(x));
+  }
   removeRole(name) {
     return this.roles.delete(name);
   }
@@ -158,6 +162,32 @@ const _ACL = class _ACL extends import_events.default {
     this.addListener("beforeGrantAction", listener);
   }
   can(options) {
+    var _a;
+    if (options.role) {
+      return import_lodash.default.cloneDeep(this.getCanByRole(options));
+    }
+    if ((_a = options.roles) == null ? void 0 : _a.length) {
+      return import_lodash.default.cloneDeep(this.getCanByRoles(options));
+    }
+    return null;
+  }
+  getCanByRoles(options) {
+    let canResult = null;
+    for (const role of options.roles) {
+      const result = this.getCanByRole({
+        role,
+        ...options
+      });
+      if (!canResult) {
+        canResult = result;
+        canResult && (0, import_utils2.removeEmptyParams)(canResult.params);
+      } else if (canResult && result) {
+        canResult.params = (0, import_utils2.mergeAclActionParams)(canResult.params, result.params);
+      }
+    }
+    return canResult;
+  }
+  getCanByRole(options) {
     const { role, resource, action, rawResourceName } = options;
     const aclRole = this.roles.get(role);
     if (!aclRole) {
@@ -277,8 +307,12 @@ const _ACL = class _ACL extends import_events.default {
         }
       }
       ctx.can = (options) => {
-        const canResult = acl.can({ role: roleName, ...options });
-        return canResult;
+        const roles = ctx.state.currentRoles || [roleName];
+        const can = acl.can({ roles, ...options });
+        if (!can) {
+          return null;
+        }
+        return can;
       };
       ctx.permission = {
         can: ctx.can({ resource: resourceName, action: actionName, rawResourceName }),
@@ -292,7 +326,8 @@ const _ACL = class _ACL extends import_events.default {
    * @internal
    */
   async getActionParams(ctx) {
-    const roleName = ctx.state.currentRole || "anonymous";
+    var _a;
+    const roleNames = ((_a = ctx.state.currentRoles) == null ? void 0 : _a.length) ? ctx.state.currentRoles : "anonymous";
     const { resourceName: rawResourceName, actionName } = ctx.action;
     let resourceName = rawResourceName;
     if (rawResourceName.includes(".")) {
@@ -305,11 +340,11 @@ const _ACL = class _ACL extends import_events.default {
       }
     }
     ctx.can = (options) => {
-      const can = this.can({ role: roleName, ...options });
-      if (!can) {
-        return null;
+      const can = this.can({ roles: roleNames, ...options });
+      if (can) {
+        return import_lodash.default.cloneDeep(can);
       }
-      return import_lodash.default.cloneDeep(can);
+      return null;
     };
     ctx.permission = {
       can: ctx.can({ resource: resourceName, action: actionName, rawResourceName }),
@@ -329,13 +364,29 @@ const _ACL = class _ACL extends import_events.default {
    * @internal
    */
   filterParams(ctx, resourceName, params) {
-    var _a;
+    var _a, _b, _c;
     if ((_a = params == null ? void 0 : params.filter) == null ? void 0 : _a.createdById) {
       const collection = ctx.db.getCollection(resourceName);
       if (!collection || !collection.getField("createdById")) {
         throw new import_no_permission_error.NoPermissionError("createdById field not found");
       }
     }
+    if ((_c = (_b = params == null ? void 0 : params.filter) == null ? void 0 : _b.$or) == null ? void 0 : _c.length) {
+      const checkCreatedById = /* @__PURE__ */ __name((items) => {
+        return items.some(
+          (x) => {
+            var _a2, _b2;
+            return "createdById" in x || ((_a2 = x.$or) == null ? void 0 : _a2.some((y) => "createdById" in y)) || ((_b2 = x.$and) == null ? void 0 : _b2.some((y) => "createdById" in y));
+          }
+        );
+      }, "checkCreatedById");
+      if (checkCreatedById(params.filter.$or)) {
+        const collection = ctx.db.getCollection(resourceName);
+        if (!collection || !collection.getField("createdById")) {
+          throw new import_no_permission_error.NoPermissionError("createdById field not found");
+        }
+      }
+    }
     return params;
   }
   addCoreMiddleware() {

package/lib/index.d.ts

@@ -13,3 +13,4 @@ export * from './acl-resource';
 export * from './acl-role';
 export * from './skip-middleware';
 export * from './errors';
+export * from './utils';

package/lib/index.js

@@ -30,6 +30,7 @@ __reExport(src_exports, require("./acl-resource"), module.exports);
 __reExport(src_exports, require("./acl-role"), module.exports);
 __reExport(src_exports, require("./skip-middleware"), module.exports);
 __reExport(src_exports, require("./errors"), module.exports);
+__reExport(src_exports, require("./utils"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ...require("./acl"),
@@ -38,5 +39,6 @@ __reExport(src_exports, require("./errors"), module.exports);
   ...require("./acl-resource"),
   ...require("./acl-role"),
   ...require("./skip-middleware"),
-  ...require("./errors")
+  ...require("./errors"),
+  ...require("./utils")
 });

package/lib/utils/acl-role.d.ts

@@ -0,0 +1,4 @@
+import { ACLRole } from '../acl-role';
+export declare function mergeRole(roles: ACLRole[]): Record<string, any>;
+export declare function mergeAclActionParams(sourceParams: any, targetParams: any): any;
+export declare function removeEmptyParams(params: any): void;

package/lib/utils/acl-role.js

@@ -0,0 +1,257 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var acl_role_exports = {};
+__export(acl_role_exports, {
+  mergeAclActionParams: () => mergeAclActionParams,
+  mergeRole: () => mergeRole,
+  removeEmptyParams: () => removeEmptyParams
+});
+module.exports = __toCommonJS(acl_role_exports);
+var import_utils = require("@nocobase/utils");
+var import_lodash = __toESM(require("lodash"));
+function mergeRole(roles) {
+  const result = {
+    roles: [],
+    strategy: {},
+    actions: null,
+    snippets: [],
+    resources: null
+  };
+  const allSnippets = [];
+  for (const role of roles) {
+    const jsonRole = role.toJSON();
+    result.roles = mergeRoleNames(result.roles, jsonRole.role);
+    result.strategy = mergeRoleStrategy(result.strategy, jsonRole.strategy);
+    result.actions = mergeRoleActions(result.actions, jsonRole.actions);
+    result.resources = mergeRoleResources(result.resources, [...role.resources.keys()]);
+    if (import_lodash.default.isArray(jsonRole.snippets)) {
+      allSnippets.push(jsonRole.snippets);
+    }
+  }
+  result.snippets = mergeRoleSnippets(allSnippets);
+  adjustActionByStrategy(roles, result);
+  return result;
+}
+__name(mergeRole, "mergeRole");
+function adjustActionByStrategy(roles, result) {
+  const { actions, strategy } = result;
+  const actionSet = getAdjustActions(roles);
+  if (!import_lodash.default.isEmpty(actions) && !import_lodash.default.isEmpty(strategy == null ? void 0 : strategy.actions) && !import_lodash.default.isEmpty(result.resources)) {
+    for (const resource of result.resources) {
+      for (const action of strategy.actions) {
+        if (actionSet.has(action)) {
+          actions[`${resource}:${action}`] = {};
+        }
+      }
+    }
+  }
+}
+__name(adjustActionByStrategy, "adjustActionByStrategy");
+function getAdjustActions(roles) {
+  var _a;
+  const actionSet = /* @__PURE__ */ new Set();
+  for (const role of roles) {
+    const jsonRole = role.toJSON();
+    if (!import_lodash.default.isEmpty((_a = jsonRole.strategy) == null ? void 0 : _a["actions"]) && import_lodash.default.isEmpty(jsonRole.actions)) {
+      jsonRole.strategy["actions"].forEach((x) => !x.includes("own") && actionSet.add(x));
+    }
+  }
+  return actionSet;
+}
+__name(getAdjustActions, "getAdjustActions");
+function mergeRoleNames(sourceRoleNames, newRoleName) {
+  return newRoleName ? sourceRoleNames.concat(newRoleName) : sourceRoleNames;
+}
+__name(mergeRoleNames, "mergeRoleNames");
+function mergeRoleStrategy(sourceStrategy, newStrategy) {
+  if (!newStrategy) {
+    return sourceStrategy;
+  }
+  if (import_lodash.default.isArray(newStrategy.actions)) {
+    if (!sourceStrategy.actions) {
+      sourceStrategy.actions = newStrategy.actions;
+    } else {
+      const actions = sourceStrategy.actions.concat(newStrategy.actions);
+      return {
+        ...sourceStrategy,
+        actions: [...new Set(actions)]
+      };
+    }
+  }
+  return sourceStrategy;
+}
+__name(mergeRoleStrategy, "mergeRoleStrategy");
+function mergeRoleActions(sourceActions, newActions) {
+  if (import_lodash.default.isEmpty(sourceActions)) return newActions;
+  if (import_lodash.default.isEmpty(newActions)) return sourceActions;
+  const result = {};
+  [...new Set(Reflect.ownKeys(sourceActions).concat(Reflect.ownKeys(newActions)))].forEach((key) => {
+    if (import_lodash.default.has(sourceActions, key) && import_lodash.default.has(newActions, key)) {
+      result[key] = mergeAclActionParams(sourceActions[key], newActions[key]);
+      return;
+    }
+    result[key] = import_lodash.default.has(sourceActions, key) ? sourceActions[key] : newActions[key];
+  });
+  return result;
+}
+__name(mergeRoleActions, "mergeRoleActions");
+function mergeRoleSnippets(allRoleSnippets) {
+  if (!allRoleSnippets.length) {
+    return [];
+  }
+  const allSnippets = allRoleSnippets.flat();
+  const isExclusion = /* @__PURE__ */ __name((value) => value.startsWith("!"), "isExclusion");
+  const includes = new Set(allSnippets.filter((x) => !isExclusion(x)));
+  const excludes = new Set(allSnippets.filter(isExclusion));
+  const domainRoleMap = /* @__PURE__ */ new Map();
+  allRoleSnippets.forEach((roleSnippets, i) => {
+    roleSnippets.filter((x) => x.endsWith(".*") && !isExclusion(x)).forEach((include) => {
+      const domain = include.slice(0, -1);
+      if (!domainRoleMap.has(domain)) {
+        domainRoleMap.set(domain, /* @__PURE__ */ new Set());
+      }
+      domainRoleMap.get(domain).add(i);
+    });
+  });
+  const excludesSet = /* @__PURE__ */ new Set();
+  for (const snippet of excludes) {
+    if (allRoleSnippets.every((x) => x.includes(snippet))) {
+      excludesSet.add(snippet);
+    }
+  }
+  for (const [domain, indexes] of domainRoleMap.entries()) {
+    const fullDomain = `${domain}.*`;
+    if (includes.has(fullDomain)) {
+      excludesSet.delete(`!${fullDomain}`);
+    }
+    for (const roleIndex of indexes) {
+      for (const exclude of allRoleSnippets[roleIndex]) {
+        if (exclude.startsWith(`!${domain}`) && exclude !== `!${fullDomain}`) {
+          if ([...indexes].every((i) => allRoleSnippets[i].includes(exclude))) {
+            excludesSet.add(exclude);
+          }
+        }
+      }
+    }
+  }
+  if (includes.size > 0) {
+    for (const x of [...excludesSet]) {
+      const exactMatch = x.slice(1);
+      const segments = exactMatch.split(".");
+      if (segments.length > 1 && segments[1] !== "*") {
+        const parentDomain = segments[0] + ".*";
+        if (!includes.has(parentDomain)) {
+          excludesSet.delete(x);
+        }
+      }
+    }
+  }
+  return [...includes, ...excludesSet];
+}
+__name(mergeRoleSnippets, "mergeRoleSnippets");
+function mergeRoleResources(sourceResources, newResources) {
+  if (sourceResources === null) {
+    return newResources;
+  }
+  return [...new Set(sourceResources.concat(newResources))];
+}
+__name(mergeRoleResources, "mergeRoleResources");
+function mergeAclActionParams(sourceParams, targetParams) {
+  if (import_lodash.default.isEmpty(sourceParams) || import_lodash.default.isEmpty(targetParams)) {
+    return {};
+  }
+  removeUnmatchedParams(sourceParams, targetParams, ["fields", "whitelist", "appends"]);
+  const andMerge = /* @__PURE__ */ __name((x, y) => {
+    if (import_lodash.default.isEmpty(x) || import_lodash.default.isEmpty(y)) {
+      return [];
+    }
+    return import_lodash.default.uniq(x.concat(y)).filter(Boolean);
+  }, "andMerge");
+  const mergedParams = (0, import_utils.assign)(targetParams, sourceParams, {
+    own: /* @__PURE__ */ __name((x, y) => x || y, "own"),
+    filter: /* @__PURE__ */ __name((x, y) => {
+      if (import_lodash.default.isEmpty(x) || import_lodash.default.isEmpty(y)) {
+        return {};
+      }
+      const xHasOr = import_lodash.default.has(x, "$or"), yHasOr = import_lodash.default.has(y, "$or");
+      let $or = [x, y];
+      if (xHasOr && !yHasOr) {
+        $or = [...x.$or, y];
+      } else if (!xHasOr && yHasOr) {
+        $or = [x, ...y.$or];
+      } else if (xHasOr && yHasOr) {
+        $or = [...x.$or, ...y.$or];
+      }
+      return { $or: import_lodash.default.uniqWith($or, import_lodash.default.isEqual) };
+    }, "filter"),
+    fields: andMerge,
+    whitelist: andMerge,
+    appends: "union"
+  });
+  removeEmptyParams(mergedParams);
+  return mergedParams;
+}
+__name(mergeAclActionParams, "mergeAclActionParams");
+function removeEmptyParams(params) {
+  if (!import_lodash.default.isObject(params)) {
+    return;
+  }
+  Object.keys(params).forEach((key) => {
+    if (import_lodash.default.isEmpty(params[key])) {
+      delete params[key];
+    }
+  });
+}
+__name(removeEmptyParams, "removeEmptyParams");
+function removeUnmatchedParams(source, target, keys) {
+  for (const key of keys) {
+    if (import_lodash.default.has(source, key) && !import_lodash.default.has(target, key)) {
+      delete source[key];
+    }
+    if (!import_lodash.default.has(source, key) && import_lodash.default.has(target, key)) {
+      delete target[key];
+    }
+  }
+}
+__name(removeUnmatchedParams, "removeUnmatchedParams");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  mergeAclActionParams,
+  mergeRole,
+  removeEmptyParams
+});

package/lib/utils/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export * from './acl-role';

package/lib/utils/index.js

@@ -0,0 +1,30 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+module.exports = __toCommonJS(utils_exports);
+__reExport(utils_exports, require("./acl-role"), module.exports);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ...require("./acl-role")
+});

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@nocobase/acl",
-  "version": "1.7.0-beta.8",
+  "version": "1.8.0-beta.1",
   "description": "",
   "license": "AGPL-3.0",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
-    "@nocobase/resourcer": "1.7.0-beta.8",
-    "@nocobase/utils": "1.7.0-beta.8",
+    "@nocobase/resourcer": "1.8.0-beta.1",
+    "@nocobase/utils": "1.8.0-beta.1",
     "minimatch": "^5.1.1"
   },
   "repository": {
@@ -15,5 +15,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/acl"
   },
-  "gitHead": "9ad35ee90db98d95dfa660645d155f4f4e81b47c"
+  "gitHead": "103935669123174f2942247202e3d9ff15f0d4ed"
 }