@nocobase/acl 1.9.47 → 1.9.49

package/lib/acl.d.ts

@@ -15,6 +15,7 @@ import { ACLRole, ResourceActionsOptions, RoleActionParams } from './acl-role';
 import { AllowManager, ConditionFunc } from './allow-manager';
 import FixedParamsManager, { Merger } from './fixed-params-manager';
 import SnippetManager, { SnippetOptions } from './snippet-manager';
+import Database, { Collection } from '@nocobase/database';
 export interface CanResult {
     role: string;
     resource: string;
@@ -44,6 +45,14 @@ export interface ListenerContext {
     params: RoleActionParams;
 }
 type Listener = (ctx: ListenerContext) => void;
+export type UserProvider = (args: {
+    fields: string[];
+}) => Promise<any>;
+export interface ParseJsonTemplateOptions {
+    timezone?: string;
+    state?: any;
+    userProvider?: UserProvider;
+}
 interface CanArgs {
     role?: string;
     resource: string;
@@ -104,10 +113,6 @@ export declare class ACL extends EventEmitter {
      * @deprecated
      */
     skip(resourceName: string, actionNames: string[] | string, condition?: string | ConditionFunc): void;
-    /**
-     * @internal
-     */
-    parseJsonTemplate(json: any, ctx: any): Promise<any>;
     middleware(): (ctx: any, next: any) => Promise<void>;
     /**
      * @internal
@@ -115,11 +120,20 @@ export declare class ACL extends EventEmitter {
     getActionParams(ctx: any): Promise<void>;
     addFixedParams(resource: string, action: string, merger: Merger): void;
     registerSnippet(snippet: SnippetOptions): void;
-    /**
-     * @internal
-     */
-    filterParams(ctx: any, resourceName: any, params: any): any;
     protected addCoreMiddleware(): void;
     protected isAvailableAction(actionName: string): boolean;
 }
+export declare function createUserProvider(options: {
+    db?: Database;
+    dataSourceManager?: any;
+    currentUser?: any;
+}): UserProvider;
+/**
+ * @internal
+ */
+export declare function parseJsonTemplate(filter: any, options: ParseJsonTemplateOptions): Promise<any>;
+/**
+ * @internal
+ */
+export declare function checkFilterParams(collection: Collection, filter: any): void;
 export {};

package/lib/acl.js

@@ -37,7 +37,10 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var acl_exports = {};
 __export(acl_exports, {
-  ACL: () => ACL
+  ACL: () => ACL,
+  checkFilterParams: () => checkFilterParams,
+  createUserProvider: () => createUserProvider,
+  parseJsonTemplate: () => parseJsonTemplate
 });
 module.exports = __toCommonJS(acl_exports);
 var import_utils = require("@nocobase/utils");
@@ -276,31 +279,6 @@ const _ACL = class _ACL extends import_events.default {
       this.allowManager.allow(resourceName, actionName, condition);
     }
   }
-  /**
-   * @internal
-   */
-  async parseJsonTemplate(json, ctx) {
-    var _a, _b, _c, _d, _e;
-    if (json.filter) {
-      (_b = (_a = ctx.logger) == null ? void 0 : _a.info) == null ? void 0 : _b.call(_a, "parseJsonTemplate.raw", JSON.parse(JSON.stringify(json.filter)));
-      const timezone = (_c = ctx == null ? void 0 : ctx.get) == null ? void 0 : _c.call(ctx, "x-timezone");
-      const state = JSON.parse(JSON.stringify(ctx.state));
-      const filter = await (0, import_utils.parseFilter)(json.filter, {
-        timezone,
-        now: (/* @__PURE__ */ new Date()).toISOString(),
-        vars: {
-          ctx: {
-            state
-          },
-          $user: getUser(ctx),
-          $nRole: /* @__PURE__ */ __name(() => state.currentRole, "$nRole")
-        }
-      });
-      json.filter = filter;
-      (_e = (_d = ctx.logger) == null ? void 0 : _d.info) == null ? void 0 : _e.call(_d, "parseJsonTemplate.parsed", filter);
-    }
-    return json;
-  }
   middleware() {
     const acl = this;
     return /* @__PURE__ */ __name(async function ACLMiddleware(ctx, next) {
@@ -371,40 +349,11 @@ const _ACL = class _ACL extends import_events.default {
   registerSnippet(snippet) {
     this.snippetManager.register(snippet);
   }
-  /**
-   * @internal
-   */
-  filterParams(ctx, resourceName, params) {
-    var _a, _b, _c;
-    if ((_a = params == null ? void 0 : params.filter) == null ? void 0 : _a.createdById) {
-      const collection = ctx.db.getCollection(resourceName);
-      if (!collection || !collection.getField("createdById")) {
-        throw new import_no_permission_error.NoPermissionError("createdById field not found");
-      }
-    }
-    if ((_c = (_b = params == null ? void 0 : params.filter) == null ? void 0 : _b.$or) == null ? void 0 : _c.length) {
-      const checkCreatedById = /* @__PURE__ */ __name((items) => {
-        return items.some(
-          (x) => {
-            var _a2, _b2;
-            return "createdById" in x || ((_a2 = x.$or) == null ? void 0 : _a2.some((y) => "createdById" in y)) || ((_b2 = x.$and) == null ? void 0 : _b2.some((y) => "createdById" in y));
-          }
-        );
-      }, "checkCreatedById");
-      if (checkCreatedById(params.filter.$or)) {
-        const collection = ctx.db.getCollection(resourceName);
-        if (!collection || !collection.getField("createdById")) {
-          throw new import_no_permission_error.NoPermissionError("createdById field not found");
-        }
-      }
-    }
-    return params;
-  }
   addCoreMiddleware() {
     const acl = this;
     this.middlewares.add(
       async (ctx, next) => {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e, _f;
         const resourcerAction = ctx.action;
         const { resourceName, actionName } = ctx.permission;
         const permission = ctx.permission;
@@ -417,10 +366,20 @@ const _ACL = class _ACL extends import_events.default {
         ((_c = ctx.log) == null ? void 0 : _c.debug) && ctx.log.debug("acl params", params);
         try {
           if (params && resourcerAction.mergeParams) {
-            const filteredParams = acl.filterParams(ctx, resourceName, params);
-            const parsedParams = await acl.parseJsonTemplate(filteredParams, ctx);
+            const db = ctx.database ?? ctx.db;
+            const collection = (_d = db == null ? void 0 : db.getCollection) == null ? void 0 : _d.call(db, resourceName);
+            checkFilterParams(collection, params == null ? void 0 : params.filter);
+            const parsedFilter = await parseJsonTemplate(params.filter, {
+              state: ctx.state,
+              timezone: getTimezone(ctx),
+              userProvider: createUserProvider({
+                db: ctx.db,
+                currentUser: (_e = ctx.state) == null ? void 0 : _e.currentUser
+              })
+            });
+            const parsedParams = params.filter ? { ...params, filter: parsedFilter ?? params.filter } : params;
             ctx.permission.parsedParams = parsedParams;
-            ((_d = ctx.log) == null ? void 0 : _d.debug) && ctx.log.debug("acl parsedParams", parsedParams);
+            ((_f = ctx.log) == null ? void 0 : _f.debug) && ctx.log.debug("acl parsedParams", parsedParams);
             ctx.permission.rawParams = import_lodash.default.cloneDeep(resourcerAction.params);
             if (parsedParams.appends && resourcerAction.params.fields) {
               for (const queryField of resourcerAction.params.fields) {
@@ -471,31 +430,99 @@ const _ACL = class _ACL extends import_events.default {
 };
 __name(_ACL, "ACL");
 let ACL = _ACL;
-function getUser(ctx) {
-  const dataSource = ctx.app.dataSourceManager.dataSources.get("main");
-  const db = dataSource.collectionManager.db;
+function getTimezone(ctx) {
+  var _a, _b, _c, _d, _e, _f;
+  return ((_b = (_a = ctx == null ? void 0 : ctx.request) == null ? void 0 : _a.get) == null ? void 0 : _b.call(_a, "x-timezone")) ?? ((_d = (_c = ctx == null ? void 0 : ctx.request) == null ? void 0 : _c.header) == null ? void 0 : _d["x-timezone"]) ?? ((_f = (_e = ctx == null ? void 0 : ctx.req) == null ? void 0 : _e.headers) == null ? void 0 : _f["x-timezone"]);
+}
+__name(getTimezone, "getTimezone");
+function createUserProvider(options) {
+  var _a, _b, _c, _d, _e;
+  const db = options.db ?? ((_e = (_d = (_c = (_b = (_a = options.dataSourceManager) == null ? void 0 : _a.dataSources) == null ? void 0 : _b.get) == null ? void 0 : _c.call(_b, "main")) == null ? void 0 : _d.collectionManager) == null ? void 0 : _e.db);
+  const currentUser = options.currentUser;
   return async ({ fields }) => {
-    var _a, _b;
-    const userFields = fields.filter((f) => f && db.getFieldByPath("users." + f));
-    (_a = ctx.logger) == null ? void 0 : _a.info("filter-parse: ", { userFields });
-    if (!ctx.state.currentUser) {
+    if (!db) {
       return;
     }
+    if (!currentUser) {
+      return;
+    }
+    const userFields = fields.filter((f) => f && db.getFieldByPath("users." + f));
     if (!userFields.length) {
       return;
     }
     const user = await db.getRepository("users").findOne({
-      filterByTk: ctx.state.currentUser.id,
+      filterByTk: currentUser.id,
       fields: userFields
     });
-    (_b = ctx.logger) == null ? void 0 : _b.info("filter-parse: ", {
-      $user: user == null ? void 0 : user.toJSON()
-    });
     return user;
   };
 }
-__name(getUser, "getUser");
+__name(createUserProvider, "createUserProvider");
+function containsCreatedByIdFilter(input, seen = /* @__PURE__ */ new Set()) {
+  if (!input) {
+    return false;
+  }
+  if (Array.isArray(input)) {
+    return input.some((item) => containsCreatedByIdFilter(item, seen));
+  }
+  if (!import_lodash.default.isPlainObject(input)) {
+    return false;
+  }
+  if (seen.has(input)) {
+    return false;
+  }
+  seen.add(input);
+  for (const [key, value] of Object.entries(input)) {
+    if (isCreatedByIdKey(key)) {
+      return true;
+    }
+    if (containsCreatedByIdFilter(value, seen)) {
+      return true;
+    }
+  }
+  return false;
+}
+__name(containsCreatedByIdFilter, "containsCreatedByIdFilter");
+function isCreatedByIdKey(key) {
+  return key === "createdById" || key.startsWith("createdById.") || key.startsWith("createdById$");
+}
+__name(isCreatedByIdKey, "isCreatedByIdKey");
+async function parseJsonTemplate(filter, options) {
+  if (!filter) {
+    return filter;
+  }
+  const timezone = options == null ? void 0 : options.timezone;
+  const state = JSON.parse(JSON.stringify((options == null ? void 0 : options.state) || {}));
+  const parsedFilter = await (0, import_utils.parseFilter)(filter, {
+    timezone,
+    now: (/* @__PURE__ */ new Date()).toISOString(),
+    vars: {
+      ctx: {
+        state
+      },
+      $user: (options == null ? void 0 : options.userProvider) || (async () => void 0),
+      $nRole: /* @__PURE__ */ __name(() => state.currentRole, "$nRole")
+    }
+  });
+  return parsedFilter;
+}
+__name(parseJsonTemplate, "parseJsonTemplate");
+function checkFilterParams(collection, filter) {
+  if (!filter) {
+    return;
+  }
+  if (!containsCreatedByIdFilter(filter)) {
+    return;
+  }
+  if (!collection || !collection.getField("createdById")) {
+    throw new import_no_permission_error.NoPermissionError("createdById field not found");
+  }
+}
+__name(checkFilterParams, "checkFilterParams");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  ACL
+  ACL,
+  checkFilterParams,
+  createUserProvider,
+  parseJsonTemplate
 });

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@nocobase/acl",
-  "version": "1.9.47",
+  "version": "1.9.49",
   "description": "",
   "license": "AGPL-3.0",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
-    "@nocobase/resourcer": "1.9.47",
-    "@nocobase/utils": "1.9.47",
+    "@nocobase/resourcer": "1.9.49",
+    "@nocobase/utils": "1.9.49",
     "minimatch": "^5.1.1"
   },
   "repository": {
@@ -15,5 +15,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/acl"
   },
-  "gitHead": "bc3787003d581cc1453444de53d23c7c41b862d8"
+  "gitHead": "b90fa583f837a84067c354a72574e738cc6c3281"
 }