@nocobase/plugin-acl 0.10.0-alpha.5 → 0.11.0-alpha.1

package/src/server/__tests__/list-action.test.ts

@@ -0,0 +1,446 @@
+import { Database } from '@nocobase/database';
+import { MockServer } from '@nocobase/test';
+import { prepareApp } from './prepare';
+
+describe('list action with acl', () => {
+  let app: MockServer;
+
+  let Post;
+
+  beforeEach(async () => {
+    app = await prepareApp();
+
+    Post = app.db.collection({
+      name: 'posts',
+      fields: [
+        { type: 'string', name: 'title' },
+        {
+          type: 'bigInt',
+          name: 'createdById',
+        },
+        {
+          type: 'belongsTo',
+          name: 'createdBy',
+          target: 'users',
+        },
+      ],
+    });
+
+    await app.db.sync();
+  });
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  it('should list with meta permission that has difference primary key', async () => {
+    const userRole = app.acl.define({
+      role: 'user',
+    });
+
+    app.acl.addFixedParams('tests', 'destroy', () => {
+      return {
+        filter: {
+          $and: [{ 'name.$ne': 't1' }, { 'name.$ne': 't2' }],
+        },
+      };
+    });
+
+    userRole.grantAction('tests:view', {});
+
+    userRole.grantAction('tests:update', {
+      own: true,
+    });
+
+    userRole.grantAction('tests:destroy', {});
+
+    const Test = app.db.collection({
+      name: 'tests',
+      fields: [
+        { type: 'string', name: 'name', primaryKey: true },
+        {
+          type: 'bigInt',
+          name: 'createdById',
+        },
+      ],
+      autoGenId: false,
+      filterTargetKey: 'name',
+    });
+
+    await app.db.sync();
+
+    await Test.repository.create({
+      values: [
+        { name: 't1', createdById: 1 },
+        { name: 't2', createdById: 1 },
+        { name: 't3', createdById: 2 },
+      ],
+    });
+
+    app.resourcer.use(
+      (ctx, next) => {
+        ctx.state.currentRole = 'user';
+        ctx.state.currentUser = {
+          id: 1,
+        };
+
+        return next();
+      },
+      {
+        before: 'acl',
+      },
+    );
+
+    //@ts-ignore
+    const response = await app.agent().set('X-With-ACL-Meta', true).resource('tests').list({});
+
+    const data = response.body;
+    expect(data.meta.allowedActions.view).toEqual(['t1', 't2', 't3']);
+    expect(data.meta.allowedActions.update).toEqual(['t1', 't2']);
+    expect(data.meta.allowedActions.destroy).toEqual(['t3']);
+  });
+
+  it('should list items meta permissions by association field', async () => {
+    const userRole = app.acl.define({
+      role: 'user',
+    });
+
+    userRole.grantAction('posts:view', {});
+
+    userRole.grantAction('posts:update', {
+      filter: {
+        'createdBy.id': '{{ ctx.state.currentUser.id }}',
+      },
+    });
+
+    await Post.repository.create({
+      values: [
+        { title: 'p1', createdById: 1 },
+        { title: 'p2', createdById: 1 },
+        { title: 'p3', createdById: 2 },
+      ],
+    });
+
+    app.resourcer.use(
+      (ctx, next) => {
+        ctx.state.currentRole = 'user';
+        ctx.state.currentUser = {
+          id: 1,
+        };
+
+        return next();
+      },
+      {
+        before: 'acl',
+      },
+    );
+
+    const response = await (app as any).agent().set('X-With-ACL-Meta', true).resource('posts').list();
+    const data = response.body;
+    expect(data.meta.allowedActions.view).toEqual([1, 2, 3]);
+    expect(data.meta.allowedActions.update).toEqual([1, 2]);
+    expect(data.meta.allowedActions.destroy).toEqual([]);
+  });
+
+  it('should list items with meta permission', async () => {
+    const userRole = app.acl.define({
+      role: 'user',
+    });
+
+    userRole.grantAction('posts:view', {});
+
+    userRole.grantAction('posts:update', {
+      own: true,
+    });
+
+    await Post.repository.create({
+      values: [
+        { title: 'p1', createdById: 1 },
+        { title: 'p2', createdById: 1 },
+        { title: 'p3', createdById: 2 },
+      ],
+    });
+
+    app.resourcer.use(
+      (ctx, next) => {
+        ctx.state.currentRole = 'user';
+        ctx.state.currentUser = {
+          id: 1,
+        };
+
+        return next();
+      },
+      {
+        before: 'acl',
+      },
+    );
+
+    // @ts-ignore
+    const response = await app.agent().set('X-With-ACL-Meta', true).resource('posts').list({});
+
+    const data = response.body;
+    expect(data.meta.allowedActions.view).toEqual([1, 2, 3]);
+    expect(data.meta.allowedActions.update).toEqual([1, 2]);
+    expect(data.meta.allowedActions.destroy).toEqual([]);
+  });
+
+  it('should response item permission when request get action', async () => {
+    const userRole = app.acl.define({
+      role: 'user',
+    });
+
+    userRole.grantAction('posts:view', {});
+
+    userRole.grantAction('posts:update', {
+      own: true,
+    });
+
+    await Post.repository.create({
+      values: [
+        { title: 'p1', createdById: 1 },
+        { title: 'p2', createdById: 1 },
+        { title: 'p3', createdById: 2 },
+      ],
+    });
+
+    app.resourcer.use(
+      (ctx, next) => {
+        ctx.state.currentRole = 'user';
+        ctx.state.currentUser = {
+          id: 1,
+        };
+
+        return next();
+      },
+      {
+        before: 'acl',
+      },
+    );
+
+    // @ts-ignore
+    const getResponse = await app.agent().set('X-With-ACL-Meta', true).resource('posts').get({
+      filterByTk: 1,
+    });
+
+    const getBody = getResponse.body;
+
+    expect(getBody.meta.allowedActions).toBeDefined();
+  });
+});
+
+describe('list association action with acl', () => {
+  let app;
+  let db: Database;
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  beforeEach(async () => {
+    app = await prepareApp();
+    db = app.db;
+
+    app.db.collection({
+      name: 'posts',
+      fields: [
+        {
+          type: 'string',
+          name: 'title',
+        },
+        {
+          type: 'hasMany',
+          name: 'comments',
+        },
+      ],
+    });
+
+    app.db.collection({
+      name: 'comments',
+      fields: [
+        {
+          type: 'string',
+          name: 'content',
+        },
+        {
+          type: 'belongsTo',
+          name: 'post',
+        },
+      ],
+    });
+
+    await app.db.sync();
+  });
+
+  it('should list allowedActions', async () => {
+    await db.getRepository('roles').create({
+      values: {
+        name: 'newRole',
+      },
+    });
+
+    const user = await db.getRepository('users').create({
+      values: {
+        roles: ['newRole'],
+      },
+    });
+
+    await db.getRepository('roles.resources', 'newRole').create({
+      values: {
+        name: 'posts',
+        usingActionConfig: true,
+        actions: [
+          {
+            name: 'view',
+            fields: ['title', 'comments'],
+          },
+          {
+            name: 'create',
+            fields: ['title', 'comments'],
+          },
+        ],
+      },
+    });
+
+    const userPlugin = app.getPlugin('users');
+    const userAgent = app.agent().login(user).set('X-With-ACL-Meta', true);
+
+    await userAgent.resource('posts').create({
+      values: {
+        title: 'post1',
+        comments: [{ content: 'comment1' }, { content: 'comment2' }],
+      },
+    });
+
+    const response = await userAgent.resource('posts').list({});
+    expect(response.statusCode).toEqual(200);
+
+    const commentsResponse = await userAgent.resource('posts.comments', 1).list({});
+    const data = commentsResponse.body;
+
+    /**
+     * allowedActions.view == [1]
+     * allowedActions.update = []
+     * allowedActions.destroy = []
+     */
+    expect(data['meta']['allowedActions']).toBeDefined();
+    expect(data['meta']['allowedActions'].view).toContain(1);
+    expect(data['meta']['allowedActions'].view).toContain(2);
+  });
+
+  it('tree list action allowActions', async () => {
+    await db.getRepository('roles').create({
+      values: {
+        name: 'newRole',
+      },
+    });
+
+    const user = await db.getRepository('users').create({
+      values: {
+        roles: ['newRole'],
+      },
+    });
+
+    const userPlugin = app.getPlugin('users');
+    const agent = app.agent().login(user).set('X-With-ACL-Meta', true);
+    app.acl.allow('table_a', ['*']);
+    app.acl.allow('collections', ['*']);
+
+    await agent.resource('collections').create({
+      values: {
+        autoGenId: true,
+        createdBy: false,
+        updatedBy: false,
+        createdAt: false,
+        updatedAt: false,
+        sortable: false,
+        name: 'table_a',
+        template: 'tree',
+        tree: 'adjacency-list',
+        fields: [
+          {
+            interface: 'integer',
+            name: 'parentId',
+            type: 'bigInt',
+            isForeignKey: true,
+            uiSchema: {
+              type: 'number',
+              title: '{{t("Parent ID")}}',
+              'x-component': 'InputNumber',
+              'x-read-pretty': true,
+            },
+            target: 'table_a',
+          },
+          {
+            interface: 'm2o',
+            type: 'belongsTo',
+            name: 'parent',
+            treeParent: true,
+            foreignKey: 'parentId',
+            uiSchema: {
+              title: '{{t("Parent")}}',
+              'x-component': 'AssociationField',
+              'x-component-props': { multiple: false, fieldNames: { label: 'id', value: 'id' } },
+            },
+            target: 'table_a',
+          },
+          {
+            interface: 'o2m',
+            type: 'hasMany',
+            name: 'children',
+            foreignKey: 'parentId',
+            uiSchema: {
+              title: '{{t("Children")}}',
+              'x-component': 'RecordPicker',
+              'x-component-props': { multiple: true, fieldNames: { label: 'id', value: 'id' } },
+            },
+            treeChildren: true,
+            target: 'table_a',
+          },
+          {
+            name: 'id',
+            type: 'bigInt',
+            autoIncrement: true,
+            primaryKey: true,
+            allowNull: false,
+            uiSchema: { type: 'number', title: '{{t("ID")}}', 'x-component': 'InputNumber', 'x-read-pretty': true },
+            interface: 'id',
+          },
+        ],
+        title: 'table_a',
+      },
+    });
+
+    await agent.resource('table_a').create({
+      values: {},
+    });
+
+    await agent.resource('table_a').create({
+      values: {
+        parent: {
+          id: 1,
+        },
+      },
+    });
+
+    await agent.resource('table_a').create({
+      values: {},
+    });
+
+    await agent.resource('table_a').create({
+      values: {
+        parent: {
+          id: 3,
+        },
+      },
+    });
+
+    const res = await agent.resource('table_a').list({
+      filter: JSON.stringify({
+        parentId: null,
+      }),
+      tree: true,
+    });
+
+    expect(res.body.meta.allowedActions.view.sort()).toMatchObject([1, 2, 3, 4]);
+  });
+});

package/src/server/__tests__/middleware.test.ts

@@ -0,0 +1,210 @@
+import { ACL } from '@nocobase/acl';
+import { Database, Model } from '@nocobase/database';
+import UsersPlugin from '@nocobase/plugin-users';
+import { MockServer } from '@nocobase/test';
+import { prepareApp } from './prepare';
+
+describe('middleware', () => {
+  let app: MockServer;
+  let role: Model;
+  let db: Database;
+  let acl: ACL;
+  let admin;
+  let adminAgent;
+
+  beforeEach(async () => {
+    app = await prepareApp();
+    db = app.db;
+    acl = app.acl;
+
+    role = await db.getRepository('roles').findOne({
+      filter: {
+        name: 'admin',
+      },
+    });
+
+    const UserRepo = db.getCollection('users').repository;
+    admin = await UserRepo.create({
+      values: {
+        roles: ['admin'],
+      },
+    });
+
+    const userPlugin = app.getPlugin('users') as UsersPlugin;
+    adminAgent = app.agent().login(admin);
+
+    await db.getRepository('collections').create({
+      values: {
+        name: 'posts',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'title',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'description',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'createdById',
+        type: 'integer',
+      },
+      context: {},
+    });
+  });
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  it('should throw 403 when no permission', async () => {
+    const response = await app.agent().resource('posts').create({
+      values: {},
+    });
+
+    expect(response.statusCode).toEqual(403);
+  });
+
+  it('should return 200 when role has permission', async () => {
+    await db.getRepository('roles').update({
+      filterByTk: 'admin',
+      values: {
+        strategy: {
+          actions: ['create:all'],
+        },
+      },
+    });
+
+    const response = await adminAgent.resource('posts').create({
+      values: {},
+    });
+
+    expect(response.statusCode).toEqual(200);
+  });
+
+  it('should limit fields on view actions', async () => {
+    await adminAgent.resource('roles.resources', role.get('name')).create({
+      values: {
+        name: 'posts',
+        usingActionsConfig: true,
+        actions: [
+          {
+            name: 'create',
+            fields: ['title', 'description'],
+          },
+          {
+            name: 'view',
+            fields: ['title'],
+          },
+        ],
+      },
+    });
+
+    await adminAgent.resource('posts').create({
+      values: {
+        title: 'post-title',
+        description: 'post-description',
+      },
+    });
+
+    const post = await db.getRepository('posts').findOne();
+    expect(post.get('title')).toEqual('post-title');
+    expect(post.get('description')).toEqual('post-description');
+
+    const response = await adminAgent.resource('posts').list({});
+    expect(response.statusCode).toEqual(200);
+
+    const [data] = response.body.data;
+
+    expect(data['id']).not.toBeUndefined();
+    expect(data['title']).toEqual('post-title');
+    expect(data['description']).toBeUndefined();
+  });
+
+  it('should parse template value on action params', async () => {
+    const res = await adminAgent.resource('rolesResourcesScopes').create({
+      values: {
+        name: 'own',
+        scope: {
+          createdById: '{{ ctx.state.currentUser.id }}',
+        },
+      },
+    });
+
+    await adminAgent.resource('roles.resources', role.get('name')).create({
+      values: {
+        name: 'posts',
+        usingActionsConfig: true,
+        actions: [
+          {
+            name: 'create',
+            fields: ['title', 'description', 'createdById'],
+          },
+          {
+            name: 'view',
+            fields: ['title'],
+            scope: res.body.data.id,
+          },
+        ],
+      },
+    });
+
+    await adminAgent.resource('posts').create({
+      values: {
+        title: 't1',
+        description: 'd1',
+        createdById: 1,
+      },
+    });
+
+    await adminAgent.resource('posts').create({
+      values: {
+        title: 't2',
+        description: 'p2',
+        createdById: 2,
+      },
+    });
+
+    const response = await adminAgent.resource('posts').list();
+    const data = response.body.data;
+    expect(data.length).toEqual(1);
+  });
+
+  it('should change fields params to whitelist in create action', async () => {
+    await adminAgent.resource('roles.resources', role.get('name')).create({
+      values: {
+        name: 'posts',
+        usingActionsConfig: true,
+        actions: [
+          {
+            name: 'create',
+            fields: ['title'],
+          },
+        ],
+      },
+    });
+
+    await adminAgent.resource('posts').create({
+      values: {
+        title: 'post-title',
+        description: 'post-description',
+      },
+    });
+
+    const post = await db.getRepository('posts').findOne();
+    expect(post.get('title')).toEqual('post-title');
+    expect(post.get('description')).toBeNull();
+  });
+});