@nocobase/plugin-acl 0.11.1-alpha.5 → 0.12.0-alpha.2

package/dist/server/server.js

@@ -0,0 +1,709 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var acl = require('@nocobase/acl');
+var actions = require('@nocobase/actions');
+var database = require('@nocobase/database');
+var server = require('@nocobase/server');
+var lodash = require('lodash');
+var path = require('path');
+var availableActions = require('./actions/available-actions');
+var roleCheck = require('./actions/role-check');
+var roleCollections = require('./actions/role-collections');
+var userSetDefaultRole = require('./actions/user-setDefaultRole');
+var setCurrentRole = require('./middlewares/setCurrentRole');
+var RoleModel = require('./model/RoleModel');
+var RoleResourceActionModel = require('./model/RoleResourceActionModel');
+var RoleResourceModel = require('./model/RoleResourceModel');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var lodash__default = /*#__PURE__*/_interopDefault(lodash);
+
+class GrantHelper {
+  resourceTargetActionMap = /* @__PURE__ */ new Map();
+  targetActionResourceMap = /* @__PURE__ */ new Map();
+  constructor() {
+  }
+}
+class PluginACL extends server.Plugin {
+  // association field actions config
+  associationFieldsActions = {};
+  grantHelper = new GrantHelper();
+  get acl() {
+    return this.app.acl;
+  }
+  registerAssociationFieldAction(associationType, value) {
+    this.associationFieldsActions[associationType] = value;
+  }
+  registerAssociationFieldsActions() {
+    this.registerAssociationFieldAction("hasOne", {
+      view: {
+        associationActions: ["list", "get", "view"]
+      },
+      create: {
+        associationActions: ["create", "set"]
+      },
+      update: {
+        associationActions: ["update", "remove", "set"]
+      }
+    });
+    this.registerAssociationFieldAction("hasMany", {
+      view: {
+        associationActions: ["list", "get", "view"]
+      },
+      create: {
+        associationActions: ["create", "set", "add"]
+      },
+      update: {
+        associationActions: ["update", "remove", "set"]
+      }
+    });
+    this.registerAssociationFieldAction("belongsTo", {
+      view: {
+        associationActions: ["list", "get", "view"]
+      },
+      create: {
+        associationActions: ["create", "set"]
+      },
+      update: {
+        associationActions: ["update", "remove", "set"]
+      }
+    });
+    this.registerAssociationFieldAction("belongsToMany", {
+      view: {
+        associationActions: ["list", "get", "view"]
+      },
+      create: {
+        associationActions: ["create", "set", "add"]
+      },
+      update: {
+        associationActions: ["update", "remove", "set", "toggle"]
+      }
+    });
+  }
+  async writeResourceToACL(resourceModel, transaction) {
+    await resourceModel.writeToACL({
+      acl: this.acl,
+      associationFieldsActions: this.associationFieldsActions,
+      transaction,
+      grantHelper: this.grantHelper
+    });
+  }
+  async writeActionToACL(actionModel, transaction) {
+    const resource = actionModel.get("resource");
+    const role = this.acl.getRole(resource.get("roleName"));
+    await actionModel.writeToACL({
+      acl: this.acl,
+      role,
+      resourceName: resource.get("name"),
+      associationFieldsActions: this.associationFieldsActions,
+      grantHelper: this.grantHelper
+    });
+  }
+  async writeRolesToACL() {
+    const roles = await this.app.db.getRepository("roles").find({
+      appends: ["resources", "resources.actions"]
+    });
+    for (const role of roles) {
+      await this.writeRoleToACL(role);
+    }
+  }
+  async writeRoleToACL(role, transaction = null) {
+    role.writeToAcl({ acl: this.acl });
+    let resources = role.get("resources");
+    if (!resources) {
+      resources = await role.getResources({ transaction });
+    }
+    for (const resource of resources) {
+      await this.writeResourceToACL(resource, transaction);
+    }
+  }
+  async beforeLoad() {
+    this.db.addMigrations({
+      namespace: this.name,
+      directory: path.resolve(__dirname, "./migrations"),
+      context: {
+        plugin: this
+      }
+    });
+    this.app.db.registerModels({
+      RoleResourceActionModel: RoleResourceActionModel.RoleResourceActionModel,
+      RoleResourceModel: RoleResourceModel.RoleResourceModel,
+      RoleModel: RoleModel.RoleModel
+    });
+    this.app.acl.registerSnippet({
+      name: `pm.${this.name}.roles`,
+      actions: [
+        "roles:*",
+        "roles.snippets:*",
+        "availableActions:list",
+        "roles.collections:list",
+        "roles.resources:*",
+        "uiSchemas:getProperties",
+        "roles.menuUiSchemas:*"
+      ]
+    });
+    this.app.acl.beforeGrantAction((ctx) => {
+      const actionName = this.app.acl.resolveActionAlias(ctx.actionName);
+      const collection = this.app.db.getCollection(ctx.resourceName);
+      if (!collection) {
+        return;
+      }
+      const fieldsParams = ctx.params.fields;
+      if (!fieldsParams) {
+        return;
+      }
+      if (actionName == "view" || actionName == "export") {
+        const associationsFields = fieldsParams.filter((fieldName) => {
+          const field = collection.getField(fieldName);
+          return field instanceof database.RelationField;
+        });
+        ctx.params = {
+          ...ctx.params,
+          fields: lodash__default.default.difference(fieldsParams, associationsFields),
+          appends: associationsFields
+        };
+      }
+    });
+    this.registerAssociationFieldsActions();
+    this.app.resourcer.define(availableActions.availableActionResource);
+    this.app.resourcer.define(roleCollections.roleCollectionsResource);
+    this.app.resourcer.registerActionHandler("roles:check", roleCheck.checkAction);
+    this.app.resourcer.registerActionHandler(`users:setDefaultRole`, userSetDefaultRole.setDefaultRole);
+    this.db.on("users.afterCreateWithAssociations", async (model, options) => {
+      const { transaction } = options;
+      const repository = this.app.db.getRepository("roles");
+      const defaultRole = await repository.findOne({
+        filter: {
+          default: true
+        },
+        transaction
+      });
+      if (defaultRole && await model.countRoles({ transaction }) == 0) {
+        await model.addRoles(defaultRole, { transaction });
+      }
+    });
+    this.app.on("acl:writeRoleToACL", async (roleModel) => {
+      await this.writeRoleToACL(roleModel);
+    });
+    this.app.db.on("roles.afterSaveWithAssociations", async (model, options) => {
+      const { transaction } = options;
+      await this.writeRoleToACL(model, transaction);
+      if (model.get("default")) {
+        await this.app.db.getRepository("roles").update({
+          values: {
+            default: false
+          },
+          filter: {
+            "name.$ne": model.get("name")
+          },
+          hooks: false,
+          transaction
+        });
+      }
+    });
+    this.app.db.on("roles.afterDestroy", (model) => {
+      const roleName = model.get("name");
+      this.acl.removeRole(roleName);
+    });
+    this.app.db.on("rolesResources.afterSaveWithAssociations", async (model, options) => {
+      await this.writeResourceToACL(model, options.transaction);
+    });
+    this.app.db.on("rolesResourcesActions.afterUpdateWithAssociations", async (model, options) => {
+      const { transaction } = options;
+      const resource = await model.getResource({
+        transaction
+      });
+      await this.writeResourceToACL(resource, transaction);
+    });
+    this.app.db.on("rolesResources.afterDestroy", async (model, options) => {
+      const role = this.acl.getRole(model.get("roleName"));
+      if (role) {
+        role.revokeResource(model.get("name"));
+      }
+    });
+    this.app.db.on("collections.afterDestroy", async (model, options) => {
+      const { transaction } = options;
+      await this.app.db.getRepository("rolesResources").destroy({
+        filter: {
+          name: model.get("name")
+        },
+        transaction
+      });
+    });
+    this.app.db.on("fields.afterCreate", async (model, options) => {
+      const { transaction } = options;
+      const collectionName = model.get("collectionName");
+      const fieldName = model.get("name");
+      const resourceActions = await this.app.db.getRepository("rolesResourcesActions").find({
+        filter: {
+          "resource.name": collectionName
+        },
+        transaction,
+        appends: ["resource"]
+      });
+      for (const resourceAction of resourceActions) {
+        const fields = resourceAction.get("fields");
+        const newFields = [...fields, fieldName];
+        await this.app.db.getRepository("rolesResourcesActions").update({
+          filterByTk: resourceAction.get("id"),
+          values: {
+            fields: newFields
+          },
+          transaction
+        });
+      }
+    });
+    this.app.db.on("fields.afterDestroy", async (model, options) => {
+      const collectionName = model.get("collectionName");
+      const fieldName = model.get("name");
+      const resourceActions = await this.app.db.getRepository("rolesResourcesActions").find({
+        filter: {
+          "resource.name": collectionName,
+          "fields.$anyOf": [fieldName]
+        },
+        transaction: options.transaction
+      });
+      for (const resourceAction of resourceActions) {
+        const fields = resourceAction.get("fields");
+        const newFields = fields.filter((field) => field != fieldName);
+        await this.app.db.getRepository("rolesResourcesActions").update({
+          filterByTk: resourceAction.get("id"),
+          values: {
+            fields: newFields
+          },
+          transaction: options.transaction
+        });
+      }
+    });
+    this.app.on("afterLoad", async (app, options) => {
+      if ((options == null ? void 0 : options.method) === "install" || (options == null ? void 0 : options.method) === "upgrade") {
+        return;
+      }
+      const exists = await this.app.db.collectionExistsInDb("roles");
+      if (exists) {
+        await this.writeRolesToACL();
+      }
+    });
+    this.app.on("afterInstall", async (app, options) => {
+      const exists = await this.app.db.collectionExistsInDb("roles");
+      if (exists) {
+        await this.writeRolesToACL();
+      }
+    });
+    this.app.on("afterInstallPlugin", async (plugin) => {
+      if (plugin.getName() !== "users") {
+        return;
+      }
+      const User = this.db.getCollection("users");
+      await User.repository.update({
+        values: {
+          roles: ["root", "admin", "member"]
+        },
+        forceUpdate: true
+      });
+      const RolesUsers = this.db.getCollection("rolesUsers");
+      await RolesUsers.repository.update({
+        filter: {
+          userId: 1,
+          roleName: "root"
+        },
+        values: {
+          default: true
+        }
+      });
+    });
+    this.app.on("beforeInstallPlugin", async (plugin) => {
+      if (plugin.getName() !== "users") {
+        return;
+      }
+      const roles = this.app.db.getRepository("roles");
+      await roles.createMany({
+        records: [
+          {
+            name: "root",
+            title: '{{t("Root")}}',
+            hidden: true,
+            snippets: ["ui.*", "pm", "pm.*"]
+          },
+          {
+            name: "admin",
+            title: '{{t("Admin")}}',
+            allowConfigure: true,
+            allowNewMenu: true,
+            strategy: { actions: ["create", "view", "update", "destroy"] },
+            snippets: ["ui.*", "pm", "pm.*"]
+          },
+          {
+            name: "member",
+            title: '{{t("Member")}}',
+            allowNewMenu: true,
+            strategy: { actions: ["view", "update:own", "destroy:own", "create"] },
+            default: true,
+            snippets: ["!ui.*", "!pm", "!pm.*"]
+          }
+        ]
+      });
+      const rolesResourcesScopes = this.app.db.getRepository("rolesResourcesScopes");
+      await rolesResourcesScopes.createMany({
+        records: [
+          {
+            key: "all",
+            name: '{{t("All records")}}',
+            scope: {}
+          },
+          {
+            key: "own",
+            name: '{{t("Own records")}}',
+            scope: {
+              createdById: "{{ ctx.state.currentUser.id }}"
+            }
+          }
+        ]
+      });
+    });
+    this.app.resourcer.use(setCurrentRole.setCurrentRole, { tag: "setCurrentRole", before: "acl", after: "auth" });
+    this.app.acl.allow("users", "setDefaultRole", "loggedIn");
+    this.app.acl.allow("roles", "check", "loggedIn");
+    this.app.acl.allow("*", "*", (ctx) => {
+      return ctx.state.currentRole === "root";
+    });
+    this.app.acl.addFixedParams("collections", "destroy", () => {
+      return {
+        filter: {
+          $and: [{ "name.$ne": "roles" }, { "name.$ne": "rolesUsers" }]
+        }
+      };
+    });
+    this.app.acl.addFixedParams("rolesResourcesScopes", "destroy", () => {
+      return {
+        filter: {
+          $and: [{ "key.$ne": "all" }, { "key.$ne": "own" }]
+        }
+      };
+    });
+    this.app.acl.addFixedParams("rolesResourcesScopes", "update", () => {
+      return {
+        filter: {
+          $and: [{ "key.$ne": "all" }, { "key.$ne": "own" }]
+        }
+      };
+    });
+    this.app.acl.addFixedParams("roles", "destroy", () => {
+      return {
+        filter: {
+          $and: [{ "name.$ne": "root" }, { "name.$ne": "admin" }, { "name.$ne": "member" }]
+        }
+      };
+    });
+    this.app.resourcer.use(async (ctx, next) => {
+      const { actionName, resourceName, params } = ctx.action;
+      const { showAnonymous } = params || {};
+      if (actionName === "list" && resourceName === "roles") {
+        if (!showAnonymous) {
+          ctx.action.mergeParams({
+            filter: {
+              "name.$ne": "anonymous"
+            }
+          });
+        }
+      }
+      if (actionName === "update" && resourceName === "roles.resources") {
+        ctx.action.mergeParams({
+          updateAssociationValues: ["actions"]
+        });
+      }
+      await next();
+    });
+    this.app.acl.use(async (ctx, next) => {
+      var _a, _b, _c, _d, _e;
+      const { actionName, resourceName } = ctx.action;
+      if (actionName === "get" || actionName === "list") {
+        if (!Array.isArray((_c = (_b = (_a = ctx == null ? void 0 : ctx.permission) == null ? void 0 : _a.can) == null ? void 0 : _b.params) == null ? void 0 : _c.fields)) {
+          return next();
+        }
+        let collection;
+        if (resourceName.includes(".")) {
+          const [collectionName, associationName] = resourceName.split(".");
+          const field = (_e = (_d = ctx.db.getCollection(collectionName)) == null ? void 0 : _d.getField) == null ? void 0 : _e.call(_d, associationName);
+          if (field.target) {
+            collection = ctx.db.getCollection(field.target);
+          }
+        } else {
+          collection = ctx.db.getCollection(resourceName);
+        }
+        if (collection && collection.hasField("createdById")) {
+          ctx.permission.can.params.fields.push("createdById");
+        }
+      }
+      return next();
+    });
+    const parseJsonTemplate = this.app.acl.parseJsonTemplate;
+    this.app.acl.use(
+      async (ctx, next) => {
+        var _a, _b, _c, _d;
+        const { actionName, resourceName, resourceOf } = ctx.action;
+        if (resourceName.includes(".") && resourceOf) {
+          if (!((_b = (_a = ctx == null ? void 0 : ctx.permission) == null ? void 0 : _a.can) == null ? void 0 : _b.params)) {
+            return next();
+          }
+          delete ctx.permission.can.params.filter;
+          const [collectionName] = resourceName.split(".");
+          const action = ctx.can({ resource: collectionName, action: actionName });
+          const availableAction = this.app.acl.getAvailableAction(actionName);
+          if ((_c = availableAction == null ? void 0 : availableAction.options) == null ? void 0 : _c.onNewRecord) {
+            if (action) {
+              ctx.permission.skip = true;
+            } else {
+              ctx.permission.can = false;
+            }
+          } else {
+            const filter = await parseJsonTemplate(((_d = action == null ? void 0 : action.params) == null ? void 0 : _d.filter) || {}, ctx);
+            const sourceInstance = await ctx.db.getRepository(collectionName).findOne({
+              filterByTk: resourceOf,
+              filter
+            });
+            if (!sourceInstance) {
+              ctx.permission.can = false;
+            }
+          }
+        }
+        await next();
+      },
+      {
+        before: "core"
+      }
+    );
+    this.app.acl.use(
+      async (ctx, next) => {
+        var _a, _b;
+        const action = (_b = (_a = ctx.permission) == null ? void 0 : _a.can) == null ? void 0 : _b.action;
+        if (action == "destroy" && !ctx.action.resourceName.includes(".")) {
+          const repository = actions.utils.getRepositoryFromParams(ctx);
+          const filteredCount = await repository.count(ctx.permission.mergedParams);
+          const queryCount = await repository.count(ctx.permission.rawParams);
+          if (queryCount > filteredCount) {
+            ctx.throw(403, "No permissions");
+            return;
+          }
+        }
+        await next();
+      },
+      {
+        after: "core",
+        group: "after"
+      }
+    );
+    const withACLMeta = async (ctx, next) => {
+      var _a, _b, _c;
+      await next();
+      if (!ctx.action || !ctx.get("X-With-ACL-Meta") || ctx.status !== 200) {
+        return;
+      }
+      const { resourceName, actionName } = ctx.action;
+      if (!["list", "get"].includes(actionName)) {
+        return;
+      }
+      const collection = ctx.db.getCollection(resourceName);
+      if (!collection) {
+        return;
+      }
+      const Model = collection.model;
+      const primaryKeyField = Model.primaryKeyField || Model.primaryKeyAttribute;
+      const dataPath = ((_a = ctx.body) == null ? void 0 : _a.rows) ? "body.rows" : "body";
+      let listData = lodash__default.default.get(ctx, dataPath);
+      if (actionName == "get") {
+        listData = lodash__default.default.castArray(listData);
+      }
+      const inspectActions = ["view", "update", "destroy"];
+      const actionsParams = [];
+      for (const action of inspectActions) {
+        const actionCtx = {
+          db: ctx.db,
+          action: {
+            actionName: action,
+            name: action,
+            params: {},
+            resourceName: ctx.action.resourceName,
+            resourceOf: ctx.action.resourceOf,
+            mergeParams() {
+            }
+          },
+          state: {
+            currentRole: ctx.state.currentRole,
+            currentUser: (() => {
+              var _a2;
+              if (!ctx.state.currentUser) {
+                return null;
+              }
+              if (ctx.state.currentUser.toJSON) {
+                return (_a2 = ctx.state.currentUser) == null ? void 0 : _a2.toJSON();
+              }
+              return ctx.state.currentUser;
+            })()
+          },
+          permission: {},
+          throw(...args) {
+            throw new acl.NoPermissionError(...args);
+          }
+        };
+        try {
+          await this.app.acl.getActionParams(actionCtx);
+        } catch (e) {
+          if (e instanceof acl.NoPermissionError) {
+            continue;
+          }
+          throw e;
+        }
+        actionsParams.push([
+          action,
+          ((_b = actionCtx.permission) == null ? void 0 : _b.can) === null && !actionCtx.permission.skip ? null : ((_c = actionCtx.permission) == null ? void 0 : _c.parsedParams) || {},
+          actionCtx
+        ]);
+      }
+      const ids = (() => {
+        if (collection.options.tree) {
+          if (listData.length == 0)
+            return [];
+          const getAllNodeIds = (data) => [data[primaryKeyField], ...(data.children || []).flatMap(getAllNodeIds)];
+          return listData.map((tree) => getAllNodeIds(tree.toJSON())).flat();
+        }
+        return listData.map((item) => item[primaryKeyField]);
+      })();
+      const conditions = [];
+      const allAllowed = [];
+      for (const [action, params, actionCtx] of actionsParams) {
+        if (!params) {
+          continue;
+        }
+        if (lodash__default.default.isEmpty(params) || lodash__default.default.isEmpty(params.filter)) {
+          allAllowed.push(action);
+          continue;
+        }
+        const queryParams = collection.repository.buildQueryOptions({
+          ...params,
+          context: actionCtx
+        });
+        const actionSql = ctx.db.sequelize.queryInterface.queryGenerator.selectQuery(
+          Model.getTableName(),
+          {
+            where: (() => {
+              const filterObj = queryParams.where;
+              if (!this.db.options.underscored) {
+                return filterObj;
+              }
+              const isAssociationKey = (key) => {
+                return key.startsWith("$") && key.endsWith("$");
+              };
+              const iterate = (rootObj, path = []) => {
+                const obj = path.length == 0 ? rootObj : lodash__default.default.get(rootObj, path);
+                if (Array.isArray(obj)) {
+                  for (let i = 0; i < obj.length; i++) {
+                    if (obj[i] === null) {
+                      continue;
+                    }
+                    if (typeof obj[i] === "object") {
+                      iterate(rootObj, [...path, i]);
+                    }
+                  }
+                  return;
+                }
+                Reflect.ownKeys(obj).forEach((key) => {
+                  if (Array.isArray(obj) && key == "length") {
+                    return;
+                  }
+                  if (typeof obj[key] === "object" && obj[key] !== null || typeof obj[key] === "symbol") {
+                    iterate(rootObj, [...path, key]);
+                  }
+                  if (typeof key === "string" && key !== database.snakeCase(key)) {
+                    const setKey = isAssociationKey(key) ? (() => {
+                      const parts = key.split(".");
+                      parts[parts.length - 1] = lodash__default.default.snakeCase(parts[parts.length - 1]);
+                      const result = parts.join(".");
+                      return result.endsWith("$") ? result : `${result}$`;
+                    })() : database.snakeCase(key);
+                    const setValue = lodash__default.default.cloneDeep(obj[key]);
+                    lodash__default.default.unset(rootObj, [...path, key]);
+                    lodash__default.default.set(rootObj, [...path, setKey], setValue);
+                  }
+                });
+              };
+              iterate(filterObj);
+              return filterObj;
+            })(),
+            attributes: [primaryKeyField],
+            includeIgnoreAttributes: false
+          },
+          Model
+        );
+        const whereCase = actionSql.match(/WHERE (.*?);/)[1];
+        conditions.push({
+          whereCase,
+          action,
+          include: queryParams.include
+        });
+      }
+      const results = await collection.model.findAll({
+        where: {
+          [primaryKeyField]: ids
+        },
+        attributes: [
+          primaryKeyField,
+          ...conditions.map((condition) => {
+            return [ctx.db.sequelize.literal(`CASE WHEN ${condition.whereCase} THEN 1 ELSE 0 END`), condition.action];
+          })
+        ],
+        include: conditions.map((condition) => condition.include).flat()
+      });
+      const allowedActions = inspectActions.map((action) => {
+        if (allAllowed.includes(action)) {
+          return [action, ids];
+        }
+        return [action, results.filter((item) => Boolean(item.get(action))).map((item) => item.get(primaryKeyField))];
+      }).reduce((acc, [action, ids2]) => {
+        acc[action] = ids2;
+        return acc;
+      }, {});
+      if (actionName == "get") {
+        ctx.bodyMeta = {
+          ...ctx.bodyMeta || {},
+          allowedActions
+        };
+      }
+      if (actionName == "list") {
+        ctx.body.allowedActions = allowedActions;
+      }
+    };
+    this.app.use(
+      async (ctx, next) => {
+        try {
+          await withACLMeta(ctx, next);
+        } catch (error) {
+          ctx.logger.error(error);
+        }
+      },
+      { after: "restApi", group: "after" }
+    );
+  }
+  async install() {
+    const repo = this.db.getRepository("collections");
+    if (repo) {
+      await repo.db2cm("roles");
+    }
+  }
+  async load() {
+    await this.importCollections(path.resolve(__dirname, "collections"));
+    this.db.extendCollection({
+      name: "rolesUischemas",
+      namespace: "acl.acl",
+      duplicator: "required"
+    });
+  }
+}
+var server_default = PluginACL;
+
+exports.GrantHelper = GrantHelper;
+exports.PluginACL = PluginACL;
+exports.default = server_default;