@nocobase/plugin-acl 0.7.0-alpha.1

package/src/__tests__/association-field.test.ts

@@ -0,0 +1,297 @@
+import { ACL } from '@nocobase/acl';
+import { Database, HasManyRepository, Model } from '@nocobase/database';
+import { MockServer } from '@nocobase/test';
+import { prepareApp } from './prepare';
+
+describe('association field acl', () => {
+  let app: MockServer;
+  let db: Database;
+  let acl: ACL;
+
+  let role: Model;
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  beforeEach(async () => {
+    app = await prepareApp();
+    db = app.db;
+    acl = app.acl;
+
+    role = await db.getRepository('roles').create({
+      values: {
+        name: 'admin',
+        title: 'Admin User',
+        allowConfigure: true,
+      },
+    });
+
+    await db.getRepository('collections').create({
+      values: {
+        name: 'users',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections').create({
+      values: {
+        name: 'orders',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'users').create({
+      values: {
+        name: 'name',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'users').create({
+      values: {
+        name: 'age',
+        type: 'integer',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'users').create({
+      values: {
+        interface: 'linkTo',
+        name: 'orders',
+        type: 'hasMany',
+        target: 'orders',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'orders').create({
+      values: {
+        name: 'content',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await app
+      .agent()
+      .resource('roles.resources')
+      .create({
+        associatedIndex: 'admin',
+        values: {
+          name: 'users',
+          usingActionsConfig: true,
+          actions: [
+            {
+              name: 'create',
+              fields: ['orders'],
+            },
+            {
+              name: 'view',
+              fields: ['orders'],
+            },
+          ],
+        },
+      });
+  });
+
+  it('should revoke target action on association action revoke', async () => {
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'orders',
+        action: 'list',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'orders',
+      action: 'list',
+    });
+
+    await app
+      .agent()
+      .resource('roles.resources')
+      .update({
+        associatedIndex: 'admin',
+        values: {
+          name: 'users',
+          usingActionsConfig: true,
+          actions: [],
+        },
+      });
+
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'orders',
+        action: 'list',
+      }),
+    ).toBeNull();
+  });
+
+  it('should revoke association action on action revoke', async () => {
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'users.orders',
+        action: 'add',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'users.orders',
+      action: 'add',
+    });
+
+    const viewAction = await db.getRepository('rolesResourcesActions').findOne({
+      filter: {
+        name: 'view',
+      },
+    });
+
+    const actionId = viewAction.get('id') as number;
+
+    const response = await app
+      .agent()
+      .resource('roles.resources')
+      .update({
+        associatedIndex: 'admin',
+        values: {
+          name: 'users',
+          usingActionsConfig: true,
+          actions: [
+            {
+              id: actionId,
+            },
+          ],
+        },
+      });
+
+    expect(response.statusCode).toEqual(200);
+
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'users.orders',
+        action: 'add',
+      }),
+    ).toBeNull();
+  });
+
+  it('should revoke association action on field deleted', async () => {
+    await app
+      .agent()
+      .resource('roles.resources')
+      .update({
+        associatedIndex: 'admin',
+        values: {
+          name: 'users',
+          usingActionsConfig: true,
+          actions: [
+            {
+              name: 'create',
+              fields: ['name', 'age'],
+            },
+          ],
+        },
+      });
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'users',
+        action: 'create',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'users',
+      action: 'create',
+      params: {
+        whitelist: ['age', 'name'],
+      },
+    });
+    const roleResource = await db.getRepository('rolesResources').findOne({
+      filter: {
+        name: 'users',
+      },
+    });
+
+    const action = await db
+      .getRepository<HasManyRepository>('rolesResources.actions', roleResource.get('id') as string)
+      .findOne({
+        filter: {
+          name: 'create',
+        },
+      });
+
+    expect(action.get('fields').includes('name')).toBeTruthy();
+
+    // remove field
+    await db.getRepository<HasManyRepository>('collections.fields', 'users').destroy({
+      filter: {
+        name: 'name',
+      },
+      context: {},
+    });
+
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'users',
+        action: 'create',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'users',
+      action: 'create',
+      params: {
+        whitelist: ['age'],
+      },
+    });
+  });
+
+  it('should allow association fields access', async () => {
+    const createResponse = await app
+      .agent()
+      .resource('users')
+      .create({
+        values: {
+          orders: [
+            {
+              content: 'apple',
+            },
+          ],
+        },
+      });
+
+    expect(createResponse.statusCode).toEqual(200);
+
+    const user = await db.getRepository('users').findOne();
+    // @ts-ignore
+    expect(await user.countOrders()).toEqual(1);
+
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'users.orders',
+        action: 'list',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'users.orders',
+      action: 'list',
+    });
+
+    expect(
+      acl.can({
+        role: 'admin',
+        resource: 'orders',
+        action: 'list',
+      }),
+    ).toMatchObject({
+      role: 'admin',
+      resource: 'orders',
+      action: 'list',
+    });
+  });
+});

package/src/__tests__/configuration.test.ts

@@ -0,0 +1,45 @@
+import { MockServer } from '@nocobase/test';
+import { Database } from '@nocobase/database';
+import { ACL } from '@nocobase/acl';
+import { UiSchemaRepository } from '@nocobase/plugin-ui-schema-storage';
+import { changeMockRole, prepareApp } from './prepare';
+
+describe('configuration', () => {
+  let app: MockServer;
+  let db: Database;
+  let acl: ACL;
+
+  let uiSchemaRepository: UiSchemaRepository;
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  beforeEach(async () => {
+    app = await prepareApp();
+    db = app.db;
+    acl = app.acl;
+
+    uiSchemaRepository = db.getRepository('uiSchemas');
+  });
+
+  it('should list collections', async () => {
+    expect((await app.agent().resource('collections').create()).statusCode).toEqual(403);
+    expect((await app.agent().resource('collections').list()).statusCode).toEqual(200);
+  });
+
+  it('should allow when role has allowConfigure with true value', async () => {
+    await db.getRepository('roles').create({
+      values: {
+        name: 'admin1',
+        title: 'admin allowConfigure',
+        allowConfigure: true,
+      },
+    });
+
+    changeMockRole('admin1');
+
+    expect((await app.agent().resource('collections').create()).statusCode).toEqual(200);
+    expect((await app.agent().resource('collections').list()).statusCode).toEqual(200);
+  });
+});

package/src/__tests__/middleware.test.ts

@@ -0,0 +1,233 @@
+import { ACL } from '@nocobase/acl';
+import { Database, Model } from '@nocobase/database';
+import { MockServer } from '@nocobase/test';
+import { changeMockUser, prepareApp } from './prepare';
+
+describe('middleware', () => {
+  let app: MockServer;
+  let role: Model;
+  let db: Database;
+  let acl: ACL;
+
+  beforeEach(async () => {
+    app = await prepareApp();
+    db = app.db;
+    acl = app.acl;
+
+    await db.getRepository('roles').create({
+      values: {
+        name: 'admin',
+        title: 'Admin User',
+        allowConfigure: true,
+      },
+    });
+
+    role = await db.getRepository('roles').findOne({
+      filter: {
+        name: 'admin',
+      },
+    });
+
+    await db.getRepository('collections').create({
+      values: {
+        name: 'posts',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'title',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'description',
+        type: 'string',
+      },
+      context: {},
+    });
+
+    await db.getRepository('collections.fields', 'posts').create({
+      values: {
+        name: 'createdById',
+        type: 'integer',
+      },
+      context: {},
+    });
+  });
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  it('should throw 403 when no permission', async () => {
+    const response = await app.agent().resource('posts').create({
+      values: {},
+    });
+
+    expect(response.statusCode).toEqual(403);
+  });
+
+  it('should return 200 when role has permission', async () => {
+    await db.getRepository('roles').update({
+      filterByTk: 'admin',
+      values: {
+        strategy: {
+          actions: ['create:all'],
+        },
+      },
+    });
+
+    const response = await app.agent().resource('posts').create({
+      values: {},
+    });
+
+    expect(response.statusCode).toEqual(200);
+  });
+
+  it('should limit fields on view actions', async () => {
+    await app
+      .agent()
+      .resource('roles.resources', role.get('name'))
+      .create({
+        values: {
+          name: 'posts',
+          usingActionsConfig: true,
+          actions: [
+            {
+              name: 'create',
+              fields: ['title', 'description'],
+            },
+            {
+              name: 'view',
+              fields: ['title'],
+            },
+          ],
+        },
+      });
+
+    await app
+      .agent()
+      .resource('posts')
+      .create({
+        values: {
+          title: 'post-title',
+          description: 'post-description',
+        },
+      });
+
+    const post = await db.getRepository('posts').findOne();
+    expect(post.get('title')).toEqual('post-title');
+    expect(post.get('description')).toEqual('post-description');
+
+    const response = await app.agent().resource('posts').list({});
+    expect(response.statusCode).toEqual(200);
+
+    const data = response.body.data[0];
+
+    expect(data['id']).not.toBeUndefined();
+    expect(data['title']).toEqual('post-title');
+    expect(data['description']).toBeUndefined();
+  });
+
+  it('should parse template value on action params', async () => {
+    changeMockUser({
+      id: 2,
+    });
+
+    const res = await app
+      .agent()
+      .resource('rolesResourcesScopes')
+      .create({
+        values: {
+          name: 'own',
+          scope: {
+            createdById: '{{ ctx.state.currentUser.id }}',
+          },
+        },
+      });
+
+    await app
+      .agent()
+      .resource('roles.resources', role.get('name'))
+      .create({
+        values: {
+          name: 'posts',
+          usingActionsConfig: true,
+          actions: [
+            {
+              name: 'create',
+              fields: ['title', 'description', 'createdById'],
+            },
+            {
+              name: 'view',
+              fields: ['title'],
+              scope: res.body.data.id,
+            },
+          ],
+        },
+      });
+
+    await app
+      .agent()
+      .resource('posts')
+      .create({
+        values: {
+          title: 't1',
+          description: 'd1',
+          createdById: 1,
+        },
+      });
+
+    await app
+      .agent()
+      .resource('posts')
+      .create({
+        values: {
+          title: 't2',
+          description: 'p2',
+          createdById: 2,
+        },
+      });
+
+    const response = await app.agent().resource('posts').list();
+    const data = response.body.data;
+    expect(data.length).toEqual(1);
+  });
+
+  it('should change fields params to whitelist in create action', async () => {
+    await app
+      .agent()
+      .resource('roles.resources', role.get('name'))
+      .create({
+        values: {
+          name: 'posts',
+          usingActionsConfig: true,
+          actions: [
+            {
+              name: 'create',
+              fields: ['title'],
+            },
+          ],
+        },
+      });
+
+    await app
+      .agent()
+      .resource('posts')
+      .create({
+        values: {
+          title: 'post-title',
+          description: 'post-description',
+        },
+      });
+
+    const post = await db.getRepository('posts').findOne();
+    expect(post.get('title')).toEqual('post-title');
+    expect(post.get('description')).toBeNull();
+  });
+});

package/src/__tests__/own.test.ts

@@ -0,0 +1,140 @@
+import { mockServer, MockServer } from '@nocobase/test';
+import { Database } from '@nocobase/database';
+import { ACL } from '@nocobase/acl';
+import { UiSchemaRepository } from '@nocobase/plugin-ui-schema-storage';
+import PluginUiSchema from '@nocobase/plugin-ui-schema-storage';
+import PluginCollectionManager from '@nocobase/plugin-collection-manager';
+import PluginACL from '@nocobase/plugin-acl';
+import PluginUser from '@nocobase/plugin-users';
+import supertest from 'supertest';
+
+describe('own test', () => {
+  let app: MockServer;
+  let db: Database;
+  let acl: ACL;
+
+  let pluginUser: PluginUser;
+  let adminToken: string;
+  let userToken: string;
+
+  let admin;
+  let user;
+
+  let role;
+  let agent;
+
+  afterEach(async () => {
+    await app.destroy();
+  });
+
+  beforeEach(async () => {
+    app = mockServer({
+      registerActions: true,
+    });
+
+    await app.cleanDb();
+
+    app.plugin(PluginUiSchema);
+    app.plugin(PluginCollectionManager);
+    app.plugin(PluginUser, {
+      jwt: {
+        secret: process.env.JWT_SECRET || '09f26e402586e2faa8da4c98a35f1b20d6b033c60',
+      },
+    });
+
+    app.plugin(PluginACL);
+    await app.loadAndInstall();
+    db = app.db;
+
+    const PostCollection = db.collection({
+      name: 'posts',
+      fields: [
+        { type: 'string', name: 'title' },
+        { type: 'belongsToMany', name: 'tags' },
+      ],
+      createdBy: true,
+    });
+
+    const TagCollection = db.collection({
+      name: 'tags',
+      fields: [
+        { type: 'string', name: 'name' },
+        { type: 'belongsToMany', name: 'posts' },
+      ],
+      createdBy: true,
+    });
+
+    const TestCollection = db.collection({
+      name: 'tests',
+      fields: [{ type: 'string', name: 'name' }],
+    });
+
+    await app.db.sync();
+
+    agent = supertest.agent(app.callback());
+
+    acl = app.acl;
+
+    role = await db.getRepository('roles').findOne({
+      filter: {
+        name: 'admin',
+      },
+    });
+
+    admin = await db.getRepository('users').findOne();
+
+    pluginUser = app.getPlugin('@nocobase/plugin-users');
+
+    adminToken = pluginUser.jwtService.sign({ userId: admin.get('id') });
+
+    user = await db.getRepository('users').create({
+      values: {
+        nickname: 'test',
+        roles: ['admin'],
+      },
+    });
+
+    userToken = pluginUser.jwtService.sign({ userId: user.get('id') });
+  });
+
+  it('should list without createBy', async () => {
+    let response = await agent
+      .patch('/roles/admin')
+      .send({
+        strategy: {
+          actions: ['view:own'],
+        },
+      })
+      .set({ Authorization: 'Bearer ' + adminToken });
+
+    response = await agent.get('/tests:list').set({ Authorization: 'Bearer ' + userToken });
+    expect(response.statusCode).toEqual(200);
+  });
+
+  it('should delete with createdBy', async () => {
+    let response = await agent
+      .patch('/roles/admin')
+      .send({
+        strategy: {
+          actions: ['view:own', 'create', 'destroy:own'],
+        },
+      })
+      .set({ Authorization: 'Bearer ' + adminToken });
+
+    response = await agent
+      .get('/posts:create')
+      .send({
+        title: 't1',
+      })
+      .set({ Authorization: 'Bearer ' + userToken });
+
+    expect(response.statusCode).toEqual(200);
+
+    const data = response.body;
+    const id = data.data['id'];
+
+    response = await agent.delete(`/posts/${id}`).set({ Authorization: 'Bearer ' + userToken });
+    expect(response.statusCode).toEqual(200);
+    expect(await db.getRepository('posts').count()).toEqual(0);
+  });
+});