npm - @nocobase/plugin-acl - Versions diffs - 0.7.0-alpha.1 - Mend

@nocobase/plugin-acl 0.7.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (98) hide show

package/LICENSE +201 -0
package/esm/actions/available-actions.d.ts +7 -0
package/esm/actions/available-actions.js +26 -0
package/esm/actions/available-actions.js.map +1 -0
package/esm/actions/role-check.d.ts +1 -0
package/esm/actions/role-check.js +38 -0
package/esm/actions/role-check.js.map +1 -0
package/esm/actions/role-collections.d.ts +7 -0
package/esm/actions/role-collections.js +54 -0
package/esm/actions/role-collections.js.map +1 -0
package/esm/collections/roles.d.ts +3 -0
package/esm/collections/roles.js +78 -0
package/esm/collections/roles.js.map +1 -0
package/esm/collections/rolesResources.d.ts +3 -0
package/esm/collections/rolesResources.js +30 -0
package/esm/collections/rolesResources.js.map +1 -0
package/esm/collections/rolesResourcesActions.d.ts +3 -0
package/esm/collections/rolesResourcesActions.js +27 -0
package/esm/collections/rolesResourcesActions.js.map +1 -0
package/esm/collections/rolesResourcesScopes.d.ts +3 -0
package/esm/collections/rolesResourcesScopes.js +22 -0
package/esm/collections/rolesResourcesScopes.js.map +1 -0
package/esm/index.d.ts +1 -0
package/esm/index.js +2 -0
package/esm/index.js.map +1 -0
package/esm/model/RoleModel.d.ts +7 -0
package/esm/model/RoleModel.js +15 -0
package/esm/model/RoleModel.js.map +1 -0
package/esm/model/RoleResourceActionModel.d.ts +12 -0
package/esm/model/RoleResourceActionModel.js +65 -0
package/esm/model/RoleResourceActionModel.js.map +1 -0
package/esm/model/RoleResourceModel.d.ts +16 -0
package/esm/model/RoleResourceModel.js +55 -0
package/esm/model/RoleResourceModel.js.map +1 -0
package/esm/server.d.ts +33 -0
package/esm/server.js +366 -0
package/esm/server.js.map +1 -0
package/lib/actions/available-actions.d.ts +7 -0
package/lib/actions/available-actions.js +29 -0
package/lib/actions/available-actions.js.map +1 -0
package/lib/actions/role-check.d.ts +1 -0
package/lib/actions/role-check.js +42 -0
package/lib/actions/role-check.js.map +1 -0
package/lib/actions/role-collections.d.ts +7 -0
package/lib/actions/role-collections.js +57 -0
package/lib/actions/role-collections.js.map +1 -0
package/lib/collections/roles.d.ts +3 -0
package/lib/collections/roles.js +80 -0
package/lib/collections/roles.js.map +1 -0
package/lib/collections/rolesResources.d.ts +3 -0
package/lib/collections/rolesResources.js +32 -0
package/lib/collections/rolesResources.js.map +1 -0
package/lib/collections/rolesResourcesActions.d.ts +3 -0
package/lib/collections/rolesResourcesActions.js +29 -0
package/lib/collections/rolesResourcesActions.js.map +1 -0
package/lib/collections/rolesResourcesScopes.d.ts +3 -0
package/lib/collections/rolesResourcesScopes.js +24 -0
package/lib/collections/rolesResourcesScopes.js.map +1 -0
package/lib/index.d.ts +1 -0
package/lib/index.js +9 -0
package/lib/index.js.map +1 -0
package/lib/model/RoleModel.d.ts +7 -0
package/lib/model/RoleModel.js +19 -0
package/lib/model/RoleModel.js.map +1 -0
package/lib/model/RoleResourceActionModel.d.ts +12 -0
package/lib/model/RoleResourceActionModel.js +69 -0
package/lib/model/RoleResourceActionModel.js.map +1 -0
package/lib/model/RoleResourceModel.d.ts +16 -0
package/lib/model/RoleResourceModel.js +59 -0
package/lib/model/RoleResourceModel.js.map +1 -0
package/lib/server.d.ts +33 -0
package/lib/server.js +371 -0
package/lib/server.js.map +1 -0
package/package.json +30 -0
package/src/__tests__/acl.test.ts +533 -0
package/src/__tests__/association-field.test.ts +297 -0
package/src/__tests__/configuration.test.ts +45 -0
package/src/__tests__/middleware.test.ts +233 -0
package/src/__tests__/own.test.ts +140 -0
package/src/__tests__/prepare.ts +39 -0
package/src/__tests__/role-check.test.ts +35 -0
package/src/__tests__/role-resource.test.ts +187 -0
package/src/__tests__/role.test.ts +92 -0
package/src/__tests__/scope.test.ts +51 -0
package/src/actions/available-actions.ts +18 -0
package/src/actions/role-check.ts +39 -0
package/src/actions/role-collections.ts +55 -0
package/src/collections/roles.ts +79 -0
package/src/collections/rolesResources.ts +31 -0
package/src/collections/rolesResourcesActions.ts +28 -0
package/src/collections/rolesResourcesScopes.ts +23 -0
package/src/index.ts +2 -0
package/src/model/RoleModel.ts +21 -0
package/src/model/RoleResourceActionModel.ts +80 -0
package/src/model/RoleResourceModel.ts +61 -0
package/src/server.ts +398 -0
package/tsconfig.build.json +9 -0
package/tsconfig.json +5 -0

package/src/model/RoleModel.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { Model } from '@nocobase/database';
+import { ACL } from '@nocobase/acl';
+export class RoleModel extends Model {
+  writeToAcl(options: { acl: ACL }) {
+    const { acl } = options;
+    const roleName = this.get('name') as string;
+    let role = acl.getRole(roleName);
+    if (!role) {
+      role = acl.define({
+        role: roleName,
+      });
+    }
+    role.setStrategy({
+      ...((this.get('strategy') as object) || {}),
+      allowConfigure: this.get('allowConfigure') as boolean,
+    });
+  }
+}

package/src/model/RoleResourceActionModel.ts ADDED Viewed

@@ -0,0 +1,80 @@
+import { ACL, ACLRole } from '@nocobase/acl';
+import { Database, Model } from '@nocobase/database';
+import { AssociationFieldAction, AssociationFieldsActions, GrantHelper } from '../server';
+export class RoleResourceActionModel extends Model {
+  async writeToACL(options: {
+    acl: ACL;
+    role: ACLRole;
+    resourceName: string;
+    associationFieldsActions: AssociationFieldsActions;
+    grantHelper: GrantHelper;
+  }) {
+    // @ts-ignore
+    const db: Database = this.constructor.database;
+    const { resourceName, role, acl, associationFieldsActions, grantHelper } = options;
+    const actionName = this.get('name') as string;
+    const fields = this.get('fields') as any;
+    const actionPath = `${resourceName}:${actionName}`;
+    const actionParams = {
+      fields,
+    };
+    // @ts-ignore
+    const scope = await this.getScope();
+    if (scope) {
+      actionParams['own'] = scope.get('key') === 'own';
+      actionParams['filter'] = scope.get('scope');
+    }
+    role.grantAction(actionPath, actionParams);
+    const collection = db.getCollection(resourceName);
+    if (!collection) {
+      return;
+    }
+    const availableAction = acl.resolveActionAlias(actionName);
+    for (const field of fields) {
+      const collectionField = collection.getField(field);
+      const fieldType = collectionField.get('interface') as string;
+      const fieldActions: AssociationFieldAction = associationFieldsActions?.[fieldType]?.[availableAction];
+      const fieldTarget = collectionField.get('target');
+      if (fieldActions) {
+        const associationActions = fieldActions.associationActions || [];
+        associationActions.forEach((associationAction) => {
+          const actionName = `${resourceName}.${fieldTarget}:${associationAction}`;
+          role.grantAction(actionName);
+        });
+        const targetActions = fieldActions.targetActions || [];
+        targetActions.forEach((targetAction) => {
+          const targetActionPath = `${fieldTarget}:${targetAction}`;
+          grantHelper.resourceTargetActionMap.set(resourceName, [
+            ...(grantHelper.resourceTargetActionMap.get(resourceName) || []),
+            targetActionPath,
+          ]);
+          grantHelper.targetActionResourceMap.set(targetActionPath, [
+            ...(grantHelper.targetActionResourceMap.get(targetActionPath) || []),
+            resourceName,
+          ]);
+          role.grantAction(targetActionPath);
+        });
+      }
+    }
+  }
+}

package/src/model/RoleResourceModel.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { Database, Model } from '@nocobase/database';
+import { ACL, ACLRole } from '@nocobase/acl';
+import { RoleResourceActionModel } from './RoleResourceActionModel';
+import { AssociationFieldsActions, GrantHelper } from '../server';
+export class RoleResourceModel extends Model {
+  async revoke(options: { role: ACLRole; resourceName: string; grantHelper: GrantHelper }) {
+    const { role, resourceName, grantHelper } = options;
+    role.revokeResource(resourceName);
+    const targetActions = grantHelper.resourceTargetActionMap.get(resourceName) || [];
+    for (const targetAction of targetActions) {
+      const targetActionResource = (grantHelper.targetActionResourceMap.get(targetAction) || []).filter(
+        (item) => resourceName !== item,
+      );
+      grantHelper.targetActionResourceMap.set(targetAction, targetActionResource);
+      if (targetActionResource.length == 0) {
+        role.revokeAction(targetAction);
+      }
+    }
+    grantHelper.resourceTargetActionMap.set(resourceName, []);
+  }
+  async writeToACL(options: {
+    acl: ACL;
+    associationFieldsActions: AssociationFieldsActions;
+    grantHelper: GrantHelper;
+    transaction: any;
+  }) {
+    const { acl, associationFieldsActions, grantHelper } = options;
+    const resourceName = this.get('name') as string;
+    const roleName = this.get('roleName') as string;
+    const role = acl.getRole(roleName);
+    // revoke resource of role
+    await this.revoke({ role, resourceName, grantHelper });
+    // @ts-ignore
+    if (this.usingActionsConfig === false) {
+      return;
+    }
+    // @ts-ignore
+    const actions: RoleResourceActionModel[] = await this.getActions({
+      transaction: options.transaction,
+    });
+    for (const action of actions) {
+      await action.writeToACL({
+        acl,
+        role,
+        resourceName,
+        associationFieldsActions,
+        grantHelper: options.grantHelper,
+      });
+    }
+  }
+}

package/src/server.ts ADDED Viewed

@@ -0,0 +1,398 @@
+import { Context } from '@nocobase/actions';
+import { Collection } from '@nocobase/database';
+import { Plugin } from '@nocobase/server';
+import { resolve } from 'path';
+import { availableActionResource } from './actions/available-actions';
+import { checkAction } from './actions/role-check';
+import { roleCollectionsResource } from './actions/role-collections';
+import { RoleModel } from './model/RoleModel';
+import { RoleResourceActionModel } from './model/RoleResourceActionModel';
+import { RoleResourceModel } from './model/RoleResourceModel';
+export interface AssociationFieldAction {
+  associationActions: string[];
+  targetActions?: string[];
+}
+interface AssociationFieldActions {
+  [availableActionName: string]: AssociationFieldAction;
+}
+export interface AssociationFieldsActions {
+  [associationType: string]: AssociationFieldActions;
+}
+export class GrantHelper {
+  resourceTargetActionMap = new Map<string, string[]>();
+  targetActionResourceMap = new Map<string, string[]>();
+  constructor() {}
+}
+export class PluginACL extends Plugin {
+  associationFieldsActions: AssociationFieldsActions = {};
+  grantHelper = new GrantHelper();
+  get acl() {
+    return this.app.acl;
+  }
+  registerAssociationFieldAction(associationType: string, value: AssociationFieldActions) {
+    this.associationFieldsActions[associationType] = value;
+  }
+  registerAssociationFieldsActions() {
+    this.registerAssociationFieldAction('linkTo', {
+      view: {
+        associationActions: ['list', 'get'],
+      },
+      create: {
+        associationActions: ['add'],
+        targetActions: ['view'],
+      },
+      update: {
+        associationActions: ['add', 'remove', 'toggle'],
+        targetActions: ['view'],
+      },
+    });
+    this.registerAssociationFieldAction('attachments', {
+      view: {
+        associationActions: ['list', 'get'],
+      },
+      add: {
+        associationActions: ['upload', 'add'],
+      },
+      update: {
+        associationActions: ['update', 'add', 'remove', 'toggle'],
+      },
+    });
+    this.registerAssociationFieldAction('subTable', {
+      view: {
+        associationActions: ['list', 'get'],
+      },
+      create: {
+        associationActions: ['create'],
+      },
+      update: {
+        associationActions: ['update', 'destroy'],
+      },
+    });
+  }
+  async writeResourceToACL(resourceModel: RoleResourceModel, transaction) {
+    await resourceModel.writeToACL({
+      acl: this.acl,
+      associationFieldsActions: this.associationFieldsActions,
+      transaction: transaction,
+      grantHelper: this.grantHelper,
+    });
+  }
+  async writeActionToACL(actionModel: RoleResourceActionModel, transaction) {
+    const resource = actionModel.get('resource') as RoleResourceModel;
+    const role = this.acl.getRole(resource.get('roleName') as string);
+    await actionModel.writeToACL({
+      acl: this.acl,
+      role,
+      resourceName: resource.get('name') as string,
+      associationFieldsActions: this.associationFieldsActions,
+      grantHelper: this.grantHelper,
+    });
+  }
+  async writeRolesToACL() {
+    const roles = (await this.app.db.getRepository('roles').find({
+      appends: ['resources', 'resources.actions'],
+    })) as RoleModel[];
+    for (const role of roles) {
+      role.writeToAcl({ acl: this.acl });
+      for (const resource of role.get('resources') as RoleResourceModel[]) {
+        await this.writeResourceToACL(resource, null);
+      }
+    }
+  }
+  async beforeLoad() {
+    this.app.db.registerModels({
+      RoleResourceActionModel,
+      RoleResourceModel,
+      RoleModel,
+    });
+    this.registerAssociationFieldsActions();
+    this.app.resourcer.define(availableActionResource);
+    this.app.resourcer.define(roleCollectionsResource);
+    this.app.resourcer.registerActionHandler('roles:check', checkAction);
+    this.app.db.on('roles.afterSaveWithAssociations', async (model, options) => {
+      const { transaction } = options;
+      model.writeToAcl({
+        acl: this.acl,
+      });
+      for (const resource of (await model.getResources({ transaction })) as RoleResourceModel[]) {
+        await this.writeResourceToACL(resource, transaction);
+      }
+      // model is default
+      if (model.get('default')) {
+        await this.app.db.getRepository('roles').update({
+          values: {
+            default: false,
+          },
+          filter: {
+            'name.$ne': model.get('name'),
+          },
+          hooks: false,
+          transaction,
+        });
+      }
+    });
+    this.app.db.on('roles.afterDestroy', (model) => {
+      const roleName = model.get('name');
+      this.acl.removeRole(roleName);
+    });
+    this.app.db.on('rolesResources.afterSaveWithAssociations', async (model: RoleResourceModel, options) => {
+      await this.writeResourceToACL(model, options.transaction);
+    });
+    this.app.db.on('rolesResourcesActions.afterUpdateWithAssociations', async (model, options) => {
+      const { transaction } = options;
+      const resource = await model.getResource({
+        transaction,
+      });
+      await this.writeResourceToACL(resource, transaction);
+    });
+    this.app.db.on('rolesResources.afterDestroy', async (model, options) => {
+      const role = this.acl.getRole(model.get('roleName'));
+      role.revokeResource(model.get('name'));
+    });
+    this.app.db.on('collections.afterDestroy', async (model, options) => {
+      const { transaction } = options;
+      await this.app.db.getRepository('rolesResources').destroy({
+        filter: {
+          name: model.get('name'),
+        },
+        transaction,
+      });
+    });
+    this.app.db.on('fields.afterCreate', async (model, options) => {
+      const { transaction } = options;
+      const collectionName = model.get('collectionName');
+      const fieldName = model.get('name');
+      const resourceActions = (await this.app.db.getRepository('rolesResourcesActions').find({
+        filter: {
+          'resource.name': collectionName,
+        },
+        transaction,
+        appends: ['resource'],
+      })) as RoleResourceActionModel[];
+      for (const resourceAction of resourceActions) {
+        const fields = resourceAction.get('fields') as string[];
+        const newFields = [...fields, fieldName];
+        await this.app.db.getRepository('rolesResourcesActions').update({
+          filterByTk: resourceAction.get('id') as number,
+          values: {
+            fields: newFields,
+          },
+          transaction,
+        });
+      }
+    });
+    this.app.db.on('fields.afterDestroy', async (model, options) => {
+      const collectionName = model.get('collectionName');
+      const fieldName = model.get('name');
+      const resourceActions = await this.app.db.getRepository('rolesResourcesActions').find({
+        filter: {
+          'resource.name': collectionName,
+          'fields.$anyOf': [fieldName],
+        },
+        transaction: options.transaction,
+      });
+      for (const resourceAction of resourceActions) {
+        const fields = resourceAction.get('fields') as string[];
+        const newFields = fields.filter((field) => field != fieldName);
+        await this.app.db.getRepository('rolesResourcesActions').update({
+          filterByTk: resourceAction.get('id') as number,
+          values: {
+            fields: newFields,
+          },
+          transaction: options.transaction,
+        });
+      }
+    });
+    // sync database role data to acl
+    this.app.on('beforeStart', async () => {
+      await this.writeRolesToACL();
+    });
+    this.app.on('beforeInstallPlugin', async (plugin) => {
+      if (plugin.constructor.name !== 'UsersPlugin') {
+        return;
+      }
+      const roles = this.app.db.getRepository('roles');
+      await roles.createMany({
+        records: [
+          {
+            name: 'root',
+            title: '{{t("Root")}}',
+            hidden: true,
+          },
+          {
+            name: 'admin',
+            title: '{{t("Admin")}}',
+            allowConfigure: true,
+            allowNewMenu: true,
+            strategy: { actions: ['create', 'export', 'view', 'update', 'destroy'] },
+          },
+          {
+            name: 'member',
+            title: '{{t("Member")}}',
+            allowNewMenu: true,
+            strategy: { actions: ['view', 'update:own', 'destroy:own', 'create'] },
+            default: true,
+          },
+        ],
+      });
+      const rolesResourcesScopes = this.app.db.getRepository('rolesResourcesScopes');
+      await rolesResourcesScopes.createMany({
+        records: [
+          {
+            key: 'all',
+            name: '{{t("All records")}}',
+            scope: {},
+          },
+          {
+            key: 'own',
+            name: '{{t("Own records")}}',
+            scope: {
+              createdById: '{{ ctx.state.currentUser.id }}',
+            },
+          },
+        ],
+      });
+    });
+    this.app.acl.allow('roles', 'check', 'loggedIn');
+    this.app.acl.allow('roles', ['create', 'update', 'destroy'], 'allowConfigure');
+    this.app.acl.allow('roles.menuUiSchemas', ['set', 'toggle', 'list'], 'allowConfigure');
+    this.app.acl.allow('*', '*', (ctx) => {
+      return ctx.state.currentRole === 'root';
+    });
+    this.app.resourcer.use(async (ctx, next) => {
+      const { actionName, resourceName, params } = ctx.action;
+      const { showAnonymous } = params || {};
+      if (actionName === 'list' && resourceName === 'roles') {
+        if (!showAnonymous) {
+          ctx.action.mergeParams({
+            filter: {
+              'name.$ne': 'anonymous',
+            },
+          });
+        }
+      }
+      await next();
+    });
+    this.app.acl.use(async (ctx: Context, next) => {
+      const { actionName, resourceName } = ctx.action;
+      if (actionName === 'get' || actionName === 'list') {
+        if (!Array.isArray(ctx?.permission?.can?.params?.fields)) {
+          return next();
+        }
+        let collection: Collection;
+        if (resourceName.includes('.')) {
+          const [collectionName, associationName] = resourceName.split('.');
+          const field = ctx.db.getCollection(collectionName)?.getField?.(associationName);
+          if (field.target) {
+            collection = ctx.db.getCollection(field.target);
+          }
+        } else {
+          collection = ctx.db.getCollection(resourceName);
+        }
+        if (collection && collection.hasField('createdById')) {
+          ctx.permission.can.params.fields.push('createdById');
+        }
+      }
+      return next();
+    });
+    const parseJsonTemplate = this.app.acl.parseJsonTemplate;
+    this.app.acl.use(async (ctx: Context, next) => {
+      const { actionName, resourceName, resourceOf } = ctx.action;
+      if (resourceName.includes('.') && resourceOf) {
+        if (!ctx?.permission?.can?.params) {
+          return next();
+        }
+        // 关联数据去掉 filter
+        delete ctx.permission.can.params.filter;
+        // 关联数据能不能处理取决于 source 是否有权限
+        const [collectionName] = resourceName.split('.');
+        const action = ctx.can({ resource: collectionName, action: actionName });
+        const availableAction = this.app.acl.getAvailableAction(actionName);
+        if (availableAction?.options?.onNewRecord) {
+          if (action) {
+            ctx.permission.skip = true;
+          } else {
+            ctx.permission.can = false;
+          }
+        } else {
+          const filter = parseJsonTemplate(action?.params?.filter || {}, ctx);
+          const sourceInstance = await ctx.db.getRepository(collectionName).findOne({
+            filterByTk: resourceOf,
+            filter,
+          });
+          if (!sourceInstance) {
+            ctx.permission.can = false;
+          }
+        }
+      }
+      await next();
+    });
+  }
+  async install() {
+    const repo = this.db.getRepository<any>('collections');
+    if (repo) {
+      await repo.db2cm('roles');
+    }
+  }
+  async load() {
+    await this.app.db.import({
+      directory: resolve(__dirname, 'collections'),
+    });
+    this.app.resourcer.use(this.acl.middleware());
+  }
+  getName(): string {
+    return this.getPackageName(__dirname);
+  }
+}
+export default PluginACL;

package/tsconfig.build.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "extends": "../../../tsconfig.build.json",
+  "compilerOptions": {
+    "outDir": "./lib",
+    "declaration": true
+  },
+  "include": ["./src/**/*.ts", "./src/**/*.tsx"],
+  "exclude": ["./src/__tests__/*", "./esm/*", "./lib/*"]
+}

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,5 @@
+{
+  "extends": "../../../tsconfig.json",
+  "include": ["./src/**/*.ts", "./src/**/*.tsx"],
+  "exclude": ["./esm/*", "./lib/*"]
+}