@nocobase/plugin-acl 1.9.0-beta.15 → 1.9.0-beta.17

package/dist/externalVersion.js

@@ -8,7 +8,7 @@
  */
 
 module.exports = {
-  "@nocobase/client": "1.9.0-beta.15",
+  "@nocobase/client": "1.9.0-beta.17",
   "antd": "5.24.2",
   "react": "18.2.0",
   "react-i18next": "11.18.6",
@@ -17,14 +17,14 @@ module.exports = {
   "@formily/react": "2.3.0",
   "@ant-design/icons": "5.6.1",
   "lodash": "4.17.21",
-  "@nocobase/utils": "1.9.0-beta.15",
-  "@nocobase/actions": "1.9.0-beta.15",
-  "@nocobase/cache": "1.9.0-beta.15",
-  "@nocobase/database": "1.9.0-beta.15",
-  "@nocobase/server": "1.9.0-beta.15",
-  "@nocobase/test": "1.9.0-beta.15",
+  "@nocobase/utils": "1.9.0-beta.17",
+  "@nocobase/actions": "1.9.0-beta.17",
+  "@nocobase/cache": "1.9.0-beta.17",
+  "@nocobase/database": "1.9.0-beta.17",
+  "@nocobase/server": "1.9.0-beta.17",
+  "@nocobase/test": "1.9.0-beta.17",
   "@formily/core": "2.3.0",
   "@formily/antd-v5": "1.2.3",
   "antd-style": "3.7.1",
-  "@nocobase/acl": "1.9.0-beta.15"
+  "@nocobase/acl": "1.9.0-beta.17"
 };

package/dist/locale/ru-RU.json

@@ -0,0 +1,18 @@
+{
+  "The current user has no roles. Please try another account.": "У текущего пользователя нет ролей. Попробуйте другой аккаунт.",
+  "The user role does not exist. Please try signing in again": "Роль пользователя не существует. Попробуйте войти снова.",
+  "New role": "Новая роль",
+  "Permissions": "Права доступа",
+  "Desktop menu": "Меню рабочего стола",
+  "Independent roles": "Независимые роли",
+  "Allow roles union": "Разрешить объединение ролей",
+  "Roles union only": "Только объединение ролей",
+  "Role mode": "Режим ролей",
+  "Saved successfully": "Успешно сохранено",
+  "Please select role mode": "Пожалуйста, выберите режим ролей",
+  "Full permissions": "Полные права",
+  "Role mode doc": "https://docs.nocobase.com/handbook/acl/manual",
+  "Do not use role union. Users need to switch between their roles individually.": "Не использовать объединение ролей. Пользователям нужно переключаться между ролями по отдельности.",
+  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "Разрешить пользователям использовать объединение ролей, то есть они могут одновременно использовать права всех своих ролей или переключаться между отдельными ролями.",
+  "Force users to use only role union. They cannot switch between individual roles.": "Принудительно использовать только объединение ролей. Переключение между отдельными ролями недоступно."
+}

package/dist/server/middlewares/check-association-operate.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Context, Next } from '@nocobase/actions';
+export declare function checkAssociationOperate(ctx: Context, next: Next): Promise<any>;

package/dist/server/middlewares/check-association-operate.js

@@ -0,0 +1,88 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_association_operate_exports = {};
+__export(check_association_operate_exports, {
+  checkAssociationOperate: () => checkAssociationOperate
+});
+module.exports = __toCommonJS(check_association_operate_exports);
+var import_acl = require("@nocobase/acl");
+async function checkAssociationOperate(ctx, next) {
+  var _a;
+  const { actionName, resourceName, sourceId } = ctx.action;
+  if (!(resourceName.includes(".") && ["add", "set", "remove", "toggle"].includes(actionName))) {
+    return next();
+  }
+  const acl = ctx.acl;
+  const roles = ctx.state.currentRoles;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const [resource, association] = resourceName.split(".");
+  const result = ctx.can({
+    roles,
+    resource,
+    action: "update"
+  });
+  if (!result) {
+    ctx.throw(403, "No permissions");
+  }
+  const params = result.params || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
+  if (params.whitelist && !((_a = params.whitelist) == null ? void 0 : _a.includes(association))) {
+    ctx.throw(403, "No permissions");
+  }
+  if (params.filter) {
+    try {
+      const filteredParams = ctx.acl.filterParams(ctx, resource, params);
+      const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
+      const repo = ctx.db.getRepository(resource);
+      const record = await repo.findOne({
+        filterByTk: sourceId,
+        filter: parsedParams.filter
+      });
+      if (!record) {
+        ctx.throw(403, "No permissions");
+      }
+    } catch (e) {
+      if (e instanceof import_acl.NoPermissionError) {
+        ctx.throw(403, "No permissions");
+      }
+      throw e;
+    }
+  }
+  ctx.permission = {
+    ...ctx.permission,
+    skip: true
+  };
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkAssociationOperate
+});

package/dist/server/migrations/20251119225252-update-member-default-permission.d.ts

@@ -0,0 +1,14 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Migration } from '@nocobase/server';
+export default class extends Migration {
+    on: string;
+    appVersion: string;
+    up(): Promise<void>;
+}

package/dist/server/migrations/20251119225252-update-member-default-permission.js

@@ -0,0 +1,59 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var update_member_default_permission_exports = {};
+__export(update_member_default_permission_exports, {
+  default: () => update_member_default_permission_default
+});
+module.exports = __toCommonJS(update_member_default_permission_exports);
+var import_server = require("@nocobase/server");
+class update_member_default_permission_default extends import_server.Migration {
+  on = "afterLoad";
+  // 'beforeLoad' or 'afterLoad'
+  appVersion = "<2.0.0";
+  async up() {
+    const repo = this.db.getRepository("roles");
+    const role = await repo.findOne({
+      filter: {
+        name: "member"
+      }
+    });
+    if (!role) {
+      return;
+    }
+    await repo.update({
+      filter: {
+        name: role.name
+      },
+      values: {
+        strategy: {
+          ...role.strategy,
+          actions: ["view:own"]
+        }
+      }
+    });
+  }
+}

package/dist/server/server.js

@@ -55,6 +55,7 @@ var import_RoleModel = require("./model/RoleModel");
 var import_RoleResourceActionModel = require("./model/RoleResourceActionModel");
 var import_RoleResourceModel = require("./model/RoleResourceModel");
 var import_union_role = require("./actions/union-role");
+var import_check_association_operate = require("./middlewares/check-association-operate");
 class PluginACLServer extends import_server.Plugin {
   get acl() {
     return this.app.acl;
@@ -387,7 +388,7 @@ class PluginACLServer extends import_server.Plugin {
             name: "member",
             title: '{{t("Member")}}',
             allowNewMenu: true,
-            strategy: { actions: ["view", "update:own", "destroy:own", "create"] },
+            strategy: { actions: ["view:own"] },
             default: true,
             snippets: ["!ui.*", "!pm", "!pm.*"]
           }
@@ -485,8 +486,9 @@ class PluginACLServer extends import_server.Plugin {
         } else {
           collection = ctx.db.getCollection(resourceName);
         }
-        if (collection && collection.hasField("createdById")) {
-          ctx.permission.can.params.fields.push("createdById");
+        const fields = ctx.permission.can.params.fields;
+        if (collection && collection.hasField("createdById") && !fields.includes("createdById")) {
+          fields.push("createdById");
         }
       }
       return next();
@@ -559,6 +561,9 @@ class PluginACLServer extends import_server.Plugin {
       },
       { after: "dataSource", group: "with-acl-meta" }
     );
+    this.app.acl.use(import_check_association_operate.checkAssociationOperate, {
+      before: "core"
+    });
     this.db.on("afterUpdateCollection", async (collection) => {
       if (collection.options.loadedFromCollectionManager || collection.options.asStrategyResource) {
         this.app.acl.appendStrategyResource(collection.name);

package/package.json

@@ -1,13 +1,16 @@
 {
   "name": "@nocobase/plugin-acl",
   "displayName": "Access control",
+  "displayName.ru-RU": "Контроль доступа",
   "displayName.zh-CN": "权限控制",
   "description": "Based on roles, resources, and actions, access control can precisely manage interface configuration permissions, data operation permissions, menu access permissions, and plugin permissions.",
+  "description.ru-RU": "На основе ролей, ресурсов и действий система контроля доступа может точно управлять разрешениями на изменение интерфейса, работу с данными, доступ к меню и разрешениями для подключаемых модулей.",
   "description.zh-CN": "基于角色、资源和操作的权限控制，可以精确控制界面配置权限、数据操作权限、菜单访问权限、插件权限。",
-  "version": "1.9.0-beta.15",
+  "version": "1.9.0-beta.17",
   "license": "AGPL-3.0",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/acl",
+  "homepage.ru-RU": "https://docs-ru.nocobase.com/handbook/acl",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/acl",
   "keywords": [
     "Users & permissions"
@@ -33,5 +36,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/plugins/acl"
   },
-  "gitHead": "f7285eff753fd268350cfd65cd079a35b8957f0e"
+  "gitHead": "4f95b676235fa3f7583493412279d8132a20c4d0"
 }