@nocobase/plugin-acl 2.0.0-alpha.60 → 2.0.0-alpha.62

package/dist/externalVersion.js

@@ -8,7 +8,7 @@
  */
 
 module.exports = {
-  "@nocobase/client": "2.0.0-alpha.60",
+  "@nocobase/client": "2.0.0-alpha.62",
   "antd": "5.24.2",
   "react": "18.2.0",
   "react-i18next": "11.18.6",
@@ -17,14 +17,14 @@ module.exports = {
   "@formily/react": "2.3.7",
   "@ant-design/icons": "5.6.1",
   "lodash": "4.17.21",
-  "@nocobase/utils": "2.0.0-alpha.60",
-  "@nocobase/actions": "2.0.0-alpha.60",
-  "@nocobase/cache": "2.0.0-alpha.60",
-  "@nocobase/database": "2.0.0-alpha.60",
-  "@nocobase/server": "2.0.0-alpha.60",
-  "@nocobase/test": "2.0.0-alpha.60",
+  "@nocobase/utils": "2.0.0-alpha.62",
+  "@nocobase/actions": "2.0.0-alpha.62",
+  "@nocobase/cache": "2.0.0-alpha.62",
+  "@nocobase/database": "2.0.0-alpha.62",
+  "@nocobase/server": "2.0.0-alpha.62",
+  "@nocobase/test": "2.0.0-alpha.62",
   "@formily/core": "2.3.7",
   "@formily/antd-v5": "1.2.3",
   "antd-style": "3.7.1",
-  "@nocobase/acl": "2.0.0-alpha.60"
+  "@nocobase/acl": "2.0.0-alpha.62"
 };

package/dist/server/middlewares/check-change-with-association.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Context, Next } from '@nocobase/actions';
+export declare const checkChangesWithAssociation: (ctx: Context, next: Next) => Promise<any>;

package/dist/server/middlewares/check-change-with-association.js

@@ -0,0 +1,389 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_change_with_association_exports = {};
+__export(check_change_with_association_exports, {
+  checkChangesWithAssociation: () => checkChangesWithAssociation
+});
+module.exports = __toCommonJS(check_change_with_association_exports);
+var import_acl = require("@nocobase/acl");
+var import_lodash = __toESM(require("lodash"));
+function normalizeAssociationValue(value, recordKey) {
+  if (!value) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    const result = value.map((v) => v[recordKey]).filter((v) => v !== null && v !== void 0);
+    return result.length > 0 ? result : void 0;
+  } else {
+    return value[recordKey];
+  }
+}
+async function resolveScopeFilter(ctx, target, params) {
+  if (!params) {
+    return {};
+  }
+  const filteredParams = ctx.acl.filterParams(ctx, target, params);
+  const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
+  return parsedParams.filter || {};
+}
+async function collectAllowedRecordKeys(ctx, items, recordKey, updateParams, target) {
+  const repo = ctx.db.getRepository(target);
+  if (!repo) {
+    return void 0;
+  }
+  const keys = items.map((item) => import_lodash.default.isPlainObject(item) ? item[recordKey] : void 0).filter((key) => key !== void 0 && key !== null);
+  if (!keys.length) {
+    return void 0;
+  }
+  try {
+    const scopedFilter = await resolveScopeFilter(ctx, target, updateParams == null ? void 0 : updateParams.params);
+    const records = await repo.find({
+      filter: {
+        ...scopedFilter,
+        [`${recordKey}.$in`]: keys
+      }
+    });
+    const allowedKeys = /* @__PURE__ */ new Set();
+    for (const record of records) {
+      const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+      if (key !== void 0 && key !== null) {
+        allowedKeys.add(key);
+      }
+    }
+    const missingKeys = new Set(keys.filter((key) => !allowedKeys.has(key)));
+    return { allowedKeys, missingKeys };
+  } catch (e) {
+    if (e instanceof import_acl.NoPermissionError) {
+      return {
+        allowedKeys: /* @__PURE__ */ new Set(),
+        missingKeys: new Set(keys)
+      };
+    }
+    throw e;
+  }
+}
+async function collectExistingRecordKeys(ctx, recordKey, target, keys) {
+  const repo = ctx.db.getRepository(target);
+  if (!repo) {
+    return /* @__PURE__ */ new Set();
+  }
+  const keyList = Array.from(keys);
+  if (!keyList.length) {
+    return /* @__PURE__ */ new Set();
+  }
+  const records = await repo.find({
+    filter: {
+      [`${recordKey}.$in`]: keyList
+    }
+  });
+  const existingKeys = /* @__PURE__ */ new Set();
+  for (const record of records) {
+    const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+    if (key !== void 0 && key !== null) {
+      existingKeys.add(key);
+    }
+  }
+  return existingKeys;
+}
+async function recordExistsWithoutScope(ctx, target, recordKey, keyValue) {
+  const repo = ctx.db.getRepository(target);
+  if (!repo) {
+    return false;
+  }
+  const record = await repo.findOne({
+    filter: {
+      [recordKey]: keyValue
+    }
+  });
+  return Boolean(record);
+}
+async function processAssociationChild(ctx, value, recordKey, updateAssociationValues, createParams, updateParams, target, fieldPath, allowedRecordKeys, existingRecordKeys) {
+  const keyValue = value == null ? void 0 : value[recordKey];
+  const fallbackToCreate = async () => {
+    if (!createParams) {
+      return keyValue;
+    }
+    ctx.log.debug(`Association record missing, fallback to create`, {
+      fieldPath,
+      value,
+      target
+    });
+    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
+  };
+  const tryFallbackToCreate = async (reason, knownExists) => {
+    if (!createParams) {
+      return void 0;
+    }
+    const recordExists = typeof knownExists === "boolean" ? knownExists : await recordExistsWithoutScope(ctx, target, recordKey, keyValue);
+    if (!recordExists) {
+      ctx.log.debug(reason, {
+        fieldPath,
+        value,
+        createParams,
+        updateParams
+      });
+      return await fallbackToCreate();
+    }
+    return void 0;
+  };
+  if (keyValue !== void 0 && keyValue !== null) {
+    if (!updateParams) {
+      const created = await tryFallbackToCreate(`No permission to update association, try create not exist record`);
+      if (created !== void 0) {
+        return created;
+      }
+      ctx.log.debug(`No permission to update association`, { fieldPath, value, updateParams });
+      return keyValue;
+    } else {
+      const repo = ctx.db.getRepository(target);
+      if (!repo) {
+        return keyValue;
+      }
+      try {
+        if (allowedRecordKeys) {
+          if (!allowedRecordKeys.has(keyValue)) {
+            const created = await tryFallbackToCreate(
+              `No permission to update association due to scope, try create not exist record`,
+              existingRecordKeys ? existingRecordKeys.has(keyValue) : void 0
+            );
+            if (created !== void 0) {
+              return created;
+            }
+            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
+            return keyValue;
+          }
+        } else {
+          const filter = await resolveScopeFilter(ctx, target, updateParams.params);
+          const record = await repo.findOne({
+            filter: {
+              ...filter,
+              [recordKey]: keyValue
+            }
+          });
+          if (!record) {
+            const created = await tryFallbackToCreate(
+              `No permission to update association due to scope, try create not exist record`
+            );
+            if (created !== void 0) {
+              return created;
+            }
+            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
+            return keyValue;
+          }
+        }
+        return await processValues(ctx, value, updateAssociationValues, updateParams.params, target, fieldPath, []);
+      } catch (e) {
+        if (e instanceof import_acl.NoPermissionError) {
+          return keyValue;
+        }
+        throw e;
+      }
+    }
+  }
+  if (createParams) {
+    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
+  }
+  ctx.log.debug(`No permission to create association`, { fieldPath, value, createParams });
+  return null;
+}
+async function processValues(ctx, values, updateAssociationValues, aclParams, collectionName, lastFieldPath = "", protectedKeys = []) {
+  var _a;
+  if (Array.isArray(values)) {
+    const result = [];
+    for (const item of values) {
+      if (!import_lodash.default.isPlainObject(item)) {
+        result.push(item);
+        continue;
+      }
+      const processed = await processValues(
+        ctx,
+        item,
+        updateAssociationValues,
+        aclParams,
+        collectionName,
+        lastFieldPath,
+        protectedKeys
+      );
+      if (processed !== null && processed !== void 0) {
+        result.push(processed);
+      }
+    }
+    return result;
+  }
+  if (!values || !import_lodash.default.isPlainObject(values)) {
+    return values;
+  }
+  const db = ctx.database;
+  const collection = db.getCollection(collectionName);
+  if (!collection) {
+    return values;
+  }
+  if (aclParams == null ? void 0 : aclParams.whitelist) {
+    const combined = import_lodash.default.uniq([...aclParams.whitelist, ...protectedKeys]);
+    values = import_lodash.default.pick(values, combined);
+  }
+  for (const [fieldName, fieldValue] of Object.entries(values)) {
+    if (protectedKeys.includes(fieldName)) {
+      continue;
+    }
+    const field = collection.getField(fieldName);
+    const isAssociation = field && ["hasOne", "hasMany", "belongsTo", "belongsToMany", "belongsToArray"].includes(field.type);
+    if (!isAssociation) {
+      continue;
+    }
+    const targetCollection = db.getCollection(field.target);
+    if (!targetCollection) {
+      delete values[fieldName];
+      continue;
+    }
+    const fieldPath = lastFieldPath ? `${lastFieldPath}.${fieldName}` : fieldName;
+    const recordKey = field.type === "hasOne" ? targetCollection.model.primaryKeyAttribute : field.targetKey;
+    const canUpdateAssociation = updateAssociationValues.includes(fieldPath);
+    if (!canUpdateAssociation) {
+      const normalized = normalizeAssociationValue(fieldValue, recordKey);
+      if (normalized === void 0 && !protectedKeys.includes(fieldName)) {
+        delete values[fieldName];
+      } else {
+        values[fieldName] = normalized;
+      }
+      ctx.log.debug(`Not allow to update association, only keep keys`, {
+        fieldPath,
+        fieldValue,
+        updateAssociationValues,
+        recordKey,
+        normalizedValue: values[fieldName]
+      });
+      continue;
+    }
+    const createParams = ctx.can({
+      roles: ctx.state.currentRoles,
+      resource: field.target,
+      action: "create"
+    });
+    const updateParams = ctx.can({
+      roles: ctx.state.currentRoles,
+      resource: field.target,
+      action: "update"
+    });
+    if (Array.isArray(fieldValue)) {
+      const processed = [];
+      let allowedRecordKeys;
+      let existingRecordKeys;
+      if (updateParams) {
+        const allowedResult = await collectAllowedRecordKeys(ctx, fieldValue, recordKey, updateParams, field.target);
+        allowedRecordKeys = allowedResult == null ? void 0 : allowedResult.allowedKeys;
+        if (createParams && ((_a = allowedResult == null ? void 0 : allowedResult.missingKeys) == null ? void 0 : _a.size)) {
+          existingRecordKeys = await collectExistingRecordKeys(ctx, recordKey, field.target, allowedResult.missingKeys);
+        }
+      }
+      for (const item of fieldValue) {
+        const r2 = await processAssociationChild(
+          ctx,
+          item,
+          recordKey,
+          updateAssociationValues,
+          createParams,
+          updateParams,
+          field.target,
+          fieldPath,
+          allowedRecordKeys,
+          existingRecordKeys
+        );
+        if (r2 !== null && r2 !== void 0) {
+          processed.push(r2);
+        }
+      }
+      values[fieldName] = processed;
+      continue;
+    }
+    const r = await processAssociationChild(
+      ctx,
+      fieldValue,
+      recordKey,
+      updateAssociationValues,
+      createParams,
+      updateParams,
+      field.target,
+      fieldPath
+    );
+    values[fieldName] = r;
+  }
+  return values;
+}
+const checkChangesWithAssociation = async (ctx, next) => {
+  var _a, _b;
+  const { resourceName, actionName } = ctx.action;
+  if (!["create", "firstOrCreate", "updateOrCreate", "update"].includes(actionName)) {
+    return next();
+  }
+  if ((_a = ctx.permission) == null ? void 0 : _a.skip) {
+    return next();
+  }
+  const roles = ctx.state.currentRoles;
+  if (roles.includes("root")) {
+    return next();
+  }
+  const acl = ctx.acl;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const params = ctx.action.params || {};
+  const rawValues = params.values;
+  if (import_lodash.default.isEmpty(rawValues)) {
+    return next();
+  }
+  const protectedKeys = ["firstOrCreate", "updateOrCreate"].includes(actionName) ? params.filterKeys || [] : [];
+  const aclParams = ((_b = ctx.permission.can) == null ? void 0 : _b.params) || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
+  const processed = await processValues(
+    ctx,
+    rawValues,
+    params.updateAssociationValues || [],
+    aclParams,
+    resourceName,
+    "",
+    protectedKeys
+  );
+  ctx.action.params.values = processed;
+  await next();
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkChangesWithAssociation
+});

package/dist/server/server.js

@@ -56,6 +56,7 @@ var import_RoleResourceActionModel = require("./model/RoleResourceActionModel");
 var import_RoleResourceModel = require("./model/RoleResourceModel");
 var import_union_role = require("./actions/union-role");
 var import_check_association_operate = require("./middlewares/check-association-operate");
+var import_check_change_with_association = require("./middlewares/check-change-with-association");
 class PluginACLServer extends import_server.Plugin {
   get acl() {
     return this.app.acl;
@@ -144,6 +145,7 @@ class PluginACLServer extends import_server.Plugin {
         "roles.dataSourcesCollections:*",
         "roles.dataSourceResources:*",
         "dataSourcesRolesResourcesScopes:*",
+        "dataSourcesRolesResourcesActions:*",
         "rolesResourcesScopes:*"
       ]
     });
@@ -575,6 +577,12 @@ class PluginACLServer extends import_server.Plugin {
       dataSource.acl.use(import_check_association_operate.checkAssociationOperate, {
         before: "core"
       });
+      if (dataSource.options.acl !== false && dataSource.options.useACL !== false) {
+        dataSource.resourceManager.registerPreActionHandler("create", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("firstOrCreate", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("updateOrCreate", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("update", import_check_change_with_association.checkChangesWithAssociation);
+      }
     });
     this.db.on("afterUpdateCollection", async (collection) => {
       if (collection.options.loadedFromCollectionManager || collection.options.asStrategyResource) {

package/package.json

@@ -6,7 +6,7 @@
   "description": "Based on roles, resources, and actions, access control can precisely manage interface configuration permissions, data operation permissions, menu access permissions, and plugin permissions.",
   "description.ru-RU": "На основе ролей, ресурсов и действий система контроля доступа может точно управлять разрешениями на изменение интерфейса, работу с данными, доступ к меню и разрешениями для подключаемых модулей.",
   "description.zh-CN": "基于角色、资源和操作的权限控制，可以精确控制界面配置权限、数据操作权限、菜单访问权限、插件权限。",
-  "version": "2.0.0-alpha.60",
+  "version": "2.0.0-alpha.62",
   "license": "AGPL-3.0",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/acl",
@@ -39,5 +39,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/plugins/acl"
   },
-  "gitHead": "9113d61ce85b60b7ba3d0e5ca64182d92a15ece4"
+  "gitHead": "a6e543098afba0edc2189edc04f27c1726fff564"
 }