@nocobase/plugin-acl 2.0.0-alpha.9 → 2.0.0-beta.10

package/dist/locale/uk-UA.json

@@ -0,0 +1,22 @@
+{
+  "Allow roles union": "Allow roles union",
+  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.",
+  "Data sources": "Data sources",
+  "Desktop menu": "Desktop menu",
+  "Do not use role union. Users need to switch between their roles individually.": "Do not use role union. Users need to switch between their roles individually.",
+  "Force users to use only role union. They cannot switch between individual roles.": "Force users to use only role union. They cannot switch between individual roles.",
+  "Full permissions": "Full permissions",
+  "General": "General",
+  "Independent roles": "Independent roles",
+  "New role": "New role",
+  "Permissions": "Permissions",
+  "Please select role mode": "Please select role mode",
+  "Plugin settings": "Plugin settings",
+  "Role mode": "Role mode",
+  "Role mode doc": "https://docs.nocobase.com/handbook/acl/manual",
+  "Roles & Permissions": "Roles & Permissions",
+  "Roles union only": "Roles union only",
+  "Saved successfully": "Saved successfully",
+  "The current user has no roles. Please try another account.": "The current user has no roles. Please try another account.",
+  "The user role does not exist. Please try signing in again": "The user role does not exist. Please try signing in again"
+}

package/dist/locale/vi-VN.json

@@ -0,0 +1,22 @@
+{
+  "Allow roles union": "Allow roles union",
+  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.",
+  "Data sources": "Data sources",
+  "Desktop menu": "Desktop menu",
+  "Do not use role union. Users need to switch between their roles individually.": "Do not use role union. Users need to switch between their roles individually.",
+  "Force users to use only role union. They cannot switch between individual roles.": "Force users to use only role union. They cannot switch between individual roles.",
+  "Full permissions": "Full permissions",
+  "General": "Tổng quát",
+  "Independent roles": "Independent roles",
+  "New role": "New role",
+  "Permissions": "Quyền",
+  "Please select role mode": "Please select role mode",
+  "Plugin settings": "Plugin settings",
+  "Role mode": "Role mode",
+  "Role mode doc": "https://docs.nocobase.com/handbook/acl/manual",
+  "Roles & Permissions": "Roles & Permissions",
+  "Roles union only": "Roles union only",
+  "Saved successfully": "Saved successfully",
+  "The current user has no roles. Please try another account.": "The current user has no roles. Please try another account.",
+  "The user role does not exist. Please try signing in again": "The user role does not exist. Please try signing in again"
+}

package/dist/locale/zh-CN.json

@@ -1,22 +1,22 @@
 {
-  "The current user has no roles. Please try another account.": "当前用户没有角色，请使用其他账号。",
-  "The user role does not exist. Please try signing in again": "用户角色不存在，请尝试重新登录。",
+  "Allow roles union": "允许角色并集",
+  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "允许用户使用角色并集，即可以同时使用自己拥有的所有角色的权限，也允许用户逐个切换自己的角色。",
+  "Data sources": "数据源",
+  "Desktop menu": "桌面端菜单",
+  "Do not use role union. Users need to switch between their roles individually.": "不使用角色并集，用户需要逐个切换自己拥有的角色。",
+  "Force users to use only role union. They cannot switch between individual roles.": "强制用户仅能使用角色并集，不能逐个切换角色。",
+  "Full permissions": "全部权限",
+  "General": "通用",
+  "Independent roles": "独立角色",
   "New role": "新建角色",
   "Permissions": "权限",
-  "Roles & Permissions": "角色和权限",
-  "General": "通用",
-  "Desktop menu": "桌面端菜单",
+  "Please select role mode": "请选择角色模式",
   "Plugin settings": "插件设置",
-  "Data sources": "数据源",
-  "Independent roles": "独立角色",
-  "Allow roles union": "允许角色并集",
-  "Roles union only": "仅角色并集",
   "Role mode": "角色模式",
-  "Saved successfully": "保存成功",
-  "Please select role mode": "请选择角色模式",
-  "Full permissions": "全部权限",
   "Role mode doc": "https://docs-cn.nocobase.com/handbook/acl/manual",
-  "Do not use role union. Users need to switch between their roles individually.": "不使用角色并集，用户需要逐个切换自己拥有的角色。",
-  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "允许用户使用角色并集，即可以同时使用自己拥有的所有角色的权限，也允许用户逐个切换自己的角色。",
-  "Force users to use only role union. They cannot switch between individual roles.": "强制用户仅能使用角色并集，不能逐个切换角色。"
+  "Roles & Permissions": "角色和权限",
+  "Roles union only": "仅角色并集",
+  "Saved successfully": "保存成功",
+  "The current user has no roles. Please try another account.": "当前用户没有角色，请使用其他账号。",
+  "The user role does not exist. Please try signing in again": "用户角色不存在，请尝试重新登录。"
 }

package/dist/locale/zh-TW.json

@@ -0,0 +1,22 @@
+{
+  "Allow roles union": "Allow roles union",
+  "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.": "Allow users to use role union, which means they can use permissions from all their roles simultaneously, or switch between individual roles.",
+  "Data sources": "Data sources",
+  "Desktop menu": "Desktop menu",
+  "Do not use role union. Users need to switch between their roles individually.": "Do not use role union. Users need to switch between their roles individually.",
+  "Force users to use only role union. They cannot switch between individual roles.": "Force users to use only role union. They cannot switch between individual roles.",
+  "Full permissions": "Full permissions",
+  "General": "General",
+  "Independent roles": "Independent roles",
+  "New role": "New role",
+  "Permissions": "Permissions",
+  "Please select role mode": "Please select role mode",
+  "Plugin settings": "Plugin settings",
+  "Role mode": "Role mode",
+  "Role mode doc": "https://docs.nocobase.com/handbook/acl/manual",
+  "Roles & Permissions": "Roles & Permissions",
+  "Roles union only": "Roles union only",
+  "Saved successfully": "Saved successfully",
+  "The current user has no roles. Please try another account.": "The current user has no roles. Please try another account.",
+  "The user role does not exist. Please try signing in again": "The user role does not exist. Please try signing in again"
+}

package/dist/server/actions/user-setDefaultRole.js

@@ -29,6 +29,7 @@ __export(user_setDefaultRole_exports, {
   setDefaultRole: () => setDefaultRole
 });
 module.exports = __toCommonJS(user_setDefaultRole_exports);
+var import_constants = require("../constants");
 async function setDefaultRole(ctx, next) {
   const {
     values: { roleName }
@@ -72,7 +73,7 @@ async function setDefaultRole(ctx, next) {
     if (targetUserRole) {
       await repository.model.update({ default: true }, { where: { userId: currentUser.id, roleName }, transaction });
       model = targetUserRole.set("default", true);
-    } else {
+    } else if (roleName === import_constants.UNION_ROLE_KEY) {
       model = await repository.create({
         values: {
           userId: currentUser.id,
@@ -82,7 +83,9 @@ async function setDefaultRole(ctx, next) {
         transaction
       });
     }
-    db.emitAsync("rolesUsers.afterSave", model);
+    if (model) {
+      db.emitAsync("rolesUsers.afterSave", model);
+    }
   });
   ctx.body = "ok";
   await next();

package/dist/server/collections/roles.js

@@ -40,6 +40,7 @@ var roles_default = (0, import_database.defineCollection)({
   autoGenId: false,
   model: "RoleModel",
   filterTargetKey: "name",
+  titleField: "title",
   // targetKey: 'name',
   sortable: true,
   fields: [

package/dist/server/middlewares/check-association-operate.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Context, Next } from '@nocobase/actions';
+export declare function checkAssociationOperate(ctx: Context, next: Next): Promise<any>;

package/dist/server/middlewares/check-association-operate.js

@@ -0,0 +1,88 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_association_operate_exports = {};
+__export(check_association_operate_exports, {
+  checkAssociationOperate: () => checkAssociationOperate
+});
+module.exports = __toCommonJS(check_association_operate_exports);
+var import_acl = require("@nocobase/acl");
+async function checkAssociationOperate(ctx, next) {
+  var _a;
+  const { actionName, resourceName, sourceId } = ctx.action;
+  if (!(resourceName.includes(".") && ["add", "set", "remove", "toggle"].includes(actionName))) {
+    return next();
+  }
+  const acl = ctx.acl;
+  const roles = ctx.state.currentRoles;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const [resource, association] = resourceName.split(".");
+  const result = ctx.can({
+    roles,
+    resource,
+    action: "update"
+  });
+  if (!result) {
+    ctx.throw(403, "No permissions");
+  }
+  const params = result.params || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
+  if (params.whitelist && !((_a = params.whitelist) == null ? void 0 : _a.includes(association))) {
+    ctx.throw(403, "No permissions");
+  }
+  if (params.filter) {
+    try {
+      const filteredParams = ctx.acl.filterParams(ctx, resource, params);
+      const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
+      const repo = ctx.db.getRepository(resource);
+      const record = await repo.findOne({
+        filterByTk: sourceId,
+        filter: parsedParams.filter
+      });
+      if (!record) {
+        ctx.throw(403, "No permissions");
+      }
+    } catch (e) {
+      if (e instanceof import_acl.NoPermissionError) {
+        ctx.throw(403, "No permissions");
+      }
+      throw e;
+    }
+  }
+  ctx.permission = {
+    ...ctx.permission,
+    skip: true
+  };
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkAssociationOperate
+});

package/dist/server/middlewares/check-change-with-association.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Context, Next } from '@nocobase/actions';
+export declare const checkChangesWithAssociation: (ctx: Context, next: Next) => Promise<any>;

package/dist/server/middlewares/check-change-with-association.js

@@ -0,0 +1,390 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_change_with_association_exports = {};
+__export(check_change_with_association_exports, {
+  checkChangesWithAssociation: () => checkChangesWithAssociation
+});
+module.exports = __toCommonJS(check_change_with_association_exports);
+var import_acl = require("@nocobase/acl");
+var import_lodash = __toESM(require("lodash"));
+function normalizeAssociationValue(value, recordKey) {
+  if (!value) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    const result = value.map((v) => typeof v === "number" || typeof v === "string" ? v : v[recordKey]).filter((v) => v !== null && v !== void 0);
+    return result.length > 0 ? result : void 0;
+  } else {
+    return typeof value === "number" || typeof value === "string" ? value : value[recordKey];
+  }
+}
+async function resolveScopeFilter(ctx, target, params) {
+  if (!params) {
+    return {};
+  }
+  const filteredParams = ctx.acl.filterParams(ctx, target, params);
+  const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
+  return parsedParams.filter || {};
+}
+async function collectAllowedRecordKeys(ctx, items, recordKey, updateParams, target) {
+  const repo = ctx.database.getRepository(target);
+  if (!repo) {
+    return void 0;
+  }
+  const keys = items.map((item) => import_lodash.default.isPlainObject(item) ? item[recordKey] : void 0).filter((key) => key !== void 0 && key !== null);
+  if (!keys.length) {
+    return void 0;
+  }
+  try {
+    const scopedFilter = await resolveScopeFilter(ctx, target, updateParams == null ? void 0 : updateParams.params);
+    const records = await repo.find({
+      filter: {
+        ...scopedFilter,
+        [`${recordKey}.$in`]: keys
+      }
+    });
+    const allowedKeys = /* @__PURE__ */ new Set();
+    for (const record of records) {
+      const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+      if (key !== void 0 && key !== null) {
+        allowedKeys.add(key);
+      }
+    }
+    const missingKeys = new Set(keys.filter((key) => !allowedKeys.has(key)));
+    return { allowedKeys, missingKeys };
+  } catch (e) {
+    if (e instanceof import_acl.NoPermissionError) {
+      return {
+        allowedKeys: /* @__PURE__ */ new Set(),
+        missingKeys: new Set(keys)
+      };
+    }
+    throw e;
+  }
+}
+async function collectExistingRecordKeys(ctx, recordKey, target, keys) {
+  const repo = ctx.database.getRepository(target);
+  if (!repo) {
+    return /* @__PURE__ */ new Set();
+  }
+  const keyList = Array.from(keys);
+  if (!keyList.length) {
+    return /* @__PURE__ */ new Set();
+  }
+  const records = await repo.find({
+    filter: {
+      [`${recordKey}.$in`]: keyList
+    }
+  });
+  const existingKeys = /* @__PURE__ */ new Set();
+  for (const record of records) {
+    const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+    if (key !== void 0 && key !== null) {
+      existingKeys.add(key);
+    }
+  }
+  return existingKeys;
+}
+async function recordExistsWithoutScope(ctx, target, recordKey, keyValue) {
+  const repo = ctx.database.getRepository(target);
+  if (!repo) {
+    return false;
+  }
+  const record = await repo.findOne({
+    filter: {
+      [recordKey]: keyValue
+    }
+  });
+  return Boolean(record);
+}
+async function processAssociationChild(ctx, value, recordKey, updateAssociationValues, createParams, updateParams, target, fieldPath, allowedRecordKeys, existingRecordKeys) {
+  const keyValue = value == null ? void 0 : value[recordKey];
+  const fallbackToCreate = async () => {
+    if (!createParams) {
+      return keyValue;
+    }
+    ctx.log.debug(`Association record missing, fallback to create`, {
+      fieldPath,
+      value,
+      target
+    });
+    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
+  };
+  const tryFallbackToCreate = async (reason, knownExists) => {
+    if (!createParams) {
+      return void 0;
+    }
+    const recordExists = typeof knownExists === "boolean" ? knownExists : await recordExistsWithoutScope(ctx, target, recordKey, keyValue);
+    if (!recordExists) {
+      ctx.log.debug(reason, {
+        fieldPath,
+        value,
+        createParams,
+        updateParams
+      });
+      return await fallbackToCreate();
+    }
+    return void 0;
+  };
+  if (keyValue !== void 0 && keyValue !== null) {
+    if (!updateParams) {
+      const created = await tryFallbackToCreate(`No permission to update association, try create not exist record`);
+      if (created !== void 0) {
+        return created;
+      }
+      ctx.log.debug(`No permission to update association`, { fieldPath, value, updateParams });
+      return keyValue;
+    } else {
+      const repo = ctx.database.getRepository(target);
+      if (!repo) {
+        ctx.log.debug(`Repository not found for association target`, { fieldPath, target });
+        return keyValue;
+      }
+      try {
+        if (allowedRecordKeys) {
+          if (!allowedRecordKeys.has(keyValue)) {
+            const created = await tryFallbackToCreate(
+              `No permission to update association due to scope, try create not exist record`,
+              existingRecordKeys ? existingRecordKeys.has(keyValue) : void 0
+            );
+            if (created !== void 0) {
+              return created;
+            }
+            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
+            return keyValue;
+          }
+        } else {
+          const filter = await resolveScopeFilter(ctx, target, updateParams.params);
+          const record = await repo.findOne({
+            filter: {
+              ...filter,
+              [recordKey]: keyValue
+            }
+          });
+          if (!record) {
+            const created = await tryFallbackToCreate(
+              `No permission to update association due to scope, try create not exist record`
+            );
+            if (created !== void 0) {
+              return created;
+            }
+            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
+            return keyValue;
+          }
+        }
+        return await processValues(ctx, value, updateAssociationValues, updateParams.params, target, fieldPath, []);
+      } catch (e) {
+        if (e instanceof import_acl.NoPermissionError) {
+          return keyValue;
+        }
+        throw e;
+      }
+    }
+  }
+  if (createParams) {
+    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
+  }
+  ctx.log.debug(`No permission to create association`, { fieldPath, value, createParams });
+  return null;
+}
+async function processValues(ctx, values, updateAssociationValues, aclParams, collectionName, lastFieldPath = "", protectedKeys = []) {
+  var _a;
+  if (Array.isArray(values)) {
+    const result = [];
+    for (const item of values) {
+      if (!import_lodash.default.isPlainObject(item)) {
+        result.push(item);
+        continue;
+      }
+      const processed = await processValues(
+        ctx,
+        item,
+        updateAssociationValues,
+        aclParams,
+        collectionName,
+        lastFieldPath,
+        protectedKeys
+      );
+      if (processed !== null && processed !== void 0) {
+        result.push(processed);
+      }
+    }
+    return result;
+  }
+  if (!values || !import_lodash.default.isPlainObject(values)) {
+    return values;
+  }
+  const db = ctx.database;
+  const collection = db.getCollection(collectionName);
+  if (!collection) {
+    return values;
+  }
+  if (aclParams == null ? void 0 : aclParams.whitelist) {
+    const combined = import_lodash.default.uniq([...aclParams.whitelist, ...protectedKeys]);
+    values = import_lodash.default.pick(values, combined);
+  }
+  for (const [fieldName, fieldValue] of Object.entries(values)) {
+    if (protectedKeys.includes(fieldName)) {
+      continue;
+    }
+    const field = collection.getField(fieldName);
+    const isAssociation = field && ["hasOne", "hasMany", "belongsTo", "belongsToMany", "belongsToArray"].includes(field.type);
+    if (!isAssociation) {
+      continue;
+    }
+    const targetCollection = db.getCollection(field.target);
+    if (!targetCollection) {
+      delete values[fieldName];
+      continue;
+    }
+    const fieldPath = lastFieldPath ? `${lastFieldPath}.${fieldName}` : fieldName;
+    const recordKey = field.type === "hasOne" ? targetCollection.model.primaryKeyAttribute : field.targetKey;
+    const canUpdateAssociation = updateAssociationValues.includes(fieldPath);
+    if (!canUpdateAssociation) {
+      const normalized = normalizeAssociationValue(fieldValue, recordKey);
+      if (normalized === void 0 && !protectedKeys.includes(fieldName)) {
+        delete values[fieldName];
+      } else {
+        values[fieldName] = normalized;
+      }
+      ctx.log.debug(`Not allow to update association, only keep keys`, {
+        fieldPath,
+        fieldValue,
+        updateAssociationValues,
+        recordKey,
+        normalizedValue: values[fieldName]
+      });
+      continue;
+    }
+    const createParams = ctx.can({
+      roles: ctx.state.currentRoles,
+      resource: field.target,
+      action: "create"
+    });
+    const updateParams = ctx.can({
+      roles: ctx.state.currentRoles,
+      resource: field.target,
+      action: "update"
+    });
+    if (Array.isArray(fieldValue)) {
+      const processed = [];
+      let allowedRecordKeys;
+      let existingRecordKeys;
+      if (updateParams) {
+        const allowedResult = await collectAllowedRecordKeys(ctx, fieldValue, recordKey, updateParams, field.target);
+        allowedRecordKeys = allowedResult == null ? void 0 : allowedResult.allowedKeys;
+        if (createParams && ((_a = allowedResult == null ? void 0 : allowedResult.missingKeys) == null ? void 0 : _a.size)) {
+          existingRecordKeys = await collectExistingRecordKeys(ctx, recordKey, field.target, allowedResult.missingKeys);
+        }
+      }
+      for (const item of fieldValue) {
+        const r2 = await processAssociationChild(
+          ctx,
+          item,
+          recordKey,
+          updateAssociationValues,
+          createParams,
+          updateParams,
+          field.target,
+          fieldPath,
+          allowedRecordKeys,
+          existingRecordKeys
+        );
+        if (r2 !== null && r2 !== void 0) {
+          processed.push(r2);
+        }
+      }
+      values[fieldName] = processed;
+      continue;
+    }
+    const r = await processAssociationChild(
+      ctx,
+      fieldValue,
+      recordKey,
+      updateAssociationValues,
+      createParams,
+      updateParams,
+      field.target,
+      fieldPath
+    );
+    values[fieldName] = r;
+  }
+  return values;
+}
+const checkChangesWithAssociation = async (ctx, next) => {
+  var _a, _b;
+  const { resourceName, actionName } = ctx.action;
+  if (!["create", "firstOrCreate", "updateOrCreate", "update"].includes(actionName)) {
+    return next();
+  }
+  if ((_a = ctx.permission) == null ? void 0 : _a.skip) {
+    return next();
+  }
+  const roles = ctx.state.currentRoles;
+  if (roles.includes("root")) {
+    return next();
+  }
+  const acl = ctx.acl;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const params = ctx.action.params || {};
+  const rawValues = params.values;
+  if (import_lodash.default.isEmpty(rawValues)) {
+    return next();
+  }
+  const protectedKeys = ["firstOrCreate", "updateOrCreate"].includes(actionName) ? params.filterKeys || [] : [];
+  const aclParams = ((_b = ctx.permission.can) == null ? void 0 : _b.params) || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
+  const processed = await processValues(
+    ctx,
+    rawValues,
+    params.updateAssociationValues || [],
+    aclParams,
+    resourceName,
+    "",
+    protectedKeys
+  );
+  ctx.action.params.values = processed;
+  await next();
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkChangesWithAssociation
+});

package/dist/server/middlewares/with-acl-meta.js

@@ -95,10 +95,13 @@ function createWithACLMetaMiddleware() {
           return void 0;
         },
         app: {
+          dataSourceManager: ctx.app.dataSourceManager,
           getDb() {
             return db;
           }
         },
+        log: ctx.log,
+        logger: ctx.logger,
         getCurrentRepository: ctx.getCurrentRepository,
         action: {
           actionName: action,

package/dist/server/migrations/20251119225252-update-member-default-permission.d.ts

@@ -0,0 +1,14 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Migration } from '@nocobase/server';
+export default class extends Migration {
+    on: string;
+    appVersion: string;
+    up(): Promise<void>;
+}