@nocobase/plugin-acl 2.1.0-alpha.1 → 2.1.0-alpha.11

package/dist/server/middlewares/check-association-operate.js

@@ -31,7 +31,7 @@ __export(check_association_operate_exports, {
 module.exports = __toCommonJS(check_association_operate_exports);
 var import_acl = require("@nocobase/acl");
 async function checkAssociationOperate(ctx, next) {
-  var _a;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j;
   const { actionName, resourceName, sourceId } = ctx.action;
   if (!(resourceName.includes(".") && ["add", "set", "remove", "toggle"].includes(actionName))) {
     return next();
@@ -59,12 +59,21 @@ async function checkAssociationOperate(ctx, next) {
   }
   if (params.filter) {
     try {
-      const filteredParams = ctx.acl.filterParams(ctx, resource, params);
-      const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
-      const repo = ctx.db.getRepository(resource);
+      const timezone = ((_c = (_b = ctx.request) == null ? void 0 : _b.get) == null ? void 0 : _c.call(_b, "x-timezone")) ?? ((_e = (_d = ctx.request) == null ? void 0 : _d.header) == null ? void 0 : _e["x-timezone"]) ?? ((_g = (_f = ctx.req) == null ? void 0 : _f.headers) == null ? void 0 : _g["x-timezone"]);
+      const collection = (_i = (_h = ctx.database) == null ? void 0 : _h.getCollection) == null ? void 0 : _i.call(_h, resource);
+      (0, import_acl.checkFilterParams)(collection, params.filter);
+      const parsedFilter = await (0, import_acl.parseJsonTemplate)(params.filter, {
+        state: ctx.state,
+        timezone,
+        userProvider: (0, import_acl.createUserProvider)({
+          db: ctx.db,
+          currentUser: (_j = ctx.state) == null ? void 0 : _j.currentUser
+        })
+      });
+      const repo = ctx.database.getRepository(resource);
       const record = await repo.findOne({
         filterByTk: sourceId,
-        filter: parsedParams.filter
+        filter: parsedFilter ?? params.filter
       });
       if (!record) {
         ctx.throw(403, "No permissions");

package/dist/server/middlewares/check-change-with-association.d.ts

@@ -0,0 +1,30 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ACL, UserProvider } from '@nocobase/acl';
+import { Context, Next } from '@nocobase/actions';
+import { Collection } from '@nocobase/database';
+export type SanitizeAssociationValuesOptions = {
+    acl?: ACL;
+    resourceName: string;
+    actionName: string;
+    values: any;
+    updateAssociationValues?: string[];
+    protectedKeys?: string[];
+    aclParams?: any;
+    roles?: string[];
+    currentRole?: string;
+    currentUser?: any;
+    collection?: Collection;
+    db?: any;
+    database?: any;
+    timezone?: string;
+    userProvider?: UserProvider;
+};
+export declare function sanitizeAssociationValues(options: SanitizeAssociationValuesOptions): Promise<any>;
+export declare const checkChangesWithAssociation: (ctx: Context, next: Next) => Promise<any>;

package/dist/server/middlewares/check-change-with-association.js

@@ -0,0 +1,469 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_change_with_association_exports = {};
+__export(check_change_with_association_exports, {
+  checkChangesWithAssociation: () => checkChangesWithAssociation,
+  sanitizeAssociationValues: () => sanitizeAssociationValues
+});
+module.exports = __toCommonJS(check_change_with_association_exports);
+var import_acl = require("@nocobase/acl");
+var import_lodash = __toESM(require("lodash"));
+async function sanitizeAssociationValues(options) {
+  var _a, _b, _c;
+  const {
+    acl,
+    resourceName,
+    actionName,
+    values,
+    updateAssociationValues = [],
+    protectedKeys = [],
+    aclParams
+  } = options;
+  if (import_lodash.default.isEmpty(values)) {
+    return values;
+  }
+  const collection = options.collection ?? ((_b = (_a = options.database ?? options.db) == null ? void 0 : _a.getCollection) == null ? void 0 : _b.call(_a, resourceName));
+  if (!collection) {
+    return values;
+  }
+  const params = aclParams ?? (acl ? (_c = acl.fixedParamsManager) == null ? void 0 : _c.getParams(resourceName, actionName) : void 0);
+  const roles = options.roles;
+  const can = (canOptions) => (acl == null ? void 0 : acl.can({ roles: (roles == null ? void 0 : roles.length) ? roles : ["anonymous"], ...canOptions })) ?? null;
+  const parseOptions = {
+    timezone: options.timezone,
+    userProvider: options.userProvider,
+    state: {
+      currentRole: options.currentRole,
+      currentRoles: options.roles,
+      currentUser: options.currentUser
+    }
+  };
+  return await processValues({
+    values,
+    updateAssociationValues,
+    aclParams: params,
+    collection,
+    lastFieldPath: "",
+    protectedKeys,
+    can,
+    parseOptions
+  });
+}
+const checkChangesWithAssociation = async (ctx, next) => {
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
+  const timezone = ((_b = (_a = ctx.request) == null ? void 0 : _a.get) == null ? void 0 : _b.call(_a, "x-timezone")) ?? ((_d = (_c = ctx.request) == null ? void 0 : _c.header) == null ? void 0 : _d["x-timezone"]) ?? ((_f = (_e = ctx.req) == null ? void 0 : _e.headers) == null ? void 0 : _f["x-timezone"]);
+  const { resourceName, actionName } = ctx.action;
+  if (!["create", "firstOrCreate", "updateOrCreate", "update"].includes(actionName)) {
+    return next();
+  }
+  if ((_g = ctx.permission) == null ? void 0 : _g.skip) {
+    return next();
+  }
+  const roles = ctx.state.currentRoles;
+  if (roles.includes("root")) {
+    return next();
+  }
+  const acl = ctx.acl;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole == null ? void 0 : aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const params = ctx.action.params || {};
+  const rawValues = params.values;
+  if (import_lodash.default.isEmpty(rawValues)) {
+    return next();
+  }
+  const protectedKeys = ["firstOrCreate", "updateOrCreate"].includes(actionName) ? params.filterKeys || [] : [];
+  const collection = (_i = (_h = ctx.database ?? ctx.db) == null ? void 0 : _h.getCollection) == null ? void 0 : _i.call(_h, resourceName);
+  const processed = await sanitizeAssociationValues({
+    acl,
+    collection,
+    resourceName,
+    actionName,
+    values: rawValues,
+    updateAssociationValues: params.updateAssociationValues || [],
+    protectedKeys,
+    roles,
+    currentRole: ctx.state.currentRole,
+    currentUser: ctx.state.currentUser,
+    aclParams: (_k = (_j = ctx.permission) == null ? void 0 : _j.can) == null ? void 0 : _k.params,
+    timezone,
+    userProvider: (0, import_acl.createUserProvider)({
+      dataSourceManager: (_l = ctx.app) == null ? void 0 : _l.dataSourceManager,
+      currentUser: (_m = ctx.state) == null ? void 0 : _m.currentUser
+    })
+  });
+  ctx.action.params.values = processed;
+  await next();
+};
+async function processValues(options) {
+  var _a, _b;
+  const {
+    values,
+    updateAssociationValues,
+    aclParams,
+    collection,
+    lastFieldPath = "",
+    protectedKeys = [],
+    can,
+    parseOptions
+  } = options;
+  if (Array.isArray(values)) {
+    const result = [];
+    for (const item of values) {
+      if (!import_lodash.default.isPlainObject(item)) {
+        result.push(item);
+        continue;
+      }
+      const processed = await processValues({
+        values: item,
+        updateAssociationValues,
+        aclParams,
+        collection,
+        lastFieldPath,
+        protectedKeys,
+        can,
+        parseOptions
+      });
+      if (processed !== null && processed !== void 0) {
+        result.push(processed);
+      }
+    }
+    return result;
+  }
+  if (!values || !import_lodash.default.isPlainObject(values)) {
+    return values;
+  }
+  if (!collection) {
+    return values;
+  }
+  let v = values;
+  if (aclParams == null ? void 0 : aclParams.whitelist) {
+    const combined = import_lodash.default.uniq([...aclParams.whitelist, ...protectedKeys]);
+    v = import_lodash.default.pick(values, combined);
+  }
+  for (const [fieldName, fieldValue] of Object.entries(v)) {
+    if (protectedKeys.includes(fieldName)) {
+      continue;
+    }
+    const field = collection.getField(fieldName);
+    const isAssociation = field && ["hasOne", "hasMany", "belongsTo", "belongsToMany", "belongsToArray"].includes(field.type);
+    if (!isAssociation) {
+      continue;
+    }
+    const targetCollection = collection.db.getCollection(field.target);
+    if (!targetCollection) {
+      delete v[fieldName];
+      continue;
+    }
+    const fieldPath = lastFieldPath ? `${lastFieldPath}.${fieldName}` : fieldName;
+    const recordKey = field.type === "hasOne" ? targetCollection.model.primaryKeyAttribute : field.targetKey;
+    const canUpdateAssociation = updateAssociationValues.includes(fieldPath);
+    if (!canUpdateAssociation) {
+      const normalized = normalizeAssociationValue(fieldValue, recordKey);
+      if (normalized === void 0 && !protectedKeys.includes(fieldName)) {
+        delete v[fieldName];
+      } else {
+        v[fieldName] = normalized;
+      }
+      continue;
+    }
+    const createParams = can == null ? void 0 : can({
+      resource: field.target,
+      action: "create"
+    });
+    const updateParams = can == null ? void 0 : can({
+      resource: field.target,
+      action: "update"
+    });
+    if (Array.isArray(fieldValue)) {
+      const processed = [];
+      let allowedRecordKeys;
+      let existingRecordKeys;
+      if (updateParams) {
+        const allowedResult = await collectAllowedRecordKeys(
+          fieldValue,
+          recordKey,
+          (_a = updateParams == null ? void 0 : updateParams.params) == null ? void 0 : _a.filter,
+          targetCollection,
+          parseOptions
+        );
+        allowedRecordKeys = allowedResult == null ? void 0 : allowedResult.allowedKeys;
+        if (createParams && ((_b = allowedResult == null ? void 0 : allowedResult.missingKeys) == null ? void 0 : _b.size)) {
+          existingRecordKeys = await collectExistingRecordKeys(recordKey, targetCollection, allowedResult.missingKeys);
+        }
+      }
+      for (const item of fieldValue) {
+        const r2 = await processAssociationChild({
+          value: item,
+          recordKey,
+          updateAssociationValues,
+          createParams,
+          updateParams,
+          target: targetCollection,
+          fieldPath,
+          allowedRecordKeys,
+          existingRecordKeys,
+          can,
+          parseOptions
+        });
+        if (r2 !== null && r2 !== void 0) {
+          processed.push(r2);
+        }
+      }
+      v[fieldName] = processed;
+      continue;
+    }
+    const r = await processAssociationChild({
+      value: fieldValue,
+      recordKey,
+      updateAssociationValues,
+      createParams,
+      updateParams,
+      target: targetCollection,
+      fieldPath,
+      can,
+      parseOptions
+    });
+    v[fieldName] = r;
+  }
+  return v;
+}
+function normalizeAssociationValue(value, recordKey) {
+  if (!value) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    const result = value.map((v) => typeof v === "number" || typeof v === "string" ? v : v[recordKey]).filter((v) => v !== null && v !== void 0);
+    return result.length > 0 ? result : void 0;
+  }
+  return typeof value === "number" || typeof value === "string" ? value : value[recordKey];
+}
+async function collectAllowedRecordKeys(items, recordKey, filter, collection, parseOptions) {
+  if (!collection) {
+    return;
+  }
+  const { repository } = collection;
+  const keys = items.map((item) => import_lodash.default.isPlainObject(item) ? item[recordKey] : void 0).filter((key) => key !== void 0 && key !== null);
+  if (!keys.length) {
+    return;
+  }
+  try {
+    (0, import_acl.checkFilterParams)(collection, filter);
+    const scopedFilter = filter ? await (0, import_acl.parseJsonTemplate)(filter, parseOptions) : {};
+    const records = await repository.find({
+      filter: {
+        ...scopedFilter,
+        [`${recordKey}.$in`]: keys
+      }
+    });
+    const allowedKeys = /* @__PURE__ */ new Set();
+    for (const record of records) {
+      const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+      if (key !== void 0 && key !== null) {
+        allowedKeys.add(key);
+      }
+    }
+    const missingKeys = new Set(keys.filter((key) => !allowedKeys.has(key)));
+    return { allowedKeys, missingKeys };
+  } catch (e) {
+    if (e instanceof import_acl.NoPermissionError) {
+      return {
+        allowedKeys: /* @__PURE__ */ new Set(),
+        missingKeys: new Set(keys)
+      };
+    }
+    throw e;
+  }
+}
+async function collectExistingRecordKeys(recordKey, collection, keys) {
+  const { repository } = collection;
+  if (!repository) {
+    return /* @__PURE__ */ new Set();
+  }
+  const keyList = Array.from(keys);
+  if (!keyList.length) {
+    return /* @__PURE__ */ new Set();
+  }
+  const records = await repository.find({
+    filter: {
+      [`${recordKey}.$in`]: keyList
+    }
+  });
+  const existingKeys = /* @__PURE__ */ new Set();
+  for (const record of records) {
+    const key = typeof record.get === "function" ? record.get(recordKey) : record[recordKey];
+    if (key !== void 0 && key !== null) {
+      existingKeys.add(key);
+    }
+  }
+  return existingKeys;
+}
+async function recordExistsWithoutScope(collection, recordKey, keyValue) {
+  const { repository } = collection;
+  if (!repository) {
+    return false;
+  }
+  const record = await repository.findOne({
+    filter: {
+      [recordKey]: keyValue
+    }
+  });
+  return Boolean(record);
+}
+async function processAssociationChild(options) {
+  var _a, _b;
+  const {
+    value,
+    recordKey,
+    updateAssociationValues,
+    createParams,
+    updateParams,
+    target,
+    fieldPath,
+    allowedRecordKeys,
+    existingRecordKeys,
+    can,
+    parseOptions
+  } = options;
+  const keyValue = value == null ? void 0 : value[recordKey];
+  const fallbackToCreate = async () => {
+    if (!createParams) {
+      return keyValue;
+    }
+    return await processValues({
+      values: value,
+      updateAssociationValues,
+      aclParams: createParams.params,
+      collection: target,
+      lastFieldPath: fieldPath,
+      protectedKeys: [],
+      can,
+      parseOptions
+    });
+  };
+  const tryFallbackToCreate = async (reason, knownExists) => {
+    if (!createParams) {
+      return void 0;
+    }
+    const recordExists = typeof knownExists === "boolean" ? knownExists : await recordExistsWithoutScope(target, recordKey, keyValue);
+    if (!recordExists) {
+      return await fallbackToCreate();
+    }
+    return void 0;
+  };
+  if (keyValue !== void 0 && keyValue !== null) {
+    if (!updateParams) {
+      const created = await tryFallbackToCreate(`No permission to update association, try create not exist record`);
+      if (created !== void 0) {
+        return created;
+      }
+      return keyValue;
+    }
+    const { repository } = target;
+    if (!repository) {
+      return keyValue;
+    }
+    try {
+      if (allowedRecordKeys) {
+        if (!allowedRecordKeys.has(keyValue)) {
+          const created = await tryFallbackToCreate(
+            `No permission to update association due to scope, try create not exist record`,
+            existingRecordKeys ? existingRecordKeys.has(keyValue) : void 0
+          );
+          if (created !== void 0) {
+            return created;
+          }
+          return keyValue;
+        }
+      } else {
+        (0, import_acl.checkFilterParams)(target, (_a = updateParams.params) == null ? void 0 : _a.filter);
+        const filter = await (0, import_acl.parseJsonTemplate)((_b = updateParams.params) == null ? void 0 : _b.filter, parseOptions);
+        const record = await repository.findOne({
+          filter: {
+            ...filter,
+            [recordKey]: keyValue
+          }
+        });
+        if (!record) {
+          const created = await tryFallbackToCreate(
+            `No permission to update association due to scope, try create not exist record`
+          );
+          if (created !== void 0) {
+            return created;
+          }
+          return keyValue;
+        }
+      }
+      return await processValues({
+        values: value,
+        updateAssociationValues,
+        aclParams: updateParams.params,
+        collection: target,
+        lastFieldPath: fieldPath,
+        protectedKeys: [],
+        can,
+        parseOptions
+      });
+    } catch (e) {
+      if (e instanceof import_acl.NoPermissionError) {
+        return keyValue;
+      }
+      throw e;
+    }
+  }
+  if (createParams) {
+    return await processValues({
+      values: value,
+      updateAssociationValues,
+      aclParams: createParams.params,
+      collection: target,
+      lastFieldPath: fieldPath,
+      protectedKeys: [],
+      can,
+      parseOptions
+    });
+  }
+  return null;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkChangesWithAssociation,
+  sanitizeAssociationValues
+});

package/dist/server/middlewares/with-acl-meta.js

@@ -71,7 +71,11 @@ function createWithACLMetaMiddleware() {
     if (collection.isMultiFilterTargetKey()) {
       return;
     }
-    const primaryKeyField = Model.primaryKeyField || Model.primaryKeyAttribute;
+    const filterTargetKey = collection.filterTargetKey;
+    if (!filterTargetKey || typeof filterTargetKey !== "string") {
+      return;
+    }
+    const primaryKeyField = filterTargetKey;
     let listData;
     if ((_a = ctx.body) == null ? void 0 : _a.data) {
       listData = ctx.data;
@@ -90,7 +94,8 @@ function createWithACLMetaMiddleware() {
     const actionsParams = [];
     for (const action of inspectActions) {
       const actionCtx = {
-        db,
+        db: ctx.db,
+        database: db,
         get: () => {
           return void 0;
         },
@@ -113,6 +118,7 @@ function createWithACLMetaMiddleware() {
           }
         },
         state: {
+          ...ctx.state,
           currentRole: ctx.state.currentRole,
           currentRoles: ctx.state.currentRoles,
           currentUser: (() => {

package/dist/server/migrations/20251119225252-update-member-default-permission.js

@@ -33,7 +33,7 @@ var import_server = require("@nocobase/server");
 class update_member_default_permission_default extends import_server.Migration {
   on = "afterLoad";
   // 'beforeLoad' or 'afterLoad'
-  appVersion = "<2.0.0";
+  appVersion = "<2.1.0";
   async up() {
     const repo = this.db.getRepository("roles");
     const role = await repo.findOne({

package/dist/server/server.d.ts

@@ -11,8 +11,13 @@ import { Plugin } from '@nocobase/server';
 import { RoleModel } from './model/RoleModel';
 import { RoleResourceActionModel } from './model/RoleResourceActionModel';
 import { RoleResourceModel } from './model/RoleResourceModel';
+import { SanitizeAssociationValuesOptions } from './middlewares/check-change-with-association';
+import type { ACL } from '@nocobase/acl';
 export declare class PluginACLServer extends Plugin {
-    get acl(): import("@nocobase/acl").ACL;
+    get acl(): ACL;
+    sanitizeAssociationValues(options: SanitizeAssociationValuesOptions & {
+        acl?: ACL;
+    }): Promise<any>;
     writeResourceToACL(resourceModel: RoleResourceModel, transaction: Transaction): Promise<void>;
     writeActionToACL(actionModel: RoleResourceActionModel, transaction: Transaction): Promise<void>;
     handleSyncMessage(message: any): Promise<void>;

package/dist/server/server.js

@@ -56,10 +56,17 @@ var import_RoleResourceActionModel = require("./model/RoleResourceActionModel");
 var import_RoleResourceModel = require("./model/RoleResourceModel");
 var import_union_role = require("./actions/union-role");
 var import_check_association_operate = require("./middlewares/check-association-operate");
+var import_check_change_with_association = require("./middlewares/check-change-with-association");
 class PluginACLServer extends import_server.Plugin {
   get acl() {
     return this.app.acl;
   }
+  async sanitizeAssociationValues(options) {
+    return (0, import_check_change_with_association.sanitizeAssociationValues)({
+      ...options,
+      acl: options.acl ?? this.acl
+    });
+  }
   async writeResourceToACL(resourceModel, transaction) {
     await resourceModel.writeToACL({
       acl: this.acl,
@@ -144,6 +151,7 @@ class PluginACLServer extends import_server.Plugin {
         "roles.dataSourcesCollections:*",
         "roles.dataSourceResources:*",
         "dataSourcesRolesResourcesScopes:*",
+        "dataSourcesRolesResourcesActions:*",
         "rolesResourcesScopes:*"
       ]
     });
@@ -503,7 +511,6 @@ class PluginACLServer extends import_server.Plugin {
       }
       return next();
     });
-    const parseJsonTemplate = this.app.acl.parseJsonTemplate;
     this.app.acl.beforeGrantAction(async (ctx) => {
       const actionName = this.app.acl.resolveActionAlias(ctx.actionName);
       if (import_lodash.default.isPlainObject(ctx.params)) {
@@ -575,6 +582,12 @@ class PluginACLServer extends import_server.Plugin {
       dataSource.acl.use(import_check_association_operate.checkAssociationOperate, {
         before: "core"
       });
+      if (dataSource.options.acl !== false && dataSource.options.useACL !== false) {
+        dataSource.resourceManager.registerPreActionHandler("create", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("firstOrCreate", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("updateOrCreate", import_check_change_with_association.checkChangesWithAssociation);
+        dataSource.resourceManager.registerPreActionHandler("update", import_check_change_with_association.checkChangesWithAssociation);
+      }
     });
     this.db.on("afterUpdateCollection", async (collection) => {
       if (collection.options.loadedFromCollectionManager || collection.options.asStrategyResource) {