@nocobase/plugin-acl 2.1.0-alpha.1 → 2.1.0-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/LICENSE +201 -661
  2. package/README.md +79 -10
  3. package/client-v2.d.ts +2 -0
  4. package/client-v2.js +1 -0
  5. package/dist/client/a8ee1085b1883873.js +10 -0
  6. package/dist/client/d4b1aca44e7fa5bc.js +10 -0
  7. package/dist/client/index.js +1 -1
  8. package/dist/client-v2/2d20c90fbb39ce2a.js +10 -0
  9. package/dist/client-v2/809ab4bace5cbbcf.js +10 -0
  10. package/dist/client-v2/90be8e43cfaeafd9.js +10 -0
  11. package/dist/client-v2/9b3f3766358e320c.js +10 -0
  12. package/dist/client-v2/index.d.ts +9 -0
  13. package/dist/client-v2/index.js +10 -0
  14. package/dist/client-v2/plugin.d.ts +5 -0
  15. package/dist/client-v2/routes/AppInfoDemoRoute.d.ts +10 -0
  16. package/dist/client-v2/routes/DemoHomepageRoute.d.ts +10 -0
  17. package/dist/client-v2/routes/FlowSettingsComponentLoaderDemoRoute.d.ts +2 -0
  18. package/dist/client-v2/settings/DemoFlowSettingsLazyField.d.ts +10 -0
  19. package/dist/externalVersion.js +10 -8
  20. package/dist/server/middlewares/check-association-operate.js +14 -5
  21. package/dist/server/middlewares/check-change-with-association.d.ts +30 -0
  22. package/dist/server/middlewares/check-change-with-association.js +469 -0
  23. package/dist/server/middlewares/with-acl-meta.js +8 -2
  24. package/dist/server/migrations/20251119225252-update-member-default-permission.js +1 -1
  25. package/dist/server/server.d.ts +6 -1
  26. package/dist/server/server.js +14 -1
  27. package/dist/swagger/index.d.ts +795 -149
  28. package/dist/swagger/index.js +670 -183
  29. package/package.json +11 -4
  30. package/dist/client/0655d5ded9f45bb1.js +0 -10
  31. package/dist/client/50204a14518b3a0d.js +0 -10
package/dist/swagger/index.js CHANGED
@@ -32,23 +32,23 @@ module.exports = __toCommonJS(swagger_exports);
32
32
  var swagger_default = {
33
33
  openapi: "3.0.2",
34
34
  info: {
35
- title: "NocoBase API - ACL plugin"
35
+ title: "NocoBase API - ACL plugin",
36
+ version: "1.0.0"
36
37
  },
37
38
  paths: {
38
39
  "/roles:list": {
39
40
  get: {
40
41
  tags: ["roles"],
41
- description: "",
42
- parameters: [],
42
+ summary: "List roles",
43
43
  responses: {
44
44
  200: {
45
- description: "ok",
45
+ description: "OK",
46
46
  content: {
47
47
  "application/json": {
48
48
  schema: {
49
49
  type: "array",
50
50
  items: {
51
- $ref: "#/components/schemas/role"
51
+ $ref: "#/components/schemas/Role"
52
52
  }
53
53
  }
54
54
  }
@@ -60,25 +60,15 @@ var swagger_default = {
60
60
  "/roles:get": {
61
61
  get: {
62
62
  tags: ["roles"],
63
- description: "",
64
- parameters: [
65
- {
66
- name: "filterByTk",
67
- in: "query",
68
- description: "role name",
69
- required: true,
70
- schema: {
71
- type: "string"
72
- }
73
- }
74
- ],
63
+ summary: "Get a role",
64
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
75
65
  responses: {
76
66
  200: {
77
- description: "ok",
67
+ description: "OK",
78
68
  content: {
79
69
  "application/json": {
80
70
  schema: {
81
- $ref: "#/components/schemas/role"
71
+ $ref: "#/components/schemas/Role"
82
72
  }
83
73
  }
84
74
  }
@@ -89,23 +79,25 @@ var swagger_default = {
89
79
  "/roles:create": {
90
80
  post: {
91
81
  tags: ["roles"],
92
- description: "",
82
+ summary: "Create a role",
83
+ description: "Create a role. Request body uses direct role values.",
93
84
  requestBody: {
85
+ required: true,
94
86
  content: {
95
87
  "application/json": {
96
88
  schema: {
97
- $ref: "#/components/schemas/role"
89
+ $ref: "#/components/schemas/RoleWrite"
98
90
  }
99
91
  }
100
92
  }
101
93
  },
102
94
  responses: {
103
- "200": {
95
+ 200: {
104
96
  description: "OK",
105
97
  content: {
106
98
  "application/json": {
107
99
  schema: {
108
- $ref: "#/components/schemas/role"
100
+ $ref: "#/components/schemas/Role"
109
101
  }
110
102
  }
111
103
  }
@@ -116,34 +108,26 @@ var swagger_default = {
116
108
  "/roles:update": {
117
109
  post: {
118
110
  tags: ["roles"],
119
- description: "",
120
- parameters: [
121
- {
122
- name: "filterByTk",
123
- in: "query",
124
- description: "role name",
125
- required: true,
126
- schema: {
127
- type: "string"
128
- }
129
- }
130
- ],
111
+ summary: "Update a role",
112
+ description: "Update a role by role name (`filterByTk`). Commonly used for role metadata and system permission snippets.",
113
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
131
114
  requestBody: {
115
+ required: true,
132
116
  content: {
133
117
  "application/json": {
134
118
  schema: {
135
- $ref: "#/components/schemas/role"
119
+ $ref: "#/components/schemas/RoleWrite"
136
120
  }
137
121
  }
138
122
  }
139
123
  },
140
124
  responses: {
141
125
  200: {
142
- description: "ok",
126
+ description: "OK",
143
127
  content: {
144
128
  "application/json": {
145
129
  schema: {
146
- $ref: "#/components/schemas/role"
130
+ $ref: "#/components/schemas/Role"
147
131
  }
148
132
  }
149
133
  }
@@ -154,20 +138,10 @@ var swagger_default = {
154
138
  "/roles:destroy": {
155
139
  post: {
156
140
  tags: ["roles"],
157
- description: "",
158
- parameters: [
159
- {
160
- name: "filterByTk",
161
- in: "query",
162
- description: "role name",
163
- required: true,
164
- schema: {
165
- type: "string"
166
- }
167
- }
168
- ],
141
+ summary: "Destroy a role",
142
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
169
143
  responses: {
170
- "200": {
144
+ 200: {
171
145
  description: "OK"
172
146
  }
173
147
  }
@@ -176,14 +150,15 @@ var swagger_default = {
176
150
  "/roles:check": {
177
151
  get: {
178
152
  tags: ["roles"],
179
- description: "return current user role",
153
+ summary: "Check current role context",
154
+ description: "Return the current effective role context, including role mode and resolved ACL action map for the current user.",
180
155
  responses: {
181
156
  200: {
182
- description: "ok",
157
+ description: "OK",
183
158
  content: {
184
159
  "application/json": {
185
160
  schema: {
186
- $ref: "#/components/schemas/role"
161
+ $ref: "#/components/schemas/RoleCheck"
187
162
  }
188
163
  }
189
164
  }
@@ -194,82 +169,298 @@ var swagger_default = {
194
169
  "/roles:setDefaultRole": {
195
170
  post: {
196
171
  tags: ["roles"],
197
- description: "set default role for new user",
172
+ summary: "Set default role for new users",
198
173
  requestBody: {
174
+ required: true,
199
175
  content: {
200
176
  "application/json": {
201
177
  schema: {
202
178
  type: "object",
203
179
  properties: {
204
- roleName: {
205
- type: "string"
180
+ roleName: { type: "string" }
181
+ },
182
+ required: ["roleName"]
183
+ }
184
+ }
185
+ }
186
+ },
187
+ responses: {
188
+ 200: {
189
+ description: "OK"
190
+ }
191
+ }
192
+ }
193
+ },
194
+ "/roles:setSystemRoleMode": {
195
+ post: {
196
+ tags: ["roles"],
197
+ summary: "Set system role mode",
198
+ description: "Set the system role mode. Valid values are `default`, `allow-use-union`, and `only-use-union`.",
199
+ requestBody: {
200
+ required: true,
201
+ content: {
202
+ "application/json": {
203
+ schema: {
204
+ $ref: "#/components/schemas/RoleModeWrite"
205
+ }
206
+ }
207
+ }
208
+ },
209
+ responses: {
210
+ 200: {
211
+ description: "OK"
212
+ }
213
+ }
214
+ }
215
+ },
216
+ "/dataSources/{dataSourceKey}/roles:update": {
217
+ post: {
218
+ tags: ["dataSources.roles"],
219
+ summary: "Update global ACL strategy for a role in a data source",
220
+ description: "Configure global table permissions for a role inside a data source. Request body typically includes `roleName`, `dataSourceKey`, and `strategy.actions`.",
221
+ parameters: [
222
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
223
+ { $ref: "#/components/parameters/RoleNameQuery" }
224
+ ],
225
+ requestBody: {
226
+ required: true,
227
+ content: {
228
+ "application/json": {
229
+ schema: {
230
+ $ref: "#/components/schemas/DataSourceRole"
231
+ }
232
+ }
233
+ }
234
+ },
235
+ responses: {
236
+ 200: {
237
+ description: "OK",
238
+ content: {
239
+ "application/json": {
240
+ schema: {
241
+ $ref: "#/components/schemas/DataSourceRole"
242
+ }
243
+ }
244
+ }
245
+ }
246
+ }
247
+ }
248
+ },
249
+ "/dataSources/{dataSourceKey}/roles:get": {
250
+ get: {
251
+ tags: ["dataSources.roles"],
252
+ summary: "Get global ACL strategy for a role in a data source",
253
+ parameters: [
254
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
255
+ { $ref: "#/components/parameters/RoleNameQuery" }
256
+ ],
257
+ responses: {
258
+ 200: {
259
+ description: "OK",
260
+ content: {
261
+ "application/json": {
262
+ schema: {
263
+ $ref: "#/components/schemas/DataSourceRole"
264
+ }
265
+ }
266
+ }
267
+ }
268
+ }
269
+ }
270
+ },
271
+ "/roles/{roleName}/dataSourcesCollections:list": {
272
+ get: {
273
+ tags: ["roles.dataSourcesCollections"],
274
+ summary: "List data-source collections in role permission configuration",
275
+ description: "List collections in the target data source for the given role and indicate whether they use global permissions or collection-level independent permissions.",
276
+ parameters: [
277
+ { $ref: "#/components/parameters/RoleNamePath" },
278
+ { $ref: "#/components/parameters/PageQuery" },
279
+ { $ref: "#/components/parameters/PageSizeQuery" },
280
+ { $ref: "#/components/parameters/SortQuery" },
281
+ { $ref: "#/components/parameters/AppendsQuery" },
282
+ { $ref: "#/components/parameters/FilterQuery" }
283
+ ],
284
+ responses: {
285
+ 200: {
286
+ description: "OK",
287
+ content: {
288
+ "application/json": {
289
+ schema: {
290
+ type: "object",
291
+ properties: {
292
+ count: { type: "integer" },
293
+ rows: {
294
+ type: "array",
295
+ items: { $ref: "#/components/schemas/RoleCollectionPermissionRow" }
296
+ },
297
+ page: { type: "integer" },
298
+ pageSize: { type: "integer" },
299
+ totalPage: { type: "integer" }
206
300
  }
207
301
  }
208
302
  }
209
303
  }
210
304
  }
305
+ }
306
+ }
307
+ },
308
+ "/roles/{roleName}/dataSourceResources:create": {
309
+ post: {
310
+ tags: ["roles.dataSourceResources"],
311
+ summary: "Create collection-level independent ACL permissions for a role",
312
+ description: [
313
+ "Create collection-level independent permission config for a role in a data source.",
314
+ "Request body usually includes `name`, `dataSourceKey`, `usingActionsConfig`, and `actions`.",
315
+ "The server uses the role path parameter plus request-body `name` and `dataSourceKey` to create the record."
316
+ ].join("\n"),
317
+ parameters: [{ $ref: "#/components/parameters/RoleNamePath" }, { $ref: "#/components/parameters/FilterQuery" }],
318
+ requestBody: {
319
+ required: true,
320
+ content: {
321
+ "application/json": {
322
+ schema: {
323
+ $ref: "#/components/schemas/RoleDataSourceResourceWrite"
324
+ }
325
+ }
326
+ }
211
327
  },
212
328
  responses: {
213
- "200": {
214
- description: "OK"
329
+ 200: {
330
+ description: "OK",
331
+ content: {
332
+ "application/json": {
333
+ schema: {
334
+ $ref: "#/components/schemas/RoleDataSourceResource"
335
+ }
336
+ }
337
+ }
215
338
  }
216
339
  }
217
340
  }
218
341
  },
219
- "/roles/{roleName}/collections:list": {
342
+ "/roles/{roleName}/dataSourceResources:get": {
220
343
  get: {
221
- tags: ["roles.collections"],
222
- description: "list permissions of collections for role by roleName",
344
+ tags: ["roles.dataSourceResources"],
345
+ summary: "Get one collection-level independent ACL permission for a role",
346
+ description: "Get one collection-level independent permission config. Target it with a `filter` such as `{ name, dataSourceKey }`. Do not rely on `filterByTk` for this endpoint.",
223
347
  parameters: [
224
- {
225
- name: "filterByTk",
226
- in: "query",
227
- description: "role name",
228
- required: true,
229
- schema: {
230
- type: "string"
348
+ { $ref: "#/components/parameters/RoleNamePath" },
349
+ { $ref: "#/components/parameters/FilterQuery" },
350
+ { $ref: "#/components/parameters/AppendsQuery" }
351
+ ],
352
+ responses: {
353
+ 200: {
354
+ description: "OK",
355
+ content: {
356
+ "application/json": {
357
+ schema: {
358
+ $ref: "#/components/schemas/RoleDataSourceResource"
359
+ }
360
+ }
361
+ }
362
+ }
363
+ }
364
+ }
365
+ },
366
+ "/roles/{roleName}/dataSourceResources:update": {
367
+ post: {
368
+ tags: ["roles.dataSourceResources"],
369
+ summary: "Update collection-level independent ACL permissions for a role",
370
+ description: "Update one collection-level independent permission config. Target it with a `filter` such as `{ name, dataSourceKey }`. Do not rely on `filterByTk` for this endpoint.",
371
+ parameters: [{ $ref: "#/components/parameters/RoleNamePath" }, { $ref: "#/components/parameters/FilterQuery" }],
372
+ requestBody: {
373
+ required: true,
374
+ content: {
375
+ "application/json": {
376
+ schema: {
377
+ $ref: "#/components/schemas/RoleDataSourceResourceWrite"
378
+ }
231
379
  }
232
380
  }
381
+ },
382
+ responses: {
383
+ 200: {
384
+ description: "OK",
385
+ content: {
386
+ "application/json": {
387
+ schema: {
388
+ $ref: "#/components/schemas/RoleDataSourceResource"
389
+ }
390
+ }
391
+ }
392
+ }
393
+ }
394
+ }
395
+ },
396
+ "/rolesResourcesScopes:list": {
397
+ get: {
398
+ tags: ["rolesResourcesScopes"],
399
+ summary: "List reusable ACL scopes",
400
+ parameters: [
401
+ { $ref: "#/components/parameters/PageQuery" },
402
+ { $ref: "#/components/parameters/PageSizeQuery" },
403
+ { $ref: "#/components/parameters/FilterQuery" }
233
404
  ],
234
405
  responses: {
235
- "200": {
406
+ 200: {
236
407
  description: "OK",
237
408
  content: {
238
409
  "application/json": {
239
410
  schema: {
240
411
  type: "array",
241
- items: {
242
- type: "object",
243
- properties: {
244
- type: {
245
- type: "string",
246
- description: "collection"
247
- },
248
- name: {
249
- type: "string",
250
- description: "collection name"
251
- },
252
- collectionName: {
253
- type: "string",
254
- description: "collection name"
255
- },
256
- title: {
257
- type: "string",
258
- description: "collection title"
259
- },
260
- roleName: {
261
- type: "string",
262
- description: "role name"
263
- },
264
- usingConfig: {
265
- type: "string",
266
- enum: ["resourceAction", "strategy"],
267
- description: "resourceAction: \u5355\u72EC\u914D\u7F6E, strategy: \u5168\u5C40\u7B56\u7565"
268
- },
269
- exists: {
270
- type: "boolean",
271
- description: "\u662F\u5426\u5B58\u5728\u5355\u72EC\u914D\u7F6E\u7684\u6743\u9650"
272
- }
412
+ items: { $ref: "#/components/schemas/RoleResourceScope" }
413
+ }
414
+ }
415
+ }
416
+ }
417
+ }
418
+ }
419
+ },
420
+ "/rolesResourcesScopes:get": {
421
+ get: {
422
+ tags: ["rolesResourcesScopes"],
423
+ summary: "Get a reusable ACL scope",
424
+ parameters: [{ $ref: "#/components/parameters/ScopePkQuery" }, { $ref: "#/components/parameters/FilterQuery" }],
425
+ responses: {
426
+ 200: {
427
+ description: "OK",
428
+ content: {
429
+ "application/json": {
430
+ schema: {
431
+ $ref: "#/components/schemas/RoleResourceScope"
432
+ }
433
+ }
434
+ }
435
+ }
436
+ }
437
+ }
438
+ },
439
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:list": {
440
+ get: {
441
+ tags: ["dataSources.rolesResourcesScopes"],
442
+ summary: "List reusable ACL scopes in a data source",
443
+ parameters: [
444
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
445
+ { $ref: "#/components/parameters/PageQuery" },
446
+ { $ref: "#/components/parameters/PageSizeQuery" },
447
+ { $ref: "#/components/parameters/FilterQuery" }
448
+ ],
449
+ responses: {
450
+ 200: {
451
+ description: "OK",
452
+ content: {
453
+ "application/json": {
454
+ schema: {
455
+ type: "object",
456
+ properties: {
457
+ data: {
458
+ type: "array",
459
+ items: { $ref: "#/components/schemas/RoleResourceScope" }
460
+ },
461
+ meta: {
462
+ type: "object",
463
+ additionalProperties: true
273
464
  }
274
465
  }
275
466
  }
@@ -279,50 +470,121 @@ var swagger_default = {
279
470
  }
280
471
  }
281
472
  },
473
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:get": {
474
+ get: {
475
+ tags: ["dataSources.rolesResourcesScopes"],
476
+ summary: "Get a reusable ACL scope in a data source",
477
+ parameters: [
478
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
479
+ { $ref: "#/components/parameters/ScopePkQuery" },
480
+ { $ref: "#/components/parameters/FilterQuery" }
481
+ ],
482
+ responses: {
483
+ 200: {
484
+ description: "OK",
485
+ content: {
486
+ "application/json": {
487
+ schema: {
488
+ $ref: "#/components/schemas/RoleResourceScope"
489
+ }
490
+ }
491
+ }
492
+ }
493
+ }
494
+ }
495
+ },
496
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:create": {
497
+ post: {
498
+ tags: ["dataSources.rolesResourcesScopes"],
499
+ summary: "Create a reusable ACL scope in a data source",
500
+ description: "Create a reusable scope definition under the target data source.",
501
+ parameters: [{ $ref: "#/components/parameters/DataSourceKeyPath" }],
502
+ requestBody: {
503
+ required: true,
504
+ content: {
505
+ "application/json": {
506
+ schema: {
507
+ $ref: "#/components/schemas/RoleResourceScopeWrite"
508
+ }
509
+ }
510
+ }
511
+ },
512
+ responses: {
513
+ 200: {
514
+ description: "OK",
515
+ content: {
516
+ "application/json": {
517
+ schema: {
518
+ $ref: "#/components/schemas/RoleResourceScope"
519
+ }
520
+ }
521
+ }
522
+ }
523
+ }
524
+ }
525
+ },
526
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:update": {
527
+ post: {
528
+ tags: ["dataSources.rolesResourcesScopes"],
529
+ summary: "Update a reusable ACL scope in a data source",
530
+ parameters: [
531
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
532
+ { $ref: "#/components/parameters/ScopePkQuery" },
533
+ { $ref: "#/components/parameters/FilterQuery" }
534
+ ],
535
+ requestBody: {
536
+ required: true,
537
+ content: {
538
+ "application/json": {
539
+ schema: {
540
+ $ref: "#/components/schemas/RoleResourceScopeWrite"
541
+ }
542
+ }
543
+ }
544
+ },
545
+ responses: {
546
+ 200: {
547
+ description: "OK",
548
+ content: {
549
+ "application/json": {
550
+ schema: {
551
+ $ref: "#/components/schemas/RoleResourceScope"
552
+ }
553
+ }
554
+ }
555
+ }
556
+ }
557
+ }
558
+ },
559
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:destroy": {
560
+ post: {
561
+ tags: ["dataSources.rolesResourcesScopes"],
562
+ summary: "Destroy a reusable ACL scope in a data source",
563
+ parameters: [
564
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
565
+ { $ref: "#/components/parameters/ScopePkQuery" },
566
+ { $ref: "#/components/parameters/FilterQuery" }
567
+ ],
568
+ responses: {
569
+ 200: {
570
+ description: "OK"
571
+ }
572
+ }
573
+ }
574
+ },
282
575
  "/availableActions:list": {
283
576
  get: {
284
577
  tags: ["availableActions"],
285
- description: "available actions of resource in current system",
286
- parameters: [],
578
+ summary: "List configurable ACL actions",
579
+ description: "List ACL actions available in the current system. Use this before configuring resource-level action or field permissions.",
287
580
  responses: {
288
- "200": {
581
+ 200: {
289
582
  description: "OK",
290
583
  content: {
291
584
  "application/json": {
292
585
  schema: {
293
586
  type: "array",
294
- items: {
295
- type: "object",
296
- properties: {
297
- name: {
298
- type: "string",
299
- description: "Action\u540D\u79F0"
300
- },
301
- displayName: {
302
- type: "string",
303
- description: "Action\u663E\u793A\u540D\u79F0"
304
- },
305
- allowConfigureFields: {
306
- type: "boolean",
307
- description: "\u662F\u5426\u5141\u8BB8\u914D\u7F6E\u5B57\u6BB5"
308
- },
309
- onNewRecord: {
310
- type: "string",
311
- description: "\u662F\u5426\u662F\u65B0\u8BB0\u5F55\u7684Action"
312
- },
313
- type: {
314
- type: "string",
315
- description: "new-data \u6216\u8005 old-data"
316
- },
317
- aliases: {
318
- type: "array",
319
- items: {
320
- type: "string"
321
- },
322
- description: "\u522B\u540D"
323
- }
324
- }
325
- }
587
+ items: { $ref: "#/components/schemas/AvailableAction" }
326
588
  }
327
589
  }
328
590
  }
@@ -332,72 +594,297 @@ var swagger_default = {
332
594
  }
333
595
  },
334
596
  components: {
597
+ parameters: {
598
+ RoleNameQuery: {
599
+ name: "filterByTk",
600
+ in: "query",
601
+ description: "Role name.",
602
+ required: true,
603
+ schema: { type: "string" }
604
+ },
605
+ RoleNamePath: {
606
+ name: "roleName",
607
+ in: "path",
608
+ description: "Role name.",
609
+ required: true,
610
+ schema: { type: "string" }
611
+ },
612
+ DataSourceKeyPath: {
613
+ name: "dataSourceKey",
614
+ in: "path",
615
+ description: "Data source key, for example `main`.",
616
+ required: true,
617
+ schema: { type: "string" }
618
+ },
619
+ ResourceNameQuery: {
620
+ name: "filterByTk",
621
+ in: "query",
622
+ description: "Resource name, typically the collection name.",
623
+ required: true,
624
+ schema: { type: "string" }
625
+ },
626
+ ScopePkQuery: {
627
+ name: "filterByTk",
628
+ in: "query",
629
+ description: "Scope primary key.",
630
+ schema: { type: "integer" }
631
+ },
632
+ ResourcePermissionTkQuery: {
633
+ name: "filterByTk",
634
+ in: "query",
635
+ description: "Resource permission record primary key.",
636
+ schema: { type: "integer" }
637
+ },
638
+ PageQuery: {
639
+ name: "page",
640
+ in: "query",
641
+ schema: { type: "integer" }
642
+ },
643
+ PageSizeQuery: {
644
+ name: "pageSize",
645
+ in: "query",
646
+ schema: { type: "integer" }
647
+ },
648
+ FilterQuery: {
649
+ name: "filter",
650
+ in: "query",
651
+ schema: {
652
+ type: "object",
653
+ additionalProperties: true
654
+ }
655
+ },
656
+ AppendsQuery: {
657
+ name: "appends",
658
+ in: "query",
659
+ schema: {
660
+ type: "array",
661
+ items: { type: "string" }
662
+ }
663
+ }
664
+ },
335
665
  schemas: {
336
- role: {
666
+ RoleStrategy: {
667
+ type: "object",
668
+ description: "Global action strategy for a role.",
669
+ properties: {
670
+ actions: {
671
+ type: "array",
672
+ items: { type: "string" },
673
+ description: "Action names such as `create`, `view`, `update`, `destroy`, or scoped variants like `view:own`."
674
+ }
675
+ },
676
+ additionalProperties: true
677
+ },
678
+ RoleWrite: {
679
+ type: "object",
680
+ properties: {
681
+ title: { type: "string", description: "Role title." },
682
+ name: { type: "string", description: "Role identifier." },
683
+ description: { type: "string", description: "Role description." },
684
+ hidden: { type: "boolean", description: "Whether the role is hidden." },
685
+ default: { type: "boolean", description: "Whether the role is default for new users." },
686
+ allowConfigure: { type: "boolean", description: "Whether the role can be configured." },
687
+ allowNewMenu: { type: "boolean", description: "Whether the role can create menus." },
688
+ snippets: {
689
+ type: "array",
690
+ items: { type: "string" },
691
+ description: "System permission snippets, for example `ui.*`, `!pm`, or `!app`."
692
+ },
693
+ strategy: {
694
+ allOf: [{ $ref: "#/components/schemas/RoleStrategy" }],
695
+ description: "Role-level ACL strategy."
696
+ }
697
+ },
698
+ additionalProperties: true
699
+ },
700
+ Role: {
701
+ allOf: [{ $ref: "#/components/schemas/RoleWrite" }],
702
+ properties: {
703
+ createdAt: { type: "string", format: "date-time" },
704
+ updatedAt: { type: "string", format: "date-time" }
705
+ }
706
+ },
707
+ RoleCheck: {
337
708
  type: "object",
338
709
  properties: {
339
- title: {
710
+ role: { type: "string", description: "Current effective role name." },
711
+ roleMode: {
340
712
  type: "string",
341
- description: "\u89D2\u8272\u540D\u79F0"
713
+ enum: ["default", "allow-use-union", "only-use-union"],
714
+ description: "System role mode."
342
715
  },
343
- name: {
716
+ availableActions: {
717
+ type: "array",
718
+ items: { type: "string" }
719
+ },
720
+ actions: {
721
+ type: "object",
722
+ additionalProperties: true,
723
+ description: "Resolved ACL action map for the current role context."
724
+ }
725
+ },
726
+ additionalProperties: true
727
+ },
728
+ RoleModeWrite: {
729
+ type: "object",
730
+ properties: {
731
+ roleMode: {
732
+ type: "string",
733
+ enum: ["default", "allow-use-union", "only-use-union"]
734
+ }
735
+ },
736
+ required: ["roleMode"]
737
+ },
738
+ DataSourceRole: {
739
+ type: "object",
740
+ properties: {
741
+ id: { type: "string", description: "Optional existing role-data-source permission record id." },
742
+ roleName: { type: "string", description: "Role name." },
743
+ dataSourceKey: { type: "string", description: "Data source key, usually `main`." },
744
+ strategy: {
745
+ allOf: [{ $ref: "#/components/schemas/RoleStrategy" }],
746
+ description: "Global table actions for this role in the data source."
747
+ }
748
+ },
749
+ additionalProperties: true
750
+ },
751
+ RoleCollectionPermissionRow: {
752
+ type: "object",
753
+ properties: {
754
+ type: { type: "string", description: "Resource type, usually `collection`." },
755
+ name: { type: "string", description: "Collection name." },
756
+ collectionName: { type: "string", description: "Collection name." },
757
+ title: { type: "string", description: "Collection title." },
758
+ roleName: { type: "string", description: "Role name." },
759
+ usingConfig: {
760
+ type: "string",
761
+ enum: ["resourceAction", "strategy"],
762
+ description: "`strategy` means the collection uses global permissions. `resourceAction` means it has collection-level independent permissions."
763
+ },
764
+ exists: { type: "boolean", description: "Whether a dedicated resource config exists." }
765
+ }
766
+ },
767
+ RoleResourceScope: {
768
+ type: "object",
769
+ properties: {
770
+ id: { type: "integer", description: "Scope primary key." },
771
+ key: { type: "string", description: "Scope key such as `all` or `own`." },
772
+ dataSourceKey: {
344
773
  type: "string",
345
- description: "\u89D2\u8272\u6807\u8BC6"
774
+ nullable: true,
775
+ description: "Optional data source key, for example `main`."
346
776
  },
347
- description: {
777
+ name: { type: "string", description: "Scope display name." },
778
+ resourceName: { type: "string", nullable: true, description: "Optional resource binding." },
779
+ scope: {
780
+ type: "object",
781
+ additionalProperties: true,
782
+ description: "JSON filter object used as the ACL scope condition."
783
+ }
784
+ },
785
+ additionalProperties: true
786
+ },
787
+ RoleResourceScopeWrite: {
788
+ type: "object",
789
+ properties: {
790
+ id: { type: "integer", description: "Optional scope primary key, commonly present in update payloads." },
791
+ dataSourceKey: { type: "string", nullable: true, description: "Optional data source key." },
792
+ resourceName: { type: "string", nullable: true, description: "Optional bound resource name." },
793
+ name: { type: "string", description: "Scope display name." },
794
+ scope: {
795
+ type: "object",
796
+ additionalProperties: true,
797
+ description: "Row filter JSON."
798
+ }
799
+ },
800
+ required: ["name", "scope"],
801
+ additionalProperties: true
802
+ },
803
+ RoleResourceAction: {
804
+ type: "object",
805
+ properties: {
806
+ id: {
807
+ type: "integer",
808
+ description: "Optional action record id, commonly present in update payloads."
809
+ },
810
+ name: {
348
811
  type: "string",
349
- description: "\u89D2\u8272\u63CF\u8FF0"
812
+ description: "ACL action name, for example `view`, `create`, `update`, `destroy`, or a scoped variant."
350
813
  },
351
- hidden: {
352
- type: "boolean",
353
- description: "\u662F\u5426\u9690\u85CF"
814
+ fields: {
815
+ type: "array",
816
+ items: { type: "string" },
817
+ description: "Allowed field names for this action when field-level configuration is supported."
354
818
  },
355
- default: {
356
- type: "boolean",
357
- description: "\u662F\u5426\u9ED8\u8BA4"
819
+ scopeId: {
820
+ type: "integer",
821
+ nullable: true,
822
+ description: "Optional bound scope id. Use `null` to clear the scope."
358
823
  },
359
- allowConfigure: {
360
- type: "boolean",
361
- description: "\u662F\u5426\u5141\u8BB8\u914D\u7F6E"
824
+ scope: {
825
+ allOf: [{ $ref: "#/components/schemas/RoleResourceScope" }],
826
+ nullable: true,
827
+ description: "Optional row-permission scope for this action."
828
+ }
829
+ },
830
+ required: ["name"],
831
+ additionalProperties: true
832
+ },
833
+ RoleDataSourceResourceWrite: {
834
+ type: "object",
835
+ description: "Collection-level independent permission config inside a data source.",
836
+ properties: {
837
+ id: {
838
+ type: "integer",
839
+ description: "Optional resource permission record id, commonly present in update payloads."
362
840
  },
363
- allowNewMenu: {
841
+ name: { type: "string", description: "Resource name, typically the collection name." },
842
+ dataSourceKey: { type: "string", description: "Data source key, usually `main`." },
843
+ roleName: { type: "string", description: "Optional role name echoed by the client in update payloads." },
844
+ usingActionsConfig: {
364
845
  type: "boolean",
365
- description: "\u662F\u5426\u5141\u8BB8\u65B0\u5EFA\u83DC\u5355"
846
+ description: "Whether this collection uses independent actions instead of only the global strategy."
366
847
  },
367
- snippets: {
848
+ actions: {
368
849
  type: "array",
369
- items: {
370
- type: "string"
371
- },
372
- description: "\u63A5\u53E3\u6743\u9650"
850
+ items: { $ref: "#/components/schemas/RoleResourceAction" },
851
+ description: "Independent action configs for this collection."
852
+ }
853
+ },
854
+ required: ["name", "dataSourceKey"],
855
+ additionalProperties: true
856
+ },
857
+ RoleDataSourceResource: {
858
+ allOf: [{ $ref: "#/components/schemas/RoleDataSourceResourceWrite" }],
859
+ properties: {
860
+ id: { type: "integer" },
861
+ roleName: { type: "string" }
862
+ }
863
+ },
864
+ AvailableAction: {
865
+ type: "object",
866
+ properties: {
867
+ name: { type: "string", description: "Action name." },
868
+ displayName: { type: "string", description: "Localized display name." },
869
+ allowConfigureFields: {
870
+ type: "boolean",
871
+ description: "Whether field-level permission config is supported for this action."
373
872
  },
374
- strategy: {
375
- type: "array",
376
- description: "\u6570\u636E\u8868\u6743\u9650\u7B56\u7565",
377
- items: {
378
- type: "object",
379
- properties: {
380
- actions: {
381
- type: "array",
382
- items: {
383
- type: "string"
384
- },
385
- description: "\u64CD\u4F5C"
386
- }
387
- }
388
- }
873
+ onNewRecord: {
874
+ type: "boolean",
875
+ description: "Whether the action applies to new records instead of existing records."
389
876
  },
390
- createdAt: {
877
+ type: {
391
878
  type: "string",
392
- format: "date-time",
393
- description: "\u521B\u5EFA\u65F6\u95F4"
879
+ description: "Action category such as `new-data` or `old-data`."
394
880
  },
395
- updatedAt: {
396
- type: "string",
397
- format: "date-time",
398
- description: "\u66F4\u65B0\u65F6\u95F4"
881
+ aliases: {
882
+ type: "array",
883
+ items: { type: "string" },
884
+ description: "Action aliases resolved by ACL."
399
885
  }
400
- }
886
+ },
887
+ additionalProperties: true
401
888
  }
402
889
  }
403
890
  }