@nocobase/plugin-acl 2.1.0-alpha.2 → 2.1.0-alpha.20

package/dist/server/middlewares/check-change-with-association.js

@@ -36,42 +36,260 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var check_change_with_association_exports = {};
 __export(check_change_with_association_exports, {
-  checkChangesWithAssociation: () => checkChangesWithAssociation
+  checkChangesWithAssociation: () => checkChangesWithAssociation,
+  sanitizeAssociationValues: () => sanitizeAssociationValues
 });
 module.exports = __toCommonJS(check_change_with_association_exports);
 var import_acl = require("@nocobase/acl");
 var import_lodash = __toESM(require("lodash"));
+async function sanitizeAssociationValues(options) {
+  var _a, _b, _c;
+  const {
+    acl,
+    resourceName,
+    actionName,
+    values,
+    updateAssociationValues = [],
+    protectedKeys = [],
+    aclParams
+  } = options;
+  if (import_lodash.default.isEmpty(values)) {
+    return values;
+  }
+  const collection = options.collection ?? ((_b = (_a = options.database ?? options.db) == null ? void 0 : _a.getCollection) == null ? void 0 : _b.call(_a, resourceName));
+  if (!collection) {
+    return values;
+  }
+  const params = aclParams ?? (acl ? (_c = acl.fixedParamsManager) == null ? void 0 : _c.getParams(resourceName, actionName) : void 0);
+  const roles = options.roles;
+  const can = (canOptions) => (acl == null ? void 0 : acl.can({ roles: (roles == null ? void 0 : roles.length) ? roles : ["anonymous"], ...canOptions })) ?? null;
+  const parseOptions = {
+    timezone: options.timezone,
+    userProvider: options.userProvider,
+    state: {
+      ...options.state || {},
+      currentRole: options.currentRole,
+      currentRoles: options.roles,
+      currentUser: options.currentUser
+    }
+  };
+  return await processValues({
+    values,
+    updateAssociationValues,
+    aclParams: params,
+    collection,
+    lastFieldPath: "",
+    protectedKeys,
+    can,
+    parseOptions
+  });
+}
+const checkChangesWithAssociation = async (ctx, next) => {
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
+  const timezone = ((_b = (_a = ctx.request) == null ? void 0 : _a.get) == null ? void 0 : _b.call(_a, "x-timezone")) ?? ((_d = (_c = ctx.request) == null ? void 0 : _c.header) == null ? void 0 : _d["x-timezone"]) ?? ((_f = (_e = ctx.req) == null ? void 0 : _e.headers) == null ? void 0 : _f["x-timezone"]);
+  const { resourceName, actionName } = ctx.action;
+  if (!["create", "firstOrCreate", "updateOrCreate", "update"].includes(actionName)) {
+    return next();
+  }
+  if ((_g = ctx.permission) == null ? void 0 : _g.skip) {
+    return next();
+  }
+  const roles = ctx.state.currentRoles;
+  if (roles.includes("root")) {
+    return next();
+  }
+  const acl = ctx.acl;
+  for (const role of roles) {
+    const aclRole = acl.getRole(role);
+    if (aclRole == null ? void 0 : aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+      return next();
+    }
+  }
+  const params = ctx.action.params || {};
+  const rawValues = params.values;
+  if (import_lodash.default.isEmpty(rawValues)) {
+    return next();
+  }
+  const protectedKeys = ["firstOrCreate", "updateOrCreate"].includes(actionName) ? params.filterKeys || [] : [];
+  const collection = (_i = (_h = ctx.database ?? ctx.db) == null ? void 0 : _h.getCollection) == null ? void 0 : _i.call(_h, resourceName);
+  const processed = await sanitizeAssociationValues({
+    acl,
+    collection,
+    resourceName,
+    actionName,
+    values: rawValues,
+    updateAssociationValues: params.updateAssociationValues || [],
+    protectedKeys,
+    roles,
+    currentRole: ctx.state.currentRole,
+    currentUser: ctx.state.currentUser,
+    state: import_lodash.default.clone(ctx.state),
+    aclParams: (_k = (_j = ctx.permission) == null ? void 0 : _j.can) == null ? void 0 : _k.params,
+    timezone,
+    userProvider: (0, import_acl.createUserProvider)({
+      dataSourceManager: (_l = ctx.app) == null ? void 0 : _l.dataSourceManager,
+      currentUser: (_m = ctx.state) == null ? void 0 : _m.currentUser
+    })
+  });
+  ctx.action.params.values = processed;
+  await next();
+};
+async function processValues(options) {
+  var _a, _b;
+  const {
+    values,
+    updateAssociationValues,
+    aclParams,
+    collection,
+    lastFieldPath = "",
+    protectedKeys = [],
+    can,
+    parseOptions
+  } = options;
+  if (Array.isArray(values)) {
+    const result = [];
+    for (const item of values) {
+      if (!import_lodash.default.isPlainObject(item)) {
+        result.push(item);
+        continue;
+      }
+      const processed = await processValues({
+        values: item,
+        updateAssociationValues,
+        aclParams,
+        collection,
+        lastFieldPath,
+        protectedKeys,
+        can,
+        parseOptions
+      });
+      if (processed !== null && processed !== void 0) {
+        result.push(processed);
+      }
+    }
+    return result;
+  }
+  if (!values || !import_lodash.default.isPlainObject(values)) {
+    return values;
+  }
+  if (!collection) {
+    return values;
+  }
+  let v = values;
+  if (aclParams == null ? void 0 : aclParams.whitelist) {
+    const combined = import_lodash.default.uniq([...aclParams.whitelist, ...protectedKeys]);
+    v = import_lodash.default.pick(values, combined);
+  }
+  for (const [fieldName, fieldValue] of Object.entries(v)) {
+    if (protectedKeys.includes(fieldName)) {
+      continue;
+    }
+    const field = collection.getField(fieldName);
+    const isAssociation = field && ["hasOne", "hasMany", "belongsTo", "belongsToMany", "belongsToArray"].includes(field.type);
+    if (!isAssociation) {
+      continue;
+    }
+    const targetCollection = collection.db.getCollection(field.target);
+    if (!targetCollection) {
+      delete v[fieldName];
+      continue;
+    }
+    const fieldPath = lastFieldPath ? `${lastFieldPath}.${fieldName}` : fieldName;
+    const recordKey = field.type === "hasOne" ? targetCollection.model.primaryKeyAttribute : field.targetKey;
+    const canUpdateAssociation = updateAssociationValues.includes(fieldPath);
+    if (!canUpdateAssociation) {
+      const normalized = normalizeAssociationValue(fieldValue, recordKey);
+      if (normalized === void 0 && !protectedKeys.includes(fieldName)) {
+        delete v[fieldName];
+      } else {
+        v[fieldName] = normalized;
+      }
+      continue;
+    }
+    const createParams = can == null ? void 0 : can({
+      resource: field.target,
+      action: "create"
+    });
+    const updateParams = can == null ? void 0 : can({
+      resource: field.target,
+      action: "update"
+    });
+    if (Array.isArray(fieldValue)) {
+      const processed = [];
+      let allowedRecordKeys;
+      let existingRecordKeys;
+      if (updateParams) {
+        const allowedResult = await collectAllowedRecordKeys(
+          fieldValue,
+          recordKey,
+          (_a = updateParams == null ? void 0 : updateParams.params) == null ? void 0 : _a.filter,
+          targetCollection,
+          parseOptions
+        );
+        allowedRecordKeys = allowedResult == null ? void 0 : allowedResult.allowedKeys;
+        if (createParams && ((_b = allowedResult == null ? void 0 : allowedResult.missingKeys) == null ? void 0 : _b.size)) {
+          existingRecordKeys = await collectExistingRecordKeys(recordKey, targetCollection, allowedResult.missingKeys);
+        }
+      }
+      for (const item of fieldValue) {
+        const r2 = await processAssociationChild({
+          value: item,
+          recordKey,
+          updateAssociationValues,
+          createParams,
+          updateParams,
+          target: targetCollection,
+          fieldPath,
+          allowedRecordKeys,
+          existingRecordKeys,
+          can,
+          parseOptions
+        });
+        if (r2 !== null && r2 !== void 0) {
+          processed.push(r2);
+        }
+      }
+      v[fieldName] = processed;
+      continue;
+    }
+    const r = await processAssociationChild({
+      value: fieldValue,
+      recordKey,
+      updateAssociationValues,
+      createParams,
+      updateParams,
+      target: targetCollection,
+      fieldPath,
+      can,
+      parseOptions
+    });
+    v[fieldName] = r;
+  }
+  return v;
+}
 function normalizeAssociationValue(value, recordKey) {
   if (!value) {
     return value;
   }
   if (Array.isArray(value)) {
     const result = value.map((v) => typeof v === "number" || typeof v === "string" ? v : v[recordKey]).filter((v) => v !== null && v !== void 0);
-    return result.length > 0 ? result : void 0;
-  } else {
-    return typeof value === "number" || typeof value === "string" ? value : value[recordKey];
-  }
-}
-async function resolveScopeFilter(ctx, target, params) {
-  if (!params) {
-    return {};
+    return result;
   }
-  const filteredParams = ctx.acl.filterParams(ctx, target, params);
-  const parsedParams = await ctx.acl.parseJsonTemplate(filteredParams, ctx);
-  return parsedParams.filter || {};
+  return typeof value === "number" || typeof value === "string" ? value : value[recordKey];
 }
-async function collectAllowedRecordKeys(ctx, items, recordKey, updateParams, target) {
-  const repo = ctx.database.getRepository(target);
-  if (!repo) {
-    return void 0;
+async function collectAllowedRecordKeys(items, recordKey, filter, collection, parseOptions) {
+  if (!collection) {
+    return;
   }
+  const { repository } = collection;
   const keys = items.map((item) => import_lodash.default.isPlainObject(item) ? item[recordKey] : void 0).filter((key) => key !== void 0 && key !== null);
   if (!keys.length) {
-    return void 0;
+    return;
   }
   try {
-    const scopedFilter = await resolveScopeFilter(ctx, target, updateParams == null ? void 0 : updateParams.params);
-    const records = await repo.find({
+    (0, import_acl.checkFilterParams)(collection, filter);
+    const scopedFilter = filter ? await (0, import_acl.parseJsonTemplate)(filter, parseOptions) : {};
+    const records = await repository.find({
       filter: {
         ...scopedFilter,
         [`${recordKey}.$in`]: keys
@@ -96,16 +314,16 @@ async function collectAllowedRecordKeys(ctx, items, recordKey, updateParams, tar
     throw e;
   }
 }
-async function collectExistingRecordKeys(ctx, recordKey, target, keys) {
-  const repo = ctx.database.getRepository(target);
-  if (!repo) {
+async function collectExistingRecordKeys(recordKey, collection, keys) {
+  const { repository } = collection;
+  if (!repository) {
     return /* @__PURE__ */ new Set();
   }
   const keyList = Array.from(keys);
   if (!keyList.length) {
     return /* @__PURE__ */ new Set();
   }
-  const records = await repo.find({
+  const records = await repository.find({
     filter: {
       [`${recordKey}.$in`]: keyList
     }
@@ -119,43 +337,55 @@ async function collectExistingRecordKeys(ctx, recordKey, target, keys) {
   }
   return existingKeys;
 }
-async function recordExistsWithoutScope(ctx, target, recordKey, keyValue) {
-  const repo = ctx.database.getRepository(target);
-  if (!repo) {
+async function recordExistsWithoutScope(collection, recordKey, keyValue) {
+  const { repository } = collection;
+  if (!repository) {
     return false;
   }
-  const record = await repo.findOne({
+  const record = await repository.findOne({
     filter: {
       [recordKey]: keyValue
     }
   });
   return Boolean(record);
 }
-async function processAssociationChild(ctx, value, recordKey, updateAssociationValues, createParams, updateParams, target, fieldPath, allowedRecordKeys, existingRecordKeys) {
+async function processAssociationChild(options) {
+  var _a, _b;
+  const {
+    value,
+    recordKey,
+    updateAssociationValues,
+    createParams,
+    updateParams,
+    target,
+    fieldPath,
+    allowedRecordKeys,
+    existingRecordKeys,
+    can,
+    parseOptions
+  } = options;
   const keyValue = value == null ? void 0 : value[recordKey];
   const fallbackToCreate = async () => {
     if (!createParams) {
       return keyValue;
     }
-    ctx.log.debug(`Association record missing, fallback to create`, {
-      fieldPath,
-      value,
-      target
+    return await processValues({
+      values: value,
+      updateAssociationValues,
+      aclParams: createParams.params,
+      collection: target,
+      lastFieldPath: fieldPath,
+      protectedKeys: [],
+      can,
+      parseOptions
     });
-    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
   };
   const tryFallbackToCreate = async (reason, knownExists) => {
     if (!createParams) {
       return void 0;
     }
-    const recordExists = typeof knownExists === "boolean" ? knownExists : await recordExistsWithoutScope(ctx, target, recordKey, keyValue);
+    const recordExists = typeof knownExists === "boolean" ? knownExists : await recordExistsWithoutScope(target, recordKey, keyValue);
     if (!recordExists) {
-      ctx.log.debug(reason, {
-        fieldPath,
-        value,
-        createParams,
-        updateParams
-      });
       return await fallbackToCreate();
     }
     return void 0;
@@ -166,225 +396,76 @@ async function processAssociationChild(ctx, value, recordKey, updateAssociationV
       if (created !== void 0) {
         return created;
       }
-      ctx.log.debug(`No permission to update association`, { fieldPath, value, updateParams });
       return keyValue;
-    } else {
-      const repo = ctx.database.getRepository(target);
-      if (!repo) {
-        ctx.log.debug(`Repository not found for association target`, { fieldPath, target });
-        return keyValue;
-      }
-      try {
-        if (allowedRecordKeys) {
-          if (!allowedRecordKeys.has(keyValue)) {
-            const created = await tryFallbackToCreate(
-              `No permission to update association due to scope, try create not exist record`,
-              existingRecordKeys ? existingRecordKeys.has(keyValue) : void 0
-            );
-            if (created !== void 0) {
-              return created;
-            }
-            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
-            return keyValue;
-          }
-        } else {
-          const filter = await resolveScopeFilter(ctx, target, updateParams.params);
-          const record = await repo.findOne({
-            filter: {
-              ...filter,
-              [recordKey]: keyValue
-            }
-          });
-          if (!record) {
-            const created = await tryFallbackToCreate(
-              `No permission to update association due to scope, try create not exist record`
-            );
-            if (created !== void 0) {
-              return created;
-            }
-            ctx.log.debug(`No permission to update association due to scope`, { fieldPath, value, updateParams });
-            return keyValue;
+    }
+    const { repository } = target;
+    if (!repository) {
+      return keyValue;
+    }
+    try {
+      if (allowedRecordKeys) {
+        if (!allowedRecordKeys.has(keyValue)) {
+          const created = await tryFallbackToCreate(
+            `No permission to update association due to scope, try create not exist record`,
+            existingRecordKeys ? existingRecordKeys.has(keyValue) : void 0
+          );
+          if (created !== void 0) {
+            return created;
           }
-        }
-        return await processValues(ctx, value, updateAssociationValues, updateParams.params, target, fieldPath, []);
-      } catch (e) {
-        if (e instanceof import_acl.NoPermissionError) {
           return keyValue;
         }
-        throw e;
-      }
-    }
-  }
-  if (createParams) {
-    return await processValues(ctx, value, updateAssociationValues, createParams.params, target, fieldPath, []);
-  }
-  ctx.log.debug(`No permission to create association`, { fieldPath, value, createParams });
-  return null;
-}
-async function processValues(ctx, values, updateAssociationValues, aclParams, collectionName, lastFieldPath = "", protectedKeys = []) {
-  var _a;
-  if (Array.isArray(values)) {
-    const result = [];
-    for (const item of values) {
-      if (!import_lodash.default.isPlainObject(item)) {
-        result.push(item);
-        continue;
-      }
-      const processed = await processValues(
-        ctx,
-        item,
-        updateAssociationValues,
-        aclParams,
-        collectionName,
-        lastFieldPath,
-        protectedKeys
-      );
-      if (processed !== null && processed !== void 0) {
-        result.push(processed);
-      }
-    }
-    return result;
-  }
-  if (!values || !import_lodash.default.isPlainObject(values)) {
-    return values;
-  }
-  const db = ctx.database;
-  const collection = db.getCollection(collectionName);
-  if (!collection) {
-    return values;
-  }
-  if (aclParams == null ? void 0 : aclParams.whitelist) {
-    const combined = import_lodash.default.uniq([...aclParams.whitelist, ...protectedKeys]);
-    values = import_lodash.default.pick(values, combined);
-  }
-  for (const [fieldName, fieldValue] of Object.entries(values)) {
-    if (protectedKeys.includes(fieldName)) {
-      continue;
-    }
-    const field = collection.getField(fieldName);
-    const isAssociation = field && ["hasOne", "hasMany", "belongsTo", "belongsToMany", "belongsToArray"].includes(field.type);
-    if (!isAssociation) {
-      continue;
-    }
-    const targetCollection = db.getCollection(field.target);
-    if (!targetCollection) {
-      delete values[fieldName];
-      continue;
-    }
-    const fieldPath = lastFieldPath ? `${lastFieldPath}.${fieldName}` : fieldName;
-    const recordKey = field.type === "hasOne" ? targetCollection.model.primaryKeyAttribute : field.targetKey;
-    const canUpdateAssociation = updateAssociationValues.includes(fieldPath);
-    if (!canUpdateAssociation) {
-      const normalized = normalizeAssociationValue(fieldValue, recordKey);
-      if (normalized === void 0 && !protectedKeys.includes(fieldName)) {
-        delete values[fieldName];
       } else {
-        values[fieldName] = normalized;
+        (0, import_acl.checkFilterParams)(target, (_a = updateParams.params) == null ? void 0 : _a.filter);
+        const filter = await (0, import_acl.parseJsonTemplate)((_b = updateParams.params) == null ? void 0 : _b.filter, parseOptions);
+        const record = await repository.findOne({
+          filter: {
+            ...filter,
+            [recordKey]: keyValue
+          }
+        });
+        if (!record) {
+          const created = await tryFallbackToCreate(
+            `No permission to update association due to scope, try create not exist record`
+          );
+          if (created !== void 0) {
+            return created;
+          }
+          return keyValue;
+        }
       }
-      ctx.log.debug(`Not allow to update association, only keep keys`, {
-        fieldPath,
-        fieldValue,
+      return await processValues({
+        values: value,
         updateAssociationValues,
-        recordKey,
-        normalizedValue: values[fieldName]
+        aclParams: updateParams.params,
+        collection: target,
+        lastFieldPath: fieldPath,
+        protectedKeys: [],
+        can,
+        parseOptions
       });
-      continue;
-    }
-    const createParams = ctx.can({
-      roles: ctx.state.currentRoles,
-      resource: field.target,
-      action: "create"
-    });
-    const updateParams = ctx.can({
-      roles: ctx.state.currentRoles,
-      resource: field.target,
-      action: "update"
-    });
-    if (Array.isArray(fieldValue)) {
-      const processed = [];
-      let allowedRecordKeys;
-      let existingRecordKeys;
-      if (updateParams) {
-        const allowedResult = await collectAllowedRecordKeys(ctx, fieldValue, recordKey, updateParams, field.target);
-        allowedRecordKeys = allowedResult == null ? void 0 : allowedResult.allowedKeys;
-        if (createParams && ((_a = allowedResult == null ? void 0 : allowedResult.missingKeys) == null ? void 0 : _a.size)) {
-          existingRecordKeys = await collectExistingRecordKeys(ctx, recordKey, field.target, allowedResult.missingKeys);
-        }
-      }
-      for (const item of fieldValue) {
-        const r2 = await processAssociationChild(
-          ctx,
-          item,
-          recordKey,
-          updateAssociationValues,
-          createParams,
-          updateParams,
-          field.target,
-          fieldPath,
-          allowedRecordKeys,
-          existingRecordKeys
-        );
-        if (r2 !== null && r2 !== void 0) {
-          processed.push(r2);
-        }
+    } catch (e) {
+      if (e instanceof import_acl.NoPermissionError) {
+        return keyValue;
       }
-      values[fieldName] = processed;
-      continue;
+      throw e;
     }
-    const r = await processAssociationChild(
-      ctx,
-      fieldValue,
-      recordKey,
+  }
+  if (createParams) {
+    return await processValues({
+      values: value,
       updateAssociationValues,
-      createParams,
-      updateParams,
-      field.target,
-      fieldPath
-    );
-    values[fieldName] = r;
+      aclParams: createParams.params,
+      collection: target,
+      lastFieldPath: fieldPath,
+      protectedKeys: [],
+      can,
+      parseOptions
+    });
   }
-  return values;
+  return null;
 }
-const checkChangesWithAssociation = async (ctx, next) => {
-  var _a, _b;
-  const { resourceName, actionName } = ctx.action;
-  if (!["create", "firstOrCreate", "updateOrCreate", "update"].includes(actionName)) {
-    return next();
-  }
-  if ((_a = ctx.permission) == null ? void 0 : _a.skip) {
-    return next();
-  }
-  const roles = ctx.state.currentRoles;
-  if (roles.includes("root")) {
-    return next();
-  }
-  const acl = ctx.acl;
-  for (const role of roles) {
-    const aclRole = acl.getRole(role);
-    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
-      return next();
-    }
-  }
-  const params = ctx.action.params || {};
-  const rawValues = params.values;
-  if (import_lodash.default.isEmpty(rawValues)) {
-    return next();
-  }
-  const protectedKeys = ["firstOrCreate", "updateOrCreate"].includes(actionName) ? params.filterKeys || [] : [];
-  const aclParams = ((_b = ctx.permission.can) == null ? void 0 : _b.params) || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
-  const processed = await processValues(
-    ctx,
-    rawValues,
-    params.updateAssociationValues || [],
-    aclParams,
-    resourceName,
-    "",
-    protectedKeys
-  );
-  ctx.action.params.values = processed;
-  await next();
-};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  checkChangesWithAssociation
+  checkChangesWithAssociation,
+  sanitizeAssociationValues
 });

package/dist/server/middlewares/check-query-permission.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Next } from '@nocobase/actions';
+export declare function checkQueryPermission(ctx: any, next: Next): Promise<void>;