@nocobase/plugin-acl 2.1.0-alpha.20 → 2.1.0-alpha.22

package/dist/externalVersion.js

@@ -8,7 +8,7 @@
  */
 
 module.exports = {
-  "@nocobase/client": "2.1.0-alpha.20",
+  "@nocobase/client": "2.1.0-alpha.22",
   "antd": "5.24.2",
   "react": "18.2.0",
   "react-i18next": "11.18.6",
@@ -17,16 +17,16 @@ module.exports = {
   "@formily/react": "2.3.7",
   "@ant-design/icons": "5.6.1",
   "lodash": "4.18.1",
-  "@nocobase/utils": "2.1.0-alpha.20",
-  "@nocobase/client-v2": "2.1.0-alpha.20",
-  "@nocobase/actions": "2.1.0-alpha.20",
-  "@nocobase/cache": "2.1.0-alpha.20",
-  "@nocobase/database": "2.1.0-alpha.20",
-  "@nocobase/server": "2.1.0-alpha.20",
-  "@nocobase/acl": "2.1.0-alpha.20",
-  "@nocobase/test": "2.1.0-alpha.20",
+  "@nocobase/utils": "2.1.0-alpha.22",
+  "@nocobase/client-v2": "2.1.0-alpha.22",
+  "@nocobase/actions": "2.1.0-alpha.22",
+  "@nocobase/cache": "2.1.0-alpha.22",
+  "@nocobase/database": "2.1.0-alpha.22",
+  "@nocobase/server": "2.1.0-alpha.22",
+  "@nocobase/acl": "2.1.0-alpha.22",
+  "@nocobase/test": "2.1.0-alpha.22",
   "@formily/core": "2.3.7",
   "@formily/antd-v5": "1.2.3",
   "antd-style": "3.7.1",
-  "@nocobase/flow-engine": "2.1.0-alpha.20"
+  "@nocobase/flow-engine": "2.1.0-alpha.22"
 };

package/dist/server/actions/apply-data-permissions.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Context, Next } from '@nocobase/actions';
+export declare function applyDataPermissions(ctx: Context, next: Next): Promise<void>;

package/dist/server/actions/apply-data-permissions.js

@@ -0,0 +1,208 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var apply_data_permissions_exports = {};
+__export(apply_data_permissions_exports, {
+  applyDataPermissions: () => applyDataPermissions
+});
+module.exports = __toCommonJS(apply_data_permissions_exports);
+function ensureString(value, fieldName) {
+  if (typeof value !== "string" || !value.trim()) {
+    throw new Error(`Invalid ${fieldName}`);
+  }
+  return value.trim();
+}
+function normalizeFields(fields) {
+  if (!Array.isArray(fields)) {
+    return void 0;
+  }
+  const normalized = [
+    ...new Set(fields.filter((field) => typeof field === "string" && !!field.trim()))
+  ];
+  return normalized.length ? normalized : [];
+}
+function normalizeScopeId(scopeId) {
+  if (scopeId === null) {
+    return null;
+  }
+  if (scopeId === void 0) {
+    return void 0;
+  }
+  const parsed = Number(scopeId);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw new Error(`Invalid scopeId: ${scopeId}`);
+  }
+  return parsed;
+}
+async function resolveScopeIdByKey(options) {
+  const scope = await options.ctx.db.getRepository("dataSourcesRolesResourcesScopes").findOne({
+    filter: {
+      dataSourceKey: options.dataSourceKey,
+      key: options.scopeKey
+    },
+    transaction: options.transaction
+  });
+  if (!scope) {
+    throw new Error(`Scope key "${options.scopeKey}" not found in data source "${options.dataSourceKey}"`);
+  }
+  return scope.get("id");
+}
+async function normalizeAction(options) {
+  const name = ensureString(options.action.name, "action.name");
+  let scopeId = normalizeScopeId(options.action.scopeId);
+  if (scopeId === void 0 && options.action.scope && typeof options.action.scope.id === "number") {
+    scopeId = normalizeScopeId(options.action.scope.id);
+  }
+  let scopeKey;
+  if (typeof options.action.scopeKey === "string" && options.action.scopeKey.trim()) {
+    scopeKey = options.action.scopeKey.trim();
+  } else if (options.action.scope && typeof options.action.scope.key === "string" && options.action.scope.key.trim()) {
+    scopeKey = options.action.scope.key.trim();
+  }
+  if (scopeId === void 0 && scopeKey) {
+    scopeId = await resolveScopeIdByKey({
+      ctx: options.ctx,
+      dataSourceKey: options.dataSourceKey,
+      scopeKey,
+      transaction: options.transaction
+    });
+  }
+  if (scopeId === void 0) {
+    scopeId = null;
+  }
+  const normalized = {
+    name,
+    fields: normalizeFields(options.action.fields),
+    scopeId
+  };
+  const output = {
+    name: normalized.name
+  };
+  if (normalized.fields !== void 0) {
+    output.fields = normalized.fields;
+  }
+  if (normalized.scopeId !== void 0) {
+    output.scopeId = normalized.scopeId;
+  }
+  return output;
+}
+async function applyDataPermissions(ctx, next) {
+  const roleName = ensureString(ctx.action.params.filterByTk, "filterByTk");
+  const values = ctx.action.params.values || {};
+  const dataSourceKey = ensureString(values.dataSourceKey || "main", "dataSourceKey");
+  const resources = values.resources;
+  if (!Array.isArray(resources) || resources.length === 0) {
+    throw new Error("`resources` must be a non-empty array");
+  }
+  const role = await ctx.db.getRepository("roles").findOne({
+    filterByTk: roleName
+  });
+  if (!role) {
+    throw new Error(`Role "${roleName}" not found`);
+  }
+  const roleResourceRepository = ctx.db.getRepository("roles.resources", roleName);
+  const appliedResources = [];
+  await ctx.db.sequelize.transaction(async (transaction) => {
+    for (const resourceInput of resources) {
+      const resourceName = ensureString(resourceInput == null ? void 0 : resourceInput.name, "resource.name");
+      const usingActionsConfig = (resourceInput == null ? void 0 : resourceInput.usingActionsConfig) ?? true;
+      const actionsInput = Array.isArray(resourceInput == null ? void 0 : resourceInput.actions) ? resourceInput.actions : [];
+      const normalizedActions = [];
+      for (const action of actionsInput) {
+        normalizedActions.push(
+          await normalizeAction({
+            ctx,
+            dataSourceKey,
+            action,
+            transaction
+          })
+        );
+      }
+      const existingResource = await roleResourceRepository.findOne({
+        filter: {
+          name: resourceName,
+          dataSourceKey
+        },
+        appends: ["actions"],
+        transaction
+      });
+      const writeValues = {
+        name: resourceName,
+        dataSourceKey,
+        usingActionsConfig,
+        actions: normalizedActions
+      };
+      let savedResource;
+      if (existingResource) {
+        await roleResourceRepository.update({
+          filterByTk: existingResource.get("id"),
+          values: writeValues,
+          updateAssociationValues: ["actions"],
+          transaction
+        });
+        savedResource = await roleResourceRepository.findOne({
+          filterByTk: existingResource.get("id"),
+          appends: ["actions"],
+          transaction
+        });
+      } else {
+        const created = await roleResourceRepository.create({
+          values: writeValues,
+          transaction
+        });
+        savedResource = await roleResourceRepository.findOne({
+          filterByTk: created.get("id"),
+          appends: ["actions"],
+          transaction
+        });
+      }
+      const actionModels = savedResource.get("actions") || [];
+      appliedResources.push({
+        id: savedResource.get("id"),
+        name: savedResource.get("name"),
+        dataSourceKey: savedResource.get("dataSourceKey"),
+        usingActionsConfig: !!savedResource.get("usingActionsConfig"),
+        actions: actionModels.map((actionModel) => ({
+          id: actionModel.get("id"),
+          name: actionModel.get("name"),
+          fields: actionModel.get("fields") || [],
+          scopeId: actionModel.get("scopeId") ?? null
+        }))
+      });
+    }
+  });
+  ctx.body = {
+    roleName,
+    dataSourceKey,
+    resources: appliedResources,
+    count: appliedResources.length
+  };
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  applyDataPermissions
+});

package/dist/server/actions/data-source-compat.d.ts

@@ -0,0 +1,13 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Context, Next } from '@nocobase/actions';
+export declare function guardRolesDataSourcesCollectionsList(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesCreate(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesGet(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesUpdate(ctx: Context, next: Next): Promise<void>;

package/dist/server/actions/data-source-compat.js

@@ -0,0 +1,189 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var data_source_compat_exports = {};
+__export(data_source_compat_exports, {
+  guardRolesDataSourceResourcesCreate: () => guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet: () => guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate: () => guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList: () => guardRolesDataSourcesCollectionsList
+});
+module.exports = __toCommonJS(data_source_compat_exports);
+var import_lodash = __toESM(require("lodash"));
+function normalizeString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : void 0;
+}
+function normalizeFilter(input) {
+  if (!import_lodash.default.isPlainObject(input)) {
+    return {};
+  }
+  return { ...input };
+}
+function applyLocatorFromQuery(params, filter) {
+  const dataSourceKeyFromQuery = normalizeString(params.dataSourceKey);
+  if (dataSourceKeyFromQuery) {
+    filter.dataSourceKey = filter.dataSourceKey || dataSourceKeyFromQuery;
+  }
+  const nameFromQuery = normalizeString(params.name);
+  if (nameFromQuery) {
+    filter.name = filter.name || nameFromQuery;
+  }
+}
+function normalizeNumericTk(value) {
+  if (typeof value === "number" && Number.isInteger(value) && value >= 0) {
+    return value;
+  }
+  const normalized = normalizeString(value);
+  if (!normalized || !/^\d+$/.test(normalized)) {
+    return void 0;
+  }
+  return normalized;
+}
+function deriveNameFromPrefixedTk(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return void 0;
+  }
+  const matched = normalized.match(/^[a-zA-Z]+_(.+)$/);
+  if (!matched) {
+    return void 0;
+  }
+  return normalizeString(matched[1]);
+}
+async function resolveLocatorFromFilterByTk(ctx, roleName, filter) {
+  const rawFilterByTk = ctx.action.params.filterByTk;
+  if (rawFilterByTk === void 0 || rawFilterByTk === null || rawFilterByTk === "") {
+    return;
+  }
+  const numericFilterByTk = normalizeNumericTk(rawFilterByTk);
+  if (numericFilterByTk === void 0) {
+    if (!normalizeString(filter.name)) {
+      const derivedName = deriveNameFromPrefixedTk(rawFilterByTk);
+      if (derivedName) {
+        filter.name = derivedName;
+      }
+    }
+    return;
+  }
+  const resource = await ctx.db.getRepository("dataSourcesRolesResources").findOne({
+    filterByTk: numericFilterByTk
+  });
+  if (!resource) {
+    ctx.throw(404, `Resource permission not found by filterByTk "${rawFilterByTk}"`);
+    return;
+  }
+  const targetRoleName = resource.get("roleName");
+  if (targetRoleName !== roleName) {
+    ctx.throw(400, `Resource permission "${rawFilterByTk}" does not belong to role "${roleName}"`);
+    return;
+  }
+  if (!normalizeString(filter.dataSourceKey)) {
+    filter.dataSourceKey = resource.get("dataSourceKey");
+  }
+  if (!normalizeString(filter.name)) {
+    filter.name = resource.get("name");
+  }
+}
+async function normalizeRoleDataSourceResourceLocator(ctx) {
+  const roleName = normalizeString(ctx.action.params.associatedIndex);
+  if (!roleName) {
+    ctx.throw(400, "Role name is required");
+    return;
+  }
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  await resolveLocatorFromFilterByTk(ctx, roleName, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  const name = normalizeString(filter.name);
+  if (!dataSourceKey || !name) {
+    ctx.throw(
+      400,
+      "Missing resource locator: provide --filter-by-tk, or both --data-source-key and --name (or filter.{dataSourceKey,name})"
+    );
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey,
+    name
+  };
+}
+async function guardRolesDataSourcesCollectionsList(ctx, next) {
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  if (!dataSourceKey) {
+    ctx.throw(400, "dataSourceKey is required: pass --data-source-key or filter.dataSourceKey");
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey
+  };
+  await next();
+}
+async function guardRolesDataSourceResourcesCreate(ctx, next) {
+  const values = normalizeFilter(ctx.action.params.values);
+  const dataSourceKeyFromQuery = normalizeString(ctx.action.params.dataSourceKey);
+  if (!values.dataSourceKey && dataSourceKeyFromQuery) {
+    values.dataSourceKey = dataSourceKeyFromQuery;
+  }
+  if (!normalizeString(values.dataSourceKey)) {
+    ctx.throw(400, "dataSourceKey is required for roles.dataSourceResources:create");
+    return;
+  }
+  ctx.action.params.values = values;
+  await next();
+}
+async function guardRolesDataSourceResourcesGet(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+async function guardRolesDataSourceResourcesUpdate(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList
+});

package/dist/server/server.js

@@ -46,6 +46,8 @@ var import_server = require("@nocobase/server");
 var import_lodash = __toESM(require("lodash"));
 var import_path = require("path");
 var import_available_actions = require("./actions/available-actions");
+var import_apply_data_permissions = require("./actions/apply-data-permissions");
+var import_data_source_compat = require("./actions/data-source-compat");
 var import_role_check = require("./actions/role-check");
 var import_role_collections = require("./actions/role-collections");
 var import_user_setDefaultRole = require("./actions/user-setDefaultRole");
@@ -181,7 +183,21 @@ class PluginACLServer extends import_server.Plugin {
     this.app.resourcer.define(import_available_actions.availableActionResource);
     this.app.resourcer.define(import_role_collections.roleCollectionsResource);
     this.app.resourcer.registerActionHandler("roles:setSystemRoleMode", import_union_role.setSystemRoleMode);
+    this.app.resourcer.registerActionHandler("roles:applyDataPermissions", import_apply_data_permissions.applyDataPermissions);
     this.app.resourcer.registerActionHandler("roles:check", import_role_check.checkAction);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourcesCollections:list",
+      import_data_source_compat.guardRolesDataSourcesCollectionsList
+    );
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:create",
+      import_data_source_compat.guardRolesDataSourceResourcesCreate
+    );
+    this.app.resourcer.registerPreActionHandler("roles.dataSourceResources:get", import_data_source_compat.guardRolesDataSourceResourcesGet);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:update",
+      import_data_source_compat.guardRolesDataSourceResourcesUpdate
+    );
     this.app.resourcer.registerActionHandler(`users:setDefaultRole`, import_user_setDefaultRole.setDefaultRole);
     this.db.on("users.afterCreateWithAssociations", async (model, options) => {
       const { transaction } = options;

package/dist/swagger/index.d.ts

@@ -198,6 +198,38 @@ declare const _default: {
                 };
             };
         };
+        '/roles:applyDataPermissions': {
+            post: {
+                tags: string[];
+                summary: string;
+                description: string;
+                parameters: {
+                    $ref: string;
+                }[];
+                requestBody: {
+                    required: boolean;
+                    content: {
+                        'application/json': {
+                            schema: {
+                                $ref: string;
+                            };
+                        };
+                    };
+                };
+                responses: {
+                    200: {
+                        description: string;
+                        content: {
+                            'application/json': {
+                                schema: {
+                                    $ref: string;
+                                };
+                            };
+                        };
+                    };
+                };
+            };
+        };
         '/roles/{roleName}/users:list': {
             get: {
                 tags: string[];
@@ -744,6 +776,14 @@ declare const _default: {
                     type: string;
                 };
             };
+            DataSourceKeyQuery: {
+                name: string;
+                in: string;
+                description: string;
+                schema: {
+                    type: string;
+                };
+            };
             MembershipUserFilterByTkQuery: {
                 name: string;
                 in: string;
@@ -789,6 +829,14 @@ declare const _default: {
                     type: string;
                 };
             };
+            DataSourceResourceNameQuery: {
+                name: string;
+                in: string;
+                description: string;
+                schema: {
+                    type: string;
+                };
+            };
             ScopePkQuery: {
                 name: string;
                 in: string;
@@ -951,6 +999,107 @@ declare const _default: {
                 };
                 required: string[];
             };
+            RoleDataPermissionActionWrite: {
+                type: string;
+                properties: {
+                    name: {
+                        type: string;
+                        description: string;
+                    };
+                    fields: {
+                        type: string;
+                        items: {
+                            type: string;
+                        };
+                        description: string;
+                    };
+                    scopeId: {
+                        type: string;
+                        nullable: boolean;
+                        description: string;
+                    };
+                    scopeKey: {
+                        type: string;
+                        description: string;
+                    };
+                    scope: {
+                        type: string;
+                        properties: {
+                            id: {
+                                type: string;
+                            };
+                            key: {
+                                type: string;
+                            };
+                        };
+                        additionalProperties: boolean;
+                        description: string;
+                    };
+                };
+                required: string[];
+                additionalProperties: boolean;
+            };
+            RoleDataPermissionResourceWrite: {
+                type: string;
+                properties: {
+                    name: {
+                        type: string;
+                        description: string;
+                    };
+                    usingActionsConfig: {
+                        type: string;
+                        description: string;
+                    };
+                    actions: {
+                        type: string;
+                        items: {
+                            $ref: string;
+                        };
+                        description: string;
+                    };
+                };
+                required: string[];
+                additionalProperties: boolean;
+            };
+            RoleDataPermissionsApplyWrite: {
+                type: string;
+                properties: {
+                    dataSourceKey: {
+                        type: string;
+                        description: string;
+                    };
+                    resources: {
+                        type: string;
+                        items: {
+                            $ref: string;
+                        };
+                        description: string;
+                    };
+                };
+                required: string[];
+                additionalProperties: boolean;
+            };
+            RoleDataPermissionsApplyResult: {
+                type: string;
+                properties: {
+                    roleName: {
+                        type: string;
+                    };
+                    dataSourceKey: {
+                        type: string;
+                    };
+                    count: {
+                        type: string;
+                    };
+                    resources: {
+                        type: string;
+                        items: {
+                            $ref: string;
+                        };
+                    };
+                };
+                additionalProperties: boolean;
+            };
             DataSourceRole: {
                 type: string;
                 properties: {

package/dist/swagger/index.js

@@ -213,6 +213,36 @@ var swagger_default = {
         }
       }
     },
+    "/roles:applyDataPermissions": {
+      post: {
+        tags: ["roles"],
+        summary: "Apply collection-level independent ACL permissions in batch for a role",
+        description: "Apply one or more collection-level independent ACL permission configs for a role in one request. Supports action scope binding by `scopeId` or `scopeKey`.",
+        parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: {
+                $ref: "#/components/schemas/RoleDataPermissionsApplyWrite"
+              }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "OK",
+            content: {
+              "application/json": {
+                schema: {
+                  $ref: "#/components/schemas/RoleDataPermissionsApplyResult"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/roles/{roleName}/users:list": {
       get: {
         tags: ["roles.users"],
@@ -412,9 +442,10 @@ var swagger_default = {
       get: {
         tags: ["roles.dataSourcesCollections"],
         summary: "List data-source collections in role permission configuration",
-        description: "List collections in the target data source for the given role and indicate whether they use global permissions or collection-level independent permissions.",
+        description: "List collections in the target data source for the given role and indicate whether they use global permissions or collection-level independent permissions. You can pass `dataSourceKey` directly, or through `filter.dataSourceKey` for compatibility.",
         parameters: [
           { $ref: "#/components/parameters/RoleNamePath" },
+          { $ref: "#/components/parameters/DataSourceKeyQuery" },
           { $ref: "#/components/parameters/PageQuery" },
           { $ref: "#/components/parameters/PageSizeQuery" },
           { $ref: "#/components/parameters/SortQuery" },
@@ -483,9 +514,12 @@ var swagger_default = {
       get: {
         tags: ["roles.dataSourceResources"],
         summary: "Get one collection-level independent ACL permission for a role",
-        description: "Get one collection-level independent permission config. Target it with a `filter` such as `{ name, dataSourceKey }`. Do not rely on `filterByTk` for this endpoint.",
+        description: "Get one collection-level independent permission config. You can target it by `filterByTk`, or by `name` + `dataSourceKey`. `filter` with `{ name, dataSourceKey }` is still supported for compatibility.",
         parameters: [
           { $ref: "#/components/parameters/RoleNamePath" },
+          { $ref: "#/components/parameters/ResourcePermissionTkQuery" },
+          { $ref: "#/components/parameters/DataSourceKeyQuery" },
+          { $ref: "#/components/parameters/DataSourceResourceNameQuery" },
           { $ref: "#/components/parameters/FilterQuery" },
           { $ref: "#/components/parameters/AppendsQuery" }
         ],
@@ -507,8 +541,14 @@ var swagger_default = {
       post: {
         tags: ["roles.dataSourceResources"],
         summary: "Update collection-level independent ACL permissions for a role",
-        description: "Update one collection-level independent permission config. Target it with a `filter` such as `{ name, dataSourceKey }`. Do not rely on `filterByTk` for this endpoint.",
-        parameters: [{ $ref: "#/components/parameters/RoleNamePath" }, { $ref: "#/components/parameters/FilterQuery" }],
+        description: "Update one collection-level independent permission config. You can target it by `filterByTk`, or by `name` + `dataSourceKey`. `filter` with `{ name, dataSourceKey }` is still supported for compatibility.",
+        parameters: [
+          { $ref: "#/components/parameters/RoleNamePath" },
+          { $ref: "#/components/parameters/ResourcePermissionTkQuery" },
+          { $ref: "#/components/parameters/DataSourceKeyQuery" },
+          { $ref: "#/components/parameters/DataSourceResourceNameQuery" },
+          { $ref: "#/components/parameters/FilterQuery" }
+        ],
         requestBody: {
           required: true,
           content: {
@@ -765,6 +805,12 @@ var swagger_default = {
         required: true,
         schema: { type: "string" }
       },
+      DataSourceKeyQuery: {
+        name: "dataSourceKey",
+        in: "query",
+        description: "Data source key, for example `main`.",
+        schema: { type: "string" }
+      },
       MembershipUserFilterByTkQuery: {
         name: "filterByTk",
         in: "query",
@@ -807,6 +853,12 @@ var swagger_default = {
         required: true,
         schema: { type: "string" }
       },
+      DataSourceResourceNameQuery: {
+        name: "name",
+        in: "query",
+        description: "Resource name, typically the collection name.",
+        schema: { type: "string" }
+      },
       ScopePkQuery: {
         name: "filterByTk",
         in: "query",
@@ -919,6 +971,89 @@ var swagger_default = {
         },
         required: ["roleMode"]
       },
+      RoleDataPermissionActionWrite: {
+        type: "object",
+        properties: {
+          name: {
+            type: "string",
+            description: "ACL action name, such as `view`, `create`, `update`, or `destroy`."
+          },
+          fields: {
+            type: "array",
+            items: { type: "string" },
+            description: "Optional allowed field list for field-configurable actions."
+          },
+          scopeId: {
+            type: "integer",
+            nullable: true,
+            description: "Optional scope id. Use `null` to clear the scope binding."
+          },
+          scopeKey: {
+            type: "string",
+            description: "Optional built-in/custom scope key. When provided, server resolves it to `scopeId`."
+          },
+          scope: {
+            type: "object",
+            properties: {
+              id: { type: "integer" },
+              key: { type: "string" }
+            },
+            additionalProperties: true,
+            description: "Optional compatibility payload from existing role-resource readback."
+          }
+        },
+        required: ["name"],
+        additionalProperties: true
+      },
+      RoleDataPermissionResourceWrite: {
+        type: "object",
+        properties: {
+          name: {
+            type: "string",
+            description: "Collection name."
+          },
+          usingActionsConfig: {
+            type: "boolean",
+            description: "Whether the collection uses independent action config."
+          },
+          actions: {
+            type: "array",
+            items: { $ref: "#/components/schemas/RoleDataPermissionActionWrite" },
+            description: "Independent action config list for the collection."
+          }
+        },
+        required: ["name"],
+        additionalProperties: true
+      },
+      RoleDataPermissionsApplyWrite: {
+        type: "object",
+        properties: {
+          dataSourceKey: {
+            type: "string",
+            description: "Data source key, default is `main` when omitted."
+          },
+          resources: {
+            type: "array",
+            items: { $ref: "#/components/schemas/RoleDataPermissionResourceWrite" },
+            description: "Collection-level independent permission payloads to apply in batch."
+          }
+        },
+        required: ["resources"],
+        additionalProperties: true
+      },
+      RoleDataPermissionsApplyResult: {
+        type: "object",
+        properties: {
+          roleName: { type: "string" },
+          dataSourceKey: { type: "string" },
+          count: { type: "integer" },
+          resources: {
+            type: "array",
+            items: { $ref: "#/components/schemas/RoleDataSourceResource" }
+          }
+        },
+        additionalProperties: true
+      },
       DataSourceRole: {
         type: "object",
         properties: {

package/package.json

@@ -6,7 +6,7 @@
   "description": "Based on roles, resources, and actions, access control can precisely manage interface configuration permissions, data operation permissions, menu access permissions, and plugin permissions.",
   "description.ru-RU": "На основе ролей, ресурсов и действий система контроля доступа может точно управлять разрешениями на изменение интерфейса, работу с данными, доступ к меню и разрешениями для подключаемых модулей.",
   "description.zh-CN": "基于角色、资源和操作的权限控制，可以精确控制界面配置权限、数据操作权限、菜单访问权限、插件权限。",
-  "version": "2.1.0-alpha.20",
+  "version": "2.1.0-alpha.22",
   "license": "Apache-2.0",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/acl",
@@ -46,5 +46,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/plugins/acl"
   },
-  "gitHead": "3d1535db6bf93ca23257faf474afee0d565f54c6"
+  "gitHead": "81ed83f158f172cca607b36beaf8428b14ba16ad"
 }