@nocobase/plugin-acl 2.1.0-beta.14 → 2.1.0-beta.16

package/dist/server/query/apply-query-permission.js

@@ -0,0 +1,242 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var apply_query_permission_exports = {};
+__export(apply_query_permission_exports, {
+  applyQueryPermission: () => applyQueryPermission
+});
+module.exports = __toCommonJS(apply_query_permission_exports);
+var import_acl = require("@nocobase/acl");
+var import_utils = require("@nocobase/utils");
+function normalizeFieldPath(field) {
+  if (!field) {
+    return null;
+  }
+  const parts = Array.isArray(field) ? field : field.split(".");
+  const normalized = parts.filter(Boolean);
+  return normalized.length ? normalized : null;
+}
+function stringifyFieldPath(field) {
+  const path = normalizeFieldPath(field);
+  if (!path) {
+    return null;
+  }
+  return path.join(".");
+}
+function resolveQueryFieldKey(resourceName, field) {
+  const path = normalizeFieldPath(field);
+  if (!path) {
+    return null;
+  }
+  if (path.length === 1) {
+    return `${resourceName}.${path[0]}`;
+  }
+  return path.join(".");
+}
+function pruneEmptyArray(items) {
+  return items && items.length > 0 ? items : void 0;
+}
+function getRoleNames(options) {
+  var _a;
+  if ((_a = options.currentRoles) == null ? void 0 : _a.length) {
+    return options.currentRoles;
+  }
+  if (options.currentRole) {
+    return [options.currentRole];
+  }
+  return ["anonymous"];
+}
+function getSelectableFields(permission) {
+  var _a, _b;
+  const fields = (_a = permission == null ? void 0 : permission.params) == null ? void 0 : _a.fields;
+  const appends = (_b = permission == null ? void 0 : permission.params) == null ? void 0 : _b.appends;
+  if (fields === void 0 && appends === void 0) {
+    return null;
+  }
+  return Array.from(/* @__PURE__ */ new Set([...fields || [], ...appends || []]));
+}
+function isAllowedFieldPath(acl, db, roles, rootCollectionName, field) {
+  var _a;
+  const fieldPath = normalizeFieldPath(field);
+  if (!fieldPath) {
+    return false;
+  }
+  let collectionName = rootCollectionName;
+  let permission = acl.can({
+    roles,
+    resource: collectionName,
+    action: "view"
+  });
+  if (!permission) {
+    return false;
+  }
+  for (let index = 0; index < fieldPath.length; index++) {
+    const fieldName = fieldPath[index];
+    const field2 = (_a = db.getCollection(collectionName)) == null ? void 0 : _a.getField(fieldName);
+    if (!field2) {
+      return false;
+    }
+    const selectableFields = getSelectableFields(permission);
+    if (selectableFields && !selectableFields.includes(fieldName)) {
+      return false;
+    }
+    if (index === fieldPath.length - 1) {
+      return true;
+    }
+    if (!field2.target) {
+      return false;
+    }
+    collectionName = field2.target;
+    permission = acl.can({
+      roles,
+      resource: collectionName,
+      action: "view"
+    });
+    if (!permission) {
+      return false;
+    }
+  }
+  return true;
+}
+function pruneSelections(items, acl, db, roles, resourceName) {
+  return pruneEmptyArray((items || []).filter((item) => isAllowedFieldPath(acl, db, roles, resourceName, item.field)));
+}
+function getAvailableSelectionKeys(resourceName, query) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const item of [...query.measures || [], ...query.dimensions || []]) {
+    if (item.alias) {
+      keys.add(item.alias);
+    }
+    const fieldPathKey = stringifyFieldPath(item.field);
+    if (fieldPathKey) {
+      keys.add(fieldPathKey);
+    }
+    const qualifiedFieldKey = resolveQueryFieldKey(resourceName, item.field);
+    if (qualifiedFieldKey) {
+      keys.add(qualifiedFieldKey);
+    }
+  }
+  return keys;
+}
+function pruneOrders(items, acl, db, roles, resourceName, availableSelectionKeys) {
+  return pruneEmptyArray(
+    (items || []).filter((item) => {
+      if (isAllowedFieldPath(acl, db, roles, resourceName, item.field)) {
+        return true;
+      }
+      const fieldKey = stringifyFieldPath(item.field);
+      return !!fieldKey && availableSelectionKeys.has(fieldKey);
+    })
+  );
+}
+function pruneHavingNode(node, availableKeys) {
+  if (!(0, import_utils.isPlainObject)(node)) {
+    return void 0;
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(node)) {
+    if ((key === "$and" || key === "$or") && Array.isArray(value)) {
+      const items = value.map((item) => pruneHavingNode(item, availableKeys)).filter((item) => item !== void 0);
+      if (items.length > 0) {
+        result[key] = items;
+      }
+      continue;
+    }
+    if (!availableKeys.has(key)) {
+      continue;
+    }
+    result[key] = value;
+  }
+  return Object.keys(result).length ? result : void 0;
+}
+async function getParsedPermissionFilter(options, permission) {
+  var _a;
+  const filterParams = (_a = permission == null ? void 0 : permission.params) == null ? void 0 : _a.filter;
+  if (!filterParams) {
+    return void 0;
+  }
+  (0, import_acl.checkFilterParams)(options.db.getCollection(options.resourceName), filterParams);
+  return await (0, import_acl.parseJsonTemplate)(filterParams, {
+    state: options.state,
+    timezone: options.timezone,
+    userProvider: (0, import_acl.createUserProvider)({
+      db: options.db,
+      currentUser: options.currentUser
+    })
+  }) ?? filterParams;
+}
+async function applyQueryPermission(options) {
+  var _a, _b, _c, _d, _e, _f;
+  const { acl, db, resourceName, query: sourceQuery, currentUser, state, timezone } = options;
+  const roles = getRoleNames(options);
+  const rootPermission = acl.can({
+    roles,
+    resource: resourceName,
+    action: "view"
+  });
+  if (!rootPermission) {
+    throw new import_acl.NoPermissionError(`No permission for resource: ${resourceName}`);
+  }
+  const query = {
+    ...sourceQuery,
+    measures: pruneSelections(sourceQuery.measures, acl, db, roles, resourceName),
+    dimensions: pruneSelections(sourceQuery.dimensions, acl, db, roles, resourceName)
+  };
+  const availableSelectionKeys = getAvailableSelectionKeys(resourceName, query);
+  query.orders = pruneOrders(sourceQuery.orders, acl, db, roles, resourceName, availableSelectionKeys);
+  query.having = pruneHavingNode(query.having, availableSelectionKeys);
+  const aclFilter = await getParsedPermissionFilter(
+    {
+      ...options,
+      acl,
+      db,
+      resourceName,
+      query,
+      currentUser,
+      state,
+      timezone
+    },
+    rootPermission
+  );
+  if (aclFilter) {
+    query.filter = (0, import_utils.assign)(query.filter || {}, aclFilter, {
+      filter: "andMerge"
+    });
+  }
+  const hasSelection = (((_a = options.query.measures) == null ? void 0 : _a.length) || 0) > 0 || (((_b = options.query.dimensions) == null ? void 0 : _b.length) || 0) > 0 || (((_c = options.query.orders) == null ? void 0 : _c.length) || 0) > 0;
+  const hasRemainingSelection = (((_d = query.measures) == null ? void 0 : _d.length) || 0) > 0 || (((_e = query.dimensions) == null ? void 0 : _e.length) || 0) > 0 || (((_f = query.orders) == null ? void 0 : _f.length) || 0) > 0;
+  if (hasSelection && !hasRemainingSelection) {
+    throw new import_acl.NoPermissionError(`No permission for query fields: ${options.resourceName}`);
+  }
+  return {
+    permission: rootPermission,
+    query
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  applyQueryPermission
+});

package/dist/server/server.js

@@ -46,6 +46,8 @@ var import_server = require("@nocobase/server");
 var import_lodash = __toESM(require("lodash"));
 var import_path = require("path");
 var import_available_actions = require("./actions/available-actions");
+var import_apply_data_permissions = require("./actions/apply-data-permissions");
+var import_data_source_compat = require("./actions/data-source-compat");
 var import_role_check = require("./actions/role-check");
 var import_role_collections = require("./actions/role-collections");
 var import_user_setDefaultRole = require("./actions/user-setDefaultRole");
@@ -57,6 +59,7 @@ var import_RoleResourceModel = require("./model/RoleResourceModel");
 var import_union_role = require("./actions/union-role");
 var import_check_association_operate = require("./middlewares/check-association-operate");
 var import_check_change_with_association = require("./middlewares/check-change-with-association");
+var import_check_query_permission = require("./middlewares/check-query-permission");
 class PluginACLServer extends import_server.Plugin {
   get acl() {
     return this.app.acl;
@@ -180,7 +183,21 @@ class PluginACLServer extends import_server.Plugin {
     this.app.resourcer.define(import_available_actions.availableActionResource);
     this.app.resourcer.define(import_role_collections.roleCollectionsResource);
     this.app.resourcer.registerActionHandler("roles:setSystemRoleMode", import_union_role.setSystemRoleMode);
+    this.app.resourcer.registerActionHandler("roles:applyDataPermissions", import_apply_data_permissions.applyDataPermissions);
     this.app.resourcer.registerActionHandler("roles:check", import_role_check.checkAction);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourcesCollections:list",
+      import_data_source_compat.guardRolesDataSourcesCollectionsList
+    );
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:create",
+      import_data_source_compat.guardRolesDataSourceResourcesCreate
+    );
+    this.app.resourcer.registerPreActionHandler("roles.dataSourceResources:get", import_data_source_compat.guardRolesDataSourceResourcesGet);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:update",
+      import_data_source_compat.guardRolesDataSourceResourcesUpdate
+    );
     this.app.resourcer.registerActionHandler(`users:setDefaultRole`, import_user_setDefaultRole.setDefaultRole);
     this.db.on("users.afterCreateWithAssociations", async (model, options) => {
       const { transaction } = options;
@@ -583,6 +600,7 @@ class PluginACLServer extends import_server.Plugin {
         before: "core"
       });
       if (dataSource.options.acl !== false && dataSource.options.useACL !== false) {
+        dataSource.resourceManager.registerPreActionHandler("query", import_check_query_permission.checkQueryPermission);
         dataSource.resourceManager.registerPreActionHandler("create", import_check_change_with_association.checkChangesWithAssociation);
         dataSource.resourceManager.registerPreActionHandler("firstOrCreate", import_check_change_with_association.checkChangesWithAssociation);
         dataSource.resourceManager.registerPreActionHandler("updateOrCreate", import_check_change_with_association.checkChangesWithAssociation);