@nocobase/plugin-acl 2.1.0-beta.14 → 2.1.0-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/client-v2.d.ts +2 -0
  2. package/client-v2.js +1 -0
  3. package/dist/client/949.7ad4ad3b554e5452.js +10 -0
  4. package/dist/client/971.50ecf7b6ac572080.js +10 -0
  5. package/dist/client/index.js +1 -1
  6. package/dist/client-v2/139.929bc11d582ef7d4.js +10 -0
  7. package/dist/client-v2/193.3245b23f17b4c9f8.js +10 -0
  8. package/dist/client-v2/366.069b6cf12cfb9a67.js +10 -0
  9. package/dist/client-v2/627.ce101823deb86dd6.js +10 -0
  10. package/dist/client-v2/index.d.ts +9 -0
  11. package/dist/client-v2/index.js +10 -0
  12. package/dist/client-v2/plugin.d.ts +5 -0
  13. package/dist/client-v2/routes/AppInfoDemoRoute.d.ts +10 -0
  14. package/dist/client-v2/routes/DemoHomepageRoute.d.ts +10 -0
  15. package/dist/client-v2/routes/FlowSettingsComponentLoaderDemoRoute.d.ts +2 -0
  16. package/dist/client-v2/settings/DemoFlowSettingsLazyField.d.ts +10 -0
  17. package/dist/externalVersion.js +11 -9
  18. package/dist/server/actions/apply-data-permissions.d.ts +10 -0
  19. package/dist/server/actions/apply-data-permissions.js +208 -0
  20. package/dist/server/actions/data-source-compat.d.ts +13 -0
  21. package/dist/server/actions/data-source-compat.js +189 -0
  22. package/dist/server/index.d.ts +1 -0
  23. package/dist/server/index.js +2 -0
  24. package/dist/server/middlewares/check-query-permission.d.ts +10 -0
  25. package/dist/server/middlewares/check-query-permission.js +64 -0
  26. package/dist/server/query/apply-query-permission.d.ts +27 -0
  27. package/dist/server/query/apply-query-permission.js +242 -0
  28. package/dist/server/server.js +18 -0
  29. package/dist/swagger/index.d.ts +1113 -145
  30. package/dist/swagger/index.js +986 -180
  31. package/package.json +4 -2
  32. package/dist/client/646.e67b75c43441bcc0.js +0 -10
  33. package/dist/client/86.45758388a34b8834.js +0 -10
package/dist/swagger/index.js CHANGED
@@ -32,23 +32,23 @@ module.exports = __toCommonJS(swagger_exports);
32
32
  var swagger_default = {
33
33
  openapi: "3.0.2",
34
34
  info: {
35
- title: "NocoBase API - ACL plugin"
35
+ title: "NocoBase API - ACL plugin",
36
+ version: "1.0.0"
36
37
  },
37
38
  paths: {
38
39
  "/roles:list": {
39
40
  get: {
40
41
  tags: ["roles"],
41
- description: "",
42
- parameters: [],
42
+ summary: "List roles",
43
43
  responses: {
44
44
  200: {
45
- description: "ok",
45
+ description: "OK",
46
46
  content: {
47
47
  "application/json": {
48
48
  schema: {
49
49
  type: "array",
50
50
  items: {
51
- $ref: "#/components/schemas/role"
51
+ $ref: "#/components/schemas/Role"
52
52
  }
53
53
  }
54
54
  }
@@ -60,25 +60,15 @@ var swagger_default = {
60
60
  "/roles:get": {
61
61
  get: {
62
62
  tags: ["roles"],
63
- description: "",
64
- parameters: [
65
- {
66
- name: "filterByTk",
67
- in: "query",
68
- description: "role name",
69
- required: true,
70
- schema: {
71
- type: "string"
72
- }
73
- }
74
- ],
63
+ summary: "Get a role",
64
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
75
65
  responses: {
76
66
  200: {
77
- description: "ok",
67
+ description: "OK",
78
68
  content: {
79
69
  "application/json": {
80
70
  schema: {
81
- $ref: "#/components/schemas/role"
71
+ $ref: "#/components/schemas/Role"
82
72
  }
83
73
  }
84
74
  }
@@ -89,23 +79,25 @@ var swagger_default = {
89
79
  "/roles:create": {
90
80
  post: {
91
81
  tags: ["roles"],
92
- description: "",
82
+ summary: "Create a role",
83
+ description: "Create a role. Request body uses direct role values.",
93
84
  requestBody: {
85
+ required: true,
94
86
  content: {
95
87
  "application/json": {
96
88
  schema: {
97
- $ref: "#/components/schemas/role"
89
+ $ref: "#/components/schemas/RoleWrite"
98
90
  }
99
91
  }
100
92
  }
101
93
  },
102
94
  responses: {
103
- "200": {
95
+ 200: {
104
96
  description: "OK",
105
97
  content: {
106
98
  "application/json": {
107
99
  schema: {
108
- $ref: "#/components/schemas/role"
100
+ $ref: "#/components/schemas/Role"
109
101
  }
110
102
  }
111
103
  }
@@ -116,34 +108,26 @@ var swagger_default = {
116
108
  "/roles:update": {
117
109
  post: {
118
110
  tags: ["roles"],
119
- description: "",
120
- parameters: [
121
- {
122
- name: "filterByTk",
123
- in: "query",
124
- description: "role name",
125
- required: true,
126
- schema: {
127
- type: "string"
128
- }
129
- }
130
- ],
111
+ summary: "Update a role",
112
+ description: "Update a role by role name (`filterByTk`). Commonly used for role metadata and system permission snippets.",
113
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
131
114
  requestBody: {
115
+ required: true,
132
116
  content: {
133
117
  "application/json": {
134
118
  schema: {
135
- $ref: "#/components/schemas/role"
119
+ $ref: "#/components/schemas/RoleWrite"
136
120
  }
137
121
  }
138
122
  }
139
123
  },
140
124
  responses: {
141
125
  200: {
142
- description: "ok",
126
+ description: "OK",
143
127
  content: {
144
128
  "application/json": {
145
129
  schema: {
146
- $ref: "#/components/schemas/role"
130
+ $ref: "#/components/schemas/Role"
147
131
  }
148
132
  }
149
133
  }
@@ -154,20 +138,10 @@ var swagger_default = {
154
138
  "/roles:destroy": {
155
139
  post: {
156
140
  tags: ["roles"],
157
- description: "",
158
- parameters: [
159
- {
160
- name: "filterByTk",
161
- in: "query",
162
- description: "role name",
163
- required: true,
164
- schema: {
165
- type: "string"
166
- }
167
- }
168
- ],
141
+ summary: "Destroy a role",
142
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
169
143
  responses: {
170
- "200": {
144
+ 200: {
171
145
  description: "OK"
172
146
  }
173
147
  }
@@ -176,14 +150,15 @@ var swagger_default = {
176
150
  "/roles:check": {
177
151
  get: {
178
152
  tags: ["roles"],
179
- description: "return current user role",
153
+ summary: "Check current role context",
154
+ description: "Return the current effective role context, including role mode and resolved ACL action map for the current user.",
180
155
  responses: {
181
156
  200: {
182
- description: "ok",
157
+ description: "OK",
183
158
  content: {
184
159
  "application/json": {
185
160
  schema: {
186
- $ref: "#/components/schemas/role"
161
+ $ref: "#/components/schemas/RoleCheck"
187
162
  }
188
163
  }
189
164
  }
@@ -194,82 +169,478 @@ var swagger_default = {
194
169
  "/roles:setDefaultRole": {
195
170
  post: {
196
171
  tags: ["roles"],
197
- description: "set default role for new user",
172
+ summary: "Set default role for new users",
198
173
  requestBody: {
174
+ required: true,
199
175
  content: {
200
176
  "application/json": {
201
177
  schema: {
202
178
  type: "object",
203
179
  properties: {
204
- roleName: {
205
- type: "string"
180
+ roleName: { type: "string" }
181
+ },
182
+ required: ["roleName"]
183
+ }
184
+ }
185
+ }
186
+ },
187
+ responses: {
188
+ 200: {
189
+ description: "OK"
190
+ }
191
+ }
192
+ }
193
+ },
194
+ "/roles:setSystemRoleMode": {
195
+ post: {
196
+ tags: ["roles"],
197
+ summary: "Set system role mode",
198
+ description: "Set the system role mode. Valid values are `default`, `allow-use-union`, and `only-use-union`.",
199
+ requestBody: {
200
+ required: true,
201
+ content: {
202
+ "application/json": {
203
+ schema: {
204
+ $ref: "#/components/schemas/RoleModeWrite"
205
+ }
206
+ }
207
+ }
208
+ },
209
+ responses: {
210
+ 200: {
211
+ description: "OK"
212
+ }
213
+ }
214
+ }
215
+ },
216
+ "/roles:applyDataPermissions": {
217
+ post: {
218
+ tags: ["roles"],
219
+ summary: "Apply collection-level independent ACL permissions in batch for a role",
220
+ description: "Apply one or more collection-level independent ACL permission configs for a role in one request. Supports action scope binding by `scopeId` or `scopeKey`.",
221
+ parameters: [{ $ref: "#/components/parameters/RoleNameQuery" }],
222
+ requestBody: {
223
+ required: true,
224
+ content: {
225
+ "application/json": {
226
+ schema: {
227
+ $ref: "#/components/schemas/RoleDataPermissionsApplyWrite"
228
+ }
229
+ }
230
+ }
231
+ },
232
+ responses: {
233
+ 200: {
234
+ description: "OK",
235
+ content: {
236
+ "application/json": {
237
+ schema: {
238
+ $ref: "#/components/schemas/RoleDataPermissionsApplyResult"
239
+ }
240
+ }
241
+ }
242
+ }
243
+ }
244
+ }
245
+ },
246
+ "/roles/{roleName}/users:list": {
247
+ get: {
248
+ tags: ["roles.users"],
249
+ summary: "List users bound to a role",
250
+ parameters: [
251
+ { $ref: "#/components/parameters/RoleNamePath" },
252
+ { $ref: "#/components/parameters/PageQuery" },
253
+ { $ref: "#/components/parameters/PageSizeQuery" },
254
+ { $ref: "#/components/parameters/SortQuery" },
255
+ { $ref: "#/components/parameters/AppendsQuery" },
256
+ { $ref: "#/components/parameters/FilterQuery" }
257
+ ],
258
+ responses: {
259
+ 200: {
260
+ description: "OK",
261
+ content: {
262
+ "application/json": {
263
+ schema: {
264
+ type: "object",
265
+ additionalProperties: true,
266
+ properties: {
267
+ data: {
268
+ type: "array",
269
+ items: {
270
+ type: "object",
271
+ additionalProperties: true
272
+ }
273
+ },
274
+ meta: {
275
+ type: "object",
276
+ additionalProperties: true
277
+ }
206
278
  }
207
279
  }
208
280
  }
209
281
  }
210
282
  }
211
- },
283
+ }
284
+ }
285
+ },
286
+ "/roles/{roleName}/users:add": {
287
+ post: {
288
+ tags: ["roles.users"],
289
+ summary: "Bind one or more users to a role",
290
+ parameters: [
291
+ { $ref: "#/components/parameters/RoleNamePath" },
292
+ { $ref: "#/components/parameters/MembershipUserFilterByTkQuery" }
293
+ ],
294
+ responses: {
295
+ 200: {
296
+ description: "OK"
297
+ }
298
+ }
299
+ }
300
+ },
301
+ "/roles/{roleName}/users:remove": {
302
+ post: {
303
+ tags: ["roles.users"],
304
+ summary: "Unbind one or more users from a role",
305
+ parameters: [
306
+ { $ref: "#/components/parameters/RoleNamePath" },
307
+ { $ref: "#/components/parameters/MembershipUserFilterByTkQuery" }
308
+ ],
309
+ responses: {
310
+ 200: {
311
+ description: "OK"
312
+ }
313
+ }
314
+ }
315
+ },
316
+ "/users/{userId}/roles:list": {
317
+ get: {
318
+ tags: ["users.roles"],
319
+ summary: "List roles bound to a user",
320
+ parameters: [
321
+ { $ref: "#/components/parameters/UserIdPath" },
322
+ { $ref: "#/components/parameters/PageQuery" },
323
+ { $ref: "#/components/parameters/PageSizeQuery" },
324
+ { $ref: "#/components/parameters/SortQuery" },
325
+ { $ref: "#/components/parameters/AppendsQuery" },
326
+ { $ref: "#/components/parameters/FilterQuery" }
327
+ ],
328
+ responses: {
329
+ 200: {
330
+ description: "OK",
331
+ content: {
332
+ "application/json": {
333
+ schema: {
334
+ type: "object",
335
+ additionalProperties: true,
336
+ properties: {
337
+ data: {
338
+ type: "array",
339
+ items: {
340
+ type: "object",
341
+ additionalProperties: true
342
+ }
343
+ },
344
+ meta: {
345
+ type: "object",
346
+ additionalProperties: true
347
+ }
348
+ }
349
+ }
350
+ }
351
+ }
352
+ }
353
+ }
354
+ }
355
+ },
356
+ "/users/{userId}/roles:add": {
357
+ post: {
358
+ tags: ["users.roles"],
359
+ summary: "Bind one or more roles to a user",
360
+ parameters: [
361
+ { $ref: "#/components/parameters/UserIdPath" },
362
+ { $ref: "#/components/parameters/MembershipRoleFilterByTkQuery" }
363
+ ],
364
+ responses: {
365
+ 200: {
366
+ description: "OK"
367
+ }
368
+ }
369
+ }
370
+ },
371
+ "/users/{userId}/roles:remove": {
372
+ post: {
373
+ tags: ["users.roles"],
374
+ summary: "Unbind one or more roles from a user",
375
+ parameters: [
376
+ { $ref: "#/components/parameters/UserIdPath" },
377
+ { $ref: "#/components/parameters/MembershipRoleFilterByTkQuery" }
378
+ ],
212
379
  responses: {
213
- "200": {
380
+ 200: {
214
381
  description: "OK"
215
382
  }
216
383
  }
217
384
  }
218
385
  },
219
- "/roles/{roleName}/collections:list": {
386
+ "/dataSources/{dataSourceKey}/roles:update": {
387
+ post: {
388
+ tags: ["dataSources.roles"],
389
+ summary: "Update global ACL strategy for a role in a data source",
390
+ description: "Configure global table permissions for a role inside a data source. Request body typically includes `roleName`, `dataSourceKey`, and `strategy.actions`.",
391
+ parameters: [
392
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
393
+ { $ref: "#/components/parameters/RoleNameQuery" }
394
+ ],
395
+ requestBody: {
396
+ required: true,
397
+ content: {
398
+ "application/json": {
399
+ schema: {
400
+ $ref: "#/components/schemas/DataSourceRole"
401
+ }
402
+ }
403
+ }
404
+ },
405
+ responses: {
406
+ 200: {
407
+ description: "OK",
408
+ content: {
409
+ "application/json": {
410
+ schema: {
411
+ $ref: "#/components/schemas/DataSourceRole"
412
+ }
413
+ }
414
+ }
415
+ }
416
+ }
417
+ }
418
+ },
419
+ "/dataSources/{dataSourceKey}/roles:get": {
420
+ get: {
421
+ tags: ["dataSources.roles"],
422
+ summary: "Get global ACL strategy for a role in a data source",
423
+ parameters: [
424
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
425
+ { $ref: "#/components/parameters/RoleNameQuery" }
426
+ ],
427
+ responses: {
428
+ 200: {
429
+ description: "OK",
430
+ content: {
431
+ "application/json": {
432
+ schema: {
433
+ $ref: "#/components/schemas/DataSourceRole"
434
+ }
435
+ }
436
+ }
437
+ }
438
+ }
439
+ }
440
+ },
441
+ "/roles/{roleName}/dataSourcesCollections:list": {
442
+ get: {
443
+ tags: ["roles.dataSourcesCollections"],
444
+ summary: "List data-source collections in role permission configuration",
445
+ description: "List collections in the target data source for the given role and indicate whether they use global permissions or collection-level independent permissions. You can pass `dataSourceKey` directly, or through `filter.dataSourceKey` for compatibility.",
446
+ parameters: [
447
+ { $ref: "#/components/parameters/RoleNamePath" },
448
+ { $ref: "#/components/parameters/DataSourceKeyQuery" },
449
+ { $ref: "#/components/parameters/PageQuery" },
450
+ { $ref: "#/components/parameters/PageSizeQuery" },
451
+ { $ref: "#/components/parameters/SortQuery" },
452
+ { $ref: "#/components/parameters/AppendsQuery" },
453
+ { $ref: "#/components/parameters/FilterQuery" }
454
+ ],
455
+ responses: {
456
+ 200: {
457
+ description: "OK",
458
+ content: {
459
+ "application/json": {
460
+ schema: {
461
+ type: "object",
462
+ properties: {
463
+ count: { type: "integer" },
464
+ rows: {
465
+ type: "array",
466
+ items: { $ref: "#/components/schemas/RoleCollectionPermissionRow" }
467
+ },
468
+ page: { type: "integer" },
469
+ pageSize: { type: "integer" },
470
+ totalPage: { type: "integer" }
471
+ }
472
+ }
473
+ }
474
+ }
475
+ }
476
+ }
477
+ }
478
+ },
479
+ "/roles/{roleName}/dataSourceResources:create": {
480
+ post: {
481
+ tags: ["roles.dataSourceResources"],
482
+ summary: "Create collection-level independent ACL permissions for a role",
483
+ description: [
484
+ "Create collection-level independent permission config for a role in a data source.",
485
+ "Request body usually includes `name`, `dataSourceKey`, `usingActionsConfig`, and `actions`.",
486
+ "The server uses the role path parameter plus request-body `name` and `dataSourceKey` to create the record."
487
+ ].join("\n"),
488
+ parameters: [{ $ref: "#/components/parameters/RoleNamePath" }, { $ref: "#/components/parameters/FilterQuery" }],
489
+ requestBody: {
490
+ required: true,
491
+ content: {
492
+ "application/json": {
493
+ schema: {
494
+ $ref: "#/components/schemas/RoleDataSourceResourceWrite"
495
+ }
496
+ }
497
+ }
498
+ },
499
+ responses: {
500
+ 200: {
501
+ description: "OK",
502
+ content: {
503
+ "application/json": {
504
+ schema: {
505
+ $ref: "#/components/schemas/RoleDataSourceResource"
506
+ }
507
+ }
508
+ }
509
+ }
510
+ }
511
+ }
512
+ },
513
+ "/roles/{roleName}/dataSourceResources:get": {
220
514
  get: {
221
- tags: ["roles.collections"],
222
- description: "list permissions of collections for role by roleName",
515
+ tags: ["roles.dataSourceResources"],
516
+ summary: "Get one collection-level independent ACL permission for a role",
517
+ description: "Get one collection-level independent permission config. You can target it by `filterByTk`, or by `name` + `dataSourceKey`. `filter` with `{ name, dataSourceKey }` is still supported for compatibility.",
518
+ parameters: [
519
+ { $ref: "#/components/parameters/RoleNamePath" },
520
+ { $ref: "#/components/parameters/ResourcePermissionTkQuery" },
521
+ { $ref: "#/components/parameters/DataSourceKeyQuery" },
522
+ { $ref: "#/components/parameters/DataSourceResourceNameQuery" },
523
+ { $ref: "#/components/parameters/FilterQuery" },
524
+ { $ref: "#/components/parameters/AppendsQuery" }
525
+ ],
526
+ responses: {
527
+ 200: {
528
+ description: "OK",
529
+ content: {
530
+ "application/json": {
531
+ schema: {
532
+ $ref: "#/components/schemas/RoleDataSourceResource"
533
+ }
534
+ }
535
+ }
536
+ }
537
+ }
538
+ }
539
+ },
540
+ "/roles/{roleName}/dataSourceResources:update": {
541
+ post: {
542
+ tags: ["roles.dataSourceResources"],
543
+ summary: "Update collection-level independent ACL permissions for a role",
544
+ description: "Update one collection-level independent permission config. You can target it by `filterByTk`, or by `name` + `dataSourceKey`. `filter` with `{ name, dataSourceKey }` is still supported for compatibility.",
223
545
  parameters: [
224
- {
225
- name: "filterByTk",
226
- in: "query",
227
- description: "role name",
228
- required: true,
229
- schema: {
230
- type: "string"
546
+ { $ref: "#/components/parameters/RoleNamePath" },
547
+ { $ref: "#/components/parameters/ResourcePermissionTkQuery" },
548
+ { $ref: "#/components/parameters/DataSourceKeyQuery" },
549
+ { $ref: "#/components/parameters/DataSourceResourceNameQuery" },
550
+ { $ref: "#/components/parameters/FilterQuery" }
551
+ ],
552
+ requestBody: {
553
+ required: true,
554
+ content: {
555
+ "application/json": {
556
+ schema: {
557
+ $ref: "#/components/schemas/RoleDataSourceResourceWrite"
558
+ }
559
+ }
560
+ }
561
+ },
562
+ responses: {
563
+ 200: {
564
+ description: "OK",
565
+ content: {
566
+ "application/json": {
567
+ schema: {
568
+ $ref: "#/components/schemas/RoleDataSourceResource"
569
+ }
570
+ }
231
571
  }
232
572
  }
573
+ }
574
+ }
575
+ },
576
+ "/rolesResourcesScopes:list": {
577
+ get: {
578
+ tags: ["rolesResourcesScopes"],
579
+ summary: "List reusable ACL scopes",
580
+ parameters: [
581
+ { $ref: "#/components/parameters/PageQuery" },
582
+ { $ref: "#/components/parameters/PageSizeQuery" },
583
+ { $ref: "#/components/parameters/FilterQuery" }
233
584
  ],
234
585
  responses: {
235
- "200": {
586
+ 200: {
236
587
  description: "OK",
237
588
  content: {
238
589
  "application/json": {
239
590
  schema: {
240
591
  type: "array",
241
- items: {
242
- type: "object",
243
- properties: {
244
- type: {
245
- type: "string",
246
- description: "collection"
247
- },
248
- name: {
249
- type: "string",
250
- description: "collection name"
251
- },
252
- collectionName: {
253
- type: "string",
254
- description: "collection name"
255
- },
256
- title: {
257
- type: "string",
258
- description: "collection title"
259
- },
260
- roleName: {
261
- type: "string",
262
- description: "role name"
263
- },
264
- usingConfig: {
265
- type: "string",
266
- enum: ["resourceAction", "strategy"],
267
- description: "resourceAction: \u5355\u72EC\u914D\u7F6E, strategy: \u5168\u5C40\u7B56\u7565"
268
- },
269
- exists: {
270
- type: "boolean",
271
- description: "\u662F\u5426\u5B58\u5728\u5355\u72EC\u914D\u7F6E\u7684\u6743\u9650"
272
- }
592
+ items: { $ref: "#/components/schemas/RoleResourceScope" }
593
+ }
594
+ }
595
+ }
596
+ }
597
+ }
598
+ }
599
+ },
600
+ "/rolesResourcesScopes:get": {
601
+ get: {
602
+ tags: ["rolesResourcesScopes"],
603
+ summary: "Get a reusable ACL scope",
604
+ parameters: [{ $ref: "#/components/parameters/ScopePkQuery" }, { $ref: "#/components/parameters/FilterQuery" }],
605
+ responses: {
606
+ 200: {
607
+ description: "OK",
608
+ content: {
609
+ "application/json": {
610
+ schema: {
611
+ $ref: "#/components/schemas/RoleResourceScope"
612
+ }
613
+ }
614
+ }
615
+ }
616
+ }
617
+ }
618
+ },
619
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:list": {
620
+ get: {
621
+ tags: ["dataSources.rolesResourcesScopes"],
622
+ summary: "List reusable ACL scopes in a data source",
623
+ parameters: [
624
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
625
+ { $ref: "#/components/parameters/PageQuery" },
626
+ { $ref: "#/components/parameters/PageSizeQuery" },
627
+ { $ref: "#/components/parameters/FilterQuery" }
628
+ ],
629
+ responses: {
630
+ 200: {
631
+ description: "OK",
632
+ content: {
633
+ "application/json": {
634
+ schema: {
635
+ type: "object",
636
+ properties: {
637
+ data: {
638
+ type: "array",
639
+ items: { $ref: "#/components/schemas/RoleResourceScope" }
640
+ },
641
+ meta: {
642
+ type: "object",
643
+ additionalProperties: true
273
644
  }
274
645
  }
275
646
  }
@@ -279,50 +650,121 @@ var swagger_default = {
279
650
  }
280
651
  }
281
652
  },
653
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:get": {
654
+ get: {
655
+ tags: ["dataSources.rolesResourcesScopes"],
656
+ summary: "Get a reusable ACL scope in a data source",
657
+ parameters: [
658
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
659
+ { $ref: "#/components/parameters/ScopePkQuery" },
660
+ { $ref: "#/components/parameters/FilterQuery" }
661
+ ],
662
+ responses: {
663
+ 200: {
664
+ description: "OK",
665
+ content: {
666
+ "application/json": {
667
+ schema: {
668
+ $ref: "#/components/schemas/RoleResourceScope"
669
+ }
670
+ }
671
+ }
672
+ }
673
+ }
674
+ }
675
+ },
676
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:create": {
677
+ post: {
678
+ tags: ["dataSources.rolesResourcesScopes"],
679
+ summary: "Create a reusable ACL scope in a data source",
680
+ description: "Create a reusable scope definition under the target data source.",
681
+ parameters: [{ $ref: "#/components/parameters/DataSourceKeyPath" }],
682
+ requestBody: {
683
+ required: true,
684
+ content: {
685
+ "application/json": {
686
+ schema: {
687
+ $ref: "#/components/schemas/RoleResourceScopeWrite"
688
+ }
689
+ }
690
+ }
691
+ },
692
+ responses: {
693
+ 200: {
694
+ description: "OK",
695
+ content: {
696
+ "application/json": {
697
+ schema: {
698
+ $ref: "#/components/schemas/RoleResourceScope"
699
+ }
700
+ }
701
+ }
702
+ }
703
+ }
704
+ }
705
+ },
706
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:update": {
707
+ post: {
708
+ tags: ["dataSources.rolesResourcesScopes"],
709
+ summary: "Update a reusable ACL scope in a data source",
710
+ parameters: [
711
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
712
+ { $ref: "#/components/parameters/ScopePkQuery" },
713
+ { $ref: "#/components/parameters/FilterQuery" }
714
+ ],
715
+ requestBody: {
716
+ required: true,
717
+ content: {
718
+ "application/json": {
719
+ schema: {
720
+ $ref: "#/components/schemas/RoleResourceScopeWrite"
721
+ }
722
+ }
723
+ }
724
+ },
725
+ responses: {
726
+ 200: {
727
+ description: "OK",
728
+ content: {
729
+ "application/json": {
730
+ schema: {
731
+ $ref: "#/components/schemas/RoleResourceScope"
732
+ }
733
+ }
734
+ }
735
+ }
736
+ }
737
+ }
738
+ },
739
+ "/dataSources/{dataSourceKey}/rolesResourcesScopes:destroy": {
740
+ post: {
741
+ tags: ["dataSources.rolesResourcesScopes"],
742
+ summary: "Destroy a reusable ACL scope in a data source",
743
+ parameters: [
744
+ { $ref: "#/components/parameters/DataSourceKeyPath" },
745
+ { $ref: "#/components/parameters/ScopePkQuery" },
746
+ { $ref: "#/components/parameters/FilterQuery" }
747
+ ],
748
+ responses: {
749
+ 200: {
750
+ description: "OK"
751
+ }
752
+ }
753
+ }
754
+ },
282
755
  "/availableActions:list": {
283
756
  get: {
284
757
  tags: ["availableActions"],
285
- description: "available actions of resource in current system",
286
- parameters: [],
758
+ summary: "List configurable ACL actions",
759
+ description: "List ACL actions available in the current system. Use this before configuring resource-level action or field permissions.",
287
760
  responses: {
288
- "200": {
761
+ 200: {
289
762
  description: "OK",
290
763
  content: {
291
764
  "application/json": {
292
765
  schema: {
293
766
  type: "array",
294
- items: {
295
- type: "object",
296
- properties: {
297
- name: {
298
- type: "string",
299
- description: "Action\u540D\u79F0"
300
- },
301
- displayName: {
302
- type: "string",
303
- description: "Action\u663E\u793A\u540D\u79F0"
304
- },
305
- allowConfigureFields: {
306
- type: "boolean",
307
- description: "\u662F\u5426\u5141\u8BB8\u914D\u7F6E\u5B57\u6BB5"
308
- },
309
- onNewRecord: {
310
- type: "string",
311
- description: "\u662F\u5426\u662F\u65B0\u8BB0\u5F55\u7684Action"
312
- },
313
- type: {
314
- type: "string",
315
- description: "new-data \u6216\u8005 old-data"
316
- },
317
- aliases: {
318
- type: "array",
319
- items: {
320
- type: "string"
321
- },
322
- description: "\u522B\u540D"
323
- }
324
- }
325
- }
767
+ items: { $ref: "#/components/schemas/AvailableAction" }
326
768
  }
327
769
  }
328
770
  }
@@ -332,72 +774,436 @@ var swagger_default = {
332
774
  }
333
775
  },
334
776
  components: {
777
+ parameters: {
778
+ RoleNameQuery: {
779
+ name: "filterByTk",
780
+ in: "query",
781
+ description: "Role name.",
782
+ required: true,
783
+ schema: { type: "string" }
784
+ },
785
+ RoleNamePath: {
786
+ name: "roleName",
787
+ in: "path",
788
+ description: "Role name.",
789
+ required: true,
790
+ schema: { type: "string" }
791
+ },
792
+ UserIdPath: {
793
+ name: "userId",
794
+ in: "path",
795
+ description: "User primary key.",
796
+ required: true,
797
+ schema: {
798
+ anyOf: [{ type: "string" }, { type: "integer" }]
799
+ }
800
+ },
801
+ DataSourceKeyPath: {
802
+ name: "dataSourceKey",
803
+ in: "path",
804
+ description: "Data source key, for example `main`.",
805
+ required: true,
806
+ schema: { type: "string" }
807
+ },
808
+ DataSourceKeyQuery: {
809
+ name: "dataSourceKey",
810
+ in: "query",
811
+ description: "Data source key, for example `main`.",
812
+ schema: { type: "string" }
813
+ },
814
+ MembershipUserFilterByTkQuery: {
815
+ name: "filterByTk",
816
+ in: "query",
817
+ description: "User primary key, or a list of user primary keys.",
818
+ required: true,
819
+ schema: {
820
+ anyOf: [
821
+ { type: "string" },
822
+ { type: "integer" },
823
+ {
824
+ type: "array",
825
+ items: {
826
+ anyOf: [{ type: "string" }, { type: "integer" }]
827
+ }
828
+ }
829
+ ]
830
+ }
831
+ },
832
+ MembershipRoleFilterByTkQuery: {
833
+ name: "filterByTk",
834
+ in: "query",
835
+ description: "Role name, or a list of role names.",
836
+ required: true,
837
+ schema: {
838
+ anyOf: [
839
+ { type: "string" },
840
+ {
841
+ type: "array",
842
+ items: {
843
+ type: "string"
844
+ }
845
+ }
846
+ ]
847
+ }
848
+ },
849
+ ResourceNameQuery: {
850
+ name: "filterByTk",
851
+ in: "query",
852
+ description: "Resource name, typically the collection name.",
853
+ required: true,
854
+ schema: { type: "string" }
855
+ },
856
+ DataSourceResourceNameQuery: {
857
+ name: "name",
858
+ in: "query",
859
+ description: "Resource name, typically the collection name.",
860
+ schema: { type: "string" }
861
+ },
862
+ ScopePkQuery: {
863
+ name: "filterByTk",
864
+ in: "query",
865
+ description: "Scope primary key.",
866
+ schema: { type: "integer" }
867
+ },
868
+ ResourcePermissionTkQuery: {
869
+ name: "filterByTk",
870
+ in: "query",
871
+ description: "Resource permission record primary key.",
872
+ schema: { type: "integer" }
873
+ },
874
+ PageQuery: {
875
+ name: "page",
876
+ in: "query",
877
+ schema: { type: "integer" }
878
+ },
879
+ PageSizeQuery: {
880
+ name: "pageSize",
881
+ in: "query",
882
+ schema: { type: "integer" }
883
+ },
884
+ FilterQuery: {
885
+ name: "filter",
886
+ in: "query",
887
+ schema: {
888
+ type: "object",
889
+ additionalProperties: true
890
+ }
891
+ },
892
+ AppendsQuery: {
893
+ name: "appends",
894
+ in: "query",
895
+ schema: {
896
+ type: "array",
897
+ items: { type: "string" }
898
+ }
899
+ }
900
+ },
335
901
  schemas: {
336
- role: {
902
+ RoleStrategy: {
903
+ type: "object",
904
+ description: "Global action strategy for a role.",
905
+ properties: {
906
+ actions: {
907
+ type: "array",
908
+ items: { type: "string" },
909
+ description: "Action names such as `create`, `view`, `update`, `destroy`, or scoped variants like `view:own`."
910
+ }
911
+ },
912
+ additionalProperties: true
913
+ },
914
+ RoleWrite: {
915
+ type: "object",
916
+ properties: {
917
+ title: { type: "string", description: "Role title." },
918
+ name: { type: "string", description: "Role identifier." },
919
+ description: { type: "string", description: "Role description." },
920
+ hidden: { type: "boolean", description: "Whether the role is hidden." },
921
+ default: { type: "boolean", description: "Whether the role is default for new users." },
922
+ allowConfigure: { type: "boolean", description: "Whether the role can be configured." },
923
+ allowNewMenu: { type: "boolean", description: "Whether the role can create menus." },
924
+ snippets: {
925
+ type: "array",
926
+ items: { type: "string" },
927
+ description: "System permission snippets, for example `ui.*`, `!pm`, or `!app`."
928
+ },
929
+ strategy: {
930
+ allOf: [{ $ref: "#/components/schemas/RoleStrategy" }],
931
+ description: "Role-level ACL strategy."
932
+ }
933
+ },
934
+ additionalProperties: true
935
+ },
936
+ Role: {
937
+ allOf: [{ $ref: "#/components/schemas/RoleWrite" }],
938
+ properties: {
939
+ createdAt: { type: "string", format: "date-time" },
940
+ updatedAt: { type: "string", format: "date-time" }
941
+ }
942
+ },
943
+ RoleCheck: {
337
944
  type: "object",
338
945
  properties: {
339
- title: {
946
+ role: { type: "string", description: "Current effective role name." },
947
+ roleMode: {
340
948
  type: "string",
341
- description: "\u89D2\u8272\u540D\u79F0"
949
+ enum: ["default", "allow-use-union", "only-use-union"],
950
+ description: "System role mode."
342
951
  },
952
+ availableActions: {
953
+ type: "array",
954
+ items: { type: "string" }
955
+ },
956
+ actions: {
957
+ type: "object",
958
+ additionalProperties: true,
959
+ description: "Resolved ACL action map for the current role context."
960
+ }
961
+ },
962
+ additionalProperties: true
963
+ },
964
+ RoleModeWrite: {
965
+ type: "object",
966
+ properties: {
967
+ roleMode: {
968
+ type: "string",
969
+ enum: ["default", "allow-use-union", "only-use-union"]
970
+ }
971
+ },
972
+ required: ["roleMode"]
973
+ },
974
+ RoleDataPermissionActionWrite: {
975
+ type: "object",
976
+ properties: {
343
977
  name: {
344
978
  type: "string",
345
- description: "\u89D2\u8272\u6807\u8BC6"
979
+ description: "ACL action name, such as `view`, `create`, `update`, or `destroy`."
346
980
  },
347
- description: {
348
- type: "string",
349
- description: "\u89D2\u8272\u63CF\u8FF0"
981
+ fields: {
982
+ type: "array",
983
+ items: { type: "string" },
984
+ description: "Optional allowed field list for field-configurable actions."
350
985
  },
351
- hidden: {
352
- type: "boolean",
353
- description: "\u662F\u5426\u9690\u85CF"
986
+ scopeId: {
987
+ type: "integer",
988
+ nullable: true,
989
+ description: "Optional scope id. Use `null` to clear the scope binding."
354
990
  },
355
- default: {
356
- type: "boolean",
357
- description: "\u662F\u5426\u9ED8\u8BA4"
991
+ scopeKey: {
992
+ type: "string",
993
+ description: "Optional built-in/custom scope key. When provided, server resolves it to `scopeId`."
358
994
  },
359
- allowConfigure: {
360
- type: "boolean",
361
- description: "\u662F\u5426\u5141\u8BB8\u914D\u7F6E"
995
+ scope: {
996
+ type: "object",
997
+ properties: {
998
+ id: { type: "integer" },
999
+ key: { type: "string" }
1000
+ },
1001
+ additionalProperties: true,
1002
+ description: "Optional compatibility payload from existing role-resource readback."
1003
+ }
1004
+ },
1005
+ required: ["name"],
1006
+ additionalProperties: true
1007
+ },
1008
+ RoleDataPermissionResourceWrite: {
1009
+ type: "object",
1010
+ properties: {
1011
+ name: {
1012
+ type: "string",
1013
+ description: "Collection name."
362
1014
  },
363
- allowNewMenu: {
1015
+ usingActionsConfig: {
364
1016
  type: "boolean",
365
- description: "\u662F\u5426\u5141\u8BB8\u65B0\u5EFA\u83DC\u5355"
1017
+ description: "Whether the collection uses independent action config."
366
1018
  },
367
- snippets: {
1019
+ actions: {
368
1020
  type: "array",
369
- items: {
370
- type: "string"
371
- },
372
- description: "\u63A5\u53E3\u6743\u9650"
1021
+ items: { $ref: "#/components/schemas/RoleDataPermissionActionWrite" },
1022
+ description: "Independent action config list for the collection."
1023
+ }
1024
+ },
1025
+ required: ["name"],
1026
+ additionalProperties: true
1027
+ },
1028
+ RoleDataPermissionsApplyWrite: {
1029
+ type: "object",
1030
+ properties: {
1031
+ dataSourceKey: {
1032
+ type: "string",
1033
+ description: "Data source key, default is `main` when omitted."
373
1034
  },
374
- strategy: {
1035
+ resources: {
375
1036
  type: "array",
376
- description: "\u6570\u636E\u8868\u6743\u9650\u7B56\u7565",
377
- items: {
378
- type: "object",
379
- properties: {
380
- actions: {
381
- type: "array",
382
- items: {
383
- type: "string"
384
- },
385
- description: "\u64CD\u4F5C"
386
- }
387
- }
388
- }
1037
+ items: { $ref: "#/components/schemas/RoleDataPermissionResourceWrite" },
1038
+ description: "Collection-level independent permission payloads to apply in batch."
1039
+ }
1040
+ },
1041
+ required: ["resources"],
1042
+ additionalProperties: true
1043
+ },
1044
+ RoleDataPermissionsApplyResult: {
1045
+ type: "object",
1046
+ properties: {
1047
+ roleName: { type: "string" },
1048
+ dataSourceKey: { type: "string" },
1049
+ count: { type: "integer" },
1050
+ resources: {
1051
+ type: "array",
1052
+ items: { $ref: "#/components/schemas/RoleDataSourceResource" }
1053
+ }
1054
+ },
1055
+ additionalProperties: true
1056
+ },
1057
+ DataSourceRole: {
1058
+ type: "object",
1059
+ properties: {
1060
+ id: { type: "string", description: "Optional existing role-data-source permission record id." },
1061
+ roleName: { type: "string", description: "Role name." },
1062
+ dataSourceKey: { type: "string", description: "Data source key, usually `main`." },
1063
+ strategy: {
1064
+ allOf: [{ $ref: "#/components/schemas/RoleStrategy" }],
1065
+ description: "Global table actions for this role in the data source."
1066
+ }
1067
+ },
1068
+ additionalProperties: true
1069
+ },
1070
+ RoleCollectionPermissionRow: {
1071
+ type: "object",
1072
+ properties: {
1073
+ type: { type: "string", description: "Resource type, usually `collection`." },
1074
+ name: { type: "string", description: "Collection name." },
1075
+ collectionName: { type: "string", description: "Collection name." },
1076
+ title: { type: "string", description: "Collection title." },
1077
+ roleName: { type: "string", description: "Role name." },
1078
+ usingConfig: {
1079
+ type: "string",
1080
+ enum: ["resourceAction", "strategy"],
1081
+ description: "`strategy` means the collection uses global permissions. `resourceAction` means it has collection-level independent permissions."
389
1082
  },
390
- createdAt: {
1083
+ exists: { type: "boolean", description: "Whether a dedicated resource config exists." }
1084
+ }
1085
+ },
1086
+ RoleResourceScope: {
1087
+ type: "object",
1088
+ properties: {
1089
+ id: { type: "integer", description: "Scope primary key." },
1090
+ key: { type: "string", description: "Scope key such as `all` or `own`." },
1091
+ dataSourceKey: {
391
1092
  type: "string",
392
- format: "date-time",
393
- description: "\u521B\u5EFA\u65F6\u95F4"
1093
+ nullable: true,
1094
+ description: "Optional data source key, for example `main`."
1095
+ },
1096
+ name: { type: "string", description: "Scope display name." },
1097
+ resourceName: { type: "string", nullable: true, description: "Optional resource binding." },
1098
+ scope: {
1099
+ type: "object",
1100
+ additionalProperties: true,
1101
+ description: "JSON filter object used as the ACL scope condition."
1102
+ }
1103
+ },
1104
+ additionalProperties: true
1105
+ },
1106
+ RoleResourceScopeWrite: {
1107
+ type: "object",
1108
+ properties: {
1109
+ id: { type: "integer", description: "Optional scope primary key, commonly present in update payloads." },
1110
+ dataSourceKey: { type: "string", nullable: true, description: "Optional data source key." },
1111
+ resourceName: { type: "string", nullable: true, description: "Optional bound resource name." },
1112
+ name: { type: "string", description: "Scope display name." },
1113
+ scope: {
1114
+ type: "object",
1115
+ additionalProperties: true,
1116
+ description: "Row filter JSON."
1117
+ }
1118
+ },
1119
+ required: ["name", "scope"],
1120
+ additionalProperties: true
1121
+ },
1122
+ RoleResourceAction: {
1123
+ type: "object",
1124
+ properties: {
1125
+ id: {
1126
+ type: "integer",
1127
+ description: "Optional action record id, commonly present in update payloads."
394
1128
  },
395
- updatedAt: {
1129
+ name: {
396
1130
  type: "string",
397
- format: "date-time",
398
- description: "\u66F4\u65B0\u65F6\u95F4"
1131
+ description: "ACL action name, for example `view`, `create`, `update`, `destroy`, or a scoped variant."
1132
+ },
1133
+ fields: {
1134
+ type: "array",
1135
+ items: { type: "string" },
1136
+ description: "Allowed field names for this action when field-level configuration is supported."
1137
+ },
1138
+ scopeId: {
1139
+ type: "integer",
1140
+ nullable: true,
1141
+ description: "Optional bound scope id. Use `null` to clear the scope."
1142
+ },
1143
+ scope: {
1144
+ allOf: [{ $ref: "#/components/schemas/RoleResourceScope" }],
1145
+ nullable: true,
1146
+ description: "Optional row-permission scope for this action."
1147
+ }
1148
+ },
1149
+ required: ["name"],
1150
+ additionalProperties: true
1151
+ },
1152
+ RoleDataSourceResourceWrite: {
1153
+ type: "object",
1154
+ description: "Collection-level independent permission config inside a data source.",
1155
+ properties: {
1156
+ id: {
1157
+ type: "integer",
1158
+ description: "Optional resource permission record id, commonly present in update payloads."
1159
+ },
1160
+ name: { type: "string", description: "Resource name, typically the collection name." },
1161
+ dataSourceKey: { type: "string", description: "Data source key, usually `main`." },
1162
+ roleName: { type: "string", description: "Optional role name echoed by the client in update payloads." },
1163
+ usingActionsConfig: {
1164
+ type: "boolean",
1165
+ description: "Whether this collection uses independent actions instead of only the global strategy."
1166
+ },
1167
+ actions: {
1168
+ type: "array",
1169
+ items: { $ref: "#/components/schemas/RoleResourceAction" },
1170
+ description: "Independent action configs for this collection."
399
1171
  }
1172
+ },
1173
+ required: ["name", "dataSourceKey"],
1174
+ additionalProperties: true
1175
+ },
1176
+ RoleDataSourceResource: {
1177
+ allOf: [{ $ref: "#/components/schemas/RoleDataSourceResourceWrite" }],
1178
+ properties: {
1179
+ id: { type: "integer" },
1180
+ roleName: { type: "string" }
400
1181
  }
1182
+ },
1183
+ AvailableAction: {
1184
+ type: "object",
1185
+ properties: {
1186
+ name: { type: "string", description: "Action name." },
1187
+ displayName: { type: "string", description: "Localized display name." },
1188
+ allowConfigureFields: {
1189
+ type: "boolean",
1190
+ description: "Whether field-level permission config is supported for this action."
1191
+ },
1192
+ onNewRecord: {
1193
+ type: "boolean",
1194
+ description: "Whether the action applies to new records instead of existing records."
1195
+ },
1196
+ type: {
1197
+ type: "string",
1198
+ description: "Action category such as `new-data` or `old-data`."
1199
+ },
1200
+ aliases: {
1201
+ type: "array",
1202
+ items: { type: "string" },
1203
+ description: "Action aliases resolved by ACL."
1204
+ }
1205
+ },
1206
+ additionalProperties: true
401
1207
  }
402
1208
  }
403
1209
  }