@nocobase/plugin-acl 2.1.0-beta.15 → 2.1.0-beta.17

package/dist/server/actions/apply-data-permissions.js

@@ -0,0 +1,208 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var apply_data_permissions_exports = {};
+__export(apply_data_permissions_exports, {
+  applyDataPermissions: () => applyDataPermissions
+});
+module.exports = __toCommonJS(apply_data_permissions_exports);
+function ensureString(value, fieldName) {
+  if (typeof value !== "string" || !value.trim()) {
+    throw new Error(`Invalid ${fieldName}`);
+  }
+  return value.trim();
+}
+function normalizeFields(fields) {
+  if (!Array.isArray(fields)) {
+    return void 0;
+  }
+  const normalized = [
+    ...new Set(fields.filter((field) => typeof field === "string" && !!field.trim()))
+  ];
+  return normalized.length ? normalized : [];
+}
+function normalizeScopeId(scopeId) {
+  if (scopeId === null) {
+    return null;
+  }
+  if (scopeId === void 0) {
+    return void 0;
+  }
+  const parsed = Number(scopeId);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw new Error(`Invalid scopeId: ${scopeId}`);
+  }
+  return parsed;
+}
+async function resolveScopeIdByKey(options) {
+  const scope = await options.ctx.db.getRepository("dataSourcesRolesResourcesScopes").findOne({
+    filter: {
+      dataSourceKey: options.dataSourceKey,
+      key: options.scopeKey
+    },
+    transaction: options.transaction
+  });
+  if (!scope) {
+    throw new Error(`Scope key "${options.scopeKey}" not found in data source "${options.dataSourceKey}"`);
+  }
+  return scope.get("id");
+}
+async function normalizeAction(options) {
+  const name = ensureString(options.action.name, "action.name");
+  let scopeId = normalizeScopeId(options.action.scopeId);
+  if (scopeId === void 0 && options.action.scope && typeof options.action.scope.id === "number") {
+    scopeId = normalizeScopeId(options.action.scope.id);
+  }
+  let scopeKey;
+  if (typeof options.action.scopeKey === "string" && options.action.scopeKey.trim()) {
+    scopeKey = options.action.scopeKey.trim();
+  } else if (options.action.scope && typeof options.action.scope.key === "string" && options.action.scope.key.trim()) {
+    scopeKey = options.action.scope.key.trim();
+  }
+  if (scopeId === void 0 && scopeKey) {
+    scopeId = await resolveScopeIdByKey({
+      ctx: options.ctx,
+      dataSourceKey: options.dataSourceKey,
+      scopeKey,
+      transaction: options.transaction
+    });
+  }
+  if (scopeId === void 0) {
+    scopeId = null;
+  }
+  const normalized = {
+    name,
+    fields: normalizeFields(options.action.fields),
+    scopeId
+  };
+  const output = {
+    name: normalized.name
+  };
+  if (normalized.fields !== void 0) {
+    output.fields = normalized.fields;
+  }
+  if (normalized.scopeId !== void 0) {
+    output.scopeId = normalized.scopeId;
+  }
+  return output;
+}
+async function applyDataPermissions(ctx, next) {
+  const roleName = ensureString(ctx.action.params.filterByTk, "filterByTk");
+  const values = ctx.action.params.values || {};
+  const dataSourceKey = ensureString(values.dataSourceKey || "main", "dataSourceKey");
+  const resources = values.resources;
+  if (!Array.isArray(resources) || resources.length === 0) {
+    throw new Error("`resources` must be a non-empty array");
+  }
+  const role = await ctx.db.getRepository("roles").findOne({
+    filterByTk: roleName
+  });
+  if (!role) {
+    throw new Error(`Role "${roleName}" not found`);
+  }
+  const roleResourceRepository = ctx.db.getRepository("roles.resources", roleName);
+  const appliedResources = [];
+  await ctx.db.sequelize.transaction(async (transaction) => {
+    for (const resourceInput of resources) {
+      const resourceName = ensureString(resourceInput == null ? void 0 : resourceInput.name, "resource.name");
+      const usingActionsConfig = (resourceInput == null ? void 0 : resourceInput.usingActionsConfig) ?? true;
+      const actionsInput = Array.isArray(resourceInput == null ? void 0 : resourceInput.actions) ? resourceInput.actions : [];
+      const normalizedActions = [];
+      for (const action of actionsInput) {
+        normalizedActions.push(
+          await normalizeAction({
+            ctx,
+            dataSourceKey,
+            action,
+            transaction
+          })
+        );
+      }
+      const existingResource = await roleResourceRepository.findOne({
+        filter: {
+          name: resourceName,
+          dataSourceKey
+        },
+        appends: ["actions"],
+        transaction
+      });
+      const writeValues = {
+        name: resourceName,
+        dataSourceKey,
+        usingActionsConfig,
+        actions: normalizedActions
+      };
+      let savedResource;
+      if (existingResource) {
+        await roleResourceRepository.update({
+          filterByTk: existingResource.get("id"),
+          values: writeValues,
+          updateAssociationValues: ["actions"],
+          transaction
+        });
+        savedResource = await roleResourceRepository.findOne({
+          filterByTk: existingResource.get("id"),
+          appends: ["actions"],
+          transaction
+        });
+      } else {
+        const created = await roleResourceRepository.create({
+          values: writeValues,
+          transaction
+        });
+        savedResource = await roleResourceRepository.findOne({
+          filterByTk: created.get("id"),
+          appends: ["actions"],
+          transaction
+        });
+      }
+      const actionModels = savedResource.get("actions") || [];
+      appliedResources.push({
+        id: savedResource.get("id"),
+        name: savedResource.get("name"),
+        dataSourceKey: savedResource.get("dataSourceKey"),
+        usingActionsConfig: !!savedResource.get("usingActionsConfig"),
+        actions: actionModels.map((actionModel) => ({
+          id: actionModel.get("id"),
+          name: actionModel.get("name"),
+          fields: actionModel.get("fields") || [],
+          scopeId: actionModel.get("scopeId") ?? null
+        }))
+      });
+    }
+  });
+  ctx.body = {
+    roleName,
+    dataSourceKey,
+    resources: appliedResources,
+    count: appliedResources.length
+  };
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  applyDataPermissions
+});

package/dist/server/actions/data-source-compat.d.ts

@@ -0,0 +1,13 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Context, Next } from '@nocobase/actions';
+export declare function guardRolesDataSourcesCollectionsList(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesCreate(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesGet(ctx: Context, next: Next): Promise<void>;
+export declare function guardRolesDataSourceResourcesUpdate(ctx: Context, next: Next): Promise<void>;

package/dist/server/actions/data-source-compat.js

@@ -0,0 +1,189 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var data_source_compat_exports = {};
+__export(data_source_compat_exports, {
+  guardRolesDataSourceResourcesCreate: () => guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet: () => guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate: () => guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList: () => guardRolesDataSourcesCollectionsList
+});
+module.exports = __toCommonJS(data_source_compat_exports);
+var import_lodash = __toESM(require("lodash"));
+function normalizeString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : void 0;
+}
+function normalizeFilter(input) {
+  if (!import_lodash.default.isPlainObject(input)) {
+    return {};
+  }
+  return { ...input };
+}
+function applyLocatorFromQuery(params, filter) {
+  const dataSourceKeyFromQuery = normalizeString(params.dataSourceKey);
+  if (dataSourceKeyFromQuery) {
+    filter.dataSourceKey = filter.dataSourceKey || dataSourceKeyFromQuery;
+  }
+  const nameFromQuery = normalizeString(params.name);
+  if (nameFromQuery) {
+    filter.name = filter.name || nameFromQuery;
+  }
+}
+function normalizeNumericTk(value) {
+  if (typeof value === "number" && Number.isInteger(value) && value >= 0) {
+    return value;
+  }
+  const normalized = normalizeString(value);
+  if (!normalized || !/^\d+$/.test(normalized)) {
+    return void 0;
+  }
+  return normalized;
+}
+function deriveNameFromPrefixedTk(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return void 0;
+  }
+  const matched = normalized.match(/^[a-zA-Z]+_(.+)$/);
+  if (!matched) {
+    return void 0;
+  }
+  return normalizeString(matched[1]);
+}
+async function resolveLocatorFromFilterByTk(ctx, roleName, filter) {
+  const rawFilterByTk = ctx.action.params.filterByTk;
+  if (rawFilterByTk === void 0 || rawFilterByTk === null || rawFilterByTk === "") {
+    return;
+  }
+  const numericFilterByTk = normalizeNumericTk(rawFilterByTk);
+  if (numericFilterByTk === void 0) {
+    if (!normalizeString(filter.name)) {
+      const derivedName = deriveNameFromPrefixedTk(rawFilterByTk);
+      if (derivedName) {
+        filter.name = derivedName;
+      }
+    }
+    return;
+  }
+  const resource = await ctx.db.getRepository("dataSourcesRolesResources").findOne({
+    filterByTk: numericFilterByTk
+  });
+  if (!resource) {
+    ctx.throw(404, `Resource permission not found by filterByTk "${rawFilterByTk}"`);
+    return;
+  }
+  const targetRoleName = resource.get("roleName");
+  if (targetRoleName !== roleName) {
+    ctx.throw(400, `Resource permission "${rawFilterByTk}" does not belong to role "${roleName}"`);
+    return;
+  }
+  if (!normalizeString(filter.dataSourceKey)) {
+    filter.dataSourceKey = resource.get("dataSourceKey");
+  }
+  if (!normalizeString(filter.name)) {
+    filter.name = resource.get("name");
+  }
+}
+async function normalizeRoleDataSourceResourceLocator(ctx) {
+  const roleName = normalizeString(ctx.action.params.associatedIndex);
+  if (!roleName) {
+    ctx.throw(400, "Role name is required");
+    return;
+  }
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  await resolveLocatorFromFilterByTk(ctx, roleName, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  const name = normalizeString(filter.name);
+  if (!dataSourceKey || !name) {
+    ctx.throw(
+      400,
+      "Missing resource locator: provide --filter-by-tk, or both --data-source-key and --name (or filter.{dataSourceKey,name})"
+    );
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey,
+    name
+  };
+}
+async function guardRolesDataSourcesCollectionsList(ctx, next) {
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  if (!dataSourceKey) {
+    ctx.throw(400, "dataSourceKey is required: pass --data-source-key or filter.dataSourceKey");
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey
+  };
+  await next();
+}
+async function guardRolesDataSourceResourcesCreate(ctx, next) {
+  const values = normalizeFilter(ctx.action.params.values);
+  const dataSourceKeyFromQuery = normalizeString(ctx.action.params.dataSourceKey);
+  if (!values.dataSourceKey && dataSourceKeyFromQuery) {
+    values.dataSourceKey = dataSourceKeyFromQuery;
+  }
+  if (!normalizeString(values.dataSourceKey)) {
+    ctx.throw(400, "dataSourceKey is required for roles.dataSourceResources:create");
+    return;
+  }
+  ctx.action.params.values = values;
+  await next();
+}
+async function guardRolesDataSourceResourcesGet(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+async function guardRolesDataSourceResourcesUpdate(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList
+});

package/dist/server/index.d.ts

@@ -8,6 +8,7 @@
  */
 export * from './middlewares/setCurrentRole';
 export * from './middlewares/with-acl-meta';
+export * from './query/apply-query-permission';
 export { RoleResourceActionModel } from './model/RoleResourceActionModel';
 export { RoleResourceModel } from './model/RoleResourceModel';
 export * from './constants';

package/dist/server/index.js

@@ -44,6 +44,7 @@ __export(server_exports, {
 module.exports = __toCommonJS(server_exports);
 __reExport(server_exports, require("./middlewares/setCurrentRole"), module.exports);
 __reExport(server_exports, require("./middlewares/with-acl-meta"), module.exports);
+__reExport(server_exports, require("./query/apply-query-permission"), module.exports);
 var import_RoleResourceActionModel = require("./model/RoleResourceActionModel");
 var import_RoleResourceModel = require("./model/RoleResourceModel");
 __reExport(server_exports, require("./constants"), module.exports);
@@ -55,6 +56,7 @@ var import_server = __toESM(require("./server"));
   RoleResourceModel,
   ...require("./middlewares/setCurrentRole"),
   ...require("./middlewares/with-acl-meta"),
+  ...require("./query/apply-query-permission"),
   ...require("./constants"),
   ...require("./enum")
 });

package/dist/server/middlewares/check-query-permission.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Next } from '@nocobase/actions';
+export declare function checkQueryPermission(ctx: any, next: Next): Promise<void>;

package/dist/server/middlewares/check-query-permission.js

@@ -0,0 +1,64 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_query_permission_exports = {};
+__export(check_query_permission_exports, {
+  checkQueryPermission: () => checkQueryPermission
+});
+module.exports = __toCommonJS(check_query_permission_exports);
+var import_acl = require("@nocobase/acl");
+var import_apply_query_permission = require("../query/apply-query-permission");
+async function checkQueryPermission(ctx, next) {
+  var _a, _b, _c, _d;
+  const query = { ...ctx.action.params.values };
+  try {
+    const result = await (0, import_apply_query_permission.applyQueryPermission)({
+      acl: ctx.acl,
+      db: ctx.database,
+      resourceName: ctx.action.resourceName,
+      query,
+      currentUser: (_a = ctx.state) == null ? void 0 : _a.currentUser,
+      currentRole: (_b = ctx.state) == null ? void 0 : _b.currentRole,
+      currentRoles: (_c = ctx.state) == null ? void 0 : _c.currentRoles,
+      timezone: (_d = ctx.get) == null ? void 0 : _d.call(ctx, "x-timezone"),
+      state: ctx.state
+    });
+    ctx.action.params = {
+      ...ctx.action.params,
+      values: result.query
+    };
+  } catch (error) {
+    if (error instanceof import_acl.NoPermissionError) {
+      ctx.throw(403, "No permissions");
+    }
+    throw error;
+  }
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkQueryPermission
+});

package/dist/server/query/apply-query-permission.d.ts

@@ -0,0 +1,27 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ACL } from '@nocobase/acl';
+import type { QueryOptions } from '@nocobase/database';
+import { Database } from '@nocobase/database';
+export type QueryPermissionQuery = QueryOptions & Record<string, any>;
+export type ApplyQueryPermissionOptions = {
+    acl: ACL;
+    db: Database;
+    resourceName: string;
+    query: QueryPermissionQuery;
+    currentUser?: any;
+    currentRole?: string;
+    currentRoles?: string[];
+    timezone?: string;
+    state?: any;
+};
+export declare function applyQueryPermission(options: ApplyQueryPermissionOptions): Promise<{
+    permission: import("@nocobase/acl").CanResult;
+    query: QueryPermissionQuery;
+}>;