@nocobase/plugin-acl 2.1.0-beta.2 → 2.1.0-beta.21

package/dist/server/middlewares/check-query-permission.js

@@ -0,0 +1,64 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_query_permission_exports = {};
+__export(check_query_permission_exports, {
+  checkQueryPermission: () => checkQueryPermission
+});
+module.exports = __toCommonJS(check_query_permission_exports);
+var import_acl = require("@nocobase/acl");
+var import_apply_query_permission = require("../query/apply-query-permission");
+async function checkQueryPermission(ctx, next) {
+  var _a, _b, _c, _d;
+  const query = { ...ctx.action.params.values };
+  try {
+    const result = await (0, import_apply_query_permission.applyQueryPermission)({
+      acl: ctx.acl,
+      db: ctx.database,
+      resourceName: ctx.action.resourceName,
+      query,
+      currentUser: (_a = ctx.state) == null ? void 0 : _a.currentUser,
+      currentRole: (_b = ctx.state) == null ? void 0 : _b.currentRole,
+      currentRoles: (_c = ctx.state) == null ? void 0 : _c.currentRoles,
+      timezone: (_d = ctx.get) == null ? void 0 : _d.call(ctx, "x-timezone"),
+      state: ctx.state
+    });
+    ctx.action.params = {
+      ...ctx.action.params,
+      values: result.query
+    };
+  } catch (error) {
+    if (error instanceof import_acl.NoPermissionError) {
+      ctx.throw(403, "No permissions");
+    }
+    throw error;
+  }
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkQueryPermission
+});

package/dist/server/middlewares/with-acl-meta.js

@@ -71,7 +71,11 @@ function createWithACLMetaMiddleware() {
     if (collection.isMultiFilterTargetKey()) {
       return;
     }
-    const primaryKeyField = Model.primaryKeyField || Model.primaryKeyAttribute;
+    const filterTargetKey = collection.filterTargetKey;
+    if (!filterTargetKey || typeof filterTargetKey !== "string") {
+      return;
+    }
+    const primaryKeyField = filterTargetKey;
     let listData;
     if ((_a = ctx.body) == null ? void 0 : _a.data) {
       listData = ctx.data;
@@ -90,7 +94,8 @@ function createWithACLMetaMiddleware() {
     const actionsParams = [];
     for (const action of inspectActions) {
       const actionCtx = {
-        db,
+        db: ctx.db,
+        database: db,
         get: () => {
           return void 0;
         },

package/dist/server/migrations/20251119225252-update-member-default-permission.js

@@ -33,7 +33,7 @@ var import_server = require("@nocobase/server");
 class update_member_default_permission_default extends import_server.Migration {
   on = "afterLoad";
   // 'beforeLoad' or 'afterLoad'
-  appVersion = "<2.0.0";
+  appVersion = "<2.1.0";
   async up() {
     const repo = this.db.getRepository("roles");
     const role = await repo.findOne({

package/dist/server/query/apply-query-permission.d.ts

@@ -0,0 +1,27 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ACL } from '@nocobase/acl';
+import type { QueryOptions } from '@nocobase/database';
+import { Database } from '@nocobase/database';
+export type QueryPermissionQuery = QueryOptions & Record<string, any>;
+export type ApplyQueryPermissionOptions = {
+    acl: ACL;
+    db: Database;
+    resourceName: string;
+    query: QueryPermissionQuery;
+    currentUser?: any;
+    currentRole?: string;
+    currentRoles?: string[];
+    timezone?: string;
+    state?: any;
+};
+export declare function applyQueryPermission(options: ApplyQueryPermissionOptions): Promise<{
+    permission: import("@nocobase/acl").CanResult;
+    query: QueryPermissionQuery;
+}>;

package/dist/server/query/apply-query-permission.js

@@ -0,0 +1,242 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var apply_query_permission_exports = {};
+__export(apply_query_permission_exports, {
+  applyQueryPermission: () => applyQueryPermission
+});
+module.exports = __toCommonJS(apply_query_permission_exports);
+var import_acl = require("@nocobase/acl");
+var import_utils = require("@nocobase/utils");
+function normalizeFieldPath(field) {
+  if (!field) {
+    return null;
+  }
+  const parts = Array.isArray(field) ? field : field.split(".");
+  const normalized = parts.filter(Boolean);
+  return normalized.length ? normalized : null;
+}
+function stringifyFieldPath(field) {
+  const path = normalizeFieldPath(field);
+  if (!path) {
+    return null;
+  }
+  return path.join(".");
+}
+function resolveQueryFieldKey(resourceName, field) {
+  const path = normalizeFieldPath(field);
+  if (!path) {
+    return null;
+  }
+  if (path.length === 1) {
+    return `${resourceName}.${path[0]}`;
+  }
+  return path.join(".");
+}
+function pruneEmptyArray(items) {
+  return items && items.length > 0 ? items : void 0;
+}
+function getRoleNames(options) {
+  var _a;
+  if ((_a = options.currentRoles) == null ? void 0 : _a.length) {
+    return options.currentRoles;
+  }
+  if (options.currentRole) {
+    return [options.currentRole];
+  }
+  return ["anonymous"];
+}
+function getSelectableFields(permission) {
+  var _a, _b;
+  const fields = (_a = permission == null ? void 0 : permission.params) == null ? void 0 : _a.fields;
+  const appends = (_b = permission == null ? void 0 : permission.params) == null ? void 0 : _b.appends;
+  if (fields === void 0 && appends === void 0) {
+    return null;
+  }
+  return Array.from(/* @__PURE__ */ new Set([...fields || [], ...appends || []]));
+}
+function isAllowedFieldPath(acl, db, roles, rootCollectionName, field) {
+  var _a;
+  const fieldPath = normalizeFieldPath(field);
+  if (!fieldPath) {
+    return false;
+  }
+  let collectionName = rootCollectionName;
+  let permission = acl.can({
+    roles,
+    resource: collectionName,
+    action: "view"
+  });
+  if (!permission) {
+    return false;
+  }
+  for (let index = 0; index < fieldPath.length; index++) {
+    const fieldName = fieldPath[index];
+    const field2 = (_a = db.getCollection(collectionName)) == null ? void 0 : _a.getField(fieldName);
+    if (!field2) {
+      return false;
+    }
+    const selectableFields = getSelectableFields(permission);
+    if (selectableFields && !selectableFields.includes(fieldName)) {
+      return false;
+    }
+    if (index === fieldPath.length - 1) {
+      return true;
+    }
+    if (!field2.target) {
+      return false;
+    }
+    collectionName = field2.target;
+    permission = acl.can({
+      roles,
+      resource: collectionName,
+      action: "view"
+    });
+    if (!permission) {
+      return false;
+    }
+  }
+  return true;
+}
+function pruneSelections(items, acl, db, roles, resourceName) {
+  return pruneEmptyArray((items || []).filter((item) => isAllowedFieldPath(acl, db, roles, resourceName, item.field)));
+}
+function getAvailableSelectionKeys(resourceName, query) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const item of [...query.measures || [], ...query.dimensions || []]) {
+    if (item.alias) {
+      keys.add(item.alias);
+    }
+    const fieldPathKey = stringifyFieldPath(item.field);
+    if (fieldPathKey) {
+      keys.add(fieldPathKey);
+    }
+    const qualifiedFieldKey = resolveQueryFieldKey(resourceName, item.field);
+    if (qualifiedFieldKey) {
+      keys.add(qualifiedFieldKey);
+    }
+  }
+  return keys;
+}
+function pruneOrders(items, acl, db, roles, resourceName, availableSelectionKeys) {
+  return pruneEmptyArray(
+    (items || []).filter((item) => {
+      if (isAllowedFieldPath(acl, db, roles, resourceName, item.field)) {
+        return true;
+      }
+      const fieldKey = stringifyFieldPath(item.field);
+      return !!fieldKey && availableSelectionKeys.has(fieldKey);
+    })
+  );
+}
+function pruneHavingNode(node, availableKeys) {
+  if (!(0, import_utils.isPlainObject)(node)) {
+    return void 0;
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(node)) {
+    if ((key === "$and" || key === "$or") && Array.isArray(value)) {
+      const items = value.map((item) => pruneHavingNode(item, availableKeys)).filter((item) => item !== void 0);
+      if (items.length > 0) {
+        result[key] = items;
+      }
+      continue;
+    }
+    if (!availableKeys.has(key)) {
+      continue;
+    }
+    result[key] = value;
+  }
+  return Object.keys(result).length ? result : void 0;
+}
+async function getParsedPermissionFilter(options, permission) {
+  var _a;
+  const filterParams = (_a = permission == null ? void 0 : permission.params) == null ? void 0 : _a.filter;
+  if (!filterParams) {
+    return void 0;
+  }
+  (0, import_acl.checkFilterParams)(options.db.getCollection(options.resourceName), filterParams);
+  return await (0, import_acl.parseJsonTemplate)(filterParams, {
+    state: options.state,
+    timezone: options.timezone,
+    userProvider: (0, import_acl.createUserProvider)({
+      db: options.db,
+      currentUser: options.currentUser
+    })
+  }) ?? filterParams;
+}
+async function applyQueryPermission(options) {
+  var _a, _b, _c, _d, _e, _f;
+  const { acl, db, resourceName, query: sourceQuery, currentUser, state, timezone } = options;
+  const roles = getRoleNames(options);
+  const rootPermission = acl.can({
+    roles,
+    resource: resourceName,
+    action: "view"
+  });
+  if (!rootPermission) {
+    throw new import_acl.NoPermissionError(`No permission for resource: ${resourceName}`);
+  }
+  const query = {
+    ...sourceQuery,
+    measures: pruneSelections(sourceQuery.measures, acl, db, roles, resourceName),
+    dimensions: pruneSelections(sourceQuery.dimensions, acl, db, roles, resourceName)
+  };
+  const availableSelectionKeys = getAvailableSelectionKeys(resourceName, query);
+  query.orders = pruneOrders(sourceQuery.orders, acl, db, roles, resourceName, availableSelectionKeys);
+  query.having = pruneHavingNode(query.having, availableSelectionKeys);
+  const aclFilter = await getParsedPermissionFilter(
+    {
+      ...options,
+      acl,
+      db,
+      resourceName,
+      query,
+      currentUser,
+      state,
+      timezone
+    },
+    rootPermission
+  );
+  if (aclFilter) {
+    query.filter = (0, import_utils.assign)(query.filter || {}, aclFilter, {
+      filter: "andMerge"
+    });
+  }
+  const hasSelection = (((_a = options.query.measures) == null ? void 0 : _a.length) || 0) > 0 || (((_b = options.query.dimensions) == null ? void 0 : _b.length) || 0) > 0 || (((_c = options.query.orders) == null ? void 0 : _c.length) || 0) > 0;
+  const hasRemainingSelection = (((_d = query.measures) == null ? void 0 : _d.length) || 0) > 0 || (((_e = query.dimensions) == null ? void 0 : _e.length) || 0) > 0 || (((_f = query.orders) == null ? void 0 : _f.length) || 0) > 0;
+  if (hasSelection && !hasRemainingSelection) {
+    throw new import_acl.NoPermissionError(`No permission for query fields: ${options.resourceName}`);
+  }
+  return {
+    permission: rootPermission,
+    query
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  applyQueryPermission
+});

package/dist/server/server.d.ts

@@ -11,8 +11,13 @@ import { Plugin } from '@nocobase/server';
 import { RoleModel } from './model/RoleModel';
 import { RoleResourceActionModel } from './model/RoleResourceActionModel';
 import { RoleResourceModel } from './model/RoleResourceModel';
+import { SanitizeAssociationValuesOptions } from './middlewares/check-change-with-association';
+import type { ACL } from '@nocobase/acl';
 export declare class PluginACLServer extends Plugin {
-    get acl(): import("@nocobase/acl").ACL;
+    get acl(): ACL;
+    sanitizeAssociationValues(options: SanitizeAssociationValuesOptions & {
+        acl?: ACL;
+    }): Promise<any>;
     writeResourceToACL(resourceModel: RoleResourceModel, transaction: Transaction): Promise<void>;
     writeActionToACL(actionModel: RoleResourceActionModel, transaction: Transaction): Promise<void>;
     handleSyncMessage(message: any): Promise<void>;

package/dist/server/server.js

@@ -46,6 +46,8 @@ var import_server = require("@nocobase/server");
 var import_lodash = __toESM(require("lodash"));
 var import_path = require("path");
 var import_available_actions = require("./actions/available-actions");
+var import_apply_data_permissions = require("./actions/apply-data-permissions");
+var import_data_source_compat = require("./actions/data-source-compat");
 var import_role_check = require("./actions/role-check");
 var import_role_collections = require("./actions/role-collections");
 var import_user_setDefaultRole = require("./actions/user-setDefaultRole");
@@ -57,10 +59,17 @@ var import_RoleResourceModel = require("./model/RoleResourceModel");
 var import_union_role = require("./actions/union-role");
 var import_check_association_operate = require("./middlewares/check-association-operate");
 var import_check_change_with_association = require("./middlewares/check-change-with-association");
+var import_check_query_permission = require("./middlewares/check-query-permission");
 class PluginACLServer extends import_server.Plugin {
   get acl() {
     return this.app.acl;
   }
+  async sanitizeAssociationValues(options) {
+    return (0, import_check_change_with_association.sanitizeAssociationValues)({
+      ...options,
+      acl: options.acl ?? this.acl
+    });
+  }
   async writeResourceToACL(resourceModel, transaction) {
     await resourceModel.writeToACL({
       acl: this.acl,
@@ -174,7 +183,21 @@ class PluginACLServer extends import_server.Plugin {
     this.app.resourcer.define(import_available_actions.availableActionResource);
     this.app.resourcer.define(import_role_collections.roleCollectionsResource);
     this.app.resourcer.registerActionHandler("roles:setSystemRoleMode", import_union_role.setSystemRoleMode);
+    this.app.resourcer.registerActionHandler("roles:applyDataPermissions", import_apply_data_permissions.applyDataPermissions);
     this.app.resourcer.registerActionHandler("roles:check", import_role_check.checkAction);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourcesCollections:list",
+      import_data_source_compat.guardRolesDataSourcesCollectionsList
+    );
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:create",
+      import_data_source_compat.guardRolesDataSourceResourcesCreate
+    );
+    this.app.resourcer.registerPreActionHandler("roles.dataSourceResources:get", import_data_source_compat.guardRolesDataSourceResourcesGet);
+    this.app.resourcer.registerPreActionHandler(
+      "roles.dataSourceResources:update",
+      import_data_source_compat.guardRolesDataSourceResourcesUpdate
+    );
     this.app.resourcer.registerActionHandler(`users:setDefaultRole`, import_user_setDefaultRole.setDefaultRole);
     this.db.on("users.afterCreateWithAssociations", async (model, options) => {
       const { transaction } = options;
@@ -505,7 +528,6 @@ class PluginACLServer extends import_server.Plugin {
       }
       return next();
     });
-    const parseJsonTemplate = this.app.acl.parseJsonTemplate;
     this.app.acl.beforeGrantAction(async (ctx) => {
       const actionName = this.app.acl.resolveActionAlias(ctx.actionName);
       if (import_lodash.default.isPlainObject(ctx.params)) {
@@ -578,6 +600,7 @@ class PluginACLServer extends import_server.Plugin {
         before: "core"
       });
       if (dataSource.options.acl !== false && dataSource.options.useACL !== false) {
+        dataSource.resourceManager.registerPreActionHandler("query", import_check_query_permission.checkQueryPermission);
         dataSource.resourceManager.registerPreActionHandler("create", import_check_change_with_association.checkChangesWithAssociation);
         dataSource.resourceManager.registerPreActionHandler("firstOrCreate", import_check_change_with_association.checkChangesWithAssociation);
         dataSource.resourceManager.registerPreActionHandler("updateOrCreate", import_check_change_with_association.checkChangesWithAssociation);