@nocobase/plugin-acl 2.1.0-beta.9 → 2.2.0-alpha.1

package/dist/server/actions/data-source-compat.js

@@ -0,0 +1,189 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var data_source_compat_exports = {};
+__export(data_source_compat_exports, {
+  guardRolesDataSourceResourcesCreate: () => guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet: () => guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate: () => guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList: () => guardRolesDataSourcesCollectionsList
+});
+module.exports = __toCommonJS(data_source_compat_exports);
+var import_lodash = __toESM(require("lodash"));
+function normalizeString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : void 0;
+}
+function normalizeFilter(input) {
+  if (!import_lodash.default.isPlainObject(input)) {
+    return {};
+  }
+  return { ...input };
+}
+function applyLocatorFromQuery(params, filter) {
+  const dataSourceKeyFromQuery = normalizeString(params.dataSourceKey);
+  if (dataSourceKeyFromQuery) {
+    filter.dataSourceKey = filter.dataSourceKey || dataSourceKeyFromQuery;
+  }
+  const nameFromQuery = normalizeString(params.name);
+  if (nameFromQuery) {
+    filter.name = filter.name || nameFromQuery;
+  }
+}
+function normalizeNumericTk(value) {
+  if (typeof value === "number" && Number.isInteger(value) && value >= 0) {
+    return value;
+  }
+  const normalized = normalizeString(value);
+  if (!normalized || !/^\d+$/.test(normalized)) {
+    return void 0;
+  }
+  return normalized;
+}
+function deriveNameFromPrefixedTk(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return void 0;
+  }
+  const matched = normalized.match(/^[a-zA-Z]+_(.+)$/);
+  if (!matched) {
+    return void 0;
+  }
+  return normalizeString(matched[1]);
+}
+async function resolveLocatorFromFilterByTk(ctx, roleName, filter) {
+  const rawFilterByTk = ctx.action.params.filterByTk;
+  if (rawFilterByTk === void 0 || rawFilterByTk === null || rawFilterByTk === "") {
+    return;
+  }
+  const numericFilterByTk = normalizeNumericTk(rawFilterByTk);
+  if (numericFilterByTk === void 0) {
+    if (!normalizeString(filter.name)) {
+      const derivedName = deriveNameFromPrefixedTk(rawFilterByTk);
+      if (derivedName) {
+        filter.name = derivedName;
+      }
+    }
+    return;
+  }
+  const resource = await ctx.db.getRepository("dataSourcesRolesResources").findOne({
+    filterByTk: numericFilterByTk
+  });
+  if (!resource) {
+    ctx.throw(404, `Resource permission not found by filterByTk "${rawFilterByTk}"`);
+    return;
+  }
+  const targetRoleName = resource.get("roleName");
+  if (targetRoleName !== roleName) {
+    ctx.throw(400, `Resource permission "${rawFilterByTk}" does not belong to role "${roleName}"`);
+    return;
+  }
+  if (!normalizeString(filter.dataSourceKey)) {
+    filter.dataSourceKey = resource.get("dataSourceKey");
+  }
+  if (!normalizeString(filter.name)) {
+    filter.name = resource.get("name");
+  }
+}
+async function normalizeRoleDataSourceResourceLocator(ctx) {
+  const roleName = normalizeString(ctx.action.params.associatedIndex);
+  if (!roleName) {
+    ctx.throw(400, "Role name is required");
+    return;
+  }
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  await resolveLocatorFromFilterByTk(ctx, roleName, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  const name = normalizeString(filter.name);
+  if (!dataSourceKey || !name) {
+    ctx.throw(
+      400,
+      "Missing resource locator: provide --filter-by-tk, or both --data-source-key and --name (or filter.{dataSourceKey,name})"
+    );
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey,
+    name
+  };
+}
+async function guardRolesDataSourcesCollectionsList(ctx, next) {
+  const filter = normalizeFilter(ctx.action.params.filter);
+  applyLocatorFromQuery(ctx.action.params, filter);
+  const dataSourceKey = normalizeString(filter.dataSourceKey);
+  if (!dataSourceKey) {
+    ctx.throw(400, "dataSourceKey is required: pass --data-source-key or filter.dataSourceKey");
+    return;
+  }
+  ctx.action.params.filter = {
+    ...filter,
+    dataSourceKey
+  };
+  await next();
+}
+async function guardRolesDataSourceResourcesCreate(ctx, next) {
+  const values = normalizeFilter(ctx.action.params.values);
+  const dataSourceKeyFromQuery = normalizeString(ctx.action.params.dataSourceKey);
+  if (!values.dataSourceKey && dataSourceKeyFromQuery) {
+    values.dataSourceKey = dataSourceKeyFromQuery;
+  }
+  if (!normalizeString(values.dataSourceKey)) {
+    ctx.throw(400, "dataSourceKey is required for roles.dataSourceResources:create");
+    return;
+  }
+  ctx.action.params.values = values;
+  await next();
+}
+async function guardRolesDataSourceResourcesGet(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+async function guardRolesDataSourceResourcesUpdate(ctx, next) {
+  await normalizeRoleDataSourceResourceLocator(ctx);
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  guardRolesDataSourceResourcesCreate,
+  guardRolesDataSourceResourcesGet,
+  guardRolesDataSourceResourcesUpdate,
+  guardRolesDataSourcesCollectionsList
+});

package/dist/server/collections/roles-users.js

@@ -32,6 +32,7 @@ module.exports = __toCommonJS(roles_users_exports);
 var import_database = require("@nocobase/database");
 var roles_users_default = (0, import_database.defineCollection)({
   name: "rolesUsers",
+  dataCategory: "business",
   description: "User's roles",
   dumpRules: {
     group: "user"

package/dist/server/collections/roles.js

@@ -36,6 +36,7 @@ var roles_default = (0, import_database.defineCollection)({
   description: "Role data",
   migrationRules: ["overwrite", "schema-only"],
   name: "roles",
+  dataCategory: "system",
   title: '{{t("Roles")}}',
   autoGenId: false,
   model: "RoleModel",

package/dist/server/collections/rolesResources.js

@@ -33,6 +33,7 @@ var import_database = require("@nocobase/database");
 var rolesResources_default = (0, import_database.defineCollection)({
   dumpRules: "required",
   name: "rolesResources",
+  dataCategory: "system",
   migrationRules: ["overwrite", "schema-only"],
   model: "RoleResourceModel",
   indexes: [

package/dist/server/collections/rolesResourcesActions.js

@@ -33,6 +33,7 @@ var import_database = require("@nocobase/database");
 var rolesResourcesActions_default = (0, import_database.defineCollection)({
   dumpRules: "required",
   name: "rolesResourcesActions",
+  dataCategory: "system",
   migrationRules: ["overwrite", "schema-only"],
   model: "RoleResourceActionModel",
   fields: [

package/dist/server/collections/rolesResourcesScopes.js

@@ -33,6 +33,7 @@ var import_database = require("@nocobase/database");
 var rolesResourcesScopes_default = (0, import_database.defineCollection)({
   dumpRules: "required",
   name: "rolesResourcesScopes",
+  dataCategory: "system",
   migrationRules: ["overwrite", "schema-only"],
   fields: [
     {

package/dist/server/index.d.ts

@@ -8,6 +8,9 @@
  */
 export * from './middlewares/setCurrentRole';
 export * from './middlewares/with-acl-meta';
+export * from './middlewares/check-association-operate';
+export * from './middlewares/check-change-with-association';
+export * from './query/apply-query-permission';
 export { RoleResourceActionModel } from './model/RoleResourceActionModel';
 export { RoleResourceModel } from './model/RoleResourceModel';
 export * from './constants';

package/dist/server/index.js

@@ -44,6 +44,9 @@ __export(server_exports, {
 module.exports = __toCommonJS(server_exports);
 __reExport(server_exports, require("./middlewares/setCurrentRole"), module.exports);
 __reExport(server_exports, require("./middlewares/with-acl-meta"), module.exports);
+__reExport(server_exports, require("./middlewares/check-association-operate"), module.exports);
+__reExport(server_exports, require("./middlewares/check-change-with-association"), module.exports);
+__reExport(server_exports, require("./query/apply-query-permission"), module.exports);
 var import_RoleResourceActionModel = require("./model/RoleResourceActionModel");
 var import_RoleResourceModel = require("./model/RoleResourceModel");
 __reExport(server_exports, require("./constants"), module.exports);
@@ -55,6 +58,9 @@ var import_server = __toESM(require("./server"));
   RoleResourceModel,
   ...require("./middlewares/setCurrentRole"),
   ...require("./middlewares/with-acl-meta"),
+  ...require("./middlewares/check-association-operate"),
+  ...require("./middlewares/check-change-with-association"),
+  ...require("./query/apply-query-permission"),
   ...require("./constants"),
   ...require("./enum")
 });

package/dist/server/middlewares/check-association-operate.js

@@ -31,16 +31,19 @@ __export(check_association_operate_exports, {
 module.exports = __toCommonJS(check_association_operate_exports);
 var import_acl = require("@nocobase/acl");
 async function checkAssociationOperate(ctx, next) {
-  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k;
   const { actionName, resourceName, sourceId } = ctx.action;
   if (!(resourceName.includes(".") && ["add", "set", "remove", "toggle"].includes(actionName))) {
     return next();
   }
+  if ((_a = ctx.permission) == null ? void 0 : _a.skip) {
+    return next();
+  }
   const acl = ctx.acl;
   const roles = ctx.state.currentRoles;
   for (const role of roles) {
     const aclRole = acl.getRole(role);
-    if (aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
+    if (aclRole == null ? void 0 : aclRole.snippetAllowed(`${resourceName}:${actionName}`)) {
       return next();
     }
   }
@@ -54,20 +57,20 @@ async function checkAssociationOperate(ctx, next) {
     ctx.throw(403, "No permissions");
   }
   const params = result.params || ctx.acl.fixedParamsManager.getParams(resourceName, actionName);
-  if (params.whitelist && !((_a = params.whitelist) == null ? void 0 : _a.includes(association))) {
+  if (params.whitelist && !((_b = params.whitelist) == null ? void 0 : _b.includes(association))) {
     ctx.throw(403, "No permissions");
   }
   if (params.filter) {
     try {
-      const timezone = ((_c = (_b = ctx.request) == null ? void 0 : _b.get) == null ? void 0 : _c.call(_b, "x-timezone")) ?? ((_e = (_d = ctx.request) == null ? void 0 : _d.header) == null ? void 0 : _e["x-timezone"]) ?? ((_g = (_f = ctx.req) == null ? void 0 : _f.headers) == null ? void 0 : _g["x-timezone"]);
-      const collection = (_i = (_h = ctx.database) == null ? void 0 : _h.getCollection) == null ? void 0 : _i.call(_h, resource);
+      const timezone = ((_d = (_c = ctx.request) == null ? void 0 : _c.get) == null ? void 0 : _d.call(_c, "x-timezone")) ?? ((_f = (_e = ctx.request) == null ? void 0 : _e.header) == null ? void 0 : _f["x-timezone"]) ?? ((_h = (_g = ctx.req) == null ? void 0 : _g.headers) == null ? void 0 : _h["x-timezone"]);
+      const collection = (_j = (_i = ctx.database) == null ? void 0 : _i.getCollection) == null ? void 0 : _j.call(_i, resource);
       (0, import_acl.checkFilterParams)(collection, params.filter);
       const parsedFilter = await (0, import_acl.parseJsonTemplate)(params.filter, {
         state: ctx.state,
         timezone,
         userProvider: (0, import_acl.createUserProvider)({
           db: ctx.db,
-          currentUser: (_j = ctx.state) == null ? void 0 : _j.currentUser
+          currentUser: (_k = ctx.state) == null ? void 0 : _k.currentUser
         })
       });
       const repo = ctx.database.getRepository(resource);

package/dist/server/middlewares/check-change-with-association.d.ts

@@ -23,6 +23,7 @@ export type SanitizeAssociationValuesOptions = {
     collection?: Collection;
     db?: any;
     database?: any;
+    state?: Record<string, any>;
     timezone?: string;
     userProvider?: UserProvider;
 };

package/dist/server/middlewares/check-change-with-association.js

@@ -67,6 +67,7 @@ async function sanitizeAssociationValues(options) {
     timezone: options.timezone,
     userProvider: options.userProvider,
     state: {
+      ...options.state || {},
       currentRole: options.currentRole,
       currentRoles: options.roles,
       currentUser: options.currentUser
@@ -122,6 +123,7 @@ const checkChangesWithAssociation = async (ctx, next) => {
     roles,
     currentRole: ctx.state.currentRole,
     currentUser: ctx.state.currentUser,
+    state: import_lodash.default.clone(ctx.state),
     aclParams: (_k = (_j = ctx.permission) == null ? void 0 : _j.can) == null ? void 0 : _k.params,
     timezone,
     userProvider: (0, import_acl.createUserProvider)({
@@ -271,7 +273,7 @@ function normalizeAssociationValue(value, recordKey) {
   }
   if (Array.isArray(value)) {
     const result = value.map((v) => typeof v === "number" || typeof v === "string" ? v : v[recordKey]).filter((v) => v !== null && v !== void 0);
-    return result.length > 0 ? result : void 0;
+    return result;
   }
   return typeof value === "number" || typeof value === "string" ? value : value[recordKey];
 }

package/dist/server/middlewares/check-query-permission.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Next } from '@nocobase/actions';
+export declare function checkQueryPermission(ctx: any, next: Next): Promise<void>;

package/dist/server/middlewares/check-query-permission.js

@@ -0,0 +1,64 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var check_query_permission_exports = {};
+__export(check_query_permission_exports, {
+  checkQueryPermission: () => checkQueryPermission
+});
+module.exports = __toCommonJS(check_query_permission_exports);
+var import_acl = require("@nocobase/acl");
+var import_apply_query_permission = require("../query/apply-query-permission");
+async function checkQueryPermission(ctx, next) {
+  var _a, _b, _c, _d;
+  const query = { ...ctx.action.params.values };
+  try {
+    const result = await (0, import_apply_query_permission.applyQueryPermission)({
+      acl: ctx.acl,
+      db: ctx.database,
+      resourceName: ctx.action.resourceName,
+      query,
+      currentUser: (_a = ctx.state) == null ? void 0 : _a.currentUser,
+      currentRole: (_b = ctx.state) == null ? void 0 : _b.currentRole,
+      currentRoles: (_c = ctx.state) == null ? void 0 : _c.currentRoles,
+      timezone: (_d = ctx.get) == null ? void 0 : _d.call(ctx, "x-timezone"),
+      state: ctx.state
+    });
+    ctx.action.params = {
+      ...ctx.action.params,
+      values: result.query
+    };
+  } catch (error) {
+    if (error instanceof import_acl.NoPermissionError) {
+      ctx.throw(403, "No permissions");
+    }
+    throw error;
+  }
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkQueryPermission
+});

package/dist/server/middlewares/setCurrentRole.js

@@ -43,7 +43,7 @@ var import_constants = require("../constants");
 var import_enum = require("../enum");
 var import_lodash = __toESM(require("lodash"));
 async function setCurrentRole(ctx, next) {
-  var _a, _b, _c;
+  var _a, _b;
   let currentRole = ctx.get("X-Role");
   if (currentRole === "anonymous") {
     ctx.state.currentRole = currentRole;
@@ -114,7 +114,7 @@ async function setCurrentRole(ctx, next) {
     role = (defaultRoleModel == null ? void 0 : defaultRoleModel.roleName) || ((_b = userRoles[0]) == null ? void 0 : _b.name);
   }
   ctx.state.currentRole = role;
-  ctx.state.currentRoles = role === import_constants.UNION_ROLE_KEY ? [(_c = userRoles[0]) == null ? void 0 : _c.name] : [role];
+  ctx.state.currentRoles = role === import_constants.UNION_ROLE_KEY ? userRoles.map((role2) => role2.name) : [role];
   if (!ctx.state.currentRoles.length) {
     return ctx.throw(401, {
       code: "ROLE_NOT_FOUND_ERR",

package/dist/server/middlewares/with-acl-meta.js

@@ -52,7 +52,7 @@ function createWithACLMetaMiddleware() {
     const dataSourceKey = ctx.get("x-data-source");
     const dataSource = ctx.app.dataSourceManager.dataSources.get(dataSourceKey);
     const db = dataSource ? dataSource.collectionManager.db : ctx.db;
-    if (!db) {
+    if (!db || db.isDBInstance === false) {
       return;
     }
     const acl = dataSource ? dataSource.acl : ctx.app.acl;

package/dist/server/query/apply-query-permission.d.ts

@@ -0,0 +1,27 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ACL } from '@nocobase/acl';
+import type { QueryOptions } from '@nocobase/database';
+import { Database } from '@nocobase/database';
+export type QueryPermissionQuery = QueryOptions & Record<string, any>;
+export type ApplyQueryPermissionOptions = {
+    acl: ACL;
+    db: Database;
+    resourceName: string;
+    query: QueryPermissionQuery;
+    currentUser?: any;
+    currentRole?: string;
+    currentRoles?: string[];
+    timezone?: string;
+    state?: any;
+};
+export declare function applyQueryPermission(options: ApplyQueryPermissionOptions): Promise<{
+    permission: import("@nocobase/acl").CanResult;
+    query: QueryPermissionQuery;
+}>;