@nocobase/plugin-action-custom-request 2.1.0-alpha.1 → 2.1.0-alpha.10

package/dist/locale/en-US.json

@@ -5,22 +5,30 @@
   "Add request header": "Add request header",
   "Body": "Body",
   "Custom Request": "Custom Request",
+  "Custom request": "Custom request",
   "Enter description info": "Enter description info",
   "Format": "Format",
   "HTTP method": "HTTP method",
   "Headers": "Headers",
   "If not set, all roles can see this action": "If not set, all roles can see this action",
+  "If not set, all roles can access this request": "If not set, all roles can access this request",
   "Input request data": "Input request data",
   "Insert": "Insert",
+  "Key": "Key",
+  "Name": "Name",
   "Only support standard JSON data": "Only support standard JSON data",
   "Parameters": "Parameters",
   "Please configure the request settings first": "Please configure the request settings first",
   "Request settings": "Request settings",
+  "Response type": "Response type",
   "Roles": "Roles",
+  "Stream": "Stream",
   "Timeout config": "Timeout config",
   "Title": "Title",
   "URL": "URL",
   "Use variable": "Use variable",
+  "You do not have permission to access this custom request": "You do not have permission to access this custom request",
+  "Value": "Value",
   "When the HTTP method is Post, Put or Patch, and this custom request inside the form, the request body will be automatically filled in with the form data": "When the HTTP method is Post, Put or Patch, and this custom request inside the form, the request body will be automatically filled in with the form data",
   "ms": "ms"
-}
+}

package/dist/locale/zh-CN.json

@@ -5,22 +5,30 @@
   "Add request header": "添加请求头",
   "Body": "请求体",
   "Custom Request": "自定义请求",
+  "Custom request": "自定义请求",
   "Enter description info": "输入描述信息",
   "Format": "格式化",
   "HTTP method": "HTTP 方法",
   "Headers": "请求头",
   "If not set, all roles can see this action": "如果不设置，所有角色都可以看到这个自定义请求",
+  "If not set, all roles can access this request": "如果不设置，所有角色都可以访问此请求",
   "Input request data": "输入请求数据",
   "Insert": "插入",
+  "Key": "标识",
+  "Name": "名称",
   "Only support standard JSON data": "仅支持标准 JSON 数据",
   "Parameters": "参数",
   "Please configure the request settings first": "请先配置请求设置",
   "Request settings": "请求设置",
+  "Response type": "响应类型",
   "Roles": "角色",
+  "Stream": "流",
   "Timeout config": "超时设置",
   "Title": "标题",
   "URL": "URL",
   "Use variable": "使用变量",
+  "You do not have permission to access this custom request": "你没有权限访问此自定义请求",
+  "Value": "值",
   "When the HTTP method is Post, Put or Patch, and this custom request inside the form, the request body will be automatically filled in with the form data": "当请求方法为 Post、Put 或 Patch 时，且此自定义请求在表单内，请求体将自动填充表单数据",
   "ms": "毫秒"
-}
+}

package/dist/server/actions/send.js

@@ -43,6 +43,22 @@ module.exports = __toCommonJS(send_exports);
 var import_utils = require("@nocobase/utils");
 var import_evaluators = require("@nocobase/evaluators");
 var import_axios = __toESM(require("axios"));
+var import_set = __toESM(require("lodash/set"));
+const UnsafePathSegments = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+const hasUnsafePathSegment = (path) => {
+  return path.split(/[.[\]]+/).filter(Boolean).some((segment) => UnsafePathSegments.has(segment));
+};
+const applyVarsToVariables = (variables, vars) => {
+  if (!vars || typeof vars !== "object" || Array.isArray(vars)) {
+    return;
+  }
+  for (const [key, value] of Object.entries(vars)) {
+    if (!key || typeof key !== "string" || hasUnsafePathSegment(key)) {
+      continue;
+    }
+    (0, import_set.default)(variables, key, value);
+  }
+};
 function toJSON(value) {
   if (typeof value === "string") {
     try {
@@ -75,7 +91,7 @@ const omitNullAndUndefined = (obj) => {
     return acc;
   }, {});
 };
-const CurrentUserVariableRegExp = /{{\s*(currentUser[^}]+)\s*}}/g;
+const CurrentUserVariableRegExp = /{{\s*(?:ctx\.)?(currentUser[^}]+)\s*}}/g;
 const getCurrentUserAppends = (str, user) => {
   const matched = str.matchAll(CurrentUserVariableRegExp);
   return Array.from(matched).map((item) => {
@@ -104,18 +120,30 @@ async function send(ctx, next) {
       data: {}
     },
     $nForm,
-    $nSelectedRecord
+    $nSelectedRecord,
+    vars,
+    options: runtimeOptions
   } = values;
   if (ctx.state.currentRole !== "root") {
-    const crRepo = ctx.db.getRepository("uiButtonSchemasRoles");
-    const hasRoles = await crRepo.find({
+    const schemaRoleRepo = ctx.db.getRepository("uiButtonSchemasRoles");
+    const customRequestRoleRepo = ctx.db.getRepository("customRequestsRoles");
+    const schemaRoles = await schemaRoleRepo.find({
       filter: {
         uid: filterByTk
       }
     });
-    if (hasRoles.length) {
-      if (!hasRoles.some((item) => ctx.state.currentRoles.includes(item.roleName))) {
-        return ctx.throw(403, "custom request no permission");
+    const customRequestRoles = await customRequestRoleRepo.find({
+      filter: {
+        customRequestKey: filterByTk
+      }
+    });
+    const roleRows = [...schemaRoles, ...customRequestRoles];
+    if (roleRows.length) {
+      if (!roleRows.some((item) => ctx.state.currentRoles.includes(item.roleName))) {
+        return ctx.throw(
+          403,
+          ctx.t("You do not have permission to access this custom request", { ns: "action-custom-request" })
+        );
       }
     }
   }
@@ -129,15 +157,11 @@ async function send(ctx, next) {
     ctx.throw(404, "request config not found");
   }
   ctx.withoutDataWrapping = true;
-  const {
-    dataSourceKey,
-    collectionName,
-    url,
-    headers = [],
-    params = [],
-    data = {},
-    ...options
-  } = requestConfig.options || {};
+  const mergedOptions = {
+    ...requestConfig.options || {},
+    ...omitNullAndUndefined(runtimeOptions || {})
+  };
+  const { dataSourceKey, collectionName, url, headers = [], params = [], data = {}, ...options } = mergedOptions;
   if (!url) {
     return ctx.throw(400, ctx.t("Please configure the request settings first", { ns: "action-custom-request" }));
   }
@@ -174,6 +198,7 @@ async function send(ctx, next) {
     $env: ctx.app.environment.getVariables(),
     $nSelectedRecord
   };
+  applyVarsToVariables(variables, vars);
   const axiosRequestConfig = {
     baseURL: ctx.origin,
     ...options,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-action-custom-request",
-  "version": "2.1.0-alpha.1",
+  "version": "2.1.0-alpha.10",
   "main": "dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/action-custom-request",
   "homepage.ru-RU": "https://docs-ru.nocobase.com/handbook/action-custom-request",
@@ -11,7 +11,7 @@
   "description": "Sending a request to any HTTP service supports sending context data to the target service.",
   "description.ru-RU": "Отправка запроса к любому HTTP-сервису, поддерживается отправка контекстных данных в целевой сервис.",
   "description.zh-CN": "向任意 HTTP 服务发送请求，支持将上下文数据发送给目标服务。",
-  "license": "AGPL-3.0",
+  "license": "Apache-2.0",
   "devDependencies": {
     "@formily/react": "2.x",
     "@formily/shared": "2.x",
@@ -20,12 +20,18 @@
     "react-i18next": "^11.15.1",
     "react-router-dom": "6.x"
   },
+  "nocobase": {
+    "supportedVersions": [
+      "1.x"
+    ],
+    "editionLevel": 0
+  },
   "peerDependencies": {
     "@nocobase/client": "2.x",
     "@nocobase/server": "2.x",
     "@nocobase/test": "2.x"
   },
-  "gitHead": "d27baf21569643d6fa83f882233f4e90eb5b89f1",
+  "gitHead": "ce790d46c0a5768ca9618c7d0d77ab8300de75c8",
   "keywords": [
     "Actions"
   ]