@objectstack/platform-objects 4.0.5 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/apps/index.d.mts +16 -48
- package/dist/apps/index.d.ts +16 -48
- package/dist/apps/index.js +139 -217
- package/dist/apps/index.js.map +1 -1
- package/dist/apps/index.mjs +140 -212
- package/dist/apps/index.mjs.map +1 -1
- package/dist/audit/index.d.mts +38990 -51
- package/dist/audit/index.d.ts +38990 -51
- package/dist/audit/index.js +1428 -0
- package/dist/audit/index.js.map +1 -1
- package/dist/audit/index.mjs +1417 -1
- package/dist/audit/index.mjs.map +1 -1
- package/dist/identity/index.d.mts +14869 -2802
- package/dist/identity/index.d.ts +14869 -2802
- package/dist/identity/index.js +1090 -6
- package/dist/identity/index.js.map +1 -1
- package/dist/identity/index.mjs +1089 -7
- package/dist/identity/index.mjs.map +1 -1
- package/dist/index.d.mts +8 -7
- package/dist/index.d.ts +8 -7
- package/dist/index.js +3652 -1482
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +3633 -1465
- package/dist/index.mjs.map +1 -1
- package/dist/integration/index.d.mts +2905 -0
- package/dist/integration/index.d.ts +2905 -0
- package/dist/integration/index.js +140 -0
- package/dist/integration/index.js.map +1 -0
- package/dist/integration/index.mjs +138 -0
- package/dist/integration/index.mjs.map +1 -0
- package/dist/metadata/index.d.mts +577 -21181
- package/dist/metadata/index.d.ts +577 -21181
- package/dist/metadata/index.js +29 -619
- package/dist/metadata/index.js.map +1 -1
- package/dist/metadata/index.mjs +30 -615
- package/dist/metadata/index.mjs.map +1 -1
- package/dist/security/index.d.mts +7278 -46
- package/dist/security/index.d.ts +7278 -46
- package/dist/security/index.js +540 -0
- package/dist/security/index.js.map +1 -1
- package/dist/security/index.mjs +539 -1
- package/dist/security/index.mjs.map +1 -1
- package/dist/system/index.d.mts +8409 -0
- package/dist/system/index.d.ts +8409 -0
- package/dist/system/index.js +395 -0
- package/dist/system/index.js.map +1 -0
- package/dist/system/index.mjs +391 -0
- package/dist/system/index.mjs.map +1 -0
- package/package.json +13 -8
- package/dist/tenant/index.d.mts +0 -18464
- package/dist/tenant/index.d.ts +0 -18464
- package/dist/tenant/index.js +0 -741
- package/dist/tenant/index.js.map +0 -1
- package/dist/tenant/index.mjs +0 -733
- package/dist/tenant/index.mjs.map +0 -1
- /package/dist/{state-machine.zod-BFg-VE0M.d-Ek3_yo9P.d.mts → state-machine.zod-BNanU03M.d-Ek3_yo9P.d.mts} +0 -0
- /package/dist/{state-machine.zod-BFg-VE0M.d-Ek3_yo9P.d.ts → state-machine.zod-BNanU03M.d-Ek3_yo9P.d.ts} +0 -0
package/dist/security/index.mjs
CHANGED
|
@@ -8,10 +8,52 @@ var SysRole = ObjectSchema.create({
|
|
|
8
8
|
pluralLabel: "Roles",
|
|
9
9
|
icon: "shield",
|
|
10
10
|
isSystem: true,
|
|
11
|
+
managedBy: "config",
|
|
11
12
|
description: "Role definitions for RBAC access control",
|
|
12
13
|
displayNameField: "label",
|
|
13
14
|
titleFormat: "{label}",
|
|
14
15
|
compactLayout: ["label", "name", "active", "is_default"],
|
|
16
|
+
listViews: {
|
|
17
|
+
active: {
|
|
18
|
+
type: "grid",
|
|
19
|
+
name: "active",
|
|
20
|
+
label: "Active",
|
|
21
|
+
data: { provider: "object", object: "sys_role" },
|
|
22
|
+
columns: ["label", "name", "is_default", "updated_at"],
|
|
23
|
+
filter: [{ field: "active", operator: "equals", value: true }],
|
|
24
|
+
sort: [{ field: "label", order: "asc" }],
|
|
25
|
+
pagination: { pageSize: 50 }
|
|
26
|
+
},
|
|
27
|
+
default_roles: {
|
|
28
|
+
type: "grid",
|
|
29
|
+
name: "default_roles",
|
|
30
|
+
label: "Default",
|
|
31
|
+
data: { provider: "object", object: "sys_role" },
|
|
32
|
+
columns: ["label", "name", "description", "active"],
|
|
33
|
+
filter: [{ field: "is_default", operator: "equals", value: true }],
|
|
34
|
+
sort: [{ field: "label", order: "asc" }],
|
|
35
|
+
pagination: { pageSize: 50 }
|
|
36
|
+
},
|
|
37
|
+
custom: {
|
|
38
|
+
type: "grid",
|
|
39
|
+
name: "custom",
|
|
40
|
+
label: "Custom",
|
|
41
|
+
data: { provider: "object", object: "sys_role" },
|
|
42
|
+
columns: ["label", "name", "active", "updated_at"],
|
|
43
|
+
filter: [{ field: "is_default", operator: "equals", value: false }],
|
|
44
|
+
sort: [{ field: "label", order: "asc" }],
|
|
45
|
+
pagination: { pageSize: 50 }
|
|
46
|
+
},
|
|
47
|
+
all_roles: {
|
|
48
|
+
type: "grid",
|
|
49
|
+
name: "all_roles",
|
|
50
|
+
label: "All",
|
|
51
|
+
data: { provider: "object", object: "sys_role" },
|
|
52
|
+
columns: ["label", "name", "active", "is_default", "updated_at"],
|
|
53
|
+
sort: [{ field: "label", order: "asc" }],
|
|
54
|
+
pagination: { pageSize: 50 }
|
|
55
|
+
}
|
|
56
|
+
},
|
|
15
57
|
fields: {
|
|
16
58
|
// ── Identity ─────────────────────────────────────────────────
|
|
17
59
|
label: Field.text({
|
|
@@ -92,10 +134,42 @@ var SysPermissionSet = ObjectSchema.create({
|
|
|
92
134
|
pluralLabel: "Permission Sets",
|
|
93
135
|
icon: "lock",
|
|
94
136
|
isSystem: true,
|
|
137
|
+
managedBy: "config",
|
|
95
138
|
description: "Named permission groupings for fine-grained access control",
|
|
96
139
|
displayNameField: "label",
|
|
97
140
|
titleFormat: "{label}",
|
|
98
141
|
compactLayout: ["label", "name", "active"],
|
|
142
|
+
listViews: {
|
|
143
|
+
active: {
|
|
144
|
+
type: "grid",
|
|
145
|
+
name: "active",
|
|
146
|
+
label: "Active",
|
|
147
|
+
data: { provider: "object", object: "sys_permission_set" },
|
|
148
|
+
columns: ["label", "name", "description", "updated_at"],
|
|
149
|
+
filter: [{ field: "active", operator: "equals", value: true }],
|
|
150
|
+
sort: [{ field: "label", order: "asc" }],
|
|
151
|
+
pagination: { pageSize: 50 }
|
|
152
|
+
},
|
|
153
|
+
inactive: {
|
|
154
|
+
type: "grid",
|
|
155
|
+
name: "inactive",
|
|
156
|
+
label: "Inactive",
|
|
157
|
+
data: { provider: "object", object: "sys_permission_set" },
|
|
158
|
+
columns: ["label", "name", "updated_at"],
|
|
159
|
+
filter: [{ field: "active", operator: "equals", value: false }],
|
|
160
|
+
sort: [{ field: "label", order: "asc" }],
|
|
161
|
+
pagination: { pageSize: 50 }
|
|
162
|
+
},
|
|
163
|
+
all_permsets: {
|
|
164
|
+
type: "grid",
|
|
165
|
+
name: "all_permsets",
|
|
166
|
+
label: "All",
|
|
167
|
+
data: { provider: "object", object: "sys_permission_set" },
|
|
168
|
+
columns: ["label", "name", "active", "updated_at"],
|
|
169
|
+
sort: [{ field: "label", order: "asc" }],
|
|
170
|
+
pagination: { pageSize: 50 }
|
|
171
|
+
}
|
|
172
|
+
},
|
|
99
173
|
fields: {
|
|
100
174
|
// ── Identity ─────────────────────────────────────────────────
|
|
101
175
|
label: Field.text({
|
|
@@ -176,6 +250,7 @@ var SysUserPermissionSet = ObjectSchema.create({
|
|
|
176
250
|
pluralLabel: "User Permission Sets",
|
|
177
251
|
icon: "user-check",
|
|
178
252
|
isSystem: true,
|
|
253
|
+
managedBy: "system",
|
|
179
254
|
description: "Direct assignment of a permission set to a user (optionally scoped to an organization).",
|
|
180
255
|
titleFormat: "{user_id} \u2192 {permission_set_id}",
|
|
181
256
|
compactLayout: ["user_id", "permission_set_id", "organization_id"],
|
|
@@ -238,6 +313,7 @@ var SysRolePermissionSet = ObjectSchema.create({
|
|
|
238
313
|
pluralLabel: "Role Permission Sets",
|
|
239
314
|
icon: "shield-plus",
|
|
240
315
|
isSystem: true,
|
|
316
|
+
managedBy: "system",
|
|
241
317
|
description: "Binds a permission set to a role.",
|
|
242
318
|
titleFormat: "{role_id} \u2192 {permission_set_id}",
|
|
243
319
|
compactLayout: ["role_id", "permission_set_id"],
|
|
@@ -283,6 +359,337 @@ var SysRolePermissionSet = ObjectSchema.create({
|
|
|
283
359
|
mru: false
|
|
284
360
|
}
|
|
285
361
|
});
|
|
362
|
+
var SysRecordShare = ObjectSchema.create({
|
|
363
|
+
name: "sys_record_share",
|
|
364
|
+
label: "Record Share",
|
|
365
|
+
pluralLabel: "Record Shares",
|
|
366
|
+
icon: "share",
|
|
367
|
+
isSystem: true,
|
|
368
|
+
managedBy: "system",
|
|
369
|
+
description: "Per-record sharing grant \u2014 extends OWD with explicit access",
|
|
370
|
+
titleFormat: "{object_name}/{record_id} \u2192 {recipient_id} ({access_level})",
|
|
371
|
+
compactLayout: ["object_name", "record_id", "recipient_id", "access_level", "source"],
|
|
372
|
+
listViews: {
|
|
373
|
+
granted_to_me: {
|
|
374
|
+
type: "grid",
|
|
375
|
+
name: "granted_to_me",
|
|
376
|
+
label: "Granted to Me",
|
|
377
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
378
|
+
columns: ["object_name", "record_id", "access_level", "source", "granted_by", "created_at"],
|
|
379
|
+
filter: [
|
|
380
|
+
{ field: "recipient_type", operator: "equals", value: "user" },
|
|
381
|
+
{ field: "recipient_id", operator: "equals", value: "{current_user_id}" }
|
|
382
|
+
],
|
|
383
|
+
sort: [{ field: "created_at", order: "desc" }],
|
|
384
|
+
pagination: { pageSize: 50 }
|
|
385
|
+
},
|
|
386
|
+
granted_by_me: {
|
|
387
|
+
type: "grid",
|
|
388
|
+
name: "granted_by_me",
|
|
389
|
+
label: "Granted by Me",
|
|
390
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
391
|
+
columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
|
|
392
|
+
filter: [
|
|
393
|
+
{ field: "granted_by", operator: "equals", value: "{current_user_id}" }
|
|
394
|
+
],
|
|
395
|
+
sort: [{ field: "created_at", order: "desc" }],
|
|
396
|
+
pagination: { pageSize: 50 }
|
|
397
|
+
},
|
|
398
|
+
by_object: {
|
|
399
|
+
type: "grid",
|
|
400
|
+
name: "by_object",
|
|
401
|
+
label: "By Object",
|
|
402
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
403
|
+
columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
|
|
404
|
+
sort: [{ field: "object_name", order: "asc" }, { field: "created_at", order: "desc" }],
|
|
405
|
+
grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
|
|
406
|
+
pagination: { pageSize: 100 }
|
|
407
|
+
},
|
|
408
|
+
manual_grants: {
|
|
409
|
+
type: "grid",
|
|
410
|
+
name: "manual_grants",
|
|
411
|
+
label: "Manual Grants",
|
|
412
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
413
|
+
columns: ["object_name", "record_id", "recipient_id", "access_level", "granted_by", "reason", "created_at"],
|
|
414
|
+
filter: [{ field: "source", operator: "equals", value: "manual" }],
|
|
415
|
+
sort: [{ field: "created_at", order: "desc" }],
|
|
416
|
+
pagination: { pageSize: 50 }
|
|
417
|
+
},
|
|
418
|
+
rule_grants: {
|
|
419
|
+
type: "grid",
|
|
420
|
+
name: "rule_grants",
|
|
421
|
+
label: "Rule Grants",
|
|
422
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
423
|
+
columns: ["object_name", "record_id", "recipient_id", "access_level", "source_id", "created_at"],
|
|
424
|
+
filter: [{ field: "source", operator: "in", value: ["rule", "team", "inherited"] }],
|
|
425
|
+
sort: [{ field: "source_id", order: "asc" }, { field: "created_at", order: "desc" }],
|
|
426
|
+
pagination: { pageSize: 50 }
|
|
427
|
+
},
|
|
428
|
+
all_shares: {
|
|
429
|
+
type: "grid",
|
|
430
|
+
name: "all_shares",
|
|
431
|
+
label: "All",
|
|
432
|
+
data: { provider: "object", object: "sys_record_share" },
|
|
433
|
+
columns: ["object_name", "record_id", "recipient_type", "recipient_id", "access_level", "source", "created_at"],
|
|
434
|
+
sort: [{ field: "created_at", order: "desc" }],
|
|
435
|
+
pagination: { pageSize: 100 }
|
|
436
|
+
}
|
|
437
|
+
},
|
|
438
|
+
fields: {
|
|
439
|
+
id: Field.text({
|
|
440
|
+
label: "Share ID",
|
|
441
|
+
required: true,
|
|
442
|
+
readonly: true,
|
|
443
|
+
group: "System"
|
|
444
|
+
}),
|
|
445
|
+
// ── Target (which record is being shared) ────────────────────
|
|
446
|
+
object_name: Field.text({
|
|
447
|
+
label: "Object",
|
|
448
|
+
required: true,
|
|
449
|
+
maxLength: 100,
|
|
450
|
+
description: "Short object name of the shared record",
|
|
451
|
+
group: "Target"
|
|
452
|
+
}),
|
|
453
|
+
record_id: Field.text({
|
|
454
|
+
label: "Record",
|
|
455
|
+
required: true,
|
|
456
|
+
maxLength: 100,
|
|
457
|
+
description: "Primary key of the shared record within object_name",
|
|
458
|
+
group: "Target"
|
|
459
|
+
}),
|
|
460
|
+
// ── Recipient (who receives access) ──────────────────────────
|
|
461
|
+
recipient_type: Field.select(
|
|
462
|
+
["user", "group", "role", "role_and_subordinates", "guest"],
|
|
463
|
+
{
|
|
464
|
+
label: "Recipient Type",
|
|
465
|
+
required: true,
|
|
466
|
+
defaultValue: "user",
|
|
467
|
+
description: "Kind of principal that holds the grant",
|
|
468
|
+
group: "Recipient"
|
|
469
|
+
}
|
|
470
|
+
),
|
|
471
|
+
recipient_id: Field.text({
|
|
472
|
+
label: "Recipient",
|
|
473
|
+
required: true,
|
|
474
|
+
maxLength: 100,
|
|
475
|
+
description: "ID of the user/group/role that receives access",
|
|
476
|
+
group: "Recipient"
|
|
477
|
+
}),
|
|
478
|
+
access_level: Field.select(
|
|
479
|
+
["read", "edit", "full"],
|
|
480
|
+
{
|
|
481
|
+
label: "Access Level",
|
|
482
|
+
required: true,
|
|
483
|
+
defaultValue: "read",
|
|
484
|
+
description: "What the recipient can do \u2014 read | edit | full (transfer/share/delete)",
|
|
485
|
+
group: "Recipient"
|
|
486
|
+
}
|
|
487
|
+
),
|
|
488
|
+
// ── Provenance ───────────────────────────────────────────────
|
|
489
|
+
source: Field.select(
|
|
490
|
+
["manual", "rule", "team", "inherited"],
|
|
491
|
+
{
|
|
492
|
+
label: "Source",
|
|
493
|
+
required: true,
|
|
494
|
+
defaultValue: "manual",
|
|
495
|
+
description: "Why this grant exists \u2014 used by the rule evaluator to reconcile",
|
|
496
|
+
group: "Provenance"
|
|
497
|
+
}
|
|
498
|
+
),
|
|
499
|
+
source_id: Field.text({
|
|
500
|
+
label: "Source ID",
|
|
501
|
+
required: false,
|
|
502
|
+
maxLength: 200,
|
|
503
|
+
description: "Rule name / team id when source != manual",
|
|
504
|
+
group: "Provenance"
|
|
505
|
+
}),
|
|
506
|
+
granted_by: Field.lookup("sys_user", {
|
|
507
|
+
label: "Granted By",
|
|
508
|
+
required: false,
|
|
509
|
+
description: "User that created the grant (manual only)",
|
|
510
|
+
group: "Provenance"
|
|
511
|
+
}),
|
|
512
|
+
reason: Field.text({
|
|
513
|
+
label: "Reason",
|
|
514
|
+
required: false,
|
|
515
|
+
maxLength: 500,
|
|
516
|
+
description: "Optional free-text explanation surfaced to the recipient",
|
|
517
|
+
group: "Provenance"
|
|
518
|
+
}),
|
|
519
|
+
// ── Lifecycle ────────────────────────────────────────────────
|
|
520
|
+
created_at: Field.datetime({
|
|
521
|
+
label: "Created At",
|
|
522
|
+
required: true,
|
|
523
|
+
defaultValue: "NOW()",
|
|
524
|
+
readonly: true,
|
|
525
|
+
group: "System"
|
|
526
|
+
}),
|
|
527
|
+
updated_at: Field.datetime({
|
|
528
|
+
label: "Updated At",
|
|
529
|
+
required: false,
|
|
530
|
+
group: "System"
|
|
531
|
+
})
|
|
532
|
+
},
|
|
533
|
+
indexes: [
|
|
534
|
+
// Hot path: "all records visible to user U on object O" — the
|
|
535
|
+
// middleware reads (object_name, recipient_type, recipient_id) to
|
|
536
|
+
// build the `id IN (...)` predicate on every find.
|
|
537
|
+
{ fields: ["object_name", "recipient_type", "recipient_id"] },
|
|
538
|
+
// "all grants on this record" — used by the share-management UI
|
|
539
|
+
// and by canEdit() to look up explicit grants.
|
|
540
|
+
{ fields: ["object_name", "record_id"] },
|
|
541
|
+
// Reconciliation key for rule-driven shares.
|
|
542
|
+
{ fields: ["source", "source_id"] }
|
|
543
|
+
]
|
|
544
|
+
});
|
|
545
|
+
var SysSharingRule = ObjectSchema.create({
|
|
546
|
+
name: "sys_sharing_rule",
|
|
547
|
+
label: "Sharing Rule",
|
|
548
|
+
pluralLabel: "Sharing Rules",
|
|
549
|
+
icon: "shield-check",
|
|
550
|
+
isSystem: true,
|
|
551
|
+
managedBy: "config",
|
|
552
|
+
// Sharing rules can now be authored visually via the Studio criteria
|
|
553
|
+
// builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).
|
|
554
|
+
// We still recommend `defineSharingRule({...})` for repo-controlled
|
|
555
|
+
// baselines, but admins can safely create/edit/delete from the UI.
|
|
556
|
+
userActions: { create: true, edit: true, delete: true, import: false },
|
|
557
|
+
description: "Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.",
|
|
558
|
+
displayNameField: "name",
|
|
559
|
+
titleFormat: "{label}",
|
|
560
|
+
compactLayout: ["name", "object_name", "recipient_type", "recipient_id", "access_level", "active"],
|
|
561
|
+
listViews: {
|
|
562
|
+
active: {
|
|
563
|
+
type: "grid",
|
|
564
|
+
name: "active",
|
|
565
|
+
label: "Active",
|
|
566
|
+
data: { provider: "object", object: "sys_sharing_rule" },
|
|
567
|
+
columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "updated_at"],
|
|
568
|
+
filter: [{ field: "active", operator: "equals", value: true }],
|
|
569
|
+
sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
|
|
570
|
+
pagination: { pageSize: 50 }
|
|
571
|
+
},
|
|
572
|
+
inactive: {
|
|
573
|
+
type: "grid",
|
|
574
|
+
name: "inactive",
|
|
575
|
+
label: "Inactive",
|
|
576
|
+
data: { provider: "object", object: "sys_sharing_rule" },
|
|
577
|
+
columns: ["label", "object_name", "recipient_type", "recipient_id", "updated_at"],
|
|
578
|
+
filter: [{ field: "active", operator: "equals", value: false }],
|
|
579
|
+
sort: [{ field: "label", order: "asc" }],
|
|
580
|
+
pagination: { pageSize: 50 }
|
|
581
|
+
},
|
|
582
|
+
by_object: {
|
|
583
|
+
type: "grid",
|
|
584
|
+
name: "by_object",
|
|
585
|
+
label: "By Object",
|
|
586
|
+
data: { provider: "object", object: "sys_sharing_rule" },
|
|
587
|
+
columns: ["object_name", "label", "recipient_type", "access_level", "active"],
|
|
588
|
+
sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
|
|
589
|
+
grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
|
|
590
|
+
pagination: { pageSize: 100 }
|
|
591
|
+
},
|
|
592
|
+
all_rules: {
|
|
593
|
+
type: "grid",
|
|
594
|
+
name: "all_rules",
|
|
595
|
+
label: "All",
|
|
596
|
+
data: { provider: "object", object: "sys_sharing_rule" },
|
|
597
|
+
columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "active", "updated_at"],
|
|
598
|
+
sort: [{ field: "label", order: "asc" }],
|
|
599
|
+
pagination: { pageSize: 50 }
|
|
600
|
+
}
|
|
601
|
+
},
|
|
602
|
+
fields: {
|
|
603
|
+
id: Field.text({ label: "Rule ID", required: true, readonly: true, group: "System" }),
|
|
604
|
+
organization_id: Field.lookup("sys_organization", {
|
|
605
|
+
label: "Organization",
|
|
606
|
+
required: false,
|
|
607
|
+
group: "System",
|
|
608
|
+
description: "Tenant that owns this rule; null = global"
|
|
609
|
+
}),
|
|
610
|
+
name: Field.text({
|
|
611
|
+
label: "Name",
|
|
612
|
+
required: true,
|
|
613
|
+
maxLength: 100,
|
|
614
|
+
description: "Unique snake_case rule name",
|
|
615
|
+
group: "Identity"
|
|
616
|
+
}),
|
|
617
|
+
label: Field.text({
|
|
618
|
+
label: "Display Label",
|
|
619
|
+
required: true,
|
|
620
|
+
maxLength: 200,
|
|
621
|
+
group: "Identity"
|
|
622
|
+
}),
|
|
623
|
+
description: Field.textarea({
|
|
624
|
+
label: "Description",
|
|
625
|
+
required: false,
|
|
626
|
+
group: "Identity"
|
|
627
|
+
}),
|
|
628
|
+
object_name: Field.text({
|
|
629
|
+
label: "Object",
|
|
630
|
+
required: true,
|
|
631
|
+
maxLength: 100,
|
|
632
|
+
description: "Short object name (e.g. opportunity, account)",
|
|
633
|
+
group: "Target"
|
|
634
|
+
}),
|
|
635
|
+
criteria_json: Field.textarea({
|
|
636
|
+
label: "Criteria (FilterCondition JSON)",
|
|
637
|
+
required: false,
|
|
638
|
+
description: "JSON FilterCondition matched against records of object_name. Empty = match all.",
|
|
639
|
+
group: "Target"
|
|
640
|
+
}),
|
|
641
|
+
recipient_type: Field.select(
|
|
642
|
+
["user", "team", "department", "role", "queue"],
|
|
643
|
+
{
|
|
644
|
+
label: "Recipient Type",
|
|
645
|
+
required: true,
|
|
646
|
+
defaultValue: "department",
|
|
647
|
+
description: "Kind of principal that receives access \u2014 expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).",
|
|
648
|
+
group: "Recipient"
|
|
649
|
+
}
|
|
650
|
+
),
|
|
651
|
+
recipient_id: Field.text({
|
|
652
|
+
label: "Recipient",
|
|
653
|
+
required: true,
|
|
654
|
+
maxLength: 200,
|
|
655
|
+
description: "department id / team id / role name / queue name / user id depending on recipient_type",
|
|
656
|
+
group: "Recipient"
|
|
657
|
+
}),
|
|
658
|
+
access_level: Field.select(
|
|
659
|
+
["read", "edit", "full"],
|
|
660
|
+
{
|
|
661
|
+
label: "Access Level",
|
|
662
|
+
required: true,
|
|
663
|
+
defaultValue: "read",
|
|
664
|
+
group: "Recipient"
|
|
665
|
+
}
|
|
666
|
+
),
|
|
667
|
+
active: Field.boolean({
|
|
668
|
+
label: "Active",
|
|
669
|
+
required: false,
|
|
670
|
+
defaultValue: true,
|
|
671
|
+
description: "Only active rules participate in lifecycle evaluation",
|
|
672
|
+
group: "Lifecycle"
|
|
673
|
+
}),
|
|
674
|
+
created_at: Field.datetime({
|
|
675
|
+
label: "Created At",
|
|
676
|
+
required: true,
|
|
677
|
+
defaultValue: "NOW()",
|
|
678
|
+
readonly: true,
|
|
679
|
+
group: "System"
|
|
680
|
+
}),
|
|
681
|
+
updated_at: Field.datetime({
|
|
682
|
+
label: "Updated At",
|
|
683
|
+
required: false,
|
|
684
|
+
group: "System"
|
|
685
|
+
})
|
|
686
|
+
},
|
|
687
|
+
indexes: [
|
|
688
|
+
{ fields: ["object_name", "active"] },
|
|
689
|
+
{ fields: ["name"], unique: true },
|
|
690
|
+
{ fields: ["organization_id"] }
|
|
691
|
+
]
|
|
692
|
+
});
|
|
286
693
|
var BETTER_AUTH_MANAGED_OBJECTS = [
|
|
287
694
|
"sys_user",
|
|
288
695
|
"sys_account",
|
|
@@ -360,6 +767,15 @@ var defaultPermissionSets = [
|
|
|
360
767
|
},
|
|
361
768
|
// ── better-auth system tables that lack `organization_id` and would
|
|
362
769
|
// otherwise be left unprotected by the wildcard rule above. ────
|
|
770
|
+
//
|
|
771
|
+
// The security plugin's RLS injector treats wildcard policies that
|
|
772
|
+
// target a missing field as `RLS_DENY_FILTER` (zero rows) unless a
|
|
773
|
+
// per-object policy contributes an alternate match. Each `*_self`
|
|
774
|
+
// policy below restores per-user visibility on a better-auth table
|
|
775
|
+
// that has `user_id` but no `organization_id`. Tables without
|
|
776
|
+
// `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)
|
|
777
|
+
// stay DENY for non-admins by design — only platform admins (via
|
|
778
|
+
// `admin_full_access`, which has no RLS) should inspect them.
|
|
363
779
|
{
|
|
364
780
|
name: "sys_organization_self",
|
|
365
781
|
object: "sys_organization",
|
|
@@ -371,6 +787,66 @@ var defaultPermissionSets = [
|
|
|
371
787
|
object: "sys_user",
|
|
372
788
|
operation: "select",
|
|
373
789
|
using: "id = current_user.id"
|
|
790
|
+
},
|
|
791
|
+
{
|
|
792
|
+
name: "sys_session_self",
|
|
793
|
+
object: "sys_session",
|
|
794
|
+
operation: "all",
|
|
795
|
+
using: "user_id = current_user.id"
|
|
796
|
+
},
|
|
797
|
+
{
|
|
798
|
+
name: "sys_account_self",
|
|
799
|
+
object: "sys_account",
|
|
800
|
+
operation: "select",
|
|
801
|
+
using: "user_id = current_user.id"
|
|
802
|
+
},
|
|
803
|
+
{
|
|
804
|
+
name: "sys_team_member_self",
|
|
805
|
+
object: "sys_team_member",
|
|
806
|
+
operation: "select",
|
|
807
|
+
using: "user_id = current_user.id"
|
|
808
|
+
},
|
|
809
|
+
{
|
|
810
|
+
name: "sys_two_factor_self",
|
|
811
|
+
object: "sys_two_factor",
|
|
812
|
+
operation: "all",
|
|
813
|
+
using: "user_id = current_user.id"
|
|
814
|
+
},
|
|
815
|
+
{
|
|
816
|
+
name: "sys_user_preference_self",
|
|
817
|
+
object: "sys_user_preference",
|
|
818
|
+
operation: "all",
|
|
819
|
+
using: "user_id = current_user.id"
|
|
820
|
+
},
|
|
821
|
+
{
|
|
822
|
+
name: "sys_api_key_self",
|
|
823
|
+
object: "sys_api_key",
|
|
824
|
+
operation: "all",
|
|
825
|
+
using: "user_id = current_user.id"
|
|
826
|
+
},
|
|
827
|
+
{
|
|
828
|
+
name: "sys_device_code_self",
|
|
829
|
+
object: "sys_device_code",
|
|
830
|
+
operation: "all",
|
|
831
|
+
using: "user_id = current_user.id"
|
|
832
|
+
},
|
|
833
|
+
{
|
|
834
|
+
name: "sys_oauth_access_token_self",
|
|
835
|
+
object: "sys_oauth_access_token",
|
|
836
|
+
operation: "select",
|
|
837
|
+
using: "user_id = current_user.id"
|
|
838
|
+
},
|
|
839
|
+
{
|
|
840
|
+
name: "sys_oauth_refresh_token_self",
|
|
841
|
+
object: "sys_oauth_refresh_token",
|
|
842
|
+
operation: "select",
|
|
843
|
+
using: "user_id = current_user.id"
|
|
844
|
+
},
|
|
845
|
+
{
|
|
846
|
+
name: "sys_oauth_consent_self",
|
|
847
|
+
object: "sys_oauth_consent",
|
|
848
|
+
operation: "all",
|
|
849
|
+
using: "user_id = current_user.id"
|
|
374
850
|
}
|
|
375
851
|
]
|
|
376
852
|
}),
|
|
@@ -408,11 +884,73 @@ var defaultPermissionSets = [
|
|
|
408
884
|
object: "sys_user",
|
|
409
885
|
operation: "select",
|
|
410
886
|
using: "id = current_user.id"
|
|
887
|
+
},
|
|
888
|
+
// ── Per-user visibility on better-auth tables that lack
|
|
889
|
+
// `organization_id` (matches the `member_default` carve-outs).
|
|
890
|
+
{
|
|
891
|
+
name: "sys_session_self",
|
|
892
|
+
object: "sys_session",
|
|
893
|
+
operation: "select",
|
|
894
|
+
using: "user_id = current_user.id"
|
|
895
|
+
},
|
|
896
|
+
{
|
|
897
|
+
name: "sys_account_self",
|
|
898
|
+
object: "sys_account",
|
|
899
|
+
operation: "select",
|
|
900
|
+
using: "user_id = current_user.id"
|
|
901
|
+
},
|
|
902
|
+
{
|
|
903
|
+
name: "sys_team_member_self",
|
|
904
|
+
object: "sys_team_member",
|
|
905
|
+
operation: "select",
|
|
906
|
+
using: "user_id = current_user.id"
|
|
907
|
+
},
|
|
908
|
+
{
|
|
909
|
+
name: "sys_two_factor_self",
|
|
910
|
+
object: "sys_two_factor",
|
|
911
|
+
operation: "select",
|
|
912
|
+
using: "user_id = current_user.id"
|
|
913
|
+
},
|
|
914
|
+
{
|
|
915
|
+
name: "sys_user_preference_self",
|
|
916
|
+
object: "sys_user_preference",
|
|
917
|
+
operation: "select",
|
|
918
|
+
using: "user_id = current_user.id"
|
|
919
|
+
},
|
|
920
|
+
{
|
|
921
|
+
name: "sys_api_key_self",
|
|
922
|
+
object: "sys_api_key",
|
|
923
|
+
operation: "select",
|
|
924
|
+
using: "user_id = current_user.id"
|
|
925
|
+
},
|
|
926
|
+
{
|
|
927
|
+
name: "sys_device_code_self",
|
|
928
|
+
object: "sys_device_code",
|
|
929
|
+
operation: "select",
|
|
930
|
+
using: "user_id = current_user.id"
|
|
931
|
+
},
|
|
932
|
+
{
|
|
933
|
+
name: "sys_oauth_access_token_self",
|
|
934
|
+
object: "sys_oauth_access_token",
|
|
935
|
+
operation: "select",
|
|
936
|
+
using: "user_id = current_user.id"
|
|
937
|
+
},
|
|
938
|
+
{
|
|
939
|
+
name: "sys_oauth_refresh_token_self",
|
|
940
|
+
object: "sys_oauth_refresh_token",
|
|
941
|
+
operation: "select",
|
|
942
|
+
using: "user_id = current_user.id"
|
|
943
|
+
},
|
|
944
|
+
{
|
|
945
|
+
name: "sys_oauth_consent_self",
|
|
946
|
+
object: "sys_oauth_consent",
|
|
947
|
+
operation: "select",
|
|
948
|
+
using: "user_id = current_user.id"
|
|
411
949
|
}
|
|
412
950
|
]
|
|
413
951
|
})
|
|
414
952
|
];
|
|
415
953
|
|
|
416
|
-
export { SysPermissionSet, SysRole, SysRolePermissionSet, SysUserPermissionSet, defaultPermissionSets };
|
|
954
|
+
export { SysPermissionSet, SysRecordShare, SysRole, SysRolePermissionSet, SysSharingRule, SysUserPermissionSet, defaultPermissionSets };
|
|
417
955
|
//# sourceMappingURL=index.mjs.map
|
|
418
956
|
//# sourceMappingURL=index.mjs.map
|