npm - @objectstack/plugin-security - Versions diffs - 9.10.0 → 9.11.0 - Mend

@objectstack/plugin-security 9.10.0 → 9.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -914,6 +914,7 @@ __export(index_exports, {
   SECURITY_PLUGIN_ID: () => SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION: () => SECURITY_PLUGIN_VERSION,
   SecurityPlugin: () => SecurityPlugin,
+  appDefaultProfileName: () => appDefaultProfileName,
   backfillOrgAdminGrants: () => backfillOrgAdminGrants,
   bootstrapPlatformAdmin: () => bootstrapPlatformAdmin,
   claimSeedOwnership: () => claimSeedOwnership,
@@ -1053,7 +1054,19 @@ var PermissionEvaluator = class {
 var RLS_DENY_FILTER = Object.freeze({
   id: "__rls_deny__:00000000-0000-0000-0000-000000000000"
 });
+function isSupportedRlsExpression(expression) {
+  if (!expression) return false;
+  const e = expression.trim();
+  if (/^\s*1\s*=\s*1\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*current_user\.\w+\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*'[^']*'\s*$/.test(e)) return true;
+  if (/^\s*\w+\s+IN\s+\(\s*current_user\.\w+\s*\)\s*$/i.test(e)) return true;
+  return false;
+}
 var RLSCompiler = class {
+  setLogger(logger) {
+    this.logger = logger;
+  }
   /**
    * Compile RLS policies into a query filter for the given user context.
    * Multiple policies for the same object/operation are OR-combined (any match allows access).
@@ -1073,7 +1086,9 @@ var RLSCompiler = class {
       id: executionContext?.userId,
       organization_id: executionContext?.tenantId,
       roles: executionContext?.roles,
-      org_user_ids: executionContext?.org_user_ids
+      org_user_ids: executionContext?.org_user_ids,
+      // Unique identifier — safe for ownership predicates (see RLSUserContext).
+      email: executionContext?.email
     };
     const membership = executionContext?.rlsMembership;
     if (membership && typeof membership === "object") {
@@ -1089,6 +1104,10 @@ var RLSCompiler = class {
       const filter = this.compileExpression(policy.using, userCtx);
       if (filter) {
         filters.push(filter);
+      } else if (!isSupportedRlsExpression(policy.using)) {
+        this.logger?.warn?.(
+          `[RLS] policy '${policy.name ?? "(unnamed)"}' on '${policy.object ?? "?"}' has an uncompilable predicate and was DROPPED (no enforcement): ${policy.using}`
+        );
       }
     }
     if (filters.length === 0) {
@@ -2709,9 +2728,11 @@ var SecurityPlugin = class {
      */
     this.metadata = null;
     this.ql = null;
+    /** ADR-0055: cache the resolved master-detail relation per controlled_by_parent object. */
+    this.cbpRelCache = /* @__PURE__ */ new Map();
     this.logger = {};
     this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
-    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
+    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? this.bootstrapPermissionSets.find((p) => p.isDefault)?.name ?? "member_default" : options.fallbackPermissionSet;
   }
   async init(ctx) {
     ctx.logger.info("Initializing Security Plugin...");
@@ -2778,6 +2799,7 @@ var SecurityPlugin = class {
     this.metadata = metadata;
     this.ql = ql;
     this.logger = ctx.logger;
+    this.rlsCompiler.setLogger?.(ctx.logger);
     try {
       const orgScoping = ctx.getService("org-scoping");
       this.orgScopingEnabled = !!orgScoping;
@@ -2827,6 +2849,16 @@ var SecurityPlugin = class {
       if (opCtx.context?.isSystem) {
         return next();
       }
+      const formGrant = opCtx.context?.publicFormGrant;
+      if (formGrant && typeof formGrant === "object" && formGrant.object) {
+        const grantObject = formGrant.object;
+        const allowed = opCtx.object === grantObject && ["insert", "find", "findOne", "count"].includes(opCtx.operation);
+        if (allowed) return next();
+        throw new PermissionDeniedError(
+          `[Security] Access denied: public-form grant permits only create/read-back on '${grantObject}', not '${opCtx.operation}' on '${opCtx.object}'`,
+          { operation: opCtx.operation, object: opCtx.object }
+        );
+      }
       const roles = opCtx.context?.roles ?? [];
       const explicitPermissionSets = opCtx.context?.permissions ?? [];
       if (roles.length === 0 && explicitPermissionSets.length === 0 && !opCtx.context?.userId) {
@@ -2891,6 +2923,15 @@ var SecurityPlugin = class {
           }
         }
       }
+      if ((opCtx.operation === "insert" || opCtx.operation === "update" || opCtx.operation === "delete") && permissionSets.length > 0 && !!opCtx.context?.userId && this.ql) {
+        await this.assertControlledByParentWrite(
+          permissionSets,
+          opCtx.object,
+          opCtx.operation,
+          opCtx,
+          opCtx.context
+        );
+      }
       if ((opCtx.operation === "insert" || opCtx.operation === "update") && opCtx.data && permissionSets.length > 0) {
         const fieldPerms = this.permissionEvaluator.getFieldPermissions(
           opCtx.object,
@@ -2925,18 +2966,22 @@ var SecurityPlugin = class {
         }
       }
       if (opCtx.ast) {
+        const extra = [];
         const rlsFilter = await this.computeRlsFilter(
           permissionSets,
           opCtx.object,
           opCtx.operation,
           opCtx.context
         );
-        if (rlsFilter) {
-          if (opCtx.ast.where) {
-            opCtx.ast.where = { $and: [opCtx.ast.where, rlsFilter] };
-          } else {
-            opCtx.ast.where = rlsFilter;
-          }
+        if (rlsFilter) extra.push(rlsFilter);
+        const cbpFilter = await this.computeControlledByParentFilter(
+          permissionSets,
+          opCtx.object,
+          opCtx.context
+        );
+        if (cbpFilter) extra.push(cbpFilter);
+        if (extra.length) {
+          opCtx.ast.where = opCtx.ast.where ? { $and: [opCtx.ast.where, ...extra] } : extra.length === 1 ? extra[0] : { $and: extra };
         }
       }
       await next();
@@ -3132,6 +3177,122 @@ var SecurityPlugin = class {
     }
     return rlsFilter;
   }
+  /**
+   * Resolve a controlled_by_parent object's master-detail relation (the FK field
+   * key + the master object name), or null. Prefers a required `master_detail`
+   * field; falls back to any `master_detail`, then a required `lookup`. Cached.
+   */
+  resolveCbpRelation(object) {
+    if (this.cbpRelCache.has(object)) return this.cbpRelCache.get(object) ?? null;
+    let rel = null;
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const fields = schema?.fields;
+    const entries = Array.isArray(fields) ? fields.map((f) => [f?.name, f]) : fields && typeof fields === "object" ? Object.entries(fields) : [];
+    const ref = (f) => f?.reference ?? f?.reference_to ?? f?.referenceTo;
+    const pick = (pred) => entries.find(([, f]) => pred(f) && ref(f));
+    const found = pick((f) => f?.type === "master_detail" && f?.required) ?? pick((f) => f?.type === "master_detail") ?? pick((f) => f?.type === "lookup" && f?.required);
+    if (found) rel = { fk: String(found[0]), master: String(ref(found[1])) };
+    this.cbpRelCache.set(object, rel);
+    return rel;
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" READ derivation.
+   *
+   * For an object whose `sharingModel` is `controlled_by_parent`, access is
+   * derived from the master: return a filter `masterFK IN (<master ids this user
+   * can read>)`. The id set is resolved by running the MASTER's own read RLS
+   * (reused via `computeRlsFilter`) under a system context — no middleware
+   * re-entry, so no recursion. An empty set yields `{ masterFK: { $in: [] } }`,
+   * which matches no rows (fail closed). A misconfigured object (no
+   * master_detail/lookup to derive from) denies all reads (defense-in-depth;
+   * spec validation should prevent authoring it). Returns null when the object is
+   * not controlled_by_parent.
+   *
+   * v1 scope (ADR-0055): single level — the master's OWN controlled_by_parent is
+   * not traversed transitively; master accessibility is the master's RLS filter
+   * (sharing-service grants on the master are not folded in).
+   */
+  async computeControlledByParentFilter(permissionSets, object, context) {
+    if (!this.ql || !context?.userId) return null;
+    const schema = typeof this.ql.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return null;
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) return { ...RLS_DENY_FILTER };
+    const masterFilter = await this.computeRlsFilter(permissionSets, rel.master, "find", context);
+    let masterIds = [];
+    try {
+      const rows = await this.ql.find(rel.master, {
+        where: masterFilter ?? {},
+        fields: ["id"],
+        context: { isSystem: true }
+      });
+      masterIds = (Array.isArray(rows) ? rows : []).map((r) => r?.id).filter((id) => id != null);
+    } catch {
+      masterIds = [];
+    }
+    return { [rel.fk]: { $in: masterIds } };
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" WRITE enforcement.
+   *
+   * A by-id write (insert/update/delete) to a controlled_by_parent detail
+   * requires EDIT access to its master: the caller must hold CRUD `update` on the
+   * master object AND the master row must be visible under the master's write RLS.
+   * This is the write-side companion to the read derivation — the RLS read filter
+   * never applies to a by-id write (the #1994 class), so without this a member
+   * could mutate a detail under a master they cannot edit. Throws on denial;
+   * no-op when the object is not controlled_by_parent.
+   *
+   * v1 scope: single-id writes. Bulk writes flow through the AST and are already
+   * scoped by the controlled-by-parent READ filter (to readable masters).
+   */
+  async assertControlledByParentWrite(permissionSets, object, operation, opCtx, context) {
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return;
+    const deny = (reason, recordId) => {
+      throw new PermissionDeniedError(
+        `[Security] Access denied: ${operation} on '${object}' requires edit access to its master record (${reason})`,
+        { operation, object, recordId }
+      );
+    };
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) deny("controlled_by_parent declared but no master_detail relation");
+    let masterId;
+    if (operation === "insert") {
+      const data = opCtx.data;
+      masterId = data && typeof data === "object" && !Array.isArray(data) ? data[rel.fk] : void 0;
+    } else {
+      const targetId = this.extractSingleId(opCtx);
+      if (targetId == null) return;
+      let row = null;
+      try {
+        row = await this.ql.findOne(object, { where: { id: targetId }, context: { isSystem: true } });
+      } catch {
+        row = null;
+      }
+      if (!row) deny("target record not found", targetId);
+      masterId = row[rel.fk];
+    }
+    if (masterId == null) deny("detail record has no master reference");
+    if (!this.permissionEvaluator.checkObjectPermission("update", rel.master, permissionSets)) {
+      deny(`no edit permission on master '${rel.master}'`, masterId);
+    }
+    const masterWriteFilter = await this.computeRlsFilter(permissionSets, rel.master, "update", context);
+    if (masterWriteFilter) {
+      let visible = null;
+      try {
+        visible = await this.ql.findOne(rel.master, {
+          where: { $and: [{ id: masterId }, masterWriteFilter] },
+          context
+        });
+      } catch {
+        visible = null;
+      }
+      if (!visible) deny(`master '${rel.master}' not editable by this user (row-level security)`, masterId);
+    }
+  }
   /**
    * Collect all RLS policies from permission sets applicable to the given object/operation.
    */
@@ -3202,6 +3363,20 @@ var SecurityPlugin = class {
     return m ? m[1] : null;
   }
 };
+// src/app-default-profile.ts
+function appDefaultProfileName(permissions) {
+  if (!Array.isArray(permissions)) return void 0;
+  for (const p of permissions) {
+    if (p && typeof p === "object") {
+      const ps = p;
+      if (ps.isDefault === true && ps.isProfile !== false && typeof ps.name === "string" && ps.name.length > 0) {
+        return ps.name;
+      }
+    }
+  }
+  return void 0;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   FieldMasker,
@@ -3212,6 +3387,7 @@ var SecurityPlugin = class {
   SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
+  appDefaultProfileName,
   backfillOrgAdminGrants,
   bootstrapPlatformAdmin,
   claimSeedOwnership,