@objectstack/plugin-security 9.10.0 → 9.11.0

package/dist/index.mjs

@@ -1019,7 +1019,19 @@ var PermissionEvaluator = class {
 var RLS_DENY_FILTER = Object.freeze({
   id: "__rls_deny__:00000000-0000-0000-0000-000000000000"
 });
+function isSupportedRlsExpression(expression) {
+  if (!expression) return false;
+  const e = expression.trim();
+  if (/^\s*1\s*=\s*1\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*current_user\.\w+\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*'[^']*'\s*$/.test(e)) return true;
+  if (/^\s*\w+\s+IN\s+\(\s*current_user\.\w+\s*\)\s*$/i.test(e)) return true;
+  return false;
+}
 var RLSCompiler = class {
+  setLogger(logger) {
+    this.logger = logger;
+  }
   /**
    * Compile RLS policies into a query filter for the given user context.
    * Multiple policies for the same object/operation are OR-combined (any match allows access).
@@ -1039,7 +1051,9 @@ var RLSCompiler = class {
       id: executionContext?.userId,
       organization_id: executionContext?.tenantId,
       roles: executionContext?.roles,
-      org_user_ids: executionContext?.org_user_ids
+      org_user_ids: executionContext?.org_user_ids,
+      // Unique identifier — safe for ownership predicates (see RLSUserContext).
+      email: executionContext?.email
     };
     const membership = executionContext?.rlsMembership;
     if (membership && typeof membership === "object") {
@@ -1055,6 +1069,10 @@ var RLSCompiler = class {
       const filter = this.compileExpression(policy.using, userCtx);
       if (filter) {
         filters.push(filter);
+      } else if (!isSupportedRlsExpression(policy.using)) {
+        this.logger?.warn?.(
+          `[RLS] policy '${policy.name ?? "(unnamed)"}' on '${policy.object ?? "?"}' has an uncompilable predicate and was DROPPED (no enforcement): ${policy.using}`
+        );
       }
     }
     if (filters.length === 0) {
@@ -2675,9 +2693,11 @@ var SecurityPlugin = class {
      */
     this.metadata = null;
     this.ql = null;
+    /** ADR-0055: cache the resolved master-detail relation per controlled_by_parent object. */
+    this.cbpRelCache = /* @__PURE__ */ new Map();
     this.logger = {};
     this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
-    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
+    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? this.bootstrapPermissionSets.find((p) => p.isDefault)?.name ?? "member_default" : options.fallbackPermissionSet;
   }
   async init(ctx) {
     ctx.logger.info("Initializing Security Plugin...");
@@ -2744,6 +2764,7 @@ var SecurityPlugin = class {
     this.metadata = metadata;
     this.ql = ql;
     this.logger = ctx.logger;
+    this.rlsCompiler.setLogger?.(ctx.logger);
     try {
       const orgScoping = ctx.getService("org-scoping");
       this.orgScopingEnabled = !!orgScoping;
@@ -2793,6 +2814,16 @@ var SecurityPlugin = class {
       if (opCtx.context?.isSystem) {
         return next();
       }
+      const formGrant = opCtx.context?.publicFormGrant;
+      if (formGrant && typeof formGrant === "object" && formGrant.object) {
+        const grantObject = formGrant.object;
+        const allowed = opCtx.object === grantObject && ["insert", "find", "findOne", "count"].includes(opCtx.operation);
+        if (allowed) return next();
+        throw new PermissionDeniedError(
+          `[Security] Access denied: public-form grant permits only create/read-back on '${grantObject}', not '${opCtx.operation}' on '${opCtx.object}'`,
+          { operation: opCtx.operation, object: opCtx.object }
+        );
+      }
       const roles = opCtx.context?.roles ?? [];
       const explicitPermissionSets = opCtx.context?.permissions ?? [];
       if (roles.length === 0 && explicitPermissionSets.length === 0 && !opCtx.context?.userId) {
@@ -2857,6 +2888,15 @@ var SecurityPlugin = class {
           }
         }
       }
+      if ((opCtx.operation === "insert" || opCtx.operation === "update" || opCtx.operation === "delete") && permissionSets.length > 0 && !!opCtx.context?.userId && this.ql) {
+        await this.assertControlledByParentWrite(
+          permissionSets,
+          opCtx.object,
+          opCtx.operation,
+          opCtx,
+          opCtx.context
+        );
+      }
       if ((opCtx.operation === "insert" || opCtx.operation === "update") && opCtx.data && permissionSets.length > 0) {
         const fieldPerms = this.permissionEvaluator.getFieldPermissions(
           opCtx.object,
@@ -2891,18 +2931,22 @@ var SecurityPlugin = class {
         }
       }
       if (opCtx.ast) {
+        const extra = [];
         const rlsFilter = await this.computeRlsFilter(
           permissionSets,
           opCtx.object,
           opCtx.operation,
           opCtx.context
         );
-        if (rlsFilter) {
-          if (opCtx.ast.where) {
-            opCtx.ast.where = { $and: [opCtx.ast.where, rlsFilter] };
-          } else {
-            opCtx.ast.where = rlsFilter;
-          }
+        if (rlsFilter) extra.push(rlsFilter);
+        const cbpFilter = await this.computeControlledByParentFilter(
+          permissionSets,
+          opCtx.object,
+          opCtx.context
+        );
+        if (cbpFilter) extra.push(cbpFilter);
+        if (extra.length) {
+          opCtx.ast.where = opCtx.ast.where ? { $and: [opCtx.ast.where, ...extra] } : extra.length === 1 ? extra[0] : { $and: extra };
         }
       }
       await next();
@@ -3098,6 +3142,122 @@ var SecurityPlugin = class {
     }
     return rlsFilter;
   }
+  /**
+   * Resolve a controlled_by_parent object's master-detail relation (the FK field
+   * key + the master object name), or null. Prefers a required `master_detail`
+   * field; falls back to any `master_detail`, then a required `lookup`. Cached.
+   */
+  resolveCbpRelation(object) {
+    if (this.cbpRelCache.has(object)) return this.cbpRelCache.get(object) ?? null;
+    let rel = null;
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const fields = schema?.fields;
+    const entries = Array.isArray(fields) ? fields.map((f) => [f?.name, f]) : fields && typeof fields === "object" ? Object.entries(fields) : [];
+    const ref = (f) => f?.reference ?? f?.reference_to ?? f?.referenceTo;
+    const pick = (pred) => entries.find(([, f]) => pred(f) && ref(f));
+    const found = pick((f) => f?.type === "master_detail" && f?.required) ?? pick((f) => f?.type === "master_detail") ?? pick((f) => f?.type === "lookup" && f?.required);
+    if (found) rel = { fk: String(found[0]), master: String(ref(found[1])) };
+    this.cbpRelCache.set(object, rel);
+    return rel;
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" READ derivation.
+   *
+   * For an object whose `sharingModel` is `controlled_by_parent`, access is
+   * derived from the master: return a filter `masterFK IN (<master ids this user
+   * can read>)`. The id set is resolved by running the MASTER's own read RLS
+   * (reused via `computeRlsFilter`) under a system context — no middleware
+   * re-entry, so no recursion. An empty set yields `{ masterFK: { $in: [] } }`,
+   * which matches no rows (fail closed). A misconfigured object (no
+   * master_detail/lookup to derive from) denies all reads (defense-in-depth;
+   * spec validation should prevent authoring it). Returns null when the object is
+   * not controlled_by_parent.
+   *
+   * v1 scope (ADR-0055): single level — the master's OWN controlled_by_parent is
+   * not traversed transitively; master accessibility is the master's RLS filter
+   * (sharing-service grants on the master are not folded in).
+   */
+  async computeControlledByParentFilter(permissionSets, object, context) {
+    if (!this.ql || !context?.userId) return null;
+    const schema = typeof this.ql.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return null;
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) return { ...RLS_DENY_FILTER };
+    const masterFilter = await this.computeRlsFilter(permissionSets, rel.master, "find", context);
+    let masterIds = [];
+    try {
+      const rows = await this.ql.find(rel.master, {
+        where: masterFilter ?? {},
+        fields: ["id"],
+        context: { isSystem: true }
+      });
+      masterIds = (Array.isArray(rows) ? rows : []).map((r) => r?.id).filter((id) => id != null);
+    } catch {
+      masterIds = [];
+    }
+    return { [rel.fk]: { $in: masterIds } };
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" WRITE enforcement.
+   *
+   * A by-id write (insert/update/delete) to a controlled_by_parent detail
+   * requires EDIT access to its master: the caller must hold CRUD `update` on the
+   * master object AND the master row must be visible under the master's write RLS.
+   * This is the write-side companion to the read derivation — the RLS read filter
+   * never applies to a by-id write (the #1994 class), so without this a member
+   * could mutate a detail under a master they cannot edit. Throws on denial;
+   * no-op when the object is not controlled_by_parent.
+   *
+   * v1 scope: single-id writes. Bulk writes flow through the AST and are already
+   * scoped by the controlled-by-parent READ filter (to readable masters).
+   */
+  async assertControlledByParentWrite(permissionSets, object, operation, opCtx, context) {
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return;
+    const deny = (reason, recordId) => {
+      throw new PermissionDeniedError(
+        `[Security] Access denied: ${operation} on '${object}' requires edit access to its master record (${reason})`,
+        { operation, object, recordId }
+      );
+    };
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) deny("controlled_by_parent declared but no master_detail relation");
+    let masterId;
+    if (operation === "insert") {
+      const data = opCtx.data;
+      masterId = data && typeof data === "object" && !Array.isArray(data) ? data[rel.fk] : void 0;
+    } else {
+      const targetId = this.extractSingleId(opCtx);
+      if (targetId == null) return;
+      let row = null;
+      try {
+        row = await this.ql.findOne(object, { where: { id: targetId }, context: { isSystem: true } });
+      } catch {
+        row = null;
+      }
+      if (!row) deny("target record not found", targetId);
+      masterId = row[rel.fk];
+    }
+    if (masterId == null) deny("detail record has no master reference");
+    if (!this.permissionEvaluator.checkObjectPermission("update", rel.master, permissionSets)) {
+      deny(`no edit permission on master '${rel.master}'`, masterId);
+    }
+    const masterWriteFilter = await this.computeRlsFilter(permissionSets, rel.master, "update", context);
+    if (masterWriteFilter) {
+      let visible = null;
+      try {
+        visible = await this.ql.findOne(rel.master, {
+          where: { $and: [{ id: masterId }, masterWriteFilter] },
+          context
+        });
+      } catch {
+        visible = null;
+      }
+      if (!visible) deny(`master '${rel.master}' not editable by this user (row-level security)`, masterId);
+    }
+  }
   /**
    * Collect all RLS policies from permission sets applicable to the given object/operation.
    */
@@ -3168,6 +3328,20 @@ var SecurityPlugin = class {
     return m ? m[1] : null;
   }
 };
+
+// src/app-default-profile.ts
+function appDefaultProfileName(permissions) {
+  if (!Array.isArray(permissions)) return void 0;
+  for (const p of permissions) {
+    if (p && typeof p === "object") {
+      const ps = p;
+      if (ps.isDefault === true && ps.isProfile !== false && typeof ps.name === "string" && ps.name.length > 0) {
+        return ps.name;
+      }
+    }
+  }
+  return void 0;
+}
 export {
   FieldMasker,
   PermissionDeniedError,
@@ -3177,6 +3351,7 @@ export {
   SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
+  appDefaultProfileName,
   backfillOrgAdminGrants,
   bootstrapPlatformAdmin,
   claimSeedOwnership,