npm - @objectstack/plugin-security - Versions diffs - 9.9.0 → 9.10.0 - Mend

@objectstack/plugin-security 9.9.0 → 9.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -915,6 +915,8 @@ __export(index_exports, {
   SECURITY_PLUGIN_VERSION: () => SECURITY_PLUGIN_VERSION,
   SecurityPlugin: () => SecurityPlugin,
   backfillOrgAdminGrants: () => backfillOrgAdminGrants,
+  bootstrapPlatformAdmin: () => bootstrapPlatformAdmin,
+  claimSeedOwnership: () => claimSeedOwnership,
   isPermissionDeniedError: () => isPermissionDeniedError,
   reconcileOrgAdminGrant: () => reconcileOrgAdminGrant,
   securityDefaultPermissionSets: () => securityDefaultPermissionSets,
@@ -1073,6 +1075,14 @@ var RLSCompiler = class {
       roles: executionContext?.roles,
       org_user_ids: executionContext?.org_user_ids
     };
+    const membership = executionContext?.rlsMembership;
+    if (membership && typeof membership === "object") {
+      for (const [key, value] of Object.entries(membership)) {
+        if (Array.isArray(value) && userCtx[key] === void 0) {
+          userCtx[key] = value;
+        }
+      }
+    }
     const filters = [];
     for (const policy of policies) {
       if (!policy.using) continue;
@@ -1089,14 +1099,24 @@ var RLSCompiler = class {
   }
   /**
    * Compile a single RLS expression into a query filter.
-   *
-   * Supports simple expressions like:
-   * - "field_name = current_user.property"
-   * - "field_name IN (current_user.array_property)"
-   * - "field_name = 'literal_value'"
+   *
+   * This reference compiler recognizes exactly four forms — anything else
+   * returns `null` and (via {@link compileFilter}) fails closed:
+   * - `field = current_user.property`     → `{ field: <value> }`
+   * - `field = 'literal_value'`           → `{ field: 'literal_value' }`
+   * - `field IN (current_user.array)`     → `{ field: { $in: [...] } }`
+   *   (the array may be a §7.3.1 pre-resolved membership set)
+   * - `1 = 1`                             → `{}` (always-true / no restriction)
+   *
+   * There is intentionally no support for subqueries, `LIKE`/`ILIKE`,
+   * regex, `ANY`/`ALL`, `AND`/`OR`/`NOT`, or `NULL` checks — express those
+   * needs as a `current_user.*` property the runtime pre-resolves instead.
    */
   compileExpression(expression, userCtx) {
     if (!expression) return null;
+    if (/^\s*1\s*=\s*1\s*$/.test(expression)) {
+      return {};
+    }
     const eqMatch = expression.match(/^\s*(\w+)\s*=\s*current_user\.(\w+)\s*$/);
     if (eqMatch) {
       const [, field, prop] = eqMatch;
@@ -1244,11 +1264,91 @@ function isPermissionDeniedError(e) {
 }
 // src/bootstrap-platform-admin.ts
+var import_system2 = require("@objectstack/spec/system");
+// src/claim-seed-ownership.ts
 var import_system = require("@objectstack/spec/system");
 var SYSTEM_CTX = { isSystem: true };
+function hasOwnerField(schema) {
+  const fields = schema?.fields;
+  if (!fields) return false;
+  if (Array.isArray(fields)) {
+    return fields.some((f) => f?.name === "owner_id");
+  }
+  return Object.prototype.hasOwnProperty.call(fields, "owner_id");
+}
+async function claimSeedOwnership(ql, adminUserId, options = {}) {
+  const logger = options.logger;
+  if (!adminUserId || adminUserId === import_system.SystemUserId.SYSTEM) return [];
+  if (!ql || typeof ql.update !== "function" || typeof ql.find !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[security] claimSeedOwnership: registry unavailable");
+    return [];
+  }
+  const schemas = registry.getAllObjects();
+  const results = [];
+  for (const schema of schemas) {
+    if (!schema?.name) continue;
+    if (schema.managedBy) continue;
+    if (schema.name.startsWith("sys_")) continue;
+    if (!hasOwnerField(schema)) continue;
+    try {
+      const seen = /* @__PURE__ */ new Set();
+      const ids = [];
+      for (const where of [{ owner_id: null }, { owner_id: import_system.SystemUserId.SYSTEM }]) {
+        const rows = await ql.find(
+          schema.name,
+          { where, limit: 1e4, fields: ["id"] },
+          { context: SYSTEM_CTX }
+        );
+        const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+        for (const r of list) {
+          if (r?.id && !seen.has(r.id)) {
+            seen.add(r.id);
+            ids.push(r.id);
+          }
+        }
+      }
+      if (ids.length === 0) continue;
+      let updated = 0;
+      for (const id of ids) {
+        try {
+          await ql.update(
+            schema.name,
+            { id, owner_id: adminUserId },
+            { context: SYSTEM_CTX }
+          );
+          updated += 1;
+        } catch (e) {
+          logger?.warn?.(`[security] claimSeedOwnership failed for ${schema.name}:${id}`, {
+            error: e.message
+          });
+        }
+      }
+      if (updated > 0) results.push({ object: schema.name, count: updated });
+    } catch (e) {
+      logger?.warn?.(`[security] claimSeedOwnership scan failed for ${schema.name}`, {
+        error: e.message
+      });
+    }
+  }
+  if (results.length > 0) {
+    const total = results.reduce((s, r) => s + r.count, 0);
+    logger?.info?.(`[security] handed ${total} seeded record(s) to first admin ${adminUserId}`, {
+      breakdown: results
+    });
+  }
+  return results;
+}
+// src/bootstrap-platform-admin.ts
+var SYSTEM_CTX2 = { isSystem: true };
 async function tryFind(ql, object, where, limit = 100) {
   try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX });
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX2 });
     return Array.isArray(rows) ? rows : [];
   } catch {
     return [];
@@ -1256,7 +1356,7 @@ async function tryFind(ql, object, where, limit = 100) {
 }
 async function tryInsert(ql, object, data) {
   try {
-    return await ql.insert(object, data, { context: SYSTEM_CTX });
+    return await ql.insert(object, data, { context: SYSTEM_CTX2 });
   } catch {
     return null;
   }
@@ -1284,6 +1384,9 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
       id,
       name: ps.name,
       label: ps.label ?? ps.name,
+      // `description` is not part of the typed PermissionSet shape (name/label
+      // only); read it defensively so a runtime-provided description still
+      // persists without tripping the dts typecheck.
       description: ps.description ?? null,
       object_permissions: JSON.stringify(ps.objects ?? {}),
       field_permissions: JSON.stringify(ps.fields ?? {}),
@@ -1313,12 +1416,12 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
     { permission_set_id: adminPsId },
     50
   );
-  if (existingAdminLinks.some((r) => !r.organization_id && r.user_id !== import_system.SystemUserId.SYSTEM)) {
+  if (existingAdminLinks.some((r) => !r.organization_id && r.user_id !== import_system2.SystemUserId.SYSTEM)) {
     return { seeded: seededCount, adminPromoted: false, reason: "already_have_admin" };
   }
   const allUsers = await tryFind(ql, "sys_user", {}, 50);
   const humanUsers = allUsers.filter(
-    (u) => u.id !== import_system.SystemUserId.SYSTEM && u.role !== "system"
+    (u) => u.id !== import_system2.SystemUserId.SYSTEM && u.role !== "system"
   );
   if (humanUsers.length === 0) {
     logger?.info?.("[security] no human users yet \u2014 first sign-up will be promoted to platform admin");
@@ -1342,11 +1445,18 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
     return { seeded: seededCount, adminPromoted: false, reason: "insert_failed" };
   }
   logger?.info?.(`[security] first user promoted to platform admin: ${target.email ?? target.id}`);
-  return { seeded: seededCount, adminPromoted: true };
+  let ownershipClaimed = 0;
+  try {
+    const claims = await claimSeedOwnership(ql, target.id, { logger });
+    ownershipClaimed = claims.reduce((s, c) => s + c.count, 0);
+  } catch (e) {
+    logger?.warn?.("[security] seed ownership handoff failed", { error: e.message });
+  }
+  return { seeded: seededCount, adminPromoted: true, ownershipClaimed };
 }
 // src/auto-org-admin-grant.ts
-var SYSTEM_CTX2 = { isSystem: true };
+var SYSTEM_CTX3 = { isSystem: true };
 var PERMISSION_SET_NAME = "organization_admin";
 function genId2(prefix) {
   const rand = Math.random().toString(36).slice(2, 10);
@@ -1355,7 +1465,7 @@ function genId2(prefix) {
 }
 async function tryFind2(ql, object, where, limit = 50) {
   try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX2 });
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX3 });
     return Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
   } catch {
     return [];
@@ -1363,14 +1473,14 @@ async function tryFind2(ql, object, where, limit = 50) {
 }
 async function tryInsert2(ql, object, data) {
   try {
-    return await ql.insert(object, data, { context: SYSTEM_CTX2 });
+    return await ql.insert(object, data, { context: SYSTEM_CTX3 });
   } catch {
     return null;
   }
 }
 async function tryDelete(ql, object, id) {
   try {
-    await ql.delete(object, id, { context: SYSTEM_CTX2 });
+    await ql.delete(object, id, { context: SYSTEM_CTX3 });
     return true;
   } catch {
     return false;
@@ -3103,6 +3213,8 @@ var SecurityPlugin = class {
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
   backfillOrgAdminGrants,
+  bootstrapPlatformAdmin,
+  claimSeedOwnership,
   isPermissionDeniedError,
   reconcileOrgAdminGrant,
   securityDefaultPermissionSets,