@objectstack/rest 9.10.0 → 9.11.0
- package/dist/index.cjs +13 -0
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +13 -0
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
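--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -810,6 +810,7 @@ var RestServer = class {
 }
 let userId;
 let tenantId;
+let email;
 const keyPrincipal = await (0, import_core.resolveApiKeyPrincipal)(identityQl, headers).catch(() => void 0);
 if (keyPrincipal) {
 userId = keyPrincipal.userId;
@@ -820,6 +821,11 @@ var RestServer = class {
 if (!session?.user?.id) return void 0;
 userId = session.user.id;
 tenantId = session.session?.activeOrganizationId ?? void 0;
+if (session.user?.email) email = String(session.user.email);
+}
+if (!email && identityQl && typeof identityQl.find === "function") {
+const urows = await identityQl.find("sys_user", { where: { id: userId }, limit: 1, context: { isSystem: true } }).catch(() => []);
+if (urows?.[0]?.email) email = String(urows[0].email);
 }
 try {
 let ql;
@@ -930,6 +936,7 @@ var RestServer = class {
 return {
 userId,
 tenantId,
+email,
 roles,
 permissions,
 systemPermissions,
@@ -3003,6 +3010,7 @@ var RestServer = class {
 Object.assign(filteredData, rawBody);
 }
 const context = {
+publicFormGrant: { object: match.object },
 permissions: ["guest_portal"],
 anonymous: true
 };
@@ -4489,6 +4497,11 @@ function createRestApiPlugin(config = {}) {
 const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider);
 restServer.registerRoutes();
 ctx.logger.info("REST API successfully registered");
+if (!config.api?.requireAuth) {
+ctx.logger.warn(
+"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable. For secure-by-default set api.requireAuth=true and expose public records via share-links / publicSharing (ADR-0056 D2)."
+);
+}
 } catch (err) {
 ctx.logger.error("Failed to register REST API routes", { error: err.message });
 throw err;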
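Review bot: The `sys_user` fallback added in the second hunk (new lines 826–828) performs a privileged read with `context: { isSystem: true }` but never checks that `userId` is set; it is reached for API-key principals as well, and if `keyPrincipal.userId` can be undefined (not visible in this diff) a `where: { id: undefined }` filter with `limit: 1` may, depending on how the query layer treats undefined predicates, attach an unrelated user's email to the caller's principal. Guard the system-context lookup on the id: `if (!email && userId && identityQl && typeof identityQl.find === "function") {`. The `.catch(() => [])` on that read also discards the reason a system-context lookup failed, so the returned principal silently lacks `email`; a debug-level log inside the catch would keep that failure visible without changing the fallback. The enclosing method starts before the hunk and ends after it.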