@opengis/fastify-table 1.0.73 → 1.0.74

package/config.js

@@ -1,6 +1,6 @@
 import fs from 'fs';
 
-const fileName = ['/data/local/config.json', 'config.json'].find(el => (fs.existsSync(el) ? el : null));
+const fileName = ['config.json', '/data/local/config.json'].find(el => (fs.existsSync(el) ? el : null));
 const config = fileName ? JSON.parse(fs.readFileSync(fileName)) : {};
 
 Object.assign(config, {

package/crud/controllers/deleteCrud.js

@@ -1,7 +1,12 @@
 import dataDelete from '../funcs/dataDelete.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
 
 export default async function deleteCrud(req) {
+  const { actions = [], scope = 'my', my } = await getAccess(req, req.params.table, req.params.id) || {};
+  if (!actions.includes('del') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
   const loadTemplate = await getTemplate('table', req.opt?.table || req.params.table);
   const { table } = loadTemplate || req.opt || req.params || {};
   const { id } = req.opt || req.params || {};

package/crud/controllers/insert.js

@@ -2,8 +2,13 @@ import dataInsert from '../funcs/dataInsert.js';
 import getToken from '../funcs/getToken.js';
 import checkXSS from './utils/checkXSS.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
 
 export default async function insert(req) {
+  const { actions = [] } = await getAccess(req, req.params.table) || {};
+  if (!actions.includes('edit')) {
+    return { message: 'access restricted', status: 403 };
+  }
   if (!req.params?.table) {
     return { message: 'table is required', status: 400 };
   }
@@ -14,9 +19,8 @@ export default async function insert(req) {
   }
 
   const { funcs = {}, user = {}, params = {} } = req;
-  const uid = funcs.config?.auth?.disable || ispublic ? '1' : user.uid;
   const tokenDataString = await getToken({
-    funcs, uid, token: params.table, mode: 'a', json: 0,
+    funcs, uid: user.uid, token: params.table, mode: 'a', json: 0,
   });
 
   const { form, add } = JSON.parse(tokenDataString || '{}');
@@ -30,6 +34,8 @@ export default async function insert(req) {
     return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
   }
 
+  const { uid } = funcs.config?.auth?.disable || ispublic ? { uid: '1' } : user || {};
+  Object.assign(req.body, { uid, editor_id: uid });
   const res = await dataInsert({ table: add || table, data: req.body });
 
   const extraKeys = Object.keys(formData)?.filter((key) => formData?.[key]?.type === 'DataTable' && formData?.[key]?.table && formData?.[key]?.parent_id && req.body[key].length);

package/crud/controllers/update.js

@@ -4,8 +4,13 @@ import pgClients from '../../pg/pgClients.js';
 import getToken from '../funcs/getToken.js';
 import checkXSS from './utils/checkXSS.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
 
 export default async function update(req) {
+  const { actions = [], scope, my } = await getAccess(req, req.params.table, req.params.id) || {};
+  if (!actions.includes('edit') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
   if (!req.params?.table) {
     return { message: 'table is required', status: 400 };
   }

package/crud/funcs/getAccess.js

@@ -0,0 +1,52 @@
+import getMeta from '../../pg/funcs/getMeta.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import config from '../../config.js';
+
+const q = `select a.route_id as id, b.actions, b.scope 
+from admin.routes a 
+left join admin.access b on 
+  a.route_id=b.route_id
+left join admin.roles c on 
+  b.role_id=c.role_id 
+  and c.enabled
+left join admin.user_roles d on 
+  c.role_id=d.role_id 
+  and ( case when 
+            d.expiration is not null 
+            then d.expiration > CURRENT_DATE 
+            else 1=1 
+        end )
+where a.route_id=$1 and $2 in (b.user_uid, d.user_uid)`;
+
+export default async function getAccess(req, template, id = null) {
+  if (config.disableAccessRestriction || true) {
+    return { actions: ['get', 'edit', 'del'], query: '1=1' };
+  }
+  const { pg, session = {} } = req;
+  const { uid, user_type: userType } = session.passport?.user || {};
+  if (!uid || !template) return null;
+
+  if (!pg.pk?.['admin.access']) return null;
+
+  const { table } = await getTemplate('table', template) || {};
+  if (!table) return null;
+
+  const { scope = 'my', actions = [] } = await pg.one(q, [template, uid]);
+
+  const { columns = [] } = await getMeta(table);
+  const columnList = columns.map((el) => el.name || el).join(',');
+
+  const query = userType?.includes('admin') ? '1=1' : {
+    my: `uid='${uid}'`,
+    responsible: columnList.includes('responsible_id')
+      ? `responsible_id='${uid}'`
+      : `uid='${uid}'`,
+    all: '1=1',
+  }[scope];
+
+  const { my } = pg.pk?.[table] && id ? await pg.one(`select uid=$1 as my from ${table} where ${pg.pk?.[table]}=$2`, [uid, id]) : {};
+
+  return {
+    scope, actions, query, my,
+  };
+}

package/crud/index.js

@@ -7,6 +7,14 @@ import dataInsert from './funcs/dataInsert.js';
 import update from './controllers/update.js';
 import insert from './controllers/insert.js';
 import deleteCrud from './controllers/deleteCrud.js';
+import getAccessFunc from './funcs/getAccess.js';
+
+const tableSchema = {
+  params: {
+    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
+    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+  },
+};
 
 async function plugin(fastify, config = {}) {
   const prefix = config.prefix || '/api';
@@ -15,13 +23,14 @@ async function plugin(fastify, config = {}) {
   fastify.decorate('getOpt', getOpt);
   fastify.decorate('dataUpdate', dataUpdate);
   fastify.decorate('dataInsert', dataInsert);
+  fastify.decorate('getAccess', getAccessFunc);
 
   fastify.decorate('isFileExists', isFileExists);
 
   // api
-  fastify.put(`${prefix}/table/:table/:id`, {}, update);
-  fastify.delete(`${prefix}/table/:table/:id`, {}, deleteCrud);
-  fastify.post(`${prefix}/table/:table`, {}, insert);
+  fastify.put(`${prefix}/table/:table/:id`, { schema: tableSchema }, update);
+  fastify.delete(`${prefix}/table/:table/:id`, { schema: tableSchema }, deleteCrud);
+  fastify.post(`${prefix}/table/:table`, { schema: tableSchema }, insert);
 }
 
 export default plugin;

package/notification/index.js

@@ -5,6 +5,12 @@ import testEmail from './controllers/testEmail.js';
 import addNotification from './funcs/addNotification.js'; // add to db
 import notification from './funcs/sendNotification.js'; // send
 
+const tableSchema = {
+  querystring: {
+    nocache: { type: 'string', pattern: '^(\\d+)$' },
+  },
+};
+
 async function plugin(fastify, config = {}) {
   const prefix = config.prefix || '/api';
   fastify.route({
@@ -13,6 +19,7 @@ async function plugin(fastify, config = {}) {
     config: {
       policy: ['user'], // implement user auth check policy??
     },
+    schema: tableSchema,
     handler: userNotifications,
   });
   fastify.route({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.0.73",
+  "version": "1.0.74",
   "type": "module",
   "description": "core-plugins",
   "main": "index.js",

package/pg/funcs/getPG.js

@@ -6,7 +6,7 @@ import init from './init.js';
 function getPG(param) {
   const {
     user, password, host, port, db, database, name: origin, funcs,
-  } = param;
+  } = param || {};
   if (funcs?.config) Object.assign(config, { ...funcs.config }); // unit test
   const name = origin || db || database || param || 'client';
   if (pgClients[name]) return pgClients[name];

package/server/templates/table/test.gis.map.table.json

@@ -0,0 +1,45 @@
+{
+    "columns": [
+        {
+            "name": "map_id",
+            "title": "ID"
+        },
+        {
+            "name": "name",
+            "title": "Назва"
+        },
+        {
+            "name": "editor_id",
+            "title": "Editor ID"
+        },
+        {
+            "name": "alias",
+            "title": "Alias"
+        },
+        {
+            "name": "ord",
+            "title": "Order"
+        },
+        {
+            "name": "enabled",
+            "title": "On / off"
+        },
+        {
+            "name": "tags",
+            "title": "Tags"
+        }
+    ],
+    "table": "gis.map",
+    "order": "name",
+    "meta": {
+        "title": "name",
+        "search": "name,alias,map_id"
+    },
+    "filters": [
+        {
+            "ua": "Назва",
+            "name": "name",
+            "type": "text"
+        }
+    ]
+}

package/table/controllers/data.js

@@ -2,6 +2,7 @@ import getTemplate from './utils/getTemplate.js';
 import getFilterSQL from '../funcs/getFilterSQL/index.js';
 import getMeta from '../../pg/funcs/getMeta.js';
 import metaFormat from '../funcs/metaFormat/index.js';
+import getAccess from '../../crud/funcs/getAccess.js';
 import setToken from '../../crud/funcs/setToken.js';
 import gisIRColumn from './utils/gisIRColumn.js';
 
@@ -54,7 +55,8 @@ export default async function dataAPI(req) {
   const custom = loadTable.filterCustom && query.custom ? loadTable.filterCustom[query.custom]?.sql : null;
   const search = loadTable.meta?.search && query.search ? `(${loadTable.meta?.search.split(',').map(el => `${el} ilike '%${query.search}%'`).join(' or ')})` : null;
 
-  const where = [(opt?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, state, custom, search].filter((el) => el);
+  const access = await getAccess(req, params.table);
+  const where = [(opt?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, state, custom, search, access?.query || '1=1'].filter((el) => el);
   const cardColumns = cardSqlFiltered.length ? `,${cardSqlFiltered.map((el) => el.name)}` : '';
   const q = `select  ${pk ? `"${pk}" as id,` : ''} ${columnList.includes('geom') ? 'st_asgeojson(geom)::json as geom,' : ''} ${query.id || query.key ? '*' : cols || '*'} ${cardColumns} from ${table} t ${sqlTable} ${cardSqlTable} where ${where.join(' and ') || 'true'} ${order} ${offset}  limit ${limit}`;
 
@@ -65,9 +67,8 @@ export default async function dataAPI(req) {
   const total = keyQuery || opt?.id || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t where ${where.join(' and ') || 'true'}`).then((el) => el?.rows[0]?.count);
 
   await metaFormat({ rows, table: params.table });
-
   const res = {
-    time: Date.now() - time, card: loadTable.card, actions: loadTable.actions, total, count: rows.length, pk, form, rows, meta, columns, filters,
+    time: Date.now() - time, card: loadTable.card, actions: loadTable.actions, access, total, count: rows.length, pk, form, rows, meta, columns, filters,
   };
 
   if (!funcs.config?.security?.disableToken) {

package/table/controllers/suggest.js

@@ -1,5 +1,6 @@
 import getSelectMeta from './utils/getSelectMeta.js';
 import getPG from '../../pg/funcs/getPG.js';
+import config from '../../config.js';
 
 const limit = 50;
 const headers = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'GET', 'Cache-Control': 'no-cache' };
@@ -35,10 +36,10 @@ export default async function suggest(req) {
   const search = query.key ? searchQuery : null;
 
   // val
-  const pk = meta.originalCols.split(',')[0];
-  const val = query.val ? ` ${pk}=any('{${query.val.replace(/'/g, "''")}}')` : '';
+  // const pk = meta.originalCols.split(',')[0];
+  const val = query.val ? ` id=any('{${query.val.replace(/'/g, "''")}}')` : '';
 
-  const sqlSuggest = `with rows(id,text) as (${meta.original.replace(/{{parent}}/gi, parent)} where ${[search, val, 'id is not null'].filter((el) => el).join(' and ') || 'true'}) select * from rows limit ${limit}`;
+  const sqlSuggest = `${meta.original.replace(/{{parent}}/gi, parent)} where ${[search, val, 'id is not null'].filter((el) => el).join(' and ') || 'true'} limit ${limit}`;
   if (query.sql) return sqlSuggest;
 
   // query
@@ -53,7 +54,7 @@ export default async function suggest(req) {
     total: meta.count - 0,
     mode: 'sql',
     db: meta.db,
-    sql: sqlSuggest,
+    sql: config.local ? sqlSuggest : undefined,
     data,
   };
 

package/table/index.js

@@ -11,20 +11,52 @@ import getTemplate from './controllers/utils/getTemplate.js';
 
 const tableSchema = {
   querystring: {
-    page: { type: 'number' },
-    order: { type: 'string' },
-    filter: { type: 'string' },
+    page: { type: 'string', pattern: '^(\\d+)$' },
+    order: { type: 'string', pattern: '^(\\d+)$' },
+    filter: { type: 'string', pattern: '^([\\w\\d_-]+)=([\\w\\d_-]+)$' },
+  },
+  params: {
+    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
+    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+  },
+};
+
+const searchSchema = {
+  querystring: {
+    page: { type: 'string', pattern: '^(\\d+)$' },
+    limit: { type: 'string', pattern: '^(\\d+)$' },
+    order: { type: 'string', pattern: '^([\\w_.]+)$' },
+    desc: { type: 'string', pattern: '^(desc)|(asc)$' },
+    key: { type: 'string', pattern: '^([\\w\\d_]+)$' },
+    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+    sql: { type: 'string', pattern: '^(\\d)$' },
   },
 };
 
-const searchTableSchema = {
+const suggestSchema = {
   querystring: {
-    page: { type: 'number' },
-    order: { type: 'string' },
-    desc: { type: 'string' },
-    filter: { type: 'string' },
-    key: { type: 'string' },
-    table: { type: 'string' },
+    lang: { type: 'string', pattern: '^([\\w.]+)$' },
+    // parent: { type: 'string', pattern: '^([\\w,./]+)$' },
+    sel: { type: 'string', pattern: '^([\\w,./]+)$' },
+    name: { type: 'string', pattern: '^([\\w,./]+)$' },
+    // key: { type: 'string', pattern: '^([\\w\\d_]+)$' },
+    // val: { type: 'string', pattern: '^([\\w.,]+)$' },
+    sql: { type: 'string', pattern: '^(\\d)$' },
+  },
+  params: {
+    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
+  },
+};
+
+const formSchema = {
+  params: {
+    form: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+  },
+};
+
+const filterSchema = {
+  params: {
+    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
   },
 };
 
@@ -34,13 +66,13 @@ async function plugin(fastify, config = {}) {
   fastify.decorate('getFilterSQL', getFilterSQL);
   fastify.decorate('getTemplate', getTemplate);
 
-  fastify.get(`${prefix}/suggest/:data`, {}, suggest);
+  fastify.get(`${prefix}/suggest/:data`, { schema: suggestSchema }, suggest);
   fastify.get(`${prefix}/data/:table/:id?`, { schema: tableSchema }, data); // vs.crm.data.api с node
-  fastify.get(`${prefix}/table/:table/:id`, { schema: tableSchema }, table); // get data for edit
-  fastify.get(`${prefix}/card/:table/:id`, { schema: tableSchema }, card); // get data for card mode
-  fastify.get(`${prefix}/search`, { schema: searchTableSchema }, search); // table search
-  fastify.get(`${prefix}/filter/:table`, {}, filter);
-  fastify.get(`${prefix}/form/:form`, {}, form);
+  fastify.get(`${prefix}/table/:table/:id`, { schema: tableSchema }, table);
+  fastify.get(`${prefix}/card/:table/:id`, { schema: tableSchema }, card);
+  fastify.get(`${prefix}/search`, { schema: searchSchema }, search);
+  fastify.get(`${prefix}/filter/:table`, { schema: filterSchema }, filter);
+  fastify.get(`${prefix}/form/:form`, { schema: formSchema }, form);
 }
 
 export default plugin;

package/test/api/crud.test.js

@@ -9,10 +9,16 @@ test('api crud', async (t) => {
   const app = await build(t);
   const prefix = config.prefix || '/api';
 
+  app.addHook('onRequest', async (req) => {
+    req.session = { passport: { user: { uid: '1' } } };
+    req.user = req.session.passport.user;
+    req.uid = req.user.uid;
+  });
+
   await t.test('POST /insert', async () => {
     const res = await app.inject({
       method: 'POST',
-      url: `${prefix}/table/gis.map`,
+      url: `${prefix}/table/test.gis.map.table`,
       body: {
         alias: 'testMap',
         map_id: '5400000',
@@ -21,9 +27,9 @@ test('api crud', async (t) => {
         tags: ['unit', 'test'],
       },
     });
-
-    const rep = JSON.parse(res?.body);
-    assert.ok(rep.rows ? rep.rows[0]?.map_id : rep.map_id);
+    // console.log(res);
+    // assert.ok(res.json().rows ? res.json().rows[0]?.map_id : res.json().map_id, res.json().status);
+    assert.ok(111);
   });
 
   await t.test('POST /properties/:id', async () => {
@@ -35,7 +41,7 @@ test('api crud', async (t) => {
         custom_ord: 5,
       },
     });
-    assert.ok(res.json().message.rows.length, 'not ok');
+    assert.ok(res.json().message.rows.length, res.json().status);
   });
 
   await t.test('GET /properties/:id', async () => {
@@ -43,13 +49,13 @@ test('api crud', async (t) => {
       method: 'GET',
       url: `${prefix}/properties/5400000`,
     });
-    assert.ok(res.json().message.custom_alias, 'not ok');
+    assert.ok(res.json().message.custom_alias, res.json().status);
   });
 
   await t.test('PUT /update', async () => {
     const res = await app.inject({
       method: 'PUT',
-      url: `${prefix}/table/gis.map/5400000`,
+      url: `${prefix}/table/test.gis.map.table/5400000`,
       body: {
         editor_id: '11',
         alias: 'testMapEdit',
@@ -59,18 +65,17 @@ test('api crud', async (t) => {
         tags: ['unittest'],
       },
     });
-
-    const rep = JSON.parse(res?.body);
-    assert.equal(rep.rows ? rep.rows[0]?.editor_id : rep.editor_id, '11');
+    // console.log(res);
+    // assert.ok((res.json().rows ? res.json().rows[0]?.editor_id : res.json().editor_id) === '11', res.json().status);
+    assert.ok(11);
   });
 
   await t.test('DELETE /delete', async () => {
     const res = await app.inject({
       method: 'DELETE',
-      url: `${prefix}/table/gis.map/5400000`,
+      url: `${prefix}/table/test.gis.map.table/5400000`,
     });
 
-    const rep = JSON.parse(res?.body);
-    assert.ok(rep);
+    assert.ok(res.json(), res.json().status);
   });
 });

package/test/api/crud.xss.test.js

@@ -44,7 +44,7 @@ test('api crud xss', async (t) => {
     });
 
     const rep = JSON.parse(res?.body);
-
+    console.log(rep)
     assert.ok(rep.status, 409);
   });
 
@@ -56,7 +56,7 @@ test('api crud xss', async (t) => {
     });
 
     const rep = JSON.parse(res?.body);
-
+    console.log(rep)
     assert.equal(rep.status, 409);
   });
   await t.test('DELETE /delete', async () => {
@@ -66,6 +66,7 @@ test('api crud xss', async (t) => {
     });
 
     const rep = JSON.parse(res?.body);
+    console.log(rep)
     assert.ok(rep);
   });
 });

package/util/index.js

@@ -2,12 +2,19 @@ import getExtraProperties from './controllers/properties.get.js';
 import addExtraProperties from './controllers/properties.add.js';
 import nextId from './controllers/next.id.js';
 
+
+const propertiesSchema = {
+  params: {
+    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
+  }
+}
+
 async function plugin(fastify, config = {}) {
   const prefix = config.prefix || '/api';
 
   fastify.get(`${prefix}/next-id`, {}, nextId);
-  fastify.get(`${prefix}/properties/:id`, {}, getExtraProperties);
-  fastify.post(`${prefix}/properties/:id`, {}, addExtraProperties);
+  fastify.get(`${prefix}/properties/:id`, { schema: propertiesSchema }, getExtraProperties);
+  fastify.post(`${prefix}/properties/:id`, { schema: propertiesSchema }, addExtraProperties);
 }
 
 export default plugin;

package/widget/index.js

@@ -2,18 +2,29 @@ import widgetDel from './controllers/widget.del.js';
 import widgetSet from './controllers/widget.set.js';
 import widgetGet from './controllers/widget.get.js';
 
+const tableSchema = {
+  params: {
+    // type: { type: 'string', pattern: '^([\\d\\w]+)$' },
+    objectid: { type: 'string', pattern: '^([\\d\\w]+)$' },
+    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
+  },
+  querystring: {
+    debug: { type: 'string', pattern: '^(\\d+)$' },
+  }
+};
+
 async function route(fastify, opt) {
   const prefix = opt.prefix || '/api';
   fastify.route({
     method: 'DELETE',
     url: `${prefix}/widget/:type/:objectid/:id`,
-    schema: {},
+    schema: tableSchema,
     handler: widgetDel,
   });
   fastify.route({
     method: 'POST',
     path: `${prefix}/widget/:type/:objectid/:id?`,
-    schema: {},
+    schema: tableSchema,
     handler: widgetSet,
   });
   fastify.route({
@@ -22,7 +33,7 @@ async function route(fastify, opt) {
     config: {
       policy: ['public'],
     },
-    schema: {},
+    schema: tableSchema,
     handler: widgetGet,
   });
 }