npm - @opengis/fastify-table - Versions diffs - 1.1.126 → 1.1.127 - Mend

@opengis/fastify-table 1.1.126 → 1.1.127

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/server/migrations/roles.sql +2 -0
package/server/plugins/crud/funcs/getAccess.js +52 -52
package/server/plugins/policy/funcs/checkXSS.js +3 -11
package/server/routes/crud/index.js +22 -22

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.126",
+  "version": "1.1.127",
   "type": "module",
   "description": "core-plugins",
   "keywords": ["fastify", "table", "crud", "pg", "backend" ],

package/server/migrations/roles.sql CHANGED Viewed

@@ -124,6 +124,7 @@ ALTER TABLE admin.user_roles ADD COLUMN IF NOT EXISTS editor_date timestamp with
 ALTER TABLE admin.user_roles ADD COLUMN IF NOT EXISTS expiration date;
 ALTER TABLE admin.user_roles ADD COLUMN IF NOT EXISTS access_granted text;
 ALTER TABLE admin.user_roles ADD COLUMN IF NOT EXISTS access_granted_time timestamp without time zone;
+ALTER TABLE admin.user_roles ADD COLUMN IF NOT EXISTS actions text [];
 ALTER TABLE admin.user_roles ADD CONSTRAINT admin_user_roles_pkey PRIMARY KEY (ugr_id);
@@ -135,6 +136,7 @@ COMMENT ON COLUMN admin.user_roles.uid IS 'Користувач, який ств
 COMMENT ON COLUMN admin.user_roles.expiration IS 'закінчення терміну дії доступу до групи';
 COMMENT ON COLUMN admin.user_roles.access_granted IS 'Ідентифікатор користувача який надав доступ';
 COMMENT ON COLUMN admin.user_roles.access_granted_time IS 'Час коли надали доступ';
+COMMENT ON COLUMN admin.user_roles.actions IS 'Рівень доступу користувача в межах групи';
 CREATE INDEX IF NOT EXISTS admin_user_roles_access_user_uid_idx ON admin.user_roles USING btree (user_uid COLLATE pg_catalog."default");
 CREATE INDEX IF NOT EXISTS admin_user_roles_cdate_btree_idx ON admin.user_roles USING btree (cdate);

package/server/plugins/crud/funcs/getAccess.js CHANGED Viewed

@@ -1,52 +1,52 @@
-import pgClients from '../../pg/pgClients.js';
-import getTemplate from '../../table/funcs/getTemplate.js';
-import applyHook from '../../hook/funcs/applyHook.js';
-const q = `select a.route_id as id, coalesce(b.actions,array['view']) as "userActions", b.scope as "userScope"
-from admin.routes a
-left join admin.role_access b on
-  a.route_id=b.route_id
-left join admin.roles c on
-  b.role_id=c.role_id
-  and c.enabled
-left join admin.user_roles d on
-  c.role_id=d.role_id
-  and ( case when
-            d.expiration is not null
-            then d.expiration > CURRENT_DATE
-            else 1=1
-        end )
-where $1 in (a.route_id, a.alias, a.table_name) and $2 in (b.user_uid, d.user_uid)`;
-export default async function getAccess({ table, user = {} }) {
-  if (!table) return null;
-  const hookData = await applyHook('getAccess', { table, user });
-  if (hookData) return hookData;
-  const { uid, user_type: userType = 'regular' } = user;
-  if (userType.includes('admin')) {
-    return { actions: ['view', 'edit', 'add', 'del'], query: '1=1' };
-  }
-  const body = await getTemplate('table', table);
-  const tableActions = ['view'].concat(body?.actions || body?.action_default || []);
-  if (body?.public || body?.access === 'public') {
-    return { actions: tableActions, query: '1=1' };
-  }
-  if (body?.access === 'user' && uid) {
-    return { actions: tableActions, query: '1=1' };
-  }
-  const { userScope, userActions = [] } = uid
-    ? await pgClients.client.query(q, [table, uid]).then(el => el.rows?.[0] || {})
-    : {};
-  const query = uid && userScope === 'my' ? `uid='${uid}'` : '1=1';
-  const actions = userActions.filter((el => tableActions.includes(el)));
-  return { scope: userScope, actions, query };
-}
+import pgClients from '../../pg/pgClients.js';
+import getTemplate from '../../table/funcs/getTemplate.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+const q = `select a.route_id as id, coalesce(b.actions,array['view']) as "userActions", b.scope as "userScope"
+from admin.routes a
+left join admin.role_access b on
+  a.route_id=b.route_id
+left join admin.roles c on
+  b.role_id=c.role_id
+  and c.enabled
+left join admin.user_roles d on
+  c.role_id=d.role_id
+  and ( case when
+            d.expiration is not null
+            then d.expiration > CURRENT_DATE
+            else 1=1
+        end )
+where $1 in (a.route_id, a.alias, a.table_name) and $2 in (b.user_uid, d.user_uid)`;
+export default async function getAccess({ table, user = {} }) {
+  if (!table) return null;
+  const hookData = await applyHook('getAccess', { table, user });
+  if (hookData) return hookData;
+  const { uid, user_type: userType = 'regular' } = user;
+  if (userType.includes('admin')) {
+    return { actions: ['view', 'edit', 'add', 'del'], query: '1=1' };
+  }
+  const body = await getTemplate('table', table);
+  const tableActions = ['view'].concat(body?.actions || body?.action_default || []);
+  if (body?.public || body?.access === 'public') {
+    return { actions: tableActions, query: '1=1' };
+  }
+  if (body?.access === 'user' && uid) {
+    return { actions: tableActions, query: '1=1' };
+  }
+  const { userScope, userActions = [] } = uid
+    ? await pgClients.client.query(q, [table, uid]).then(el => el.rows?.[0] || {})
+    : {};
+  const query = uid && userScope === 'my' ? `uid='${uid}'` : '1=1';
+  const actions = userActions.filter((el => tableActions.includes(el)));
+  return { scope: userScope, actions, query };
+}

package/server/plugins/policy/funcs/checkXSS.js CHANGED Viewed

@@ -1,8 +1,6 @@
 import config from '../../../../config.js';
 import xssInjection from '../xssInjection.js';
-// RTE - rich text editor
 function checkXSS({ body, schema = {} }) {
   const data = typeof body === 'string' ? body : JSON.stringify(body);
   const stopWords = xssInjection.filter((el) => data.toLowerCase().includes(el));
@@ -11,7 +9,7 @@ function checkXSS({ body, schema = {} }) {
   const stopSpecialSymbols = data.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/gi);
   if (stopSpecialSymbols?.length) stopSpecialSymbols?.forEach((el) => stopWords.push(el));
-  // escape arrows on non-RTE
+  // escape arrows on non-rich text editor inputs
   const skipScreening = config.skipScreening || ['Summernote', 'Tiny', 'Ace', 'Texteditor'];
   Object.keys(body)
     .filter((key) => ['<', '>'].find((el) => body[key]?.includes?.(el))
@@ -20,23 +18,17 @@ function checkXSS({ body, schema = {} }) {
       Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
     });
-  // try { } catch (err) { return { error: err.toString() }; }
   if (!stopWords.length) return { body };
   const disabledCheckFields = Object.keys(schema || {})?.filter((el) => schema?.[el]?.xssCheck === false); // exclude specific columns
-  // check RTE
-  /* const richTextFields = Object.keys(schema).filter((el) => skipScreening.includes(schema[el]?.type));
-  richTextFields.filter((key) => !checkList.find((el) => body[key].includes(el)))?.forEach((key) => {
-    disabledCheckFields.push(key);
-  }); */
   const field = Object.keys(body)
     ?.find((key) => body[key]?.toLowerCase
         && !disabledCheckFields.includes(key)
+        && (skipScreening.includes(schema?.[key]?.type) ? stopWords.find(el => !['href=', 'src='].includes(el)) : true)
         && body[key].toLowerCase().includes(stopWords[0]));
   if (field) {
+    console.error(stopWords[0], field, body[field]);
     return { error: `rule: ${stopWords[0]} | attr: ${field} | val: ${body[field]}`, body };
   }
   return { body };

package/server/routes/crud/index.js CHANGED Viewed

@@ -1,22 +1,22 @@
-import update from './controllers/update.js';
-import insert from './controllers/insert.js';
-import deleteCrud from './controllers/deleteCrud.js';
-import table from './controllers/table.js';
-const tableSchema = {
-  params: {
-    id: { type: 'string', pattern: '^([\\d\\w]+)$' },
-    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
-  },
-};
-async function plugin(fastify, config = {}) {
-  const prefix = config.prefix || '/api';
-  const policy = ['public'];
-  fastify.put(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, update);
-  fastify.delete(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, deleteCrud);
-  fastify.post(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, insert);
-  fastify.get(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, table);
-}
-export default plugin;
+import update from './controllers/update.js';
+import insert from './controllers/insert.js';
+import deleteCrud from './controllers/deleteCrud.js';
+import table from './controllers/table.js';
+const tableSchema = {
+  params: {
+    id: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+    table: { type: 'string', pattern: '^([\\w\\d_.]+)$' },
+  },
+};
+async function plugin(fastify, config = {}) {
+  const prefix = config.prefix || '/api';
+  const policy = ['public'];
+  fastify.put(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, update);
+  fastify.delete(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, deleteCrud);
+  fastify.post(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, insert);
+  fastify.get(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, table);
+}
+export default plugin;