@opengis/fastify-table 1.1.48 → 1.1.49

package/Changelog.md

@@ -1,9 +1,9 @@
 # fastify-table
 
-## 1.1.46 - 22.10.2024
+## 1.1.49 - 22.10.2024
 
 - addHook params refactor
-- add handlebars to utils
+- add getFolder, handlebars to utils
 - refactor getAccess for CRUD
 
 ## 1.1.40 - 18.10.2024

package/README.md

@@ -1,26 +1,26 @@
-# fastify-table
-
-[![NPM version](https://img.shields.io/npm/v/@opengis/fastify-table)](https://www.npmjs.com/package/@opengis/fastify-table)
-[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)
-
-It standardizes the entire form building process, while taking care of everything from rendering to validation and processing:
-
-- pg
-- redis
-- crud
-
-## Install
-
-```bash
-npm i @opengis/fastify-table
-```
-
-## Usage
-
-```js
-fastify.register(import('@opengis/fastify-table'), config);
-```
-
-## Documenation
-
-For a detailed understanding fastify-table, its features, and how to use them, refer to our [Documentation](https://apidocs.softpro.ua/gis.storage/).
+# fastify-table
+
+[![NPM version](https://img.shields.io/npm/v/@opengis/fastify-table)](https://www.npmjs.com/package/@opengis/fastify-table)
+[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)
+
+It standardizes the entire form building process, while taking care of everything from rendering to validation and processing:
+
+- pg
+- redis
+- crud
+
+## Install
+
+```bash
+npm i @opengis/fastify-table
+```
+
+## Usage
+
+```js
+fastify.register(import('@opengis/fastify-table'), config);
+```
+
+## Documenation
+
+For a detailed understanding fastify-table, its features, and how to use them, refer to our [Documentation](https://apidocs.softpro.ua/gis.storage/).

package/config.js

@@ -1,10 +1,10 @@
-import fs from 'fs';
-
-const fileName = ['config.json', '/data/local/config.json'].find(el => (fs.existsSync(el) ? el : null));
-const config = fileName ? JSON.parse(fs.readFileSync(fileName)) : {};
-
-Object.assign(config, {
-  allTemplates: config?.allTemplates || {},
-});
-
-export default config;
+import fs from 'fs';
+
+const fileName = ['config.json', '/data/local/config.json'].find(el => (fs.existsSync(el) ? el : null));
+const config = fileName ? JSON.parse(fs.readFileSync(fileName)) : {};
+
+Object.assign(config, {
+  allTemplates: config?.allTemplates || {},
+});
+
+export default config;

package/cron/controllers/cronApi.js

@@ -1,22 +1,22 @@
-import cronList from './utils/cronList.js';
-
-export default async function cronApi(req) {
-  const {
-    params = {}, user = {}, hostname,
-  } = req;
-
-  if ((!user.uid || !user.user_type?.includes('admin')) && !hostname?.includes('localhost')) {
-    return { message: 'access restricted', status: 403 };
-  }
-
-  if (params.name === 'list') {
-    return { data: Object.keys(cronList || {}) };
-  }
-
-  if (!cronList[params.name]) {
-    return { message: `cron not found: ${params.name}`, status: 404 };
-  }
-
-  const result = await cronList[params.name](req);
-  return result;
-}
+import cronList from './utils/cronList.js';
+
+export default async function cronApi(req) {
+  const {
+    params = {}, user = {}, hostname,
+  } = req;
+
+  if ((!user.uid || !user.user_type?.includes('admin')) && !hostname?.includes('localhost')) {
+    return { message: 'access restricted', status: 403 };
+  }
+
+  if (params.name === 'list') {
+    return { data: Object.keys(cronList || {}) };
+  }
+
+  if (!cronList[params.name]) {
+    return { message: `cron not found: ${params.name}`, status: 404 };
+  }
+
+  const result = await cronList[params.name](req);
+  return result;
+}

package/cron/controllers/utils/cronList.js

@@ -1 +1 @@
-export default {};
+export default {};

package/cron/index.js

@@ -1,10 +1,10 @@
-import cronApi from './controllers/cronApi.js';
-import addCron from './funcs/addCron.js';
-
-async function plugin(fastify, config = {}) {
-  const prefix = config.prefix || '/api';
-  fastify.decorate('addCron', addCron);
-  fastify.get(`${prefix}/cron/:name`, {}, cronApi);
-}
-
-export default plugin;
+import cronApi from './controllers/cronApi.js';
+import addCron from './funcs/addCron.js';
+
+async function plugin(fastify, config = {}) {
+  const prefix = config.prefix || '/api';
+  fastify.decorate('addCron', addCron);
+  fastify.get(`${prefix}/cron/:name`, {}, cronApi);
+}
+
+export default plugin;

package/crud/controllers/deleteCrud.js

@@ -1,5 +1,5 @@
 import {
-  dataDelete, getTemplate, getAccess, applyHook, getToken, config,
+  dataDelete, getTemplate, getAccess, applyHook,
 } from '../../utils.js';
 
 export default async function deleteCrud(req) {
@@ -11,18 +11,13 @@ export default async function deleteCrud(req) {
     return { message: hookData?.message, status: hookData?.status };
   }
 
-  const tokenData = await getToken({
-    uid: user.uid, token: params.table, mode: 'w', json: 1,
-  });
-
-  const { table: del, id } = hookData || tokenData || (config.auth?.disable ? req.params : {});
-  const { actions = [] } = await getAccess({ table: del, id, user }) || {};
+  const { table: del, id } = hookData || req.params || {};
+  const { actions = [], scope, my } = await getAccess({ table: del, id, user }) || {};
 
-  if (!actions.includes('del')) {
+  if (!actions.includes('del') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };
   }
   const loadTemplate = await getTemplate('table', del);
-
   const { table } = loadTemplate || hookData || req.params || {};
 
   if (!table) return { status: 404, message: 'table is required' };

package/crud/controllers/insert.js

@@ -1,5 +1,5 @@
 import {
-  applyHook, getAccess, getTemplate, checkXSS, dataInsert, getToken, config,
+  applyHook, getAccess, getTemplate, checkXSS, dataInsert,
 } from '../../utils.js';
 
 export default async function insert(req) {
@@ -10,22 +10,21 @@ export default async function insert(req) {
   if (hookData?.message && hookData?.status) {
     return { message: hookData?.message, status: hookData?.status };
   }
-  const tokenData = await getToken({
-    uid: user.uid, token: params.table, mode: 'a', json: 1,
-  });
 
-  const { form, table: add } = hookData || tokenData || (config.auth?.disable ? req.params : {});
+  const { form, table: add } = hookData || req.params || {};
 
   const { actions = [] } = await getAccess({ table: add, user }) || {};
 
-  if (!actions.includes('add')) return { message: 'access restricted', status: 403 };
+  if (!actions.includes('edit')) {
+    return { message: 'access restricted', status: 403 };
+  }
 
   if (!add) {
     return { message: 'table is required', status: 400 };
   }
 
   const loadTemplate = await getTemplate('table', add);
-  const { table } = loadTemplate || hookData || req.params || {};
+  const { table, public: ispublic } = loadTemplate || hookData || req.params || {};
   if (!table) {
     return { message: 'table not found', status: 404 };
   }
@@ -39,7 +38,7 @@ export default async function insert(req) {
     return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
   }
 
-  const uid = user?.uid;
+  const uid = ispublic ? (user?.uid || '1') : user?.uid;
   if ((add || table) !== 'admin.users') {
     Object.assign(body, { uid, editor_id: uid });
   }

package/crud/controllers/update.js

@@ -1,26 +1,23 @@
 import {
-  pgClients, applyHook, getAccess, getTemplate, checkXSS, dataInsert, dataUpdate, logger, getToken,
+  pgClients, applyHook, getAccess, getTemplate, checkXSS, dataInsert, dataUpdate,
 } from '../../utils.js';
-import config from '../../config.js';
 
 export default async function update(req) {
-  const { user, params = {}, body = {} } = req;
+  const {
+    user, params = {}, body = {},
+  } = req || {};
   const hookData = await applyHook('preUpdate', {
     table: params?.table, id: params?.id, user,
   });
-
   if (hookData?.message && hookData?.status) {
     return { message: hookData?.message, status: hookData?.status };
   }
-  const tokenData = await getToken({
-    uid: user.uid, token: body.token || params.table, mode: 'w', json: 1,
-  });
 
-  const { form, table: edit, id } = hookData || tokenData || (config.auth?.disable ? params : {});
+  const { form, table: edit, id } = hookData || req.params;
 
-  const { actions = [] } = await getAccess({ table: edit, id, user }) || {};
+  const { actions = [], scope, my } = await getAccess({ table: edit, id, user }) || {};
 
-  if (!actions.includes('edit')) {
+  if (!actions.includes('edit') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };
   }
 
@@ -33,16 +30,16 @@ export default async function update(req) {
   }
 
   const loadTemplate = await getTemplate('table', edit);
-  const { table } = loadTemplate || hookData || params || {};
+  const { table, public: ispublic } = loadTemplate || hookData || req.params || {};
 
-  const uid = user?.uid;
+  const uid = ispublic ? (user?.uid || '1') : user?.uid;
 
   const formData = form || loadTemplate?.form ? await getTemplate('form', form || loadTemplate?.form) : {};
 
   const xssCheck = checkXSS({ body, schema: formData?.schema || formData });
 
   if (xssCheck.error && formData?.xssCheck !== false) {
-    logger.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
     return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
   }
 

package/crud/controllers/utils/xssInjection.js

@@ -1,72 +1,72 @@
-const xssInjection = [
-  'onkeypress=',
-  'onkeyup=',
-  'ondblclick=',
-  'onerror=',
-  'onmouseover=',
-  '<meta',
-  '<script',
-  'vascript:',
-  'onkeydown=',
-  'onmousedown=',
-  'onmouseenter=',
-  'onmouseleave=',
-  'onmousemove=',
-  'onmouseout=',
-  'onmouseup=',
-  'onmousewheel=',
-  'onpaste=',
-  'onscroll=',
-  'onwheel=',
-  'javascript:',
-  '\\x',
-  'eval(',
-  'onmouseover=',
-  'action=',
-  'xlink:',
-  'allowscriptaccess',
-  'href=',
-  'behavior:',
-  'onreadystatechange=',
-  'onstart=',
-  'offline=',
-  'onabort=',
-  'onafterprint=',
-  'onbeforeonload=',
-  'onbeforeprint=',
-  'onblur=',
-  'oncanplay=',
-  'oncanplaythrough=',
-  'onchange=',
-  'onclick=',
-  'oncontextmenu=',
-  'ondblclick=',
-  'ondrag=',
-  'ondragend=',
-  'ondragenter=',
-  'ondragleave=',
-  'ondragover=',
-  'ondragstart=',
-  'ondrop=',
-  'ondurationchange=',
-  'onemptied=',
-  'onended=',
-  'onerror=',
-  'onfocus=',
-  'onformchange=',
-  'onforminput=',
-  'onhaschange=',
-  'oninput=',
-  'oninvalid=',
-  'onkeydown=',
-  'onkeypress=',
-  'onkeyup=',
-  'onload=',
-  'onloadeddata=',
-  'onloadedmetadata=',
-  'onloadstart=',
-  'alert(',
-  'script:',
-];
-
-export default xssInjection;
+const xssInjection = [
+  'onkeypress=',
+  'onkeyup=',
+  'ondblclick=',
+  'onerror=',
+  'onmouseover=',
+  '<meta',
+  '<script',
+  'vascript:',
+  'onkeydown=',
+  'onmousedown=',
+  'onmouseenter=',
+  'onmouseleave=',
+  'onmousemove=',
+  'onmouseout=',
+  'onmouseup=',
+  'onmousewheel=',
+  'onpaste=',
+  'onscroll=',
+  'onwheel=',
+  'javascript:',
+  '\\x',
+  'eval(',
+  'onmouseover=',
+  'action=',
+  'xlink:',
+  'allowscriptaccess',
+  'href=',
+  'behavior:',
+  'onreadystatechange=',
+  'onstart=',
+  'offline=',
+  'onabort=',
+  'onafterprint=',
+  'onbeforeonload=',
+  'onbeforeprint=',
+  'onblur=',
+  'oncanplay=',
+  'oncanplaythrough=',
+  'onchange=',
+  'onclick=',
+  'oncontextmenu=',
+  'ondblclick=',
+  'ondrag=',
+  'ondragend=',
+  'ondragenter=',
+  'ondragleave=',
+  'ondragover=',
+  'ondragstart=',
+  'ondrop=',
+  'ondurationchange=',
+  'onemptied=',
+  'onended=',
+  'onerror=',
+  'onfocus=',
+  'onformchange=',
+  'onforminput=',
+  'onhaschange=',
+  'oninput=',
+  'oninvalid=',
+  'onkeydown=',
+  'onkeypress=',
+  'onkeyup=',
+  'onload=',
+  'onloadeddata=',
+  'onloadedmetadata=',
+  'onloadstart=',
+  'alert(',
+  'script:',
+];
+
+export default xssInjection;

package/crud/funcs/getAccess.js

@@ -1,8 +1,7 @@
-// import getMeta from '../../pg/funcs/getMeta.js';
+import getMeta from '../../pg/funcs/getMeta.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
 import config from '../../config.js';
 import pgClients from '../../pg/pgClients.js';
-import applyHook from '../../hook/funcs/applyHook.js';
 
 const q = `select a.route_id as id, coalesce(b.actions,array['get']) as actions, b.scope 
 from admin.routes a 
@@ -20,24 +19,38 @@ left join admin.user_roles d on
         end )
 where $1 in (a.route_id, a.alias) and $2 in (b.user_uid, d.user_uid)`;
 
-export default async function getAccess({ table, user = {} }) {
-  if (!table) return null;
+export default async function getAccess({ table, id, user }) {
+  const { client: pg } = pgClients || {};
+  const { uid, user_type: userType } = user || {};
 
-  const hookData = await applyHook('getAccess', { table, user });
-  if (hookData) return hookData;
+  if (!table || !pg.pk?.['admin.access']) return null;
 
-  const { uid } = user;
   const body = await getTemplate('table', table) || {};
 
-  if (config.auth?.disable || user?.user_type?.includes('admin') || body?.public || body.access === 'public' || (body.access === 'user' && user.uid)) {
-    return { actions: ['get'].concat(body.actions || body.action_default || []), query: '1=1' };
+  if (config.auth?.disable || user?.user_type?.includes('admin') || body?.public) {
+    return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
   }
 
   if (!uid || !body?.table) return null;
 
-  const { scope, actions = [] } = await pgClients.client.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
+  const { scope = 'my', actions = [] } = await pg.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
+
+  const { columns = [] } = await getMeta({ table: body?.table });
+
+  const query = userType?.includes('admin') ? '1=1' : {
+    my: `uid='${uid}'`,
+    responsible: columns.map((el) => el?.name || el).includes('responsible_id')
+      ? `responsible_id='${uid}'`
+      : `uid='${uid}'`,
+    all: '1=1',
+  }[scope];
+
+  const { my } = pg.pk?.[body?.table] && id
+    ? await pg.query(`select uid=$1 as my from ${body?.table} where ${pg.pk?.[body?.table]}=$2`, [uid, id])
+      .then((res) => res.rows?.[0] || {})
+    : {};
 
   return {
-    scope, actions, query: scope === 'my' ? `uid='${uid}` : null,
+    scope, actions, query, my,
   };
 }

package/crud/funcs/getToken.js

@@ -1,27 +1,27 @@
-import getRedis from '../../redis/funcs/getRedis.js';
-import config from '../../config.js';
-
-function sprintf(str, ...args) {
-  return str.replace(/%s/g, () => args.shift());
-}
-
-const keys = {
-  r: '%s:token:view:%s',
-  a: '%s:token:add:%s',
-  w: '%s:token:edit:%s',
-  e: '%s:token:exec:%s',
-};
-
-async function getToken({
-  uid, token, mode = 'r', json,
-}) {
-  if (mode === 'r') return token;
-
-  const rclient = getRedis({ db: 0 });
-
-  const key = sprintf(keys[mode], config?.pg?.database, uid?.toString());
-  const id = await rclient.hget(key, token);
-  return json && id?.[0] === '{' ? JSON.parse(id) : id;
-}
-
-export default getToken;
+import getRedis from '../../redis/funcs/getRedis.js';
+import config from '../../config.js';
+
+function sprintf(str, ...args) {
+  return str.replace(/%s/g, () => args.shift());
+}
+
+const keys = {
+  r: '%s:token:view:%s',
+  a: '%s:token:add:%s',
+  w: '%s:token:edit:%s',
+  e: '%s:token:exec:%s',
+};
+
+async function getToken({
+  uid, token, mode = 'r', json,
+}) {
+  if (mode === 'r') return token;
+
+  const rclient = getRedis({ db: 0 });
+
+  const key = sprintf(keys[mode], config?.pg?.database, uid?.toString());
+  const id = await rclient.hget(key, token);
+  return json && id?.[0] === '{' ? JSON.parse(id) : id;
+}
+
+export default getToken;

package/crud/funcs/isFileExists.js

@@ -1,13 +1,13 @@
-import { access } from 'fs/promises';
-
-const isFileExists = async (filepath) => {
-  try {
-    await access(filepath);
-    return true;
-  }
-  catch (err) {
-    return false;
-  }
-};
-
-export default isFileExists;
+import { access } from 'fs/promises';
+
+const isFileExists = async (filepath) => {
+  try {
+    await access(filepath);
+    return true;
+  }
+  catch (err) {
+    return false;
+  }
+};
+
+export default isFileExists;