@rpcbase/server 0.476.0 → 0.478.0

package/dist/{handler-DEEir2xV.js → handler-BOTZftAB.js}

@@ -1,8 +1,8 @@
 import { loadModel, getTenantFilesystemDb } from "@rpcbase/db";
 import { GridFSBucket, ObjectId } from "mongodb";
-import { g as getTenantId, a as getModelCtx, b as getOwnershipSelector, e as ensureUploadIndexes, c as getBucketName, d as getUserId, f as getChunkSizeBytes, h as getSessionTtlMs, i as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, j as getMaxClientUploadBytesPerSecond, k as getRawBodyLimitBytes } from "./shared-Chfrv8o6.js";
+import { g as getTenantId, a as getModelCtx, b as buildUploadsAbility, c as getUploadSessionAccessQuery, e as ensureUploadIndexes, d as getBucketName, f as getUserId, h as getChunkSizeBytes, i as getSessionTtlMs, j as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, k as getMaxClientUploadBytesPerSecond, l as getRawBodyLimitBytes } from "./shared-UGuDRAKK.js";
 import { randomBytes } from "node:crypto";
-import { o as object, n as number, s as string, b as boolean, a as array, _ as _enum } from "./schemas-DI7ewltq.js";
+import { o as object, n as number, s as string, b as boolean, a as array, _ as _enum } from "./schemas-D5T9tDtI.js";
 const waitForStreamFinished = async (stream) => new Promise((resolve, reject) => {
   stream.once("finish", resolve);
   stream.once("error", reject);
@@ -37,7 +37,8 @@ const abortUploadStream = async (stream) => {
     }
   }
   try {
-    stream.destroy();
+    ;
+    stream.destroy?.();
   } catch {
   }
 };
@@ -57,21 +58,21 @@ const completeUpload = async (_payload, ctx) => {
     loadModel("RBUploadSession", modelCtx),
     loadModel("RBUploadChunk", modelCtx)
   ]);
-  const existing = await UploadSession.findOne({ _id: uploadId }).lean();
+  const ability = buildUploadsAbility(ctx, tenantId);
+  if (!ability.can("update", "RBUploadSession")) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  const existing = await UploadSession.findOne({ $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "read")] }).lean();
   if (!existing) {
     ctx.res.status(404);
     return { ok: false, error: "not_found" };
   }
-  const ownershipSelector = getOwnershipSelector(ctx, existing);
-  if (!ownershipSelector) {
-    ctx.res.status(401);
-    return { ok: false, error: "unauthorized" };
-  }
   if (existing.status === "done" && existing.fileId) {
     return { ok: true, fileId: existing.fileId };
   }
   const locked = await UploadSession.findOneAndUpdate(
-    { _id: uploadId, ...ownershipSelector, status: "uploading" },
+    { $and: [{ _id: uploadId }, { status: "uploading" }, getUploadSessionAccessQuery(ability, "update")] },
     { $set: { status: "assembling" }, $unset: { error: "" } },
     { new: true }
   ).lean();
@@ -84,7 +85,7 @@ const completeUpload = async (_payload, ctx) => {
   const nativeDb = fsDb.db;
   if (!nativeDb) {
     await UploadSession.updateOne(
-      { _id: uploadId, ...ownershipSelector },
+      { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
       { $set: { status: "error", error: "filesystem_db_unavailable" } }
     );
     ctx.res.status(500);
@@ -106,8 +107,7 @@ const completeUpload = async (_payload, ctx) => {
     const cursor = UploadChunk.find({ uploadId }).sort({ index: 1 }).cursor();
     let expectedIndex = 0;
     try {
-      for await (const doc of cursor) {
-        const chunkDoc = doc;
+      for await (const chunkDoc of cursor) {
         if (chunkDoc.index !== expectedIndex) {
           throw new Error("missing_chunks");
         }
@@ -131,7 +131,7 @@ const completeUpload = async (_payload, ctx) => {
       throw new Error("missing_file_id");
     }
     await UploadSession.updateOne(
-      { _id: uploadId, ...ownershipSelector },
+      { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
       { $set: { status: "done", fileId }, $unset: { error: "" } }
     );
     try {
@@ -144,14 +144,14 @@ const completeUpload = async (_payload, ctx) => {
     await abortUploadStream(uploadStream);
     if (message === "missing_chunks") {
       await UploadSession.updateOne(
-        { _id: uploadId, ...ownershipSelector },
+        { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
         { $set: { status: "uploading" } }
       );
       ctx.res.status(409);
       return { ok: false, error: "missing_chunks" };
     }
     await UploadSession.updateOne(
-      { _id: uploadId, ...ownershipSelector },
+      { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
       { $set: { status: "error", error: message } }
     );
     ctx.res.status(500);
@@ -174,21 +174,21 @@ const getStatus = async (_payload, ctx) => {
     loadModel("RBUploadSession", modelCtx),
     loadModel("RBUploadChunk", modelCtx)
   ]);
-  const session = await UploadSession.findOne({ _id: uploadId }).lean();
+  const ability = buildUploadsAbility(ctx, tenantId);
+  if (!ability.can("read", "RBUploadSession")) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  const session = await UploadSession.findOne({ $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "read")] }).lean();
   if (!session) {
     ctx.res.status(404);
     return { ok: false, error: "not_found" };
   }
-  const ownershipSelector = getOwnershipSelector(ctx, session);
-  if (!ownershipSelector) {
-    ctx.res.status(401);
-    return { ok: false, error: "unauthorized" };
-  }
   const receivedDocs = await UploadChunk.find(
     { uploadId },
     { index: 1, _id: 0 }
   ).sort({ index: 1 }).lean();
-  const received = receivedDocs.map((d) => Number(d?.index ?? -1)).filter((n) => Number.isInteger(n) && n >= 0);
+  const received = receivedDocs.map((doc) => typeof doc.index === "number" ? doc.index : -1).filter((n) => Number.isInteger(n) && n >= 0);
   return {
     ok: true,
     status: session.status,
@@ -294,16 +294,16 @@ const uploadChunk = async (payload, ctx) => {
     loadModel("RBUploadSession", modelCtx),
     loadModel("RBUploadChunk", modelCtx)
   ]);
-  const session = await UploadSession.findOne({ _id: uploadId }).lean();
+  const ability = buildUploadsAbility(ctx, tenantId);
+  if (!ability.can("update", "RBUploadSession")) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  const session = await UploadSession.findOne({ $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] }).lean();
   if (!session) {
     ctx.res.status(404);
     return { ok: false, error: "not_found" };
   }
-  const ownershipSelector = getOwnershipSelector(ctx, session);
-  if (!ownershipSelector) {
-    ctx.res.status(401);
-    return { ok: false, error: "unauthorized" };
-  }
   if (session.status !== "uploading") {
     ctx.res.status(409);
     return { ok: false, error: "not_uploading" };

package/dist/{handler-BITFtEr_.js → handler-B_mMDLBO.js}

@@ -1,6 +1,7 @@
 import { loadModel } from "@rpcbase/db";
+import { buildAbilityFromSession, getAccessibleByQuery } from "@rpcbase/db/acl";
 import { createNotification, sendNotificationsDigestForUser } from "./notifications.js";
-import { o as object, b as boolean, n as number, a as array, s as string, r as record, u as unknown, _ as _enum } from "./schemas-DI7ewltq.js";
+import { o as object, b as boolean, n as number, a as array, s as string, r as record, u as unknown, _ as _enum } from "./schemas-D5T9tDtI.js";
 const getSessionUser = (ctx) => {
   const rawSessionUser = ctx.req.session?.user;
   const userId = typeof rawSessionUser?.id === "string" ? rawSessionUser.id.trim() : "";
@@ -123,6 +124,11 @@ const listNotifications = async (payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("read", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const parsed = listRequestSchema.safeParse(payload);
   if (!parsed.success) {
     ctx.res.status(400);
@@ -137,33 +143,31 @@ const listNotifications = async (payload, ctx) => {
   const settings = await SettingsModel.findOne({ userId }).lean();
   const disabledTopics = buildDisabledTopics(settings, "inApp");
   const NotificationModel = await loadModel("RBNotification", ctx);
-  const query = { userId };
-  if (!includeArchived) {
-    query.archivedAt = { $exists: false };
-  }
-  if (unreadOnly) {
-    query.readAt = { $exists: false };
-  }
-  if (disabledTopics.length > 0) {
-    query.topic = { $nin: disabledTopics };
-  }
+  const queryFilters = [
+    { userId },
+    getAccessibleByQuery(ability, "read", "RBNotification")
+  ];
+  if (!includeArchived) queryFilters.push({ archivedAt: { $exists: false } });
+  if (unreadOnly) queryFilters.push({ readAt: { $exists: false } });
+  if (disabledTopics.length > 0) queryFilters.push({ topic: { $nin: disabledTopics } });
+  const query = { $and: queryFilters };
   const notifications = await NotificationModel.find(query).sort({ createdAt: -1 }).limit(limit).lean();
-  const unseenQuery = {
-    userId,
-    archivedAt: { $exists: false },
-    seenAt: { $exists: false }
-  };
-  if (disabledTopics.length > 0) {
-    unseenQuery.topic = { $nin: disabledTopics };
-  }
-  const unreadQuery = {
-    userId,
-    archivedAt: { $exists: false },
-    readAt: { $exists: false }
-  };
-  if (disabledTopics.length > 0) {
-    unreadQuery.topic = { $nin: disabledTopics };
-  }
+  const unseenQueryFilters = [
+    { userId },
+    { archivedAt: { $exists: false } },
+    { seenAt: { $exists: false } },
+    getAccessibleByQuery(ability, "read", "RBNotification")
+  ];
+  if (disabledTopics.length > 0) unseenQueryFilters.push({ topic: { $nin: disabledTopics } });
+  const unseenQuery = { $and: unseenQueryFilters };
+  const unreadQueryFilters = [
+    { userId },
+    { archivedAt: { $exists: false } },
+    { readAt: { $exists: false } },
+    getAccessibleByQuery(ability, "read", "RBNotification")
+  ];
+  if (disabledTopics.length > 0) unreadQueryFilters.push({ topic: { $nin: disabledTopics } });
+  const unreadQuery = { $and: unreadQueryFilters };
   const [unreadCount, unseenCount] = await Promise.all([
     NotificationModel.countDocuments(unreadQuery),
     NotificationModel.countDocuments(unseenQuery)
@@ -195,6 +199,11 @@ const createNotificationForCurrentUser = async (payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("create", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const parsed = createRequestSchema.safeParse(payload);
   if (!parsed.success) {
     ctx.res.status(400);
@@ -215,6 +224,11 @@ const markRead = async (_payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("update", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const notificationId = typeof ctx.req.params.notificationId === "string" ? ctx.req.params.notificationId.trim() : "";
   if (!notificationId) {
     ctx.res.status(400);
@@ -224,7 +238,7 @@ const markRead = async (_payload, ctx) => {
   const now = /* @__PURE__ */ new Date();
   try {
     await NotificationModel.updateOne(
-      { _id: notificationId, userId: session.userId, archivedAt: { $exists: false } },
+      { $and: [{ _id: notificationId }, { archivedAt: { $exists: false } }, getAccessibleByQuery(ability, "update", "RBNotification")] },
       { $set: { readAt: now, seenAt: now } }
     );
   } catch {
@@ -238,18 +252,23 @@ const markAllRead = async (_payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("update", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const SettingsModel = await loadModel("RBNotificationSettings", ctx);
   const settings = await SettingsModel.findOne({ userId: session.userId }).lean();
   const disabledTopics = buildDisabledTopics(settings, "inApp");
   const NotificationModel = await loadModel("RBNotification", ctx);
-  const query = {
-    userId: session.userId,
-    archivedAt: { $exists: false },
-    readAt: { $exists: false }
-  };
-  if (disabledTopics.length > 0) {
-    query.topic = { $nin: disabledTopics };
-  }
+  const queryFilters = [
+    { userId: session.userId },
+    { archivedAt: { $exists: false } },
+    { readAt: { $exists: false } },
+    getAccessibleByQuery(ability, "update", "RBNotification")
+  ];
+  if (disabledTopics.length > 0) queryFilters.push({ topic: { $nin: disabledTopics } });
+  const query = { $and: queryFilters };
   const now = /* @__PURE__ */ new Date();
   await NotificationModel.updateMany(query, { $set: { readAt: now, seenAt: now } });
   return { ok: true };
@@ -259,6 +278,11 @@ const archiveNotification = async (_payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("update", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const notificationId = typeof ctx.req.params.notificationId === "string" ? ctx.req.params.notificationId.trim() : "";
   if (!notificationId) {
     ctx.res.status(400);
@@ -267,7 +291,7 @@ const archiveNotification = async (_payload, ctx) => {
   const NotificationModel = await loadModel("RBNotification", ctx);
   try {
     await NotificationModel.updateOne(
-      { _id: notificationId, userId: session.userId, archivedAt: { $exists: false } },
+      { $and: [{ _id: notificationId }, { archivedAt: { $exists: false } }, getAccessibleByQuery(ability, "update", "RBNotification")] },
       { $set: { archivedAt: /* @__PURE__ */ new Date() } }
     );
   } catch {
@@ -281,8 +305,15 @@ const getSettings = async (_payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("read", "RBNotificationSettings")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const SettingsModel = await loadModel("RBNotificationSettings", ctx);
-  const settings = await SettingsModel.findOne({ userId: session.userId }).lean();
+  const settings = await SettingsModel.findOne(
+    { $and: [{ userId: session.userId }, getAccessibleByQuery(ability, "read", "RBNotificationSettings")] }
+  ).lean();
   const digestFrequencyRaw = typeof settings?.digestFrequency === "string" ? settings.digestFrequency : "weekly";
   const digestFrequency = digestFrequencyRaw === "off" || digestFrequencyRaw === "daily" || digestFrequencyRaw === "weekly" ? digestFrequencyRaw : "weekly";
   const topicPreferences = Array.isArray(settings?.topicPreferences) ? settings.topicPreferences.map((pref) => ({
@@ -305,6 +336,11 @@ const updateSettings = async (payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("update", "RBNotificationSettings")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const parsed = updateSettingsRequestSchema.safeParse(payload);
   if (!parsed.success) {
     ctx.res.status(400);
@@ -336,7 +372,7 @@ const updateSettings = async (payload, ctx) => {
     ops.$set = nextValues;
   }
   const settings = await SettingsModel.findOneAndUpdate(
-    { userId: session.userId },
+    { $and: [{ userId: session.userId }, getAccessibleByQuery(ability, "update", "RBNotificationSettings")] },
     ops,
     { upsert: true, new: true, setDefaultsOnInsert: true }
   ).lean();
@@ -362,6 +398,11 @@ const runDigest = async (payload, ctx) => {
   if (!session) {
     return { ok: false, error: "unauthorized" };
   }
+  const ability = buildAbilityFromSession({ tenantId: session.tenantId, session: ctx.req.session });
+  if (!ability.can("read", "RBNotification")) {
+    ctx.res.status(403);
+    return { ok: false, error: "forbidden" };
+  }
   const parsed = digestRunRequestSchema.safeParse(payload);
   if (!parsed.success) {
     ctx.res.status(400);

package/dist/{handler-BYVnU9H-.js → handler-Cl-0-832.js}

@@ -1,6 +1,6 @@
 import { getTenantFilesystemDb } from "@rpcbase/db";
 import { ObjectId, GridFSBucket } from "mongodb";
-import { g as getTenantId, c as getBucketName } from "./shared-Chfrv8o6.js";
+import { g as getTenantId, d as getBucketName } from "./shared-UGuDRAKK.js";
 const deleteFile = async (_payload, ctx) => {
   const tenantId = getTenantId(ctx);
   if (!tenantId) {

package/dist/{handler-CHuOXAtH.js → handler-Dd20DHyz.js}

@@ -1,5 +1,6 @@
 import { loadModel, ZRBRtsChangeOp } from "@rpcbase/db";
-import { o as object, a as array, s as string, n as number, b as boolean, _ as _enum } from "./schemas-DI7ewltq.js";
+import { buildAbilityFromSession } from "@rpcbase/db/acl";
+import { o as object, a as array, s as string, n as number, b as boolean, _ as _enum } from "./schemas-D5T9tDtI.js";
 const Route = "/api/rb/rts/changes";
 const requestSchema = object({
   sinceSeq: number().int().min(0).default(0),
@@ -68,6 +69,7 @@ const changesHandler = async (payload, ctx) => {
     ctx.res.status(401);
     return { ok: false, latestSeq: 0, changes: [] };
   }
+  const ability = buildAbilityFromSession({ tenantId, session: ctx.req.session });
   const modelCtx = getModelCtx(ctx, tenantId);
   const [RtsChange, RtsCounter] = await Promise.all([
     loadModel("RBRtsChange", modelCtx),
@@ -76,24 +78,26 @@ const changesHandler = async (payload, ctx) => {
   const counter = await RtsCounter.findOne({ _id: "rts" }, { seq: 1 }).lean();
   const latestSeq = Number(counter?.seq ?? 0) || 0;
   const { sinceSeq, limit, modelNames } = parsed.data;
-  const earliestSelector = {};
-  if (Array.isArray(modelNames) && modelNames.length) {
-    earliestSelector.modelName = { $in: modelNames };
+  const requestedModelNames = Array.isArray(modelNames) && modelNames.length ? modelNames.map((m) => String(m)).filter(Boolean) : null;
+  const allowedModelNames = requestedModelNames ? requestedModelNames.filter((m) => ability.can("read", m)) : Array.from(
+    new Set(
+      (await RtsChange.distinct("modelName")).map((m) => String(m)).filter(Boolean).filter((m) => ability.can("read", m))
+    )
+  );
+  let earliestSeq;
+  if (allowedModelNames.length) {
+    const earliest = await RtsChange.findOne({ modelName: { $in: allowedModelNames } }, { seq: 1 }).sort({ seq: 1 }).lean();
+    earliestSeq = earliest?.seq ? Number(earliest.seq) : void 0;
   }
-  const earliest = await RtsChange.findOne(earliestSelector, { seq: 1 }).sort({ seq: 1 }).lean();
-  const earliestSeq = earliest?.seq ? Number(earliest.seq) : void 0;
   const needsFullResync = typeof earliestSeq === "number" && sinceSeq < earliestSeq - 1;
-  const selector = { seq: { $gt: sinceSeq } };
-  if (Array.isArray(modelNames) && modelNames.length) {
-    selector.modelName = { $in: modelNames };
-  }
+  const selector = { seq: { $gt: sinceSeq }, modelName: { $in: allowedModelNames } };
   const changes = await RtsChange.find(selector, { _id: 0, seq: 1, modelName: 1, op: 1, docId: 1 }).sort({ seq: 1 }).limit(limit).lean();
   return {
     ok: true,
     needsFullResync: needsFullResync || void 0,
     earliestSeq,
     latestSeq,
-    changes: Array.isArray(changes) ? changes.filter(isRtsChangeRecord).map((c) => ({
+    changes: Array.isArray(changes) ? changes.filter(isRtsChangeRecord).filter((c) => ability.can("read", c.modelName)).map((c) => ({
       seq: Number(c.seq),
       modelName: String(c.modelName),
       op: c.op,

package/dist/index.d.ts

@@ -4,5 +4,4 @@ export * from './hashPassword';
 export * from './passwordHashStorage';
 export * from './ssrMiddleware';
 export * from './email';
-export * from './rts/index';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,gBAAgB,CAAA;AAC9B,cAAc,uBAAuB,CAAA;AACrC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA;AACvB,cAAc,aAAa,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,gBAAgB,CAAA;AAC9B,cAAc,uBAAuB,CAAA;AACrC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA"}