@tachybase/acl 0.23.8

package/lib/acl-role.js

@@ -0,0 +1,184 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var acl_role_exports = {};
+__export(acl_role_exports, {
+  ACLRole: () => ACLRole
+});
+module.exports = __toCommonJS(acl_role_exports);
+var import_lodash = __toESM(require("lodash"));
+var import_minimatch = __toESM(require("minimatch"));
+var import_acl_available_strategy = require("./acl-available-strategy");
+var import_acl_resource = require("./acl-resource");
+const _ACLRole = class _ACLRole {
+  constructor(acl, name) {
+    this.acl = acl;
+    this.name = name;
+  }
+  strategy;
+  resources = /* @__PURE__ */ new Map();
+  snippets = /* @__PURE__ */ new Set();
+  _snippetCache = {
+    params: null,
+    result: null
+  };
+  _serializeSet(set) {
+    return JSON.stringify([...set].sort());
+  }
+  getResource(name) {
+    return this.resources.get(name);
+  }
+  setStrategy(value) {
+    this.strategy = value;
+  }
+  getStrategy() {
+    if (!this.strategy) {
+      return null;
+    }
+    return import_lodash.default.isString(this.strategy) ? this.acl.availableStrategy.get(this.strategy) : new import_acl_available_strategy.ACLAvailableStrategy(this.acl, this.strategy);
+  }
+  getResourceActionsParams(resourceName) {
+    const resource = this.getResource(resourceName);
+    return resource.getActions();
+  }
+  revokeResource(resourceName) {
+    for (const key of [...this.resources.keys()]) {
+      if (key === resourceName || key.includes(`${resourceName}.`)) {
+        this.resources.delete(key);
+      }
+    }
+  }
+  grantAction(path, options) {
+    let { resource } = this.getResourceActionFromPath(path);
+    const { resourceName, actionName } = this.getResourceActionFromPath(path);
+    if (!resource) {
+      resource = new import_acl_resource.ACLResource({
+        role: this,
+        name: resourceName
+      });
+      this.resources.set(resourceName, resource);
+    }
+    resource.setAction(actionName, options);
+  }
+  getActionParams(path) {
+    const { action } = this.getResourceActionFromPath(path);
+    return action;
+  }
+  revokeAction(path) {
+    const { resource, actionName } = this.getResourceActionFromPath(path);
+    resource.removeAction(actionName);
+  }
+  effectiveSnippets() {
+    const currentParams = this._serializeSet(this.snippets);
+    if (this._snippetCache.params === currentParams) {
+      return this._snippetCache.result;
+    }
+    const allowedSnippets = /* @__PURE__ */ new Set();
+    const rejectedSnippets = /* @__PURE__ */ new Set();
+    const availableSnippets = this.acl.snippetManager.snippets;
+    for (let snippetRule of this.snippets) {
+      const negated = snippetRule.startsWith("!");
+      snippetRule = negated ? snippetRule.slice(1) : snippetRule;
+      for (const [_, availableSnippet] of availableSnippets) {
+        if ((0, import_minimatch.default)(availableSnippet.name, snippetRule)) {
+          if (negated) {
+            rejectedSnippets.add(availableSnippet.name);
+          } else {
+            allowedSnippets.add(availableSnippet.name);
+          }
+        }
+      }
+    }
+    const effectiveSnippets = new Set([...allowedSnippets].filter((x) => !rejectedSnippets.has(x)));
+    this._snippetCache = {
+      params: currentParams,
+      result: {
+        allowed: [...effectiveSnippets],
+        rejected: [...rejectedSnippets]
+      }
+    };
+    return this._snippetCache.result;
+  }
+  snippetAllowed(actionPath) {
+    const effectiveSnippets = this.effectiveSnippets();
+    const getActions = /* @__PURE__ */ __name((snippets) => {
+      return snippets.map((snippetName) => this.acl.snippetManager.snippets.get(snippetName).actions).flat();
+    }, "getActions");
+    const allowedActions = getActions(effectiveSnippets.allowed);
+    const rejectedActions = getActions(effectiveSnippets.rejected);
+    const actionMatched = /* @__PURE__ */ __name((actionPath2, actionRule) => {
+      return (0, import_minimatch.default)(actionPath2, actionRule);
+    }, "actionMatched");
+    for (const action of allowedActions) {
+      if (actionMatched(actionPath, action)) {
+        return true;
+      }
+    }
+    for (const action of rejectedActions) {
+      if (actionMatched(actionPath, action)) {
+        return false;
+      }
+    }
+    return null;
+  }
+  toJSON() {
+    const actions = {};
+    for (const resourceName of this.resources.keys()) {
+      const resourceActions = this.getResourceActionsParams(resourceName);
+      for (const actionName of Object.keys(resourceActions)) {
+        actions[`${resourceName}:${actionName}`] = resourceActions[actionName];
+      }
+    }
+    return {
+      role: this.name,
+      strategy: this.strategy,
+      actions,
+      snippets: Array.from(this.snippets)
+    };
+  }
+  getResourceActionFromPath(path) {
+    const [resourceName, actionName] = path.split(":");
+    const resource = this.resources.get(resourceName);
+    let action = null;
+    if (resource) {
+      action = resource.getAction(actionName);
+    }
+    return {
+      resourceName,
+      actionName,
+      resource,
+      action
+    };
+  }
+};
+__name(_ACLRole, "ACLRole");
+let ACLRole = _ACLRole;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ACLRole
+});

package/lib/acl.d.ts

@@ -0,0 +1,117 @@
+import EventEmitter from 'node:events';
+import { Toposort, ToposortOptions } from '@tachybase/utils';
+import { ACLAvailableAction, AvailableActionOptions } from './acl-available-action';
+import { ACLAvailableStrategy, AvailableStrategyOptions } from './acl-available-strategy';
+import { ACLRole, ResourceActionsOptions, RoleActionParams } from './acl-role';
+import { AllowManager, ConditionFunc } from './allow-manager';
+import FixedParamsManager, { Merger } from './fixed-params-manager';
+import SnippetManager, { SnippetOptions } from './snippet-manager';
+interface CanResult {
+    role: string;
+    resource: string;
+    action: string;
+    params?: any;
+}
+export interface DefineOptions {
+    role: string;
+    allowConfigure?: boolean;
+    strategy?: string | AvailableStrategyOptions;
+    actions?: ResourceActionsOptions;
+    routes?: any;
+    snippets?: string[];
+}
+export interface ListenerContext {
+    acl: ACL;
+    role: ACLRole;
+    path: string;
+    actionName: string;
+    resourceName: string;
+    params: RoleActionParams;
+}
+type Listener = (ctx: ListenerContext) => void;
+interface CanArgs {
+    role: string;
+    resource: string;
+    action: string;
+    ctx?: any;
+}
+export declare class ACL extends EventEmitter {
+    /**
+     * @internal
+     */
+    availableStrategy: Map<string, ACLAvailableStrategy>;
+    /**
+     * @internal
+     */
+    allowManager: AllowManager;
+    /**
+     * @internal
+     */
+    snippetManager: SnippetManager;
+    /**
+     * @internal
+     */
+    roles: Map<string, ACLRole>;
+    /**
+     * @internal
+     */
+    actionAlias: Map<string, string>;
+    /**
+     * @internal
+     */
+    configResources: string[];
+    protected availableActions: Map<string, ACLAvailableAction>;
+    protected fixedParamsManager: FixedParamsManager;
+    protected middlewares: Toposort<any>;
+    middlewareSourceMap: WeakMap<Function, string>;
+    constructor();
+    define(options: DefineOptions): ACLRole;
+    getRole(name: string): ACLRole;
+    removeRole(name: string): boolean;
+    /**
+     * @internal
+     */
+    registerConfigResources(names: string[]): void;
+    /**
+     * @internal
+     */
+    registerConfigResource(name: string): void;
+    /**
+     * @internal
+     */
+    isConfigResource(name: string): boolean;
+    setAvailableAction(name: string, options?: AvailableActionOptions): void;
+    getAvailableAction(name: string): ACLAvailableAction;
+    getAvailableActions(): Map<string, ACLAvailableAction>;
+    setAvailableStrategy(name: string, options: AvailableStrategyOptions): void;
+    beforeGrantAction(listener?: Listener): void;
+    can(options: CanArgs): CanResult | null;
+    /**
+     * @internal
+     */
+    resolveActionAlias(action: string): string;
+    use(fn: any, options?: ToposortOptions): void;
+    allow(resourceName: string, actionNames: string[] | string, condition?: string | ConditionFunc): void;
+    /**
+     * @deprecated
+     */
+    skip(resourceName: string, actionNames: string[] | string, condition?: string | ConditionFunc): void;
+    /**
+     * @internal
+     */
+    parseJsonTemplate(json: any, ctx: any): Promise<any>;
+    middleware(): (ctx: any, next: any) => Promise<any>;
+    /**
+     * @internal
+     */
+    getActionParams(ctx: any): Promise<void>;
+    addFixedParams(resource: string, action: string, merger: Merger): void;
+    registerSnippet(snippet: SnippetOptions): void;
+    /**
+     * @internal
+     */
+    filterParams(ctx: any, resourceName: any, params: any): any;
+    protected addCoreMiddleware(): void;
+    protected isAvailableAction(actionName: string): boolean;
+}
+export {};

package/lib/acl.js

@@ -0,0 +1,384 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var acl_exports = {};
+__export(acl_exports, {
+  ACL: () => ACL
+});
+module.exports = __toCommonJS(acl_exports);
+var import_node_events = __toESM(require("node:events"));
+var import_utils = require("@tachybase/utils");
+var import_koa_compose = __toESM(require("koa-compose"));
+var import_lodash = __toESM(require("lodash"));
+var import_acl_available_action = require("./acl-available-action");
+var import_acl_available_strategy = require("./acl-available-strategy");
+var import_acl_role = require("./acl-role");
+var import_allow_manager = require("./allow-manager");
+var import_fixed_params_manager = __toESM(require("./fixed-params-manager"));
+var import_snippet_manager = __toESM(require("./snippet-manager"));
+const _ACL = class _ACL extends import_node_events.default {
+  /**
+   * @internal
+   */
+  availableStrategy = /* @__PURE__ */ new Map();
+  /**
+   * @internal
+   */
+  allowManager = new import_allow_manager.AllowManager(this);
+  /**
+   * @internal
+   */
+  snippetManager = new import_snippet_manager.default();
+  /**
+   * @internal
+   */
+  roles = /* @__PURE__ */ new Map();
+  /**
+   * @internal
+   */
+  actionAlias = /* @__PURE__ */ new Map();
+  /**
+   * @internal
+   */
+  configResources = [];
+  availableActions = /* @__PURE__ */ new Map();
+  fixedParamsManager = new import_fixed_params_manager.default();
+  middlewares;
+  middlewareSourceMap = /* @__PURE__ */ new WeakMap();
+  constructor() {
+    super();
+    this.middlewares = new import_utils.Toposort();
+    this.beforeGrantAction((ctx) => {
+      if (import_lodash.default.isPlainObject(ctx.params) && ctx.params.own) {
+        ctx.params = import_lodash.default.merge(ctx.params, import_acl_available_strategy.predicate.own);
+      }
+    });
+    this.beforeGrantAction((ctx) => {
+      const actionName = this.resolveActionAlias(ctx.actionName);
+      if (import_lodash.default.isPlainObject(ctx.params)) {
+        if ((actionName === "create" || actionName === "update") && ctx.params.fields) {
+          ctx.params = {
+            ...import_lodash.default.omit(ctx.params, "fields"),
+            whitelist: ctx.params.fields
+          };
+        }
+      }
+    });
+    this.use(this.allowManager.aclMiddleware(), {
+      tag: "allow-manager",
+      before: "core"
+    });
+    this.addCoreMiddleware();
+  }
+  define(options) {
+    const roleName = options.role;
+    const role = new import_acl_role.ACLRole(this, roleName);
+    if (options.strategy) {
+      role.strategy = options.strategy;
+    }
+    const actions = options.actions || {};
+    for (const [actionName, actionParams] of Object.entries(actions)) {
+      role.grantAction(actionName, actionParams);
+    }
+    this.roles.set(roleName, role);
+    return role;
+  }
+  getRole(name) {
+    return this.roles.get(name);
+  }
+  removeRole(name) {
+    return this.roles.delete(name);
+  }
+  /**
+   * @internal
+   */
+  registerConfigResources(names) {
+    names.forEach((name) => this.registerConfigResource(name));
+  }
+  /**
+   * @internal
+   */
+  registerConfigResource(name) {
+    this.configResources.push(name);
+  }
+  /**
+   * @internal
+   */
+  isConfigResource(name) {
+    return this.configResources.includes(name);
+  }
+  setAvailableAction(name, options = {}) {
+    this.availableActions.set(name, new import_acl_available_action.ACLAvailableAction(name, options));
+    if (options.aliases) {
+      const aliases = import_lodash.default.isArray(options.aliases) ? options.aliases : [options.aliases];
+      for (const alias of aliases) {
+        this.actionAlias.set(alias, name);
+      }
+    }
+  }
+  getAvailableAction(name) {
+    const actionName = this.actionAlias.get(name) || name;
+    return this.availableActions.get(actionName);
+  }
+  getAvailableActions() {
+    return this.availableActions;
+  }
+  setAvailableStrategy(name, options) {
+    this.availableStrategy.set(name, new import_acl_available_strategy.ACLAvailableStrategy(this, options));
+  }
+  beforeGrantAction(listener) {
+    this.addListener("beforeGrantAction", listener);
+  }
+  can(options) {
+    const { role, resource, action } = options;
+    const aclRole = this.roles.get(role);
+    if (!aclRole) {
+      return null;
+    }
+    const snippetAllowed = aclRole.snippetAllowed(`${resource}:${action}`);
+    const fixedParams = this.fixedParamsManager.getParams(resource, action);
+    const mergeParams = /* @__PURE__ */ __name((result) => {
+      const params = result["params"] || {};
+      const mergedParams = (0, import_utils.assign)(params, fixedParams);
+      if (Object.keys(mergedParams).length) {
+        result["params"] = mergedParams;
+      } else {
+        delete result["params"];
+      }
+      return result;
+    }, "mergeParams");
+    const aclResource = aclRole.getResource(resource);
+    if (aclResource) {
+      const actionParams = aclResource.getAction(action);
+      if (actionParams) {
+        return mergeParams({
+          role,
+          resource,
+          action,
+          params: actionParams
+        });
+      } else {
+        return null;
+      }
+    }
+    const roleStrategy = aclRole.getStrategy();
+    if (!roleStrategy && !snippetAllowed) {
+      return null;
+    }
+    let roleStrategyParams = roleStrategy == null ? void 0 : roleStrategy.allow(resource, this.resolveActionAlias(action));
+    if (!roleStrategyParams && snippetAllowed) {
+      roleStrategyParams = {};
+    }
+    if (roleStrategyParams) {
+      const result = { role, resource, action, params: {} };
+      if (import_lodash.default.isPlainObject(roleStrategyParams)) {
+        result["params"] = roleStrategyParams;
+      }
+      return mergeParams(result);
+    }
+    return null;
+  }
+  /**
+   * @internal
+   */
+  resolveActionAlias(action) {
+    return this.actionAlias.get(action) ? this.actionAlias.get(action) : action;
+  }
+  use(fn, options) {
+    this.middlewareSourceMap.set(fn, (0, import_utils.getCurrentStacks)());
+    this.middlewares.add(fn, {
+      group: "prep",
+      ...options
+    });
+  }
+  allow(resourceName, actionNames, condition) {
+    return this.skip(resourceName, actionNames, condition);
+  }
+  /**
+   * @deprecated
+   */
+  skip(resourceName, actionNames, condition) {
+    if (!Array.isArray(actionNames)) {
+      actionNames = [actionNames];
+    }
+    for (const actionName of actionNames) {
+      this.allowManager.allow(resourceName, actionName, condition);
+    }
+  }
+  /**
+   * @internal
+   */
+  async parseJsonTemplate(json, ctx) {
+    var _a, _b, _c, _d, _e;
+    if (json.filter) {
+      (_b = (_a = ctx.logger) == null ? void 0 : _a.info) == null ? void 0 : _b.call(_a, "parseJsonTemplate.raw", JSON.parse(JSON.stringify(json.filter)));
+      const timezone = (_c = ctx == null ? void 0 : ctx.get) == null ? void 0 : _c.call(ctx, "x-timezone");
+      const state = JSON.parse(JSON.stringify(ctx.state));
+      const filter = await (0, import_utils.parseFilter)(json.filter, {
+        timezone,
+        now: (/* @__PURE__ */ new Date()).toISOString(),
+        vars: {
+          ctx: {
+            state
+          },
+          $user: getUser(ctx),
+          $nRole: /* @__PURE__ */ __name(() => state.currentRole, "$nRole")
+        }
+      });
+      json.filter = filter;
+      (_e = (_d = ctx.logger) == null ? void 0 : _d.info) == null ? void 0 : _e.call(_d, "parseJsonTemplate.parsed", filter);
+    }
+    return json;
+  }
+  middleware() {
+    const acl = this;
+    return /* @__PURE__ */ __name(async function ACLMiddleware(ctx, next) {
+      const roleName = ctx.state.currentRole || "anonymous";
+      const { resourceName, actionName } = ctx.action;
+      ctx.can = (options) => {
+        const canResult = acl.can({ role: roleName, ...options });
+        return canResult;
+      };
+      ctx.permission = {
+        can: ctx.can({ resource: resourceName, action: actionName })
+      };
+      return (0, import_koa_compose.default)(acl.middlewares.nodes)(ctx, next);
+    }, "ACLMiddleware");
+  }
+  /**
+   * @internal
+   */
+  async getActionParams(ctx) {
+    const roleName = ctx.state.currentRole || "anonymous";
+    const { resourceName, actionName } = ctx.action;
+    ctx.can = (options) => {
+      const can = this.can({ role: roleName, ...options });
+      if (!can) {
+        return null;
+      }
+      return import_lodash.default.cloneDeep(can);
+    };
+    ctx.permission = {
+      can: ctx.can({ resource: resourceName, action: actionName })
+    };
+    await (0, import_koa_compose.default)(this.middlewares.nodes)(ctx, async () => {
+    });
+  }
+  addFixedParams(resource, action, merger) {
+    this.fixedParamsManager.addParams(resource, action, merger);
+  }
+  registerSnippet(snippet) {
+    this.snippetManager.register(snippet);
+  }
+  /**
+   * @internal
+   */
+  filterParams(ctx, resourceName, params) {
+    var _a;
+    if ((_a = params == null ? void 0 : params.filter) == null ? void 0 : _a.createdById) {
+      const collection = ctx.db.getCollection(resourceName);
+      if (!collection || !collection.getField("createdById")) {
+        return import_lodash.default.omit(params, "filter.createdById");
+      }
+    }
+    return params;
+  }
+  addCoreMiddleware() {
+    const acl = this;
+    this.middlewares.add(
+      async (ctx, next) => {
+        var _a, _b, _c, _d;
+        const resourcerAction = ctx.action;
+        const { resourceName, actionName } = ctx.action;
+        const permission = ctx.permission;
+        ((_a = ctx.log) == null ? void 0 : _a.info) && ctx.log.info("ctx permission", permission);
+        if ((!permission.can || typeof permission.can !== "object") && !permission.skip) {
+          ctx.throw(403, "No permissions");
+          return;
+        }
+        const params = ((_b = permission.can) == null ? void 0 : _b.params) || acl.fixedParamsManager.getParams(resourceName, actionName);
+        ((_c = ctx.log) == null ? void 0 : _c.info) && ctx.log.info("acl params", params);
+        if (params && resourcerAction.mergeParams) {
+          const filteredParams = acl.filterParams(ctx, resourceName, params);
+          const parsedParams = await acl.parseJsonTemplate(filteredParams, ctx);
+          ctx.permission.parsedParams = parsedParams;
+          ((_d = ctx.log) == null ? void 0 : _d.info) && ctx.log.info("acl parsedParams", parsedParams);
+          ctx.permission.rawParams = import_lodash.default.cloneDeep(resourcerAction.params);
+          resourcerAction.mergeParams(parsedParams, {
+            appends: /* @__PURE__ */ __name((x, y) => {
+              if (!x) {
+                return [];
+              }
+              if (!y) {
+                return x;
+              }
+              return x.filter((i) => y.includes(i.split(".").shift()));
+            }, "appends")
+          });
+          ctx.permission.mergedParams = import_lodash.default.cloneDeep(resourcerAction.params);
+        }
+        await next();
+      },
+      {
+        tag: "core",
+        group: "core"
+      }
+    );
+  }
+  isAvailableAction(actionName) {
+    return this.availableActions.has(this.resolveActionAlias(actionName));
+  }
+};
+__name(_ACL, "ACL");
+let ACL = _ACL;
+function getUser(ctx) {
+  return async ({ fields }) => {
+    var _a, _b;
+    const userFields = fields.filter((f) => f && ctx.db.getFieldByPath("users." + f));
+    (_a = ctx.logger) == null ? void 0 : _a.info("filter-parse: ", { userFields });
+    if (!ctx.state.currentUser) {
+      return;
+    }
+    if (!userFields.length) {
+      return;
+    }
+    const user = await ctx.db.getRepository("users").findOne({
+      filterByTk: ctx.state.currentUser.id,
+      fields: userFields
+    });
+    (_b = ctx.logger) == null ? void 0 : _b.info("filter-parse: ", {
+      $user: user == null ? void 0 : user.toJSON()
+    });
+    return user;
+  };
+}
+__name(getUser, "getUser");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ACL
+});

package/lib/allow-manager.d.ts

@@ -0,0 +1,13 @@
+import { ACL } from './acl';
+export type ConditionFunc = (ctx: any) => Promise<boolean> | boolean;
+export declare class AllowManager {
+    acl: ACL;
+    protected skipActions: Map<string, Map<string, string | true | ConditionFunc>>;
+    protected registeredCondition: Map<string, ConditionFunc>;
+    constructor(acl: ACL);
+    allow(resourceName: string, actionName: string, condition?: string | ConditionFunc): void;
+    getAllowedConditions(resourceName: string, actionName: string): Array<ConditionFunc | true>;
+    registerAllowCondition(name: string, condition: ConditionFunc): void;
+    isAllowed(resourceName: string, actionName: string, ctx: any): Promise<boolean>;
+    aclMiddleware(): (ctx: any, next: any) => Promise<void>;
+}