npm - @webiny/api-headless-cms - Versions diffs - 5.39.1 → 5.39.2-beta.0 - Mend

@webiny/api-headless-cms 5.39.1 → 5.39.2-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/context.js +14 -26
package/context.js.map +1 -1
package/crud/AccessControl/AccessControl.d.ts +98 -0
package/crud/AccessControl/AccessControl.js +542 -0
package/crud/AccessControl/AccessControl.js.map +1 -0
package/crud/AccessControl/README.md +47 -0
package/crud/AccessControl/groups-own.png +0 -0
package/crud/AccessControl/models-own.png +0 -0
package/crud/contentEntry/entryDataFactories/createEntryData.d.ts +3 -3
package/crud/contentEntry/entryDataFactories/createEntryData.js +21 -3
package/crud/contentEntry/entryDataFactories/createEntryData.js.map +1 -1
package/crud/contentEntry/entryDataFactories/createEntryRevisionFromData.d.ts +3 -1
package/crud/contentEntry/entryDataFactories/createEntryRevisionFromData.js +54 -11
package/crud/contentEntry/entryDataFactories/createEntryRevisionFromData.js.map +1 -1
package/crud/contentEntry.crud.d.ts +2 -4
package/crud/contentEntry.crud.js +106 -113
package/crud/contentEntry.crud.js.map +1 -1
package/crud/contentModel.crud.d.ts +2 -2
package/crud/contentModel.crud.js +45 -31
package/crud/contentModel.crud.js.map +1 -1
package/crud/contentModelGroup.crud.d.ts +2 -2
package/crud/contentModelGroup.crud.js +17 -28
package/crud/contentModelGroup.crud.js.map +1 -1
package/index.d.ts +2 -1
package/index.js +24 -12
package/index.js.map +1 -1
package/package.json +19 -19
package/plugins/CmsModelPlugin.d.ts +1 -1
package/plugins/CmsModelPlugin.js +4 -3
package/plugins/CmsModelPlugin.js.map +1 -1
package/types.d.ts +12 -10
package/types.js.map +1 -1
package/utils/createModelField.d.ts +5 -0
package/utils/createModelField.js +41 -0
package/utils/createModelField.js.map +1 -0
package/utils/isHeadlessCmsReady.d.ts +2 -0
package/utils/isHeadlessCmsReady.js +23 -0
package/utils/isHeadlessCmsReady.js.map +1 -0
package/utils/access.d.ts +0 -9
package/utils/access.js +0 -26
package/utils/access.js.map +0 -1
package/utils/permissions/EntriesPermissions.d.ts +0 -4
package/utils/permissions/EntriesPermissions.js +0 -11
package/utils/permissions/EntriesPermissions.js.map +0 -1
package/utils/permissions/ModelGroupsPermissions.d.ts +0 -9
package/utils/permissions/ModelGroupsPermissions.js +0 -50
package/utils/permissions/ModelGroupsPermissions.js.map +0 -1
package/utils/permissions/ModelsPermissions.d.ts +0 -22
package/utils/permissions/ModelsPermissions.js +0 -90
package/utils/permissions/ModelsPermissions.js.map +0 -1

package/crud/AccessControl/AccessControl.js ADDED Viewed

@@ -0,0 +1,542 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.AccessControl = void 0;
+var _apiSecurity = require("@webiny/api-security");
+class AccessControl {
+  constructor({
+    getIdentity,
+    getGroupsPermissions,
+    getModelsPermissions,
+    getEntriesPermissions,
+    listAllGroups
+  }) {
+    this.getIdentity = getIdentity;
+    this.getGroupsPermissions = getGroupsPermissions;
+    this.getModelsPermissions = getModelsPermissions;
+    this.getEntriesPermissions = getEntriesPermissions;
+    this.fullAccessPermissions = ["*", "cms.*"];
+    this.listAllGroupsCallback = listAllGroups;
+    this.allGroups = null;
+  }
+  /**
+   * Groups-related methods below. 👇
+   * - canAccessGroup
+   * - ensureCanAccessGroup
+   * - canAccessNonOwnedGroups
+   * - canAccessOnlyOwnedGroups
+   * - getGroupsAccessControlList
+   * - hasFullAccessToGroups
+   */
+  async canAccessGroup(params = {}) {
+    const acl = await this.getGroupsAccessControlList(params);
+    const canRead = acl.find(ace => ace.rwd?.includes("r"));
+    if (!canRead) {
+      return false;
+    }
+    const {
+      rwd
+    } = params;
+    if (rwd) {
+      const hasRwd = acl.find(ace => ace.rwd.includes(rwd));
+      if (!hasRwd) {
+        return false;
+      }
+    }
+    return true;
+  }
+  async ensureCanAccessGroup(params = {}) {
+    const canAccess = await this.canAccessGroup(params);
+    if (canAccess) {
+      return;
+    }
+    if ("group" in params) {
+      let groupName = "(could not determine name)";
+      if (params.group?.name) {
+        groupName = `"${params.group.name}"`;
+      }
+      throw new _apiSecurity.NotAuthorizedError({
+        data: {
+          reason: `Not allowed to access content model group ${groupName}.`
+        }
+      });
+    }
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Not allowed to access content model groups.`
+      }
+    });
+  }
+  async canAccessNonOwnedGroups(params) {
+    const acl = await this.getGroupsAccessControlList(params);
+    return acl.some(ace => ace.canAccessNonOwned);
+  }
+  async canAccessOnlyOwnedGroups(params) {
+    const canAccessNonOwned = await this.canAccessNonOwnedGroups(params);
+    return !canAccessNonOwned;
+  }
+  async getGroupsAccessControlList(params) {
+    if (await this.hasFullAccessToGroups()) {
+      return [{
+        rwd: "rwd",
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false
+      }];
+    }
+    const groupsPermissionsList = await this.getGroupsPermissions();
+    const acl = [];
+    for (const groupsPermissions of groupsPermissionsList) {
+      if (groupsPermissions.own) {
+        if ("group" in params) {
+          const modelGroupCreatedBy = params.group?.createdBy;
+          if (!modelGroupCreatedBy) {
+            continue;
+          }
+          const identity = await this.getIdentity();
+          if (modelGroupCreatedBy.id !== identity.id) {
+            continue;
+          }
+        }
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true
+        });
+      }
+      if (groupsPermissions.groups) {
+        if ("group" in params) {
+          const {
+            group
+          } = params;
+          if (!group) {
+            continue;
+          }
+          const {
+            groups
+          } = groupsPermissions;
+          if (!Array.isArray(groups[group.locale])) {
+            continue;
+          }
+          if (!groups[group.locale].includes(group.id)) {
+            continue;
+          }
+        }
+      }
+      acl.push({
+        rwd: groupsPermissions.rwd,
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false
+      });
+    }
+    return acl;
+  }
+  async hasFullAccessToGroups() {
+    const permissions = await this.getGroupsPermissions();
+    return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));
+  }
+  /**
+   * Models-related methods below. 👇
+   * - canAccessModel
+   * - ensureCanAccessModel
+   * - canAccessNonOwnedModels
+   * - canAccessOnlyOwnedModels
+   * - getModelsAccessControlList
+   * - hasFullAccessToModels
+   */
+  async canAccessModel(params) {
+    const acl = await this.getModelsAccessControlList(params);
+    const canRead = acl.find(ace => ace.rwd.includes("r"));
+    if (!canRead) {
+      return false;
+    }
+    const {
+      rwd
+    } = params;
+    if (rwd) {
+      const hasRwd = acl.find(ace => ace.rwd.includes(rwd));
+      if (!hasRwd) {
+        return false;
+      }
+    }
+    return true;
+  }
+  async ensureCanAccessModel(params = {}) {
+    const canAccess = await this.canAccessModel(params);
+    if (canAccess) {
+      return;
+    }
+    if ("model" in params) {
+      let modelName = "(could not determine name)";
+      if (params.model?.name) {
+        modelName = `"${params.model.name}"`;
+      }
+      throw new _apiSecurity.NotAuthorizedError({
+        data: {
+          reason: `Not allowed to access content model ${modelName}.`
+        }
+      });
+    }
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Not allowed to access content models.`
+      }
+    });
+  }
+  async canAccessNonOwnedModels(params) {
+    const acl = await this.getModelsAccessControlList(params);
+    return acl.some(ace => ace.canAccessNonOwned);
+  }
+  async canAccessOnlyOwnedModels(params) {
+    const canAccessNonOwned = await this.canAccessNonOwnedModels(params);
+    return !canAccessNonOwned;
+  }
+  async getModelsAccessControlList(params) {
+    if (await this.hasFullAccessToModels(params)) {
+      return [{
+        rwd: "rwd",
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false
+      }];
+    }
+    const groupsPermissionsList = await this.getGroupsPermissions();
+    const acl = [];
+    for (let i = 0; i < groupsPermissionsList.length; i++) {
+      const groupsPermissions = groupsPermissionsList[i];
+      const modelsPermissionsList = await this.getModelsPermissions();
+      const relatedModelPermissions = modelsPermissionsList.find(permissions => permissions._src === groupsPermissions._src);
+      if (!relatedModelPermissions) {
+        continue;
+      }
+      if (groupsPermissions.own) {
+        if ("model" in params) {
+          const {
+            model
+          } = params;
+          if (!model) {
+            continue;
+          }
+          const group = await this.getGroup(model.group.id);
+          if (!group) {
+            continue;
+          }
+          const modelGroupCreatedBy = group.createdBy;
+          if (!modelGroupCreatedBy) {
+            continue;
+          }
+          const identity = await this.getIdentity();
+          if (modelGroupCreatedBy.id !== identity.id) {
+            continue;
+          }
+        }
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true
+        });
+        continue;
+      }
+      if (groupsPermissions.groups) {
+        if ("model" in params) {
+          const {
+            model
+          } = params;
+          if (!model) {
+            continue;
+          }
+          if (!Array.isArray(groupsPermissions.groups[model.locale])) {
+            continue;
+          }
+          if (!groupsPermissions.groups[model.locale].includes(model.group.id)) {
+            continue;
+          }
+        }
+      }
+      const fullAccess = !relatedModelPermissions.rwd && !relatedModelPermissions.own && !relatedModelPermissions.models;
+      if (fullAccess) {
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: true,
+          canAccessOnlyOwned: false
+        });
+        continue;
+      }
+      if (relatedModelPermissions.own) {
+        if ("model" in params) {
+          if (!params.model) {
+            continue;
+          }
+          const modelCreatedBy = params.model.createdBy;
+          if (!modelCreatedBy) {
+            continue;
+          }
+          const identity = await this.getIdentity();
+          if (modelCreatedBy.id !== identity.id) {
+            continue;
+          }
+        }
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true
+        });
+        continue;
+      }
+      if (relatedModelPermissions.models) {
+        const {
+          models
+        } = relatedModelPermissions;
+        if ("model" in params) {
+          if (!params.model) {
+            continue;
+          }
+          if (!Array.isArray(models[params.model.locale])) {
+            continue;
+          }
+          if (!models[params.model.locale].includes(params.model.modelId)) {
+            continue;
+          }
+        }
+      }
+      acl.push({
+        rwd: relatedModelPermissions.rwd,
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false
+      });
+    }
+    return acl;
+  }
+  async hasFullAccessToModels(params) {
+    const {
+      model
+    } = params;
+    if (model) {
+      if (this.modelAuthorizationDisabled({
+        model
+      })) {
+        return true;
+      }
+    }
+    const permissions = await this.getModelsPermissions();
+    return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));
+  }
+  /**
+   * Entries-related methods below. 👇
+   * - canAccessEntry
+   * - ensureCanAccessEntry
+   * - canAccessNonOwnedEntries
+   * - canAccessOnlyOwnedEntries
+   * - getEntriesAccessControlList
+   * - hasFullAccessToEntries
+   */
+  async canAccessEntry(params) {
+    const acl = await this.getEntriesAccessControlList(params);
+    const canRead = acl.find(ace => ace.rwd.includes("r"));
+    if (!canRead) {
+      return false;
+    }
+    const {
+      rwd
+    } = params;
+    if (rwd) {
+      const hasRwd = acl.find(ace => ace.rwd.includes(rwd));
+      if (!hasRwd) {
+        return false;
+      }
+    }
+    const {
+      pw
+    } = params;
+    if (pw) {
+      const hasPw = acl.find(ace => ace.pw?.includes(pw));
+      if (!hasPw) {
+        return false;
+      }
+    }
+    return true;
+  }
+  async ensureCanAccessEntry(params) {
+    const canAccess = await this.canAccessEntry(params);
+    if (!canAccess) {
+      if (params.entry) {
+        throw new _apiSecurity.NotAuthorizedError({
+          data: {
+            reason: `Not allowed to access entry "${params.entry.entryId}".`
+          }
+        });
+      }
+      throw new _apiSecurity.NotAuthorizedError({
+        data: {
+          reason: `Not allowed to access "${params.model.modelId}" entries.`
+        }
+      });
+    }
+  }
+  async canAccessNonOwnedEntries(params) {
+    const acl = await this.getEntriesAccessControlList(params);
+    return acl.some(ace => ace.canAccessNonOwned);
+  }
+  async canAccessOnlyOwnedEntries(params) {
+    const canAccessNonOwned = await this.canAccessNonOwnedEntries(params);
+    return !canAccessNonOwned;
+  }
+  async getEntriesAccessControlList(params) {
+    if (await this.hasFullAccessToEntries(params)) {
+      return [{
+        rwd: "rwd",
+        pw: "pu",
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false
+      }];
+    }
+    const {
+      model
+    } = params;
+    const groupsPermissionsList = await this.getGroupsPermissions();
+    const acl = [];
+    for (let i = 0; i < groupsPermissionsList.length; i++) {
+      const groupPermissions = groupsPermissionsList[i];
+      const modelsPermissionsList = await this.getModelsPermissions();
+      const relatedModelsPermissions = modelsPermissionsList.find(permissions => permissions._src === groupPermissions._src);
+      if (!relatedModelsPermissions) {
+        continue;
+      }
+      const entriesPermissionsList = await this.getEntriesPermissions();
+      const relatedEntriesPermissions = entriesPermissionsList.find(permissions => permissions._src === groupPermissions._src);
+      if (!relatedEntriesPermissions) {
+        continue;
+      }
+      if (groupPermissions.own) {
+        const group = await this.getGroup(model.group.id);
+        if (!group) {
+          continue;
+        }
+        const groupCreatedBy = group.createdBy;
+        if (!groupCreatedBy) {
+          continue;
+        }
+        const identity = await this.getIdentity();
+        if (groupCreatedBy.id !== identity.id) {
+          continue;
+        }
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true,
+          pw: relatedEntriesPermissions.pw
+        });
+        continue;
+      }
+      if (groupPermissions.groups) {
+        const {
+          groups
+        } = groupPermissions;
+        if (!Array.isArray(groups[model.locale])) {
+          continue;
+        }
+        if (!groups[model.locale].includes(model.group.id)) {
+          continue;
+        }
+      }
+      if (relatedModelsPermissions.own) {
+        const modelCreatedBy = model.createdBy;
+        if (!modelCreatedBy) {
+          continue;
+        }
+        const identity = await this.getIdentity();
+        if (modelCreatedBy.id !== identity.id) {
+          continue;
+        }
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true,
+          pw: relatedEntriesPermissions.pw
+        });
+      }
+      if (relatedModelsPermissions.models) {
+        if (!Array.isArray(relatedModelsPermissions.models[model.locale])) {
+          continue;
+        }
+        if (!relatedModelsPermissions.models[model.locale].includes(model.modelId)) {
+          continue;
+        }
+      }
+      const fullAccess = !relatedEntriesPermissions.rwd && !relatedEntriesPermissions.own && !relatedEntriesPermissions.models;
+      if (fullAccess) {
+        acl.push({
+          rwd: "rwd",
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true,
+          pw: "pu"
+        });
+        continue;
+      }
+      if (relatedEntriesPermissions.own) {
+        if ("entry" in params) {
+          const entryCreatedBy = params.entry?.createdBy;
+          if (!entryCreatedBy) {
+            continue;
+          }
+          const identity = await this.getIdentity();
+          if (entryCreatedBy.id !== identity.id) {
+            continue;
+          }
+        }
+        acl.push({
+          rwd: relatedEntriesPermissions.rwd,
+          canAccessNonOwned: false,
+          canAccessOnlyOwned: true,
+          pw: relatedEntriesPermissions.pw
+        });
+        continue;
+      }
+      acl.push({
+        rwd: relatedEntriesPermissions.rwd,
+        canAccessNonOwned: true,
+        canAccessOnlyOwned: false,
+        pw: relatedEntriesPermissions.pw
+      });
+    }
+    return acl;
+  }
+  async hasFullAccessToEntries(params) {
+    if (this.modelAuthorizationDisabled(params)) {
+      return true;
+    }
+    const permissions = await this.getEntriesPermissions();
+    return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));
+  }
+  modelAuthorizationDisabled(params) {
+    if ("authorization" in params.model) {
+      const {
+        authorization
+      } = params.model;
+      if (typeof authorization === "boolean") {
+        return authorization === false;
+      }
+      return authorization?.permissions === false;
+    }
+    return false;
+  }
+  async listAllGroups() {
+    if (this.allGroups === null) {
+      this.allGroups = this.listAllGroupsCallback();
+    }
+    return this.allGroups;
+  }
+  async getGroup(id) {
+    const groups = await this.listAllGroups();
+    return groups.find(group => group.id === id);
+  }
+}
+exports.AccessControl = AccessControl;
+//# sourceMappingURL=AccessControl.js.map

package/crud/AccessControl/AccessControl.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_apiSecurity","require","AccessControl","constructor","getIdentity","getGroupsPermissions","getModelsPermissions","getEntriesPermissions","listAllGroups","fullAccessPermissions","listAllGroupsCallback","allGroups","canAccessGroup","params","acl","getGroupsAccessControlList","canRead","find","ace","rwd","includes","hasRwd","ensureCanAccessGroup","canAccess","groupName","group","name","NotAuthorizedError","data","reason","canAccessNonOwnedGroups","some","canAccessNonOwned","canAccessOnlyOwnedGroups","hasFullAccessToGroups","canAccessOnlyOwned","groupsPermissionsList","groupsPermissions","own","modelGroupCreatedBy","createdBy","identity","id","push","groups","Array","isArray","locale","permissions","p","filter","Boolean","canAccessModel","getModelsAccessControlList","ensureCanAccessModel","modelName","model","canAccessNonOwnedModels","canAccessOnlyOwnedModels","hasFullAccessToModels","i","length","modelsPermissionsList","relatedModelPermissions","_src","getGroup","fullAccess","models","modelCreatedBy","modelId","modelAuthorizationDisabled","canAccessEntry","getEntriesAccessControlList","pw","hasPw","ensureCanAccessEntry","entry","entryId","canAccessNonOwnedEntries","canAccessOnlyOwnedEntries","hasFullAccessToEntries","groupPermissions","relatedModelsPermissions","entriesPermissionsList","relatedEntriesPermissions","groupCreatedBy","entryCreatedBy","authorization","exports"],"sources":["AccessControl.ts"],"sourcesContent":["import { NotAuthorizedError } from \"@webiny/api-security\";\nimport { SecurityIdentity } from \"@webiny/api-security/types\";\nimport {\n CmsEntry,\n CmsEntryPermission,\n CmsGroup,\n CmsGroupPermission,\n CmsModel,\n CmsModelPermission\n} from \"~/types\";\n\nexport interface AccessControlParams {\n getIdentity: () => SecurityIdentity | Promise<SecurityIdentity>;\n getGroupsPermissions: () => CmsGroupPermission[] | Promise<CmsGroupPermission[]>;\n getModelsPermissions: () => CmsModelPermission[] | Promise<CmsModelPermission[]>;\n getEntriesPermissions: () => CmsEntryPermission[] | Promise<CmsEntryPermission[]>;\n listAllGroups: () => Promise<CmsGroup[]>;\n}\n\ninterface GetGroupsAccessControlListParams {\n group?: CmsGroup;\n}\n\ninterface CanAccessGroupParams extends GetGroupsAccessControlListParams {\n rwd?: string;\n}\n\ninterface GetModelsAccessControlListParams {\n model?: CmsModel;\n}\n\ninterface CanAccessModelParams extends GetModelsAccessControlListParams {\n rwd?: string;\n}\n\ninterface GetEntriesAccessControlListParams {\n model: CmsModel;\n entry?: CmsEntry;\n}\n\ninterface CanAccessEntryParams extends GetEntriesAccessControlListParams {\n rwd?: string;\n pw?: string;\n}\n\ninterface AccessControlEntry {\n rwd: string;\n canAccessNonOwned: boolean;\n canAccessOnlyOwned: boolean;\n}\n\ntype AccessControlList = AccessControlEntry[];\n\ninterface EntriesAccessControlEntry extends AccessControlEntry {\n pw?: string;\n}\n\ntype EntriesAccessControlList = EntriesAccessControlEntry[];\n\nexport class AccessControl {\n getIdentity: AccessControlParams[\"getIdentity\"];\n getGroupsPermissions: AccessControlParams[\"getGroupsPermissions\"];\n getModelsPermissions: AccessControlParams[\"getModelsPermissions\"];\n getEntriesPermissions: AccessControlParams[\"getEntriesPermissions\"];\n listAllGroupsCallback: AccessControlParams[\"listAllGroups\"];\n\n private fullAccessPermissions: string[];\n private allGroups: null | CmsGroup[] | Promise<CmsGroup[]>;\n\n constructor({\n getIdentity,\n getGroupsPermissions,\n getModelsPermissions,\n getEntriesPermissions,\n listAllGroups\n }: AccessControlParams) {\n this.getIdentity = getIdentity;\n this.getGroupsPermissions = getGroupsPermissions;\n this.getModelsPermissions = getModelsPermissions;\n this.getEntriesPermissions = getEntriesPermissions;\n this.fullAccessPermissions = [\"*\", \"cms.*\"];\n this.listAllGroupsCallback = listAllGroups;\n this.allGroups = null;\n }\n\n /**\n * Groups-related methods below. 👇\n * - canAccessGroup\n * - ensureCanAccessGroup\n * - canAccessNonOwnedGroups\n * - canAccessOnlyOwnedGroups\n * - getGroupsAccessControlList\n * - hasFullAccessToGroups\n */\n\n async canAccessGroup(params: CanAccessGroupParams = {}) {\n const acl = await this.getGroupsAccessControlList(params);\n\n const canRead = acl.find(ace => ace.rwd?.includes(\"r\"));\n if (!canRead) {\n return false;\n }\n\n const { rwd } = params;\n if (rwd) {\n const hasRwd = acl.find(ace => ace.rwd.includes(rwd));\n if (!hasRwd) {\n return false;\n }\n }\n\n return true;\n }\n\n async ensureCanAccessGroup(params: CanAccessGroupParams = {}) {\n const canAccess = await this.canAccessGroup(params);\n if (canAccess) {\n return;\n }\n\n if (\"group\" in params) {\n let groupName = \"(could not determine name)\";\n if (params.group?.name) {\n groupName = `\"${params.group.name}\"`;\n }\n\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access content model group ${groupName}.`\n }\n });\n }\n\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access content model groups.`\n }\n });\n }\n\n async canAccessNonOwnedGroups(params: GetGroupsAccessControlListParams) {\n const acl = await this.getGroupsAccessControlList(params);\n return acl.some(ace => ace.canAccessNonOwned);\n }\n\n async canAccessOnlyOwnedGroups(params: GetGroupsAccessControlListParams) {\n const canAccessNonOwned = await this.canAccessNonOwnedGroups(params);\n return !canAccessNonOwned;\n }\n\n async getGroupsAccessControlList(\n params: GetGroupsAccessControlListParams\n ): Promise<AccessControlList> {\n if (await this.hasFullAccessToGroups()) {\n return [{ rwd: \"rwd\", canAccessNonOwned: true, canAccessOnlyOwned: false }];\n }\n\n const groupsPermissionsList = await this.getGroupsPermissions();\n const acl: AccessControlList = [];\n\n for (const groupsPermissions of groupsPermissionsList) {\n if (groupsPermissions.own) {\n if (\"group\" in params) {\n const modelGroupCreatedBy = params.group?.createdBy;\n if (!modelGroupCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n\n if (modelGroupCreatedBy.id !== identity.id) {\n continue;\n }\n }\n\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true\n });\n }\n\n if (groupsPermissions.groups) {\n if (\"group\" in params) {\n const { group } = params;\n if (!group) {\n continue;\n }\n\n const { groups } = groupsPermissions;\n if (!Array.isArray(groups[group.locale])) {\n continue;\n }\n\n if (!groups[group.locale].includes(group.id)) {\n continue;\n }\n }\n }\n\n acl.push({\n rwd: groupsPermissions.rwd as string,\n canAccessNonOwned: true,\n canAccessOnlyOwned: false\n });\n }\n\n return acl;\n }\n\n async hasFullAccessToGroups() {\n const permissions = await this.getGroupsPermissions();\n return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));\n }\n\n /**\n * Models-related methods below. 👇\n * - canAccessModel\n * - ensureCanAccessModel\n * - canAccessNonOwnedModels\n * - canAccessOnlyOwnedModels\n * - getModelsAccessControlList\n * - hasFullAccessToModels\n */\n\n async canAccessModel(params: CanAccessModelParams) {\n const acl = await this.getModelsAccessControlList(params);\n\n const canRead = acl.find(ace => ace.rwd.includes(\"r\"));\n if (!canRead) {\n return false;\n }\n\n const { rwd } = params;\n if (rwd) {\n const hasRwd = acl.find(ace => ace.rwd.includes(rwd));\n if (!hasRwd) {\n return false;\n }\n }\n\n return true;\n }\n\n async ensureCanAccessModel(params: CanAccessModelParams = {}) {\n const canAccess = await this.canAccessModel(params);\n if (canAccess) {\n return;\n }\n\n if (\"model\" in params) {\n let modelName = \"(could not determine name)\";\n if (params.model?.name) {\n modelName = `\"${params.model.name}\"`;\n }\n\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access content model ${modelName}.`\n }\n });\n }\n\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access content models.`\n }\n });\n }\n\n async canAccessNonOwnedModels(params: GetModelsAccessControlListParams) {\n const acl = await this.getModelsAccessControlList(params);\n return acl.some(ace => ace.canAccessNonOwned);\n }\n\n async canAccessOnlyOwnedModels(params: GetModelsAccessControlListParams) {\n const canAccessNonOwned = await this.canAccessNonOwnedModels(params);\n return !canAccessNonOwned;\n }\n\n async getModelsAccessControlList(\n params: GetModelsAccessControlListParams\n ): Promise<AccessControlList> {\n if (await this.hasFullAccessToModels(params)) {\n return [{ rwd: \"rwd\", canAccessNonOwned: true, canAccessOnlyOwned: false }];\n }\n\n const groupsPermissionsList = await this.getGroupsPermissions();\n const acl: AccessControlList = [];\n\n for (let i = 0; i < groupsPermissionsList.length; i++) {\n const groupsPermissions = groupsPermissionsList[i];\n\n const modelsPermissionsList = await this.getModelsPermissions();\n const relatedModelPermissions = modelsPermissionsList.find(\n permissions => permissions._src === groupsPermissions._src\n );\n\n if (!relatedModelPermissions) {\n continue;\n }\n\n if (groupsPermissions.own) {\n if (\"model\" in params) {\n const { model } = params;\n if (!model) {\n continue;\n }\n\n const group = await this.getGroup(model.group.id);\n if (!group) {\n continue;\n }\n\n const modelGroupCreatedBy = group.createdBy;\n if (!modelGroupCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n if (modelGroupCreatedBy.id !== identity.id) {\n continue;\n }\n }\n\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true\n });\n\n continue;\n }\n\n if (groupsPermissions.groups) {\n if (\"model\" in params) {\n const { model } = params;\n if (!model) {\n continue;\n }\n\n if (!Array.isArray(groupsPermissions.groups[model.locale])) {\n continue;\n }\n\n if (!groupsPermissions.groups[model.locale].includes(model.group.id)) {\n continue;\n }\n }\n }\n\n const fullAccess =\n !relatedModelPermissions.rwd &&\n !relatedModelPermissions.own &&\n !relatedModelPermissions.models;\n\n if (fullAccess) {\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: true,\n canAccessOnlyOwned: false\n });\n\n continue;\n }\n\n if (relatedModelPermissions.own) {\n if (\"model\" in params) {\n if (!params.model) {\n continue;\n }\n\n const modelCreatedBy = params.model.createdBy;\n if (!modelCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n if (modelCreatedBy.id !== identity.id) {\n continue;\n }\n }\n\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true\n });\n\n continue;\n }\n\n if (relatedModelPermissions.models) {\n const { models } = relatedModelPermissions;\n if (\"model\" in params) {\n if (!params.model) {\n continue;\n }\n\n if (!Array.isArray(models[params.model.locale])) {\n continue;\n }\n\n if (!models[params.model.locale].includes(params.model.modelId)) {\n continue;\n }\n }\n }\n\n acl.push({\n rwd: relatedModelPermissions.rwd as string,\n canAccessNonOwned: true,\n canAccessOnlyOwned: false\n });\n }\n\n return acl;\n }\n\n async hasFullAccessToModels(params: GetModelsAccessControlListParams) {\n const { model } = params;\n if (model) {\n if (this.modelAuthorizationDisabled({ model })) {\n return true;\n }\n }\n\n const permissions = await this.getModelsPermissions();\n return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));\n }\n\n /**\n * Entries-related methods below. 👇\n * - canAccessEntry\n * - ensureCanAccessEntry\n * - canAccessNonOwnedEntries\n * - canAccessOnlyOwnedEntries\n * - getEntriesAccessControlList\n * - hasFullAccessToEntries\n */\n\n async canAccessEntry(params: CanAccessEntryParams) {\n const acl = await this.getEntriesAccessControlList(params);\n\n const canRead = acl.find(ace => ace.rwd.includes(\"r\"));\n if (!canRead) {\n return false;\n }\n\n const { rwd } = params;\n if (rwd) {\n const hasRwd = acl.find(ace => ace.rwd.includes(rwd));\n if (!hasRwd) {\n return false;\n }\n }\n\n const { pw } = params;\n if (pw) {\n const hasPw = acl.find(ace => ace.pw?.includes(pw));\n if (!hasPw) {\n return false;\n }\n }\n\n return true;\n }\n\n async ensureCanAccessEntry(params: CanAccessEntryParams) {\n const canAccess = await this.canAccessEntry(params);\n if (!canAccess) {\n if (params.entry) {\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access entry \"${params.entry.entryId}\".`\n }\n });\n }\n\n throw new NotAuthorizedError({\n data: {\n reason: `Not allowed to access \"${params.model.modelId}\" entries.`\n }\n });\n }\n }\n\n async canAccessNonOwnedEntries(params: GetEntriesAccessControlListParams) {\n const acl = await this.getEntriesAccessControlList(params);\n return acl.some(ace => ace.canAccessNonOwned);\n }\n\n async canAccessOnlyOwnedEntries(params: GetEntriesAccessControlListParams) {\n const canAccessNonOwned = await this.canAccessNonOwnedEntries(params);\n return !canAccessNonOwned;\n }\n\n async getEntriesAccessControlList(\n params: GetEntriesAccessControlListParams\n ): Promise<EntriesAccessControlList> {\n if (await this.hasFullAccessToEntries(params)) {\n return [{ rwd: \"rwd\", pw: \"pu\", canAccessNonOwned: true, canAccessOnlyOwned: false }];\n }\n\n const { model } = params;\n const groupsPermissionsList = await this.getGroupsPermissions();\n const acl: EntriesAccessControlList = [];\n\n for (let i = 0; i < groupsPermissionsList.length; i++) {\n const groupPermissions = groupsPermissionsList[i];\n\n const modelsPermissionsList = await this.getModelsPermissions();\n const relatedModelsPermissions = modelsPermissionsList.find(\n permissions => permissions._src === groupPermissions._src\n );\n\n if (!relatedModelsPermissions) {\n continue;\n }\n\n const entriesPermissionsList = await this.getEntriesPermissions();\n const relatedEntriesPermissions = entriesPermissionsList.find(\n permissions => permissions._src === groupPermissions._src\n );\n\n if (!relatedEntriesPermissions) {\n continue;\n }\n\n if (groupPermissions.own) {\n const group = await this.getGroup(model.group.id);\n if (!group) {\n continue;\n }\n\n const groupCreatedBy = group.createdBy;\n if (!groupCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n if (groupCreatedBy.id !== identity.id) {\n continue;\n }\n\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true,\n pw: relatedEntriesPermissions.pw\n });\n\n continue;\n }\n\n if (groupPermissions.groups) {\n const { groups } = groupPermissions;\n\n if (!Array.isArray(groups[model.locale])) {\n continue;\n }\n\n if (!groups[model.locale].includes(model.group.id)) {\n continue;\n }\n }\n\n if (relatedModelsPermissions.own) {\n const modelCreatedBy = model.createdBy;\n if (!modelCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n if (modelCreatedBy.id !== identity.id) {\n continue;\n }\n\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true,\n pw: relatedEntriesPermissions.pw\n });\n }\n\n if (relatedModelsPermissions.models) {\n if (!Array.isArray(relatedModelsPermissions.models[model.locale])) {\n continue;\n }\n\n if (!relatedModelsPermissions.models[model.locale].includes(model.modelId)) {\n continue;\n }\n }\n\n const fullAccess =\n !relatedEntriesPermissions.rwd &&\n !relatedEntriesPermissions.own &&\n !relatedEntriesPermissions.models;\n\n if (fullAccess) {\n acl.push({\n rwd: \"rwd\",\n canAccessNonOwned: false,\n canAccessOnlyOwned: true,\n pw: \"pu\"\n });\n\n continue;\n }\n\n if (relatedEntriesPermissions.own) {\n if (\"entry\" in params) {\n const entryCreatedBy = params.entry?.createdBy;\n if (!entryCreatedBy) {\n continue;\n }\n\n const identity = await this.getIdentity();\n if (entryCreatedBy.id !== identity.id) {\n continue;\n }\n }\n\n acl.push({\n rwd: relatedEntriesPermissions.rwd,\n canAccessNonOwned: false,\n canAccessOnlyOwned: true,\n pw: relatedEntriesPermissions.pw\n });\n\n continue;\n }\n\n acl.push({\n rwd: relatedEntriesPermissions.rwd,\n canAccessNonOwned: true,\n canAccessOnlyOwned: false,\n pw: relatedEntriesPermissions.pw\n });\n }\n\n return acl;\n }\n\n async hasFullAccessToEntries(params: GetEntriesAccessControlListParams) {\n if (this.modelAuthorizationDisabled(params)) {\n return true;\n }\n\n const permissions = await this.getEntriesPermissions();\n return permissions.some(p => this.fullAccessPermissions.filter(Boolean).includes(p.name));\n }\n\n private modelAuthorizationDisabled(params: { model: CmsModel }) {\n if (\"authorization\" in params.model) {\n const { authorization } = params.model;\n if (typeof authorization === \"boolean\") {\n return authorization === false;\n }\n\n return authorization?.permissions === false;\n }\n\n return false;\n }\n\n async listAllGroups(): Promise<CmsGroup[]> {\n if (this.allGroups === null) {\n this.allGroups = this.listAllGroupsCallback();\n }\n\n return this.allGroups;\n }\n\n async getGroup(id: string): Promise<CmsGroup | undefined> {\n const groups = await this.listAllGroups();\n return groups.find(group => group.id === id);\n }\n}\n"],"mappings":";;;;;;AAAA,IAAAA,YAAA,GAAAC,OAAA;AA2DO,MAAMC,aAAa,CAAC;EAUvBC,WAAWA,CAAC;IACRC,WAAW;IACXC,oBAAoB;IACpBC,oBAAoB;IACpBC,qBAAqB;IACrBC;EACiB,CAAC,EAAE;IACpB,IAAI,CAACJ,WAAW,GAAGA,WAAW;IAC9B,IAAI,CAACC,oBAAoB,GAAGA,oBAAoB;IAChD,IAAI,CAACC,oBAAoB,GAAGA,oBAAoB;IAChD,IAAI,CAACC,qBAAqB,GAAGA,qBAAqB;IAClD,IAAI,CAACE,qBAAqB,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC;IAC3C,IAAI,CAACC,qBAAqB,GAAGF,aAAa;IAC1C,IAAI,CAACG,SAAS,GAAG,IAAI;EACzB;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;EAEI,MAAMC,cAAcA,CAACC,MAA4B,GAAG,CAAC,CAAC,EAAE;IACpD,MAAMC,GAAG,GAAG,MAAM,IAAI,CAACC,0BAA0B,CAACF,MAAM,CAAC;IAEzD,MAAMG,OAAO,GAAGF,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,EAAEC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,CAACJ,OAAO,EAAE;MACV,OAAO,KAAK;IAChB;IAEA,MAAM;MAAEG;IAAI,CAAC,GAAGN,MAAM;IACtB,IAAIM,GAAG,EAAE;MACL,MAAME,MAAM,GAAGP,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,CAACC,QAAQ,CAACD,GAAG,CAAC,CAAC;MACrD,IAAI,CAACE,MAAM,EAAE;QACT,OAAO,KAAK;MAChB;IACJ;IAEA,OAAO,IAAI;EACf;EAEA,MAAMC,oBAAoBA,CAACT,MAA4B,GAAG,CAAC,CAAC,EAAE;IAC1D,MAAMU,SAAS,GAAG,MAAM,IAAI,CAACX,cAAc,CAACC,MAAM,CAAC;IACnD,IAAIU,SAAS,EAAE;MACX;IACJ;IAEA,IAAI,OAAO,IAAIV,MAAM,EAAE;MACnB,IAAIW,SAAS,GAAG,4BAA4B;MAC5C,IAAIX,MAAM,CAACY,KAAK,EAAEC,IAAI,EAAE;QACpBF,SAAS,GAAI,IAAGX,MAAM,CAACY,KAAK,CAACC,IAAK,GAAE;MACxC;MAEA,MAAM,IAAIC,+BAAkB,CAAC;QACzBC,IAAI,EAAE;UACFC,MAAM,EAAG,6CAA4CL,SAAU;QACnE;MACJ,CAAC,CAAC;IACN;IAEA,MAAM,IAAIG,+BAAkB,CAAC;MACzBC,IAAI,EAAE;QACFC,MAAM,EAAG;MACb;IACJ,CAAC,CAAC;EACN;EAEA,MAAMC,uBAAuBA,CAACjB,MAAwC,EAAE;IACpE,MAAMC,GAAG,GAAG,MAAM,IAAI,CAACC,0BAA0B,CAACF,MAAM,CAAC;IACzD,OAAOC,GAAG,CAACiB,IAAI,CAACb,GAAG,IAAIA,GAAG,CAACc,iBAAiB,CAAC;EACjD;EAEA,MAAMC,wBAAwBA,CAACpB,MAAwC,EAAE;IACrE,MAAMmB,iBAAiB,GAAG,MAAM,IAAI,CAACF,uBAAuB,CAACjB,MAAM,CAAC;IACpE,OAAO,CAACmB,iBAAiB;EAC7B;EAEA,MAAMjB,0BAA0BA,CAC5BF,MAAwC,EACd;IAC1B,IAAI,MAAM,IAAI,CAACqB,qBAAqB,CAAC,CAAC,EAAE;MACpC,OAAO,CAAC;QAAEf,GAAG,EAAE,KAAK;QAAEa,iBAAiB,EAAE,IAAI;QAAEG,kBAAkB,EAAE;MAAM,CAAC,CAAC;IAC/E;IAEA,MAAMC,qBAAqB,GAAG,MAAM,IAAI,CAAC/B,oBAAoB,CAAC,CAAC;IAC/D,MAAMS,GAAsB,GAAG,EAAE;IAEjC,KAAK,MAAMuB,iBAAiB,IAAID,qBAAqB,EAAE;MACnD,IAAIC,iBAAiB,CAACC,GAAG,EAAE;QACvB,IAAI,OAAO,IAAIzB,MAAM,EAAE;UACnB,MAAM0B,mBAAmB,GAAG1B,MAAM,CAACY,KAAK,EAAEe,SAAS;UACnD,IAAI,CAACD,mBAAmB,EAAE;YACtB;UACJ;UAEA,MAAME,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;UAEzC,IAAImC,mBAAmB,CAACG,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;YACxC;UACJ;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE;QACxB,CAAC,CAAC;MACN;MAEA,IAAIE,iBAAiB,CAACO,MAAM,EAAE;QAC1B,IAAI,OAAO,IAAI/B,MAAM,EAAE;UACnB,MAAM;YAAEY;UAAM,CAAC,GAAGZ,MAAM;UACxB,IAAI,CAACY,KAAK,EAAE;YACR;UACJ;UAEA,MAAM;YAAEmB;UAAO,CAAC,GAAGP,iBAAiB;UACpC,IAAI,CAACQ,KAAK,CAACC,OAAO,CAACF,MAAM,CAACnB,KAAK,CAACsB,MAAM,CAAC,CAAC,EAAE;YACtC;UACJ;UAEA,IAAI,CAACH,MAAM,CAACnB,KAAK,CAACsB,MAAM,CAAC,CAAC3B,QAAQ,CAACK,KAAK,CAACiB,EAAE,CAAC,EAAE;YAC1C;UACJ;QACJ;MACJ;MAEA5B,GAAG,CAAC6B,IAAI,CAAC;QACLxB,GAAG,EAAEkB,iBAAiB,CAAClB,GAAa;QACpCa,iBAAiB,EAAE,IAAI;QACvBG,kBAAkB,EAAE;MACxB,CAAC,CAAC;IACN;IAEA,OAAOrB,GAAG;EACd;EAEA,MAAMoB,qBAAqBA,CAAA,EAAG;IAC1B,MAAMc,WAAW,GAAG,MAAM,IAAI,CAAC3C,oBAAoB,CAAC,CAAC;IACrD,OAAO2C,WAAW,CAACjB,IAAI,CAACkB,CAAC,IAAI,IAAI,CAACxC,qBAAqB,CAACyC,MAAM,CAACC,OAAO,CAAC,CAAC/B,QAAQ,CAAC6B,CAAC,CAACvB,IAAI,CAAC,CAAC;EAC7F;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;EAEI,MAAM0B,cAAcA,CAACvC,MAA4B,EAAE;IAC/C,MAAMC,GAAG,GAAG,MAAM,IAAI,CAACuC,0BAA0B,CAACxC,MAAM,CAAC;IAEzD,MAAMG,OAAO,GAAGF,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,CAACC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACtD,IAAI,CAACJ,OAAO,EAAE;MACV,OAAO,KAAK;IAChB;IAEA,MAAM;MAAEG;IAAI,CAAC,GAAGN,MAAM;IACtB,IAAIM,GAAG,EAAE;MACL,MAAME,MAAM,GAAGP,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,CAACC,QAAQ,CAACD,GAAG,CAAC,CAAC;MACrD,IAAI,CAACE,MAAM,EAAE;QACT,OAAO,KAAK;MAChB;IACJ;IAEA,OAAO,IAAI;EACf;EAEA,MAAMiC,oBAAoBA,CAACzC,MAA4B,GAAG,CAAC,CAAC,EAAE;IAC1D,MAAMU,SAAS,GAAG,MAAM,IAAI,CAAC6B,cAAc,CAACvC,MAAM,CAAC;IACnD,IAAIU,SAAS,EAAE;MACX;IACJ;IAEA,IAAI,OAAO,IAAIV,MAAM,EAAE;MACnB,IAAI0C,SAAS,GAAG,4BAA4B;MAC5C,IAAI1C,MAAM,CAAC2C,KAAK,EAAE9B,IAAI,EAAE;QACpB6B,SAAS,GAAI,IAAG1C,MAAM,CAAC2C,KAAK,CAAC9B,IAAK,GAAE;MACxC;MAEA,MAAM,IAAIC,+BAAkB,CAAC;QACzBC,IAAI,EAAE;UACFC,MAAM,EAAG,uCAAsC0B,SAAU;QAC7D;MACJ,CAAC,CAAC;IACN;IAEA,MAAM,IAAI5B,+BAAkB,CAAC;MACzBC,IAAI,EAAE;QACFC,MAAM,EAAG;MACb;IACJ,CAAC,CAAC;EACN;EAEA,MAAM4B,uBAAuBA,CAAC5C,MAAwC,EAAE;IACpE,MAAMC,GAAG,GAAG,MAAM,IAAI,CAACuC,0BAA0B,CAACxC,MAAM,CAAC;IACzD,OAAOC,GAAG,CAACiB,IAAI,CAACb,GAAG,IAAIA,GAAG,CAACc,iBAAiB,CAAC;EACjD;EAEA,MAAM0B,wBAAwBA,CAAC7C,MAAwC,EAAE;IACrE,MAAMmB,iBAAiB,GAAG,MAAM,IAAI,CAACyB,uBAAuB,CAAC5C,MAAM,CAAC;IACpE,OAAO,CAACmB,iBAAiB;EAC7B;EAEA,MAAMqB,0BAA0BA,CAC5BxC,MAAwC,EACd;IAC1B,IAAI,MAAM,IAAI,CAAC8C,qBAAqB,CAAC9C,MAAM,CAAC,EAAE;MAC1C,OAAO,CAAC;QAAEM,GAAG,EAAE,KAAK;QAAEa,iBAAiB,EAAE,IAAI;QAAEG,kBAAkB,EAAE;MAAM,CAAC,CAAC;IAC/E;IAEA,MAAMC,qBAAqB,GAAG,MAAM,IAAI,CAAC/B,oBAAoB,CAAC,CAAC;IAC/D,MAAMS,GAAsB,GAAG,EAAE;IAEjC,KAAK,IAAI8C,CAAC,GAAG,CAAC,EAAEA,CAAC,GAAGxB,qBAAqB,CAACyB,MAAM,EAAED,CAAC,EAAE,EAAE;MACnD,MAAMvB,iBAAiB,GAAGD,qBAAqB,CAACwB,CAAC,CAAC;MAElD,MAAME,qBAAqB,GAAG,MAAM,IAAI,CAACxD,oBAAoB,CAAC,CAAC;MAC/D,MAAMyD,uBAAuB,GAAGD,qBAAqB,CAAC7C,IAAI,CACtD+B,WAAW,IAAIA,WAAW,CAACgB,IAAI,KAAK3B,iBAAiB,CAAC2B,IAC1D,CAAC;MAED,IAAI,CAACD,uBAAuB,EAAE;QAC1B;MACJ;MAEA,IAAI1B,iBAAiB,CAACC,GAAG,EAAE;QACvB,IAAI,OAAO,IAAIzB,MAAM,EAAE;UACnB,MAAM;YAAE2C;UAAM,CAAC,GAAG3C,MAAM;UACxB,IAAI,CAAC2C,KAAK,EAAE;YACR;UACJ;UAEA,MAAM/B,KAAK,GAAG,MAAM,IAAI,CAACwC,QAAQ,CAACT,KAAK,CAAC/B,KAAK,CAACiB,EAAE,CAAC;UACjD,IAAI,CAACjB,KAAK,EAAE;YACR;UACJ;UAEA,MAAMc,mBAAmB,GAAGd,KAAK,CAACe,SAAS;UAC3C,IAAI,CAACD,mBAAmB,EAAE;YACtB;UACJ;UAEA,MAAME,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;UACzC,IAAImC,mBAAmB,CAACG,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;YACxC;UACJ;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE;QACxB,CAAC,CAAC;QAEF;MACJ;MAEA,IAAIE,iBAAiB,CAACO,MAAM,EAAE;QAC1B,IAAI,OAAO,IAAI/B,MAAM,EAAE;UACnB,MAAM;YAAE2C;UAAM,CAAC,GAAG3C,MAAM;UACxB,IAAI,CAAC2C,KAAK,EAAE;YACR;UACJ;UAEA,IAAI,CAACX,KAAK,CAACC,OAAO,CAACT,iBAAiB,CAACO,MAAM,CAACY,KAAK,CAACT,MAAM,CAAC,CAAC,EAAE;YACxD;UACJ;UAEA,IAAI,CAACV,iBAAiB,CAACO,MAAM,CAACY,KAAK,CAACT,MAAM,CAAC,CAAC3B,QAAQ,CAACoC,KAAK,CAAC/B,KAAK,CAACiB,EAAE,CAAC,EAAE;YAClE;UACJ;QACJ;MACJ;MAEA,MAAMwB,UAAU,GACZ,CAACH,uBAAuB,CAAC5C,GAAG,IAC5B,CAAC4C,uBAAuB,CAACzB,GAAG,IAC5B,CAACyB,uBAAuB,CAACI,MAAM;MAEnC,IAAID,UAAU,EAAE;QACZpD,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,IAAI;UACvBG,kBAAkB,EAAE;QACxB,CAAC,CAAC;QAEF;MACJ;MAEA,IAAI4B,uBAAuB,CAACzB,GAAG,EAAE;QAC7B,IAAI,OAAO,IAAIzB,MAAM,EAAE;UACnB,IAAI,CAACA,MAAM,CAAC2C,KAAK,EAAE;YACf;UACJ;UAEA,MAAMY,cAAc,GAAGvD,MAAM,CAAC2C,KAAK,CAAChB,SAAS;UAC7C,IAAI,CAAC4B,cAAc,EAAE;YACjB;UACJ;UAEA,MAAM3B,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;UACzC,IAAIgE,cAAc,CAAC1B,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;YACnC;UACJ;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE;QACxB,CAAC,CAAC;QAEF;MACJ;MAEA,IAAI4B,uBAAuB,CAACI,MAAM,EAAE;QAChC,MAAM;UAAEA;QAAO,CAAC,GAAGJ,uBAAuB;QAC1C,IAAI,OAAO,IAAIlD,MAAM,EAAE;UACnB,IAAI,CAACA,MAAM,CAAC2C,KAAK,EAAE;YACf;UACJ;UAEA,IAAI,CAACX,KAAK,CAACC,OAAO,CAACqB,MAAM,CAACtD,MAAM,CAAC2C,KAAK,CAACT,MAAM,CAAC,CAAC,EAAE;YAC7C;UACJ;UAEA,IAAI,CAACoB,MAAM,CAACtD,MAAM,CAAC2C,KAAK,CAACT,MAAM,CAAC,CAAC3B,QAAQ,CAACP,MAAM,CAAC2C,KAAK,CAACa,OAAO,CAAC,EAAE;YAC7D;UACJ;QACJ;MACJ;MAEAvD,GAAG,CAAC6B,IAAI,CAAC;QACLxB,GAAG,EAAE4C,uBAAuB,CAAC5C,GAAa;QAC1Ca,iBAAiB,EAAE,IAAI;QACvBG,kBAAkB,EAAE;MACxB,CAAC,CAAC;IACN;IAEA,OAAOrB,GAAG;EACd;EAEA,MAAM6C,qBAAqBA,CAAC9C,MAAwC,EAAE;IAClE,MAAM;MAAE2C;IAAM,CAAC,GAAG3C,MAAM;IACxB,IAAI2C,KAAK,EAAE;MACP,IAAI,IAAI,CAACc,0BAA0B,CAAC;QAAEd;MAAM,CAAC,CAAC,EAAE;QAC5C,OAAO,IAAI;MACf;IACJ;IAEA,MAAMR,WAAW,GAAG,MAAM,IAAI,CAAC1C,oBAAoB,CAAC,CAAC;IACrD,OAAO0C,WAAW,CAACjB,IAAI,CAACkB,CAAC,IAAI,IAAI,CAACxC,qBAAqB,CAACyC,MAAM,CAACC,OAAO,CAAC,CAAC/B,QAAQ,CAAC6B,CAAC,CAACvB,IAAI,CAAC,CAAC;EAC7F;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;EAEI,MAAM6C,cAAcA,CAAC1D,MAA4B,EAAE;IAC/C,MAAMC,GAAG,GAAG,MAAM,IAAI,CAAC0D,2BAA2B,CAAC3D,MAAM,CAAC;IAE1D,MAAMG,OAAO,GAAGF,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,CAACC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACtD,IAAI,CAACJ,OAAO,EAAE;MACV,OAAO,KAAK;IAChB;IAEA,MAAM;MAAEG;IAAI,CAAC,GAAGN,MAAM;IACtB,IAAIM,GAAG,EAAE;MACL,MAAME,MAAM,GAAGP,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,GAAG,CAACC,QAAQ,CAACD,GAAG,CAAC,CAAC;MACrD,IAAI,CAACE,MAAM,EAAE;QACT,OAAO,KAAK;MAChB;IACJ;IAEA,MAAM;MAAEoD;IAAG,CAAC,GAAG5D,MAAM;IACrB,IAAI4D,EAAE,EAAE;MACJ,MAAMC,KAAK,GAAG5D,GAAG,CAACG,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACuD,EAAE,EAAErD,QAAQ,CAACqD,EAAE,CAAC,CAAC;MACnD,IAAI,CAACC,KAAK,EAAE;QACR,OAAO,KAAK;MAChB;IACJ;IAEA,OAAO,IAAI;EACf;EAEA,MAAMC,oBAAoBA,CAAC9D,MAA4B,EAAE;IACrD,MAAMU,SAAS,GAAG,MAAM,IAAI,CAACgD,cAAc,CAAC1D,MAAM,CAAC;IACnD,IAAI,CAACU,SAAS,EAAE;MACZ,IAAIV,MAAM,CAAC+D,KAAK,EAAE;QACd,MAAM,IAAIjD,+BAAkB,CAAC;UACzBC,IAAI,EAAE;YACFC,MAAM,EAAG,gCAA+BhB,MAAM,CAAC+D,KAAK,CAACC,OAAQ;UACjE;QACJ,CAAC,CAAC;MACN;MAEA,MAAM,IAAIlD,+BAAkB,CAAC;QACzBC,IAAI,EAAE;UACFC,MAAM,EAAG,0BAAyBhB,MAAM,CAAC2C,KAAK,CAACa,OAAQ;QAC3D;MACJ,CAAC,CAAC;IACN;EACJ;EAEA,MAAMS,wBAAwBA,CAACjE,MAAyC,EAAE;IACtE,MAAMC,GAAG,GAAG,MAAM,IAAI,CAAC0D,2BAA2B,CAAC3D,MAAM,CAAC;IAC1D,OAAOC,GAAG,CAACiB,IAAI,CAACb,GAAG,IAAIA,GAAG,CAACc,iBAAiB,CAAC;EACjD;EAEA,MAAM+C,yBAAyBA,CAAClE,MAAyC,EAAE;IACvE,MAAMmB,iBAAiB,GAAG,MAAM,IAAI,CAAC8C,wBAAwB,CAACjE,MAAM,CAAC;IACrE,OAAO,CAACmB,iBAAiB;EAC7B;EAEA,MAAMwC,2BAA2BA,CAC7B3D,MAAyC,EACR;IACjC,IAAI,MAAM,IAAI,CAACmE,sBAAsB,CAACnE,MAAM,CAAC,EAAE;MAC3C,OAAO,CAAC;QAAEM,GAAG,EAAE,KAAK;QAAEsD,EAAE,EAAE,IAAI;QAAEzC,iBAAiB,EAAE,IAAI;QAAEG,kBAAkB,EAAE;MAAM,CAAC,CAAC;IACzF;IAEA,MAAM;MAAEqB;IAAM,CAAC,GAAG3C,MAAM;IACxB,MAAMuB,qBAAqB,GAAG,MAAM,IAAI,CAAC/B,oBAAoB,CAAC,CAAC;IAC/D,MAAMS,GAA6B,GAAG,EAAE;IAExC,KAAK,IAAI8C,CAAC,GAAG,CAAC,EAAEA,CAAC,GAAGxB,qBAAqB,CAACyB,MAAM,EAAED,CAAC,EAAE,EAAE;MACnD,MAAMqB,gBAAgB,GAAG7C,qBAAqB,CAACwB,CAAC,CAAC;MAEjD,MAAME,qBAAqB,GAAG,MAAM,IAAI,CAACxD,oBAAoB,CAAC,CAAC;MAC/D,MAAM4E,wBAAwB,GAAGpB,qBAAqB,CAAC7C,IAAI,CACvD+B,WAAW,IAAIA,WAAW,CAACgB,IAAI,KAAKiB,gBAAgB,CAACjB,IACzD,CAAC;MAED,IAAI,CAACkB,wBAAwB,EAAE;QAC3B;MACJ;MAEA,MAAMC,sBAAsB,GAAG,MAAM,IAAI,CAAC5E,qBAAqB,CAAC,CAAC;MACjE,MAAM6E,yBAAyB,GAAGD,sBAAsB,CAAClE,IAAI,CACzD+B,WAAW,IAAIA,WAAW,CAACgB,IAAI,KAAKiB,gBAAgB,CAACjB,IACzD,CAAC;MAED,IAAI,CAACoB,yBAAyB,EAAE;QAC5B;MACJ;MAEA,IAAIH,gBAAgB,CAAC3C,GAAG,EAAE;QACtB,MAAMb,KAAK,GAAG,MAAM,IAAI,CAACwC,QAAQ,CAACT,KAAK,CAAC/B,KAAK,CAACiB,EAAE,CAAC;QACjD,IAAI,CAACjB,KAAK,EAAE;UACR;QACJ;QAEA,MAAM4D,cAAc,GAAG5D,KAAK,CAACe,SAAS;QACtC,IAAI,CAAC6C,cAAc,EAAE;UACjB;QACJ;QAEA,MAAM5C,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;QACzC,IAAIiF,cAAc,CAAC3C,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;UACnC;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE,IAAI;UACxBsC,EAAE,EAAEW,yBAAyB,CAACX;QAClC,CAAC,CAAC;QAEF;MACJ;MAEA,IAAIQ,gBAAgB,CAACrC,MAAM,EAAE;QACzB,MAAM;UAAEA;QAAO,CAAC,GAAGqC,gBAAgB;QAEnC,IAAI,CAACpC,KAAK,CAACC,OAAO,CAACF,MAAM,CAACY,KAAK,CAACT,MAAM,CAAC,CAAC,EAAE;UACtC;QACJ;QAEA,IAAI,CAACH,MAAM,CAACY,KAAK,CAACT,MAAM,CAAC,CAAC3B,QAAQ,CAACoC,KAAK,CAAC/B,KAAK,CAACiB,EAAE,CAAC,EAAE;UAChD;QACJ;MACJ;MAEA,IAAIwC,wBAAwB,CAAC5C,GAAG,EAAE;QAC9B,MAAM8B,cAAc,GAAGZ,KAAK,CAAChB,SAAS;QACtC,IAAI,CAAC4B,cAAc,EAAE;UACjB;QACJ;QAEA,MAAM3B,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;QACzC,IAAIgE,cAAc,CAAC1B,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;UACnC;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE,IAAI;UACxBsC,EAAE,EAAEW,yBAAyB,CAACX;QAClC,CAAC,CAAC;MACN;MAEA,IAAIS,wBAAwB,CAACf,MAAM,EAAE;QACjC,IAAI,CAACtB,KAAK,CAACC,OAAO,CAACoC,wBAAwB,CAACf,MAAM,CAACX,KAAK,CAACT,MAAM,CAAC,CAAC,EAAE;UAC/D;QACJ;QAEA,IAAI,CAACmC,wBAAwB,CAACf,MAAM,CAACX,KAAK,CAACT,MAAM,CAAC,CAAC3B,QAAQ,CAACoC,KAAK,CAACa,OAAO,CAAC,EAAE;UACxE;QACJ;MACJ;MAEA,MAAMH,UAAU,GACZ,CAACkB,yBAAyB,CAACjE,GAAG,IAC9B,CAACiE,yBAAyB,CAAC9C,GAAG,IAC9B,CAAC8C,yBAAyB,CAACjB,MAAM;MAErC,IAAID,UAAU,EAAE;QACZpD,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAE,KAAK;UACVa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE,IAAI;UACxBsC,EAAE,EAAE;QACR,CAAC,CAAC;QAEF;MACJ;MAEA,IAAIW,yBAAyB,CAAC9C,GAAG,EAAE;QAC/B,IAAI,OAAO,IAAIzB,MAAM,EAAE;UACnB,MAAMyE,cAAc,GAAGzE,MAAM,CAAC+D,KAAK,EAAEpC,SAAS;UAC9C,IAAI,CAAC8C,cAAc,EAAE;YACjB;UACJ;UAEA,MAAM7C,QAAQ,GAAG,MAAM,IAAI,CAACrC,WAAW,CAAC,CAAC;UACzC,IAAIkF,cAAc,CAAC5C,EAAE,KAAKD,QAAQ,CAACC,EAAE,EAAE;YACnC;UACJ;QACJ;QAEA5B,GAAG,CAAC6B,IAAI,CAAC;UACLxB,GAAG,EAAEiE,yBAAyB,CAACjE,GAAG;UAClCa,iBAAiB,EAAE,KAAK;UACxBG,kBAAkB,EAAE,IAAI;UACxBsC,EAAE,EAAEW,yBAAyB,CAACX;QAClC,CAAC,CAAC;QAEF;MACJ;MAEA3D,GAAG,CAAC6B,IAAI,CAAC;QACLxB,GAAG,EAAEiE,yBAAyB,CAACjE,GAAG;QAClCa,iBAAiB,EAAE,IAAI;QACvBG,kBAAkB,EAAE,KAAK;QACzBsC,EAAE,EAAEW,yBAAyB,CAACX;MAClC,CAAC,CAAC;IACN;IAEA,OAAO3D,GAAG;EACd;EAEA,MAAMkE,sBAAsBA,CAACnE,MAAyC,EAAE;IACpE,IAAI,IAAI,CAACyD,0BAA0B,CAACzD,MAAM,CAAC,EAAE;MACzC,OAAO,IAAI;IACf;IAEA,MAAMmC,WAAW,GAAG,MAAM,IAAI,CAACzC,qBAAqB,CAAC,CAAC;IACtD,OAAOyC,WAAW,CAACjB,IAAI,CAACkB,CAAC,IAAI,IAAI,CAACxC,qBAAqB,CAACyC,MAAM,CAACC,OAAO,CAAC,CAAC/B,QAAQ,CAAC6B,CAAC,CAACvB,IAAI,CAAC,CAAC;EAC7F;EAEQ4C,0BAA0BA,CAACzD,MAA2B,EAAE;IAC5D,IAAI,eAAe,IAAIA,MAAM,CAAC2C,KAAK,EAAE;MACjC,MAAM;QAAE+B;MAAc,CAAC,GAAG1E,MAAM,CAAC2C,KAAK;MACtC,IAAI,OAAO+B,aAAa,KAAK,SAAS,EAAE;QACpC,OAAOA,aAAa,KAAK,KAAK;MAClC;MAEA,OAAOA,aAAa,EAAEvC,WAAW,KAAK,KAAK;IAC/C;IAEA,OAAO,KAAK;EAChB;EAEA,MAAMxC,aAAaA,CAAA,EAAwB;IACvC,IAAI,IAAI,CAACG,SAAS,KAAK,IAAI,EAAE;MACzB,IAAI,CAACA,SAAS,GAAG,IAAI,CAACD,qBAAqB,CAAC,CAAC;IACjD;IAEA,OAAO,IAAI,CAACC,SAAS;EACzB;EAEA,MAAMsD,QAAQA,CAACvB,EAAU,EAAiC;IACtD,MAAME,MAAM,GAAG,MAAM,IAAI,CAACpC,aAAa,CAAC,CAAC;IACzC,OAAOoC,MAAM,CAAC3B,IAAI,CAACQ,KAAK,IAAIA,KAAK,CAACiB,EAAE,KAAKA,EAAE,CAAC;EAChD;AACJ;AAAC8C,OAAA,CAAAtF,aAAA,GAAAA,aAAA"}

package/crud/AccessControl/README.md ADDED Viewed

@@ -0,0 +1,47 @@
+# How Access Control Works
+With Headless CMS, checking base permissions (access control) is a bit more interesting because the three types of permissions objects are related to each other. The three types of permissions are:
+1. `cms.contentModelGroup`
+2. `cms.contentModel`
+3. `cms.contentEntry`
+So, for example, when checking if a user can create content entries, it's not enough to check if the user has the `cms.contentEntry` permission. We also need to check if the user has the `cms.contentModel` permission for the content model the entry belongs to, and if the user has the `cms.contentModelGroup` permission for the content model group the content model belongs to.
+All of the above is handled by the `AccessControl` class, which provides a set of methods to check if a user has the necessary permissions to perform a specific action. The main methods that are used in CRUD operations-related code are:
+1. `canAccessGroup` (`ensureCanAccessGroup`): checks if a user has the necessary permissions to access a content model group.
+2. `canAccessModel` (`ensureCanAccessModel`): checks if a user has the necessary permissions to access a content model (takes into consideration the content model group permissions).
+3. `canAccessEntry` (`ensureCanAccessEntry`): checks if a user has the necessary permissions to access a content entry (takes into consideration the content model and content model group permissions).
+Note that all of these methods can accept an exact entity instance if needed, but it's not required. Both has its own use cases.
+For example, when checking if a user can access (read) a content entry, you can pass the entry instance to the `canAccessEntry` method, and it will check if the user has the necessary permissions to access that specific entry. On the other hand, if the entry instance was not passed, the method would check if the user has the necessary permissions to access (read) entries of the given content model.
+Note that, whenever possible, the entry should be passed to the method, as it's more secure and provides more accurate results. For example, it is possible to receive a `true` response when checking if a user can access a specific content model, but still receive `false` when the model was not passed (when checking if user can access / read models in general).
+## Folder Level Permissions
+With Folder Level Permissions, a user can be part of a team, that may have multiple roles that provide different Headless CMS-related permissions (more information [here](https://www.webiny.com/docs/enterprise/aacl/teams#overview)).
+The Access Control class is aware of this and ensures that only permissions objects from a single role are taken into consideration when checking if a user has the necessary permissions to perform a specific action. If permission objects from a single role do not provide the necessary permissions, the next role is checked, and so on.
+In order to achieve this, we're using the `_src` property that's assigned to each permission object. This property contains the role ID, and is used to filter out permissions objects that belong to a different role.
+## Interesting Permissions-related Logic
+### Only groups created by the user
+When choosing "Only groups created by the user" access scope via the `cms.contentModelGroup` permission, the user that possesses this permission can not only fully (r/w/d) access content models that belong to the content model groups that the user has created, but also content entries that belong to those content models.
+<img src="./groups-own.png">
+Note that only the entry publishing actions-related permissions are not automatically set here. They need to be defined when defining the role explicitly.
+### Only models created by the user
+When choosing "Only models created by the user" access scope via the `cms.contentModel` permission, the user that possesses this permission can not only fully (r/w/d) access content models that the user has created, but also content entries that belong to those content models.
+<img src="./models-own.png">
+Note that only the entry publishing actions-related permissions are not automatically set here. They need to be defined when defining the role explicitly.

package/crud/AccessControl/groups-own.png ADDED Viewed

Binary file

package/crud/AccessControl/models-own.png ADDED Viewed

Binary file