hola-server 1.0.6 → 1.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/core/meta.js +1 -0
- package/core/role.js +20 -10
- package/db/entity.js +25 -10
- package/http/session.js +19 -1
- package/index.js +2 -2
- package/package.json +1 -1
- package/router/clone.js +17 -3
- package/router/create.js +6 -6
- package/router/delete.js +13 -1
- package/router/read.js +50 -21
- package/router/update.js +38 -14
package/core/meta.js
CHANGED
|
@@ -251,6 +251,7 @@ class EntityMeta {
|
|
|
251
251
|
this.field_names = this.fields.map(field => field.name);
|
|
252
252
|
this.user_field = meta.user_field;
|
|
253
253
|
|
|
254
|
+
this.client_fields = this.fields.filter(field => field.sys != true);
|
|
254
255
|
this.property_fields = this.fields.filter(field => field.sys != true && field.secure != true);
|
|
255
256
|
this.create_fields = this.fields.filter(field => field.create != false && field.sys != true);
|
|
256
257
|
this.update_fields = this.fields.filter(field => field.create != false && field.update != false && field.sys != true);
|
package/core/role.js
CHANGED
|
@@ -44,22 +44,30 @@ const get_session_user_role = (req) => {
|
|
|
44
44
|
return user ? user.role : null;
|
|
45
45
|
}
|
|
46
46
|
|
|
47
|
+
/**
|
|
48
|
+
*
|
|
49
|
+
* @param {*} req
|
|
50
|
+
*/
|
|
51
|
+
const is_root_user = (req) => {
|
|
52
|
+
return is_root_role(get_session_user_role(req));
|
|
53
|
+
}
|
|
54
|
+
|
|
47
55
|
/**
|
|
48
56
|
* Get the meta mode based on user's role
|
|
49
57
|
* @param {request} req
|
|
50
58
|
* @param {meta} meta
|
|
51
59
|
* @returns
|
|
52
60
|
*/
|
|
53
|
-
const
|
|
61
|
+
const get_user_role_right = (req, meta) => {
|
|
54
62
|
const settings = get_settings();
|
|
55
63
|
//no role defined in settings or no roles defined in meta, use meta mode
|
|
56
64
|
if (!settings.roles || !meta.roles) {
|
|
57
|
-
return meta.mode;
|
|
65
|
+
return [meta.mode, "*"];
|
|
58
66
|
}
|
|
59
67
|
|
|
60
68
|
const user_role = get_session_user_role(req);
|
|
61
69
|
if (!user_role) {
|
|
62
|
-
return "";
|
|
70
|
+
return ["", ""];
|
|
63
71
|
}
|
|
64
72
|
|
|
65
73
|
if (is_valid_role(user_role)) {
|
|
@@ -69,17 +77,18 @@ const get_user_role_mode = (req, meta) => {
|
|
|
69
77
|
const role_settings = role.split(":");
|
|
70
78
|
const role_name = role_settings[0];
|
|
71
79
|
const role_mode = role_settings[1];
|
|
80
|
+
const role_view = role_settings.length == 3 ? role_settings[2] : "*";
|
|
72
81
|
if (user_role == role_name) {
|
|
73
82
|
// * stands to get the mode from meta definition
|
|
74
83
|
if (role_mode == "*") {
|
|
75
|
-
return meta.mode;
|
|
84
|
+
return [meta.mode, role_view];
|
|
76
85
|
} else {
|
|
77
|
-
return role_mode;
|
|
86
|
+
return [role_mode, role_view];
|
|
78
87
|
}
|
|
79
88
|
}
|
|
80
89
|
}
|
|
81
90
|
}
|
|
82
|
-
return "";
|
|
91
|
+
return ["", ""];
|
|
83
92
|
}
|
|
84
93
|
|
|
85
94
|
/**
|
|
@@ -87,11 +96,12 @@ const get_user_role_mode = (req, meta) => {
|
|
|
87
96
|
* @param {http request} req
|
|
88
97
|
* @param {meta defination} meta
|
|
89
98
|
* @param {meta mode} mode
|
|
99
|
+
* @param {view} view
|
|
90
100
|
* @returns
|
|
91
101
|
*/
|
|
92
|
-
const check_user_role = (req, meta, mode) => {
|
|
93
|
-
const role_mode =
|
|
94
|
-
return role_mode.includes(mode);
|
|
102
|
+
const check_user_role = (req, meta, mode, view) => {
|
|
103
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
104
|
+
return role_mode.includes(mode) && (role_view == "*" || role_view.includes(view));
|
|
95
105
|
}
|
|
96
106
|
|
|
97
|
-
module.exports = { is_root_role, validate_meta_role, check_user_role,
|
|
107
|
+
module.exports = { is_root_role, is_root_user, validate_meta_role, check_user_role, get_user_role_right };
|
package/db/entity.js
CHANGED
|
@@ -188,7 +188,7 @@ class Entity {
|
|
|
188
188
|
* @param {search object and all the search attributes object} param_obj
|
|
189
189
|
* @returns
|
|
190
190
|
*/
|
|
191
|
-
async list_entity(query_params, query, param_obj) {
|
|
191
|
+
async list_entity(query_params, query, param_obj, view) {
|
|
192
192
|
const error_required_field_names = validate_required_fields(query_params, ["attr_names", "sort_by", "desc"]);
|
|
193
193
|
if (error_required_field_names.length > 0) {
|
|
194
194
|
if (is_log_error()) {
|
|
@@ -206,7 +206,9 @@ class Entity {
|
|
|
206
206
|
sort[value] = descs[index] === "false" ? 1 : -1;
|
|
207
207
|
});
|
|
208
208
|
|
|
209
|
-
const
|
|
209
|
+
const list_fields = view && view !== "*" ? this.meta.list_fields.filter(field => Array.isArray(field.view) ? this.contain_view(field.view, view) || field.view.includes("*") : view.includes(field.view) || field.view === "*") : this.meta.list_fields;
|
|
210
|
+
const list_field_names = list_fields.map(f => f.name);
|
|
211
|
+
|
|
210
212
|
const ref_fields = [];
|
|
211
213
|
const link_fields = [];
|
|
212
214
|
|
|
@@ -337,8 +339,8 @@ class Entity {
|
|
|
337
339
|
* @param {param obj from user input} param_obj
|
|
338
340
|
* @returns object with code and err
|
|
339
341
|
*/
|
|
340
|
-
async clone_entity(_id, param_obj) {
|
|
341
|
-
const fields = this.meta.clone_fields
|
|
342
|
+
async clone_entity(_id, param_obj, view) {
|
|
343
|
+
const fields = view && view !== "*" ? this.meta.clone_fields.filter(field => Array.isArray(field.view) ? field.view.includes(view) || field.view.includes("*") : field.view === view || field.view === "*") : this.meta.clone_fields;
|
|
342
344
|
const { obj, error_field_names } = convert_type(param_obj, fields);
|
|
343
345
|
if (error_field_names.length > 0) {
|
|
344
346
|
if (is_log_error()) {
|
|
@@ -504,8 +506,9 @@ class Entity {
|
|
|
504
506
|
* @param {param object from user input} param_obj
|
|
505
507
|
*
|
|
506
508
|
*/
|
|
507
|
-
async batch_update_entity(_ids, param_obj) {
|
|
508
|
-
const
|
|
509
|
+
async batch_update_entity(_ids, param_obj, view) {
|
|
510
|
+
const update_fields = view && view !== "*" ? this.meta.update_fields.filter(field => Array.isArray(field.view) ? this.contain_view(field.view, view) || field.view.includes("*") : view.includes(field.view) || field.view === "*") : this.meta.update_fields;
|
|
511
|
+
const { obj, error_field_names } = convert_update_type(param_obj, update_fields);
|
|
509
512
|
if (error_field_names.length > 0) {
|
|
510
513
|
if (is_log_error()) {
|
|
511
514
|
log_error(LOG_ENTITY, "batch_update_entity error fields:" + JSON.stringify(error_field_names));
|
|
@@ -562,6 +565,15 @@ class Entity {
|
|
|
562
565
|
return { code: SUCCESS };
|
|
563
566
|
}
|
|
564
567
|
|
|
568
|
+
contain_view(array, view) {
|
|
569
|
+
for (let i = 0; i < array.length; i++) {
|
|
570
|
+
if (view.includes(array[i])) {
|
|
571
|
+
return true;
|
|
572
|
+
}
|
|
573
|
+
}
|
|
574
|
+
return false;
|
|
575
|
+
}
|
|
576
|
+
|
|
565
577
|
/**
|
|
566
578
|
* Use objectid to read entity properties. Validate the param object and invoke the logic to read entity properties.
|
|
567
579
|
* This method doesn't convert ref property, so all the ref properties are objectid of the ref entity.
|
|
@@ -570,7 +582,7 @@ class Entity {
|
|
|
570
582
|
* @param {attr names to retrieve} attr_names
|
|
571
583
|
*
|
|
572
584
|
*/
|
|
573
|
-
async read_property(_id, attr_names) {
|
|
585
|
+
async read_property(_id, attr_names, view) {
|
|
574
586
|
const query = oid_query(_id);
|
|
575
587
|
if (query == null) {
|
|
576
588
|
if (is_log_error()) {
|
|
@@ -579,7 +591,8 @@ class Entity {
|
|
|
579
591
|
return { code: INVALID_PARAMS, err: ["_id"] };
|
|
580
592
|
}
|
|
581
593
|
|
|
582
|
-
const
|
|
594
|
+
const property_fields = view && view !== "*" ? this.meta.property_fields.filter(field => Array.isArray(field.view) ? this.contain_view(field.view, view) || field.view.includes("*") : view.includes(field.view) || field.view === "*") : this.meta.property_fields;
|
|
595
|
+
const field_names = property_fields.map(f => f.name);
|
|
583
596
|
const attrs = { _id: 1 };
|
|
584
597
|
attr_names.split(",").forEach((attr) => {
|
|
585
598
|
if (field_names.includes(attr)) {
|
|
@@ -605,7 +618,7 @@ class Entity {
|
|
|
605
618
|
* @param {attr names to retrieve} attr_names
|
|
606
619
|
*
|
|
607
620
|
*/
|
|
608
|
-
async read_entity(_id, attr_names) {
|
|
621
|
+
async read_entity(_id, attr_names, view) {
|
|
609
622
|
const query = oid_query(_id);
|
|
610
623
|
if (query == null) {
|
|
611
624
|
if (is_log_error()) {
|
|
@@ -621,7 +634,9 @@ class Entity {
|
|
|
621
634
|
return { code: INVALID_PARAMS, err: ["attr_names"] };
|
|
622
635
|
}
|
|
623
636
|
|
|
624
|
-
const
|
|
637
|
+
const property_fields = view && view !== "*" ? this.meta.property_fields.filter(field => Array.isArray(field.view) ? this.contain_view(field.view, view) || field.view.includes("*") : view.includes(field.view) || field.view === "*") : this.meta.property_fields;
|
|
638
|
+
const field_names = property_fields.map(f => f.name);
|
|
639
|
+
|
|
625
640
|
const ref_fields = [];
|
|
626
641
|
const link_fields = [];
|
|
627
642
|
const attrs = { _id: 1 };
|
package/http/session.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
const express_session = require('express-session');
|
|
2
2
|
const MongoStore = require('connect-mongo');
|
|
3
3
|
const { get_settings } = require('../setting');
|
|
4
|
+
const { is_root_user } = require('../core/role');
|
|
4
5
|
|
|
5
6
|
const init_session = (app) => {
|
|
6
7
|
const server = get_settings().server;
|
|
@@ -29,4 +30,21 @@ const get_session_user_groups = (req) => {
|
|
|
29
30
|
return group && Array.isArray(group) ? group : null;
|
|
30
31
|
}
|
|
31
32
|
|
|
32
|
-
|
|
33
|
+
const is_owner = async (req, meta, entity, query) => {
|
|
34
|
+
if (is_root_user(req)) {
|
|
35
|
+
return true;
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
if (meta.user_field) {
|
|
39
|
+
const user_id = get_session_userid(req);
|
|
40
|
+
if (user_id == null) {
|
|
41
|
+
throw new Error("no user id is found in session");
|
|
42
|
+
}
|
|
43
|
+
const user_query = {};
|
|
44
|
+
user_query[meta.user_field] = user_id;
|
|
45
|
+
return await entity.count({ ...query, ...user_query }) == 1;
|
|
46
|
+
}
|
|
47
|
+
return true;
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
module.exports = { init_session, get_session_userid, get_session_user_groups, is_owner };
|
package/index.js
CHANGED
|
@@ -5,7 +5,7 @@ const { init_router } = require('./http/router');
|
|
|
5
5
|
const { init_express_server } = require('./http/express');
|
|
6
6
|
const { register_type, get_type } = require('./core/type');
|
|
7
7
|
const { EntityMeta, get_entity_meta } = require('./core/meta');
|
|
8
|
-
const { is_root_role } = require('./core/role');
|
|
8
|
+
const { is_root_role, is_root_user, check_user_role, get_user_role_right } = require('./core/role');
|
|
9
9
|
const { url } = require('./core/url');
|
|
10
10
|
const array = require('./core/array');
|
|
11
11
|
const bash = require('./core/bash');
|
|
@@ -30,7 +30,7 @@ const { gen_i18n } = require('./tool/gen_i18n');
|
|
|
30
30
|
const { log_debug, log_info, log_warn, log_error, is_log_debug, is_log_info, is_log_warn, is_log_error, get_session_userid, oid_queries, oid_query } = require('./db/db');
|
|
31
31
|
|
|
32
32
|
module.exports = {
|
|
33
|
-
init_settings, is_root_role, init_express_server, init_router, register_type, get_type, get_db, url,
|
|
33
|
+
init_settings, is_root_role, is_root_user, check_user_role, get_user_role_right, init_express_server, init_router, register_type, get_type, get_db, url,
|
|
34
34
|
Entity, EntityMeta, get_entity_meta, array, bash, chart, cron, date, file, lhs, msg, number, obj, random, thread, validate, code, err, params, context, gridfs, gen_i18n,
|
|
35
35
|
log_debug, log_info, log_warn, log_error, is_log_debug, is_log_info, is_log_warn, is_log_error, get_session_userid, oid_queries, oid_query
|
|
36
36
|
};
|
package/package.json
CHANGED
package/router/clone.js
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
const { set_file_fields, save_file_fields_to_db } = require('../db/gridfs');
|
|
2
2
|
const { SUCCESS, NO_PARAMS, NO_RIGHTS } = require('../http/code');
|
|
3
|
-
const { get_session_userid } = require('../http/session');
|
|
3
|
+
const { get_session_userid, is_owner } = require('../http/session');
|
|
4
4
|
const { wrap_http } = require('../http/error');
|
|
5
5
|
const { post_params, required_post_params } = require('../http/params');
|
|
6
6
|
const { has_value } = require('../core/validate');
|
|
7
7
|
const { check_user_role } = require('../core/role');
|
|
8
|
+
const { oid_query } = require('../db/db');
|
|
8
9
|
const { Entity } = require('../db/entity');
|
|
9
10
|
|
|
10
11
|
const multer = require('multer');
|
|
@@ -20,7 +21,13 @@ const init_clone_router = function (router, meta) {
|
|
|
20
21
|
const cp_upload = meta.upload_fields.length > 0 ? upload_file.fields(meta.upload_fields) : upload_file.none();
|
|
21
22
|
|
|
22
23
|
router.post('/clone', cp_upload, wrap_http(async function (req, res) {
|
|
23
|
-
|
|
24
|
+
//which view to clone the entity
|
|
25
|
+
let { _view } = post_params(req, ["_view"]);
|
|
26
|
+
if (!_view) {
|
|
27
|
+
_view = "*";
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
const has_right = check_user_role(req, meta, "o", _view);
|
|
24
31
|
if (!has_right) {
|
|
25
32
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
26
33
|
return;
|
|
@@ -35,6 +42,13 @@ const init_clone_router = function (router, meta) {
|
|
|
35
42
|
const param_obj = post_params(req, meta.field_names);
|
|
36
43
|
set_file_fields(meta, req, param_obj);
|
|
37
44
|
|
|
45
|
+
const query = params["_id"] ? oid_query(params["_id"]) : entity.primary_key_query(param_obj);
|
|
46
|
+
const owner = await is_owner(req, meta, entity, query);
|
|
47
|
+
if (!owner) {
|
|
48
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
49
|
+
return;
|
|
50
|
+
}
|
|
51
|
+
|
|
38
52
|
if (meta.user_field) {
|
|
39
53
|
const user_id = get_session_userid(req);
|
|
40
54
|
if (user_id == null) {
|
|
@@ -43,7 +57,7 @@ const init_clone_router = function (router, meta) {
|
|
|
43
57
|
param_obj[meta.user_field] = user_id;
|
|
44
58
|
}
|
|
45
59
|
|
|
46
|
-
const { code, err } = await entity.clone_entity(params["_id"], param_obj);
|
|
60
|
+
const { code, err } = await entity.clone_entity(params["_id"], param_obj, _view);
|
|
47
61
|
if (!has_value(code)) {
|
|
48
62
|
throw new Error("the method should return code");
|
|
49
63
|
}
|
package/router/create.js
CHANGED
|
@@ -20,18 +20,18 @@ const init_create_router = function (router, meta) {
|
|
|
20
20
|
const cp_upload = meta.upload_fields.length > 0 ? upload_file.fields(meta.upload_fields) : upload_file.none();
|
|
21
21
|
|
|
22
22
|
router.post('/create', cp_upload, wrap_http(async function (req, res) {
|
|
23
|
-
const has_right = check_user_role(req, meta, "c");
|
|
24
|
-
if (!has_right) {
|
|
25
|
-
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
26
|
-
return;
|
|
27
|
-
}
|
|
28
|
-
|
|
29
23
|
//which view to create the entity
|
|
30
24
|
let { _view } = post_params(req, ["_view"]);
|
|
31
25
|
if (!_view) {
|
|
32
26
|
_view = "*";
|
|
33
27
|
}
|
|
34
28
|
|
|
29
|
+
const has_right = check_user_role(req, meta, "c", _view);
|
|
30
|
+
if (!has_right) {
|
|
31
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
32
|
+
return;
|
|
33
|
+
}
|
|
34
|
+
|
|
35
35
|
const param_obj = post_params(req, meta.field_names);
|
|
36
36
|
set_file_fields(meta, req, param_obj);
|
|
37
37
|
|
package/router/delete.js
CHANGED
|
@@ -2,6 +2,8 @@ const { required_post_params } = require('../http/params');
|
|
|
2
2
|
const { has_value } = require('../core/validate');
|
|
3
3
|
const { NO_PARAMS, NO_RIGHTS } = require('../http/code');
|
|
4
4
|
const { check_user_role } = require('../core/role');
|
|
5
|
+
const { is_owner } = require('../http/session');
|
|
6
|
+
const { oid_query } = require('../db/db');
|
|
5
7
|
const { wrap_http } = require('../http/error');
|
|
6
8
|
const { Entity } = require('../db/entity');
|
|
7
9
|
|
|
@@ -14,7 +16,7 @@ const init_delete_router = function (router, meta) {
|
|
|
14
16
|
const entity = new Entity(meta);
|
|
15
17
|
|
|
16
18
|
router.post('/delete', wrap_http(async function (req, res) {
|
|
17
|
-
const has_right = check_user_role(req, meta, "d");
|
|
19
|
+
const has_right = check_user_role(req, meta, "d", "*");
|
|
18
20
|
if (!has_right) {
|
|
19
21
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
20
22
|
return;
|
|
@@ -28,6 +30,16 @@ const init_delete_router = function (router, meta) {
|
|
|
28
30
|
|
|
29
31
|
const { ids } = params;
|
|
30
32
|
const id_array = ids.split(",");
|
|
33
|
+
|
|
34
|
+
for (let i = 0; i < id_array.length; i++) {
|
|
35
|
+
const id_query = oid_query(id_array[i]);
|
|
36
|
+
const owner = await is_owner(req, meta, entity, id_query);
|
|
37
|
+
if (!owner) {
|
|
38
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
39
|
+
return;
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
|
|
31
43
|
const { code, err } = await entity.delete_entity(id_array);
|
|
32
44
|
if (!has_value(code)) {
|
|
33
45
|
throw new Error("the delete_entity method should return code");
|
package/router/read.js
CHANGED
|
@@ -1,11 +1,21 @@
|
|
|
1
1
|
const { required_post_params, get_params } = require('../http/params');
|
|
2
2
|
const { has_value } = require('../core/validate');
|
|
3
3
|
const { NO_PARAMS, SUCCESS, NO_RIGHTS } = require('../http/code');
|
|
4
|
-
const { check_user_role,
|
|
5
|
-
const { get_session_userid, get_session_user_groups } = require('../http/session');
|
|
4
|
+
const { check_user_role, get_user_role_right } = require('../core/role');
|
|
5
|
+
const { get_session_userid, get_session_user_groups, is_owner } = require('../http/session');
|
|
6
6
|
const { wrap_http } = require('../http/error');
|
|
7
|
+
const { oid_query } = require('../db/db');
|
|
7
8
|
const { Entity } = require('../db/entity');
|
|
8
9
|
|
|
10
|
+
const contain_view = (array, view) => {
|
|
11
|
+
for (let i = 0; i < array.length; i++) {
|
|
12
|
+
if (view.includes(array[i])) {
|
|
13
|
+
return true;
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
return false;
|
|
17
|
+
}
|
|
18
|
+
|
|
9
19
|
/**
|
|
10
20
|
* init http read router
|
|
11
21
|
* @param {express router} router
|
|
@@ -15,35 +25,37 @@ const init_read_router = function (router, meta) {
|
|
|
15
25
|
const entity = new Entity(meta);
|
|
16
26
|
|
|
17
27
|
router.get('/meta', wrap_http(async function (req, res) {
|
|
18
|
-
const
|
|
28
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
29
|
+
const has_right = role_mode.includes("r");
|
|
19
30
|
if (!has_right) {
|
|
20
31
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
21
32
|
return;
|
|
22
33
|
}
|
|
23
34
|
|
|
35
|
+
const client_fields = role_view && role_view !== "*" ? meta.client_fields.filter(field => Array.isArray(field.view) ? contain_view(field.view, role_view) || field.view.includes("*") : role_view.includes(field.view) || field.view === "*") : meta.client_fields;
|
|
24
36
|
const entity_meta = {
|
|
25
|
-
creatable:
|
|
26
|
-
readable:
|
|
27
|
-
updatable:
|
|
28
|
-
deleteable:
|
|
29
|
-
cloneable:
|
|
30
|
-
importable:
|
|
31
|
-
exportable:
|
|
32
|
-
editable:
|
|
33
|
-
|
|
34
|
-
fields: meta.fields
|
|
37
|
+
creatable: role_mode.includes("c"),
|
|
38
|
+
readable: role_mode.includes("r"),
|
|
39
|
+
updatable: role_mode.includes("u"),
|
|
40
|
+
deleteable: role_mode.includes("d"),
|
|
41
|
+
cloneable: role_mode.includes("o"),
|
|
42
|
+
importable: role_mode.includes("i"),
|
|
43
|
+
exportable: role_mode.includes("e"),
|
|
44
|
+
editable: role_mode.includes("c") || role_mode.includes("u"),
|
|
45
|
+
fields: client_fields
|
|
35
46
|
}
|
|
36
47
|
res.json({ code: SUCCESS, data: entity_meta });
|
|
37
48
|
}));
|
|
38
49
|
|
|
39
50
|
router.get('/mode', wrap_http(async function (req, res) {
|
|
40
|
-
const has_right = check_user_role(req, meta, "r");
|
|
51
|
+
const has_right = check_user_role(req, meta, "r", "*");
|
|
41
52
|
if (!has_right) {
|
|
42
53
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
43
54
|
return;
|
|
44
55
|
}
|
|
45
56
|
|
|
46
|
-
|
|
57
|
+
const [mode, view] = get_user_role_right(req, meta);
|
|
58
|
+
res.json({ code: SUCCESS, mode: mode, view: view });
|
|
47
59
|
}));
|
|
48
60
|
|
|
49
61
|
router.get('/ref', wrap_http(async function (req, res) {
|
|
@@ -60,7 +72,8 @@ const init_read_router = function (router, meta) {
|
|
|
60
72
|
}));
|
|
61
73
|
|
|
62
74
|
router.post('/list', wrap_http(async function (req, res) {
|
|
63
|
-
const
|
|
75
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
76
|
+
const has_right = role_mode.includes("r");
|
|
64
77
|
if (!has_right) {
|
|
65
78
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
66
79
|
return;
|
|
@@ -92,7 +105,7 @@ const init_read_router = function (router, meta) {
|
|
|
92
105
|
}
|
|
93
106
|
|
|
94
107
|
const query = meta.list_query ? await meta.list_query(entity, param_obj, req) : null;
|
|
95
|
-
const { code, err, total, data } = await entity.list_entity(query_params["_query"], query, param_obj);
|
|
108
|
+
const { code, err, total, data } = await entity.list_entity(query_params["_query"], query, param_obj, role_view);
|
|
96
109
|
if (!has_value(code)) {
|
|
97
110
|
throw new Error("the list_entity method should return code");
|
|
98
111
|
}
|
|
@@ -101,7 +114,8 @@ const init_read_router = function (router, meta) {
|
|
|
101
114
|
}));
|
|
102
115
|
|
|
103
116
|
router.post('/read_entity', wrap_http(async function (req, res) {
|
|
104
|
-
const
|
|
117
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
118
|
+
const has_right = role_mode.includes("r");
|
|
105
119
|
if (!has_right) {
|
|
106
120
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
107
121
|
return;
|
|
@@ -114,7 +128,14 @@ const init_read_router = function (router, meta) {
|
|
|
114
128
|
}
|
|
115
129
|
|
|
116
130
|
const { _id, attr_names } = params;
|
|
117
|
-
|
|
131
|
+
|
|
132
|
+
const owner = await is_owner(req, meta, entity, oid_query(_id));
|
|
133
|
+
if (!owner) {
|
|
134
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
135
|
+
return;
|
|
136
|
+
}
|
|
137
|
+
|
|
138
|
+
const { code, err, data } = await entity.read_entity(_id, attr_names, role_view);
|
|
118
139
|
if (!has_value(code)) {
|
|
119
140
|
throw new Error("the method should return code");
|
|
120
141
|
}
|
|
@@ -122,7 +143,8 @@ const init_read_router = function (router, meta) {
|
|
|
122
143
|
}));
|
|
123
144
|
|
|
124
145
|
router.post('/read_property', wrap_http(async function (req, res) {
|
|
125
|
-
const
|
|
146
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
147
|
+
const has_right = role_mode.includes("r");
|
|
126
148
|
if (!has_right) {
|
|
127
149
|
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
128
150
|
return;
|
|
@@ -135,7 +157,14 @@ const init_read_router = function (router, meta) {
|
|
|
135
157
|
}
|
|
136
158
|
|
|
137
159
|
const { _id, attr_names } = params;
|
|
138
|
-
|
|
160
|
+
|
|
161
|
+
const owner = await is_owner(req, meta, entity, oid_query(_id));
|
|
162
|
+
if (!owner) {
|
|
163
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
164
|
+
return;
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
const { code, err, data } = await entity.read_property(_id, attr_names, role_view);
|
|
139
168
|
if (!has_value(code)) {
|
|
140
169
|
throw new Error("the method should return code");
|
|
141
170
|
}
|
package/router/update.js
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
const { set_file_fields, save_file_fields_to_db } = require('../db/gridfs');
|
|
2
2
|
const { required_post_params, post_update_params, post_params } = require('../http/params');
|
|
3
3
|
const { SUCCESS, NO_PARAMS, NO_RIGHTS } = require('../http/code');
|
|
4
|
-
const { check_user_role } = require('../core/role');
|
|
5
4
|
const { has_value } = require('../core/validate');
|
|
5
|
+
const { check_user_role, get_user_role_right } = require('../core/role');
|
|
6
|
+
const { is_owner } = require('../http/session');
|
|
7
|
+
const { oid_query } = require('../db/db');
|
|
6
8
|
const { wrap_http } = require('../http/error');
|
|
7
9
|
const { Entity } = require('../db/entity');
|
|
8
10
|
|
|
@@ -19,12 +21,16 @@ const init_update_router = function (router, meta) {
|
|
|
19
21
|
const cp_upload = meta.upload_fields.length > 0 ? upload_file.fields(meta.upload_fields) : upload_file.none();
|
|
20
22
|
|
|
21
23
|
router.post('/update', cp_upload, wrap_http(async function (req, res) {
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
24
|
+
//which view to update the entity
|
|
25
|
+
let { _view } = post_params(req, ["_view"]);
|
|
26
|
+
if (!_view) {
|
|
27
|
+
_view = "*";
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
const has_right = check_user_role(req, meta, "u", _view);
|
|
31
|
+
if (!has_right) {
|
|
32
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
33
|
+
return;
|
|
28
34
|
}
|
|
29
35
|
|
|
30
36
|
let params = required_post_params(req, ["_id"]);
|
|
@@ -36,15 +42,16 @@ const init_update_router = function (router, meta) {
|
|
|
36
42
|
}
|
|
37
43
|
}
|
|
38
44
|
|
|
39
|
-
//which view to update the entity
|
|
40
|
-
let { _view } = post_params(req, ["_view"]);
|
|
41
|
-
if (!_view) {
|
|
42
|
-
_view = "*";
|
|
43
|
-
}
|
|
44
|
-
|
|
45
45
|
const param_obj = post_update_params(req, meta.field_names);
|
|
46
46
|
set_file_fields(meta, req, param_obj);
|
|
47
47
|
|
|
48
|
+
const query = params["_id"] ? oid_query(params["_id"]) : entity.primary_key_query(param_obj);
|
|
49
|
+
const owner = await is_owner(req, meta, entity, query);
|
|
50
|
+
if (!owner) {
|
|
51
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
52
|
+
return;
|
|
53
|
+
}
|
|
54
|
+
|
|
48
55
|
const { code, err } = await entity.update_entity(params["_id"], param_obj, _view);
|
|
49
56
|
if (!has_value(code)) {
|
|
50
57
|
throw new Error("the method should return code");
|
|
@@ -58,6 +65,13 @@ const init_update_router = function (router, meta) {
|
|
|
58
65
|
}));
|
|
59
66
|
|
|
60
67
|
router.post('/batch_update', cp_upload, wrap_http(async function (req, res) {
|
|
68
|
+
const [role_mode, role_view] = get_user_role_right(req, meta);
|
|
69
|
+
const has_right = role_mode.includes("u");
|
|
70
|
+
if (!has_right) {
|
|
71
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
72
|
+
return;
|
|
73
|
+
}
|
|
74
|
+
|
|
61
75
|
let params = required_post_params(req, ["_ids"]);
|
|
62
76
|
if (params === null) {
|
|
63
77
|
res.json({ code: NO_PARAMS, err: '[_ids] checking params are failed!' });
|
|
@@ -67,7 +81,17 @@ const init_update_router = function (router, meta) {
|
|
|
67
81
|
const param_obj = post_update_params(req, meta.field_names);
|
|
68
82
|
set_file_fields(meta, req, param_obj);
|
|
69
83
|
|
|
70
|
-
const
|
|
84
|
+
const ids = params["_ids"];
|
|
85
|
+
for (let i = 0; i < ids.length; i++) {
|
|
86
|
+
const id_query = oid_query(ids[i]);
|
|
87
|
+
const owner = await is_owner(req, meta, entity, id_query);
|
|
88
|
+
if (!owner) {
|
|
89
|
+
res.json({ code: NO_RIGHTS, err: "no rights error" });
|
|
90
|
+
return;
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
const { code, err } = await entity.batch_update_entity(ids, param_obj, role_view);
|
|
71
95
|
if (!has_value(code)) {
|
|
72
96
|
throw new Error("the batch_update_entity method should return code");
|
|
73
97
|
}
|