nuxt-auto-crud 1.14.1 → 1.15.2

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.14.1",
+  "version": "1.15.2",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/server/api/[model]/[id].get.js

@@ -3,6 +3,7 @@ import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
@@ -14,5 +15,14 @@ export default eventHandler(async (event) => {
       message: "Record not found"
     });
   }
+  if ("status" in record && record.status !== "active") {
+    const canListAll = await checkAdminAccess(event, model, "list_all");
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: "Record not found"
+      });
+    }
+  }
   return formatResourceResult(model, record, isAdmin);
 });

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,13 +1,25 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { desc } from "drizzle-orm";
+import { desc, getTableColumns, eq } from "drizzle-orm";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
   const { model } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "list");
+  let canListAll = false;
+  try {
+    canListAll = await checkAdminAccess(event, model, "list_all");
+  } catch {
+    canListAll = false;
+  }
   const table = getTableForModel(model);
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all();
+  const columns = getTableColumns(table);
+  let query = useDrizzle().select().from(table);
+  if (!canListAll && "status" in columns) {
+    query = query.where(eq(table.status, "active"));
+  }
+  const results = await query.orderBy(desc(table.id)).all();
   return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/utils/auth.js

@@ -1,5 +1,5 @@
 import { createError } from "h3";
-import { requireUserSession, allows, getUserSession, abilities as globalAbility } from "#imports";
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
 export async function checkAdminAccess(event, model, action) {
@@ -22,7 +22,7 @@ export async function checkAdminAccess(event, model, action) {
   }
   if (auth.authorization) {
     try {
-      const guestCheck = !user && (typeof globalAbility === "function" ? globalAbility : null);
+      const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
       const allowed = guestCheck ? await guestCheck(null, model, action) : await allows(event, globalAbility, model, action);
       if (!allowed) {
         if (user) throw createError({ statusCode: 403, message: "Forbidden" });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.14.1",
+  "version": "1.15.2",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",

package/src/runtime/server/api/[model]/[id].get.ts

@@ -6,6 +6,7 @@ import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { checkAdminAccess } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -26,5 +27,17 @@ export default eventHandler(async (event) => {
     })
   }
 
+  // Filter inactive rows for non-admins (or those without list_all) if status field exists
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  if ('status' in record && (record as any).status !== 'active') {
+    const canListAll = await checkAdminAccess(event, model, 'list_all')
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: 'Record not found',
+      })
+    }
+  }
+
   return formatResourceResult(model, record as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -3,18 +3,38 @@ import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-import { desc } from 'drizzle-orm'
+import { desc, getTableColumns, eq } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
   const { model } = getRouterParams(event) as { model: string }
   const isAdmin = await ensureResourceAccess(event, model, 'list')
 
+  let canListAll = false
+  try {
+    canListAll = await checkAdminAccess(event, model, 'list_all')
+  }
+  catch {
+    canListAll = false
+  }
+
   const table = getTableForModel(model) as TableWithId
+  const columns = getTableColumns(table)
+
+  let query = useDrizzle().select().from(table)
+
+  // Filter active rows for non-admins (or those without list_all) if status field exists
+
+  if (!canListAll && 'status' in columns) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    query = query.where(eq((table as any).status, 'active')) as any
+  }
 
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all()
+  const results = await query.orderBy(desc(table.id)).all()
 
   return results.map((item: Record<string, unknown>) => formatResourceResult(model, item, isAdmin))
 })

package/src/runtime/server/utils/auth.ts

@@ -3,7 +3,7 @@
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
 // @ts-expect-error - #imports is available in runtime
-import { requireUserSession, allows, getUserSession, abilities as globalAbility } from '#imports'
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
@@ -35,7 +35,8 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
   // Check authorization if enabled
   if (auth.authorization) {
     try {
-      const guestCheck = !user && (typeof globalAbility === 'function' ? globalAbility : null)
+      const guestCheck = !user && (typeof abilityLogic === 'function' ? abilityLogic : (typeof globalAbility === 'function' ? globalAbility : null))
+
       const allowed = guestCheck
         ? await guestCheck(null, model, action)
         : await allows(event, globalAbility, model, action)