nuxt-auto-crud 1.19.1 → 1.21.0

package/README.md

@@ -321,6 +321,31 @@ export default defineNuxtConfig({
 })
 ```
 
+
+## 👤 Owner-based Permissions (RBAC)
+
+In addition to standard `create`, `read`, `update`, and `delete` permissions, you can assign **Ownership Permissions**:
+
+- `list`: Allows a user to view a list of active records (status='active').
+- `list_all`: Allows a user to view **all** records, including inactive ones (e.g., status='inactive', 'draft').
+- `update_own`: Allows a user to update a record **only if they created it**.
+- `delete_own`: Allows a user to delete a record **only if they created it**.
+
+**How it works:**
+The module checks for ownership using the following logic:
+1.  **Standard Tables:** Checks if the record has a `createdBy` (or `userId`) column that matches the logged-in user's ID.
+2.  **Users Table:** Checks if the record being accessed is the user's own profile (`id` matches).
+
+**Prerequisites:**
+Ensure your schema includes a `createdBy` field for resources where you want this behavior:
+
+```typescript
+export const posts = sqliteTable('posts', {
+  // ...
+  createdBy: integer('created_by'), // Recommended
+})
+```
+
 ## ⚠️ Known Issues
 
 - **Automatic Relation Expansion:** The module tries to automatically expand foreign keys (e.g., `user_id` -> `user: { name: ... }`). However, this relies on the foreign key column name matching the target table name (e.g., `user_id` for `users`).

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.19.1",
+  "version": "1.21.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/composables/useRelationDisplay.d.ts

@@ -9,4 +9,5 @@ export declare const useRelationDisplay: (schema: {
     fetchRelations: () => Promise<void>;
     getDisplayValue: (key: string, value: unknown) => unknown;
     relationsMap: import("vue").Ref<Record<string, Record<string, string>>, Record<string, Record<string, string>>>;
+    forbiddenRelations: import("vue").Ref<Set<string> & Omit<Set<string>, keyof Set<any>>, Set<string> | (Set<string> & Omit<Set<string>, keyof Set<any>>)>;
 };

package/dist/runtime/composables/useRelationDisplay.js

@@ -4,6 +4,7 @@ export const useRelationDisplay = (schema) => {
   const relationsMap = ref({});
   const displayValues = ref({});
   const headers = useRequestHeaders(["cookie"]);
+  const forbiddenRelations = ref(/* @__PURE__ */ new Set());
   const fetchRelations = async () => {
     const { data: relations } = await useFetch("/api/_relations");
     if (relations.value) {
@@ -30,6 +31,10 @@ export const useRelationDisplay = (schema) => {
           }
         } catch (error) {
           console.error(`Failed to fetch relation data for ${targetTable}:`, error);
+          const err = error;
+          if (err?.statusCode === 403) {
+            forbiddenRelations.value.add(fieldName);
+          }
         }
       })
     );
@@ -43,6 +48,7 @@ export const useRelationDisplay = (schema) => {
   return {
     fetchRelations,
     getDisplayValue,
-    relationsMap
+    relationsMap,
+    forbiddenRelations
   };
 };

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -5,7 +5,7 @@ import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "delete");
+  const isAdmin = await ensureResourceAccess(event, model, "delete", { id });
   const table = getTableForModel(model);
   const singularName = getModelSingularName(model);
   const deletedRecord = await db.delete(table).where(eq(table.id, Number(id))).returning().get();

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,4 +1,5 @@
 import { eventHandler, getRouterParams, readBody, createError } from "h3";
+import { getUserSession } from "#imports";
 import { eq } from "drizzle-orm";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
@@ -13,6 +14,15 @@ export default eventHandler(async (event) => {
   if ("updatedAt" in table) {
     payload.updatedAt = /* @__PURE__ */ new Date();
   }
+  try {
+    const session = await getUserSession(event);
+    if (session?.user?.id) {
+      if ("updatedBy" in table) {
+        payload.updatedBy = session.user.id;
+      }
+    }
+  } catch {
+  }
   const updatedRecord = await db.update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
   if (!updatedRecord) {
     throw createError({

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,4 +1,5 @@
 import { eventHandler, getRouterParams, readBody } from "h3";
+import { getUserSession } from "#imports";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
@@ -9,6 +10,18 @@ export default eventHandler(async (event) => {
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
   await hashPayloadFields(payload);
+  try {
+    const session = await getUserSession(event);
+    if (session?.user?.id) {
+      if ("createdBy" in table) {
+        payload.createdBy = session.user.id;
+      }
+      if ("updatedBy" in table) {
+        payload.updatedBy = session.user.id;
+      }
+    }
+  } catch {
+  }
   const newRecord = await db.insert(table).values(payload).returning().get();
   return formatResourceResult(model, newRecord, isAdmin);
 });

package/dist/runtime/server/api/_schema/[table].get.d.ts

@@ -1,10 +1,5 @@
 declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: import("../../utils/schema.js").Field[];
 }>>;
 export default _default;

package/dist/runtime/server/utils/auth.js

@@ -37,10 +37,18 @@ export async function checkAdminAccess(event, model, action, context) {
               if (model === "users" && String(context.id) === String(user.id)) {
                 return true;
               }
-              if ("userId" in table) {
-                const record = await db.select({ userId: table.userId }).from(table).where(eq(table.id, context.id)).get();
-                if (record && String(record.userId) === String(user.id)) {
-                  return true;
+              const hasCreatedBy = "createdBy" in table;
+              const hasUserId = "userId" in table;
+              if (hasCreatedBy || hasUserId) {
+                const query = db.select().from(table).where(eq(table.id, Number(context.id)));
+                const record = await query.get();
+                if (record) {
+                  if (hasCreatedBy) {
+                    if (String(record.createdBy) === String(user.id)) return true;
+                  }
+                  if (hasUserId) {
+                    if (String(record.userId) === String(user.id)) return true;
+                  }
                 }
               }
             } catch (e) {

package/dist/runtime/server/utils/schema.d.ts

@@ -1,20 +1,17 @@
+export interface Field {
+    name: string;
+    type: string;
+    required: boolean;
+    selectOptions?: string[];
+    references?: string;
+}
 export declare function drizzleTableToFields(table: any, resourceName: string): {
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: Field[];
 };
 export declare function getRelations(): Promise<Record<string, Record<string, string>>>;
 export declare function getAllSchemas(): Promise<Record<string, any>>;
 export declare function getSchema(tableName: string): Promise<{
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: Field[];
 } | undefined>;

package/dist/runtime/server/utils/schema.js

@@ -15,6 +15,20 @@ export function drizzleTableToFields(table, resourceName) {
       selectOptions
     });
   }
+  try {
+    const config = getTableConfig(table);
+    config.foreignKeys.forEach((fk) => {
+      const sourceColumnName = fk.reference().columns[0].name;
+      const field = fields.find((f) => {
+        return f.name === sourceColumnName;
+      });
+      if (field) {
+        const targetTable = fk.reference().foreignTable[Symbol.for("drizzle:Name")];
+        field.references = targetTable;
+      }
+    });
+  } catch {
+  }
   return {
     resource: resourceName,
     fields
@@ -44,14 +58,18 @@ export async function getRelations() {
   for (const [tableName, table] of Object.entries(modelTableMap)) {
     try {
       const config = getTableConfig(table);
-      if (config.foreignKeys.length > 0) {
-        const tableRelations = {};
-        relations[tableName] = tableRelations;
-        const columns = getTableColumns(table);
-        const columnToProperty = {};
-        for (const [key, col] of Object.entries(columns)) {
-          columnToProperty[col.name] = key;
+      const tableRelations = {};
+      relations[tableName] = tableRelations;
+      const columns = getTableColumns(table);
+      const columnToProperty = {};
+      for (const [key, col] of Object.entries(columns)) {
+        const columnName = col.name;
+        columnToProperty[columnName] = key;
+        if (["createdBy", "created_by", "updatedBy", "updated_by", "deletedBy", "deleted_by"].includes(key)) {
+          tableRelations[key] = "users";
         }
+      }
+      if (config.foreignKeys.length > 0) {
         config.foreignKeys.forEach((fk) => {
           const sourceColumnName = fk.reference().columns[0].name;
           const sourceProperty = columnToProperty[sourceColumnName] || sourceColumnName;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.19.1",
+  "version": "1.21.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -78,8 +78,6 @@
     "drizzle-orm": "^0.38.3",
     "eslint": "^9.39.1",
     "nuxt": "^4.2.1",
-    "nuxt-auth-utils": "^0.5.25",
-    "nuxt-authorization": "^0.3.5",
     "typescript": "~5.9.3",
     "vitest": "^4.0.13",
     "vue-tsc": "^3.1.5",

package/src/runtime/composables/useRelationDisplay.ts

@@ -11,6 +11,8 @@ export const useRelationDisplay = (
   const displayValues = ref<Record<string, Record<string, string>>>({})
   const headers = useRequestHeaders(['cookie'])
 
+  const forbiddenRelations = ref<Set<string>>(new Set())
+
   const fetchRelations = async () => {
     // 1. Fetch relations metadata
     const { data: relations } = await useFetch<Record<string, Record<string, string>>>('/api/_relations')
@@ -45,8 +47,12 @@ export const useRelationDisplay = (
             )
           }
         }
-        catch (error) {
+        catch (error: unknown) {
           console.error(`Failed to fetch relation data for ${targetTable}:`, error)
+          const err = error as { statusCode?: number }
+          if (err?.statusCode === 403) {
+            forbiddenRelations.value.add(fieldName)
+          }
         }
       }),
     )
@@ -63,5 +69,6 @@ export const useRelationDisplay = (
     fetchRelations,
     getDisplayValue,
     relationsMap,
+    forbiddenRelations,
   }
 }

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -9,7 +9,7 @@ import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'delete')
+  const isAdmin = await ensureResourceAccess(event, model, 'delete', { id })
 
   const table = getTableForModel(model) as TableWithId
   const singularName = getModelSingularName(model)

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,5 +1,7 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody, createError } from 'h3'
+import type { H3Event } from 'h3'
+import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
@@ -28,6 +30,20 @@ export default eventHandler(async (event) => {
     (payload as any).updatedAt = new Date()
   }
 
+  // Inject updatedBy if user is authenticated
+  try {
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
+    if (session?.user?.id) {
+      if ('updatedBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).updatedBy = session.user.id
+      }
+    }
+  }
+  catch {
+    // No session available
+  }
+
   const updatedRecord = await db
     .update(table)
     .set(payload)

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,5 +1,7 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
+import type { H3Event } from 'h3'
+import { getUserSession } from '#imports'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 // @ts-expect-error - hub:db is a virtual alias
 import { db } from 'hub:db'
@@ -17,6 +19,27 @@ export default eventHandler(async (event) => {
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 
+  // Inject createdBy/updatedBy if user is authenticated
+  try {
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
+    if (session?.user?.id) {
+      // Check if table has columns before assigning (optional but safer if we had strict types)
+      // Since we are passing payload to .values(), extra keys might be ignored or cause error depending on driver
+      // Using 'in' table check is good practice
+      if ('createdBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).createdBy = session.user.id
+      }
+      if ('updatedBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).updatedBy = session.user.id
+      }
+    }
+  }
+  catch {
+    // No session available
+  }
+
   const newRecord = await db.insert(table).values(payload).returning().get()
 
   return formatResourceResult(model, newRecord as Record<string, unknown>, isAdmin)

package/src/runtime/server/utils/auth.ts

@@ -62,16 +62,27 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
                 return true
               }
 
-              // Standard case: Check 'userId' column for ownership
-              // We need to check if table has userId column.
-              // We cast to any to check property exist roughly or just try query
-              if ('userId' in table) {
-                // @ts-expect-error - dyanmic table access
-                const record = await db.select({ userId: table.userId }).from(table).where(eq(table.id, context.id)).get()
-
-                // If record exists and userId matches session user id
-                if (record && String(record.userId) === String(user.id)) {
-                  return true
+              // Standard case: Check 'createdBy' or 'userId' column for ownership
+
+              // const columns = table.columns || {}
+
+              const hasCreatedBy = 'createdBy' in table
+              const hasUserId = 'userId' in table
+
+              if (hasCreatedBy || hasUserId) {
+                // @ts-expect-error - table is dynamic
+                const query = db.select().from(table).where(eq(table.id, Number(context.id)))
+                const record = await query.get()
+
+                if (record) {
+                  // Check createdBy
+                  if (hasCreatedBy) {
+                    if (String(record.createdBy) === String(user.id)) return true
+                  }
+                  // Check userId (legacy)
+                  if (hasUserId) {
+                    if (String(record.userId) === String(user.id)) return true
+                  }
                 }
               }
             }

package/src/runtime/server/utils/schema.ts

@@ -2,10 +2,18 @@ import { getTableColumns } from 'drizzle-orm'
 import { getTableConfig } from 'drizzle-orm/sqlite-core'
 import { modelTableMap } from './modelMapper'
 
+export interface Field {
+  name: string
+  type: string
+  required: boolean
+  selectOptions?: string[]
+  references?: string
+}
+
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function drizzleTableToFields(table: any, resourceName: string) {
   const columns = getTableColumns(table)
-  const fields = []
+  const fields: Field[] = []
 
   for (const [key, col] of Object.entries(columns)) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -22,6 +30,31 @@ export function drizzleTableToFields(table: any, resourceName: string) {
     })
   }
 
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const config = getTableConfig(table as any)
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    config.foreignKeys.forEach((fk: any) => {
+      const sourceColumnName = fk.reference().columns[0].name
+      // Find the field that matches this column
+      const field = fields.find((f) => {
+        // In simple cases, field.name matches column name.
+        // If camelCase mapping handles it differently, we might need adjustments,
+        // but typically Drizzle key = field name.
+        return f.name === sourceColumnName
+      })
+
+      if (field) {
+        // Get target table name
+        const targetTable = fk.reference().foreignTable[Symbol.for('drizzle:Name')] as string
+        field.references = targetTable
+      }
+    })
+  }
+  catch {
+    // Ignore error if getTableConfig fails (e.g. not a Drizzle table)
+  }
+
   return {
     resource: resourceName,
     fields,
@@ -63,19 +96,25 @@ export async function getRelations() {
     try {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       const config = getTableConfig(table as any)
-      if (config.foreignKeys.length > 0) {
-        const tableRelations: Record<string, string> = {}
-        relations[tableName] = tableRelations
+      const tableRelations: Record<string, string> = {}
+      relations[tableName] = tableRelations
 
-        // Map column names to property names
+      // Map column names to property names
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const columns = getTableColumns(table as any)
+      const columnToProperty: Record<string, string> = {}
+      for (const [key, col] of Object.entries(columns)) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        const columns = getTableColumns(table as any)
-        const columnToProperty: Record<string, string> = {}
-        for (const [key, col] of Object.entries(columns)) {
-          // eslint-disable-next-line @typescript-eslint/no-explicit-any
-          columnToProperty[(col as any).name] = key
+        const columnName = (col as any).name
+        columnToProperty[columnName] = key
+
+        // Auto-link createdBy/updatedBy to users table
+        if (['createdBy', 'created_by', 'updatedBy', 'updated_by', 'deletedBy', 'deleted_by'].includes(key)) {
+          tableRelations[key] = 'users'
         }
+      }
 
+      if (config.foreignKeys.length > 0) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         config.foreignKeys.forEach((fk: any) => {
           const sourceColumnName = fk.reference().columns[0].name