nuxt-auto-crud 1.22.1 → 1.23.1

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.22.1",
+  "version": "1.23.1",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/server/api/[model]/[id].get.js

@@ -7,15 +7,18 @@ import { checkAdminAccess } from "../../utils/auth.js";
 import { RecordNotFoundError } from "../../exceptions.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "read");
+  const isAdmin = await ensureResourceAccess(event, model, "read", { id });
   const table = getTableForModel(model);
   const record = await db.select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
     throw new RecordNotFoundError();
   }
   if ("status" in record && record.status !== "active") {
-    const canListAll = await checkAdminAccess(event, model, "list_all");
-    if (!canListAll) {
+    const [canListAll, canReadOwn] = await Promise.all([
+      checkAdminAccess(event, model, "list_all").catch(() => false),
+      checkAdminAccess(event, model, "read_own", { id }).catch(() => false)
+    ]);
+    if (!canListAll && !canReadOwn) {
       throw new RecordNotFoundError();
     }
   }

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -11,6 +11,13 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  if ("status" in payload) {
+    const { checkAdminAccess } = await import("../../utils/auth.js");
+    const hasStatusPermission = await checkAdminAccess(event, model, "update_status", { id });
+    if (!hasStatusPermission) {
+      delete payload.status;
+    }
+  }
   await hashPayloadFields(payload);
   if ("updatedAt" in table) {
     payload.updatedAt = /* @__PURE__ */ new Date();

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,25 +1,59 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
-import { desc, getTableColumns, eq } from "drizzle-orm";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { desc, getTableColumns, eq, and, or } from "drizzle-orm";
+import { formatResourceResult } from "../../utils/handler.js";
+import { getUserSession } from "#imports";
 import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
   const { model } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "list");
+  let canListAny = false;
   let canListAll = false;
-  try {
-    canListAll = await checkAdminAccess(event, model, "list_all");
-  } catch {
-    canListAll = false;
+  let canListOwn = false;
+  const [anyAccess, allAccess, ownAccess] = await Promise.all([
+    checkAdminAccess(event, model, "list").catch(() => false),
+    checkAdminAccess(event, model, "list_all").catch(() => false),
+    checkAdminAccess(event, model, "list_own").catch(() => false)
+  ]);
+  canListAny = anyAccess;
+  canListAll = allAccess;
+  canListOwn = ownAccess;
+  if (!canListAny && !canListAll && !canListOwn) {
+    throw createError({ statusCode: 403, message: "Forbidden" });
   }
   const table = getTableForModel(model);
   const columns = getTableColumns(table);
+  const session = await getUserSession(event);
+  const userId = session?.user?.id;
   let query = db.select().from(table);
-  if (!canListAll && "status" in columns) {
-    query = query.where(eq(table.status, "active"));
+  const filters = [];
+  if (canListAll) {
+  } else if (canListAny && canListOwn && userId) {
+    const ownershipFilter = "createdBy" in columns ? eq(table.createdBy, userId) : "userId" in columns ? eq(table.userId, userId) : null;
+    const activeFilter = "status" in columns ? eq(table.status, "active") : null;
+    if (ownershipFilter && activeFilter) {
+      filters.push(or(activeFilter, ownershipFilter));
+    } else if (activeFilter) {
+      filters.push(activeFilter);
+    } else if (ownershipFilter) {
+      filters.push(ownershipFilter);
+    }
+  } else if (canListAny) {
+    if ("status" in columns) {
+      filters.push(eq(table.status, "active"));
+    }
+  } else if (canListOwn && userId) {
+    if ("createdBy" in columns) {
+      filters.push(eq(table.createdBy, userId));
+    } else if ("userId" in columns) {
+      filters.push(eq(table.userId, userId));
+    }
   }
+  if (filters.length > 0) {
+    query = query.where(and(...filters));
+  }
+  const isAdmin = true;
   const results = await query.orderBy(desc(table.id)).all();
   return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/api/[model]/index.post.js

@@ -9,6 +9,13 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  if ("status" in payload) {
+    const { checkAdminAccess } = await import("../../utils/auth.js");
+    const hasStatusPermission = await checkAdminAccess(event, model, "update_status");
+    if (!hasStatusPermission) {
+      delete payload.status;
+    }
+  }
   await hashPayloadFields(payload);
   try {
     const session = await getUserSession(event);

package/dist/runtime/server/utils/auth.js

@@ -25,7 +25,7 @@ export async function checkAdminAccess(event, model, action, context) {
       const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
       const allowed = guestCheck ? await guestCheck(null, model, action, context) : await allows(event, globalAbility, model, action, context);
       if (!allowed) {
-        if (user && (action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
+        if (user && (action === "read" || action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
           const ownAction = `${action}_own`;
           const userPermissions = user.permissions?.[model];
           if (userPermissions && userPermissions.includes(ownAction)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.22.1",
+  "version": "1.23.1",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",

package/src/runtime/server/api/[model]/[id].get.ts

@@ -11,7 +11,7 @@ import { RecordNotFoundError } from '../../exceptions'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'read')
+  const isAdmin = await ensureResourceAccess(event, model, 'read', { id })
 
   const table = getTableForModel(model) as TableWithId
 
@@ -25,11 +25,14 @@ export default eventHandler(async (event) => {
     throw new RecordNotFoundError()
   }
 
-  // Filter inactive rows for non-admins (or those without list_all) if status field exists
+  // Filter inactive rows for non-admins (or those without list_all or read_own) if status field exists
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   if ('status' in record && (record as any).status !== 'active') {
-    const canListAll = await checkAdminAccess(event, model, 'list_all')
-    if (!canListAll) {
+    const [canListAll, canReadOwn] = await Promise.all([
+      checkAdminAccess(event, model, 'list_all').catch(() => false),
+      checkAdminAccess(event, model, 'read_own', { id }).catch(() => false),
+    ])
+    if (!canListAll && !canReadOwn) {
       throw new RecordNotFoundError()
     }
   }

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,6 +1,7 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
+// @ts-expect-error - #imports is a virtual alias
 import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
@@ -21,6 +22,15 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Custom check for status update permission
+  if ('status' in payload) {
+    const { checkAdminAccess } = await import('../../utils/auth')
+    const hasStatusPermission = await checkAdminAccess(event, model, 'update_status', { id })
+    if (!hasStatusPermission) {
+      delete payload.status
+    }
+  }
+
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,38 +1,91 @@
 // server/api/[model]/index.get.ts
+/* eslint-disable @typescript-eslint/no-explicit-any */
 import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - hub:db is a virtual alias
 import { db } from 'hub:db'
-import { desc, getTableColumns, eq } from 'drizzle-orm'
+import { desc, getTableColumns, eq, and, or } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { formatResourceResult } from '../../utils/handler'
+// @ts-expect-error - #imports is a virtual alias
+import { getUserSession } from '#imports'
 
 import { checkAdminAccess } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
   const { model } = getRouterParams(event) as { model: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'list')
-
+  let canListAny = false
   let canListAll = false
-  try {
-    canListAll = await checkAdminAccess(event, model, 'list_all')
-  }
-  catch {
-    canListAll = false
+  let canListOwn = false
+
+  // 1. Check permissions
+  const [anyAccess, allAccess, ownAccess] = await Promise.all([
+    checkAdminAccess(event, model, 'list').catch(() => false),
+    checkAdminAccess(event, model, 'list_all').catch(() => false),
+    checkAdminAccess(event, model, 'list_own').catch(() => false),
+  ])
+
+  canListAny = anyAccess
+  canListAll = allAccess
+  canListOwn = ownAccess
+
+  if (!canListAny && !canListAll && !canListOwn) {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
   }
 
   const table = getTableForModel(model) as TableWithId
   const columns = getTableColumns(table)
+  const session = await (getUserSession as any)(event)
+  const userId = session?.user?.id
 
   let query = db.select().from(table)
 
-  // Filter active rows for non-admins (or those without list_all) if status field exists
+  // 2. Build Filters
+  const filters = []
 
-  if (!canListAll && 'status' in columns) {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    query = query.where(eq((table as any).status, 'active')) as any
+  if (canListAll) {
+    // No filters needed for List All
   }
+  else if (canListAny && canListOwn && userId) {
+    // Can see everyone's ACTIVE records OR OWN records (any status)
+    const ownershipFilter = 'createdBy' in columns
+      ? eq((table as any).createdBy, userId)
+      : ('userId' in columns ? eq((table as any).userId, userId) : null)
+
+    const activeFilter = 'status' in columns ? eq((table as any).status, 'active') : null
+
+    if (ownershipFilter && activeFilter) {
+      filters.push(or(activeFilter, ownershipFilter))
+    }
+    else if (activeFilter) {
+      filters.push(activeFilter)
+    }
+    else if (ownershipFilter) {
+      filters.push(ownershipFilter)
+    }
+  }
+  else if (canListAny) {
+    // Only Any: see everyone's ACTIVE records
+    if ('status' in columns) {
+      filters.push(eq((table as any).status, 'active'))
+    }
+  }
+  else if (canListOwn && userId) {
+    // Only Own: see ONLY own records (all statuses)
+    if ('createdBy' in columns) {
+      filters.push(eq((table as any).createdBy, userId))
+    }
+    else if ('userId' in columns) {
+      filters.push(eq((table as any).userId, userId))
+    }
+  }
+
+  if (filters.length > 0) {
+    query = query.where(and(...filters)) as any
+  }
+
+  const isAdmin = true // Result formatting control
 
   const results = await query.orderBy(desc(table.id)).all()
 

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,6 +1,7 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
+// @ts-expect-error - #imports is a virtual alias
 import { getUserSession } from '#imports'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 // @ts-expect-error - hub:db is a virtual alias
@@ -16,6 +17,15 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Custom check for status update permission (or just remove it during creation as per requirement)
+  if ('status' in payload) {
+    const { checkAdminAccess } = await import('../../utils/auth')
+    const hasStatusPermission = await checkAdminAccess(event, model, 'update_status')
+    if (!hasStatusPermission) {
+      delete payload.status
+    }
+  }
+
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 
@@ -23,9 +33,7 @@ export default eventHandler(async (event) => {
   try {
     const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
     if (session?.user?.id) {
-      // Check if table has columns before assigning (optional but safer if we had strict types)
-      // Since we are passing payload to .values(), extra keys might be ignored or cause error depending on driver
-      // Using 'in' table check is good practice
+      // Using 'in' table check is good practice to ensure column exists
       if ('createdBy' in table) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         (payload as any).createdBy = session.user.id

package/src/runtime/server/utils/auth.ts

@@ -3,6 +3,7 @@
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
 
+// @ts-expect-error - #imports is a virtual alias
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
@@ -43,7 +44,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
       if (!allowed) {
         // Fallback: Check for "Own Record" permission (e.g. update_own, delete_own)
-        if (user && (action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
+        if (user && (action === 'read' || action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
           const ownAction = `${action}_own`
           const userPermissions = user.permissions?.[model] as string[] | undefined
 
@@ -64,8 +65,6 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
               // Standard case: Check 'createdBy' or 'userId' column for ownership
 
-              // const columns = table.columns || {}
-
               const hasCreatedBy = 'createdBy' in table
               const hasUserId = 'userId' in table