plugin-cluster-manager 1.1.6 → 1.1.10

package/src/client/PluginOperations.tsx

@@ -32,7 +32,14 @@ export function PluginOperations() {
     setLoading(true);
     try {
       const res = await api.request({ url: 'clusterManagerPlugins:list' });
-      setPlugins(res?.data?.data || []);
+      const data = Array.isArray(res?.data?.data?.data)
+        ? res.data.data.data
+        : Array.isArray(res?.data?.data)
+        ? res.data.data
+        : Array.isArray(res?.data)
+        ? res.data
+        : [];
+      setPlugins(data);
     } catch (err: any) {
       message.error(getErrorMessage(err, t('Failed to load plugins')));
     } finally {
@@ -46,8 +53,9 @@ export function PluginOperations() {
 
   const filteredPlugins = useMemo(() => {
     const keyword = search.trim().toLowerCase();
-    if (!keyword) return plugins;
-    return plugins.filter((plugin) =>
+    const list = Array.isArray(plugins) ? plugins : [];
+    if (!keyword) return list;
+    return list.filter((plugin) =>
       [plugin.name, plugin.packageName, plugin.displayName, plugin.description]
         .filter(Boolean)
         .some((value) => String(value).toLowerCase().includes(keyword)),
@@ -63,7 +71,7 @@ export function PluginOperations() {
         method: 'post',
         data: { name: record.name },
       });
-      message.success(res?.data?.message || t('Plugin force disabled'));
+      message.success(res?.data?.data?.message || res?.data?.message || t('Plugin force disabled'));
       await fetchData();
     } catch (err: any) {
       message.error(getErrorMessage(err, t('Failed to force disable plugin')));
@@ -81,7 +89,7 @@ export function PluginOperations() {
         method: 'post',
         data: { name: record.name },
       });
-      message.success(res?.data?.message || t('Plugin force removed'));
+      message.success(res?.data?.data?.message || res?.data?.message || t('Plugin force removed'));
       await fetchData();
     } catch (err: any) {
       message.error(getErrorMessage(err, t('Failed to force remove plugin')));

package/src/server/actions/acl-cache.ts

@@ -108,8 +108,8 @@ export function createAclCacheMiddleware(app: any) {
     // This is safe because we read ctx.permission AFTER next() completes —
     // no monkey-patching of shared singletons.
     try {
-      const result = ctx.permission?.can;
-      const valueToCache = result ? JSON.stringify(result) : '__DENIED__';
+      const result = ctx.permission?.can as any;
+      const valueToCache = JSON.stringify(result !== undefined && result !== null ? result : true);
       cache.set(cacheKey, valueToCache, ACL_CACHE_TTL).catch(() => {});
     } catch {
       // Ignore cache write errors

package/src/server/orchestrator/PackageManager.ts

@@ -5,7 +5,7 @@ import path from 'path';
 import Application from '@nocobase/server';
 
 /** Allow only safe package name characters: letters, digits, dash, underscore, dot, @, /, [, ] */
-const SAFE_PKG_RE = /^[a-zA-Z0-9_\-\.@\/\[\]]+$/;
+const SAFE_PKG_RE = /^(?:[a-zA-Z0-9_.@/-]|\[|\])+$/;
 const INSTALL_CHANNEL = 'cluster-manager.install-packages';
 
 type TargetRole = 'app' | 'worker' | 'sandbox' | 'all';
@@ -17,6 +17,11 @@ interface InstallPayload {
   registryConfig?: { aptMirrorUrl?: string; npmRegistryUrl?: string; pypiIndexUrl?: string; pypiTrustedHost?: string };
 }
 
+interface AptOsInfo {
+  id: string;
+  codename: string;
+}
+
 function sanitizePkg(name: string): string {
   if (typeof name !== 'string') {
     throw new Error('Package name must be a string');
@@ -81,10 +86,44 @@ function formatCommand(command: string, args: string[]): string {
     .join(' ');
 }
 
+function parseOsRelease(content: string): Record<string, string> {
+  const values: Record<string, string> = {};
+  for (const line of content.split('\n')) {
+    const match = line.match(/^([A-Z0-9_]+)=(.*)$/);
+    if (!match) continue;
+
+    values[match[1]] = match[2].replace(/^"|"$/g, '');
+  }
+  return values;
+}
+
+function normalizeMirrorUrl(value: string): string {
+  return value.endsWith('/') ? value : `${value}/`;
+}
+
+function isInternalCacheMirror(url: URL): boolean {
+  return url.hostname === 'nginx-cache-registry';
+}
+
+function resolveAptMirrorForOs(aptMirrorUrl: string, osInfo: AptOsInfo, logs: string[]): string {
+  const url = new URL(normalizeMirrorUrl(aptMirrorUrl));
+  const original = url.toString();
+
+  if (isInternalCacheMirror(url) && osInfo.id === 'debian' && url.pathname === '/ubuntu/') {
+    url.pathname = '/debian/';
+  } else if (isInternalCacheMirror(url) && osInfo.id === 'ubuntu' && url.pathname === '/debian/') {
+    url.pathname = '/ubuntu/';
+  }
+
+  const resolved = url.toString();
+  if (resolved !== original) {
+    logs.push(`Adjusted APT mirror for ${osInfo.id}: ${redactUrl(resolved)}`);
+  }
+  return resolved;
+}
+
 export class PackageManager {
-  constructor(
-    private app: Application,
-  ) {}
+  constructor(private app: Application) {}
 
   /**
    * Called from REST action when admin clicks "Install Packages".
@@ -107,9 +146,7 @@ export class PackageManager {
     // Filter by role
     const currentRole = getCurrentRole();
     const roleMatches =
-      targetRole === 'all' ||
-      targetRole === currentRole ||
-      (targetRole === 'worker' && currentRole === 'sandbox');
+      targetRole === 'all' || targetRole === currentRole || (targetRole === 'worker' && currentRole === 'sandbox');
 
     if (!roleMatches) {
       return; // Skip if role doesn't match
@@ -138,7 +175,7 @@ export class PackageManager {
         if (registryConfig.aptMirrorUrl) {
           const aptMirrorUrl = sanitizeHttpUrl(registryConfig.aptMirrorUrl, 'APT mirror URL');
           logs.push(`Applying APT mirror: ${redactUrl(aptMirrorUrl)}`);
-          await this.configureAptMirror(aptMirrorUrl);
+          await this.configureAptMirror(aptMirrorUrl, logs);
         }
 
         await this.updateInstallStatus('running', 20, 'Installing APT packages...', logs);
@@ -241,7 +278,13 @@ export class PackageManager {
   /**
    * Run a command without a shell so registry URLs and package names are not re-parsed as shell syntax.
    */
-  private async runCommand(command: string, args: string[], label: string, logs: string[], timeoutMs = 1200000): Promise<void> {
+  private async runCommand(
+    command: string,
+    args: string[],
+    label: string,
+    logs: string[],
+    timeoutMs = 1200000,
+  ): Promise<void> {
     logs.push(`RUNNING: ${formatCommand(command, args)}`);
     logs.push(`${label}`);
 
@@ -250,12 +293,12 @@ export class PackageManager {
       let stdout = '';
       let stderr = '';
       let settled = false;
-      let timer: NodeJS.Timeout;
+      const state: { timer?: NodeJS.Timeout } = {};
 
       const finish = (error?: Error) => {
         if (settled) return;
         settled = true;
-        clearTimeout(timer);
+        if (state.timer) clearTimeout(state.timer);
         if (stdout) logs.push(stdout.slice(0, 500));
         if (stderr) logs.push(`WARN: ${stderr.slice(0, 300)}`);
         if (error) {
@@ -266,7 +309,7 @@ export class PackageManager {
         }
       };
 
-      timer = setTimeout(() => {
+      state.timer = setTimeout(() => {
         child.kill('SIGTERM');
         finish(new Error(`${command} timed out after ${timeoutMs}ms`));
       }, timeoutMs);
@@ -324,16 +367,16 @@ export class PackageManager {
       const child = spawn(command, args, { stdio: ['ignore', 'pipe', 'ignore'] });
       let stdout = '';
       let settled = false;
-      let timer: NodeJS.Timeout;
+      const state: { timer?: NodeJS.Timeout } = {};
 
       const finish = (ok: boolean) => {
         if (settled) return;
         settled = true;
-        clearTimeout(timer);
+        if (state.timer) clearTimeout(state.timer);
         resolve(ok);
       };
 
-      timer = setTimeout(() => {
+      state.timer = setTimeout(() => {
         child.kill('SIGTERM');
         finish(false);
       }, timeoutMs);
@@ -346,7 +389,31 @@ export class PackageManager {
     });
   }
 
-  private async configureAptMirror(aptMirrorUrl: string): Promise<void> {
+  private async getAptOsInfo(): Promise<AptOsInfo> {
+    const values = parseOsRelease(await fsp.readFile('/etc/os-release', 'utf8'));
+    const id = (values.ID || '').toLowerCase();
+    const codename = values.VERSION_CODENAME || values.UBUNTU_CODENAME;
+
+    if (!id || !codename) {
+      throw new Error('Cannot detect OS ID/version codename from /etc/os-release for APT mirror configuration.');
+    }
+    return { id, codename };
+  }
+
+  private buildAptSources(aptMirrorUrl: string, osInfo: AptOsInfo): string {
+    const mirror = normalizeMirrorUrl(aptMirrorUrl);
+    if (osInfo.id === 'ubuntu') {
+      return `deb ${mirror} ${osInfo.codename} main universe restricted multiverse\n`;
+    }
+    if (osInfo.id === 'debian') {
+      return `deb ${mirror} ${osInfo.codename} main contrib non-free non-free-firmware\n`;
+    }
+    return `deb ${mirror} ${osInfo.codename} main\n`;
+  }
+
+  private async configureAptMirror(aptMirrorUrl: string, logs: string[]): Promise<void> {
+    const osInfo = await this.getAptOsInfo();
+    const resolvedMirrorUrl = resolveAptMirrorForOs(aptMirrorUrl, osInfo, logs);
     const backupDir = '/etc/apt/sources.list.d.bak';
     await fsp.mkdir(backupDir, { recursive: true });
 
@@ -362,7 +429,7 @@ export class PackageManager {
       // sources.list.d may not exist in minimal images.
     }
 
-    await fsp.writeFile('/etc/apt/sources.list', `deb ${aptMirrorUrl} bookworm main\n`, 'utf8');
+    await fsp.writeFile('/etc/apt/sources.list', this.buildAptSources(resolvedMirrorUrl, osInfo), 'utf8');
   }
 
   private async moveIfExists(from: string, to: string): Promise<void> {

package/src/server/plugin.ts

@@ -33,6 +33,21 @@ export class PluginClusterManagerServer extends Plugin {
   }
 
   async load() {
+    // Fix NocoBase core strategy resource permission check crash:
+    // Attachments collection has "createdBy: true" options but lacks explicit 'createdById' metadata field registration.
+    // When non-root roles upload attachments, core ACL merges 'own' filters (createdById) and calls checkFilterParams,
+    // which throws a NoPermissionError because getField('createdById') returns undefined.
+    // Registering 'createdById' explicitly as a metadata field on the attachments collection prevents this check from crashing.
+    this.db.extendCollection({
+      name: 'attachments',
+      fields: [
+        {
+          type: 'bigInt',
+          name: 'createdById',
+        },
+      ],
+    });
+
     this.nodeRegistry = new RedisNodeRegistry(this.app);
 
     (this.app as any).on('afterStart', () => {