sumba 2.11.0 → 2.12.0

package/extend/bajo/hook/dobo@before-find-record.js

@@ -34,11 +34,6 @@ export async function rebuildFilter (modelName, filter, req) {
     if (filter.query.$and) q.$and.push(...filter.query.$and)
     else q.$and.push(filter.query)
   }
-  /*
-  if (!(hasSiteId || hasUserId || hasTeamId)) {
-    return filter
-  }
-  */
   if (hasSiteId) q.$and.push({ siteId: req.site.id })
   if (hasTeamId && !isAdmin) {
     const teamIds = map(req.user.teams, 'id')

package/extend/bajo/hook/waibu-mpa@pre-parsing.js

@@ -1,7 +1,4 @@
-import checkUserId from '../../../lib/check-user-id.js'
-import checkTheme from '../../../lib/check-theme.js'
-import checkIconset from '../../../lib/check-iconset.js'
-import checkTeam from '../../../lib/check-team.js'
+import { checkUserId, checkTeam, checkTheme, checkIconset } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,

package/extend/bajo/hook/waibu-rest-api@pre-parsing.js

@@ -1,5 +1,4 @@
-import checkUserId from '../../../lib/check-user-id.js'
-import checkTeam from '../../../lib/check-team.js'
+import { checkUserId, checkTeam } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,

package/extend/bajo/hook/waibu-static@pre-parsing.js

@@ -1,5 +1,4 @@
-import checkUserId from '../../../lib/check-user-id.js'
-import checkTeam from '../../../lib/check-team.js'
+import { checkUserId, checkTeam } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,

package/extend/bajo/hook/waibu@after-app-boot.js

@@ -1,5 +1,4 @@
-import collectRoutes from '../../../lib/collect-routes.js'
-import collectTeam from '../../../lib/collect-team.js'
+import { collectRoutes, collectTeam } from '../../../lib/collect.js'
 
 async function afterAppBoot () {
   const { runHook } = this.app.bajo

package/extend/bajo/hook/waibu@pre-parsing.js

@@ -1,7 +1,12 @@
+import { checkNoRouteSetting, checkNoRouteSettingKey } from '../../../lib/util.js'
+
 const preParsing = {
   level: 10,
   handler: async function (req, reply) {
+    const { get } = this.app.lib._
     req.site = await this.getSite(req)
+    const routes = get(req.site, checkNoRouteSettingKey)
+    checkNoRouteSetting.call(this, req, routes)
   }
 }
 

package/lib/{collect-routes.js → collect.js}

@@ -23,21 +23,38 @@ export async function collect ({ type = '', handler, container, file, ns, dir })
   }
 }
 
-function handler (item) {
+function collectHandler (item, keys = []) {
   const { isString } = this.app.lib._
-  for (const k of ['methods']) {
+  for (const k of keys) {
     item[k] = item[k] ?? []
     if (isString(item[k])) item[k] = item[k].split(',')
   }
 }
 
-async function collectRoutes (type) {
+export async function collectRoutes (type) {
   const { eachPlugins } = this.app.bajo
   const me = this
+
+  function handler (item) {
+    collectHandler.call(this, item, ['methods'])
+  }
+
   await eachPlugins(async function ({ file, dir }) {
     const { ns } = this
     await collect.call(me, { type, container: 'Routes', handler, file, ns, dir })
   }, { glob: `route/${type}.*`, prefix: this.ns })
 }
 
-export default collectRoutes
+export async function collectTeam () {
+  const { eachPlugins } = this.app.bajo
+  const me = this
+
+  function handler (item) {
+    collectHandler.call(this, item, ['methods', 'teams', 'features'])
+  }
+
+  await eachPlugins(async function ({ file, dir }) {
+    const { ns } = this
+    await collect.call(me, { type: 'team', container: 'Routes', handler, file, ns, dir })
+  }, { glob: 'route/team.*', prefix: this.ns })
+}

package/lib/util.js

@@ -1,16 +1,25 @@
+export const checkNoRouteSettingKey = 'setting.waibu.noRoutes.$in'
+
 export function parseNsSettings (ns, setting, items) {
-  const { trim, set, isPlainObject, isArray, isEmpty } = this.app.lib._
+  const { trim, set, isPlainObject, isArray, isEmpty, find, get, isString } = this.app.lib._
   const { parseObject, dayjs } = this.app.lib
+  const { routePath } = this.app.waibu
 
   for (const item of items) {
+    if (item.ns === '_var' || ns === '_var') continue
     let value = trim([item.value] ?? '')
-    if (['[', '{'].includes(value[0])) {
+    if (value[0] === '#' && value[value.length - 1] === '#') {
+      const val = value.slice(1, -1)
+      const newValue = find(items, { ns: '_var', key: val })
+      if (newValue) value = newValue.value
+    }
+    if (['[', '{'].includes(value[0]) && [']', '}'].includes(value[value.length - 1])) {
       try {
         value = parseObject(JSON.parse(value))
       } catch (err) {}
     } else if (Number(value)) value = Number(value)
     else if (['true', 'false'].includes(value)) value = value === 'true'
-    else if (item.key.endsWith('$in')) value = value.split(',').map(v => v.trim())
+    else if (item.key.endsWith('$in')) value = value.split('\n').map(v => v.trim())
     else {
       const dt = dayjs(value)
       if (dt.isValid()) value = dt.toDate()
@@ -18,4 +27,149 @@ export function parseNsSettings (ns, setting, items) {
     if ((isPlainObject(value) || isArray(value)) && isEmpty(value)) continue
     set(setting, `${ns}.${item.key}`, value)
   }
+  const key = checkNoRouteSettingKey.slice(checkNoRouteSettingKey.indexOf('.') + 1)
+  let noRoutes = get(setting, key, [])
+  if (noRoutes.length > 0) {
+    noRoutes = noRoutes.map(item => {
+      if (!isString(item)) return item
+      let [url, methods] = item.split('|')
+      if (methods === '*' || !methods) methods = 'GET,POST,PUT,DELETE'
+      methods = methods.split(',').map(m => m.trim().toUpperCase())
+      return { url: routePath(url), methods }
+    })
+    set(setting, key, noRoutes)
+  }
+}
+
+export function checkNoRouteSetting (req, routes) {
+  const { isEmpty } = this.app.lib._
+  const { outmatch } = this.app.lib
+  if (isEmpty(routes)) return
+  for (const route of routes) {
+    const isMatchUrl = outmatch(route.url)
+    if (isMatchUrl(req.url) || isMatchUrl(req.routeOptions.url)) {
+      if (route.methods.includes(req.method)) throw this.error('accessDenied', { statusCode: 403 })
+    }
+  }
+}
+
+export function pathsToCheck (req, withHome) {
+  const { uniq, without } = this.app.lib._
+  return uniq(without([req.routeOptions.url, req.url], undefined, null))
+}
+
+export async function checkIconset (req, reply) {
+  const { get, isString } = this.app.lib._
+  const mpa = this.app.waibuMpa
+
+  if (!req.site) return
+  const siteIconset = get(req, 'site.setting.waibuMpa.iconset')
+  req.iconset = siteIconset ?? get(mpa, 'config.iconset.set', 'default')
+  const hiconset = req.headers['x-iconset']
+  if (isString(hiconset) && mpa.getIconset(hiconset)) req.iconset = hiconset
+  req.iconset = req.iconset ?? 'default'
+}
+
+export async function checkTheme (req, reply) {
+  const { get, isString } = this.app.lib._
+  const mpa = this.app.waibuMpa
+
+  if (!req.site) return
+  const siteTheme = get(req, 'site.setting.waibuMpa.theme')
+  req.theme = siteTheme ?? get(mpa, 'config.theme.set', 'default')
+  const htheme = req.headers['x-theme']
+  if (isString(htheme) && mpa.getTheme(htheme)) req.theme = htheme
+  req.theme = req.theme ?? 'default'
+}
+
+export async function checkTeam (req, reply, source) {
+  const { get, isEmpty } = this.app.lib._
+  if (!req.user) return
+  const { map } = this.app.lib._
+  const paths = pathsToCheck.call(this, req, true)
+  const teams = map(req.user.teams, 'alias')
+  let match = this.checkPathsByTeam({ paths, method: req.method, teams, guards: this.teamRoutes })
+  if (!match) match = this.checkPathsByTeam({ paths, method: req.method, teams, guards: this.teamNegRoutes })
+  if (!match) {
+    const guards = map(this.teamRoutes, 'path')
+    match = !this.checkPathsByGuard({ paths, guards })
+  }
+  if (!match) throw this.error('accessDenied', { statusCode: 403 })
+  const routes = []
+  for (const team of (req.user.teams ?? [])) {
+    const items = get(team, checkNoRouteSettingKey, [])
+    if (isEmpty(items)) continue
+    routes.push(...items)
+  }
+  checkNoRouteSetting.call(this, req, routes)
+}
+
+export async function checkUserId (req, reply, source) {
+  const { merge, isEmpty, camelCase, get } = this.app.lib._
+  const { routePath } = this.app.waibu
+  const userId = get(req, 'session.userId')
+
+  const setUser = async () => {
+    const id = get(req, 'session.userId')
+    if (!id) return
+    try {
+      const user = await this.getUser(id)
+      if (user) req.user = user
+      else req.session.userId = null
+    } catch (err) {
+      console.log(err)
+      req.session.userId = null
+    }
+  }
+
+  if (req.session) req.session.siteId = req.site.id
+
+  const webApp = get(req, 'routeOptions.config.webApp', 'waibu')
+  if (!req.routeOptions.url) {
+    if (!req.session) return
+    await setUser()
+    return
+  }
+
+  const paths = pathsToCheck.call(this, req)
+  let securePath = await this.checkPathsByRoute({ paths, method: req.method, guards: this.secureRoutes })
+  if (securePath) {
+    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: this.secureNegRoutes })
+    if (neg) securePath = undefined
+  }
+  let anonymousPath = await this.checkPathsByRoute({ paths, method: req.method, guards: this.anonymousRoutes })
+  if (anonymousPath) {
+    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: this.anonymousNegRoutes })
+    if (neg) anonymousPath = undefined
+  }
+  if (!securePath && !anonymousPath) {
+    if (userId) await setUser()
+    return
+  }
+  if (anonymousPath) {
+    if (!userId) return
+    req.session.ref = req.url
+    return reply.redirectTo(routePath(this.config.redirect.signout))
+  }
+  if (securePath) {
+    if (userId) {
+      await setUser()
+      return
+    }
+    const silentOnError = this.config.auth[webApp].silentOnError ?? this.config.auth.common.silentOnError
+    const payload = silentOnError ? { noContent: true } : undefined
+    const authMethods = this.config.auth[webApp].methods ?? []
+    if (isEmpty(authMethods)) throw this.error('noAuthMethod', merge({ statusCode: 500 }, payload))
+    let success
+    for (const m of authMethods) {
+      const handler = this[camelCase(`verify ${m}`)]
+      if (!handler) throw this.error('invalidAuthMethod%s', m, merge({ statusCode: 500 }, payload))
+      const check = await handler(req, reply, source, payload)
+      if (check) {
+        success = check
+        break
+      }
+    }
+    if (!success) throw this.error('accessDeniedNoAuth', merge({ statusCode: 403 }, payload))
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "2.11.0",
+  "version": "2.12.0",
   "description": "Biz Suite for Bajo Framework",
   "main": "index.js",
   "scripts": {

package/wiki/CHANGES.md

@@ -2,10 +2,17 @@
 
 ## 2026-03-22
 
+- [2.12.0] Add no route settings sitewise
+- [2.12.0] Add no route settings for teams
+- [2.12.0] Some organizatorial changes in module files
+
+## 2026-03-22
+
 - [2.11.0] Add ```Team Setting``` feature
 - [2.11.0] Rewrite ```getUser()```
 - [2.11.0] Rewrite ```getSite()```
 - [2.11.0] Bug fix in model reference not displayed correctly on ```Details View```
+- [2.11.1] Bug fix in ```parseNsSetting()```
 
 ## 2026-03-13
 

package/lib/check-iconset.js

@@ -1,13 +0,0 @@
-async function checkIconset (req, reply) {
-  const { get, isString } = this.app.lib._
-  const mpa = this.app.waibuMpa
-
-  if (!req.site) return
-  const siteIconset = get(req, 'site.setting.waibuMpa.iconset')
-  req.iconset = siteIconset ?? get(mpa, 'config.iconset.set', 'default')
-  const hiconset = req.headers['x-iconset']
-  if (isString(hiconset) && mpa.getIconset(hiconset)) req.iconset = hiconset
-  req.iconset = req.iconset ?? 'default'
-}
-
-export default checkIconset

package/lib/check-team.js

@@ -1,19 +0,0 @@
-import { pathsToCheck } from './check-user-id.js'
-
-async function checkTeam (req, reply, source) {
-  if (!req.user) return
-  const { map } = this.app.lib._
-  const paths = pathsToCheck.call(this, req, true)
-  const teams = map(req.user.teams, 'alias')
-  const match = this.checkPathsByTeam({ paths, method: req.method, teams, guards: this.teamRoutes })
-  if (match) return
-  const negMatch = this.checkPathsByTeam({ paths, method: req.method, teams, guards: this.teamNegRoutes })
-  if (negMatch) return
-  const guards = map(this.teamRoutes, 'path')
-  // fallback
-  const guarded = this.checkPathsByGuard({ paths, guards })
-  if (!guarded) return
-  throw this.error('accessDenied', { statusCode: 403 })
-}
-
-export default checkTeam

package/lib/check-theme.js

@@ -1,13 +0,0 @@
-async function checkTheme (req, reply) {
-  const { get, isString } = this.app.lib._
-  const mpa = this.app.waibuMpa
-
-  if (!req.site) return
-  const siteTheme = get(req, 'site.setting.waibuMpa.theme')
-  req.theme = siteTheme ?? get(mpa, 'config.theme.set', 'default')
-  const htheme = req.headers['x-theme']
-  if (isString(htheme) && mpa.getTheme(htheme)) req.theme = htheme
-  req.theme = req.theme ?? 'default'
-}
-
-export default checkTheme

package/lib/check-user-id.js

@@ -1,76 +0,0 @@
-export function pathsToCheck (req, withHome) {
-  const { uniq, without } = this.app.lib._
-  return uniq(without([req.routeOptions.url, req.url], undefined, null))
-}
-
-async function setUser (req) {
-  const { get } = this.app.lib._
-  const id = get(req, 'session.userId')
-  if (!id) return
-  try {
-    const user = await this.getUser(id)
-    if (user) req.user = user
-    else req.session.userId = null
-  } catch (err) {
-    console.log(err)
-    req.session.userId = null
-  }
-}
-
-async function checkUserId (req, reply, source) {
-  const { merge, isEmpty, camelCase, get } = this.app.lib._
-  const { routePath } = this.app.waibu
-  const userId = get(req, 'session.userId')
-  if (req.session) req.session.siteId = req.site.id
-
-  const webApp = get(req, 'routeOptions.config.webApp', 'waibu')
-  if (!req.routeOptions.url) {
-    if (!req.session) return
-    await setUser.call(this, req)
-    return
-  }
-
-  const paths = pathsToCheck.call(this, req)
-  let securePath = await this.checkPathsByRoute({ paths, method: req.method, guards: this.secureRoutes })
-  if (securePath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: this.secureNegRoutes })
-    if (neg) securePath = undefined
-  }
-  let anonymousPath = await this.checkPathsByRoute({ paths, method: req.method, guards: this.anonymousRoutes })
-  if (anonymousPath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: this.anonymousNegRoutes })
-    if (neg) anonymousPath = undefined
-  }
-  if (!securePath && !anonymousPath) {
-    if (userId) await setUser.call(this, req)
-    return
-  }
-  if (anonymousPath) {
-    if (!userId) return
-    req.session.ref = req.url
-    return reply.redirectTo(routePath(this.config.redirect.signout))
-  }
-  if (securePath) {
-    if (userId) {
-      await setUser.call(this, req)
-      return
-    }
-    const silentOnError = this.config.auth[webApp].silentOnError ?? this.config.auth.common.silentOnError
-    const payload = silentOnError ? { noContent: true } : undefined
-    const authMethods = this.config.auth[webApp].methods ?? []
-    if (isEmpty(authMethods)) throw this.error('noAuthMethod', merge({ statusCode: 500 }, payload))
-    let success
-    for (const m of authMethods) {
-      const handler = this[camelCase(`verify ${m}`)]
-      if (!handler) throw this.error('invalidAuthMethod%s', m, merge({ statusCode: 500 }, payload))
-      const check = await handler(req, reply, source, payload)
-      if (check) {
-        success = check
-        break
-      }
-    }
-    if (!success) throw this.error('accessDeniedNoAuth', merge({ statusCode: 403 }, payload))
-  }
-}
-
-export default checkUserId

package/lib/collect-redirects.js

@@ -1,5 +0,0 @@
-async function collectRedirects () {
-  this.redirects = []
-}
-
-export default collectRedirects

package/lib/collect-team.js

@@ -1,20 +0,0 @@
-import { collect } from './collect-routes.js'
-
-function handler (item) {
-  const { isString } = this.app.lib._
-  for (const k of ['methods', 'teams', 'features']) {
-    item[k] = item[k] ?? []
-    if (isString(item[k])) item[k] = item[k].split(',')
-  }
-}
-
-async function collectTeam () {
-  const { eachPlugins } = this.app.bajo
-  const me = this
-  await eachPlugins(async function ({ file, dir }) {
-    const { ns } = this
-    await collect.call(me, { type: 'team', container: 'Routes', handler, file, ns, dir })
-  }, { glob: 'route/team.*', prefix: this.ns })
-}
-
-export default collectTeam