sumba 2.23.0 → 2.24.0

package/extend/bajo/hook/bajo.extend@after-read-config.js

@@ -0,0 +1,13 @@
+import path from 'path'
+
+async function afterReadConfig (file, result, options) {
+  const base = path.basename(file, path.extname(file))
+  // rewrite fixtures
+  if (!(base === 'route-guard' && Array.isArray(result) && file.includes('/fixture/'))) return
+  for (const res of result) {
+    if (res.path.slice(0, 2) === ':/') res.path = options.sourceNs + res.path
+    res.path = res.path.replaceAll('{ns}', options.sourceNs)
+  }
+}
+
+export default afterReadConfig

package/extend/bajo/hook/dobo.sumba-route-guard@after-transaction.js

@@ -0,0 +1,6 @@
+async function afterTransaction (action, ...args) {
+  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
+  await this.getRouteGuards(true)
+}
+
+export default afterTransaction

package/extend/bajo/hook/dobo@before-count-record.js

@@ -1,8 +1,8 @@
-import { handler } from './dobo@before-find-record.js'
+import { handler } from './dobo@before-driver-find-record.js'
 
-const doboBeforeCountRecord = {
+const doboBeforeDriverCountRecord = {
   level: 1000,
   handler
 }
 
-export default doboBeforeCountRecord
+export default doboBeforeDriverCountRecord

package/extend/bajo/hook/dobo@before-driver-create-record.js

@@ -0,0 +1,17 @@
+const doboBeforeDriverCreateRecord = {
+  level: 1000,
+  handler: async function (model, body, options = {}) {
+    const { get } = this.app.lib._
+    const { isSet } = this.app.lib.aneka
+    const { req } = options
+    if (options.noAutoFilter || !req || get(req, 'routeOptions.config.crossSite')) return
+    const item = { siteId: 'site.id', userId: 'user.id' }
+    for (const i in item) {
+      const rec = get(req, item[i])
+      const field = model.getProperty(i)
+      if (rec && field && !isSet(body[i])) body[i] = field.type === 'string' ? (rec + '') : rec
+    }
+  }
+}
+
+export default doboBeforeDriverCreateRecord

package/extend/bajo/hook/dobo@before-driver-find-all-record.js

@@ -0,0 +1,13 @@
+import { rebuildFilter } from './dobo@before-driver-find-record.js'
+
+const doboBeforeDriverFindAllRecord = {
+  level: 1000,
+  handler: async function (model, filter, options) {
+    const { req } = options
+    const { isEmpty } = this.app.lib._
+    if (options.noAutoFilter || !req || isEmpty(req.site)) return
+    await rebuildFilter.call(this, model, filter, options)
+  }
+}
+
+export default doboBeforeDriverFindAllRecord

package/extend/bajo/hook/dobo@before-driver-find-record.js

@@ -0,0 +1,96 @@
+async function applyModelGuard ({ model, q, teamIds, options }) {
+  const { isEmpty, get, set, uniq } = this.app.lib._
+  const { req } = options
+  const { getModel } = this.app.dobo
+
+  const guards = []
+  const query = { status: 'ACTIVE', siteId: req.site.id + '' }
+  const results = await getModel('SumbaModelGuard').findAllRecord({ query }, { noMagic: true, dataOnly: true, noDriverHook: true })
+  const item = {}
+
+  function add (res) {
+    item[res.column].push(...res.value)
+  }
+
+  for (const res of results) {
+    res.teamIds = res.teamIds ?? []
+    if (!(res.models ?? []).includes(model.name) || isEmpty(res.value)) continue
+    item[res.column] = item[res.column] ?? []
+    if (teamIds.length > 0) {
+      for (const id of res.teamIds) {
+        if (teamIds.includes(id)) add(res)
+      }
+    }
+  }
+  for (const key in item) {
+    item[key] = uniq(item[key])
+    if (item[key].length === 0) continue
+    guards.push(set({}, key, { $in: item[key] }))
+  }
+
+  const allowEmpty = get(this, `config.dobo.model.${model.name}.allowEmptyQuery`, true)
+  if (guards.length === 0 && !allowEmpty) throw this.error('_emptyColumnQuery') // signal driver to about with no result immediately
+  q.$and.push(...guards)
+}
+
+export async function applyAttribGuard ({ model, teamIds, options }) {
+  const { getModel } = this.app.dobo
+  const { uniq } = this.app.lib._
+  const { req } = options
+
+  const query = { status: 'ACTIVE', siteId: req.site.id + '' }
+  const results = await getModel('SumbaAttribGuard').findAllRecord({ query }, { noMagic: true, dataOnly: true, noDriverHook: true })
+  const result = results.find(item => (item.models ?? []).includes(model.name))
+  if (!result) return
+  options.hidden = options.hidden ?? []
+  for (const id of result.teamIds ?? []) {
+    if (teamIds.includes(id)) options.hidden.push(...(result.hiddenCols ?? []))
+  }
+  options.hidden = uniq(options.hidden)
+}
+
+export async function rebuildFilter (model, filter = {}, options = {}) {
+  const { isEmpty, get } = this.app.lib._
+  const { req } = options
+  const hasSiteId = model.hasProperty('siteId')
+  const hasUserId = model.hasProperty('userId')
+  const hasTeamId = model.hasProperty('teamId')
+  const teams = get(req, 'user.teams', [])
+  const teamIds = teams.map(team => team.id + '')
+  const aliases = teams.map(team => team.alias)
+  const q = { $and: [] }
+
+  filter.query = filter.query ?? {}
+  if (!isEmpty(filter.query)) {
+    if (filter.query.$and) q.$and.push(...filter.query.$and)
+    else q.$and.push(filter.query)
+  }
+  if (req.routeOptions.config.crossSite) return
+  if (hasSiteId) q.$and.push({ siteId: req.site.id + '' })
+  if (aliases.includes('administrator')) {
+    filter.query = q
+    return
+  }
+
+  if (hasTeamId) {
+    if (hasUserId) q.$and.push({ $or: [{ teamId: { $in: teamIds } }, { userId: req.user.id + '' }] })
+    else q.$and.push({ teamId: { $in: teamIds } })
+  } else if (hasUserId) q.$and.push({ userId: req.user.id + '' })
+
+  await applyModelGuard.call(this, { model, q, teamIds, options })
+  await applyAttribGuard.call(this, { model, teamIds, options })
+  filter.query = q
+}
+
+export async function handler (model, filter, options = {}) {
+  const { isEmpty } = this.app.lib._
+  if (options.noAutoFilter || !options.req || isEmpty((options.req ?? {}).site)) return
+  await rebuildFilter.call(this, model, filter, options)
+}
+
+const doboBeforeDriverFindRecord = {
+  level: 1000,
+  handler
+}
+
+export default doboBeforeDriverFindRecord

package/extend/bajo/hook/dobo@before-driver-get-record.js

@@ -0,0 +1,22 @@
+import { rebuildFilter } from './dobo@before-driver-find-record.js'
+
+export async function checker (model, id, options = {}) {
+  const { req } = options
+
+  if (options.noAutoFilter || !req) return
+  const filter = {}
+  await rebuildFilter.call(this, model, filter, options)
+  if (filter.query.$and) filter.query.$and.push({ id })
+  else filter.query.id = id
+  const row = await model.findOneRecord(filter, { count: false })
+  if (!row) throw this.app.dobo.error('recordNotFound%s%s', id, this.name, { statusCode: 404 })
+}
+
+const doboBeforeDriverGetRecord = {
+  level: 1000,
+  handler: async function (model, id, options) {
+    await checker.call(this, model, id, options)
+  }
+}
+
+export default doboBeforeDriverGetRecord

package/extend/bajo/hook/dobo@before-driver-remove-record.js

@@ -0,0 +1,10 @@
+import { checker } from './dobo@before-driver-get-record.js'
+
+const doboBeforeDriverRemoveRecord = {
+  level: 1000,
+  handler: async function (model, id, options = {}) {
+    await checker.call(this, model, id, options.req)
+  }
+}
+
+export default doboBeforeDriverRemoveRecord

package/extend/bajo/hook/dobo@before-driver-update-record.js

@@ -0,0 +1,10 @@
+import { checker } from './dobo@before-driver-get-record.js'
+
+const doboBeforeDriverUpdateRecord = {
+  level: 1000,
+  handler: async function (model, id, body, options = {}) {
+    await checker.call(this, model, id, options)
+  }
+}
+
+export default doboBeforeDriverUpdateRecord

package/extend/bajo/hook/waibu-mpa@pre-parsing.js

@@ -1,13 +1,14 @@
-import { checkUserId, checkTeam, checkTheme, checkIconset, checkInterSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkTheme, checkIconset, checkCrossSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
   handler: async function (req, reply) {
     await checkTheme.call(this, req, reply)
     await checkIconset.call(this, req, reply)
-    if (!await checkUserId.call(this, req, reply, 'waibuMpa')) return
-    if (!await checkTeam.call(this, req, reply, 'waibuMpa')) return
-    await checkInterSite.call(this, req, reply)
+    const secure = await checkUserId.call(this, req, reply, 'waibuMpa')
+    if (!secure) return
+    await checkTeam.call(this, req, reply, secure)
+    await checkCrossSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/hook/waibu-rest-api@pre-parsing.js

@@ -1,11 +1,12 @@
-import { checkUserId, checkTeam, checkInterSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkCrossSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
   handler: async function (req, reply) {
-    if (!await checkUserId.call(this, req, reply, 'waibuRestApi')) return
-    if (!await checkTeam.call(this, req, reply, 'waibuRestApi')) return
-    await checkInterSite.call(this, req, reply)
+    const secure = await checkUserId.call(this, req, reply, 'waibuRestApi')
+    if (!secure) return
+    await checkTeam.call(this, req, reply, secure)
+    await checkCrossSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/hook/waibu-static@pre-parsing.js

@@ -1,11 +1,12 @@
-import { checkUserId, checkTeam, checkInterSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkCrossSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
   handler: async function (req, reply) {
-    if (!await checkUserId.call(this, req, reply, 'waibuStatic')) return
-    if (!await checkTeam.call(this, req, reply, 'waibuStatic')) return
-    await checkInterSite.call(this, req, reply)
+    const secure = await checkUserId.call(this, req, reply, 'waibuStatic')
+    if (!secure) return
+    await checkTeam.call(this, req, reply, secure)
+    await checkCrossSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/intl/en-US.json

@@ -132,7 +132,9 @@
   "statusClosed": "Closed",
   "allSites": "All Sites",
   "permission": "Permission",
-  "routeGuard": "Route Guard",
+  "routeGuard": "Route",
+  "modelGuard": "Model",
+  "attribGuard": "Attribute",
   "field": {
     "currentPassword": "Current Password",
     "newPassword": "New Password",
@@ -161,7 +163,10 @@
     "inverse": "Inverse?",
     "anonymous": "Anonymous?",
     "methods": "Methods",
-    "teams": "Teams"
+    "teamIds": "Teams",
+    "column": "Column",
+    "hiddenCols": "Hidden Columns",
+    "models": "Models"
   },
   "validation": {
     "password": {

package/extend/bajo/intl/id.json

@@ -137,6 +137,10 @@
   "statusOpen": "Terbuka",
   "statusClosed": "Tertutup",
   "allSites": "Semua Situs",
+  "permission": "Permisi",
+  "routeGuard": "Rute",
+  "modelGuard": "Model",
+  "attribGuard": "Atribut",
   "field": {
     "currentPassword": "Kata Sandi Saat Ini",
     "newPassword": "Kata Sandi Baru",
@@ -159,8 +163,16 @@
     "user": "Pengguna",
     "team": "Tim",
     "ns": "Ruang Nama Modul",
-    "value": "Value",
-    "notes": "Catatan"
+    "value": "Nilai",
+    "notes": "Catatan",
+    "path": "Jejak",
+    "inverse": "Inverse?",
+    "anonymous": "Anonim?",
+    "methods": "Metode",
+    "teamIds": "Tim",
+    "column": "Kolom",
+    "hideCols": "Sembunyikan Kolom",
+    "models": "Model"
   },
   "validation": {
     "password": {

package/extend/dobo/feature/team-ids.js

@@ -0,0 +1,20 @@
+async function teamIds (opts = {}) {
+  return {
+    properties: [{
+      name: 'teamIds',
+      type: 'array',
+      default: [],
+      ref: {
+        teamIds: {
+          model: 'SumbaTeam',
+          field: 'id',
+          searchField: 'name',
+          fields: ['id', 'alias', 'name']
+        }
+      },
+      index: true
+    }]
+  }
+}
+
+export default teamIds

package/extend/dobo/fixture/route-guard.js

@@ -10,7 +10,7 @@ const routes = [
   '~sumba.restapi:/user/access-token/**/*'
 ]
 
-async function userGuard () {
+async function routeGuard () {
   return routes.map(r => {
     const anonymous = r[0] === '~'
     return {
@@ -23,4 +23,4 @@ async function userGuard () {
   })
 }
 
-export default userGuard
+export default routeGuard

package/extend/dobo/model/attrib-guard.js

@@ -0,0 +1,36 @@
+async function routeGuard () {
+  return {
+    properties: [
+      {
+        name: 'models',
+        type: 'array',
+        required: true
+      },
+      'hiddenCols,array',
+      'teamIds,sumba:teamIds'
+    ],
+    indexes: [{
+      type: 'unique',
+      fields: ['models', 'siteId']
+    }],
+    features: [
+      {
+        name: 'sumba:status',
+        values: ['ACTIVE', 'INACTIVE'],
+        default: 'ACTIVE'
+      },
+      'dobo:immutable',
+      'dobo:updatedAt',
+      'sumba:siteId'
+    ],
+    options: {
+      attachment: false
+    },
+    buildEnd: async function (model) {
+      const prop = model.properties.find(prop => prop.name === 'models')
+      prop.values = this.app.dobo.models.map(model => model.name).sort().map(item => ({ value: item, text: item }))
+    }
+  }
+}
+
+export default routeGuard

package/extend/dobo/model/model-guard.js

@@ -0,0 +1,37 @@
+async function routeGuard () {
+  return {
+    properties: [
+      {
+        name: 'models',
+        type: 'array',
+        required: true
+      },
+      'column,,50,true,true',
+      'value,array',
+      'teamIds,sumba:teamIds'
+    ],
+    indexes: [{
+      type: 'unique',
+      fields: ['models', 'column', 'siteId']
+    }],
+    features: [
+      {
+        name: 'sumba:status',
+        values: ['ACTIVE', 'INACTIVE'],
+        default: 'ACTIVE'
+      },
+      'dobo:immutable',
+      'dobo:updatedAt',
+      'sumba:siteId'
+    ],
+    options: {
+      attachment: false
+    },
+    buildEnd: async function (model) {
+      const prop = model.properties.find(prop => prop.name === 'models')
+      prop.values = this.app.dobo.models.map(model => model.name).sort().map(item => ({ value: item, text: item }))
+    }
+  }
+}
+
+export default routeGuard

package/extend/dobo/model/route-guard.js

@@ -1,9 +1,20 @@
 async function routeGuard () {
   return {
-    connection: 'memory',
     properties: [
       'path,,255,true,true',
       {
+        name: 'methods',
+        type: 'array',
+        required: true,
+        default: ['GET', 'POST', 'UPDATE', 'DELETE'],
+        values: ['GET', 'POST', 'UPDATE', 'DELETE']
+      },
+      'teamIds,sumba:teamIds',
+      {
+        name: 'weight',
+        type: 'smallint',
+        default: 0
+      }, {
         name: 'inverse',
         type: 'boolean',
         required: true,
@@ -13,28 +24,6 @@ async function routeGuard () {
         type: 'boolean',
         required: true,
         default: false
-      }, {
-        name: 'methods',
-        type: 'array',
-        required: true,
-        default: ['GET', 'POST', 'UPDATE', 'DELETE'],
-        values: ['GET', 'POST', 'UPDATE', 'DELETE']
-      }, {
-        name: 'teams',
-        type: 'array',
-        default: [],
-        ref: {
-          teams: {
-            model: 'SumbaTeam',
-            field: 'alias',
-            searchField: 'name',
-            fields: ['alias', 'name']
-          }
-        }
-      }, {
-        name: 'weight',
-        type: 'smallint',
-        default: 0
       }
     ],
     features: [
@@ -43,16 +32,12 @@ async function routeGuard () {
         values: ['ACTIVE', 'INACTIVE'],
         default: 'ACTIVE'
       },
-      {
-        name: 'dobo:unique',
-        fields: ['path', 'anonymous', 'methods', 'teams', 'inverse', 'weight', 'status', 'siteId']
-      },
       'dobo:immutable',
       'dobo:updatedAt',
       'sumba:siteId'
     ],
     options: {
-      persistence: false
+      attachment: false
     }
   }
 }

package/extend/waibuDb/schema/attrib-guard.js

@@ -0,0 +1,15 @@
+async function attribGuard () {
+  return {
+    common: {
+      widget: {
+        teamIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/team/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default attribGuard

package/extend/waibuDb/schema/model-guard.js

@@ -0,0 +1,15 @@
+async function modelGuard () {
+  return {
+    common: {
+      widget: {
+        teamIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/team/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default modelGuard

package/extend/waibuDb/schema/route-guard.js

@@ -2,7 +2,7 @@ async function routeGuard () {
   return {
     common: {
       widget: {
-        teams: {
+        teamIds: {
           attr: {
             refUrl: 'waibuAdmin:/{prefix}/team/details?id={id}'
           }

package/extend/waibuDb/schema/user.js

@@ -1,9 +1,23 @@
 async function user ({ req } = {}) {
+  const { merge } = this.app.lib._
+  const details = {
+    forceVisible: ['password', 'token'],
+    format: {
+      password: function (val, rec) {
+        return `<a href="waibuAdmin:/site/reset-user-password?username=${rec.username}">${req.t('resetPassword')}</a>`
+      }
+    },
+    widget: {
+      password: {
+        component: 'form-plaintext'
+      }
+    }
+  }
   return {
     common: {
       layout: [
         { name: 'meta', fields: ['id:3', 'createdAt:3', 'updatedAt:3', 'status:3'] },
-        { name: 'account', fields: ['username:3', 'email:3', 'provider:3', 'password:3', 'firstName:3', 'lastName:3', 'apiKey:6'] },
+        { name: 'account', fields: ['username:3', 'email:3', 'provider:3', 'password:3', 'firstName:3', 'lastName:3'] },
         { name: 'address', fields: ['address1:12', 'address2:12', 'city:6-md 8-sm', 'zipCode:2-md 4-sm', 'provinceState:4-md', 'country:6-md', 'phone:6-md', 'website:12'] },
         { name: 'socialMedia', fields: ['socX:3-md 6-sm', 'socInstagram:3-md 6-sm', 'socFacebook:3-md 6-sm', 'socLinkedIn:3-md 6-sm'] }
       ],
@@ -19,7 +33,7 @@ async function user ({ req } = {}) {
           sort: 'username:1',
           limit: 10
         },
-        fields: ['createdAt', 'status', 'username', 'provider', 'email', 'firstName', 'lastName', 'city', 'zipCode', 'provinceState', 'country', 'phone', 'apiKey'],
+        fields: ['createdAt', 'status', 'username', 'provider', 'email', 'firstName', 'lastName', 'city', 'zipCode', 'provinceState', 'country', 'phone'],
         stat: {
           aggregate: [
             { fields: ['status'], group: 'status', aggregate: ['count'] },
@@ -28,35 +42,14 @@ async function user ({ req } = {}) {
           ]
         }
       },
-      details: {
-        forceVisible: ['password', 'token'],
-        widget: {
-          password: {
-            component: 'form-plaintext',
-            attr: {
-              href: 'waibuAdmin:/site/reset-user-password?username={username}',
-              value: req.t('resetPassword')
-            }
-          }
-        }
-      },
+      details,
       add: {
         forceVisible: ['password'],
         hidden: ['id', 'createdAt', 'updatedAt', 'provider']
       },
-      edit: {
-        forceVisible: ['password', 'token'],
-        widget: {
-          password: {
-            component: 'form-plaintext',
-            attr: {
-              href: 'waibuAdmin:/site/reset-user-password?username={username}',
-              value: req.t('resetPassword')
-            }
-          }
-        },
+      edit: merge({}, details, {
         readonly: ['id', 'createdAt', 'updatedAt', 'username', 'provider']
-      }
+      })
     }
   }
 }

package/extend/waibuMpa/extend/waibuAdmin/route/all-sites/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'manageAllSite',
-  interSite: true,
+  crossSite: true,
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')

package/extend/waibuMpa/extend/waibuAdmin/route/attrib-guard/@action.js

@@ -0,0 +1,11 @@
+const action = {
+  method: ['GET', 'POST'],
+  title: 'attribGuard',
+  handler: async function (req, reply) {
+    const { importModule } = this.app.bajo
+    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
+    return await crudSkel.call(this, 'SumbaAttribGuard', req, reply)
+  }
+}
+
+export default action

package/extend/waibuMpa/extend/waibuAdmin/route/cache/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'cacheStorage',
-  interSite: true,
+  crossSite: true,
   handler: async function (req, reply) {
     if (!this.app.bajoCache) throw this.error('_notFound')
     const { importModule } = this.app.bajo

package/extend/waibuMpa/extend/waibuAdmin/route/model-guard/@action.js

@@ -0,0 +1,11 @@
+const action = {
+  method: ['GET', 'POST'],
+  title: 'modelGuard',
+  handler: async function (req, reply) {
+    const { importModule } = this.app.bajo
+    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
+    return await crudSkel.call(this, 'SumbaModelGuard', req, reply)
+  }
+}
+
+export default action

package/extend/waibuMpa/extend/waibuAdmin/route/reset-user-password.js

@@ -4,13 +4,14 @@ const resetUserPassword = {
   handler: async function (req, reply) {
     const { importPkg } = this.app.bajo
     const { defaultsDeep } = this.app.lib.aneka
+    const { passwordRule } = this.app.sumba
     const Joi = await importPkg('dobo:joi')
     const model = this.app.dobo.getModel('SumbaUser')
     const form = defaultsDeep(req.body, { username: req.query.username })
     let error
     if (req.method === 'POST') {
       try {
-        const password = await this.passwordRule(req)
+        const password = await passwordRule(req)
         const schema = Joi.object({
           username: Joi.string().max(50).required(),
           password,

package/extend/waibuMpa/extend/waibuAdmin/route/session/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'userSession',
-  interSite: true,
+  crossSite: true,
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')

package/index.js

@@ -32,11 +32,14 @@ async function factory (pkgName) {
       super(pkgName, me.app)
       this.config = {
         multiSite: cloneDeep(defMultiSite),
-        interSiteAdmins: [],
+        crossSiteAdmins: [],
         waibu: {
           title: 'site',
           prefix: 'site'
         },
+        dobo: {
+          model: {}
+        },
         waibuMpa: {
           home: 'sumba:/your-stuff/profile',
           icon: 'globe',
@@ -152,8 +155,6 @@ async function factory (pkgName) {
           getUserByTokenDur: '1m'
         }
       }
-      this.userGuards = []
-      this.teamGuards = []
       this.unsafeUserFields = ['password']
       this.selfBind(['createNewSite', 'removeSite', 'getSite', 'getUserById', 'getUserByToken', 'getUserByUsernamePassword'])
     }
@@ -170,10 +171,10 @@ async function factory (pkgName) {
 
     start = async () => {
       const { getModel } = this.app.dobo
-      if (this.config.interSiteAdmins.length === 0) {
+      if (this.config.crossSiteAdmins.length === 0) {
         const site = await getModel('SumbaSite').findOneRecord({ query: { alias: 'default' } }, { noMagic: true })
         const user = await getModel('SumbaUser').findOneRecord({ query: { username: 'admin', siteId: site.id } }, { noMagic: true })
-        this.config.interSiteAdmins.push(user.id)
+        this.config.crossSiteAdmins.push(user.id)
       }
     }
 
@@ -228,7 +229,9 @@ async function factory (pkgName) {
       }, {
         title: 'permission',
         children: [
-          { title: 'routeGuard', href: `waibuAdmin:/${prefix}/route-guard/list` }
+          { title: 'routeGuard', href: `waibuAdmin:/${prefix}/route-guard/list` },
+          { title: 'modelGuard', href: `waibuAdmin:/${prefix}/model-guard/list` },
+          { title: 'attribGuard', href: `waibuAdmin:/${prefix}/attrib-guard/list` }
         ]
       }, {
         title: 'supportSystem',
@@ -272,13 +275,14 @@ async function factory (pkgName) {
 
     verifySession = async (req, reply, source, payload) => {
       const { routePath } = this.app.waibu
+      const { query, params } = req
 
       if (!req.session) return false
       if (req.session.userId) {
         req.user = await this.getUserById(req.session.userId, req)
         return true
       }
-      const redir = routePath(this.config.redirect.signin, req)
+      const redir = routePath(this.config.redirect.signin, { query, params })
       req.session.ref = req.url
       throw this.error('_redirect', { redirect: redir })
     }
@@ -361,7 +365,7 @@ async function factory (pkgName) {
       return true
     }
 
-    checkPathsByRoute = ({ paths = [], method = 'GET', teams = [], guards = [] }) => {
+    checkPathsByRoute = ({ paths = [], teamIds = [], guards = [] }) => {
       const { includes } = this.app.lib.aneka
       const { outmatch } = this.app.lib
 
@@ -369,10 +373,8 @@ async function factory (pkgName) {
         const matchPath = outmatch(item.path)
         for (const path of paths) {
           if (matchPath(path)) {
-            if (item.methods.includes(method)) {
-              if (teams.length === 0) return item
-              if (includes(teams, item.teams)) return item
-            }
+            if (includes(teamIds, item.teamIds)) return item
+            if (teamIds.length === 0) return item
           }
         }
       }
@@ -535,7 +537,12 @@ async function factory (pkgName) {
       const { map, orderBy } = this.app.lib._
       if (!reread) return this.routeGuards
       const model = getModel('SumbaRouteGuard')
-      const results = await model.findAllRecord({ query: { status: 'ACTIVE' } }, { noMagic: true, dataOnly: true })
+      let results = await model.findAllRecord({ query: { status: 'ACTIVE' } }, { noMagic: true, noCache: true, noDriverHook: true, dataOnly: true })
+      results = results.map(item => {
+        item.teamIds = item.teamIds ?? []
+        item.methods = item.methods ?? []
+        return item
+      })
       this.routeGuards = orderBy(map(results, item => {
         item.path = routePath(item.path)
         return item

package/lib/get-user.js

@@ -3,7 +3,7 @@ import { parseNsSettings } from './util.js'
 export async function mergeTeam (user) {
   const { map, pick } = this.app.lib._
   const { getModel } = this.app.dobo
-  user.interSiteAdmin = this.config.interSiteAdmins.includes(user.id)
+  user.crossSiteAdmin = this.config.crossSiteAdmins.includes(user.id)
   user.teams = []
   const query = { userId: user.id, siteId: user.siteId }
   let mdl = getModel('SumbaTeamUser')
@@ -45,7 +45,7 @@ export async function getUserById (id, req) {
     user = await getCache({ key })
     if (user) return JSON.parse(user)
   }
-  user = await getModel('SumbaUser').getRecord(id, { noHook: true, throwNotFound: false, req })
+  user = await getModel('SumbaUser').getRecord(id, { noHook: true, noDriverHook: true, throwNotFound: false, req })
   if (!user) return
   await mergeTeam.call(this, user)
   if (setCache) {
@@ -63,7 +63,7 @@ export async function getUserByToken (token, req) {
     user = await getCache({ key })
     if (user) return JSON.parse(user)
   }
-  user = await getModel('SumbaUser').findOneRecord({ query: { token } }, { noHook: true, throwNotFound: false, req })
+  user = await getModel('SumbaUser').findOneRecord({ query: { token } }, { noHook: true, noDriverHook: true, throwNotFound: false, req })
   if (!user) return
   await mergeTeam.call(this, user)
   if (setCache) {
@@ -80,7 +80,7 @@ export async function getUserByUsernamePassword (username = '', password = '', r
   const bcrypt = await importPkg('bajoExtra:bcrypt')
 
   const query = { username, provider: 'local', siteId: req.site.id }
-  const user = await model.findOneRecord({ query }, { req, forceNoHidden: true, noHook: true })
+  const user = await model.findOneRecord({ query }, { req, forceNoHidden: true, noHook: true, noDriverHook: true })
   if (!user) throw this.error('validationError', { details: [{ field: 'username', error: 'Unknown username' }], statusCode: 401 })
   if (user.status !== 'ACTIVE') throw this.error('validationError', { details: ['User is inactive or temporarily disabled'], statusCode: 401 })
   const verified = await bcrypt.compare(password, user.password)

package/lib/util.js

@@ -56,17 +56,21 @@ export async function checkTheme (req, reply) {
   req.theme = req.theme ?? 'default'
 }
 
-export async function checkTeam (req, reply, source) {
-  if (!req.user) return
+export async function checkTeam (req, reply, route) {
   const { map } = this.app.lib._
-  const paths = pathsToCheck.call(this, req, true)
+  route.teams = route.teams ?? []
+  if (route.teams.length === 0) return
+
   const teams = map(req.user.teams, 'alias')
+  if (teams.includes('administrator')) return
+  if (teams.length === 0) throw this.error('accessDenied', { statusCode: 403 })
+
+  const paths = pathsToCheck.call(this, req, true)
   const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '' && item.teams.length > 0)
-  if (allGuards.length === 0) return // no route guarded
-  let match = this.checkPathsByRoute({ paths, method: req.method, teams, guards: allGuards.filter(item => !item.inverse) })
-  if (!match) return // route is NOT protected by team guard
+  if (allGuards.length === 0) return // no route to be team guarded
+  let match = this.checkPathsByRoute({ paths, teams, guards: allGuards.filter(item => !item.inverse) })
   if (match) {
-    const neg = this.checkPathsByRoute({ paths, method: req.method, teams, guards: allGuards.filter(item => item.inverse) })
+    const neg = this.checkPathsByRoute({ paths, teams, guards: allGuards.filter(item => item.inverse) })
     if (neg) match = undefined
   }
   if (!match) throw this.error('accessDenied', { statusCode: 403 })
@@ -102,14 +106,14 @@ export async function checkUserId (req, reply, source) {
   const paths = pathsToCheck.call(this, req)
   const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '')
   if (allGuards.length === 0) return false // no routes protected
-  let securePath = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => !item.anonymous && !item.inverse) })
+  let securePath = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => !item.anonymous && !item.inverse) })
   if (securePath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => !item.anonymous && item.inverse) })
+    const neg = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => !item.anonymous && item.inverse) })
     if (neg) securePath = undefined
   }
-  let anonymousPath = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => item.anonymous && !item.inverse) })
+  let anonymousPath = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => item.anonymous && !item.inverse) })
   if (anonymousPath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => item.anonymous && item.inverse) })
+    const neg = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => item.anonymous && item.inverse) })
     if (neg) anonymousPath = undefined
   }
   if (!securePath && !anonymousPath) {
@@ -121,9 +125,10 @@ export async function checkUserId (req, reply, source) {
     req.session.ref = req.url
     return reply.redirectTo(routePath(this.config.redirect.signout))
   }
+  if (!(securePath.methods ?? []).includes(req.method)) throw this.error('accessDenied', { statusCode: 403 })
   if (userId) {
     await setUser()
-    return true
+    return securePath
   }
   const silentOnError = this.config.auth[webApp].silentOnError ?? this.config.auth.common.silentOnError
   const payload = silentOnError ? { noContent: true } : undefined
@@ -140,7 +145,7 @@ export async function checkUserId (req, reply, source) {
     }
   }
   if (!success) throw this.error('accessDeniedNoAuth', merge({ statusCode: 403 }, payload))
-  return true
+  return securePath
 }
 
 export async function latLngHook (body, options) {
@@ -157,10 +162,8 @@ export async function latLngHook (body, options) {
  * @param {Object} reply - Reply object
  * @returns
  */
-export async function checkInterSite (req, reply) {
+export async function checkCrossSite (req, reply) {
   const { get } = this.app.lib._
-  const isinterSite = get(req, 'routeOptions.config.interSite')
-  const isInterSiteAdmin = get(req, 'user.interSiteAdmin')
-  if (!isinterSite) return
-  if (!isInterSiteAdmin) throw this.error('accessDenied', { statusCode: 403 })
+  if (!get(req, 'routeOptions.config.crossSite')) return
+  if (!get(req, 'user.crossSiteAdmin')) throw this.error('accessDenied', { statusCode: 403 })
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "description": "Biz Suite for Bajo Framework",
   "main": "index.js",
   "scripts": {

package/wiki/CHANGES.md

@@ -2,6 +2,12 @@
 
 ## 2026-05-11
 
+- [2.24.0] Complete rewrite of route guards
+- [2.24.0] Add model guards
+- [2.24.0] Add attribute guards
+
+## 2026-05-11
+
 - [2.23.0] Unify route guards and put it in ```SumbaRouteGuard``` database
 - [2.23.0] Phased out ```setting.noRoutes```
 

package/extend/bajo/hook/dobo.sumba-team-guard@after-action.js

@@ -1,6 +0,0 @@
-async function afterAction (action, ...args) {
-  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-  await this.getTeamGuards(true)
-}
-
-export default afterAction

package/extend/bajo/hook/dobo.sumba-user-guard@after-action.js

@@ -1,6 +0,0 @@
-async function afterAction (action, ...args) {
-  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-  await this.getUserGuards(true)
-}
-
-export default afterAction

package/extend/bajo/hook/dobo@before-create-record.js

@@ -1,17 +0,0 @@
-const doboBeforeCreateRecord = {
-  level: 1000,
-  handler: async function (modelName, body, options = {}) {
-    const { get } = this.app.lib._
-    const { req } = options
-    if (options.noAutoFilter || !req || get(req, 'routeOptions.config.interSite')) return
-    const item = { siteId: 'site.id', userId: 'user.id' }
-    const model = this.app.dobo.getModel(modelName)
-    for (const i in item) {
-      const rec = get(req, item[i])
-      const field = model.getProperty(i)
-      if (rec && field) body[i] = field.type === 'string' ? (rec + '') : rec
-    }
-  }
-}
-
-export default doboBeforeCreateRecord

package/extend/bajo/hook/dobo@before-find-record.js

@@ -1,63 +0,0 @@
-const useAdmin = ['waibuAdmin']
-
-export async function rebuildFilter (modelName, filter, req) {
-  const { isEmpty, isPlainObject, map, find, get } = this.app.lib._
-  filter.query = filter.query ?? {}
-  if (req.routeOptions.config.interSite) {
-    filter.query = { $and: [filter.query] }
-    return
-  }
-
-  const queryBySiteSetting = (query) => {
-    if (!req.site) return
-    const setting = get(req, `site.setting.dobo.query.${modelName}`)
-    if (isPlainObject(setting) && !isEmpty(setting)) query.$and.push(setting)
-  }
-
-  const queryByTeamSetting = (query) => {
-    if (!req.user) return
-    const q = []
-    for (const team of req.user.teams) {
-      const item = get(team, `setting.dobo.query.${modelName}`)
-      if (item) q.push(item)
-    }
-    if (isEmpty(q)) return
-    if (q.length === 1) query.$and.push(q[0])
-    else query.$and.push({ $or: q })
-  }
-
-  const model = this.app.dobo.getModel(modelName)
-  const hasSiteId = model.hasProperty('siteId')
-  const hasUserId = model.hasProperty('userId')
-  const hasTeamId = model.hasProperty('teamId')
-  const isAdmin = find(get(req, 'user.teams', []), { alias: 'administrator' }) && useAdmin.includes(get(req, 'routeOptions.config.ns'))
-  const q = { $and: [] }
-  queryBySiteSetting(q)
-  queryByTeamSetting(q)
-  if (!isEmpty(filter.query)) {
-    if (filter.query.$and) q.$and.push(...filter.query.$and)
-    else q.$and.push(filter.query)
-  }
-  if (hasSiteId) q.$and.push({ siteId: req.site.id })
-  if (hasTeamId && !isAdmin) {
-    const teamIds = map(req.user.teams, 'id')
-    if (hasUserId) q.$and.push({ $or: [{ teamId: { $in: teamIds } }, { userId: req.user.id }] })
-    else q.$and.push({ teamId: { $in: teamIds } })
-  } else if (!isAdmin) {
-    if (hasUserId) q.$and.push({ userId: req.user.id })
-  }
-  filter.query = q
-}
-
-export async function handler (modelName, filter, options = {}) {
-  const { req } = options
-  if (options.noAutoFilter || !req) return
-  await rebuildFilter.call(this, modelName, filter, req)
-}
-
-const doboBeforeFindRecord = {
-  level: 1000,
-  handler
-}
-
-export default doboBeforeFindRecord

package/extend/bajo/hook/dobo@before-get-record.js

@@ -1,23 +0,0 @@
-import { rebuildFilter } from './dobo@before-find-record.js'
-
-export async function checker (modelName, id, options = {}) {
-  const { req } = options
-
-  const model = this.app.dobo.getModel(modelName)
-  if (options.noAutoFilter || !req) return
-  const filter = {}
-  await rebuildFilter.call(this, modelName, filter, req)
-  if (filter.query.$and) filter.query.$and.push({ id })
-  else filter.query.id = id
-  const row = await model.findOneRecord(filter, { count: false })
-  if (!row) throw this.app.dobo.error('recordNotFound%s%s', id, this.name, { statusCode: 404 })
-}
-
-const doboBeforeGetRecord = {
-  level: 1000,
-  handler: async function (modelName, id, options) {
-    await checker.call(this, modelName, id, options)
-  }
-}
-
-export default doboBeforeGetRecord

package/extend/bajo/hook/dobo@before-remove-record.js

@@ -1,10 +0,0 @@
-import { checker } from './dobo@before-get-record.js'
-
-const doboBeforeRemoveRecord = {
-  level: 1000,
-  handler: async function (modelName, id, options = {}) {
-    await checker.call(this, modelName, id, options.req)
-  }
-}
-
-export default doboBeforeRemoveRecord

package/extend/bajo/hook/dobo@before-update-record.js

@@ -1,10 +0,0 @@
-import { checker } from './dobo@before-get-record.js'
-
-const doboBeforeUpdateRecord = {
-  level: 1000,
-  handler: async function (modelName, id, body, options = {}) {
-    await checker.call(this, modelName, id, options)
-  }
-}
-
-export default doboBeforeUpdateRecord