sumba 2.23.0 → 2.25.0

package/lib/util.js

@@ -56,19 +56,35 @@ export async function checkTheme (req, reply) {
   req.theme = req.theme ?? 'default'
 }
 
-export async function checkTeam (req, reply, source) {
-  if (!req.user) return
+export async function checkTeam (req, reply, route) {
   const { map } = this.app.lib._
+  const { outmatch } = this.app.lib
+  route.teamIds = route.teamIds ?? []
+  if (route.teamIds.length === 0) return
+
+  const teamIds = map(req.user.teams, 'id')
+  const teamAliases = map(req.user.teams, 'alias')
+  if (req.user.isAdmin) return
+  const matchXSite = outmatch(route.path)
+  if (req.routeOptions.config.xSite && matchXSite(req.url) && req.user.isXSiteAdmin) return
+  if (teamAliases.length === 0) throw this.error('accessDenied', { statusCode: 403 })
+
   const paths = pathsToCheck.call(this, req, true)
-  const teams = map(req.user.teams, 'alias')
-  const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '' && item.teams.length > 0)
-  if (allGuards.length === 0) return // no route guarded
-  let match = this.checkPathsByRoute({ paths, method: req.method, teams, guards: allGuards.filter(item => !item.inverse) })
-  if (!match) return // route is NOT protected by team guard
+  const guards = await this.getRouteGuards()
+  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
+  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
+  let match = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => !item.negation) })
   if (match) {
-    const neg = this.checkPathsByRoute({ paths, method: req.method, teams, guards: allGuards.filter(item => item.inverse) })
+    const neg = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => item.negation) })
     if (neg) match = undefined
   }
+  if (!match) {
+    match = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => !item.negation) })
+    if (match) {
+      const neg = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => item.negation) })
+      if (neg) match = undefined
+    }
+  }
   if (!match) throw this.error('accessDenied', { statusCode: 403 })
   // passed
 }
@@ -100,18 +116,38 @@ export async function checkUserId (req, reply, source) {
   }
 
   const paths = pathsToCheck.call(this, req)
-  const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '')
-  if (allGuards.length === 0) return false // no routes protected
-  let securePath = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => !item.anonymous && !item.inverse) })
+  const guards = await this.getRouteGuards()
+  let securePath
+  let anonymousPath
+  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + ''))
+  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + ''))
+  // find anonymousPath
+  anonymousPath = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => item.anonymous && !item.negation) })
+  if (anonymousPath) {
+    const neg = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => item.anonymous && item.negation) })
+    if (neg) anonymousPath = undefined
+  }
+  if (!anonymousPath) {
+    anonymousPath = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => item.anonymous && !item.negation) })
+    if (anonymousPath) {
+      const neg = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => item.anonymous && item.negation) })
+      if (neg) anonymousPath = undefined
+    }
+  }
+  // find securePath
+  securePath = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => !item.anonymous && !item.negation) })
   if (securePath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => !item.anonymous && item.inverse) })
+    const neg = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => !item.anonymous && item.negation) })
     if (neg) securePath = undefined
   }
-  let anonymousPath = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => item.anonymous && !item.inverse) })
-  if (anonymousPath) {
-    const neg = await this.checkPathsByRoute({ paths, method: req.method, guards: allGuards.filter(item => item.anonymous && item.inverse) })
-    if (neg) anonymousPath = undefined
+  if (!securePath) {
+    securePath = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => !item.anonymous && !item.negation) })
+    if (securePath) {
+      const neg = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => !item.anonymous && item.negation) })
+      if (neg) securePath = undefined
+    }
   }
+  // checking...
   if (!securePath && !anonymousPath) {
     if (userId) await setUser()
     return false // regular, unguarded path. Not secure & not anonymous path
@@ -121,9 +157,10 @@ export async function checkUserId (req, reply, source) {
     req.session.ref = req.url
     return reply.redirectTo(routePath(this.config.redirect.signout))
   }
+  if (!(securePath.methods ?? []).includes(req.method)) throw this.error('accessDenied', { statusCode: 403 })
   if (userId) {
     await setUser()
-    return true
+    return securePath
   }
   const silentOnError = this.config.auth[webApp].silentOnError ?? this.config.auth.common.silentOnError
   const payload = silentOnError ? { noContent: true } : undefined
@@ -140,7 +177,7 @@ export async function checkUserId (req, reply, source) {
     }
   }
   if (!success) throw this.error('accessDeniedNoAuth', merge({ statusCode: 403 }, payload))
-  return true
+  return securePath
 }
 
 export async function latLngHook (body, options) {
@@ -157,10 +194,8 @@ export async function latLngHook (body, options) {
  * @param {Object} reply - Reply object
  * @returns
  */
-export async function checkInterSite (req, reply) {
+export async function checkXSite (req, reply) {
   const { get } = this.app.lib._
-  const isinterSite = get(req, 'routeOptions.config.interSite')
-  const isInterSiteAdmin = get(req, 'user.interSiteAdmin')
-  if (!isinterSite) return
-  if (!isInterSiteAdmin) throw this.error('accessDenied', { statusCode: 403 })
+  if (!get(req, 'routeOptions.config.xSite')) return
+  if (!get(req, 'user.isXSiteAdmin')) throw this.error('accessDenied', { statusCode: 403 })
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "2.23.0",
+  "version": "2.25.0",
   "description": "Biz Suite for Bajo Framework",
   "main": "index.js",
   "scripts": {

package/wiki/CHANGES.md

@@ -1,5 +1,18 @@
 # Changes
 
+## 2026-05-22
+
+- [2.25.0] Reorganize admin menu layout & order
+- [2.25.0] Add ```getModelGuards()```
+- [2.25.0] Add ```getAttribGuards()```
+- [2.25.0] Bug fix in ```getRouteGuards()```
+
+## 2026-05-11
+
+- [2.24.0] Complete rewrite of route guards
+- [2.24.0] Add model guards
+- [2.24.0] Add attribute guards
+
 ## 2026-05-11
 
 - [2.23.0] Unify route guards and put it in ```SumbaRouteGuard``` database

package/extend/bajo/hook/dobo.sumba-team-guard@after-action.js

@@ -1,6 +0,0 @@
-async function afterAction (action, ...args) {
-  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-  await this.getTeamGuards(true)
-}
-
-export default afterAction

package/extend/bajo/hook/dobo.sumba-user-guard@after-action.js

@@ -1,6 +0,0 @@
-async function afterAction (action, ...args) {
-  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-  await this.getUserGuards(true)
-}
-
-export default afterAction

package/extend/bajo/hook/dobo@before-find-record.js

@@ -1,63 +0,0 @@
-const useAdmin = ['waibuAdmin']
-
-export async function rebuildFilter (modelName, filter, req) {
-  const { isEmpty, isPlainObject, map, find, get } = this.app.lib._
-  filter.query = filter.query ?? {}
-  if (req.routeOptions.config.interSite) {
-    filter.query = { $and: [filter.query] }
-    return
-  }
-
-  const queryBySiteSetting = (query) => {
-    if (!req.site) return
-    const setting = get(req, `site.setting.dobo.query.${modelName}`)
-    if (isPlainObject(setting) && !isEmpty(setting)) query.$and.push(setting)
-  }
-
-  const queryByTeamSetting = (query) => {
-    if (!req.user) return
-    const q = []
-    for (const team of req.user.teams) {
-      const item = get(team, `setting.dobo.query.${modelName}`)
-      if (item) q.push(item)
-    }
-    if (isEmpty(q)) return
-    if (q.length === 1) query.$and.push(q[0])
-    else query.$and.push({ $or: q })
-  }
-
-  const model = this.app.dobo.getModel(modelName)
-  const hasSiteId = model.hasProperty('siteId')
-  const hasUserId = model.hasProperty('userId')
-  const hasTeamId = model.hasProperty('teamId')
-  const isAdmin = find(get(req, 'user.teams', []), { alias: 'administrator' }) && useAdmin.includes(get(req, 'routeOptions.config.ns'))
-  const q = { $and: [] }
-  queryBySiteSetting(q)
-  queryByTeamSetting(q)
-  if (!isEmpty(filter.query)) {
-    if (filter.query.$and) q.$and.push(...filter.query.$and)
-    else q.$and.push(filter.query)
-  }
-  if (hasSiteId) q.$and.push({ siteId: req.site.id })
-  if (hasTeamId && !isAdmin) {
-    const teamIds = map(req.user.teams, 'id')
-    if (hasUserId) q.$and.push({ $or: [{ teamId: { $in: teamIds } }, { userId: req.user.id }] })
-    else q.$and.push({ teamId: { $in: teamIds } })
-  } else if (!isAdmin) {
-    if (hasUserId) q.$and.push({ userId: req.user.id })
-  }
-  filter.query = q
-}
-
-export async function handler (modelName, filter, options = {}) {
-  const { req } = options
-  if (options.noAutoFilter || !req) return
-  await rebuildFilter.call(this, modelName, filter, req)
-}
-
-const doboBeforeFindRecord = {
-  level: 1000,
-  handler
-}
-
-export default doboBeforeFindRecord

package/extend/bajo/hook/dobo@before-get-record.js

@@ -1,23 +0,0 @@
-import { rebuildFilter } from './dobo@before-find-record.js'
-
-export async function checker (modelName, id, options = {}) {
-  const { req } = options
-
-  const model = this.app.dobo.getModel(modelName)
-  if (options.noAutoFilter || !req) return
-  const filter = {}
-  await rebuildFilter.call(this, modelName, filter, req)
-  if (filter.query.$and) filter.query.$and.push({ id })
-  else filter.query.id = id
-  const row = await model.findOneRecord(filter, { count: false })
-  if (!row) throw this.app.dobo.error('recordNotFound%s%s', id, this.name, { statusCode: 404 })
-}
-
-const doboBeforeGetRecord = {
-  level: 1000,
-  handler: async function (modelName, id, options) {
-    await checker.call(this, modelName, id, options)
-  }
-}
-
-export default doboBeforeGetRecord

package/extend/bajo/hook/dobo@before-remove-record.js

@@ -1,10 +0,0 @@
-import { checker } from './dobo@before-get-record.js'
-
-const doboBeforeRemoveRecord = {
-  level: 1000,
-  handler: async function (modelName, id, options = {}) {
-    await checker.call(this, modelName, id, options.req)
-  }
-}
-
-export default doboBeforeRemoveRecord

package/extend/bajo/hook/dobo@before-update-record.js

@@ -1,10 +0,0 @@
-import { checker } from './dobo@before-get-record.js'
-
-const doboBeforeUpdateRecord = {
-  level: 1000,
-  handler: async function (modelName, id, body, options = {}) {
-    await checker.call(this, modelName, id, options)
-  }
-}
-
-export default doboBeforeUpdateRecord