sumba 2.24.0 → 2.25.1

package/extend/bajo/hook/dobo.sumba-attrib-guard$dobo.sumba-x-attrib-guard@after-transaction.js

@@ -0,0 +1,6 @@
+async function afterTransaction (action, ...args) {
+  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
+  await this.getAttribGuards(true)
+}
+
+export default afterTransaction

package/extend/bajo/hook/dobo.sumba-model-guard$dobo.sumba-x-model-guard@after-transaction.js

@@ -0,0 +1,6 @@
+async function afterTransaction (action, ...args) {
+  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
+  await this.getModelGuards(true)
+}
+
+export default afterTransaction

package/extend/bajo/hook/dobo.sumba-team$dobo.sumba-site@after-transaction.js

@@ -0,0 +1,8 @@
+async function afterTransaction (action, ...args) {
+  if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
+  await this.getRouteGuards(true)
+  await this.getModelGuards(true)
+  await this.getAttribGuards(true)
+}
+
+export default afterTransaction

package/extend/bajo/hook/dobo@before-driver-create-record.js

@@ -4,7 +4,7 @@ const doboBeforeDriverCreateRecord = {
     const { get } = this.app.lib._
     const { isSet } = this.app.lib.aneka
     const { req } = options
-    if (options.noAutoFilter || !req || get(req, 'routeOptions.config.crossSite')) return
+    if (options.noAutoFilter || !req || get(req, 'routeOptions.config.xSite')) return
     const item = { siteId: 'site.id', userId: 'user.id' }
     for (const i in item) {
       const rec = get(req, item[i])

package/extend/bajo/hook/dobo@before-driver-find-all-record.js

@@ -1,13 +1,8 @@
-import { rebuildFilter } from './dobo@before-driver-find-record.js'
+import { handler } from './dobo@before-driver-find-record.js'
 
 const doboBeforeDriverFindAllRecord = {
   level: 1000,
-  handler: async function (model, filter, options) {
-    const { req } = options
-    const { isEmpty } = this.app.lib._
-    if (options.noAutoFilter || !req || isEmpty(req.site)) return
-    await rebuildFilter.call(this, model, filter, options)
-  }
+  handler
 }
 
 export default doboBeforeDriverFindAllRecord

package/extend/bajo/hook/dobo@before-driver-find-record.js

@@ -1,51 +1,69 @@
 async function applyModelGuard ({ model, q, teamIds, options }) {
-  const { isEmpty, get, set, uniq } = this.app.lib._
+  const { get, set, orderBy, intersection, without } = this.app.lib._
+  const { include } = this.app.lib.aneka
   const { req } = options
-  const { getModel } = this.app.dobo
+  const results = []
 
-  const guards = []
-  const query = { status: 'ACTIVE', siteId: req.site.id + '' }
-  const results = await getModel('SumbaModelGuard').findAllRecord({ query }, { noMagic: true, dataOnly: true, noDriverHook: true })
-  const item = {}
-
-  function add (res) {
-    item[res.column].push(...res.value)
+  const guards = await this.getModelGuards()
+  const columns = model.getNonVirtualProperties().map(prop => prop.name)
+  const filterFn = item => {
+    const bySiteId = item.siteIds.includes(req.site.id + '')
+    const byModel = item.models.includes(model.name)
+    const byTeamId = item.teamIds.length === 0 || include(item.teamIds, teamIds)
+    const byColumn = columns.includes(item.column)
+    return bySiteId && byModel && byTeamId && byColumn
   }
 
-  for (const res of results) {
-    res.teamIds = res.teamIds ?? []
-    if (!(res.models ?? []).includes(model.name) || isEmpty(res.value)) continue
-    item[res.column] = item[res.column] ?? []
-    if (teamIds.length > 0) {
-      for (const id of res.teamIds) {
-        if (teamIds.includes(id)) add(res)
-      }
+  guards.global = orderBy(guards.global.filter(filterFn), ['column'])
+  guards.local = orderBy(guards.local.filter(filterFn), ['column'])
+  for (const col of columns) {
+    let values = []
+    let items = guards.global.filter(item => item.column === col && !item.negation)
+    for (const item of items) {
+      values.push(...item.value)
     }
-  }
-  for (const key in item) {
-    item[key] = uniq(item[key])
-    if (item[key].length === 0) continue
-    guards.push(set({}, key, { $in: item[key] }))
+    items = guards.global.filter(item => item.column === col && item.negation)
+    for (const item of items) {
+      values = without(values, ...item.value)
+    }
+    items = guards.local.filter(item => item.column === col && !item.negation)
+    const newValues = []
+    for (const item of items) {
+      newValues.push(...item.value)
+    }
+    if (newValues.length > 0) values = intersection(values, newValues)
+    items = guards.local.filter(item => item.column === col && item.negation)
+    for (const item of items) {
+      values = without(values, ...item.value)
+    }
+    if (values.length) results.push(set({}, col, { $in: values }))
   }
 
   const allowEmpty = get(this, `config.dobo.model.${model.name}.allowEmptyQuery`, true)
-  if (guards.length === 0 && !allowEmpty) throw this.error('_emptyColumnQuery') // signal driver to about with no result immediately
-  q.$and.push(...guards)
+  if (results.length === 0 && !allowEmpty) throw this.error('_emptyColumnQuery') // signal driver to about with no result immediately
+  q.$and.push(...results)
 }
 
 export async function applyAttribGuard ({ model, teamIds, options }) {
-  const { getModel } = this.app.dobo
   const { uniq } = this.app.lib._
+  const { include } = this.app.lib.aneka
   const { req } = options
+  const results = []
 
-  const query = { status: 'ACTIVE', siteId: req.site.id + '' }
-  const results = await getModel('SumbaAttribGuard').findAllRecord({ query }, { noMagic: true, dataOnly: true, noDriverHook: true })
-  const result = results.find(item => (item.models ?? []).includes(model.name))
-  if (!result) return
-  options.hidden = options.hidden ?? []
-  for (const id of result.teamIds ?? []) {
-    if (teamIds.includes(id)) options.hidden.push(...(result.hiddenCols ?? []))
+  const guards = await this.getAttribGuards()
+  const filterFn = item => {
+    const bySiteId = item.siteIds.includes(req.site.id + '')
+    const byModel = item.models.includes(model.name)
+    const byTeamId = item.teamIds.length === 0 || include(item.teamIds, teamIds)
+    return bySiteId && byModel && byTeamId
   }
+
+  let item = guards.global.filter(filterFn)[0]
+  if (item) results.push(...item.hiddenCols)
+  item = guards.local.filter(filterFn)[0]
+  if (item) results.push(...item.hiddenCols)
+  options.hidden = options.hidden ?? []
+  if (results.length > 0) options.hidden.push(...results)
   options.hidden = uniq(options.hidden)
 }
 
@@ -65,17 +83,35 @@ export async function rebuildFilter (model, filter = {}, options = {}) {
     if (filter.query.$and) q.$and.push(...filter.query.$and)
     else q.$and.push(filter.query)
   }
-  if (req.routeOptions.config.crossSite) return
+  if (req.routeOptions.config.xSite) return
   if (hasSiteId) q.$and.push({ siteId: req.site.id + '' })
   if (aliases.includes('administrator')) {
     filter.query = q
     return
   }
+  if (!req.user) {
+    filter.query = q
+    return
+  }
+
+  const condUserId = {
+    $or: [
+      { userId: req.user.id + '' },
+      { userId: { $eq: null } }
+    ]
+  }
+
+  const condTeamId = {
+    $or: [
+      { teamId: { $in: teamIds } },
+      { teamId: { $eq: null } }
+    ]
+  }
 
   if (hasTeamId) {
-    if (hasUserId) q.$and.push({ $or: [{ teamId: { $in: teamIds } }, { userId: req.user.id + '' }] })
-    else q.$and.push({ teamId: { $in: teamIds } })
-  } else if (hasUserId) q.$and.push({ userId: req.user.id + '' })
+    if (hasUserId) q.$and.push({ $or: [condTeamId, condUserId] })
+    else q.$and.push(condTeamId)
+  } else if (hasUserId) q.$and.push(condUserId)
 
   await applyModelGuard.call(this, { model, q, teamIds, options })
   await applyAttribGuard.call(this, { model, teamIds, options })
@@ -84,7 +120,8 @@ export async function rebuildFilter (model, filter = {}, options = {}) {
 
 export async function handler (model, filter, options = {}) {
   const { isEmpty } = this.app.lib._
-  if (options.noAutoFilter || !options.req || isEmpty((options.req ?? {}).site)) return
+  const { req = {} } = options
+  if (options.noAutoFilter || isEmpty(req) || isEmpty(req.site)) return
   await rebuildFilter.call(this, model, filter, options)
 }
 

package/extend/bajo/hook/dobo@before-driver-get-record.js

@@ -1,9 +1,10 @@
 import { rebuildFilter } from './dobo@before-driver-find-record.js'
 
 export async function checker (model, id, options = {}) {
-  const { req } = options
+  const { isEmpty } = this.app.lib._
+  const { req = {} } = options
+  if (options.noAutoFilter || isEmpty(req) || isEmpty(req.site)) return
 
-  if (options.noAutoFilter || !req) return
   const filter = {}
   await rebuildFilter.call(this, model, filter, options)
   if (filter.query.$and) filter.query.$and.push({ id })

package/extend/bajo/hook/waibu-mpa@pre-parsing.js

@@ -1,4 +1,4 @@
-import { checkUserId, checkTeam, checkTheme, checkIconset, checkCrossSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkTheme, checkIconset, checkXSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
@@ -8,7 +8,7 @@ const preParsing = {
     const secure = await checkUserId.call(this, req, reply, 'waibuMpa')
     if (!secure) return
     await checkTeam.call(this, req, reply, secure)
-    await checkCrossSite.call(this, req, reply)
+    await checkXSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/hook/waibu-rest-api@pre-parsing.js

@@ -1,4 +1,4 @@
-import { checkUserId, checkTeam, checkCrossSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkXSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
@@ -6,7 +6,7 @@ const preParsing = {
     const secure = await checkUserId.call(this, req, reply, 'waibuRestApi')
     if (!secure) return
     await checkTeam.call(this, req, reply, secure)
-    await checkCrossSite.call(this, req, reply)
+    await checkXSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/hook/waibu-static@pre-parsing.js

@@ -1,4 +1,4 @@
-import { checkUserId, checkTeam, checkCrossSite } from '../../../lib/util.js'
+import { checkUserId, checkTeam, checkXSite } from '../../../lib/util.js'
 
 const preParsing = {
   level: 10,
@@ -6,7 +6,7 @@ const preParsing = {
     const secure = await checkUserId.call(this, req, reply, 'waibuStatic')
     if (!secure) return
     await checkTeam.call(this, req, reply, secure)
-    await checkCrossSite.call(this, req, reply)
+    await checkXSite.call(this, req, reply)
   }
 }
 

package/extend/bajo/hook/waibu@after-app-boot.js

@@ -1,5 +1,7 @@
 async function afterAppBoot () {
   await this.getRouteGuards(true)
+  await this.getModelGuards(true)
+  await this.getAttribGuards(true)
 }
 
 export default afterAppBoot

package/extend/bajo/intl/en-US.json

@@ -132,9 +132,14 @@
   "statusClosed": "Closed",
   "allSites": "All Sites",
   "permission": "Permission",
-  "routeGuard": "Route",
-  "modelGuard": "Model",
-  "attribGuard": "Attribute",
+  "routeGuard": "Route Guard",
+  "modelGuard": "Model Guard",
+  "attribGuard": "Attribute Guard",
+  "xRouteGuard": "Route Guard",
+  "xModelGuard": "Model Guard",
+  "xAttribGuard": "Attribute Guard",
+  "xSite": "Cross-Site",
+  "xSiteAdminArea": "Cross-Site Admin Area",
   "field": {
     "currentPassword": "Current Password",
     "newPassword": "New Password",
@@ -160,13 +165,14 @@
     "value": "Value",
     "notes": "Notes",
     "path": "Path",
-    "inverse": "Inverse?",
+    "negation": "Negation?",
     "anonymous": "Anonymous?",
     "methods": "Methods",
     "teamIds": "Teams",
     "column": "Column",
     "hiddenCols": "Hidden Columns",
-    "models": "Models"
+    "models": "Models",
+    "siteIds": "Sites"
   },
   "validation": {
     "password": {

package/extend/bajo/intl/id.json

@@ -138,9 +138,14 @@
   "statusClosed": "Tertutup",
   "allSites": "Semua Situs",
   "permission": "Permisi",
-  "routeGuard": "Rute",
-  "modelGuard": "Model",
-  "attribGuard": "Atribut",
+  "routeGuard": "Pelindung Rute",
+  "modelGuard": "Pelindung Model",
+  "attribGuard": "Pelindung Atribut",
+  "xRouteGuard": "Pelindung Rute",
+  "xModelGuard": "Pelindung Model",
+  "xAttribGuard": "Pelindung Atribut",
+  "xSite": "Antar Situs",
+  "xSiteAdminArea": "Area Admin Antar Situs",
   "field": {
     "currentPassword": "Kata Sandi Saat Ini",
     "newPassword": "Kata Sandi Baru",
@@ -166,13 +171,14 @@
     "value": "Nilai",
     "notes": "Catatan",
     "path": "Jejak",
-    "inverse": "Inverse?",
+    "negation": "Negation?",
     "anonymous": "Anonim?",
     "methods": "Metode",
     "teamIds": "Tim",
     "column": "Kolom",
-    "hideCols": "Sembunyikan Kolom",
-    "models": "Model"
+    "hiddenCols": "Kolom Tersembunyi",
+    "models": "Model",
+    "siteIds": "Situs"
   },
   "validation": {
     "password": {

package/extend/dobo/feature/site-ids.js

@@ -0,0 +1,19 @@
+async function siteIds (opts = {}) {
+  return {
+    properties: [{
+      name: 'siteIds',
+      type: 'array',
+      default: [],
+      ref: {
+        siteIds: {
+          model: 'SumbaSite',
+          field: 'id',
+          searchField: 'hostname',
+          fields: ['id', 'hostname']
+        }
+      }
+    }]
+  }
+}
+
+export default siteIds

package/extend/dobo/feature/team-ids.js

@@ -11,8 +11,7 @@ async function teamIds (opts = {}) {
           searchField: 'name',
           fields: ['id', 'alias', 'name']
         }
-      },
-      index: true
+      }
     }]
   }
 }

package/extend/dobo/fixture/team-user.json

@@ -1,6 +1,6 @@
 [{
-  "userId": "?:SumbaUser::username:admin",
-  "teamId": "?:SumbaTeam::alias:administrator",
   "siteId": "?:SumbaSite::alias:default",
+  "userId": "?:SumbaUser::username:admin+siteId={siteId}",
+  "teamId": "?:SumbaTeam::alias:administrator+siteId={siteId}",
   "_immutable": true
 }]

package/extend/dobo/fixture/{route-guard.js → x-route-guard.js}

@@ -16,8 +16,6 @@ async function routeGuard () {
     return {
       path: anonymous ? r.slice(1) : r,
       anonymous,
-      _immutable: true,
-      siteId: '?:SumbaSite::alias:default',
       status: 'ACTIVE'
     }
   })

package/extend/dobo/model/attrib-guard.js

@@ -1,35 +1,31 @@
+import { buildEnd, options } from './model-guard.js'
+
+export const properties = [
+  {
+    name: 'models',
+    type: 'array',
+    required: true
+  },
+  'hiddenCols,array',
+  'siteId,sumba:siteId',
+  'teamIds,sumba:teamIds'
+]
+
+export const features = [
+  {
+    name: 'sumba:status',
+    values: ['ACTIVE', 'INACTIVE'],
+    default: 'ACTIVE'
+  },
+  'dobo:updatedAt'
+]
+
 async function routeGuard () {
   return {
-    properties: [
-      {
-        name: 'models',
-        type: 'array',
-        required: true
-      },
-      'hiddenCols,array',
-      'teamIds,sumba:teamIds'
-    ],
-    indexes: [{
-      type: 'unique',
-      fields: ['models', 'siteId']
-    }],
-    features: [
-      {
-        name: 'sumba:status',
-        values: ['ACTIVE', 'INACTIVE'],
-        default: 'ACTIVE'
-      },
-      'dobo:immutable',
-      'dobo:updatedAt',
-      'sumba:siteId'
-    ],
-    options: {
-      attachment: false
-    },
-    buildEnd: async function (model) {
-      const prop = model.properties.find(prop => prop.name === 'models')
-      prop.values = this.app.dobo.models.map(model => model.name).sort().map(item => ({ value: item, text: item }))
-    }
+    properties,
+    features,
+    options,
+    buildEnd
   }
 }
 

package/extend/dobo/model/model-guard.js

@@ -1,36 +1,47 @@
+export async function buildEnd (model) {
+  const prop = model.properties.find(prop => prop.name === 'models')
+  if (prop) prop.values = this.app.sumba.getModelNames(true)
+}
+
+export const properties = [
+  {
+    name: 'models',
+    type: 'array',
+    required: true
+  },
+  'column,,50,true,true',
+  {
+    name: 'negation',
+    type: 'boolean',
+    required: true,
+    default: false
+  },
+  {
+    name: 'status',
+    type: 'sumba:status',
+    values: ['ACTIVE', 'INACTIVE'],
+    default: 'ACTIVE'
+  },
+  'value,array,,,true',
+  'siteId,sumba:siteId',
+  'teamIds,sumba:teamIds'
+]
+
+export const options = {
+  attachment: false,
+  cache: { ttlDur: 0 }
+}
+
+export const features = [
+  'dobo:updatedAt'
+]
+
 async function routeGuard () {
   return {
-    properties: [
-      {
-        name: 'models',
-        type: 'array',
-        required: true
-      },
-      'column,,50,true,true',
-      'value,array',
-      'teamIds,sumba:teamIds'
-    ],
-    indexes: [{
-      type: 'unique',
-      fields: ['models', 'column', 'siteId']
-    }],
-    features: [
-      {
-        name: 'sumba:status',
-        values: ['ACTIVE', 'INACTIVE'],
-        default: 'ACTIVE'
-      },
-      'dobo:immutable',
-      'dobo:updatedAt',
-      'sumba:siteId'
-    ],
-    options: {
-      attachment: false
-    },
-    buildEnd: async function (model) {
-      const prop = model.properties.find(prop => prop.name === 'models')
-      prop.values = this.app.dobo.models.map(model => model.name).sort().map(item => ({ value: item, text: item }))
-    }
+    properties,
+    features,
+    options,
+    buildEnd
   }
 }
 

package/extend/dobo/model/route-guard.js

@@ -1,44 +1,47 @@
+import { options } from './model-guard.js'
+
+export const properties = [
+  'path,,255,true,true',
+  {
+    name: 'methods',
+    type: 'array',
+    required: true,
+    default: ['GET', 'POST', 'UPDATE', 'DELETE'],
+    values: ['GET', 'POST', 'UPDATE', 'DELETE']
+  },
+  {
+    name: 'weight',
+    type: 'smallint',
+    default: 0
+  }, {
+    name: 'negation',
+    type: 'boolean',
+    required: true,
+    default: false
+  }, {
+    name: 'anonymous',
+    type: 'boolean',
+    required: true,
+    default: false
+  },
+  'siteId,sumba:siteId',
+  'teamIds,sumba:teamIds'
+]
+
+export const features = [
+  {
+    name: 'sumba:status',
+    values: ['ACTIVE', 'INACTIVE'],
+    default: 'ACTIVE'
+  },
+  'dobo:updatedAt'
+]
+
 async function routeGuard () {
   return {
-    properties: [
-      'path,,255,true,true',
-      {
-        name: 'methods',
-        type: 'array',
-        required: true,
-        default: ['GET', 'POST', 'UPDATE', 'DELETE'],
-        values: ['GET', 'POST', 'UPDATE', 'DELETE']
-      },
-      'teamIds,sumba:teamIds',
-      {
-        name: 'weight',
-        type: 'smallint',
-        default: 0
-      }, {
-        name: 'inverse',
-        type: 'boolean',
-        required: true,
-        default: false
-      }, {
-        name: 'anonymous',
-        type: 'boolean',
-        required: true,
-        default: false
-      }
-    ],
-    features: [
-      {
-        name: 'sumba:status',
-        values: ['ACTIVE', 'INACTIVE'],
-        default: 'ACTIVE'
-      },
-      'dobo:immutable',
-      'dobo:updatedAt',
-      'sumba:siteId'
-    ],
-    options: {
-      attachment: false
-    }
+    properties,
+    features,
+    options
   }
 }
 

package/extend/dobo/model/team-user.json

@@ -8,9 +8,9 @@
   "features": [
     "dobo:createdAt",
     "dobo:updatedAt",
-    "sumba:teamId",
     "sumba:siteId",
     "sumba:userId",
+    "sumba:teamId",
     "dobo:immutable"
   ]
 }

package/extend/dobo/model/x-attrib-guard.js

@@ -0,0 +1,14 @@
+import { properties, features } from './attrib-guard.js'
+import { options, buildEnd } from './model-guard.js'
+
+async function routeGuard () {
+  const { isString } = this.app.lib._
+  return {
+    properties: properties.filter(prop => !isString(prop) || (isString(prop) && !prop.startsWith('teamIds'))),
+    features: features.filter(feat => !isString(feat) || (isString(feat) && !['sumba:siteId', 'dobo:updatedAt'].includes(feat))).concat('sumba:siteIds', 'dobo:updatedAt'),
+    options,
+    buildEnd
+  }
+}
+
+export default routeGuard

package/extend/dobo/model/x-model-guard.js

@@ -0,0 +1,13 @@
+import { buildEnd, properties, features, options } from './model-guard.js'
+
+async function xModelGuard () {
+  const { isString } = this.app.lib._
+  return {
+    properties: properties.filter(prop => !isString(prop) || (isString(prop) && !prop.startsWith('teamIds'))),
+    features: features.filter(feat => !isString(feat) || (isString(feat) && !['sumba:siteId', 'dobo:updatedAt'].includes(feat))).concat('sumba:siteIds', 'dobo:updatedAt'),
+    options,
+    buildEnd
+  }
+}
+
+export default xModelGuard

package/extend/dobo/model/x-route-guard.js

@@ -0,0 +1,13 @@
+import { properties, features } from './route-guard.js'
+import { options } from './model-guard.js'
+
+async function xRouteGuard () {
+  const { isString } = this.app.lib._
+  return {
+    properties: properties.filter(prop => !isString(prop) || (isString(prop) && !prop.startsWith('teamIds'))),
+    features: features.filter(feat => !isString(feat) || (isString(feat) && !['sumba:siteId', 'dobo:updatedAt'].includes(feat))).concat('sumba:siteIds', 'dobo:updatedAt'),
+    options
+  }
+}
+
+export default xRouteGuard

package/extend/waibuDb/schema/x-attrib-guard.js

@@ -0,0 +1,15 @@
+async function xAttribGuard () {
+  return {
+    common: {
+      widget: {
+        siteIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default xAttribGuard

package/extend/waibuDb/schema/x-model-guard.js

@@ -0,0 +1,15 @@
+async function xModelGuard () {
+  return {
+    common: {
+      widget: {
+        siteIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default xModelGuard

package/extend/waibuDb/schema/x-route-guard.js

@@ -0,0 +1,15 @@
+async function xRouteGuard () {
+  return {
+    common: {
+      widget: {
+        siteIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default xRouteGuard

package/extend/waibuMpa/extend/waibuAdmin/route/x/attrib-guard/@action.js

@@ -0,0 +1,12 @@
+const action = {
+  method: ['GET', 'POST'],
+  title: 'xAttribGuard',
+  xSite: true,
+  handler: async function (req, reply) {
+    const { importModule } = this.app.bajo
+    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
+    return await crudSkel.call(this, 'SumbaXAttribGuard', req, reply)
+  }
+}
+
+export default action

package/extend/waibuMpa/extend/waibuAdmin/route/{cache → x/cache}/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'cacheStorage',
-  crossSite: true,
+  xSite: true,
   handler: async function (req, reply) {
     if (!this.app.bajoCache) throw this.error('_notFound')
     const { importModule } = this.app.bajo

package/extend/waibuMpa/extend/waibuAdmin/route/x/model-guard/@action.js

@@ -0,0 +1,12 @@
+const action = {
+  method: ['GET', 'POST'],
+  title: 'xModelGuard',
+  xSite: true,
+  handler: async function (req, reply) {
+    const { importModule } = this.app.bajo
+    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
+    return await crudSkel.call(this, 'SumbaXModelGuard', req, reply)
+  }
+}
+
+export default action

package/extend/waibuMpa/extend/waibuAdmin/route/x/route-guard/@action.js

@@ -0,0 +1,12 @@
+const action = {
+  method: ['GET', 'POST'],
+  title: 'xRouteGuard',
+  xSite: true,
+  handler: async function (req, reply) {
+    const { importModule } = this.app.bajo
+    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
+    return await crudSkel.call(this, 'SumbaXRouteGuard', req, reply)
+  }
+}
+
+export default action

package/extend/waibuMpa/extend/waibuAdmin/route/{session → x/session}/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'userSession',
-  crossSite: true,
+  xSite: true,
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')

package/extend/waibuMpa/extend/waibuAdmin/route/{all-sites → x/site}/@action.js

@@ -1,7 +1,7 @@
 const action = {
   method: ['GET', 'POST'],
   title: 'manageAllSite',
-  crossSite: true,
+  xSite: true,
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')

package/index.js

@@ -20,7 +20,7 @@ const defMultiSite = {
 async function factory (pkgName) {
   const me = this
   const { getModel } = this.app.dobo
-  const { cloneDeep } = this.app.lib._
+  const { cloneDeep, uniq, isEmpty } = this.app.lib._
 
   /**
    * Sumba class
@@ -32,7 +32,7 @@ async function factory (pkgName) {
       super(pkgName, me.app)
       this.config = {
         multiSite: cloneDeep(defMultiSite),
-        crossSiteAdmins: [],
+        xSiteAdmins: [], // format: "<siteAlias>:<username>"
         waibu: {
           title: 'site',
           prefix: 'site'
@@ -155,6 +155,10 @@ async function factory (pkgName) {
           getUserByTokenDur: '1m'
         }
       }
+      this.routeGuards = { local: [], global: [] }
+      this.modelGuards = { local: [], global: [] }
+      this.attribGuards = { local: [], global: [] }
+
       this.unsafeUserFields = ['password']
       this.selfBind(['createNewSite', 'removeSite', 'getSite', 'getUserById', 'getUserByToken', 'getUserByUsernamePassword'])
     }
@@ -171,10 +175,10 @@ async function factory (pkgName) {
 
     start = async () => {
       const { getModel } = this.app.dobo
-      if (this.config.crossSiteAdmins.length === 0) {
+      if (this.config.xSiteAdmins.length === 0) {
         const site = await getModel('SumbaSite').findOneRecord({ query: { alias: 'default' } }, { noMagic: true })
         const user = await getModel('SumbaUser').findOneRecord({ query: { username: 'admin', siteId: site.id } }, { noMagic: true })
-        this.config.crossSiteAdmins.push(user.id)
+        this.config.xSiteAdmins.push(`${site.alias}:${user.username}`)
       }
     }
 
@@ -205,52 +209,60 @@ async function factory (pkgName) {
       if (!this.app.waibuAdmin) return
       const { getPluginPrefix } = this.app.waibu
       const prefix = getPluginPrefix(this.ns)
+      const params = { action: 'list' }
       const items = [{
+        title: 'xSite',
+        children: [
+          { title: 'allSites', href: `waibuAdmin:/${prefix}/x/site/:action`, params },
+          { title: 'xRouteGuard', href: `waibuAdmin:/${prefix}/x/route-guard/:action`, params },
+          { title: 'xModelGuard', href: `waibuAdmin:/${prefix}/x/model-guard/:action`, params },
+          { title: 'xAttribGuard', href: `waibuAdmin:/${prefix}/x/attrib-guard/:action`, params },
+          { title: 'userSession', href: `waibuAdmin:/${prefix}/x/session/:action`, params }
+        ]
+      }, {
         title: 'manageSite',
         children: [
           { title: 'siteProfile', href: `waibuAdmin:/${prefix}/site` },
-          { title: 'siteSetting', href: `waibuAdmin:/${prefix}/site-setting/list` },
-          { title: 'allSites', href: `waibuAdmin:/${prefix}/all-sites/list` }
+          { title: 'siteSetting', href: `waibuAdmin:/${prefix}/site-setting/:action`, params }
         ]
       }, {
         title: 'manageUser',
         children: [
-          { title: 'userProfile', href: `waibuAdmin:/${prefix}/user/list` },
-          { title: 'userSetting', href: `waibuAdmin:/${prefix}/user-setting/list` },
+          { title: 'userProfile', href: `waibuAdmin:/${prefix}/user/:action`, params },
+          { title: 'userSetting', href: `waibuAdmin:/${prefix}/user-setting/:action`, params },
           { title: 'resetUserPassword', href: `waibuAdmin:/${prefix}/reset-user-password` }
         ]
       }, {
         title: 'manageTeam',
         children: [
-          { title: 'teamProfile', href: `waibuAdmin:/${prefix}/team/list` },
-          { title: 'teamUser', href: `waibuAdmin:/${prefix}/team-user/list` },
-          { title: 'teamSetting', href: `waibuAdmin:/${prefix}/team-setting/list` }
+          { title: 'teamProfile', href: `waibuAdmin:/${prefix}/team/:action`, params },
+          { title: 'teamUser', href: `waibuAdmin:/${prefix}/team-user/:action`, params },
+          { title: 'teamSetting', href: `waibuAdmin:/${prefix}/team-setting/:action`, params }
         ]
       }, {
         title: 'permission',
         children: [
-          { title: 'routeGuard', href: `waibuAdmin:/${prefix}/route-guard/list` },
-          { title: 'modelGuard', href: `waibuAdmin:/${prefix}/model-guard/list` },
-          { title: 'attribGuard', href: `waibuAdmin:/${prefix}/attrib-guard/list` }
+          { title: 'routeGuard', href: `waibuAdmin:/${prefix}/route-guard/:action`, params },
+          { title: 'modelGuard', href: `waibuAdmin:/${prefix}/model-guard/:action`, params },
+          { title: 'attribGuard', href: `waibuAdmin:/${prefix}/attrib-guard/:action`, params }
         ]
       }, {
         title: 'supportSystem',
         children: [
-          { title: 'contactForm', href: `waibuAdmin:/${prefix}/contact-form/list` },
-          { title: 'contactFormCat', href: `waibuAdmin:/${prefix}/contact-form-cat/list` },
-          { title: 'ticket', href: `waibuAdmin:/${prefix}/ticket/list` },
-          { title: 'ticketCat', href: `waibuAdmin:/${prefix}/ticket-cat/list` }
+          { title: 'contactForm', href: `waibuAdmin:/${prefix}/contact-form/:action`, params },
+          { title: 'contactFormCat', href: `waibuAdmin:/${prefix}/contact-form-cat/:action`, params },
+          { title: 'ticket', href: `waibuAdmin:/${prefix}/ticket/:action`, params },
+          { title: 'ticketCat', href: `waibuAdmin:/${prefix}/ticket-cat/:action`, params }
         ]
       }, {
         title: 'misc',
         children: [
-          { title: 'manageDownload', href: `waibuAdmin:/${prefix}/download/list` },
-          { title: 'userSession', href: `waibuAdmin:/${prefix}/session/list` }
+          { title: 'manageDownload', href: `waibuAdmin:/${prefix}/download/:action`, params }
         ]
       }]
       if (this.app.bajoCache) {
-        const item = items.find(i => i.title === 'misc')
-        if (item) item.children.push({ title: 'cacheStorage', href: `waibuAdmin:/${prefix}/cache/list` })
+        const item = items.find(i => i.title === 'xSite')
+        item.children.push({ title: 'cacheStorage', href: `waibuAdmin:/${prefix}/x/cache/:action`, params })
       }
       return items
     }
@@ -531,25 +543,89 @@ async function factory (pkgName) {
       return await hash(item, this.config.auth.common.apiKey.algo)
     }
 
-    getRouteGuards = async (reread) => {
+    _fetchGuards = async (type = 'Route') => {
       const { getModel } = this.app.dobo
+      const options = { noMagic: true, noCache: true, noDriverHook: true, dataOnly: true }
+      const filter = { query: { status: 'ACTIVE' } }
+      return {
+        global: await getModel(`SumbaX${type}Guard`).findAllRecord(filter, options),
+        local: await getModel(`Sumba${type}Guard`).findAllRecord(filter, options),
+        siteIds: (await getModel('SumbaSite').findAllRecord(filter.options)).map(item => item.id + '')
+      }
+    }
+
+    getRouteGuards = async (reread) => {
       const { routePath } = this.app.waibu
-      const { map, orderBy } = this.app.lib._
+      const { orderBy } = this.app.lib._
+      const { isSet } = this.app.lib.aneka
       if (!reread) return this.routeGuards
-      const model = getModel('SumbaRouteGuard')
-      let results = await model.findAllRecord({ query: { status: 'ACTIVE' } }, { noMagic: true, noCache: true, noDriverHook: true, dataOnly: true })
-      results = results.map(item => {
-        item.teamIds = item.teamIds ?? []
-        item.methods = item.methods ?? []
-        return item
-      })
-      this.routeGuards = orderBy(map(results, item => {
-        item.path = routePath(item.path)
-        return item
-      }), ['weight', 'path'])
+
+      const result = await this._fetchGuards('Route')
+      for (const type of ['global', 'local']) {
+        result[type] = result[type].map(item => {
+          item.siteIds = item.siteIds ?? []
+          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
+          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
+          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
+          item.methods = item.methods ?? []
+          delete item.siteId
+          return item
+        })
+        this.routeGuards[type] = orderBy(result[type].filter(item => {
+          try {
+            item.path = routePath(item.path)
+            return true
+          } catch (err) {
+            return false
+          }
+        }), ['weight', 'path'], ['desc', 'asc'])
+      }
       return this.routeGuards
     }
 
+    getModelGuards = async (reread) => {
+      const { isSet } = this.app.lib.aneka
+      if (!reread) return this.modelGuards
+
+      const result = await this._fetchGuards('Model')
+      for (const type of ['global', 'local']) {
+        this.modelGuards[type] = result[type].filter(item => (!isEmpty(item.value)) && (!isEmpty(item.models))).map(item => {
+          item.siteIds = item.siteIds ?? []
+          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
+          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
+          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
+          delete item.siteId
+          return item
+        })
+      }
+      return this.modelGuards
+    }
+
+    getAttribGuards = async (reread) => {
+      const { isSet } = this.app.lib.aneka
+      if (!reread) return this.attribGuards
+
+      const result = await this._fetchGuards('Attrib')
+      for (const type of ['global', 'local']) {
+        this.attribGuards[type] = result[type].map(item => {
+          item.siteIds = item.siteIds ?? []
+          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
+          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
+          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
+          item.models = item.models ?? []
+          item.hiddenCols = item.hiddenCols ?? []
+          delete item.siteId
+          return item
+        })
+      }
+      return this.attribGuards
+    }
+
+    getModelNames = (asValue) => {
+      const values = this.app.dobo.models.map(item => item.name).sort()
+      return asValue ? values.map(item => ({ value: item, text: item })) : values
+    }
+
     createNewSite = createNewSite
     removeSite = removeSite
     getSite = getSite

package/lib/get-user.js

@@ -1,9 +1,8 @@
 import { parseNsSettings } from './util.js'
 
-export async function mergeTeam (user) {
+export async function mergeTeam (user, req) {
   const { map, pick } = this.app.lib._
   const { getModel } = this.app.dobo
-  user.crossSiteAdmin = this.config.crossSiteAdmins.includes(user.id)
   user.teams = []
   const query = { userId: user.id, siteId: user.siteId }
   let mdl = getModel('SumbaTeamUser')
@@ -31,6 +30,8 @@ export async function mergeTeam (user) {
       user.teams.push(item)
     }
   }
+  user.isXSiteAdmin = this.config.xSiteAdmins.includes(`${req.site.alias}:${user.username}`)
+  user.isAdmin = user.teams.some(t => t.alias === 'administrator')
   for (const field of this.unsafeUserFields) {
     delete user[field]
   }
@@ -47,7 +48,7 @@ export async function getUserById (id, req) {
   }
   user = await getModel('SumbaUser').getRecord(id, { noHook: true, noDriverHook: true, throwNotFound: false, req })
   if (!user) return
-  await mergeTeam.call(this, user)
+  await mergeTeam.call(this, user, req)
   if (setCache) {
     await setCache({ key, value: JSON.stringify(user), ttl: this.config.cacheTtl.getUserByIdDur })
   }
@@ -65,7 +66,7 @@ export async function getUserByToken (token, req) {
   }
   user = await getModel('SumbaUser').findOneRecord({ query: { token } }, { noHook: true, noDriverHook: true, throwNotFound: false, req })
   if (!user) return
-  await mergeTeam.call(this, user)
+  await mergeTeam.call(this, user, req)
   if (setCache) {
     await setCache({ key, value: JSON.stringify(user), ttl: this.config.cacheTtl.getUserByTokenDur })
   }
@@ -85,6 +86,6 @@ export async function getUserByUsernamePassword (username = '', password = '', r
   if (user.status !== 'ACTIVE') throw this.error('validationError', { details: ['User is inactive or temporarily disabled'], statusCode: 401 })
   const verified = await bcrypt.compare(password, user.password)
   if (!verified) throw this.error('validationError', { details: [{ field: 'password', error: 'invalidPassword' }], statusCode: 401 })
-  await mergeTeam.call(this, user)
+  await mergeTeam.call(this, user, req)
   return user
 }

package/lib/util.js

@@ -58,21 +58,33 @@ export async function checkTheme (req, reply) {
 
 export async function checkTeam (req, reply, route) {
   const { map } = this.app.lib._
-  route.teams = route.teams ?? []
-  if (route.teams.length === 0) return
+  const { outmatch } = this.app.lib
+  route.teamIds = route.teamIds ?? []
+  if (route.teamIds.length === 0) return
 
-  const teams = map(req.user.teams, 'alias')
-  if (teams.includes('administrator')) return
-  if (teams.length === 0) throw this.error('accessDenied', { statusCode: 403 })
+  const teamIds = map(req.user.teams, 'id')
+  const teamAliases = map(req.user.teams, 'alias')
+  if (req.user.isAdmin) return
+  const matchXSite = outmatch(route.path)
+  if (req.routeOptions.config.xSite && matchXSite(req.url) && req.user.isXSiteAdmin) return
+  if (teamAliases.length === 0) throw this.error('accessDenied', { statusCode: 403 })
 
   const paths = pathsToCheck.call(this, req, true)
-  const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '' && item.teams.length > 0)
-  if (allGuards.length === 0) return // no route to be team guarded
-  let match = this.checkPathsByRoute({ paths, teams, guards: allGuards.filter(item => !item.inverse) })
+  const guards = await this.getRouteGuards()
+  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
+  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
+  let match = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => !item.negation) })
   if (match) {
-    const neg = this.checkPathsByRoute({ paths, teams, guards: allGuards.filter(item => item.inverse) })
+    const neg = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => item.negation) })
     if (neg) match = undefined
   }
+  if (!match) {
+    match = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => !item.negation) })
+    if (match) {
+      const neg = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => item.negation) })
+      if (neg) match = undefined
+    }
+  }
   if (!match) throw this.error('accessDenied', { statusCode: 403 })
   // passed
 }
@@ -104,18 +116,38 @@ export async function checkUserId (req, reply, source) {
   }
 
   const paths = pathsToCheck.call(this, req)
-  const allGuards = (await this.getRouteGuards()).filter(item => item.siteId === req.site.id + '')
-  if (allGuards.length === 0) return false // no routes protected
-  let securePath = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => !item.anonymous && !item.inverse) })
+  const guards = await this.getRouteGuards()
+  let securePath
+  let anonymousPath
+  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + ''))
+  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + ''))
+  // find anonymousPath
+  anonymousPath = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => item.anonymous && !item.negation) })
+  if (anonymousPath) {
+    const neg = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => item.anonymous && item.negation) })
+    if (neg) anonymousPath = undefined
+  }
+  if (!anonymousPath) {
+    anonymousPath = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => item.anonymous && !item.negation) })
+    if (anonymousPath) {
+      const neg = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => item.anonymous && item.negation) })
+      if (neg) anonymousPath = undefined
+    }
+  }
+  // find securePath
+  securePath = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => !item.anonymous && !item.negation) })
   if (securePath) {
-    const neg = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => !item.anonymous && item.inverse) })
+    const neg = await this.checkPathsByRoute({ paths, guards: localGuards.filter(item => !item.anonymous && item.negation) })
     if (neg) securePath = undefined
   }
-  let anonymousPath = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => item.anonymous && !item.inverse) })
-  if (anonymousPath) {
-    const neg = await this.checkPathsByRoute({ paths, guards: allGuards.filter(item => item.anonymous && item.inverse) })
-    if (neg) anonymousPath = undefined
+  if (!securePath) {
+    securePath = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => !item.anonymous && !item.negation) })
+    if (securePath) {
+      const neg = await this.checkPathsByRoute({ paths, guards: globalGuards.filter(item => !item.anonymous && item.negation) })
+      if (neg) securePath = undefined
+    }
   }
+  // checking...
   if (!securePath && !anonymousPath) {
     if (userId) await setUser()
     return false // regular, unguarded path. Not secure & not anonymous path
@@ -162,8 +194,8 @@ export async function latLngHook (body, options) {
  * @param {Object} reply - Reply object
  * @returns
  */
-export async function checkCrossSite (req, reply) {
+export async function checkXSite (req, reply) {
   const { get } = this.app.lib._
-  if (!get(req, 'routeOptions.config.crossSite')) return
-  if (!get(req, 'user.crossSiteAdmin')) throw this.error('accessDenied', { statusCode: 403 })
+  if (!get(req, 'routeOptions.config.xSite')) return
+  if (!get(req, 'user.isXSiteAdmin')) throw this.error('accessDenied', { statusCode: 403 })
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "2.24.0",
+  "version": "2.25.1",
   "description": "Biz Suite for Bajo Framework",
   "main": "index.js",
   "scripts": {

package/wiki/CHANGES.md

@@ -1,5 +1,16 @@
 # Changes
 
+## 2026-05-25
+
+- [2.25.1] Bug fix in several places because name changing ```crossSiteAdmins``` to ```xSiteAdmins```
+
+## 2026-05-22
+
+- [2.25.0] Reorganize admin menu layout & order
+- [2.25.0] Add ```getModelGuards()```
+- [2.25.0] Add ```getAttribGuards()```
+- [2.25.0] Bug fix in ```getRouteGuards()```
+
 ## 2026-05-11
 
 - [2.24.0] Complete rewrite of route guards