sumba 2.29.0 → 2.30.0

package/extend/bajo/hook.js

@@ -22,45 +22,30 @@ async function clearCacheUser (id, result) {
 }
 
 async function applyModelGuard ({ model, q, teamIds, options }) {
-  const { get, set, orderBy, intersection, without } = this.app.lib._
+  const { get, set, orderBy, without } = this.app.lib._
   const { includes } = this.app.lib.aneka
   const { req } = options
   const results = []
 
   const guards = await this.getModelGuards()
-  const columns = model.getNonVirtualProperties().map(prop => prop.name)
+  const fields = model.getNonVirtualProperties().map(prop => prop.name)
   const filterFn = item => {
-    const bySiteId = item.siteIds ? item.siteIds.includes(req.site.id + '') : true
+    const bySiteId = item.siteId === req.site.id + ''
     const byModel = item.models.includes(model.name)
-    const byTeamId = item.teamIds ? includes(item.teamIds, teamIds) : true
-    const byColumn = columns.includes(item.column)
-    return bySiteId && byModel && byTeamId && byColumn
+    const byTeamId = includes(item.teamIds, teamIds)
+    const byFields = fields.includes(item.field)
+    return bySiteId && byModel && byTeamId && byFields
   }
 
-  guards.global = orderBy(guards.global.filter(filterFn), ['column'])
-  guards.local = orderBy(guards.local.filter(filterFn), ['column'])
-  for (const col of columns) {
+  const rules = orderBy(guards.filter(filterFn), ['field'])
+  for (const field of fields) {
     let values = []
-    let items = guards.global.filter(item => item.column === col && !item.negation)
+    const items = rules.filter(item => item.field === field)
     for (const item of items) {
-      values.push(...item.value)
+      if (item.behavior === 'NIN') values = without(values, ...item.value)
+      else if (item.behavior === 'IN') values.push(...item.value)
     }
-    items = guards.global.filter(item => item.column === col && item.negation)
-    for (const item of items) {
-      values = without(values, ...item.value)
-    }
-    items = guards.local.filter(item => item.column === col && !item.negation)
-    const newValues = []
-    for (const item of items) {
-      newValues.push(...item.value)
-    }
-    if (values.length === 0) values = newValues
-    else if (newValues.length > 0) values = intersection(values, newValues)
-    items = guards.local.filter(item => item.column === col && item.negation)
-    for (const item of items) {
-      values = without(values, ...item.value)
-    }
-    if (values.length) results.push(set({}, col, { $in: values }))
+    if (values.length) results.push(set({}, field, { $in: values }))
   }
 
   const allowEmpty = get(this, `config.dobo.model.${model.name}.allowEmptyQuery`, true)
@@ -76,16 +61,14 @@ export async function applyAttribGuard ({ model, teamIds, options }) {
 
   const guards = await this.getAttribGuards()
   const filterFn = item => {
-    const bySiteId = item.siteIds ? item.siteIds.includes(req.site.id + '') : true
+    const bySiteId = item.siteId === req.site.id + ''
     const byModel = item.models.includes(model.name)
-    const byTeamId = item.teamIds ? includes(item.teamIds, teamIds) : true
+    const byTeamId = includes(item.teamIds, teamIds)
     return bySiteId && byModel && byTeamId
   }
 
-  let item = guards.global.filter(filterFn)[0]
-  if (item) results.push(...item.hiddenCols)
-  item = guards.local.filter(filterFn)[0]
-  if (item) results.push(...item.hiddenCols)
+  const item = guards.filter(filterFn)[0]
+  if (item) results.push(...item.hiddenFields)
   options.hidden = options.hidden ?? []
   if (results.length > 0) options.hidden.push(...results)
   options.hidden = uniq(options.hidden)
@@ -168,7 +151,7 @@ async function hook () {
       }
     }
   }, {
-    name: ['dobo.sumbaAttribGuard:afterTransaction', 'dobo.sumbaXAttribGuard:afterTransaction'],
+    name: ['dobo.sumbaAttribGuard:afterTransaction'],
     handler: async function (action, ...args) {
       if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
       await this.getAttribGuards(true)
@@ -205,16 +188,22 @@ async function hook () {
       options.checksumId = true
     }
   }, {
-    name: ['dobo.sumbaModelGuard:afterTransaction', 'dobo.sumbaXModelGuard:afterTransaction'],
+    name: ['dobo.sumbaModelGuard:afterTransaction'],
     handler: async function (action, ...args) {
       if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
       await this.getModelGuards(true)
     }
   }, {
-    name: ['dobo.sumbaRouteGuard:afterTransaction', 'dobo.sumbaXRouteGuard:afterTransaction'],
+    name: ['dobo.sumbaSecureGuard:afterTransaction'],
     handler: async function (action, ...args) {
       if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-      await this.getRouteGuards(true)
+      await this.getSecureGuards(true)
+    }
+  }, {
+    name: ['dobo.sumbaAnonymousGuard:afterTransaction'],
+    handler: async function (action, ...args) {
+      if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
+      await this.getAnonymousGuards(true)
     }
   }, {
     name: 'dobo.sumbaSite:afterCreateRecord',
@@ -237,7 +226,7 @@ async function hook () {
     name: ['dobo.sumbaTeam:afterTransaction', 'dobo.sumbaSite:afterTransaction'],
     handler: async function (action, ...args) {
       if (!['createRecord', 'updateRecord', 'removeRecord'].includes(action)) return
-      await this.getRouteGuards(true)
+      await this.getSecureGuards(true)
       await this.getModelGuards(true)
       await this.getAttribGuards(true)
     }
@@ -353,7 +342,7 @@ async function hook () {
       await checkIconset.call(this, req, reply)
       const secure = await checkUserId.call(this, req, reply, 'waibuMpa')
       if (!secure) return
-      await checkTeam.call(this, req, reply, secure)
+      await checkTeam.call(this, req, reply)
       await checkXSite.call(this, req, reply)
     }
   }, {
@@ -362,7 +351,7 @@ async function hook () {
     handler: async function (req, reply) {
       const secure = await checkUserId.call(this, req, reply, 'waibuRestApi')
       if (!secure) return
-      await checkTeam.call(this, req, reply, secure)
+      await checkTeam.call(this, req, reply)
       await checkXSite.call(this, req, reply)
     }
   }, {
@@ -371,13 +360,14 @@ async function hook () {
     handler: async function (req, reply) {
       const secure = await checkUserId.call(this, req, reply, 'waibuStatic')
       if (!secure) return
-      await checkTeam.call(this, req, reply, secure)
+      await checkTeam.call(this, req, reply)
       await checkXSite.call(this, req, reply)
     }
   }, {
     name: 'waibu:afterAppBoot',
     handler: async function () {
-      await this.getRouteGuards(true)
+      await this.getAnonymousGuards(true)
+      await this.getSecureGuards(true)
       await this.getModelGuards(true)
       await this.getAttribGuards(true)
     }
@@ -392,6 +382,14 @@ async function hook () {
     handler: async function (req, reply) {
       const { getHostname } = this.app.waibu
       req.site = await this.getSite(getHostname(req))
+      req.user = {}
+    }
+  }, {
+    name: 'waibu:beforeStart',
+    handler: async function () {
+      if (this.app.sumba.config.multiSite.enabled) return
+      const routes = ['waibuAdmin:/site/x/site/*']
+      this.app.waibu.config.route.disabled.push(...routes)
     }
   }]
 }

package/extend/bajo/intl/en-US.json

@@ -132,15 +132,14 @@
   "statusClosed": "Closed",
   "allSites": "All Sites",
   "permission": "Permission",
-  "routeGuard": "Route Guard",
+  "anonymousGuard": "Anonymous Guard",
+  "secureGuard": "Secure Guard",
   "modelGuard": "Model Guard",
   "attribGuard": "Attribute Guard",
-  "xRouteGuard": "Route Guard",
-  "xModelGuard": "Model Guard",
-  "xAttribGuard": "Attribute Guard",
   "xSite": "Cross-Site",
   "xSiteAdminArea": "Cross-Site Admin Area",
   "x": "Cross-Site",
+  "misc": "Miscellaneous",
   "field": {
     "currentPassword": "Current Password",
     "newPassword": "New Password",
@@ -173,7 +172,8 @@
     "column": "Column",
     "hiddenCols": "Hidden Columns",
     "models": "Models",
-    "siteIds": "Sites"
+    "siteIds": "Sites",
+    "allTeams": "All Teams?"
   },
   "validation": {
     "password": {

package/extend/bajo/intl/id.json

@@ -138,15 +138,14 @@
   "statusClosed": "Tertutup",
   "allSites": "Semua Situs",
   "permission": "Permisi",
-  "routeGuard": "Pelindung Rute",
+  "anonymousGuard": "Pelindung Rute Anonim",
+  "secureGuard": "Pelindung Rute Aman",
   "modelGuard": "Pelindung Model",
   "attribGuard": "Pelindung Atribut",
-  "xRouteGuard": "Pelindung Rute",
-  "xModelGuard": "Pelindung Model",
-  "xAttribGuard": "Pelindung Atribut",
   "xSite": "Antar Situs",
   "xSiteAdminArea": "Area Admin Antar Situs",
   "x": "Antar Situs",
+  "misc": "Lain-lain",
   "field": {
     "currentPassword": "Kata Sandi Saat Ini",
     "newPassword": "Kata Sandi Baru",
@@ -179,7 +178,8 @@
     "column": "Kolom",
     "hiddenCols": "Kolom Tersembunyi",
     "models": "Model",
-    "siteIds": "Situs"
+    "siteIds": "Situs",
+    "allTeams": "Semua Tim?"
   },
   "validation": {
     "password": {

package/extend/dobo/feature/status.js

@@ -1,13 +1,15 @@
 async function status (opts = {}) {
   opts.field = opts.field ?? 'status'
   opts.required = opts.required ?? true
-  opts.values = opts.values ?? ['UNVERIFIED', 'ACTIVE', 'INACTIVE']
+  opts.default = opts.default ?? 'ACTIVE'
+  opts.values = opts.values ?? ['ACTIVE', 'INACTIVE']
   return {
     properties: [{
       name: opts.field ?? 'status',
       type: 'string',
       maxLength: 50,
       index: true,
+      default: opts.default,
       required: opts.required,
       values: opts.values
     }],

package/extend/dobo/fixture/site.json

@@ -14,5 +14,5 @@
   "phone": "+001-000000001",
   "waPhone": "+001-111111111",
   "status": "ACTIVE",
-  "_immutable": true
+  "_immutable": ["*"]
 }]

package/extend/dobo/fixture/team-user.json

@@ -2,5 +2,5 @@
   "siteId": "?:SumbaSite::alias:default",
   "userId": "?:SumbaUser::username:'admin'+siteId:'{siteId}'",
   "teamId": "?:SumbaTeam::alias:'administrator'+siteId:'{siteId}'",
-  "_immutable": true
+  "_immutable": ["*"]
 }]

package/extend/dobo/fixture/team.json

@@ -2,6 +2,6 @@
   "alias": "administrator",
   "name": "Administrator",
   "siteId": "?:SumbaSite::alias:default",
-  "status": "ENABLED",
-  "_immutable": true
+  "status": "ACTIVE",
+  "_immutable": ["*"]
 }]

package/extend/dobo/fixture/user.json

@@ -13,5 +13,5 @@
   "provider": "local",
   "siteId": "?:SumbaSite::alias:default",
   "status": "ACTIVE",
-  "_immutable": true
+  "_immutable": ["*"]
 }]

package/extend/dobo/model.js

@@ -3,142 +3,102 @@ const buildEnd = async function (model) {
   if (prop) prop.values = this.getModelNames(true)
 }
 
-const mgProperties = [
-  {
-    name: 'models',
-    type: 'array',
-    required: true
-  },
-  'column,,50,true,true',
-  {
-    name: 'negation',
-    type: 'boolean',
-    required: true,
-    default: false
-  },
-  {
-    name: 'status',
-    type: 'sumba:status',
-    values: ['ACTIVE', 'INACTIVE'],
-    default: 'ACTIVE'
-  },
-  'value,array,,,true',
-  'siteId,sumba:siteId',
-  'teamIds,sumba:teamIds'
-]
-
 const options = {
   attachment: false,
   cache: { ttlDur: 0 }
 }
 
-const mgFeatures = [
-  'dobo:updatedAt'
-]
-
-const agProperties = [
-  {
-    name: 'models',
-    type: 'array',
-    required: true
-  },
-  'hiddenCols,array',
-  'siteId,sumba:siteId',
-  'teamIds,sumba:teamIds'
-]
-
-const agFeatures = [
-  {
-    name: 'sumba:status',
-    values: ['ACTIVE', 'INACTIVE'],
-    default: 'ACTIVE'
-  },
-  'dobo:updatedAt'
-]
-
-export const rgProperties = [
-  'path,,255,true,true',
-  {
-    name: 'methods',
-    type: 'array',
-    required: true,
-    default: ['GET', 'POST', 'UPDATE', 'DELETE'],
-    values: ['GET', 'POST', 'UPDATE', 'DELETE']
-  },
-  {
-    name: 'weight',
-    type: 'smallint',
-    default: 0
-  }, {
-    name: 'negation',
-    type: 'boolean',
-    required: true,
-    default: false
-  }, {
-    name: 'anonymous',
-    type: 'boolean',
-    required: true,
-    default: false
-  },
-  'siteId,sumba:siteId',
-  'teamIds,sumba:teamIds'
-]
+const allTeams = {
+  name: 'allTeams',
+  type: 'boolean',
+  default: true,
+  required: true
+}
 
-export const rgFeatures = [
-  {
-    name: 'sumba:status',
-    values: ['ACTIVE', 'INACTIVE'],
-    default: 'ACTIVE'
-  },
-  'dobo:updatedAt'
-]
+const routeGuard = {
+  properties: [
+    {
+      name: 'path',
+      maxLength: 255,
+      required: true
+    },
+    allTeams,
+    'teamIds,sumba:teamIds',
+    {
+      name: 'weight',
+      type: 'smallint',
+      index: true,
+      default: 0
+    },
+    'siteId,sumba:siteId'
+  ],
+  features: [
+    'sumba:status',
+    'dobo:updatedAt',
+    'dobo:immutable'
+  ],
+  indexes: [{
+    type: 'unique',
+    fields: ['siteId', 'path']
+  }],
+  options: { ...options }
+}
 
 async function model () {
-  const { isString } = this.app.lib._
+  const { merge, cloneDeep } = this.app.lib._
   return [{
-    baseName: 'route-guard',
-    properties: rgProperties,
-    features: rgFeatures,
-    options
-  }, {
-    baseName: 'x-route-guard',
-    properties: rgProperties.filter(prop => {
-      if (!isString(prop)) return true
-      return !(prop.startsWith('teamIds') || prop.startsWith('siteId'))
-    }).concat('siteIds,sumba:siteIds'),
-    features: rgFeatures,
-    options
-  }, {
     baseName: 'attrib-guard',
-    properties: agProperties,
-    features: agFeatures,
-    options,
-    buildEnd
-  }, {
-    baseName: 'x-attrib-guard',
-    properties: agProperties.filter(prop => {
-      if (!isString(prop)) return true
-      return !(prop.startsWith('teamIds') || prop.startsWith('siteId'))
-    }).concat('siteIds,sumba:siteIds'),
-    features: agFeatures,
-    options,
+    properties: [
+      {
+        name: 'models',
+        type: 'array',
+        required: true
+      },
+      'hiddenFields,array',
+      allTeams,
+      'teamIds,sumba:teamIds',
+      'siteId,sumba:siteId'
+    ],
+    features: [
+      'sumba:status',
+      'dobo:updatedAt',
+      'dobo:immutable'
+    ],
+    options: { ...options },
     buildEnd
   }, {
     baseName: 'model-guard',
-    properties: mgProperties,
-    features: mgFeatures,
-    options,
-    buildEnd
-  }, {
-    baseName: 'x-model-guard',
-    properties: mgProperties.filter(prop => {
-      if (!isString(prop)) return true
-      return !(prop.startsWith('teamIds') || prop.startsWith('siteId'))
-    }).concat('siteIds,sumba:siteIds'),
-    features: mgFeatures,
-    options,
+    properties: [
+      {
+        name: 'models',
+        type: 'array',
+        required: true
+      },
+      'field,,50,true,true',
+      {
+        name: 'behavior',
+        type: 'string',
+        maxLength: 20,
+        required: true,
+        values: ['IN', 'NIN'],
+        default: 'IN'
+      },
+      'value,array,,,true',
+      allTeams,
+      'teamIds,sumba:teamIds',
+      'siteId,sumba:siteId'
+    ],
+    features: [
+      'sumba:status',
+      'dobo:updatedAt',
+      'dobo:immutable'
+    ],
+    options: { ...options },
     buildEnd
-  }, {
+  },
+  merge(cloneDeep(routeGuard), { baseName: 'anonymous-guard' }),
+  merge(cloneDeep(routeGuard), { baseName: 'secure-guard' }),
+  {
     buildLevel: 2,
     baseName: 'user',
     properties: [{

package/extend/dobo/model.json

@@ -88,10 +88,7 @@
     "sumba:personInCharge",
     "sumba:address",
     "sumba:social",
-    {
-      "name": "sumba:status",
-      "default": "ACTIVE"
-    },
+    "sumba:status",
     "dobo:createdAt",
     "dobo:updatedAt",
     "dobo:immutable"
@@ -146,11 +143,7 @@
     "dobo:updatedAt",
     "dobo:immutable",
     "sumba:siteId",
-    {
-      "name": "sumba:status",
-      "default": "ENABLED",
-      "values": ["ENABLED", "DISABLED"]
-    },
+    "sumba:status",
     "dobo:immutable"
   ]
 }, {

package/extend/sumba/route/anonymous.json

@@ -0,0 +1,5 @@
+[
+  "/user/**/*",
+  "/signin",
+  "restapi:/user/access-token/**/*"
+]

package/extend/sumba/route/secure.json

@@ -0,0 +1,8 @@
+[
+  "/your-stuff/**/*",
+  "/signout",
+  "/help/trouble-tickets/**/*",
+  "restapi:/user/api-key",
+  "restapi:/your-stuff/**/*",
+  "restapi:/manage/**/*"
+]

package/extend/waibuDb/schema/anonymous-guard.js

@@ -0,0 +1,15 @@
+async function anonymousGuard () {
+  return {
+    common: {
+      widget: {
+        teamIds: {
+          attr: {
+            refUrl: 'waibuAdmin:/{prefix}/team/details?id={id}'
+          }
+        }
+      }
+    }
+  }
+}
+
+export default anonymousGuard

package/extend/waibuDb/schema/{route-guard.js → secure-guard.js}

@@ -1,4 +1,4 @@
-async function routeGuard () {
+async function secureGuard () {
   return {
     common: {
       widget: {
@@ -12,4 +12,4 @@ async function routeGuard () {
   }
 }
 
-export default routeGuard
+export default secureGuard

package/extend/waibuDb/schema/team.json

@@ -21,7 +21,7 @@
     "details": {
     },
     "add": {
-      "hidden": ["id", "createdAt", "updatedAt", "status"]
+      "hidden": ["id", "createdAt", "updatedAt"]
     },
     "edit": {
       "readonly": ["id", "createdAt", "updatedAt"]

package/extend/waibuMpa/extend/waibuAdmin/route/{x/model-guard → anonymous-guard}/@action.js

@@ -1,11 +1,10 @@
 const action = {
   method: ['GET', 'POST'],
-  title: 'xModelGuard',
-  xSite: true,
+  title: 'anonymousGuard',
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
-    return await crudSkel.call(this, 'SumbaXModelGuard', req, reply)
+    return await crudSkel.call(this, 'SumbaAnonymousGuard', req, reply)
   }
 }
 

package/extend/waibuMpa/extend/waibuAdmin/route/{route-guard → secure-guard}/@action.js

@@ -1,10 +1,10 @@
 const action = {
   method: ['GET', 'POST'],
-  title: 'routeGuard',
+  title: 'secureGuard',
   handler: async function (req, reply) {
     const { importModule } = this.app.bajo
     const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
-    return await crudSkel.call(this, 'SumbaRouteGuard', req, reply)
+    return await crudSkel.call(this, 'SumbaSecureGuard', req, reply)
   }
 }
 

package/extend/waibuMpa/route/access-token.js

@@ -1,7 +1,9 @@
 const apiToken = {
   method: 'POST',
   handler: async function (req, reply) {
-    if (!req.user) return ''
+    const { get } = this.app.lib._
+    const uid = get(req, 'user.id')
+    if (!uid) return ''
     const rec = await this.app.dobo.getModel('SumbaUser').getRecord(req.user.id, { forceNoHidden: true, noCache: true })
     return (await this.createJwtFromUserRecord(rec)).token
   }

package/extend/waibuRestApi/route/manage/anonymous-guard/model-builder.json

@@ -0,0 +1,4 @@
+{
+  "model": "SumbaAnonymousGuard",
+  "disabled": ["create", "update", "remove"]
+}

package/extend/waibuRestApi/route/manage/{route-guard → secure-guard}/model-builder.json

@@ -1,4 +1,4 @@
 {
-  "model": "SumbaRouteGuard",
+  "model": "SumbaSecureGuard",
   "disabled": ["create", "update", "remove"]
 }

package/index.js

@@ -20,7 +20,7 @@ const defMultiSite = {
 async function factory (pkgName) {
   const me = this
   const { getModel } = this.app.dobo
-  const { cloneDeep, uniq, isEmpty } = this.app.lib._
+  const { cloneDeep, isEmpty } = this.app.lib._
 
   /**
    * Sumba class
@@ -52,6 +52,14 @@ async function factory (pkgName) {
             '/help': 'sumba:/help/contact-form',
             '/help/trouble-tickets': 'sumba:/help/trouble-tickets/list'
           },
+          redirectSubRoute: {
+            waibuAdmin: {
+              '/': 'waibuAdmin:/site/site',
+              '/x': 'waibuAdmin:/site/x/site/list',
+              '/x/*': 'waibuAdmin:/site/x/{2}/list',
+              '/*': 'waibuAdmin:/site/{1}/list'
+            }
+          },
           menuHandler: [{
             title: 'account',
             icon: 'person',
@@ -155,9 +163,11 @@ async function factory (pkgName) {
           getUserByTokenDur: '1m'
         }
       }
-      this.routeGuards = { local: [], global: [] }
-      this.modelGuards = { local: [], global: [] }
-      this.attribGuards = { local: [], global: [] }
+      this.secureGuards = []
+      this.modelGuards = []
+      this.attribGuards = []
+      this.secureGuards = []
+      this.anonymousGuards = []
 
       this.unsafeUserFields = ['password']
       this.selfBind(['createNewSite', 'removeSite', 'getSite', 'getUserById', 'getUserByToken', 'getUserByUsernamePassword'])
@@ -174,7 +184,11 @@ async function factory (pkgName) {
     }
 
     start = async () => {
-      const { getModel } = this.app.dobo
+      await this.populateRouteGuards()
+      if (!this.config.multiSite.enabled) {
+        this.config.xSiteAdmins = []
+        return
+      }
       if (this.config.xSiteAdmins.length === 0) {
         const site = await getModel('SumbaSite').findOneRecord({ query: { alias: 'default' } }, { noMagic: true })
         const user = await getModel('SumbaUser').findOneRecord({ query: { username: 'admin', siteId: site.id } }, { noMagic: true })
@@ -182,6 +196,84 @@ async function factory (pkgName) {
       }
     }
 
+    populateRouteGuards = async () => {
+      const { isString, get, difference } = this.app.lib._
+      const { pascalCase } = this.app.lib.aneka
+      const { eachPlugins, readConfig, breakNsPath } = this.app.bajo
+      const { getModel } = this.app.dobo
+
+      const allNs = this.app.getAllNs()
+      const sites = await getModel('SumbaSite').findAllRecord({ query: { status: 'ACTIVE' } }, { noMagic: true, dataOnly: true, fields: ['id', 'hostname'] })
+
+      const sanitize = (item, ns) => {
+        if (isString(item)) item = { path: item }
+        let [prefix, ...args] = item.path.split(':')
+        const neg = prefix[0] === '!'
+        if (neg) prefix = prefix.slice(1)
+        if (isEmpty(args)) {
+          args = prefix
+          prefix = null
+        } else args = args.join(':')
+        if (isEmpty(prefix)) prefix = ns
+        else {
+          const [_ns, subNs] = prefix.split('.')
+          if (subNs) prefix = `${ns}.${subNs}`
+          else if (!allNs.includes(_ns)) prefix = `${ns}.${_ns}`
+          else prefix = _ns
+        }
+        item.path = `${neg ? '!' : ''}${prefix}:${args}`
+        item._immutable = item._immutable ?? ['path']
+        if (neg) {
+          item.allTeams = true
+          item.teamIds = []
+          item._immutable = ['path', 'teamIds', 'allTeams']
+        }
+        return item
+      }
+
+      const filterFn = item => {
+        let [ns] = (item.path.split(':')[0] ?? '').split('.')
+        if (ns[0] === '!') ns = ns.slice(1)
+        return allNs.includes(ns)
+      }
+
+      for (const type of ['secure', 'anonymous']) {
+        const routes = []
+        // get it from <pluginDir>/extend/sumba/route/*
+        await eachPlugins(async function ({ file }) {
+          const { ns } = this
+          const items = (await readConfig(file)).map(item => sanitize(item, ns)).filter(filterFn)
+          routes.push(...items)
+        }, { glob: `route/${type}.*`, prefix: this.ns })
+        // get it from config
+        const items = get(this, `config.route.${type}`, []).map(item => {
+          if (isString(item)) item = { path: item }
+          const neg = item.path[0] === '!'
+          if (neg) item.path.slice(1)
+          const { fullNs } = breakNsPath(item.path)
+          if (neg) item.path = '!' + item.path
+          return sanitize(item, fullNs)
+        }).filter(filterFn)
+        routes.push(...items)
+        const paths = routes.map(item => item.path)
+        const model = getModel(pascalCase(`Sumba ${type} Guard`))
+        for (const site of sites) {
+          const query = { path: { $in: paths }, siteId: site.id }
+          const recs = await model.findAllRecord({ query }, { noMagic: true, dataOnly: true, fields: ['path', 'status'] })
+          const spaths = difference(paths, recs.map(rec => rec.path))
+          for (const path of spaths) {
+            const body = cloneDeep(routes.find(r => r.path === path))
+            body.status = 'ACTIVE'
+            body.siteId = site.id
+            await model.sanitizeFixture({ body, lookupValue: body })
+            try {
+              await model.createRecord(body, { noMagic: true, noReturn: true })
+            } catch (err) {}
+          }
+        }
+      }
+    }
+
     _getSetting = async (type, source) => {
       const { defaultsDeep } = this.app.lib.aneka
       const { get } = this.app.lib._
@@ -208,18 +300,10 @@ async function factory (pkgName) {
     adminMenu = async (locals, req) => {
       if (!this.app.waibuAdmin) return
       const { getPluginPrefix } = this.app.waibu
+      const { findIndex } = this.app.lib._
       const prefix = getPluginPrefix(this.ns)
       const params = { action: 'list' }
       const items = [{
-        title: 'xSite',
-        children: [
-          { title: 'allSites', href: `waibuAdmin:/${prefix}/x/site/:action`, params },
-          { title: 'xRouteGuard', href: `waibuAdmin:/${prefix}/x/route-guard/:action`, params },
-          { title: 'xModelGuard', href: `waibuAdmin:/${prefix}/x/model-guard/:action`, params },
-          { title: 'xAttribGuard', href: `waibuAdmin:/${prefix}/x/attrib-guard/:action`, params },
-          { title: 'userSession', href: `waibuAdmin:/${prefix}/x/session/:action`, params }
-        ]
-      }, {
         title: 'manageSite',
         children: [
           { title: 'siteProfile', href: `waibuAdmin:/${prefix}/site` },
@@ -242,7 +326,8 @@ async function factory (pkgName) {
       }, {
         title: 'permission',
         children: [
-          { title: 'routeGuard', href: `waibuAdmin:/${prefix}/route-guard/:action`, params },
+          { title: 'secureGuard', href: `waibuAdmin:/${prefix}/secure-guard/:action`, params },
+          { title: 'anonymousGuard', href: `waibuAdmin:/${prefix}/anonymous-guard/:action`, params },
           { title: 'modelGuard', href: `waibuAdmin:/${prefix}/model-guard/:action`, params },
           { title: 'attribGuard', href: `waibuAdmin:/${prefix}/attrib-guard/:action`, params }
         ]
@@ -260,9 +345,23 @@ async function factory (pkgName) {
           { title: 'manageDownload', href: `waibuAdmin:/${prefix}/download/:action`, params }
         ]
       }]
+      const sessionMenu = { title: 'userSession', href: `waibuAdmin:/${prefix}/x/session/:action`, params }
+      const cacheMenu = { title: 'cacheStorage', href: `waibuAdmin:/${prefix}/x/cache/:action`, params }
+      if (this.config.multiSite.enabled) {
+        items.unshift({
+          title: 'xSite',
+          children: [
+            { title: 'allSites', href: `waibuAdmin:/${prefix}/x/site/:action`, params },
+            sessionMenu
+          ]
+        })
+      } else {
+        const idx = findIndex(items, i => i.title === 'misc')
+        if (idx > -1) items[idx].children.push(sessionMenu)
+      }
       if (this.app.bajoCache) {
-        const item = items.find(i => i.title === 'xSite')
-        item.children.push({ title: 'cacheStorage', href: `waibuAdmin:/${prefix}/x/cache/:action`, params })
+        const idx = findIndex(items, i => i.title === this.config.multiSite.enabled ? 'xSite' : 'misc')
+        if (idx > -1)items[idx].children.push(cacheMenu)
       }
       return items
     }
@@ -377,31 +476,11 @@ async function factory (pkgName) {
       return true
     }
 
-    checkPathsByRoute = ({ req, paths = [], teamIds = [], guards = [] }) => {
-      const { includes } = this.app.lib.aneka
+    checkRouteGuard = (guards, paths) => {
       const { outmatch } = this.app.lib
-
-      for (const item of guards) {
-        const matchPath = outmatch(item.path)
-        for (const path of paths) {
-          if (matchPath(path)) {
-            if (item.methods.includes(req.method)) {
-              if (includes(teamIds, item.teamIds)) return item
-              if (teamIds.length === 0) return item
-            }
-          }
-        }
-      }
-    }
-
-    checkPathsByGuard = ({ guards, paths }) => {
-      const { outmatch } = this.app.lib
-      const matcher = outmatch(guards)
-      let guarded
-      for (const path of paths) {
-        if (!guarded) guarded = matcher(path)
-      }
-      return guarded
+      const all = guards.map(item => item.path)
+      const isMatch = outmatch(all)
+      return paths.find(isMatch)
     }
 
     signout = async ({ req, reply, reason }) => {
@@ -545,81 +624,56 @@ async function factory (pkgName) {
       return await hash(item, this.config.auth.common.apiKey.algo)
     }
 
-    _fetchGuards = async (type = 'Route') => {
+    _fetchGuards = async (type) => {
       const { getModel } = this.app.dobo
       const options = { noMagic: true, noCache: true, noDriverHook: true, dataOnly: true }
       const filter = { query: { status: 'ACTIVE' } }
-      return {
-        global: await getModel(`SumbaX${type}Guard`).findAllRecord(filter, options),
-        local: await getModel(`Sumba${type}Guard`).findAllRecord(filter, options),
-        siteIds: (await getModel('SumbaSite').findAllRecord(filter.options)).map(item => item.id + '')
-      }
+      const results = await getModel(`Sumba${type}Guard`).findAllRecord(filter, options)
+      return results.map(result => {
+        result.teamIds = result.teamIds.map(item => item + '')
+        return result
+      })
     }
 
-    getRouteGuards = async (reread) => {
+    _getGuards = (inputs = []) => {
       const { routePath } = this.app.waibu
       const { orderBy } = this.app.lib._
-      const { isSet } = this.app.lib.aneka
-      if (!reread) return this.routeGuards
-
-      const result = await this._fetchGuards('Route')
-      for (const type of ['global', 'local']) {
-        result[type] = result[type].map(item => {
-          item.siteIds = item.siteIds ?? []
-          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
-          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
-          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
-          item.methods = item.methods ?? []
-          delete item.siteId
-          return item
-        })
-        this.routeGuards[type] = orderBy(result[type].filter(item => {
-          try {
-            item.path = routePath(item.path)
-            return true
-          } catch (err) {
-            return false
-          }
-        }), ['weight', 'path'], ['desc', 'asc'])
-      }
-      return this.routeGuards
+      const normal = orderBy(inputs.filter(input => input.path[0] !== '!').map(result => {
+        result.path = routePath(result.path)
+        return result
+      }), ['weight', 'path'], ['desc', 'asc'])
+      const inverse = orderBy(inputs.filter(input => input.path[0] === '!').map(result => {
+        result.path = routePath(result.path)
+        return result
+      }), ['weight', 'path'], ['desc', 'asc'])
+      return [...normal, ...inverse]
+    }
+
+    getAnonymousGuards = async (reread) => {
+      if (!reread) return this.anonymousGuards
+      const guards = await this._fetchGuards('Anonymous')
+      this.anonymousGuards = this._getGuards(guards)
+      return this.anonymousGuards
+    }
+
+    getSecureGuards = async (reread) => {
+      if (!reread) return this.secureGuards
+      const guards = await this._fetchGuards('Secure')
+      this.secureGuards = this._getGuards(guards)
+      return this.secureGuards
     }
 
     getModelGuards = async (reread) => {
-      const { isSet } = this.app.lib.aneka
       if (!reread) return this.modelGuards
 
-      const result = await this._fetchGuards('Model')
-      for (const type of ['global', 'local']) {
-        this.modelGuards[type] = result[type].filter(item => (!isEmpty(item.value)) && (!isEmpty(item.models))).map(item => {
-          item.siteIds = item.siteIds ?? []
-          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
-          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
-          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
-          delete item.siteId
-          return item
-        })
-      }
+      this.modelGuards = await this._fetchGuards('Model')
       return this.modelGuards
     }
 
     getAttribGuards = async (reread) => {
-      const { isSet } = this.app.lib.aneka
       if (!reread) return this.attribGuards
 
-      const result = await this._fetchGuards('Attrib')
-      for (const type of ['global', 'local']) {
-        this.attribGuards[type] = result[type].map(item => {
-          item.siteIds = item.siteIds ?? []
-          if (item.siteIds.length === 0) item.siteIds = [...result.siteIds]
-          if (item.siteId) item.siteIds = uniq([...item.siteIds, item.siteId].filter(i => isSet(i)).map(i => i + ''))
-          item.teamIds = (item.teamIds ?? []).filter(i => isSet(i)).map(i => i + '')
-          item.models = item.models ?? []
-          item.hiddenCols = item.hiddenCols ?? []
-          delete item.siteId
-          return item
-        })
-      }
+      this.attribGuards = await this._fetchGuards('Model')
       return this.attribGuards
     }
 
@@ -632,6 +686,7 @@ async function factory (pkgName) {
     removeSite = removeSite
     getSite = getSite
     getUserById = getUserById
+
     getUserByToken = getUserByToken
     getUserByUsernamePassword = getUserByUsernamePassword
   }

package/lib/get-user.js

@@ -10,7 +10,7 @@ export async function mergeTeam (user, req) {
   if (userTeam.length === 0) return
   delete query.userId
   query.id = { $in: map(userTeam, 'teamId') }
-  query.status = 'ENABLED'
+  query.status = 'ACTIVE'
   mdl = getModel('SumbaTeam')
   const teams = await mdl.findAllRecord({ query })
   if (teams.length > 0) {

package/lib/util.js

@@ -26,7 +26,7 @@ export function parseNsSettings (ns, setting, items) {
   }
 }
 
-export function pathsToCheck (req, withHome) {
+export function pathsToCheck (req) {
   const { uniq, without } = this.app.lib._
   const items = [req.routeOptions.url, req.url].map(url => url.split('?')[0].split('#')[0])
   return uniq(without(items, undefined, null))
@@ -56,36 +56,25 @@ export async function checkTheme (req, reply) {
   req.theme = req.theme ?? 'default'
 }
 
-export async function checkTeam (req, reply, route) {
-  const { map } = this.app.lib._
+export async function checkTeam (req, reply) {
+  const { includes } = this.app.lib.aneka
   const { outmatch } = this.app.lib
-  route.teamIds = route.teamIds ?? []
-  if (route.teamIds.length === 0) return
 
-  const teamIds = map(req.user.teams, 'id')
-  const teamAliases = map(req.user.teams, 'alias')
   if (req.user.isAdmin) return
-  const matchXSite = outmatch(route.path)
-  if (req.routeOptions.config.xSite && matchXSite(req.url) && req.user.isXSiteAdmin) return
-  if (teamAliases.length === 0) throw this.error('accessDenied', { statusCode: 403 })
-
-  const paths = pathsToCheck.call(this, req, true)
-  const guards = await this.getRouteGuards()
-  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
-  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + '') && item.teamIds.length > 0)
-  let match = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => !item.negation) })
-  if (match) {
-    const neg = this.checkPathsByRoute({ paths, teamIds, guards: localGuards.filter(item => item.negation) })
-    if (neg) match = undefined
-  }
-  if (!match) {
-    match = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => !item.negation) })
-    if (match) {
-      const neg = this.checkPathsByRoute({ paths, teamIds, guards: globalGuards.filter(item => item.negation) })
-      if (neg) match = undefined
-    }
+  if (req.routeOptions.config.xSite && req.user.isXSiteAdmin) return
+
+  const teamIds = req.user.teams.map(item => item.id + '')
+  if (req.user.teams.map(item => item.alias).length === 0) throw this.error('accessDenied', { statusCode: 403 })
+
+  const paths = pathsToCheck.call(this, req)
+  const results = (await this.getSecureGuards()).filter(item => {
+    if (item.siteId !== req.site.id + '' || item.path[0] === '!') return false
+    return paths.some(outmatch([item.path]))
+  })
+  for (const result of results) {
+    if (result.allTeams) continue
+    if (!includes(teamIds, result.teamIds)) throw this.error('accessDenied', { statusCode: 403 })
   }
-  if (!match) throw this.error('accessDenied', { statusCode: 403 })
   // passed
 }
 
@@ -116,51 +105,22 @@ export async function checkUserId (req, reply, source) {
   }
 
   const paths = pathsToCheck.call(this, req)
-  const guards = await this.getRouteGuards()
-  let securePath
-  let anonymousPath
-  const globalGuards = guards.global.filter(item => item.siteIds.includes(req.site.id + ''))
-  const localGuards = guards.local.filter(item => item.siteIds.includes(req.site.id + ''))
-  // find anonymousPath
-  anonymousPath = await this.checkPathsByRoute({ req, paths, guards: localGuards.filter(item => item.anonymous && !item.negation) })
-  if (anonymousPath) {
-    const neg = await this.checkPathsByRoute({ req, paths, guards: localGuards.filter(item => item.anonymous && item.negation) })
-    if (neg) anonymousPath = undefined
-  }
-  if (!anonymousPath) {
-    anonymousPath = await this.checkPathsByRoute({ req, paths, guards: globalGuards.filter(item => item.anonymous && !item.negation) })
-    if (anonymousPath) {
-      const neg = await this.checkPathsByRoute({ req, paths, guards: globalGuards.filter(item => item.anonymous && item.negation) })
-      if (neg) anonymousPath = undefined
-    }
-  }
-  // find securePath
-  securePath = await this.checkPathsByRoute({ req, paths, guards: localGuards.filter(item => !item.anonymous && !item.negation) })
-  if (securePath) {
-    const neg = await this.checkPathsByRoute({ req, paths, guards: localGuards.filter(item => !item.anonymous && item.negation) })
-    if (neg) securePath = undefined
-  }
-  if (!securePath) {
-    securePath = await this.checkPathsByRoute({ req, paths, guards: globalGuards.filter(item => !item.anonymous && !item.negation) })
-    if (securePath) {
-      const neg = await this.checkPathsByRoute({ req, paths, guards: globalGuards.filter(item => !item.anonymous && item.negation) })
-      if (neg) securePath = undefined
-    }
-  }
-  // checking...
-  if (!securePath && !anonymousPath) {
-    if (userId) await setUser()
-    return false // regular, unguarded path. Not secure & not anonymous path
-  }
-  if (anonymousPath) {
+  let guards = (await this.getAnonymousGuards()).filter(item => item.siteId === req.site.id + '')
+  const anonymous = this.checkRouteGuard(guards, paths)
+  if (anonymous) {
     if (!userId) return false
     req.session.ref = req.url
     return reply.redirectTo(routePath(this.config.redirect.signout))
   }
-  if (!(securePath.methods ?? []).includes(req.method)) throw this.error('accessDenied', { statusCode: 403 })
+  guards = (await this.getSecureGuards()).filter(item => item.siteId === req.site.id + '')
+  const secure = this.checkRouteGuard(guards, paths)
+  if (!secure) {
+    if (userId) await setUser()
+    return false // regular, unguarded path. Not secure & not anonymous path
+  }
   if (userId) {
     await setUser()
-    return securePath
+    return secure
   }
   const silentOnError = this.config.auth[webApp].silentOnError ?? this.config.auth.common.silentOnError
   const payload = silentOnError ? { noContent: true } : undefined
@@ -177,7 +137,7 @@ export async function checkUserId (req, reply, source) {
     }
   }
   if (!success) throw this.error('accessDeniedNoAuth', merge({ statusCode: 403 }, payload))
-  return securePath
+  return secure
 }
 
 export async function latLngHook (body, options) {
@@ -196,6 +156,7 @@ export async function latLngHook (body, options) {
  */
 export async function checkXSite (req, reply) {
   const { get } = this.app.lib._
+  if (!this.config.multiSite.enabled) return
   if (!get(req, 'routeOptions.config.xSite')) return
   if (!get(req, 'user.isXSiteAdmin')) throw this.error('accessDenied', { statusCode: 403 })
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "2.29.0",
+  "version": "2.30.0",
   "description": "Biz Suite for Bajo Framework",
   "main": "index.js",
   "scripts": {

package/wiki/CHANGES.md

@@ -1,5 +1,13 @@
 # Changes
 
+## 2026-06-10
+
+- [2.30.0] Refactoring all guards
+- [2.30.0] Feature ```sumba:status``` now by default using ```ACTIVE``` and ```INACTIVE``` states
+- [2.30.0] Bug in ```multiSite``` handling
+- [2.30.0] Add ```populateRouteGuards()```
+- [2.30.0] Bug fix in ```hook.js```
+
 ## 2026-06-03
 
 - [2.29.0] Some models with property ```values``` now use the newly introduced function values

package/extend/dobo/fixture/x-route-guard.js

@@ -1,24 +0,0 @@
-const routes = [
-  'sumba:/your-stuff/**/*',
-  'sumba:/signout',
-  'sumba:/help/trouble-tickets/**/*',
-  'sumba.restapi:/user/api-key',
-  'sumba.restapi:/your-stuff/**/*',
-  'sumba.restapi:/manage/**/*',
-  '~sumba:/user/**/*',
-  '~sumba:/signin',
-  '~sumba.restapi:/user/access-token/**/*'
-]
-
-async function routeGuard () {
-  return routes.map(r => {
-    const anonymous = r[0] === '~'
-    return {
-      path: anonymous ? r.slice(1) : r,
-      anonymous,
-      status: 'ACTIVE'
-    }
-  })
-}
-
-export default routeGuard

package/extend/waibuDb/schema/x-attrib-guard.js

@@ -1,15 +0,0 @@
-async function xAttribGuard () {
-  return {
-    common: {
-      widget: {
-        siteIds: {
-          attr: {
-            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
-          }
-        }
-      }
-    }
-  }
-}
-
-export default xAttribGuard

package/extend/waibuDb/schema/x-model-guard.js

@@ -1,15 +0,0 @@
-async function xModelGuard () {
-  return {
-    common: {
-      widget: {
-        siteIds: {
-          attr: {
-            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
-          }
-        }
-      }
-    }
-  }
-}
-
-export default xModelGuard

package/extend/waibuDb/schema/x-route-guard.js

@@ -1,15 +0,0 @@
-async function xRouteGuard () {
-  return {
-    common: {
-      widget: {
-        siteIds: {
-          attr: {
-            refUrl: 'waibuAdmin:/{prefix}/site/details?id={id}'
-          }
-        }
-      }
-    }
-  }
-}
-
-export default xRouteGuard

package/extend/waibuMpa/extend/waibuAdmin/route/index.json

@@ -1,3 +0,0 @@
-{
-  "redirect": "waibuAdmin:/site/site"
-}

package/extend/waibuMpa/extend/waibuAdmin/route/x/attrib-guard/@action.js

@@ -1,12 +0,0 @@
-const action = {
-  method: ['GET', 'POST'],
-  title: 'xAttribGuard',
-  xSite: true,
-  handler: async function (req, reply) {
-    const { importModule } = this.app.bajo
-    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
-    return await crudSkel.call(this, 'SumbaXAttribGuard', req, reply)
-  }
-}
-
-export default action

package/extend/waibuMpa/extend/waibuAdmin/route/x/index.json

@@ -1,3 +0,0 @@
-{
-  "redirect": "waibuAdmin:/site/x/site/list"
-}

package/extend/waibuMpa/extend/waibuAdmin/route/x/route-guard/@action.js

@@ -1,12 +0,0 @@
-const action = {
-  method: ['GET', 'POST'],
-  title: 'xRouteGuard',
-  xSite: true,
-  handler: async function (req, reply) {
-    const { importModule } = this.app.bajo
-    const crudSkel = await importModule('waibuAdmin:/lib/crud-skel.js')
-    return await crudSkel.call(this, 'SumbaXRouteGuard', req, reply)
-  }
-}
-
-export default action