2023-01-08 23:35:48 +00:00
|
|
|
import { NoPermissionError } from '@nocobase/acl';
|
|
|
|
|
import { Context, utils as actionUtils } from '@nocobase/actions';
|
|
|
|
|
import { Collection, RelationField } from '@nocobase/database';
|
2022-02-11 10:13:14 +00:00
|
|
|
import { Plugin } from '@nocobase/server';
|
2023-01-08 23:35:48 +00:00
|
|
|
import lodash from 'lodash';
|
2022-02-11 15:59:03 +00:00
|
|
|
import { resolve } from 'path';
|
2022-01-24 06:10:35 +00:00
|
|
|
import { availableActionResource } from './actions/available-actions';
|
2022-03-13 11:36:37 +00:00
|
|
|
import { checkAction } from './actions/role-check';
|
2022-04-08 08:17:39 +00:00
|
|
|
import { roleCollectionsResource } from './actions/role-collections';
|
2022-07-25 11:33:23 +00:00
|
|
|
import { setDefaultRole } from './actions/user-setDefaultRole';
|
|
|
|
|
import { setCurrentRole } from './middlewares/setCurrentRole';
|
2022-02-28 06:25:50 +00:00
|
|
|
import { RoleModel } from './model/RoleModel';
|
2022-01-30 02:37:27 +00:00
|
|
|
import { RoleResourceActionModel } from './model/RoleResourceActionModel';
|
|
|
|
|
import { RoleResourceModel } from './model/RoleResourceModel';
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
export interface AssociationFieldAction {
|
|
|
|
|
associationActions: string[];
|
|
|
|
|
targetActions?: string[];
|
|
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
interface AssociationFieldActions {
|
|
|
|
|
[availableActionName: string]: AssociationFieldAction;
|
|
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
export interface AssociationFieldsActions {
|
|
|
|
|
[associationType: string]: AssociationFieldActions;
|
|
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
export class GrantHelper {
|
|
|
|
|
resourceTargetActionMap = new Map<string, string[]>();
|
|
|
|
|
targetActionResourceMap = new Map<string, string[]>();
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
constructor() {}
|
2022-01-24 06:10:35 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-11 10:13:14 +00:00
|
|
|
export class PluginACL extends Plugin {
|
2022-05-04 12:44:59 +00:00
|
|
|
// association field actions config
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
associationFieldsActions: AssociationFieldsActions = {};
|
|
|
|
|
|
|
|
|
|
grantHelper = new GrantHelper();
|
|
|
|
|
|
2022-02-11 15:59:03 +00:00
|
|
|
get acl() {
|
|
|
|
|
return this.app.acl;
|
2022-01-30 02:37:27 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-11 15:59:03 +00:00
|
|
|
registerAssociationFieldAction(associationType: string, value: AssociationFieldActions) {
|
|
|
|
|
this.associationFieldsActions[associationType] = value;
|
2022-01-24 06:10:35 +00:00
|
|
|
}
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
registerAssociationFieldsActions() {
|
2022-05-04 12:44:59 +00:00
|
|
|
// if grant create action to role, it should
|
|
|
|
|
// also grant add action and association target's view action
|
2023-01-08 23:35:48 +00:00
|
|
|
|
|
|
|
|
this.registerAssociationFieldAction('hasOne', {
|
2022-01-30 02:37:27 +00:00
|
|
|
view: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['list', 'get', 'view'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
create: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['create', 'set'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
update: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['update', 'remove', 'set'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2023-01-08 23:35:48 +00:00
|
|
|
this.registerAssociationFieldAction('hasMany', {
|
2022-01-30 02:37:27 +00:00
|
|
|
view: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['list', 'get', 'view'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
2023-01-08 23:35:48 +00:00
|
|
|
create: {
|
|
|
|
|
associationActions: ['create', 'set', 'add'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
update: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['update', 'remove', 'set'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2023-01-08 23:35:48 +00:00
|
|
|
this.registerAssociationFieldAction('belongsTo', {
|
2022-01-30 02:37:27 +00:00
|
|
|
view: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['list', 'get', 'view'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
create: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['create', 'set'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
update: {
|
2023-01-08 23:35:48 +00:00
|
|
|
associationActions: ['update', 'remove', 'set'],
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.registerAssociationFieldAction('belongsToMany', {
|
|
|
|
|
view: {
|
|
|
|
|
associationActions: ['list', 'get', 'view'],
|
|
|
|
|
},
|
|
|
|
|
create: {
|
|
|
|
|
associationActions: ['create', 'set', 'add'],
|
|
|
|
|
},
|
|
|
|
|
update: {
|
|
|
|
|
associationActions: ['update', 'remove', 'set', 'toggle'],
|
2022-01-30 02:37:27 +00:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-11 13:47:26 +00:00
|
|
|
async writeResourceToACL(resourceModel: RoleResourceModel, transaction) {
|
|
|
|
|
await resourceModel.writeToACL({
|
|
|
|
|
acl: this.acl,
|
|
|
|
|
associationFieldsActions: this.associationFieldsActions,
|
|
|
|
|
transaction: transaction,
|
|
|
|
|
grantHelper: this.grantHelper,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
async writeActionToACL(actionModel: RoleResourceActionModel, transaction) {
|
|
|
|
|
const resource = actionModel.get('resource') as RoleResourceModel;
|
|
|
|
|
const role = this.acl.getRole(resource.get('roleName') as string);
|
|
|
|
|
await actionModel.writeToACL({
|
|
|
|
|
acl: this.acl,
|
|
|
|
|
role,
|
|
|
|
|
resourceName: resource.get('name') as string,
|
|
|
|
|
associationFieldsActions: this.associationFieldsActions,
|
|
|
|
|
grantHelper: this.grantHelper,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-19 17:23:04 +00:00
|
|
|
async writeRolesToACL() {
|
|
|
|
|
const roles = (await this.app.db.getRepository('roles').find({
|
|
|
|
|
appends: ['resources', 'resources.actions'],
|
|
|
|
|
})) as RoleModel[];
|
2022-05-04 12:44:59 +00:00
|
|
|
|
2022-02-19 17:23:04 +00:00
|
|
|
for (const role of roles) {
|
|
|
|
|
role.writeToAcl({ acl: this.acl });
|
|
|
|
|
for (const resource of role.get('resources') as RoleResourceModel[]) {
|
|
|
|
|
await this.writeResourceToACL(resource, null);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-02-11 11:31:53 +00:00
|
|
|
|
2022-02-19 17:23:04 +00:00
|
|
|
async beforeLoad() {
|
2023-01-08 23:35:48 +00:00
|
|
|
this.db.addMigrations({
|
|
|
|
|
namespace: this.name,
|
|
|
|
|
directory: resolve(__dirname, './migrations'),
|
|
|
|
|
context: {
|
|
|
|
|
plugin: this,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2022-02-06 17:14:00 +00:00
|
|
|
this.app.db.registerModels({
|
|
|
|
|
RoleResourceActionModel,
|
|
|
|
|
RoleResourceModel,
|
2022-02-19 17:23:04 +00:00
|
|
|
RoleModel,
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
|
|
|
|
|
2023-01-08 23:35:48 +00:00
|
|
|
this.app.acl.registerSnippet({
|
|
|
|
|
name: `pm.${this.name}.roles`,
|
|
|
|
|
actions: [
|
|
|
|
|
'roles:*',
|
|
|
|
|
'roles.snippets:*',
|
|
|
|
|
'availableActions:list',
|
|
|
|
|
'roles.collections:list',
|
|
|
|
|
'roles.resources:*',
|
|
|
|
|
'uiSchemas:getProperties',
|
|
|
|
|
'roles.menuUiSchemas:*',
|
|
|
|
|
],
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// change resource fields to association fields
|
|
|
|
|
this.app.acl.beforeGrantAction((ctx) => {
|
|
|
|
|
const actionName = this.app.acl.resolveActionAlias(ctx.actionName);
|
|
|
|
|
const collection = this.app.db.getCollection(ctx.resourceName);
|
|
|
|
|
|
|
|
|
|
if (!collection) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const fieldsParams = ctx.params.fields;
|
|
|
|
|
|
|
|
|
|
if (!fieldsParams) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (actionName == 'view' || actionName == 'export') {
|
|
|
|
|
const associationsFields = fieldsParams.filter((fieldName) => {
|
|
|
|
|
const field = collection.getField(fieldName);
|
|
|
|
|
return field instanceof RelationField;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
ctx.params = {
|
|
|
|
|
...ctx.params,
|
|
|
|
|
fields: lodash.difference(fieldsParams, associationsFields),
|
|
|
|
|
appends: associationsFields,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
this.registerAssociationFieldsActions();
|
|
|
|
|
|
2022-01-24 06:10:35 +00:00
|
|
|
this.app.resourcer.define(availableActionResource);
|
|
|
|
|
this.app.resourcer.define(roleCollectionsResource);
|
|
|
|
|
|
2022-03-13 11:36:37 +00:00
|
|
|
this.app.resourcer.registerActionHandler('roles:check', checkAction);
|
|
|
|
|
|
2022-07-25 11:33:23 +00:00
|
|
|
this.app.resourcer.registerActionHandler(`users:setDefaultRole`, setDefaultRole);
|
|
|
|
|
|
|
|
|
|
this.db.on('users.afterCreateWithAssociations', async (model, options) => {
|
|
|
|
|
const { transaction } = options;
|
|
|
|
|
const repository = this.app.db.getRepository('roles');
|
|
|
|
|
const defaultRole = await repository.findOne({
|
|
|
|
|
filter: {
|
|
|
|
|
default: true,
|
|
|
|
|
},
|
|
|
|
|
transaction,
|
|
|
|
|
});
|
2023-01-08 23:35:48 +00:00
|
|
|
|
2022-07-25 11:33:23 +00:00
|
|
|
if (defaultRole && (await model.countRoles({ transaction })) == 0) {
|
|
|
|
|
await model.addRoles(defaultRole, { transaction });
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2022-04-11 02:09:55 +00:00
|
|
|
this.app.db.on('roles.afterSaveWithAssociations', async (model, options) => {
|
2022-01-30 02:37:27 +00:00
|
|
|
const { transaction } = options;
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-02-19 17:23:04 +00:00
|
|
|
model.writeToAcl({
|
|
|
|
|
acl: this.acl,
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
2022-01-30 02:37:27 +00:00
|
|
|
|
2022-04-11 02:09:55 +00:00
|
|
|
for (const resource of (await model.getResources({ transaction })) as RoleResourceModel[]) {
|
|
|
|
|
await this.writeResourceToACL(resource, transaction);
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
// model is default
|
|
|
|
|
if (model.get('default')) {
|
|
|
|
|
await this.app.db.getRepository('roles').update({
|
|
|
|
|
values: {
|
|
|
|
|
default: false,
|
|
|
|
|
},
|
|
|
|
|
filter: {
|
|
|
|
|
'name.$ne': model.get('name'),
|
|
|
|
|
},
|
|
|
|
|
hooks: false,
|
|
|
|
|
transaction,
|
|
|
|
|
});
|
|
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.app.db.on('roles.afterDestroy', (model) => {
|
|
|
|
|
const roleName = model.get('name');
|
2022-02-11 15:59:03 +00:00
|
|
|
this.acl.removeRole(roleName);
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
this.app.db.on('rolesResources.afterSaveWithAssociations', async (model: RoleResourceModel, options) => {
|
2022-02-11 13:47:26 +00:00
|
|
|
await this.writeResourceToACL(model, options.transaction);
|
2022-01-30 02:37:27 +00:00
|
|
|
});
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
this.app.db.on('rolesResourcesActions.afterUpdateWithAssociations', async (model, options) => {
|
|
|
|
|
const { transaction } = options;
|
|
|
|
|
const resource = await model.getResource({
|
|
|
|
|
transaction,
|
|
|
|
|
});
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-02-11 13:47:26 +00:00
|
|
|
await this.writeResourceToACL(resource, transaction);
|
|
|
|
|
});
|
|
|
|
|
|
2022-02-11 14:00:11 +00:00
|
|
|
this.app.db.on('rolesResources.afterDestroy', async (model, options) => {
|
|
|
|
|
const role = this.acl.getRole(model.get('roleName'));
|
2022-06-03 13:36:40 +00:00
|
|
|
if (role) {
|
|
|
|
|
role.revokeResource(model.get('name'));
|
|
|
|
|
}
|
2022-02-11 14:00:11 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.app.db.on('collections.afterDestroy', async (model, options) => {
|
|
|
|
|
const { transaction } = options;
|
|
|
|
|
await this.app.db.getRepository('rolesResources').destroy({
|
|
|
|
|
filter: {
|
|
|
|
|
name: model.get('name'),
|
|
|
|
|
},
|
|
|
|
|
transaction,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2022-02-11 13:47:26 +00:00
|
|
|
this.app.db.on('fields.afterCreate', async (model, options) => {
|
|
|
|
|
const { transaction } = options;
|
|
|
|
|
|
|
|
|
|
const collectionName = model.get('collectionName');
|
|
|
|
|
const fieldName = model.get('name');
|
|
|
|
|
|
|
|
|
|
const resourceActions = (await this.app.db.getRepository('rolesResourcesActions').find({
|
|
|
|
|
filter: {
|
|
|
|
|
'resource.name': collectionName,
|
|
|
|
|
},
|
|
|
|
|
transaction,
|
|
|
|
|
appends: ['resource'],
|
|
|
|
|
})) as RoleResourceActionModel[];
|
|
|
|
|
|
|
|
|
|
for (const resourceAction of resourceActions) {
|
|
|
|
|
const fields = resourceAction.get('fields') as string[];
|
|
|
|
|
const newFields = [...fields, fieldName];
|
|
|
|
|
|
|
|
|
|
await this.app.db.getRepository('rolesResourcesActions').update({
|
|
|
|
|
filterByTk: resourceAction.get('id') as number,
|
|
|
|
|
values: {
|
|
|
|
|
fields: newFields,
|
|
|
|
|
},
|
|
|
|
|
transaction,
|
|
|
|
|
});
|
|
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
|
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
this.app.db.on('fields.afterDestroy', async (model, options) => {
|
|
|
|
|
const collectionName = model.get('collectionName');
|
|
|
|
|
const fieldName = model.get('name');
|
2022-01-24 06:10:35 +00:00
|
|
|
|
2022-01-30 02:37:27 +00:00
|
|
|
const resourceActions = await this.app.db.getRepository('rolesResourcesActions').find({
|
|
|
|
|
filter: {
|
|
|
|
|
'resource.name': collectionName,
|
|
|
|
|
'fields.$anyOf': [fieldName],
|
|
|
|
|
},
|
|
|
|
|
transaction: options.transaction,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
for (const resourceAction of resourceActions) {
|
|
|
|
|
const fields = resourceAction.get('fields') as string[];
|
|
|
|
|
const newFields = fields.filter((field) => field != fieldName);
|
|
|
|
|
|
|
|
|
|
await this.app.db.getRepository('rolesResourcesActions').update({
|
|
|
|
|
filterByTk: resourceAction.get('id') as number,
|
|
|
|
|
values: {
|
|
|
|
|
fields: newFields,
|
2022-01-24 06:10:35 +00:00
|
|
|
},
|
2022-01-30 02:37:27 +00:00
|
|
|
transaction: options.transaction,
|
2022-01-24 06:10:35 +00:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
});
|
2022-02-19 17:23:04 +00:00
|
|
|
|
|
|
|
|
// sync database role data to acl
|
2022-10-27 07:27:08 +00:00
|
|
|
this.app.on('afterLoad', async (app, options) => {
|
2023-01-08 23:35:48 +00:00
|
|
|
if (options?.method === 'install' || options?.method === 'upgrade') {
|
2022-10-27 07:32:58 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
const exists = await this.app.db.collectionExistsInDb('roles');
|
|
|
|
|
if (exists) {
|
2022-10-27 07:27:08 +00:00
|
|
|
await this.writeRolesToACL();
|
|
|
|
|
}
|
2022-02-19 17:23:04 +00:00
|
|
|
});
|
2022-02-28 06:25:50 +00:00
|
|
|
|
2022-10-28 07:09:14 +00:00
|
|
|
this.app.on('afterInstall', async (app, options) => {
|
|
|
|
|
const exists = await this.app.db.collectionExistsInDb('roles');
|
|
|
|
|
if (exists) {
|
|
|
|
|
await this.writeRolesToACL();
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2022-10-29 06:07:51 +00:00
|
|
|
this.app.on('afterInstallPlugin', async (plugin) => {
|
|
|
|
|
if (plugin.getName() !== 'users') {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
const User = this.db.getCollection('users');
|
|
|
|
|
await User.repository.update({
|
|
|
|
|
values: {
|
|
|
|
|
roles: ['root', 'admin', 'member'],
|
|
|
|
|
},
|
|
|
|
|
forceUpdate: true,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const RolesUsers = this.db.getCollection('rolesUsers');
|
|
|
|
|
await RolesUsers.repository.update({
|
|
|
|
|
filter: {
|
|
|
|
|
userId: 1,
|
|
|
|
|
roleName: 'root',
|
|
|
|
|
},
|
|
|
|
|
values: {
|
|
|
|
|
default: true,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2022-02-28 14:10:04 +00:00
|
|
|
this.app.on('beforeInstallPlugin', async (plugin) => {
|
2022-10-29 06:07:51 +00:00
|
|
|
if (plugin.getName() !== 'users') {
|
2022-02-28 14:10:04 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2022-04-10 11:22:39 +00:00
|
|
|
const roles = this.app.db.getRepository('roles');
|
|
|
|
|
await roles.createMany({
|
2022-02-28 06:25:50 +00:00
|
|
|
records: [
|
2022-04-10 11:22:39 +00:00
|
|
|
{
|
|
|
|
|
name: 'root',
|
2022-04-22 15:58:19 +00:00
|
|
|
title: '{{t("Root")}}',
|
2022-04-10 11:22:39 +00:00
|
|
|
hidden: true,
|
2023-01-08 23:35:48 +00:00
|
|
|
snippets: ['ui.*', 'pm', 'pm.*'],
|
2022-04-10 11:22:39 +00:00
|
|
|
},
|
2022-02-28 06:25:50 +00:00
|
|
|
{
|
|
|
|
|
name: 'admin',
|
2022-04-22 15:58:19 +00:00
|
|
|
title: '{{t("Admin")}}',
|
2022-04-12 04:02:58 +00:00
|
|
|
allowConfigure: true,
|
|
|
|
|
allowNewMenu: true,
|
2022-07-25 11:33:23 +00:00
|
|
|
strategy: { actions: ['create', 'view', 'update', 'destroy'] },
|
2023-01-08 23:35:48 +00:00
|
|
|
snippets: ['ui.*', 'pm', 'pm.*'],
|
2022-02-28 06:25:50 +00:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: 'member',
|
2022-04-22 15:58:19 +00:00
|
|
|
title: '{{t("Member")}}',
|
2022-04-12 04:02:58 +00:00
|
|
|
allowNewMenu: true,
|
|
|
|
|
strategy: { actions: ['view', 'update:own', 'destroy:own', 'create'] },
|
2022-02-28 06:25:50 +00:00
|
|
|
default: true,
|
2023-01-08 23:35:48 +00:00
|
|
|
snippets: ['!ui.*', '!pm', '!pm.*'],
|
2022-02-28 06:25:50 +00:00
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
});
|
2022-04-10 11:22:39 +00:00
|
|
|
const rolesResourcesScopes = this.app.db.getRepository('rolesResourcesScopes');
|
|
|
|
|
await rolesResourcesScopes.createMany({
|
|
|
|
|
records: [
|
|
|
|
|
{
|
2022-04-12 04:02:58 +00:00
|
|
|
key: 'all',
|
2022-04-10 11:22:39 +00:00
|
|
|
name: '{{t("All records")}}',
|
|
|
|
|
scope: {},
|
|
|
|
|
},
|
|
|
|
|
{
|
2022-04-12 04:02:58 +00:00
|
|
|
key: 'own',
|
2022-04-10 11:22:39 +00:00
|
|
|
name: '{{t("Own records")}}',
|
|
|
|
|
scope: {
|
|
|
|
|
createdById: '{{ ctx.state.currentUser.id }}',
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
});
|
2022-02-28 06:25:50 +00:00
|
|
|
});
|
2022-04-24 02:14:46 +00:00
|
|
|
|
2022-09-29 13:05:31 +00:00
|
|
|
this.app.resourcer.use(setCurrentRole, { tag: 'setCurrentRole', before: 'acl', after: 'parseToken' });
|
2022-07-25 11:33:23 +00:00
|
|
|
|
|
|
|
|
this.app.acl.allow('users', 'setDefaultRole', 'loggedIn');
|
2022-04-24 02:14:46 +00:00
|
|
|
this.app.acl.allow('roles', 'check', 'loggedIn');
|
|
|
|
|
|
|
|
|
|
this.app.acl.allow('*', '*', (ctx) => {
|
2022-04-10 11:22:39 +00:00
|
|
|
return ctx.state.currentRole === 'root';
|
|
|
|
|
});
|
2022-04-13 04:18:44 +00:00
|
|
|
|
2023-01-08 23:35:48 +00:00
|
|
|
this.app.acl.addFixedParams('collections', 'destroy', () => {
|
|
|
|
|
return {
|
|
|
|
|
filter: {
|
|
|
|
|
$and: [{ 'name.$ne': 'roles' }, { 'name.$ne': 'rolesUsers' }],
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.app.acl.addFixedParams('rolesResourcesScopes', 'destroy', () => {
|
|
|
|
|
return {
|
|
|
|
|
filter: {
|
|
|
|
|
$and: [{ 'key.$ne': 'all' }, { 'key.$ne': 'own' }],
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.app.acl.addFixedParams('rolesResourcesScopes', 'update', () => {
|
|
|
|
|
return {
|
|
|
|
|
filter: {
|
|
|
|
|
$and: [{ 'key.$ne': 'all' }, { 'key.$ne': 'own' }],
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
this.app.acl.addFixedParams('roles', 'destroy', () => {
|
|
|
|
|
return {
|
|
|
|
|
filter: {
|
|
|
|
|
$and: [{ 'name.$ne': 'root' }, { 'name.$ne': 'admin' }, { 'name.$ne': 'member' }],
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
2022-04-10 11:22:39 +00:00
|
|
|
this.app.resourcer.use(async (ctx, next) => {
|
2022-04-13 04:18:44 +00:00
|
|
|
const { actionName, resourceName, params } = ctx.action;
|
|
|
|
|
const { showAnonymous } = params || {};
|
2022-04-10 11:22:39 +00:00
|
|
|
if (actionName === 'list' && resourceName === 'roles') {
|
2022-04-13 04:18:44 +00:00
|
|
|
if (!showAnonymous) {
|
|
|
|
|
ctx.action.mergeParams({
|
|
|
|
|
filter: {
|
|
|
|
|
'name.$ne': 'anonymous',
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
2022-04-10 11:22:39 +00:00
|
|
|
}
|
2023-01-08 23:35:48 +00:00
|
|
|
|
2022-07-07 09:46:19 +00:00
|
|
|
if (actionName === 'update' && resourceName === 'roles.resources') {
|
|
|
|
|
ctx.action.mergeParams({
|
|
|
|
|
updateAssociationValues: ['actions'],
|
|
|
|
|
});
|
|
|
|
|
}
|
2023-01-08 23:35:48 +00:00
|
|
|
|
2022-04-10 11:22:39 +00:00
|
|
|
await next();
|
|
|
|
|
});
|
2022-04-12 04:02:58 +00:00
|
|
|
|
|
|
|
|
this.app.acl.use(async (ctx: Context, next) => {
|
|
|
|
|
const { actionName, resourceName } = ctx.action;
|
|
|
|
|
if (actionName === 'get' || actionName === 'list') {
|
|
|
|
|
if (!Array.isArray(ctx?.permission?.can?.params?.fields)) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
let collection: Collection;
|
|
|
|
|
if (resourceName.includes('.')) {
|
|
|
|
|
const [collectionName, associationName] = resourceName.split('.');
|
|
|
|
|
const field = ctx.db.getCollection(collectionName)?.getField?.(associationName);
|
|
|
|
|
if (field.target) {
|
|
|
|
|
collection = ctx.db.getCollection(field.target);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
collection = ctx.db.getCollection(resourceName);
|
|
|
|
|
}
|
2023-01-08 23:35:48 +00:00
|
|
|
|
2022-04-12 04:02:58 +00:00
|
|
|
if (collection && collection.hasField('createdById')) {
|
|
|
|
|
ctx.permission.can.params.fields.push('createdById');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const parseJsonTemplate = this.app.acl.parseJsonTemplate;
|
2023-01-08 23:35:48 +00:00
|
|
|
|
|
|
|
|
this.app.acl.use(
|
|
|
|
|
async (ctx: Context, next) => {
|
|
|
|
|
const { actionName, resourceName, resourceOf } = ctx.action;
|
|
|
|
|
// is association request
|
|
|
|
|
if (resourceName.includes('.') && resourceOf) {
|
|
|
|
|
if (!ctx?.permission?.can?.params) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
// 关联数据去掉 filter
|
|
|
|
|
delete ctx.permission.can.params.filter;
|
|
|
|
|
// 关联数据能不能处理取决于 source 是否有权限
|
|
|
|
|
const [collectionName] = resourceName.split('.');
|
|
|
|
|
const action = ctx.can({ resource: collectionName, action: actionName });
|
|
|
|
|
|
|
|
|
|
const availableAction = this.app.acl.getAvailableAction(actionName);
|
|
|
|
|
|
|
|
|
|
if (availableAction?.options?.onNewRecord) {
|
|
|
|
|
if (action) {
|
|
|
|
|
ctx.permission.skip = true;
|
|
|
|
|
} else {
|
|
|
|
|
ctx.permission.can = false;
|
|
|
|
|
}
|
2022-04-12 04:02:58 +00:00
|
|
|
} else {
|
2023-01-08 23:35:48 +00:00
|
|
|
const filter = parseJsonTemplate(action?.params?.filter || {}, ctx);
|
|
|
|
|
const sourceInstance = await ctx.db.getRepository(collectionName).findOne({
|
|
|
|
|
filterByTk: resourceOf,
|
|
|
|
|
filter,
|
|
|
|
|
});
|
|
|
|
|
if (!sourceInstance) {
|
|
|
|
|
ctx.permission.can = false;
|
|
|
|
|
}
|
2022-04-12 04:02:58 +00:00
|
|
|
}
|
2023-01-08 23:35:48 +00:00
|
|
|
}
|
|
|
|
|
await next();
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
before: 'core',
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// throw error when user has no fixed params permissions
|
|
|
|
|
this.app.acl.use(
|
|
|
|
|
async (ctx: any, next) => {
|
|
|
|
|
const action = ctx.permission?.can?.action;
|
|
|
|
|
|
|
|
|
|
if (action == 'destroy' && !ctx.action.resourceName.includes('.')) {
|
|
|
|
|
const repository = actionUtils.getRepositoryFromParams(ctx);
|
|
|
|
|
|
|
|
|
|
// params after merge with fixed params
|
|
|
|
|
const filteredCount = await repository.count(ctx.permission.mergedParams);
|
|
|
|
|
|
|
|
|
|
// params user requested
|
|
|
|
|
const queryCount = await repository.count(ctx.permission.rawParams);
|
|
|
|
|
|
|
|
|
|
if (queryCount > filteredCount) {
|
|
|
|
|
ctx.throw(403, 'No permissions');
|
|
|
|
|
return;
|
2022-04-12 04:02:58 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-01-08 23:35:48 +00:00
|
|
|
|
|
|
|
|
await next();
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
after: 'core',
|
|
|
|
|
group: 'after',
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const withACLMeta = async (ctx: any, next) => {
|
2022-04-12 04:02:58 +00:00
|
|
|
await next();
|
2023-01-08 23:35:48 +00:00
|
|
|
|
|
|
|
|
if (!ctx.action) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const { resourceName, actionName } = ctx.action;
|
|
|
|
|
|
|
|
|
|
if (!ctx.get('X-With-ACL-Meta')) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-01 11:55:01 +00:00
|
|
|
if (ctx.status !== 200) {
|
2023-01-08 23:35:48 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-01 11:55:01 +00:00
|
|
|
if (!['list', 'get'].includes(actionName)) {
|
2023-01-08 23:35:48 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-01 11:55:01 +00:00
|
|
|
const collection = ctx.db.getCollection(resourceName);
|
|
|
|
|
|
|
|
|
|
if (!collection) {
|
2023-01-08 23:35:48 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const Model = collection.model;
|
|
|
|
|
|
|
|
|
|
const primaryKeyField = Model.primaryKeyField || Model.primaryKeyAttribute;
|
|
|
|
|
|
|
|
|
|
const dataPath = ctx.body?.rows ? 'body.rows' : 'body';
|
|
|
|
|
let listData = lodash.get(ctx, dataPath);
|
|
|
|
|
|
|
|
|
|
if (actionName == 'get') {
|
|
|
|
|
listData = lodash.castArray(listData);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const actions = ['view', 'update', 'destroy'];
|
|
|
|
|
|
|
|
|
|
const actionsParams = [];
|
|
|
|
|
|
|
|
|
|
for (const action of actions) {
|
|
|
|
|
const actionCtx: any = {
|
|
|
|
|
db: ctx.db,
|
|
|
|
|
action: {
|
|
|
|
|
actionName: action,
|
|
|
|
|
name: action,
|
|
|
|
|
params: {},
|
|
|
|
|
resourceName: ctx.action.resourceName,
|
|
|
|
|
resourceOf: ctx.action.resourceOf,
|
|
|
|
|
mergeParams() {},
|
|
|
|
|
},
|
|
|
|
|
state: {
|
|
|
|
|
currentRole: ctx.state.currentRole,
|
|
|
|
|
currentUser: (() => {
|
|
|
|
|
if (!ctx.state.currentUser) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
if (ctx.state.currentUser.toJSON) {
|
|
|
|
|
return ctx.state.currentUser?.toJSON();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ctx.state.currentUser;
|
|
|
|
|
})(),
|
|
|
|
|
},
|
|
|
|
|
permission: {},
|
|
|
|
|
throw(...args) {
|
|
|
|
|
throw new NoPermissionError(...args);
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
await this.app.acl.getActionParams(actionCtx);
|
|
|
|
|
} catch (e) {
|
|
|
|
|
if (e instanceof NoPermissionError) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw e;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
actionsParams.push([
|
|
|
|
|
action,
|
|
|
|
|
actionCtx.permission?.can === null && !actionCtx.permission.skip
|
|
|
|
|
? null
|
|
|
|
|
: actionCtx.permission?.parsedParams || {},
|
2023-02-01 11:55:01 +00:00
|
|
|
actionCtx,
|
2023-01-08 23:35:48 +00:00
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const ids = listData.map((item) => item[primaryKeyField]);
|
|
|
|
|
|
|
|
|
|
const conditions = [];
|
|
|
|
|
|
|
|
|
|
const allAllowed = [];
|
|
|
|
|
|
2023-02-01 11:55:01 +00:00
|
|
|
for (const [action, params, actionCtx] of actionsParams) {
|
2023-01-08 23:35:48 +00:00
|
|
|
if (!params) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (lodash.isEmpty(params) || lodash.isEmpty(params.filter)) {
|
|
|
|
|
allAllowed.push(action);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-01 11:55:01 +00:00
|
|
|
const queryParams = collection.repository.buildQueryOptions({
|
|
|
|
|
...params,
|
|
|
|
|
context: actionCtx,
|
|
|
|
|
});
|
2023-01-08 23:35:48 +00:00
|
|
|
|
|
|
|
|
const actionSql = ctx.db.sequelize.queryInterface.queryGenerator.selectQuery(
|
|
|
|
|
Model.getTableName(),
|
|
|
|
|
{
|
|
|
|
|
// ...queryParams,
|
|
|
|
|
where: queryParams.where,
|
|
|
|
|
attributes: [primaryKeyField],
|
|
|
|
|
includeIgnoreAttributes: false,
|
|
|
|
|
// include: queryParams.include,
|
|
|
|
|
},
|
|
|
|
|
Model,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const whereCase = actionSql.match(/WHERE (.*?);/)[1];
|
|
|
|
|
conditions.push({
|
|
|
|
|
whereCase,
|
|
|
|
|
action,
|
|
|
|
|
include: queryParams.include,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const results = await collection.model.findAll({
|
|
|
|
|
where: {
|
|
|
|
|
[primaryKeyField]: ids,
|
|
|
|
|
},
|
|
|
|
|
attributes: [
|
|
|
|
|
primaryKeyField,
|
|
|
|
|
...conditions.map((condition) => {
|
|
|
|
|
return [ctx.db.sequelize.literal(`CASE WHEN ${condition.whereCase} THEN 1 ELSE 0 END`), condition.action];
|
|
|
|
|
}),
|
|
|
|
|
],
|
|
|
|
|
include: conditions.map((condition) => condition.include).flat(),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const allowedActions = actions
|
|
|
|
|
.map((action) => {
|
|
|
|
|
if (allAllowed.includes(action)) {
|
|
|
|
|
return [action, ids];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return [action, results.filter((item) => Boolean(item.get(action))).map((item) => item.get(primaryKeyField))];
|
|
|
|
|
})
|
|
|
|
|
.reduce((acc, [action, ids]) => {
|
|
|
|
|
acc[action] = ids;
|
|
|
|
|
return acc;
|
|
|
|
|
}, {});
|
|
|
|
|
|
|
|
|
|
if (actionName == 'get') {
|
|
|
|
|
ctx.bodyMeta = {
|
|
|
|
|
...(ctx.bodyMeta || {}),
|
|
|
|
|
allowedActions: allowedActions,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (actionName == 'list') {
|
|
|
|
|
ctx.body.allowedActions = allowedActions;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// append allowedActions to list & get response
|
|
|
|
|
this.app.use(
|
|
|
|
|
async (ctx, next) => {
|
|
|
|
|
try {
|
|
|
|
|
await withACLMeta(ctx, next);
|
|
|
|
|
} catch (error) {
|
|
|
|
|
ctx.logger.error(error);
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{ after: 'restApi', group: 'after' },
|
|
|
|
|
);
|
2022-01-24 06:10:35 +00:00
|
|
|
}
|
2022-02-06 17:14:00 +00:00
|
|
|
|
2022-03-02 10:35:49 +00:00
|
|
|
async install() {
|
|
|
|
|
const repo = this.db.getRepository<any>('collections');
|
|
|
|
|
if (repo) {
|
|
|
|
|
await repo.db2cm('roles');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-06 17:14:00 +00:00
|
|
|
async load() {
|
2023-01-08 04:45:02 +00:00
|
|
|
await this.importCollections(resolve(__dirname, 'collections'));
|
2022-02-06 17:14:00 +00:00
|
|
|
}
|
2022-01-24 06:10:35 +00:00
|
|
|
}
|
2022-02-11 10:13:14 +00:00
|
|
|
|
|
|
|
|
export default PluginACL;
|
