From 0b7f96dab39c973658d010c074190b6dd61b479f Mon Sep 17 00:00:00 2001
From: ChengLei Shao
Date: Wed, 4 May 2022 20:44:59 +0800
Subject: [PATCH] Fix acl error (#358)
* fix: empty resource acl error
* fix: removeAction error
---
 packages/plugins/acl/src/model/RoleResourceActionModel.ts | 6 ++++--
 packages/plugins/acl/src/model/RoleResourceModel.ts | 7 ++++---
 packages/plugins/acl/src/server.ts | 5 +++++
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/packages/plugins/acl/src/model/RoleResourceActionModel.ts b/packages/plugins/acl/src/model/RoleResourceActionModel.ts
index ef2f2ac9b3..4bd762f3e8 100644
--- a/packages/plugins/acl/src/model/RoleResourceActionModel.ts
+++ b/packages/plugins/acl/src/model/RoleResourceActionModel.ts
@@ -51,6 +51,7 @@ export class RoleResourceActionModel extends Model {
 const fieldTarget = collectionField.get('target');
 if (fieldActions) {
+ // grant association actions to role
 const associationActions = fieldActions.associationActions || [];
 associationActions.forEach((associationAction) => {
 const actionName = `${resourceName}.${fieldTarget}:${associationAction}`;
@@ -62,14 +63,15 @@ export class RoleResourceActionModel extends Model {
 targetActions.forEach((targetAction) => {
 const targetActionPath = `${fieldTarget}:${targetAction}`;
- grantHelper.resourceTargetActionMap.set(resourceName, [
+ // set resource target action with current resourceName
+ grantHelper.resourceTargetActionMap.set(`${role.name}.${resourceName}`, [
 ...(grantHelper.resourceTargetActionMap.get(resourceName) || []),
 targetActionPath,
 ]);
 grantHelper.targetActionResourceMap.set(targetActionPath, [
 ...(grantHelper.targetActionResourceMap.get(targetActionPath) || []),
- resourceName,
+ `${role.name}.${resourceName}`,
 ]);
 role.grantAction(targetActionPath);
diff --git a/packages/plugins/acl/src/model/RoleResourceModel.ts b/packages/plugins/acl/src/model/RoleResourceModel.ts
index bfd259184f..fc9ec5c352 100644
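Review bot: In RoleResourceActionModel.ts (hunk at -62,14), the write to `grantHelper.resourceTargetActionMap` now uses the role-qualified key, but the spread on the following line still reads `grantHelper.resourceTargetActionMap.get(resourceName)`. Nothing visible in this patch writes under the bare `resourceName` key any more, so that read presumably always yields `[]` and each pass of `targetActions.forEach` overwrites the entry with only the latest `targetActionPath`. The revoke code in RoleResourceModel.ts then walks an incomplete list, so target actions granted earlier in the loop via `role.grantAction` are never handed to `role.revokeAction` and stay on the role after its resource is revoked. Read with the same key as the write, for example hoist ``const roleResourceKey = `${role.name}.${resourceName}`;`` and use it in both the `get` and the `set`. The enclosing method starts and ends outside the hunk.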
--- a/packages/plugins/acl/src/model/RoleResourceModel.ts +++ b/packages/plugins/acl/src/model/RoleResourceModel.ts @@ -8,20 +8,21 @@ export class RoleResourceModel extends Model { const { role, resourceName, grantHelper } = options; role.revokeResource(resourceName); - const targetActions = grantHelper.resourceTargetActionMap.get(resourceName) || []; + const targetActions = grantHelper.resourceTargetActionMap.get(`${role.name}.${resourceName}`) || []; for (const targetAction of targetActions) { const targetActionResource = (grantHelper.targetActionResourceMap.get(targetAction) || []).filter( - (item) => resourceName !== item, + (item) => `${role.name}.${resourceName}` !== item, ); grantHelper.targetActionResourceMap.set(targetAction, targetActionResource); + if (targetActionResource.length == 0) { role.revokeAction(targetAction); } } - grantHelper.resourceTargetActionMap.set(resourceName, []); + grantHelper.resourceTargetActionMap.set(`${role.name}.${resourceName}`, []); } async writeToACL(options: { diff --git a/packages/plugins/acl/src/server.ts b/packages/plugins/acl/src/server.ts index 85dcfe4d7c..3a9ebd67bf 100644 --- a/packages/plugins/acl/src/server.ts +++ b/packages/plugins/acl/src/server.ts @@ -30,6 +30,8 @@ export class GrantHelper { } export class PluginACL extends Plugin { + // association field actions config + associationFieldsActions: AssociationFieldsActions = {}; grantHelper = new GrantHelper(); @@ -43,6 +45,8 @@ export class PluginACL extends Plugin { } registerAssociationFieldsActions() { + // if grant create action to role, it should + // also grant add action and association target's view action this.registerAssociationFieldAction('linkTo', { view: { associationActions: ['list', 'get'], 
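Review bot: In RoleResourceModel.ts, the `targetActionResource.length == 0` test decides whether `role.revokeAction(targetAction)` runs, but `targetActionResourceMap` is keyed by the target action alone and now holds role-qualified entries. server.ts shows a single `grantHelper = new GrantHelper()` on the plugin, so if that instance is shared by all roles, an entry left by a different role keeps the list non-empty and this role retains the action after its own resource is revoked. Check only this role's remaining entries, for example ``if (!targetActionResource.some((item) => item.startsWith(`${role.name}.`)))``, or key the map by role as well. The `.`-joined key is also ambiguous when a role name or resource name itself contains a dot, so a nested map per role, or a separator that cannot occur in either name, would be safer. The method's signature is outside the hunk.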
@@ -107,6 +111,7 @@ export class PluginACL extends Plugin { const roles = (await this.app.db.getRepository('roles').find({ appends: ['resources', 'resources.actions'], })) as RoleModel[]; + for (const role of roles) { role.writeToAcl({ acl: this.acl }); for (const resource of role.get('resources') as RoleResourceModel[]) {