feat: implement permission management for BaseNode with role-based access control

Author: younocode

apps/nestjs-backend/src/features/auth/decorators/base-node-permissions.decorator.ts

@@ -0,0 +1,8 @@
+import { SetMetadata } from '@nestjs/common';
+import type { BaseNodeAction } from '@teable/core';
+
+export const BASE_NODE_PERMISSIONS_KEY = 'baseNodePermissions';
+
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const BaseNodePermissions = (...permissions: BaseNodeAction[]) =>
+  SetMetadata(BASE_NODE_PERMISSIONS_KEY, permissions);

apps/nestjs-backend/src/features/auth/guard/base-node-permission.guard.ts

@@ -0,0 +1,145 @@
+import type { ExecutionContext } from '@nestjs/common';
+import { Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { HttpErrorCode } from '@teable/core';
+import type { BaseNodeAction } from '@teable/core';
+import { PrismaService } from '@teable/db-main-prisma';
+import type { BaseNodeResourceType } from '@teable/openapi';
+import { ClsService } from 'nestjs-cls';
+import { CustomHttpException } from '../../../custom.exception';
+import type { IClsStore } from '../../../types/cls';
+import {
+  checkBaseNodePermission,
+  checkBaseNodePermissionCreate,
+} from '../../base-node/base-node.permission.helper';
+import { BASE_NODE_PERMISSIONS_KEY } from '../decorators/base-node-permissions.decorator';
+import { IS_DISABLED_PERMISSION } from '../decorators/disabled-permission.decorator';
+import { PermissionService } from '../permission.service';
+import { PermissionGuard } from './permission.guard';
+
+@Injectable()
+export class BaseNodePermissionGuard extends PermissionGuard {
+  constructor(
+    private readonly reflectorInner: Reflector,
+    private readonly clsInner: ClsService<IClsStore>,
+    private readonly permissionServiceInner: PermissionService,
+    private readonly prismaService: PrismaService
+  ) {
+    super(reflectorInner, clsInner, permissionServiceInner);
+  }
+
+  async canActivate(context: ExecutionContext) {
+    const superResult = await super.canActivate(context);
+    if (!superResult) {
+      return false;
+    }
+
+    // disabled check
+    const isDisabledPermission = this.reflectorInner.getAllAndOverride<boolean>(
+      IS_DISABLED_PERMISSION,
+      [context.getHandler(), context.getClass()]
+    );
+
+    if (isDisabledPermission) {
+      return true;
+    }
+
+    const baseId = this.getBaseId(context);
+    if (!baseId) {
+      throw new CustomHttpException('Base ID is required', HttpErrorCode.RESTRICTED_RESOURCE);
+    }
+    const permissionContext = await this.getPermissionContext();
+    return this.checkActivate(context, baseId, permissionContext);
+  }
+
+  async checkActivate(
+    context: ExecutionContext,
+    baseId: string,
+    permissionContext: {
+      permissionSet: Set<string>;
+      tablePermissionMap?: Record<string, string[]>;
+    }
+  ) {
+    const baseNodePermissions = this.reflectorInner.getAllAndOverride<BaseNodeAction[] | undefined>(
+      BASE_NODE_PERMISSIONS_KEY,
+      [context.getHandler(), context.getClass()]
+    );
+
+    if (!baseNodePermissions?.length) {
+      return true;
+    }
+    const nodeId = this.getNodeId(context);
+    const node = await this.getNode(baseId, nodeId);
+    const checkCreate = checkBaseNodePermissionCreate(
+      node ?? { resourceType: this.getNodeResourceType(context), resourceId: '' },
+      baseNodePermissions,
+      permissionContext
+    );
+
+    if (!checkCreate) {
+      return false;
+    }
+
+    const baseNodePermissionsWithoutCreate = baseNodePermissions.filter(
+      (permission: BaseNodeAction) => permission !== 'base_node|create'
+    );
+    if (!baseNodePermissionsWithoutCreate.length) {
+      return true;
+    }
+
+    if (!nodeId) {
+      throw new CustomHttpException('Node ID is required', HttpErrorCode.RESTRICTED_RESOURCE);
+    }
+
+    if (!node) {
+      throw new CustomHttpException('Node not found', HttpErrorCode.NOT_FOUND);
+    }
+
+    return baseNodePermissionsWithoutCreate.every((permission: BaseNodeAction) =>
+      checkBaseNodePermission(node, permission, permissionContext)
+    );
+  }
+
+  getBaseId(context: ExecutionContext): string | undefined {
+    const request = context.switchToHttp().getRequest();
+    const defaultBaseId = request.params ?? {};
+    return super.getResourceId(context) || defaultBaseId.baseId;
+  }
+
+  getNodeId(context: ExecutionContext): string | undefined {
+    const req = context.switchToHttp().getRequest();
+    return req.params.nodeId;
+  }
+
+  getNodeResourceType(context: ExecutionContext): BaseNodeResourceType {
+    const req = context.switchToHttp().getRequest();
+    return req.body.resourceType;
+  }
+
+  async getNode(baseId: string, nodeId?: string) {
+    if (!nodeId) {
+      return;
+    }
+    const node = await this.prismaService.baseNode.findFirst({
+      where: { baseId, id: nodeId },
+      select: {
+        id: true,
+        resourceType: true,
+        resourceId: true,
+      },
+    });
+
+    if (node) {
+      return {
+        resourceType: node.resourceType as BaseNodeResourceType,
+        resourceId: node.resourceId,
+      };
+    }
+  }
+
+  private async getPermissionContext() {
+    const permissions = this.clsInner.get('permissions');
+    const permissionSet = new Set(permissions);
+    return { permissionSet };
+  }
+}

apps/nestjs-backend/src/features/auth/permission.module.ts

@@ -1,10 +1,11 @@
 import { Global, Module } from '@nestjs/common';
+import { BaseNodePermissionGuard } from './guard/base-node-permission.guard';
 import { PermissionGuard } from './guard/permission.guard';
 import { PermissionService } from './permission.service';
 
 @Global()
 @Module({
-  providers: [PermissionService, PermissionGuard],
-  exports: [PermissionService, PermissionGuard],
+  providers: [PermissionService, PermissionGuard, BaseNodePermissionGuard],
+  exports: [PermissionService, PermissionGuard, BaseNodePermissionGuard],
 })
 export class PermissionModule {}

apps/nestjs-backend/src/features/base-node/base-node.controller.ts

@@ -1,5 +1,5 @@
 /* eslint-disable sonarjs/no-duplicate-string */
-import { Body, Controller, Delete, Get, Param, Post, Put } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Post, Put, UseGuards } from '@nestjs/common';
 import type { IBaseNodeTreeVo, IBaseNodeVo } from '@teable/openapi';
 import {
   moveBaseNodeRoSchema,
@@ -11,31 +11,67 @@ import {
   updateBaseNodeRoSchema,
   IUpdateBaseNodeRo,
 } from '@teable/openapi';
+import { ClsService } from 'nestjs-cls';
+import type { IClsStore } from '../../types/cls';
 import { ZodValidationPipe } from '../../zod.validation.pipe';
+import { BaseNodePermissions } from '../auth/decorators/base-node-permissions.decorator';
 import { Permissions } from '../auth/decorators/permissions.decorator';
+import { BaseNodePermissionGuard } from '../auth/guard/base-node-permission.guard';
+import { checkBaseNodePermission } from './base-node.permission.helper';
 import { BaseNodeService } from './base-node.service';
 
 @Controller('api/base/:baseId/node')
+@UseGuards(BaseNodePermissionGuard)
 export class BaseNodeController {
-  constructor(private readonly baseNodeService: BaseNodeService) {}
+  constructor(
+    private readonly baseNodeService: BaseNodeService,
+    private readonly cls: ClsService<IClsStore>
+  ) {}
+
+  @Get('list')
+  @Permissions('base|read')
+  async getList(@Param('baseId') baseId: string): Promise<IBaseNodeVo[]> {
+    const permissionContext = await this.getPermissionContext(baseId);
+    const nodeList = await this.baseNodeService.getList(baseId);
+    return nodeList.filter((node) =>
+      checkBaseNodePermission(
+        { resourceType: node.resourceType, resourceId: node.resourceId },
+        'base_node|read',
+        permissionContext
+      )
+    );
+  }
 
   @Get('tree')
   @Permissions('base|read')
   async getTree(@Param('baseId') baseId: string): Promise<IBaseNodeTreeVo> {
-    return this.baseNodeService.getTree(baseId);
+    const permissionContext = await this.getPermissionContext(baseId);
+    const tree = await this.baseNodeService.getTree(baseId);
+    return {
+      ...tree,
+      nodes: tree.nodes.filter((node) =>
+        checkBaseNodePermission(
+          { resourceType: node.resourceType, resourceId: node.resourceId },
+          'base_node|read',
+          permissionContext
+        )
+      ),
+    };
   }
 
   @Get(':nodeId')
   @Permissions('base|read')
-  async get(
+  @BaseNodePermissions('base_node|read')
+  async getNode(
     @Param('baseId') baseId: string,
     @Param('nodeId') nodeId: string
   ): Promise<IBaseNodeVo> {
-    return this.baseNodeService.getNode(baseId, nodeId);
+    return this.baseNodeService.getNodeVo(baseId, nodeId);
   }
 
   @Post()
-  @Permissions('base|update')
+  @Permissions('base|read')
+  @BaseNodePermissions('base_node|create')
   async create(
     @Param('baseId') baseId: string,
     @Body(new ZodValidationPipe(createBaseNodeRoSchema)) ro: ICreateBaseNodeRo
@@ -44,7 +80,8 @@ export class BaseNodeController {
   }
 
   @Post(':nodeId/duplicate')
-  @Permissions('base|update')
+  @Permissions('base|read')
+  @BaseNodePermissions('base_node|read', 'base_node|create')
   async duplicate(
     @Param('baseId') baseId: string,
     @Param('nodeId') nodeId: string,
@@ -53,14 +90,9 @@ export class BaseNodeController {
     return this.baseNodeService.duplicate(baseId, nodeId, ro);
   }
 
-  @Delete(':nodeId')
-  @Permissions('base|update')
-  async delete(@Param('baseId') baseId: string, @Param('nodeId') nodeId: string): Promise<void> {
-    return this.baseNodeService.delete(baseId, nodeId);
-  }
-
   @Put(':nodeId')
-  @Permissions('base|update')
+  @Permissions('base|read')
+  @BaseNodePermissions('base_node|update')
   async update(
     @Param('baseId') baseId: string,
     @Param('nodeId') nodeId: string,
@@ -71,11 +103,25 @@ export class BaseNodeController {
 
   @Put(':nodeId/move')
   @Permissions('base|update')
+  @BaseNodePermissions('base_node|update')
   async move(
     @Param('baseId') baseId: string,
     @Param('nodeId') nodeId: string,
     @Body(new ZodValidationPipe(moveBaseNodeRoSchema)) ro: IMoveBaseNodeRo
   ): Promise<IBaseNodeVo> {
     return this.baseNodeService.move(baseId, nodeId, ro);
   }
+
+  @Delete(':nodeId')
+  @Permissions('base|read')
+  @BaseNodePermissions('base_node|delete')
+  async delete(@Param('baseId') baseId: string, @Param('nodeId') nodeId: string): Promise<void> {
+    return this.baseNodeService.delete(baseId, nodeId);
+  }
+
+  protected async getPermissionContext(_baseId: string) {
+    const permissions = this.cls.get('permissions');
+    const permissionSet = new Set(permissions);
+    return { permissionSet };
+  }
 }