Merge branch 'main' into email-phone-filter-improvements

Author: lyubov-voloshko

backend/package.json

@@ -56,7 +56,7 @@
 		"@types/qrcode": "^1.5.6",
 		"@zapier/secret-scrubber": "^1.1.6",
 		"argon2": "0.44.0",
-		"axios": "^1.13.6",
+		"axios": "^1.15.0",
 		"base32-encode": "^2.0.0",
 		"basic-auth": "2.0.1",
 		"bcrypt": "6.0.0",

backend/src/entities/ai/ai.service.ts

@@ -301,12 +301,26 @@ IMPORTANT:
 			const tableInfo = tablesInformation.find((t) => t.table_name === tableSettings.table_name);
 			const validColumnNames = tableInfo?.structure.map((col) => col.column_name) || [];
 
+			const requiredFieldsWithoutDefault = new Set(
+				tableInfo?.structure
+					.filter((col) => !col.allow_null && col.column_default === null && !checkFieldAutoincrement(col.column_default, col.extra))
+					.map((col) => col.column_name) || [],
+			);
+
 			const settings = new TableSettingsEntity();
 			settings.table_name = tableSettings.table_name;
 			settings.display_name = tableSettings.display_name;
 			settings.search_fields = this.filterValidColumns(tableSettings.search_fields, validColumnNames);
-			settings.readonly_fields = this.filterValidColumns(tableSettings.readonly_fields, validColumnNames);
-			settings.columns_view = this.filterValidColumns(tableSettings.columns_view, validColumnNames);
+			settings.readonly_fields = this.filterValidColumns(tableSettings.readonly_fields, validColumnNames).filter(
+				(field) => !requiredFieldsWithoutDefault.has(field),
+			);
+			const filteredColumnsView = this.filterValidColumns(tableSettings.columns_view, validColumnNames);
+			for (const requiredField of requiredFieldsWithoutDefault) {
+				if (!filteredColumnsView.includes(requiredField)) {
+					filteredColumnsView.push(requiredField);
+				}
+			}
+			settings.columns_view = filteredColumnsView;
 			settings.ordering = this.mapOrdering(tableSettings.ordering);
 			settings.ordering_field = validColumnNames.includes(tableSettings.ordering_field)
 				? tableSettings.ordering_field

backend/src/entities/cedar-authorization/cedar-action-map.ts

@@ -11,13 +11,18 @@ export enum CedarAction {
 	DashboardCreate = 'dashboard:create',
 	DashboardEdit = 'dashboard:edit',
 	DashboardDelete = 'dashboard:delete',
+	PanelRead = 'panel:read',
+	PanelCreate = 'panel:create',
+	PanelEdit = 'panel:edit',
+	PanelDelete = 'panel:delete',
 }
 
 export enum CedarResourceType {
 	Connection = 'RocketAdmin::Connection',
 	Group = 'RocketAdmin::Group',
 	Table = 'RocketAdmin::Table',
 	Dashboard = 'RocketAdmin::Dashboard',
+	Panel = 'RocketAdmin::Panel',
 }
 
 export const CEDAR_ACTION_TYPE = 'RocketAdmin::Action';
@@ -31,4 +36,5 @@ export interface CedarValidationRequest {
 	groupId?: string;
 	tableName?: string;
 	dashboardId?: string;
+	panelId?: string;
 }

backend/src/entities/cedar-authorization/cedar-authorization.service.ts

@@ -34,7 +34,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 	}
 
 	async validate(request: CedarValidationRequest): Promise<boolean> {
-		const { userId, action, groupId, tableName, dashboardId } = request;
+		const { userId, action, groupId, tableName, dashboardId, panelId } = request;
 		let { connectionId } = request;
 
 		const actionPrefix = action.split(':')[0];
@@ -61,13 +61,20 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 				const needsSentinel = action === CedarAction.DashboardCreate || !dashboardId;
 				const effectiveDashboardId = needsSentinel ? '__new__' : dashboardId;
 				resourceId = `${connectionId}/${effectiveDashboardId}`;
-				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, effectiveDashboardId);
+				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, effectiveDashboardId, undefined);
+			}
+			case 'panel': {
+				resourceType = CedarResourceType.Panel;
+				const needsSentinel = action === CedarAction.PanelCreate || !panelId;
+				const effectivePanelId = needsSentinel ? '__new__' : panelId;
+				resourceId = `${connectionId}/${effectivePanelId}`;
+				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, undefined, effectivePanelId);
 			}
 			default:
 				return false;
 		}
 
-		return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, dashboardId);
+		return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, dashboardId, undefined);
 	}
 
 	invalidatePolicyCacheForConnection(connectionId: string): void {
@@ -169,6 +176,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		resourceId: string,
 		tableName?: string,
 		dashboardId?: string,
+		panelId?: string,
 	): Promise<boolean> {
 		await this.assertUserNotSuspended(userId);
 
@@ -178,7 +186,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		const groupPolicies = this.loadPoliciesPerGroup(userGroups);
 		if (groupPolicies.length === 0) return false;
 
-		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId);
+		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId, panelId);
 
 		for (const policy of groupPolicies) {
 			const call = {
@@ -303,6 +311,19 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 				);
 			}
 		}
+
+		const panelResourceIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Panel::"([^"]+)"/g)].map(
+			(m) => m[1],
+		);
+
+		for (const panelRef of panelResourceIds) {
+			if (!panelRef.startsWith(`${connectionId}/`)) {
+				throw new HttpException(
+					{ message: Messages.CEDAR_POLICY_REFERENCES_FOREIGN_CONNECTION },
+					HttpStatus.BAD_REQUEST,
+				);
+			}
+		}
 	}
 
 }

backend/src/entities/cedar-authorization/cedar-entity-builder.ts

@@ -12,6 +12,7 @@ export function buildCedarEntities(
 	connectionId: string,
 	tableName?: string,
 	dashboardId?: string,
+	panelId?: string,
 ): Array<CedarEntityRecord> {
 	const entities: Array<CedarEntityRecord> = [];
 
@@ -58,5 +59,13 @@ export function buildCedarEntities(
 		});
 	}
 
+	if (panelId) {
+		entities.push({
+			uid: { type: 'RocketAdmin::Panel', id: `${connectionId}/${panelId}` },
+			attrs: { connectionId: connectionId },
+			parents: [{ type: 'RocketAdmin::Connection', id: connectionId }],
+		});
+	}
+
 	return entities;
 }

backend/src/entities/cedar-authorization/cedar-permissions.service.ts

@@ -1,16 +1,16 @@
+import * as cedarWasm from '@cedar-policy/cedar-wasm/nodejs';
 import { HttpException, HttpStatus, Inject, Injectable } from '@nestjs/common';
+import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
+import { BaseType } from '../../common/data-injection.tokens.js';
 import { AccessLevelEnum } from '../../enums/index.js';
 import { Messages } from '../../exceptions/text/messages.js';
 import { Cacher } from '../../helpers/cache/cacher.js';
-import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
-import { BaseType } from '../../common/data-injection.tokens.js';
 import { GroupEntity } from '../group/group.entity.js';
 import { ITablePermissionData } from '../permission/permission.interface.js';
-import { CedarAction, CedarResourceType, CEDAR_ACTION_TYPE, CEDAR_USER_TYPE } from './cedar-action-map.js';
+import { IUserAccessRepository } from '../user-access/repository/user-access.repository.interface.js';
+import { CEDAR_ACTION_TYPE, CEDAR_USER_TYPE, CedarAction, CedarResourceType } from './cedar-action-map.js';
 import { buildCedarEntities } from './cedar-entity-builder.js';
 import { CEDAR_SCHEMA } from './cedar-schema.js';
-import * as cedarWasm from '@cedar-policy/cedar-wasm/nodejs';
-import { IUserAccessRepository } from '../user-access/repository/user-access.repository.interface.js';
 
 interface EvalContext {
 	userGroups: Array<GroupEntity>;
@@ -435,5 +435,4 @@ export class CedarPermissionsService implements IUserAccessRepository {
 
 		return { userGroups, policies };
 	}
-
 }

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -87,6 +87,46 @@ export function generateCedarPolicyForGroup(
 		}
 	}
 
+	if (permissions.panels) {
+		let hasPanelCreatePermission = false;
+		let hasPanelReadPermission = false;
+		for (const panel of permissions.panels) {
+			const panelRef = `RocketAdmin::Panel::"${connectionId}/${panel.panelId}"`;
+			const access = panel.accessLevel;
+
+			if (access.read) {
+				hasPanelReadPermission = true;
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:read",\n  resource == ${panelRef}\n);`,
+				);
+			}
+			if (access.create) {
+				hasPanelCreatePermission = true;
+			}
+			if (access.edit) {
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:edit",\n  resource == ${panelRef}\n);`,
+				);
+			}
+			if (access.delete) {
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:delete",\n  resource == ${panelRef}\n);`,
+				);
+			}
+		}
+		const newPanelRef = `RocketAdmin::Panel::"${connectionId}/__new__"`;
+		if (hasPanelReadPermission) {
+			policies.push(
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:read",\n  resource == ${newPanelRef}\n);`,
+			);
+		}
+		if (hasPanelCreatePermission) {
+			policies.push(
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:create",\n  resource == ${newPanelRef}\n);`,
+			);
+		}
+	}
+
 	for (const table of permissions.tables) {
 		const tableRef = `RocketAdmin::Table::"${connectionId}/${table.tableName}"`;
 		const access = table.accessLevel;

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -2,6 +2,7 @@ import { AccessLevelEnum } from '../../enums/index.js';
 import {
 	IComplexPermission,
 	IDashboardPermissionData,
+	IPanelPermissionData,
 	ITablePermissionData,
 } from '../permission/permission.interface.js';
 
@@ -24,10 +25,12 @@ export function parseCedarPolicyToClassicalPermissions(
 		group: { groupId, accessLevel: AccessLevelEnum.none },
 		tables: [],
 		dashboards: [],
+		panels: [],
 	};
 
 	const tableMap = new Map<string, ITablePermissionData>();
 	const dashboardMap = new Map<string, IDashboardPermissionData>();
+	const panelMap = new Map<string, IPanelPermissionData>();
 
 	for (const permit of permits) {
 		if (permit.isWildcard) {
@@ -75,6 +78,16 @@ export function parseCedarPolicyToClassicalPermissions(
 				applyDashboardAction(dashboardEntry, permit.action);
 				break;
 			}
+			case 'panel:read':
+			case 'panel:create':
+			case 'panel:edit':
+			case 'panel:delete': {
+				const panelId = extractPanelId(permit.resourceId, connectionId);
+				if (!panelId) break;
+				const panelEntry = getOrCreatePanelEntry(panelMap, panelId);
+				applyPanelAction(panelEntry, permit.action);
+				break;
+			}
 		}
 	}
 
@@ -84,6 +97,7 @@ export function parseCedarPolicyToClassicalPermissions(
 		a.readonly = a.visibility && !a.add && !a.edit && !a.delete;
 	}
 	result.dashboards = Array.from(dashboardMap.values());
+	result.panels = Array.from(panelMap.values());
 
 	return result;
 }
@@ -268,3 +282,49 @@ function applyDashboardAction(entry: IDashboardPermissionData, action: string):
 			break;
 	}
 }
+
+function extractPanelId(resourceId: string | null, connectionId: string): string | null {
+	if (!resourceId) return null;
+	const prefix = `${connectionId}/`;
+	if (resourceId.startsWith(prefix)) {
+		return resourceId.slice(prefix.length);
+	}
+	return resourceId;
+}
+
+function getOrCreatePanelEntry(
+	map: Map<string, IPanelPermissionData>,
+	panelId: string,
+): IPanelPermissionData {
+	let entry = map.get(panelId);
+	if (!entry) {
+		entry = {
+			panelId,
+			accessLevel: {
+				read: false,
+				create: false,
+				edit: false,
+				delete: false,
+			},
+		};
+		map.set(panelId, entry);
+	}
+	return entry;
+}
+
+function applyPanelAction(entry: IPanelPermissionData, action: string): void {
+	switch (action) {
+		case 'panel:read':
+			entry.accessLevel.read = true;
+			break;
+		case 'panel:create':
+			entry.accessLevel.create = true;
+			break;
+		case 'panel:edit':
+			entry.accessLevel.edit = true;
+			break;
+		case 'panel:delete':
+			entry.accessLevel.delete = true;
+			break;
+	}
+}

backend/src/entities/cedar-authorization/cedar-schema.ts

@@ -45,6 +45,15 @@ export const CEDAR_SCHEMA = {
 					},
 				},
 			},
+			Panel: {
+				memberOfTypes: ['Connection'],
+				shape: {
+					type: 'Record',
+					attributes: {
+						connectionId: { type: 'String' },
+					},
+				},
+			},
 		},
 		actions: {
 			'connection:read': {
@@ -119,6 +128,30 @@ export const CEDAR_SCHEMA = {
 					resourceTypes: ['Dashboard'],
 				},
 			},
+			'panel:read': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:create': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:edit': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:delete': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
 		},
 	},
 };

backend/src/entities/connection/connection.entity.ts

@@ -1,3 +1,4 @@
+import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
 import { Expose } from 'class-transformer';
 import { nanoid } from 'nanoid';
 import {
@@ -12,7 +13,6 @@ import {
 	PrimaryColumn,
 	Relation,
 } from 'typeorm';
-import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
 import { Encryptor } from '../../helpers/encryption/encryptor.js';
 import { isConnectionTypeAgent } from '../../helpers/index.js';
 import { AgentEntity } from '../agent/agent.entity.js';