fix(acl): incorrect data records when using m2m fields in collection permission data scope (#6304)

* fix(acl): incorrect data records when using m2m fields in collection permission data scope * fix: duplicate
2025-05-05 13:39:24 +08:00 · 2025-02-26 18:38:26 +08:00 · 2025-02-26 18:38:26 +08:00 · 414ec3c817
commit 414ec3c817
parent 55b70335cf
2 changed files with 76 additions and 1 deletions
--- a/packages/plugins/@nocobase/plugin-acl/src/server/tests/list-action.test.ts
+++ b/packages/plugins/@nocobase/plugin-acl/src/server/tests/list-action.test.ts
@ -216,6 +216,78 @@ describe('list action with acl', () => {
    expect(data.meta.allowedActions.destroy).toEqual([]);
  });

+  it('should list items meta permissions by m2m association field', async () => {
+    const userRole = app.acl.define({
+      role: 'user',
+    });
+
+    const Tag = app.db.collection({
+      name: 'tags',
+      fields: [{ type: 'string', name: 'name' }],
+    });
+
+    app.db.extendCollection({
+      name: 'posts',
+      fields: [
+        {
+          type: 'belongsToMany',
+          name: 'tags',
+          through: 'posts_tags',
+        },
+      ],
+    });
+    await app.db.sync();
+
+    await Tag.repository.create({
+      values: [{ name: 'a' }, { name: 'b' }, { name: 'c' }],
+    });
+    await Post.repository.create({
+      values: [
+        { title: 'p1', tags: [1, 2] },
+        { title: 'p2', tags: [1, 3] },
+        { title: 'p3', tags: [2, 3] },
+      ],
+    });
+
+    userRole.grantAction('posts:view', {});
+
+    userRole.grantAction('posts:update', {
+      filter: {
+        $and: [
+          {
+            tags: {
+              name: {
+                $includes: 'c',
+              },
+            },
+          },
+        ],
+      },
+    });
+
+    app.resourcer.use(
+      (ctx, next) => {
+        ctx.state.currentRole = 'user';
+        ctx.state.currentUser = {
+          id: 1,
+          tag: 'c',
+        };
+
+        return next();
+      },
+      {
+        before: 'acl',
+        after: 'auth',
+      },
+    );
+
+    const response = await (app as any).agent().set('X-With-ACL-Meta', true).resource('posts').list();
+    const data = response.body;
+    expect(data.meta.allowedActions.view).toEqual([1, 2, 3]);
+    expect(data.meta.allowedActions.update).toEqual([2, 3]);
+    expect(data.meta.allowedActions.destroy).toEqual([]);
+  });
+
  it('should list items with meta permission', async () => {
    const userRole = app.acl.define({
      role: 'user',
--- a/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/with-acl-meta.ts
+++ b/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/with-acl-meta.ts
@ -265,6 +265,7 @@ function createWithACLMetaMiddleware() {
        }),
      ],
      include: conditions.map((condition) => condition.include).flat(),
+      raw: true,
    });

    const allowedActions = inspectActions
@ -273,7 +274,9 @@ function createWithACLMetaMiddleware() {
          return [action, ids];
        }

-        return [action, results.filter((item) => Boolean(item.get(action))).map((item) => item.get(primaryKeyField))];
+        let actionIds = results.filter((item) => Boolean(item[action])).map((item) => item[primaryKeyField]);
+        actionIds = Array.from(new Set(actionIds));
+        return [action, actionIds];
      })
      .reduce((acc, [action, ids]) => {
        acc[action] = ids;