feat: add hasFullAccess field for unlimited resource access (#1574)

Author: boris-w

apps/nestjs-backend/src/features/access-token/access-token.service.ts

@@ -27,10 +27,19 @@ export class AccessTokenService {
       createdTime?: Date;
       lastUsedTime?: Date | null;
       expiredTime?: Date;
+      hasFullAccess?: boolean | null;
     },
   >(accessTokenEntity: T) {
-    const { scopes, spaceIds, baseIds, createdTime, lastUsedTime, expiredTime, description } =
-      accessTokenEntity;
+    const {
+      scopes,
+      spaceIds,
+      baseIds,
+      createdTime,
+      lastUsedTime,
+      expiredTime,
+      description,
+      hasFullAccess,
+    } = accessTokenEntity;
     return {
       ...accessTokenEntity,
       description: description || undefined,
@@ -40,6 +49,7 @@ export class AccessTokenService {
       createdTime: createdTime?.toISOString(),
       lastUsedTime: lastUsedTime?.toISOString(),
       expiredTime: expiredTime?.toISOString(),
+      hasFullAccess: hasFullAccess ?? undefined,
     };
   }
 
@@ -87,6 +97,7 @@ export class AccessTokenService {
         scopes: true,
         spaceIds: true,
         baseIds: true,
+        hasFullAccess: true,
         createdTime: true,
         expiredTime: true,
         lastUsedTime: true,
@@ -100,7 +111,7 @@ export class AccessTokenService {
     createAccessToken: CreateAccessTokenRo & { clientId?: string; userId?: string }
   ) {
     const userId = createAccessToken.userId ?? this.cls.get('user.id')!;
-    const { name, description, scopes, spaceIds, baseIds, expiredTime, clientId } =
+    const { name, description, scopes, spaceIds, baseIds, expiredTime, clientId, hasFullAccess } =
       createAccessToken;
     const id = generateAccessTokenId();
     const sign = getRandomString(16);
@@ -116,6 +127,7 @@ export class AccessTokenService {
         sign,
         clientId,
         expiredTime: new Date(expiredTime).toISOString(),
+        hasFullAccess,
       },
       select: {
         id: true,
@@ -127,6 +139,7 @@ export class AccessTokenService {
         expiredTime: true,
         createdTime: true,
         lastUsedTime: true,
+        hasFullAccess: true,
       },
     });
     return {
@@ -172,7 +185,7 @@ export class AccessTokenService {
 
   async updateAccessToken(id: string, updateAccessToken: UpdateAccessTokenRo) {
     const userId = this.cls.get('user.id');
-    const { name, description, scopes, spaceIds, baseIds } = updateAccessToken;
+    const { name, description, scopes, spaceIds, baseIds, hasFullAccess } = updateAccessToken;
     const accessTokenEntity = await this.prismaService.accessToken.update({
       where: { id, userId },
       data: {
@@ -181,6 +194,7 @@ export class AccessTokenService {
         scopes: JSON.stringify(scopes),
         spaceIds: spaceIds === null ? null : JSON.stringify(spaceIds),
         baseIds: baseIds === null ? null : JSON.stringify(baseIds),
+        hasFullAccess,
       },
       select: {
         id: true,
@@ -189,6 +203,7 @@ export class AccessTokenService {
         scopes: true,
         spaceIds: true,
         baseIds: true,
+        hasFullAccess: true,
       },
     });
     return this.transformAccessTokenEntity(accessTokenEntity);
@@ -208,6 +223,7 @@ export class AccessTokenService {
         createdTime: true,
         expiredTime: true,
         lastUsedTime: true,
+        hasFullAccess: true,
       },
     });
     const res = this.transformAccessTokenEntity(item);

apps/nestjs-backend/src/features/auth/guard/permission.guard.ts

@@ -57,6 +57,15 @@ export class PermissionGuard {
     return true;
   }
 
+  private async permissionSpaceRead() {
+    const accessTokenId = this.cls.get('accessTokenId');
+    if (accessTokenId) {
+      const { scopes } = await this.permissionService.getAccessToken(accessTokenId);
+      return scopes.includes('space|read');
+    }
+    return true;
+  }
+
   protected async resourcePermission(resourceId: string | undefined, permissions: Action[]) {
     if (!resourceId) {
       console.log('permissions', permissions);
@@ -122,9 +131,13 @@ export class PermissionGuard {
     if (permissions?.includes('base|read_all')) {
       return await this.permissionBaseReadAll();
     }
+    const resourceId = this.getResourceId(context);
+    if (!resourceId && permissions?.includes('space|read')) {
+      return await this.permissionSpaceRead();
+    }
 
     // resource permission check
-    return await this.resourcePermission(this.getResourceId(context), permissions);
+    return await this.resourcePermission(resourceId, permissions);
   }
 
   /**

apps/nestjs-backend/src/features/auth/permission.service.spec.ts

@@ -224,6 +224,7 @@ describe('PermissionService', () => {
         scopes,
         spaceIds,
         baseIds: undefined,
+        hasFullAccess: undefined,
       });
 
       const result = await service.getPermissionsByAccessToken(resourceId, accessTokenId);
@@ -240,6 +241,7 @@ describe('PermissionService', () => {
         scopes: ['table|update'],
         spaceIds,
         baseIds: undefined,
+        hasFullAccess: undefined,
       });
 
       await expect(
@@ -256,6 +258,7 @@ describe('PermissionService', () => {
         scopes: ['table|read'],
         baseIds,
         spaceIds: undefined,
+        hasFullAccess: undefined,
       });
 
       vi.spyOn(service as any, 'isBaseIdAllowedForResource').mockResolvedValueOnce(false);

apps/nestjs-backend/src/features/auth/permission.service.ts

@@ -84,9 +84,17 @@ export class PermissionService {
       baseIds,
       clientId,
       userId,
+      hasFullAccess,
     } = await this.prismaService.accessToken.findFirstOrThrow({
       where: { id: accessTokenId },
-      select: { scopes: true, spaceIds: true, baseIds: true, clientId: true, userId: true },
+      select: {
+        scopes: true,
+        spaceIds: true,
+        baseIds: true,
+        clientId: true,
+        userId: true,
+        hasFullAccess: true,
+      },
     });
     const scopes = JSON.parse(stringifyScopes) as Action[];
     if (clientId && clientId.startsWith(IdPrefix.OAuthClient)) {
@@ -102,6 +110,7 @@ export class PermissionService {
       scopes,
       spaceIds: spaceIds ? JSON.parse(spaceIds) : undefined,
       baseIds: baseIds ? JSON.parse(baseIds) : undefined,
+      hasFullAccess: hasFullAccess ?? undefined,
     };
   }
 
@@ -170,7 +179,11 @@ export class PermissionService {
     accessTokenId: string,
     includeInactiveResource?: boolean
   ) {
-    const { scopes, spaceIds, baseIds } = await this.getAccessToken(accessTokenId);
+    const { scopes, spaceIds, baseIds, hasFullAccess } = await this.getAccessToken(accessTokenId);
+
+    if (hasFullAccess) {
+      return scopes;
+    }
 
     if (
       !resourceId.startsWith(IdPrefix.Space) &&

apps/nestjs-backend/src/features/base/base.service.ts

@@ -110,54 +110,6 @@ export class BaseService {
     });
   }
 
-  async getAccessBaseList() {
-    const userId = this.cls.get('user.id');
-    const accessTokenId = this.cls.get('accessTokenId');
-    const { spaceIds, baseIds } =
-      await this.collaboratorService.getCurrentUserCollaboratorsBaseAndSpaceArray();
-
-    if (accessTokenId) {
-      const access = await this.prismaService.accessToken.findFirst({
-        select: {
-          baseIds: true,
-          spaceIds: true,
-        },
-        where: {
-          id: accessTokenId,
-          userId,
-        },
-      });
-      if (!access) {
-        return [];
-      }
-      spaceIds.push(...(access.spaceIds || []));
-      baseIds.push(...(access.baseIds || []));
-    }
-
-    return this.prismaService.base.findMany({
-      select: {
-        id: true,
-        name: true,
-      },
-      where: {
-        deletedTime: null,
-        OR: [
-          {
-            id: {
-              in: baseIds,
-            },
-          },
-          {
-            spaceId: {
-              in: spaceIds,
-            },
-          },
-        ],
-      },
-      orderBy: [{ spaceId: 'asc' }, { order: 'asc' }],
-    });
-  }
-
   private async getMaxOrder(spaceId: string) {
     const spaceAggregate = await this.prismaService.base.aggregate({
       where: { spaceId, deletedTime: null },

apps/nestjs-backend/src/features/space/space.controller.ts

@@ -89,6 +89,7 @@ export class SpaceController {
     return await this.spaceService.getSpaceById(spaceId);
   }
 
+  @Permissions('space|read')
   @Get()
   async getSpaceList(): Promise<IGetSpaceVo[]> {
     return await this.spaceService.getSpaceList();

apps/nestjs-backend/src/features/space/space.service.ts

@@ -83,6 +83,21 @@ export class SpaceService {
     };
   }
 
+  async filterSpaceListWithAccessToken(spaceList: { id: string; name: string }[]) {
+    const accessTokenId = this.cls.get('accessTokenId');
+    if (!accessTokenId) {
+      return spaceList;
+    }
+    const accessToken = await this.permissionService.getAccessToken(accessTokenId);
+    if (accessToken.hasFullAccess) {
+      return spaceList;
+    }
+    if (!accessToken.spaceIds?.length) {
+      return [];
+    }
+    return spaceList.filter((space) => accessToken.spaceIds.includes(space.id));
+  }
+
   async getSpaceList() {
     const userId = this.cls.get('user.id');
     const departmentIds = this.cls.get('organization.departments')?.map((d) => d.id);
@@ -118,7 +133,8 @@ export class SpaceService {
       },
       {} as Record<string, { roleName: string; resourceId: string }>
     );
-    return spaceList.map((space) => ({
+    const filteredSpaceList = await this.filterSpaceListWithAccessToken(spaceList);
+    return filteredSpaceList.map((space) => ({
       ...space,
       role: roleMap[space.id].roleName as IRole,
     }));

apps/nestjs-backend/test/access-token.e2e-spec.ts

@@ -5,6 +5,7 @@ import type {
   CreateAccessTokenRo,
   CreateAccessTokenVo,
   ICreateSpaceVo,
+  IGetSpaceVo,
   ITableFullVo,
   UpdateAccessTokenRo,
 } from '@teable/openapi';
@@ -31,6 +32,7 @@ import {
   deleteBase,
   getAccessToken,
   GET_BASE_ALL,
+  GET_SPACE_LIST,
 } from '@teable/openapi';
 import dayjs from 'dayjs';
 import { createNewUserAxios } from './utils/axios-instance/new-user';
@@ -151,6 +153,7 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
     let tableReadToken: string;
     let recordReadToken: string;
     let baseReadAllToken: string;
+    let spaceReadToken: string;
     const axios = createAxios();
 
     beforeAll(async () => {
@@ -173,6 +176,13 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
       });
       baseReadAllToken = baseReadAllTokenData.token;
       axios.defaults.baseURL = defaultAxios.defaults.baseURL;
+
+      const { data: spaceReadTokenData } = await createAccessToken({
+        ...defaultCreateRo,
+        name: 'space read token',
+        scopes: ['space|read'],
+      });
+      spaceReadToken = spaceReadTokenData.token;
     });
 
     it('get table list has table|read permission', async () => {
@@ -272,5 +282,58 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
       expect(error?.status).toEqual(403);
       await newUserAxios.delete(urlBuilder(DELETE_SPACE, { spaceId }));
     });
+
+    it('get space list has space|read permission', async () => {
+      const res = await axios.get<IGetSpaceVo[]>(urlBuilder(GET_SPACE_LIST), {
+        headers: {
+          Authorization: `Bearer ${spaceReadToken}`,
+        },
+      });
+      expect(res.status).toEqual(200);
+      expect(res.data.map(({ id }) => id)).toEqual([spaceId]);
+    });
+
+    it('get space list has not space|read permission', async () => {
+      const error = await getError(() =>
+        axios.get<IGetSpaceVo[]>(urlBuilder(GET_SPACE_LIST), {
+          headers: {
+            Authorization: `Bearer ${tableReadToken}`,
+          },
+        })
+      );
+      expect(error?.status).toEqual(403);
+    });
+
+    it('hasFullAccess', async () => {
+      const space = await createSpace({ name: 'has full access space' }).then((res) => res.data);
+      const { data: newAccessToken } = await createAccessToken({
+        ...defaultCreateRo,
+        name: 'has full access token',
+        scopes: ['space|read'],
+      });
+      const { data: fullAccessToken } = await createAccessToken({
+        ...defaultCreateRo,
+        name: 'has full access token',
+        scopes: ['space|read'],
+        hasFullAccess: true,
+      });
+      const newAccessTokenRes = await axios.get<IGetSpaceVo[]>(urlBuilder(GET_SPACE_LIST), {
+        headers: {
+          Authorization: `Bearer ${newAccessToken.token}`,
+        },
+      });
+      const fullAccessTokenRes = await axios.get<IGetSpaceVo[]>(urlBuilder(GET_SPACE_LIST), {
+        headers: {
+          Authorization: `Bearer ${fullAccessToken.token}`,
+        },
+      });
+      await permanentDeleteSpace(space.id);
+      expect(newAccessTokenRes.status).toEqual(200);
+      expect(newAccessTokenRes.data.map(({ id }) => id)).toEqual([spaceId]);
+      expect(fullAccessTokenRes.status).toEqual(200);
+      expect(fullAccessTokenRes.data.map(({ id }) => id)).toEqual(
+        expect.arrayContaining([spaceId, space.id])
+      );
+    });
   });
 });