Merge pull request #175 from devforth/next

Next

Author: ivictbor

adminforth/commands/createApp/templates/adminuser.ts.hbs

@@ -88,15 +88,15 @@ export default {
   hooks: {
     create: {
       beforeSave: async ({ record, adminUser, resource }: { record: any, adminUser: AdminUser, resource: AdminForthResource }) => {
-        record.passwordHash = await AdminForth.Utils.generatePasswordHash(record.password);
+        record.password_hash = await AdminForth.Utils.generatePasswordHash(record.password);
         return { ok: true };
       }
     },
     edit: {
       beforeSave: async ({ updates, adminUser, resource }: { updates: any, adminUser: AdminUser, resource: AdminForthResource }) => {
         console.log('Updating user', updates);
         if (updates.password) {
-          updates.passwordHash = await AdminForth.Utils.generatePasswordHash(updates.password);
+          updates.password_hash = await AdminForth.Utils.generatePasswordHash(updates.password);
         }
         return { ok: true }
       },

adminforth/dataConnectors/baseConnector.ts

@@ -56,12 +56,17 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
       }, { ok: true, error: '' });
     }
 
-    if (!filters.operator) {
-      return { ok: false, error: `Field "operator" not specified in filter object: ${JSON.stringify(filters)}` };
-    }
-
     if ((filters as IAdminForthSingleFilter).field) {
       // if "field" is present, filter must be Single
+      if (!filters.operator) {
+        return { ok: false, error: `Field "operator" not specified in filter object: ${JSON.stringify(filters)}` };
+      }
+      if ((filters as IAdminForthSingleFilter).value === undefined) {
+        return { ok: false, error: `Field "value" not specified in filter object: ${JSON.stringify(filters)}` };
+      }
+      if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+        return { ok: false, error: `Field "insecureRawSQL" should not be specified in filter object alongside "field": ${JSON.stringify(filters)}` };
+      }
       if (![AdminForthFilterOperators.EQ, AdminForthFilterOperators.NE, AdminForthFilterOperators.GT,
       AdminForthFilterOperators.LT, AdminForthFilterOperators.GTE, AdminForthFilterOperators.LTE,
       AdminForthFilterOperators.LIKE, AdminForthFilterOperators.ILIKE, AdminForthFilterOperators.IN,
@@ -73,6 +78,7 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
         const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), (filters as IAdminForthSingleFilter).field);
         throw new Error(`Field '${(filters as IAdminForthSingleFilter).field}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
       }
+      // value normalization
       if (filters.operator == AdminForthFilterOperators.IN || filters.operator == AdminForthFilterOperators.NIN) {
         if (!Array.isArray(filters.value)) {
           return { ok: false, error: `Value for operator '${filters.operator}' should be an array, in filter object: ${JSON.stringify(filters) }` };
@@ -85,8 +91,19 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
       } else {
         (filters as IAdminForthSingleFilter).value = this.setFieldValue(fieldObj, (filters as IAdminForthSingleFilter).value);
       }
+    } else if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+      // if "insecureRawSQL" filter is insecure sql string
+      if ((filters as IAdminForthSingleFilter).operator) {
+        return { ok: false, error: `Field "operator" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      }
+      if ((filters as IAdminForthSingleFilter).value !== undefined) {
+        return { ok: false, error: `Field "value" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      }
     } else if ((filters as IAdminForthAndOrFilter).subFilters) {
       // if "subFilters" is present, filter must be AndOr
+      if (!filters.operator) {
+        return { ok: false, error: `Field "operator" not specified in filter object: ${JSON.stringify(filters)}` };
+      }
       if (![AdminForthFilterOperators.AND, AdminForthFilterOperators.OR].includes(filters.operator)) {
         return { ok: false, error: `Field "operator" has wrong value in filter object: ${JSON.stringify(filters)}` };
       }

adminforth/dataConnectors/clickhouse.ts

@@ -185,9 +185,14 @@ class ClickhouseConnector extends AdminForthBaseConnector implements IAdminForth
         return `${field} ${operator} ${placeholder}`;
       }
 
+      // filter is a single insecure raw sql
+      if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+        return (filter as IAdminForthSingleFilter).insecureRawSQL;
+      }
+
       // filter is a AndOr filter
       return (filter as IAdminForthAndOrFilter).subFilters.map((f) => {
-        if ((f as IAdminForthSingleFilter).field) {
+        if ((f as IAdminForthSingleFilter).field || (f as IAdminForthSingleFilter).insecureRawSQL) {
           // subFilter is a Single filter
           return this.getFilterString(resource, f);
         }
@@ -209,6 +214,11 @@ class ClickhouseConnector extends AdminForthBaseConnector implements IAdminForth
         }
       }
 
+      // filter is a Single insecure raw sql
+      if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+        return [];
+      }
+
       // filter is a AndOrFilter
       return (filter as IAdminForthAndOrFilter).subFilters.reduce((params: any[], f: IAdminForthSingleFilter | IAdminForthAndOrFilter) => {
         return params.concat(this.getFilterParams(f));
@@ -310,6 +320,13 @@ class ClickhouseConnector extends AdminForthBaseConnector implements IAdminForth
       filters: IAdminForthAndOrFilter;
     }): Promise<number> {
       const tableName = resource.table;
+      // validate and normalize in case this method is called from dataAPI
+      if (filters) {
+        const filterValidation = this.validateAndNormalizeFilters(filters, resource);
+        if (!filterValidation.ok) {
+          throw new Error(filterValidation.error);
+        }
+      }
       const { where, params } = this.whereClause(resource, filters);
 
       const countQ = await this.client.query({

adminforth/dataConnectors/mongo.ts

@@ -125,7 +125,10 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
         }
 
         // filter is a AndOr filter
-        return this.OperatorsMap[filter.operator]((filter as IAdminForthAndOrFilter).subFilters.map((f) => this.getFilterQuery(resource, f)));
+        return this.OperatorsMap[filter.operator]((filter as IAdminForthAndOrFilter).subFilters
+            // mongodb should ignore raw sql
+            .filter((f) => (f as IAdminForthSingleFilter).insecureRawSQL === undefined)
+            .map((f) => this.getFilterQuery(resource, f)));
     }
 
     async getDataWithOriginalTypes({ resource, limit, offset, sort, filters }:
@@ -162,7 +165,13 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
         resource: AdminForthResource,
         filters: IAdminForthAndOrFilter,
     }): Promise<number> {
-
+        if (filters) {
+            // validate and normalize in case this method is called from dataAPI
+            const filterValidation = this.validateAndNormalizeFilters(filters, resource);
+            if (!filterValidation.ok) {
+                throw new Error(filterValidation.error);
+            }
+        }
         const collection = this.client.db().collection(resource.table);
         const query = filters.subFilters.length ? this.getFilterQuery(resource, filters) : {};
         return await collection.countDocuments(query);

adminforth/dataConnectors/mysql.ts

@@ -186,9 +186,14 @@ class MysqlConnector extends AdminForthBaseConnector implements IAdminForthDataS
       return `${field} ${operator} ${placeholder}`;
     }
 
+    // filter is a single insecure raw sql
+    if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+      return (filter as IAdminForthSingleFilter).insecureRawSQL;
+    }
+
     // filter is a AndOr filter
     return (filter as IAdminForthAndOrFilter).subFilters.map((f) => {
-      if ((f as IAdminForthSingleFilter).field) {
+      if ((f as IAdminForthSingleFilter).field || (f as IAdminForthSingleFilter).insecureRawSQL) {
         // subFilter is a Single filter
         return this.getFilterString(f);
       }
@@ -209,6 +214,11 @@ class MysqlConnector extends AdminForthBaseConnector implements IAdminForthDataS
       }
     }
 
+    // filter is a Single insecure raw sql
+    if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+      return [];
+    }
+
     // filter is a AndOrFilter
     return (filter as IAdminForthAndOrFilter).subFilters.reduce((params: any[], f: IAdminForthSingleFilter | IAdminForthAndOrFilter) => {
       return params.concat(this.getFilterParams(f));
@@ -252,6 +262,13 @@ class MysqlConnector extends AdminForthBaseConnector implements IAdminForthDataS
 
   async getCount({ resource, filters }: { resource: AdminForthResource; filters: IAdminForthAndOrFilter; }): Promise<number> {
     const tableName = resource.table;
+    // validate and normalize in case this method is called from dataAPI
+    if (filters) {
+      const filterValidation = this.validateAndNormalizeFilters(filters, resource);
+      if (!filterValidation.ok) {
+        throw new Error(filterValidation.error);
+      }
+    }
     const { sql: where, values: filterValues } = this.whereClauseAndValues(filters);
     const q = `SELECT COUNT(*) FROM ${tableName} ${where}`;
     if (process.env.HEAVY_DEBUG_QUERY) {

adminforth/dataConnectors/postgres.ts

@@ -219,9 +219,14 @@ class PostgresConnector extends AdminForthBaseConnector implements IAdminForthDa
             return `${field} ${operator} ${placeholder}`;
         }
 
+        // filter is a single insecure raw sql
+        if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+            return (filter as IAdminForthSingleFilter).insecureRawSQL;
+        }
+
         // filter is a AndOr filter
         return (filter as IAdminForthAndOrFilter).subFilters.map((f) => {
-            if ((f as IAdminForthSingleFilter).field) {
+            if ((f as IAdminForthSingleFilter).field || (f as IAdminForthSingleFilter).insecureRawSQL) {
                 // subFilter is a Single filter
                 return this.getFilterString(resource, f);
             }
@@ -243,6 +248,11 @@ class PostgresConnector extends AdminForthBaseConnector implements IAdminForthDa
             }
         }
 
+        // filter is a single insecure raw sql
+        if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+            return [];
+        }
+
         // filter is a AndOrFilter
         return (filter as IAdminForthAndOrFilter).subFilters.reduce((params: any[], f: IAdminForthSingleFilter | IAdminForthAndOrFilter) => {
             return params.concat(this.getFilterParams(f));
@@ -291,6 +301,13 @@ class PostgresConnector extends AdminForthBaseConnector implements IAdminForthDa
 
     async getCount({ resource, filters }: { resource: AdminForthResource; filters: IAdminForthAndOrFilter; }): Promise<number> {
         const tableName = resource.table;
+        // validate and normalize in case this method is called from dataAPI
+        if (filters) {
+            const filterValidation = this.validateAndNormalizeFilters(filters, resource);
+            if (!filterValidation.ok) {
+                throw new Error(filterValidation.error);
+            }
+        }
         const { sql: where, values: filterValues } = this.whereClauseAndValues(resource, filters);
         const q = `SELECT COUNT(*) FROM "${tableName}" ${where}`;
         if (process.env.HEAVY_DEBUG_QUERY) {

adminforth/dataConnectors/sqlite.ts

@@ -172,9 +172,14 @@ class SQLiteConnector extends AdminForthBaseConnector implements IAdminForthData
         return `${field} ${operator} ${placeholder}`;
       }
 
+      // filter is a single insecure raw sql
+      if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+        return (filter as IAdminForthSingleFilter).insecureRawSQL;
+      }
+
       // filter is a AndOr filter
       return (filter as IAdminForthAndOrFilter).subFilters.map((f) => {
-        if ((f as IAdminForthSingleFilter).field) {
+        if ((f as IAdminForthSingleFilter).field || (f as IAdminForthSingleFilter).insecureRawSQL) {
           // subFilter is a Single filter
           return this.getFilterString(f);
         }
@@ -195,6 +200,11 @@ class SQLiteConnector extends AdminForthBaseConnector implements IAdminForthData
         }
       }
 
+      // filter is a Single insecure raw sql
+      if ((filter as IAdminForthSingleFilter).insecureRawSQL) {
+        return [];
+      }
+
       // filter is a AndOrFilter
       return (filter as IAdminForthAndOrFilter).subFilters.reduce((params: any[], f: IAdminForthSingleFilter | IAdminForthAndOrFilter) => {
         return params.concat(this.getFilterParams(f));
@@ -234,6 +244,7 @@ class SQLiteConnector extends AdminForthBaseConnector implements IAdminForthData
 
     async getCount({ resource, filters }) {
       if (filters) {
+      // validate and normalize in case this method is called from dataAPI
         const filterValidation = this.validateAndNormalizeFilters(filters, resource);
         if (!filterValidation.ok) {
           throw new Error(filterValidation.error);

adminforth/documentation/docs/tutorial/03-Customization/03-virtualColumns.md

@@ -67,6 +67,8 @@ columns: [
       resource: AdminForthResourceCommon;
       adminUser: AdminUser
   }>();
+
+###
     
    function getFlagEmojiFromIso(iso) {
       return iso?.toUpperCase()?.replace(/./g, (char) => String.fromCodePoint(char.charCodeAt(0) + 127397));
@@ -78,6 +80,102 @@ Here is how it looks:
 
 ![alt text](<Virtual columns.png>)
 
+## Virtual columns for filtering.
+
+Virtual column can also be used as a shorthand for a complex filtering.
+Lets say we want to divide apartments into two types: "base" ones and "luxury" and then allow admins to filter apartments by this category. Condition for being a "luxury" apartment is either having more then 80 sq.m area or costing more then 100k.
+One way to do it is to actually add a real column to a table and then fill it every time new apartment is added. A more simple way is to add a virtual column and then use `list.beforeDatasourceRequest` hook to replace filtering on this column with desired one.
+For this purpose following changes will be required for apartments config:
+
+```ts title='./resources/apartments.ts'
+...
+resourceId: 'aparts',
+...
+hooks: {
+...
+  list: {
+    beforeDatasourceRequest: async ({ query }: { query: any }) => {
+      query.filters = query.filters.map((filter: any) => {
+        // replace apartment_type filter with complex one
+        if (filter.field === 'apartment_type') {
+          if (filter.value === 'luxury') {
+            return Filters.OR([Filters.GTE('square_meter', 80), Filters.GTE('price', 100000)]);
+          }
+
+          // filter for "base" apartment as default
+          return Filters.AND([Filters.LT('square_meter', 80), Filters.LT('price', 100000)]);
+        }
+
+        return filter;
+      });
+      return { ok: true, error: "" };
+    },
+    ...
+  },
+...
+},
+...
+columns: [
+  ...
+  {
+    name: "apartment_type",
+    virtual: true,
+    showIn: { all: false, filter: true }, // hide it from display everywhere, except filter page
+    enum: [
+      {
+        value: 'base',
+        label: 'Base',
+      },
+      {
+        value: 'luxury',
+        label: 'Luxury'
+      },
+    ],
+    filterOptions: {
+      multiselect: false, // allow to only select one category when filtering
+    },
+  },
+  ...
+]
+```
+This way, when admin selects, for example, "Luxury" option for "Apartment Type" filter, it will be replace with a more complex "or" filter.
+
+### Custom SQL queries with `insecureRawSQL`
+
+Rarely the sec of Filters supported by AdminForth is not enough for your needs.
+In this case you can use `insecureRawSQL` to write your own part of where clause.
+
+However the vital concern that the SQL passed to DB as is, so if you substitute any user inputs it will not be escaped and can lead to SQL injection. To miticate the issue we recommend using `sqlstring` package which will escape the inputs for you.
+
+```bash
+npm i sqlstring
+```
+
+Then you can use it like this:
+
+```ts title='./resources/apartments.ts'
+import sqlstring from 'sqlstring';
+...
+
+  beforeDatasourceRequest: async ({ query }: { query: any }) => {
+    query.filters = query.filters.map((filter: any) => {
+      // replace apartment_type filter with complex one
+      if (filter.field === 'some_json_b_field') {
+        return {
+          // check if some_json_b_field->'$.some_field' is equal to filter.value
+          insecureRawSQL: `some_json_b_field->'$.some_field' = ${sqlstring.escape(filter.value)}`,
+        }
+      }
+
+      return filter;
+    });
+    return { ok: true, error: "" };
+  }
+```
+
+This example will allow to search for some nested field in JSONB column, however you can use any SQL query here.
+
+
 
 ## Virtual columns for editing.
 

adminforth/modules/restApi.ts

@@ -1019,7 +1019,7 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               const fieldName = column.name;
               if (fieldName in record) {
                 if (!column.showIn?.create || column.backendOnly) {
-                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation`, ok: false };
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation (showIn.create is false, please set it to true)`, ok: false };
                 }
               }
             }
@@ -1115,7 +1115,7 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               const fieldName = column.name;
               if (fieldName in record) {
                 if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
-                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing` };
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing (showIn.edit is false, please set it to true)`, ok: false };
                 }
               }
             }