feat: implement backend-only column visibility logic in REST API

NoOne7135 · NoOne7135 · commit a74ae1abaa44 · 2025-08-12T12:17:24.000+03:00
diff --git a/adminforth/modules/restApi.ts b/adminforth/modules/restApi.ts
@@ -11,6 +11,7 @@ import {
   IAdminForthSort,
   HttpExtra,
   IAdminForthAndOrFilter,
+  BackendOnlyInput,
 } from "../types/Back.js";
 
 import { ADMINFORTH_VERSION, listify, md5hash, getLoginPromptHTML } from './utils.js';
@@ -23,6 +24,46 @@ import { ActionCheckSource, AdminForthConfigMenuItem, AdminForthDataTypes, Admin
    ShowInResolved} from "../types/Common.js";
 import { filtersTools } from "../modules/filtersTools.js";
 
+async function resolveBoolOrFn(
+  val: BackendOnlyInput | undefined,
+  ctx: {
+    adminUser: AdminUser;
+    resource: AdminForthResource;
+    meta: any;
+    source: ActionCheckSource;
+    adminforth: IAdminForth;
+  }
+): Promise<boolean> {
+  if (typeof val === 'function') {
+    return !!(await (val as any)(ctx));
+  }
+  return !!val;
+}
+
+async function isBackendOnly(
+  col: AdminForthResource['columns'][number],
+  ctx: {
+    adminUser: AdminUser;
+    resource: AdminForthResource;
+    meta: any;
+    source: ActionCheckSource;
+    adminforth: IAdminForth;
+  }
+): Promise<boolean> {
+  return await resolveBoolOrFn(col.backendOnly as BackendOnlyInput, ctx);
+}
+
+async function isShown(
+  col: AdminForthResource['columns'][number],
+  page: 'list' | 'show' | 'edit' | 'create' | 'filter',
+  ctx: Parameters<typeof isBackendOnly>[1]
+): Promise<boolean> {
+  const s = (col.showIn as any) || {};
+  if (s[page] !== undefined) return await resolveBoolOrFn(s[page], ctx);
+  if (s.all !== undefined) return await resolveBoolOrFn(s.all, ctx);
+  return true;
+}
+
 export async function interpretResource(
   adminUser: AdminUser, 
   resource: AdminForthResource, 
@@ -363,12 +404,22 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
 
         // strip all backendOnly fields or not described in adminForth fields from dbUser
         // (when user defines column and does not set backendOnly, we assume it is not backendOnly)
-        Object.keys(adminUser.dbUser).forEach((key) => {
-          const col = userResource.columns.find((col) => col.name === key);
-          if (!col || col.backendOnly) {
-            delete adminUser.dbUser[key];
+        {
+          const ctx = {
+            adminUser,
+            resource: userResource,
+            meta: {},
+            source: ActionCheckSource.ShowRequest,
+            adminforth: this.adminforth,
+          };
+          for (const key of Object.keys(adminUser.dbUser)) {
+            const col = userResource.columns.find((c) => c.name === key);
+            const bo = col ? await isBackendOnly(col, ctx) : true;
+            if (!col || bo) {
+              delete adminUser.dbUser[key];
+            }
           }
-        })
+        }
 
         return {
           user: userData,
@@ -803,14 +854,30 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
 
         const pkField = resource.columns.find((col) => col.primaryKey)?.name;
         // remove all columns which are not defined in resources, or defined but backendOnly
-        data.data.forEach((item) => {
-          Object.keys(item).forEach((key) => {
-            if (!resource.columns.find((col) => col.name === key) || resource.columns.find((col) => col.name === key && col.backendOnly)) {
-              delete item[key];
+        {
+          const ctx = {
+            adminUser,
+            resource,
+            meta,
+            source: {
+              show: ActionCheckSource.ShowRequest,
+              list: ActionCheckSource.ListRequest,
+              edit: ActionCheckSource.EditLoadRequest,
+            }[source],
+            adminforth: this.adminforth,
+          };
+        
+          for (const item of data.data) {
+            for (const key of Object.keys(item)) {
+              const col = resource.columns.find((c) => c.name === key);
+              const bo = col ? await isBackendOnly(col, ctx) : true;
+              if (!col || bo) {
+                delete item[key];
+              }
             }
-          })
-          item._label = resource.recordLabel(item);
-        });
+            item._label = resource.recordLabel(item);
+          }
+        }
         if (source === 'list' && resource.options.listTableClickUrl) {
           await Promise.all(
             data.data.map(async (item) => {
@@ -1076,11 +1143,30 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               }
             }
 
+            const ctxCreate = {
+              adminUser,
+              resource,
+              meta: { requestBody: body },
+              source: ActionCheckSource.CreateRequest,
+              adminforth: this.adminforth,
+            };
+
+            for (const column of resource.columns) {
+              if ((column.required as { create?: boolean })?.create) {
+                const shown = await isShown(column, 'create', ctxCreate);
+                if (shown && record[column.name] === undefined) {
+                  return { error: `Column '${column.name}' is required`, ok: false };
+                }
+              }
+            }
+
             for (const column of resource.columns) {
               const fieldName = column.name;
               if (fieldName in record) {
-                if (!column.showIn?.create || column.backendOnly) {
-                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation (showIn.create is false, please set it to true)`, ok: false };
+                const shown = await isShown(column, 'create', ctxCreate);
+                const bo = await isBackendOnly(column, ctxCreate);
+                if (!shown || bo) {
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation (backendOnly or showIn.create is false, please set it to true)`, ok: false };
                 }
               }
             }
@@ -1172,15 +1258,24 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               return { error: allowedError };
             }
 
+            const ctxEdit = {
+              adminUser,
+              resource,
+              meta: { requestBody: body, newRecord: record, oldRecord, pk: recordId },
+              source: ActionCheckSource.EditRequest,
+              adminforth: this.adminforth,
+            };
+            
             for (const column of resource.columns) {
               const fieldName = column.name;
               if (fieldName in record) {
-                if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
-                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing (showIn.edit is false, please set it to true)`, ok: false };
+                const shown = await isShown(column, 'edit', ctxEdit);
+                const bo = await isBackendOnly(column, ctxEdit);
+                if (!shown || column.editReadonly || bo) {
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing (backendOnly or showIn.edit is false, please set it to true)`, ok: false };
                 }
               }
             }
-
             // for polymorphic foreign resources, we need to find out the value for polymorphicOn column
             for (const column of resource.columns) {
               if (column.foreignResource?.polymorphicOn && record[column.name] === null) {
diff --git a/adminforth/types/Back.ts b/adminforth/types/Back.ts
@@ -1503,15 +1503,27 @@ export type ShowInInput = ShowInModernInput | ShowInLegacyInput;
 export type ShowIn = {
   [key in AdminForthResourcePages]: AllowedActionValue
 }
+export type BackendOnlyInput =
+  | boolean
+  | ((p: {
+      adminUser: AdminUser;
+      resource: AdminForthResource;
+      meta: any;
+      source: ActionCheckSource;
+      adminforth: IAdminForth;
+    }) => boolean | Promise<boolean>);
+
 
-export interface AdminForthResourceColumnInput extends Omit<AdminForthResourceColumnInputCommon, 'showIn'> {
+export interface AdminForthResourceColumnInput extends Omit<AdminForthResourceColumnInputCommon, 'showIn' | 'backendOnly'> {
   showIn?: ShowInInput,
   foreignResource?: AdminForthForeignResource,
+  backendOnly?: BackendOnlyInput;
 }
 
-export interface AdminForthResourceColumn extends Omit<AdminForthResourceColumnCommon, 'showIn'> {
+export interface AdminForthResourceColumn extends Omit<AdminForthResourceColumnCommon, 'showIn' | 'backendOnly'> {
   showIn?: ShowIn,
   foreignResource?: AdminForthForeignResource,
+  backendOnly?: BackendOnlyInput;
 }
 
 export interface IWebSocketClient {
