[sync] feat: add node permissions T1149 (#937)

Synced from teableio/teable-ee@7bc149e

Author: teable-bot

.github/workflows/templates/preview-template.yaml

@@ -179,8 +179,6 @@ spec:
             - name: BACKEND_CACHE_REDIS_URI
               value: >-
                 redis://$(REDIS_USERNAME):$(REDIS_PASSWORD)@$(REDIS_HOST).ns-__NAMESPACE__.svc:$(REDIS_PORT)/1
-            - name: NEXT_ENV_IMAGES_ALL_REMOTE
-              value: 'true'
           resources:
             requests:
               cpu: 200m

.gitignore

@@ -29,6 +29,9 @@ node_modules
 /build
 /dist/
 
+# Next.js auto-generated type definitions
+**/next-env.d.ts
+
 # Cache
 *.tsbuildinfo
 **/.eslintcache

apps/nestjs-backend/package.json

@@ -98,7 +98,7 @@
     "dotenv-flow-cli": "1.1.1",
     "es-check": "7.1.1",
     "eslint": "8.57.0",
-    "eslint-config-next": "14.2.14",
+    "eslint-config-next": "15.5.9",
     "get-tsconfig": "4.7.3",
     "istanbul-merge": "2.0.0",
     "npm-run-all2": "6.1.2",
@@ -138,7 +138,7 @@
     "@keyv/sqlite": "3.6.7",
     "@nestjs-modules/mailer": "1.11.2",
     "@nestjs/axios": "3.0.2",
-    "@nestjs/bullmq": "10.2.1",
+    "@nestjs/bullmq": "11.0.4",
     "@nestjs/common": "10.3.5",
     "@nestjs/config": "3.2.1",
     "@nestjs/core": "10.3.5",
@@ -179,7 +179,7 @@
     "archiver": "7.0.1",
     "axios": "1.7.7",
     "bcrypt": "5.1.1",
-    "bullmq": "5.21.2",
+    "bullmq": "5.66.5",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.1",
     "cookie": "0.6.0",
@@ -197,7 +197,7 @@
     "handlebars": "4.7.8",
     "helmet": "7.1.0",
     "http-proxy-middleware": "3.0.3",
-    "ioredis": "5.4.1",
+    "ioredis": "5.9.1",
     "is-port-reachable": "3.1.0",
     "joi": "17.12.2",
     "keyv": "4.5.4",
@@ -213,7 +213,7 @@
     "nestjs-i18n": "10.5.1",
     "nestjs-pino": "4.4.1",
     "nestjs-redoc": "2.2.2",
-    "next": "14.2.35",
+    "next": "16.1.3",
     "node-fetch": "2.7.0",
     "node-sql-parser": "5.3.8",
     "nodemailer": "6.9.13",

apps/nestjs-backend/src/configs/threshold.config.ts

@@ -25,6 +25,11 @@ export const thresholdConfig = registerAs('threshold', () => ({
   maxOpenapiAttachmentUploadSize: Number(
     process.env.MAX_OPENAPI_ATTACHMENT_UPLOAD_SIZE ?? Infinity
   ),
+  webhook: {
+    bodyLimitBytes: Number(process.env.WEBHOOK_BODY_LIMIT_BYTES ?? 4 * 1024 * 1024),
+    baseRateLimit: Number(process.env.WEBHOOK_BASE_RATE_LIMIT ?? 50),
+    workflowRateLimit: Number(process.env.WEBHOOK_WORKFLOW_RATE_LIMIT ?? 2),
+  },
   dbDeadlock: {
     maxRetries: Number(process.env.BACKEND_DB_DEADLOCK_MAX_RETRIES ?? 3),
     initialBackoff: Number(process.env.BACKEND_DB_DEADLOCK_INITIAL_BACKOFF ?? 100),

apps/nestjs-backend/src/custom.exception.ts

@@ -39,6 +39,8 @@ export const getDefaultCodeByStatus = (status: HttpStatus) => {
       return HttpErrorCode.DATABASE_CONNECTION_UNAVAILABLE;
     case HttpStatus.REQUEST_TIMEOUT:
       return HttpErrorCode.REQUEST_TIMEOUT;
+    case HttpStatus.PAYLOAD_TOO_LARGE:
+      return HttpErrorCode.PAYLOAD_TOO_LARGE;
     default:
       return HttpErrorCode.UNKNOWN_ERROR_CODE;
   }

apps/nestjs-backend/src/event-emitter/event-job/fallback/fallback-queue.service.ts

@@ -52,7 +52,7 @@ export class FallbackQueueService implements OnModuleInit {
     });
   }
 
-  private handleListener(
+  private async handleListener(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     wrapper: InstanceWrapper,
     job: Job<unknown>
@@ -63,6 +63,10 @@ export class FallbackQueueService implements OnModuleInit {
       this.logger.warn(`${instance.constructor.name} has no method ${methodName}`);
       return;
     }
-    instance[methodName].call(instance, job);
+    try {
+      await instance[methodName].call(instance, job);
+    } catch (error) {
+      this.logger.error(`Error processing job ${job.name}:`, error);
+    }
   }
 }

apps/nestjs-backend/src/features/auth/guard/base-node-permission.guard.ts

@@ -11,6 +11,7 @@ import {
   checkBaseNodePermission,
   checkBaseNodePermissionCreate,
 } from '../../base-node/base-node.permission.helper';
+import type { IBaseNodePermissionContext } from '../../base-node/types';
 import { BaseNodeAction } from '../../base-node/types';
 import { BASE_NODE_PERMISSIONS_KEY } from '../decorators/base-node-permissions.decorator';
 import { IS_DISABLED_PERMISSION } from '../decorators/disabled-permission.decorator';
@@ -59,10 +60,7 @@ export class BaseNodePermissionGuard extends PermissionGuard {
   async checkActivate(
     context: ExecutionContext,
     baseId: string,
-    permissionContext: {
-      permissionSet: Set<string>;
-      tablePermissionMap?: Record<string, string[]>;
-    }
+    permissionContext: IBaseNodePermissionContext
   ) {
     const baseNodePermissions = this.reflectorInner.getAllAndOverride<BaseNodeAction[] | undefined>(
       BASE_NODE_PERMISSIONS_KEY,

apps/nestjs-backend/src/features/base-node/base-node.permission.helper.ts

@@ -1,7 +1,9 @@
 /* eslint-disable sonarjs/no-duplicate-string */
+import type { TableAction, AppAction, AutomationAction } from '@teable/core';
 import { HttpErrorCode } from '@teable/core';
 import { BaseNodeResourceType } from '@teable/openapi';
 import { CustomHttpException } from '../../custom.exception';
+import type { IBaseNodePermissionContext } from './types';
 import { BaseNodeAction } from './types';
 
 const map: Record<BaseNodeResourceType, Record<BaseNodeAction, string>> = {
@@ -40,28 +42,29 @@ const map: Record<BaseNodeResourceType, Record<BaseNodeAction, string>> = {
 export const checkBaseNodePermission = (
   node: { resourceType: BaseNodeResourceType; resourceId: string },
   action: BaseNodeAction,
-  permissionContext: {
-    tablePermissionMap?: Record<string, string[]>;
-    permissionSet: Set<string>;
-  }
+  permissionContext: IBaseNodePermissionContext
 ): boolean => {
   const { resourceType } = node;
   const { resourceId } = node;
-  const { tablePermissionMap, permissionSet } = permissionContext;
+  const { tablePermissionMap, permissionSet, appPermissionMap, workflowPermissionMap } =
+    permissionContext;
   const checkAction = map[resourceType][action];
   if (resourceType === BaseNodeResourceType.Table && tablePermissionMap) {
-    return tablePermissionMap[resourceId]?.includes(checkAction) ?? false;
+    return tablePermissionMap[resourceId]?.includes(checkAction as TableAction) ?? false;
+  }
+  if (resourceType === BaseNodeResourceType.App && appPermissionMap) {
+    return appPermissionMap[resourceId]?.includes(checkAction as AppAction) ?? false;
+  }
+  if (resourceType === BaseNodeResourceType.Workflow && workflowPermissionMap) {
+    return workflowPermissionMap[resourceId]?.includes(checkAction as AutomationAction) ?? false;
   }
   return permissionSet.has(checkAction);
 };
 
 export const checkBaseNodePermissionCreate = (
   node: { resourceType: BaseNodeResourceType; resourceId: string },
   baseNodePermissions: BaseNodeAction[],
-  permissionContext: {
-    tablePermissionMap?: Record<string, string[]>;
-    permissionSet: Set<string>;
-  }
+  permissionContext: IBaseNodePermissionContext
 ): boolean => {
   const checkCreate = baseNodePermissions.includes(BaseNodeAction.Create);
   if (!checkCreate) {

apps/nestjs-backend/src/features/base-node/types.ts

@@ -1,6 +1,15 @@
+import type { AppAction, AutomationAction, TableAction } from '@teable/core';
+
 export enum BaseNodeAction {
   Read = 'base_node|read',
   Create = 'base_node|create',
   Update = 'base_node|update',
   Delete = 'base_node|delete',
 }
+
+export type IBaseNodePermissionContext = {
+  tablePermissionMap?: Record<string, TableAction[]>;
+  permissionSet: Set<string>;
+  appPermissionMap?: Record<string, AppAction[]>;
+  workflowPermissionMap?: Record<string, AutomationAction[]>;
+};

apps/nestjs-backend/src/features/next/next.service.ts

@@ -4,14 +4,13 @@ import { ConfigService } from '@nestjs/config';
 import { generateQueryId } from '@teable/core';
 import type { IQueryParamsRo, IQueryParamsVo } from '@teable/openapi';
 import createServer from 'next';
-import type { NextServer } from 'next/dist/server/next';
 import { CacheService } from '../../cache/cache.service';
 import type { ICacheStore } from '../../cache/types';
 
 @Injectable()
 export class NextService implements OnModuleInit, OnModuleDestroy {
   private logger = new Logger(NextService.name);
-  public server!: NextServer;
+  public server!: ReturnType<typeof createServer>;
   constructor(
     private configService: ConfigService,
     private readonly cacheService: CacheService<ICacheStore>