Releases: JaneJeon/objection-authorize
v3.1.2
Dependency and documentation updates
- add note about objection version support [skip ci] 17e9c18
- Merge branch 'master' of https://github.com/JaneJeon/objection-authorize bd532c4
- plug my plugin [skip ci] 5e2366b
- update runtime complexity analysis [skip ci] 68420e8
v3.1.1
This release fixes a critical bug where .delete() and .deleteById() would break for non-authorize calls.
All users of v3 are encouraged to update to this version!
- Merge branch 'master' of https://github.com/JaneJeon/objection-authorize 3e5c109
- fixes delete calls breaking for non-authorize calls 23f9868
- fix resource name extraction [skip ci] c71937f
- fix typo [skip ci] d109d93
- remove codeclimate support and add objection peer dependency 01c2446
- run new codeclimate settings e95de05
v3.1.0
v3.0.1
The release of version 3 took SO LONG that objection 2 actually came out in-between the time that I started working on v3 and the time I finished it.
So this release brings official support for BOTH Objection v1 and v2! 🎉
And yes, I know there's a deprecation message with objection@2: QueryBuilder#mergeContext method is deprecated. But since QueryBuilder#context doesn't work the same way in objection 1, we're going to keep using it until we have to drop support for objection 1!
- tests with objection v2 ed2385c
v3.0.0
Version 3 is here!
Version 3 brings a MASSIVE amount of internal rewrite to get casl and role-acl to play nice together (seriously, look at #61).
The only breaking changes are that the plugin initialization now requires you to specify a library (your choices currently are role-acl@3 and casl), and the resourceName option was dropped (unfortunately, due to the fundamental differences in the way the two libraries work).
That means once you plug in the library, you really shouldn't have to change your code at all!
There has been a bunch of cleanup (again, all internal), and a minor change in the way we handle resources: now, it's always wrapped in the model class.
This is the most exciting release this library has ever seen yet, and I hope it fixes all the little bugs and edge cases you had!
- V3 (#61) a9085f9
- closes #37 f99bf32
- wrap resource with model class only when it's a POJO 5177b62
- adds support for casl, closes #37 2a5ad1c
- [skip ci] 3.0 in progress 10f0a00
- factor out changes to allow testing separate plugins 45df2a3
- add notes about the ACL restrictions 14700ef
- update deps f3d5cc9
- rely on model class name for resource name 327c69d
- decouple authZ library with the plugin logic 40e6968
- add back readme changes c64f634
- Merge pull request #59 from JaneJeon/dependabot/npm_and_yarn/knex-0.20.6 2729d5b
- Merge pull request #60 from JaneJeon/dependabot/npm_and_yarn/types/jest-24.0.25 ecab7ba
- Bump @types/jest from 24.0.24 to 24.0.25 05aedb5
- Bump knex from 0.20.4 to 0.20.6 5154c5b
- Merge pull request #56 from JaneJeon/dependabot/npm_and_yarn/types/jest-24.0.24 ed7cfe0
- Bump @types/jest from 24.0.23 to 24.0.24 c32dd13
- Merge pull request #55 from JaneJeon/dependabot/npm_and_yarn/knex-0.20.4 1e3719c
- Merge pull request #54 from JaneJeon/dependabot/npm_and_yarn/prettier-standard-16.1.0 6ed40bf
- Merge pull request #53 from JaneJeon/dependabot/npm_and_yarn/sqlite3-4.1.1 2e04d86
- Bump knex from 0.20.3 to 0.20.4 ff50898
- Bump prettier-standard from 16.0.0 to 16.1.0 b5562bc
- Bump sqlite3 from 4.1.0 to 4.1.1 9b1a40e
- Bump prettier-standard from 15.0.1 to 16.0.0 (#49) 7a9ccb4
- Bump jest-junit from 9.0.0 to 10.0.0 (#50) bc18593
- Bump prettier-standard from 15.0.1 to 16.0.0 4563976
- Bump jest-junit from 9.0.0 to 10.0.0 6549bf9
- Merge pull request #51 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.5.0 93763d0
- Bump lint-staged from 9.4.3 to 9.5.0 c12c8a1
- Merge pull request #52 from JaneJeon/dependabot/npm_and_yarn/knex-0.20.3 cd0bf48
- Bump knex from 0.20.2 to 0.20.3 d9bc966
- [Security] Bump https-proxy-agent from 2.2.2 to 2.2.4 (#47) 4c2553c
- [Security] Bump https-proxy-agent from 2.2.2 to 2.2.4 c5ba244
- Merge pull request #43 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.4.3 58e8f22
- Bump lint-staged from 9.4.2 to 9.4.3 145623e
- Merge pull request #46 from JaneJeon/dependabot/npm_and_yarn/knex-0.20.2 54e3957
- Merge pull request #44 from JaneJeon/dependabot/npm_and_yarn/types/jest-24.0.23 55edf93
- Merge pull request #45 from JaneJeon/dependabot/npm_and_yarn/husky-3.1.0 e9d32c8
- Bump knex from 0.20.1 to 0.20.2 7129010
- Bump husky from 3.0.9 to 3.1.0 23329e1
- Bump @types/jest from 24.0.22 to 24.0.23 04c227f
- Merge pull request #41 from JaneJeon/dependabot/npm_and_yarn/types/jest-24.0.22 a999d90
- Merge pull request #40 from JaneJeon/dependabot/npm_and_yarn/knex-0.20.1 692a236
- Bump @types/jest from 24.0.20 to 24.0.22 1c9aa8c
- Bump knex from 0.20.0 to 0.20.1 ff6e505
- Merge remote-tracking branch 'origin/master' 92e079c
- add note on dropping support for role-acl@4 511704c
- Update README.md 7c97c55
v2.0.0
The 2.0 release is focused on reverting to synchronous methods and dropping support for role-acl@4, since the asynchronous nature was preventing us from checking the modelOrObjects in insert/update/create methods (yes, I know I said it would be supported in the 1.0 release, but it apparently slipped my mind, my apologies)!
Also, more methods are supported now (e.g. patchAndFetch, updateAndFetchById, insertAndFetch, etc.) and we also added the ability to specify a custom action!
- Merge branch 'master' of https://github.com/JaneJeon/objection-authorize b143654
- support more queries, switch to sync aeafae1
- update tests for synchronous methods 0b4efa7
- Bump knex from 0.19.5 to 0.20.0 (#35) cd58265
- Bump @types/jest from 24.0.19 to 24.0.20 (#33) 336fab5
- Merge branch 'master' into dependabot/npm_and_yarn/knex-0.20.0 1c166af
- Bump jest-junit from 8.0.0 to 9.0.0 (#34) 338d2c0
- Bump knex from 0.19.5 to 0.20.0 78815ae
- Bump jest-junit from 8.0.0 to 9.0.0 502bfd1
- Bump @types/jest from 24.0.19 to 24.0.20 58d9e16
- Merge pull request #32 from JaneJeon/dependabot/npm_and_yarn/types/jest-24.0.19 c2e8212
- Bump @types/jest from 24.0.18 to 24.0.19 4daa069
- linter e83f21e
v1.1.2
v1.1.1
Mostly documentation update. There was a slight change in the order in which properties were merged (look at the Object.assign() call in the _checkAccess method) - basically, the resource object itself and the resource argument options take precedence over req.user and req.body now.
Documentation on the resource/access context was light to begin with, so I added some clarifications.
- Merge branch 'master' of https://github.com/JaneJeon/objection-authorize 265e4c8
- clarify resource context for acl 43f5956
- add blog link [skip ci] 5b3623c
- Merge pull request #30 from JaneJeon/dependabot/npm_and_yarn/husky-3.0.9 bc1ef36
- Bump husky from 3.0.8 to 3.0.9 cb9bf70
- Merge pull request #31 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.4.2 5ddc556
- Bump lint-staged from 9.4.1 to 9.4.2 6ac3bc2
v1.1.0
v1.0.0
This is a major release of objection-authorize.
The main change is working around the clusterfuck that came with role-acl v4, which turned EVERY method async.
Given that most of the hooks that this library was using were expected to be synchronous, I had to make major changes to the way it handles "access checks" (which, again, were now asynchronous).
Therefore, all of the actual access control checks had to be pushed to right after the query is built and before it is executed. The benefit of this approach is that it is very backwards-compatible - in fact, I didn't have to change a SINGLE line of tests!
HOWEVER, there is ONE breaking change (that was undocumented before) - when you passed in a body/object to insert/update/patch pre-1.0, when access was granted to the operation as a whole (e.g. a user is allowed to edit their own profile) BUT certain properties that the user was trying to create/modify were restricted (e.g. a user can't edit their own role), we simply trimmed off those restricted properties from the request body.
This is no longer possible as we're checking access only after the entire query has been built. So when you try to create/modify a resource and change some restricted fields (while your changes are otherwise allowed), you will now get an error instead of having those fields silently ignored.
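The difference between the pre-1.0 trimming behaviour and the 1.0 error behaviour, as an added sketch that is not objection-authorize code. The grant table, roles, ForbiddenError class and function names are hypothetical and stand in for whatever ACL library and model you use.

```javascript
// Added illustration; not objection-authorize code. The grant table, role
// names and helper names below are hypothetical.
const grants = {
  // A user may update their own profile, but only these attributes.
  user: { update: { ownOnly: true, fields: ['name', 'email'] } },
  admin: { update: { ownOnly: false, fields: ['name', 'email', 'role'] } }
}

class ForbiddenError extends Error {
  constructor (message, fields = []) {
    super(message)
    this.name = 'ForbiddenError'
    this.statusCode = 403
    this.fields = fields // restricted fields the caller tried to set
  }
}

// Operation-level check shared by both strategies.
function grantFor (actor, action, resource) {
  const grant = (grants[actor.role] || {})[action]
  if (!grant || (grant.ownOnly && resource.id !== actor.id)) {
    throw new ForbiddenError(`${action} not allowed`)
  }
  return grant
}

// Pre-1.0 behaviour described above: restricted properties are silently dropped.
function updateTrimming (actor, resource, body) {
  const { fields } = grantFor(actor, 'update', resource)
  const allowed = Object.fromEntries(
    Object.entries(body).filter(([key]) => fields.includes(key))
  )
  return { ...resource, ...allowed }
}

// 1.0 behaviour: any restricted property fails the whole request.
function updateStrict (actor, resource, body) {
  const { fields } = grantFor(actor, 'update', resource)
  const denied = Object.keys(body).filter(key => !fields.includes(key))
  if (denied.length > 0) {
    throw new ForbiddenError('restricted fields in request', denied)
  }
  return { ...resource, ...body }
}

// Constructed sample input: a user trying to change their own role.
const alice = { id: 1, role: 'user', name: 'Alice', email: 'a@example.test' }
const body = { name: 'Alice B.', role: 'admin' }
```

With the constructed input, updateTrimming(alice, alice, body) applies the name change and leaves role as 'user', while updateStrict(alice, alice, body) throws a ForbiddenError whose fields list contains 'role'.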
- fix merge conflicts b174119
- works with ACL4 (breaking version) 167cf46
- combine standard with prettier ed2d056
- Merge pull request #26 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.4.1 458a6a6
- Bump lint-staged from 9.4.0 to 9.4.1 b78d5c9
- Merge pull request #25 from JaneJeon/dependabot/npm_and_yarn/knex-0.19.5 ecf8c58
- Merge pull request #23 from JaneJeon/dependabot/npm_and_yarn/husky-3.0.8 6e39a73
- Bump knex from 0.19.4 to 0.19.5 28136db
- Bump husky from 3.0.7 to 3.0.8 ce98e29
- Merge pull request #22 from JaneJeon/dependabot/npm_and_yarn/husky-3.0.7 0baa52a
- Merge pull request #21 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.4.0 da76a97
- Bump husky from 3.0.5 to 3.0.7 8278897
- Bump lint-staged from 9.3.0 to 9.4.0 2dffde8
- Update _config.yml 36f01e1
- Merge pull request #16 from JaneJeon/dependabot/npm_and_yarn/standard-14.3.1 c9009cb
- Merge pull request #19 from JaneJeon/dependabot/npm_and_yarn/objection-1.6.11 5dfc3bb
- Bump objection from 1.6.9 to 1.6.11 6f80a53
- Merge pull request #18 from JaneJeon/dependabot/npm_and_yarn/lint-staged-9.3.0 8ae38f0
- Merge pull request #17 from JaneJeon/dependabot/npm_and_yarn/codecov-3.6.1 153e4f0
- Bump lint-staged from 9.2.5 to 9.3.0 949ea34
- Bump codecov from 3.5.0 to 3.6.1 c940cf1
- Bump standard from 14.3.0 to 14.3.1 da6121b
- Merge pull request #14 from JaneJeon/dependabot/npm_and_yarn/standard-14.3.0 d3026d2
- Merge pull request #15 from JaneJeon/dependabot/npm_and_yarn/knex-0.19.4 85b035e
- Bump knex from 0.19.3 to 0.19.4 6fb9361
- Bump standard from 14.1.0 to 14.3.0 dd01a7f