Merge branch 'next' of github.com:devforth/adminforth into next

Author: SerVitasik

adminforth/dataConnectors/baseConnector.ts

@@ -94,26 +94,35 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
       }, { ok: true, error: '' });
     }
 
-    if ((filters as IAdminForthSingleFilter).field) {
+    const filtersAsSingle = filters as IAdminForthSingleFilter;
+    if (filtersAsSingle.field) {
       // if "field" is present, filter must be Single
       if (!filters.operator) {
         return { ok: false, error: `Field "operator" not specified in filter object: ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).value === undefined) {
+      // Either compare with value or with rightField (field-to-field). If rightField is set, value must be undefined.
+      const comparingWithRightField = filtersAsSingle.rightField !== undefined && filtersAsSingle.rightField !== null;
+      if (!comparingWithRightField && filtersAsSingle.value === undefined) {
         return { ok: false, error: `Field "value" not specified in filter object: ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+      if (comparingWithRightField && filtersAsSingle.value !== undefined) {
+        return { ok: false, error: `Specify either "value" or "rightField", not both: ${JSON.stringify(filters)}` };
+      }
+      if (filtersAsSingle.insecureRawSQL) {
         return { ok: false, error: `Field "insecureRawSQL" should not be specified in filter object alongside "field": ${JSON.stringify(filters)}` };
       }
+      if (filtersAsSingle.insecureRawNoSQL) {
+        return { ok: false, error: `Field "insecureRawNoSQL" should not be specified in filter object alongside "field": ${JSON.stringify(filters)}` };
+      }
       if (![AdminForthFilterOperators.EQ, AdminForthFilterOperators.NE, AdminForthFilterOperators.GT,
       AdminForthFilterOperators.LT, AdminForthFilterOperators.GTE, AdminForthFilterOperators.LTE,
       AdminForthFilterOperators.LIKE, AdminForthFilterOperators.ILIKE, AdminForthFilterOperators.IN,
       AdminForthFilterOperators.NIN].includes(filters.operator)) {
         return { ok: false, error: `Field "operator" has wrong value in filter object: ${JSON.stringify(filters)}` };
       }
-      const fieldObj = resource.dataSourceColumns.find((col) => col.name == (filters as IAdminForthSingleFilter).field);
+      const fieldObj = resource.dataSourceColumns.find((col) => col.name == filtersAsSingle.field);
       if (!fieldObj) {
-        const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), (filters as IAdminForthSingleFilter).field);
+        const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), filtersAsSingle.field);
 
         let isPolymorphicTarget = false;
         if (global.adminforth?.config?.resources) {
@@ -126,20 +135,28 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
           );
         }
         if (isPolymorphicTarget) {
-          process.env.HEAVY_DEBUG && console.log(`⚠️  Field '${(filters as IAdminForthSingleFilter).field}' not found in polymorphic target resource '${resource.resourceId}', allowing query to proceed.`);
+          process.env.HEAVY_DEBUG && console.log(`⚠️  Field '${filtersAsSingle.field}' not found in polymorphic target resource '${resource.resourceId}', allowing query to proceed.`);
           return { ok: true, error: '' };
         } else {
-          throw new Error(`Field '${(filters as IAdminForthSingleFilter).field}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
+          throw new Error(`Field '${filtersAsSingle.field}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
         }
       }
       // value normalization
-      if (filters.operator == AdminForthFilterOperators.IN || filters.operator == AdminForthFilterOperators.NIN) {
+      if (comparingWithRightField) {
+        // ensure rightField exists in resource
+        const rightFieldObj = resource.dataSourceColumns.find((col) => col.name == filtersAsSingle.rightField);
+        if (!rightFieldObj) {
+          const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), filtersAsSingle.rightField as string);
+          throw new Error(`Field '${filtersAsSingle.rightField}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
+        }
+        // No value conversion needed for field-to-field comparison here
+      } else if (filters.operator == AdminForthFilterOperators.IN || filters.operator == AdminForthFilterOperators.NIN) {
         if (!Array.isArray(filters.value)) {
           return { ok: false, error: `Value for operator '${filters.operator}' should be an array, in filter object: ${JSON.stringify(filters) }` };
         }
         if (filters.value.length === 0) {
           // nonsense, and some databases might not accept IN []
-          const colType = resource.dataSourceColumns.find((col) => col.name == (filters as IAdminForthSingleFilter).field)?.type;
+          const colType = resource.dataSourceColumns.find((col) => col.name == filtersAsSingle.field)?.type;
           if (colType === AdminForthDataTypes.STRING || colType === AdminForthDataTypes.TEXT) {
             filters.value = [randomUUID()];
             return { ok: true,  error: `` };
@@ -149,15 +166,15 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
         }
         filters.value = filters.value.map((val: any) => this.setFieldValue(fieldObj, val));
       } else {
-        (filters as IAdminForthSingleFilter).value = this.setFieldValue(fieldObj, (filters as IAdminForthSingleFilter).value);
+        filtersAsSingle.value = this.setFieldValue(fieldObj, filtersAsSingle.value);
       }
-    } else if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+    } else if (filtersAsSingle.insecureRawSQL || filtersAsSingle.insecureRawNoSQL) {
       // if "insecureRawSQL" filter is insecure sql string
-      if ((filters as IAdminForthSingleFilter).operator) {
-        return { ok: false, error: `Field "operator" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      if (filtersAsSingle.operator) {
+        return { ok: false, error: `Field "operator" should not be specified in filter object alongside "insecureRawSQL" or "insecureRawNoSQL": ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).value !== undefined) {
-        return { ok: false, error: `Field "value" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      if (filtersAsSingle.value !== undefined) {
+        return { ok: false, error: `Field "value" should not be specified in filter object alongside "insecureRawSQL" or "insecureRawNoSQL": ${JSON.stringify(filters)}` };
       }
     } else if ((filters as IAdminForthAndOrFilter).subFilters) {
       // if "subFilters" is present, filter must be AndOr

adminforth/dataConnectors/clickhouse.ts

@@ -226,6 +226,13 @@ class ClickhouseConnector extends AdminForthBaseConnector implements IAdminForth
 
     getFilterString(resource: AdminForthResource, filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): string {
       if ((filter as IAdminForthSingleFilter).field) {
+        // Field-to-field comparison support
+        if ((filter as IAdminForthSingleFilter).rightField) {
+          const left = (filter as IAdminForthSingleFilter).field;
+          const right = (filter as IAdminForthSingleFilter).rightField;
+          const operator = this.OperatorsMap[filter.operator];
+          return `${left} ${operator} ${right}`;
+        }
         // filter is a Single filter
         let field = (filter as IAdminForthSingleFilter).field;
         const column = resource.dataSourceColumns.find((col) => col.name == field);
@@ -280,6 +287,10 @@ class ClickhouseConnector extends AdminForthBaseConnector implements IAdminForth
 
     getFilterParams(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any[] {
       if ((filter as IAdminForthSingleFilter).field) {
+        if ((filter as IAdminForthSingleFilter).rightField) {
+          // No params for field-to-field comparisons
+          return [];
+        }
         // filter is a Single filter
         if (filter.operator == AdminForthFilterOperators.LIKE || filter.operator == AdminForthFilterOperators.ILIKE) {
           return [{ 'f': `%${filter.value}%` }];

adminforth/dataConnectors/mongo.ts

@@ -212,7 +212,38 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
     }
 
     getFilterQuery(resource: AdminForthResource, filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any {
+        // accept raw NoSQL filters for MongoDB
+        if ((filter as IAdminForthSingleFilter).insecureRawNoSQL !== undefined) {
+            return (filter as IAdminForthSingleFilter).insecureRawNoSQL;
+        }
+
+        // explicitly ignore raw SQL filters for MongoDB
+        if ((filter as IAdminForthSingleFilter).insecureRawSQL !== undefined) {
+            console.warn('⚠️  Ignoring insecureRawSQL filter for MongoDB:', (filter as IAdminForthSingleFilter).insecureRawSQL);
+            return {};
+        }
+
         if ((filter as IAdminForthSingleFilter).field) {
+            // Field-to-field comparisons via $expr
+            if ((filter as IAdminForthSingleFilter).rightField) {
+                const left = `$${(filter as IAdminForthSingleFilter).field}`;
+                const right = `$${(filter as IAdminForthSingleFilter).rightField}`;
+                const op = (filter as IAdminForthSingleFilter).operator;
+                const exprOpMap = {
+                    [AdminForthFilterOperators.GT]: '$gt',
+                    [AdminForthFilterOperators.GTE]: '$gte',
+                    [AdminForthFilterOperators.LT]: '$lt',
+                    [AdminForthFilterOperators.LTE]: '$lte',
+                    [AdminForthFilterOperators.EQ]: '$eq',
+                    [AdminForthFilterOperators.NE]: '$ne',
+                } as const;
+                const mongoExprOp = exprOpMap[op];
+                if (!mongoExprOp) {
+                    // For unsupported ops with rightField, return empty condition
+                    return {};
+                }
+                return { $expr: { [mongoExprOp]: [left, right] } };
+            }
             const column = resource.dataSourceColumns.find((col) => col.name === (filter as IAdminForthSingleFilter).field);
             if (['integer', 'decimal', 'float'].includes(column.type)) {
                 return { [(filter as IAdminForthSingleFilter).field]: this.OperatorsMap[filter.operator](+(filter as IAdminForthSingleFilter).value) };
@@ -222,7 +253,7 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
 
         // filter is a AndOr filter
         return this.OperatorsMap[filter.operator]((filter as IAdminForthAndOrFilter).subFilters
-            // mongodb should ignore raw sql
+            // mongodb should ignore raw SQL, but allow raw NoSQL
             .filter((f) => (f as IAdminForthSingleFilter).insecureRawSQL === undefined)
             .map((f) => this.getFilterQuery(resource, f)));
     }

adminforth/dataConnectors/mysql.ts

@@ -204,6 +204,13 @@ class MysqlConnector extends AdminForthBaseConnector implements IAdminForthDataS
 
   getFilterString(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): string {
     if ((filter as IAdminForthSingleFilter).field) {
+      // Field-to-field comparison support
+      if ((filter as IAdminForthSingleFilter).rightField) {
+        const left = (filter as IAdminForthSingleFilter).field;
+        const right = (filter as IAdminForthSingleFilter).rightField;
+        const operator = this.OperatorsMap[filter.operator];
+        return `${left} ${operator} ${right}`;
+      }
       // filter is a Single filter
       let placeholder = '?';
       let field = (filter as IAdminForthSingleFilter).field;
@@ -249,6 +256,10 @@ class MysqlConnector extends AdminForthBaseConnector implements IAdminForthDataS
   }
   getFilterParams(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any[] {
     if ((filter as IAdminForthSingleFilter).field) {
+      if ((filter as IAdminForthSingleFilter).rightField) {
+        // No params for field-to-field comparisons
+        return [];
+      }
       // filter is a Single filter
       if (filter.operator == AdminForthFilterOperators.LIKE || filter.operator == AdminForthFilterOperators.ILIKE) {
         return [`%${filter.value}%`];

adminforth/dataConnectors/postgres.ts

@@ -225,6 +225,13 @@ class PostgresConnector extends AdminForthBaseConnector implements IAdminForthDa
 
     getFilterString(resource: AdminForthResource, filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): string {
         if ((filter as IAdminForthSingleFilter).field) {
+            // Field-to-field comparison support
+            if ((filter as IAdminForthSingleFilter).rightField) {
+                const left = `"${(filter as IAdminForthSingleFilter).field}"`;
+                const right = `"${(filter as IAdminForthSingleFilter).rightField}"`;
+                const operator = this.OperatorsMap[filter.operator];
+                return `${left} ${operator} ${right}`;
+            }
             let placeholder = '$?';
             let field = (filter as IAdminForthSingleFilter).field;
             const fieldData = resource.dataSourceColumns.find((col) => col.name == field);
@@ -265,6 +272,10 @@ class PostgresConnector extends AdminForthBaseConnector implements IAdminForthDa
 
     getFilterParams(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any[] {
         if ((filter as IAdminForthSingleFilter).field) {
+            if ((filter as IAdminForthSingleFilter).rightField) {
+                // No params for field-to-field comparisons
+                return [];
+            }
             // filter is a Single filter
             if (filter.operator == AdminForthFilterOperators.LIKE || filter.operator == AdminForthFilterOperators.ILIKE) {
                 return [`%${filter.value}%`];

adminforth/dataConnectors/sqlite.ts

@@ -179,6 +179,13 @@ class SQLiteConnector extends AdminForthBaseConnector implements IAdminForthData
 
     getFilterString(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): string {
       if ((filter as IAdminForthSingleFilter).field) {
+        // Field-to-field comparison support
+        if ((filter as IAdminForthSingleFilter).rightField) {
+          const left = (filter as IAdminForthSingleFilter).field;
+          const right = (filter as IAdminForthSingleFilter).rightField;
+          const operator = this.OperatorsMap[filter.operator];
+          return `${left} ${operator} ${right}`;
+        }
         // filter is a Single filter
         let placeholder = '?';
         let field = (filter as IAdminForthSingleFilter).field;
@@ -222,6 +229,10 @@ class SQLiteConnector extends AdminForthBaseConnector implements IAdminForthData
     }
     getFilterParams(filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any[] {
       if ((filter as IAdminForthSingleFilter).field) {
+        if ((filter as IAdminForthSingleFilter).rightField) {
+          // No params for field-to-field comparisons
+          return [];
+        }
         // filter is a Single filter
         if (filter.operator == AdminForthFilterOperators.LIKE || filter.operator == AdminForthFilterOperators.ILIKE) {
           return [`%${filter.value}%`];

adminforth/documentation/docs/tutorial/03-Customization/03-virtualColumns.md

@@ -176,6 +176,48 @@ import sqlstring from 'sqlstring';
 This example will allow to search for some nested field in JSONB column, however you can use any SQL query here.
 
 
+### Custom Mongo queries with `insecureRawNoSQL`
+
+For MongoDB data sources, you can inject a raw Mongo filter object via `insecureRawNoSQL`. This is useful when the built-in filters are not enough or you need dot-notation and operators not covered by AdminForth helpers.
+
+Important: The object you provide is sent directly to MongoDB. Validate and sanitize any user inputs to prevent abuse of operators like `$where`, `$regex`, etc.
+
+Example — filter by nested field using dot-notation:
+
+```ts title='./resources/apartments.ts'
+...
+hooks: {
+  list: {
+    beforeDatasourceRequest: async ({ query, body }: { query: any, body: any }) => {
+      // Add raw Mongo filter: meta.is_active must equal body.is_active
+      query.filters.push({
+        insecureRawNoSQL: { 'meta.is_active': body.is_active },
+      });
+      return { ok: true, error: '' };
+    },
+  },
+},
+```
+
+You can combine it with other AdminForth filters using AND/OR:
+
+```ts
+import { Filters } from 'adminforth';
+
+query.filters = [
+  Filters.AND(
+    { insecureRawNoSQL: { 'meta.is_active': true } },
+    Filters.EQ('status', 'active'),
+  )
+];
+```
+
+Notes:
+- `insecureRawNoSQL` is Mongo-only. For SQL databases, use `insecureRawSQL`.
+- If both `field`/`operator`/`value` and `insecureRawNoSQL` are present in one filter object, validation will fail.
+- `insecureRawSQL` is ignored by the Mongo connector.
+
+
 
 ## Virtual columns for editing.
 

adminforth/documentation/docs/tutorial/07-Plugins/17-bulk-ai-flow.md

@@ -311,4 +311,24 @@ new BulkAiFlowPlugin({
 ```
 
 - Consider using lower resolution (`512x512`) for faster generation and lower costs
-- Test prompts thoroughly before applying to large datasets
+- Test prompts thoroughly before applying to large datasets
+
+## Comparing new and old images
+
+If you want to compare a generated image with an image stored in your storage, you need to add the preview prop in your upload plugin setup:
+
+```ts
+  new UploadPlugin({
+        ...
+    //diff-add
+    preview: {
+    //diff-add
+      previewUrl: ({filePath}) => `https://static.my-domain.com/${filePath}`,
+    //diff-add
+    }
+        ...
+  })
+```
+After generation, you’ll see a button labeled "old image". Clicking it will open a pop-up where you can compare the generated image with the stored one:
+
+![alt text](Bulk-vision-4.png)