Merge pull request #126 from devforth/fix-audit-log-record-create

ivictbor · web-flow · commit ae5731ccff7d · 2025-02-24T19:17:18.000+02:00
fix: move field-level restrictions for create and edit operations to api call
diff --git a/adminforth/index.ts b/adminforth/index.ts
@@ -413,15 +413,6 @@ class AdminForth implements IAdminForth {
       return { error: err };
     }
 
-    for (const column of resource.columns) {
-      const fieldName = column.name;
-      if (fieldName in record) {
-        if (!column.showIn?.create || column.backendOnly) {
-          return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation` };
-        }
-      }
-    }
-
     // execute hook if needed
     for (const hook of listify(resource.hooks?.create?.beforeSave)) {
       console.log('🪲 Hook beforeSave', hook);
@@ -498,15 +489,6 @@ class AdminForth implements IAdminForth {
         delete record[column.name];
     }
 
-    for (const column of resource.columns) {
-      const fieldName = column.name;
-      if (fieldName in record) {
-        if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
-          return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing` };
-        }
-      }
-    }
-
     // execute hook if needed
     for (const hook of listify(resource.hooks?.edit?.beforeSave)) {
       const resp = await hook({
diff --git a/adminforth/modules/restApi.ts b/adminforth/modules/restApi.ts
@@ -896,6 +896,15 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               }
             }
 
+            for (const column of resource.columns) {
+              const fieldName = column.name;
+              if (fieldName in record) {
+                if (!column.showIn?.create || column.backendOnly) {
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation`, ok: false };
+                }
+              }
+            }
+
             const response = await this.adminforth.createResourceRecord({ resource, record, adminUser, extra: { body, query, headers, cookies, requestUrl } });
             if (response.error) {
               return { error: response.error, ok: false };
@@ -939,6 +948,15 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
               return { error: allowedError };
             }
 
+            for (const column of resource.columns) {
+              const fieldName = column.name;
+              if (fieldName in record) {
+                if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
+                  return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing` };
+                }
+              }
+            }
+
             const { error } = await this.adminforth.updateResourceRecord({ resource, record, adminUser, oldRecord, recordId, extra: { body, query, headers, cookies, requestUrl} });
             if (error) {
               return { error };
