fix: export should limit by permission

apps/nestjs-backend/src/features/export/open-api/export-open-api.controller.ts

@@ -6,7 +6,7 @@ import { ExportOpenApiService } from './export-open-api.service';
 
 @Controller('api/export')
 @UseGuards(PermissionGuard)
-export class ExportController {
+export class ExportOpenApiController {
   constructor(private readonly exportOpenService: ExportOpenApiService) {}
   @Get(':tableId')
   @Permissions('table|export', 'view|read')

apps/nestjs-backend/src/features/export/open-api/export-open-api.module.ts

@@ -1,12 +1,12 @@
 import { Module } from '@nestjs/common';
 import { FieldModule } from '../../field/field.module';
 import { RecordModule } from '../../record/record.module';
-import { ExportController } from './export-open-api.controller';
+import { ExportOpenApiController } from './export-open-api.controller';
 import { ExportOpenApiService } from './export-open-api.service';
 
 @Module({
   imports: [RecordModule, FieldModule],
-  controllers: [ExportController],
+  controllers: [ExportOpenApiController],
   providers: [ExportOpenApiService],
   exports: [ExportOpenApiService],
 })

apps/nestjs-backend/src/features/export/open-api/export-open-api.service.ts

@@ -1,7 +1,7 @@
 import { Readable } from 'stream';
 import { BadRequestException, Injectable, Logger } from '@nestjs/common';
-import type { IAttachmentCellValue } from '@teable/core';
-import { FieldType, ViewType } from '@teable/core';
+import type { IAttachmentCellValue, IFilter } from '@teable/core';
+import { FieldType, mergeFilter, ViewType } from '@teable/core';
 import { PrismaService } from '@teable/db-main-prisma';
 import type { Response } from 'express';
 import Papa from 'papaparse';
@@ -17,7 +17,15 @@ export class ExportOpenApiService {
     private readonly recordService: RecordService,
     private readonly prismaService: PrismaService
   ) {}
-  async exportCsvFromTable(response: Response, tableId: string, viewId?: string) {
+  async exportCsvFromTable(
+    response: Response,
+    tableId: string,
+    viewId?: string,
+    exportQuery?: {
+      projection?: string[];
+      recordFilter?: IFilter;
+    }
+  ) {
     let count = 0;
     let isOver = false;
     const csvStream = new Readable({
@@ -47,6 +55,7 @@ export class ExportOpenApiService {
             name: true,
             id: true,
             type: true,
+            filter: true,
           },
         })
         .catch((e) => {
@@ -68,9 +77,17 @@ export class ExportOpenApiService {
     csvStream.pipe(response);
 
     // set headers as first row
-    const headers = await this.fieldService.getFieldsByQuery(tableId, {
-      viewId: viewRaw?.id ? viewRaw?.id : undefined,
-      filterHidden: viewRaw?.id ? true : undefined,
+    const headers = (
+      await this.fieldService.getFieldsByQuery(tableId, {
+        viewId: viewRaw?.id ? viewRaw?.id : undefined,
+        filterHidden: viewRaw?.id ? true : undefined,
+      })
+    ).filter((field) => {
+      if (exportQuery?.projection?.length) {
+        return exportQuery?.projection.includes(field.id);
+      }
+
+      return true;
     });
     const headerData = Papa.unparse([headers.map((h) => h.name)]);
 
@@ -89,12 +106,17 @@ export class ExportOpenApiService {
     csvStream.push('\uFEFF');
     csvStream.push(headerData);
 
+    const mergedFilter = viewRaw?.filter
+      ? mergeFilter(JSON.parse(viewRaw?.filter), exportQuery?.recordFilter)
+      : exportQuery?.recordFilter;
+
     try {
       while (!isOver) {
         const { records } = await this.recordService.getRecords(tableId, {
           take: 1000,
           skip: count,
           viewId: viewRaw?.id ? viewRaw?.id : undefined,
+          filter: mergedFilter,
         });
         if (records.length === 0) {
           isOver = true;

apps/nextjs-app/src/features/app/blocks/view/list/ViewListItem.tsx

@@ -164,7 +164,7 @@ export const ViewListItem: React.FC<IProps> = ({ view, removable, isActive }) =>
                   {t('view.action.rename')}
                 </Button>
               )}
-              {view.type === 'grid' && permission['view|read'] && (
+              {view.type === 'grid' && permission['table|export'] && (
                 <Button
                   size="xs"
                   variant="ghost"

packages/core/src/auth/role/table.ts

@@ -1,6 +1,6 @@
 /* eslint-disable @typescript-eslint/naming-convention */
 import { z } from '../../zod';
-import { type FieldAction, type RecordAction, type ViewAction } from '../actions';
+import type { TableAction, FieldAction, RecordAction, ViewAction } from '../actions';
 import { Role } from './types';
 
 export const TableRole = {
@@ -13,4 +13,4 @@ export const tableRolesSchema = z.nativeEnum(TableRole);
 
 export type ITableRole = z.infer<typeof tableRolesSchema>;
 
-export type TablePermission = ViewAction | FieldAction | RecordAction;
+export type TablePermission = ViewAction | FieldAction | RecordAction | TableAction;