From 728743ab339e079c4148e26a5eeedf91fbf745dc Mon Sep 17 00:00:00 2001
From: Petr Kachanovsky
Date: Mon, 24 Feb 2025 15:32:56 +0200
Subject: [PATCH] fix: move field-level restrictions for create and edit operations to api call
---
 adminforth/index.ts | 18 ------------------
 adminforth/modules/restApi.ts | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/adminforth/index.ts b/adminforth/index.ts
index 00e7eada..ba151fda 100644
--- a/adminforth/index.ts
+++ b/adminforth/index.ts
@@ -413,15 +413,6 @@ class AdminForth implements IAdminForth {
 return { error: err };
 }
 
- for (const column of resource.columns) {
- const fieldName = column.name;
- if (fieldName in record) {
- if (!column.showIn?.create || column.backendOnly) {
- return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation` };
- }
- }
- }
-
 // execute hook if needed
 for (const hook of listify(resource.hooks?.create?.beforeSave)) {
 console.log('🪲 Hook beforeSave', hook);
@@ -498,15 +489,6 @@ class AdminForth implements IAdminForth {
 delete record[column.name];
 }
 
- for (const column of resource.columns) {
- const fieldName = column.name;
- if (fieldName in record) {
- if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
- return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing` };
- }
- }
- }
-
 // execute hook if needed
 for (const hook of listify(resource.hooks?.edit?.beforeSave)) {
 const resp = await hook({
diff --git a/adminforth/modules/restApi.ts b/adminforth/modules/restApi.ts
index d643f7f4..003a0b45 100644
--- a/adminforth/modules/restApi.ts
+++ b/adminforth/modules/restApi.ts
@@ -896,6 +896,15 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
 }
 }
 
+ for (const column of resource.columns) {
+ const fieldName = column.name;
+ if (fieldName in record) {
+ if (!column.showIn?.create || column.backendOnly) {
+ return { error: `Field "${fieldName}" cannot be modified as it is restricted from creation`, ok: false };
+ }
+ }
+ }
+
 const response = await this.adminforth.createResourceRecord({ resource, record, adminUser, extra: { body, query, headers, cookies, requestUrl } });
 if (response.error) {
 return { error: response.error, ok: false };
@@ -939,6 +948,15 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
 return { error: allowedError };
 }
 
+ for (const column of resource.columns) {
+ const fieldName = column.name;
+ if (fieldName in record) {
+ if (!column.showIn?.edit || column.editReadonly || column.backendOnly) {
+ return { error: `Field "${fieldName}" cannot be modified as it is restricted from editing` };
+ }
+ }
+ }
+
 const { error } = await this.adminforth.updateResourceRecord({ resource, record, adminUser, oldRecord, recordId, extra: { body, query, headers, cookies, requestUrl} });
 if (error) {
 return { error };
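Review bot: The field-restriction check is now enforced only in this REST handler (the create hunk at @@ -896, and likewise the edit hunk at @@ -939), so `createResourceRecord` and `updateResourceRecord` accept `backendOnly` and hidden columns from any caller, and nothing in the new code says so. A comment above each loop such as `// Sole enforcement point for showIn/editReadonly/backendOnly: the core create/update methods trust their caller` would keep a later endpoint or plugin from forwarding client input to the core methods unchecked. The loop also walks `resource.columns`, so a key in `record` that matches no declared column passes this check; whether such keys are dropped further down is not visible here and is worth confirming. The two loops differ only in their condition and could share one private helper so the create and edit rules do not drift apart. Both handler bodies start and end outside the hunks.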
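Review bot: In the edit hunk (@@ -939) the check now runs before `updateResourceRecord` is called, whereas the removed copy in index.ts ran after the `delete record[column.name]` loop that appears as context in that file's second hunk. If that loop strips columns the client routinely sends, those requests would now be rejected with the "restricted from editing" error instead of being accepted; the loop's filter is outside the diff, so this ordering change needs confirming. The early return here also omits `ok: false`, which the create hunk includes; it matches the neighbouring `return { error: allowedError }`, but if callers test `ok`, adding `ok: false` to the returned object would make the two rejections consistent.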