diff --git a/common/models/acl.js b/common/models/acl.js
index b10fa1c1..af29d61f 100644
--- a/common/models/acl.js
+++ b/common/models/acl.js
@@ -109,16 +109,20 @@ module.exports = function(ACL) {
       var val2 = req[props[i]] || ACL.ALL;
       var isMatchingMethodName = props[i] === 'property' && req.methodNames.indexOf(val1) !== -1;
-      if (val1 === val2 || isMatchingMethodName) {
+      // accessType: EXECUTE should match READ or WRITE
+      var isMatchingAccessType = props[i] === 'accessType' &&
+        val1 === ACL.EXECUTE;
+
+      if (val1 === val2 || isMatchingMethodName || isMatchingAccessType) {
         // Exact match
         score += 3;
       } else if (val1 === ACL.ALL) {
         // Wildcard match
         score += 2;
       } else if (val2 === ACL.ALL) {
-        // Doesn't match at all
         score += 1;
       } else {
+        // Doesn't match at all
         return -1;
       }
     }
@@ -304,7 +308,7 @@ module.exports = function(ACL) {
     property = property || ACL.ALL;
     var propertyQuery = (property === ACL.ALL) ? undefined : {inq: [property, ACL.ALL]};
     accessType = accessType || ACL.ALL;
-    var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL]};
+    var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL, ACL.EXECUTE]};
     var req = new AccessRequest(model, property, accessType);
diff --git a/test/acl.test.js b/test/acl.test.js
index cd18d20e..db4e904e 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
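Review bot: The new `isMatchingAccessType` check in the first hunk never looks at `val2`, so a rule whose accessType is EXECUTE is scored as an exact match (+3) for every requested access type, including a request for `ACL.ALL`, while the comment directly above it promises only READ or WRITE; restricting it to `var isMatchingAccessType = props[i] === 'accessType' && val1 === ACL.EXECUTE && (val2 === ACL.READ || val2 === ACL.WRITE);` keeps the code and the comment in agreement and stops an EXECUTE rule from outranking a genuine wildcard rule on an ALL request. A related precedence point: because the EXECUTE match earns the same score as a real exact match, an ALLOW rule on EXECUTE and a DENY rule on READ for the same principal tie, and which one wins then presumably depends on rule ordering elsewhere rather than on specificity, which is worth a comment here stating the intended precedence and a test pinning it. The enclosing function starts and ends outside the hunk.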
@@ -139,22 +139,34 @@ describe('security ACLs', function() {
     ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'testModel', property: ACL.ALL,
       accessType: ACL.READ, permission: ACL.ALLOW}, function(err, acl) {
-      ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.READ, function(err, perm) {
-        assert(perm.permission === ACL.ALLOW);
-      });
+      ACL.create({principalType: ACL.USER, principalId: 'u002', model: 'testModel', property: ACL.ALL,
+        accessType: ACL.EXECUTE, permission: ACL.ALLOW}, function(err, acl) {
-      ACL.checkPermission(ACL.USER, 'u001', 'testModel', ACL.ALL, ACL.READ, function(err, perm) {
-        assert(perm.permission === ACL.ALLOW);
-      });
+        ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.READ, function(err, perm) {
+          assert(perm.permission === ACL.ALLOW);
+        });
-      ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.WRITE, function(err, perm) {
-        assert(perm.permission === ACL.DENY);
-      });
+        ACL.checkPermission(ACL.USER, 'u001', 'testModel', ACL.ALL, ACL.READ, function(err, perm) {
+          assert(perm.permission === ACL.ALLOW);
+        });
-      ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.ALL, function(err, perm) {
-        assert(perm.permission === ACL.DENY);
-      });
+        ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.WRITE, function(err, perm) {
+          assert(perm.permission === ACL.DENY);
+        });
+        ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.ALL, function(err, perm) {
+          assert(perm.permission === ACL.DENY);
+        });
+
+        ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.WRITE, function(err, perm) {
+          assert(perm.permission === ACL.ALLOW);
+        });
+
+        ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.READ, function(err, perm) {
+          assert(perm.permission === ACL.ALLOW);
+        });
+
+      });
     });
   });
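Review bot: The new nested `ACL.create` callback discards `err`, and the surrounding `it` appears to take no `done` argument, so a failed create for u002 or a failing `assert` inside these asynchronous `checkPermission` callbacks is not reliably attributed to this test; adding `assert.ifError(err);` at the top of each callback and calling `done()` after the last `checkPermission` would make the assertions count. The same pattern is repeated in the later hunk that adds the u002/u003 checks against the Customer model. On coverage, the u002 rule (accessType EXECUTE) is only exercised with READ and WRITE requests; a request for `ACL.ALL` against it is the case the acl.js comment does not list and deserves an explicit assertion. The enclosing `it` block starts and ends outside the hunk.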
@@ -203,7 +215,9 @@ describe('security ACLs', function() {
       }
     }, {
       acls: [
-        {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
+        {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW},
+        {principalType: ACL.USER, principalId: 'u002', accessType: ACL.EXECUTE, permission: ACL.ALLOW},
+        {principalType: ACL.USER, principalId: 'u003', accessType: ACL.EXECUTE, permission: ACL.DENY}
       ]
     });
@@ -225,6 +239,14 @@ describe('security ACLs', function() {
       assert(perm.permission === ACL.ALLOW);
     });
+    ACL.checkPermission(ACL.USER, 'u002', 'Customer', 'name', ACL.READ, function(err, perm) {
+      assert(perm.permission === ACL.ALLOW);
+    });
+
+    ACL.checkPermission(ACL.USER, 'u003', 'Customer', 'name', ACL.WRITE, function(err, perm) {
+      assert(perm.permission === ACL.DENY);
+    });
+
   });
   it('should filter static ACLs by model/property', function() {